FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.
Apr 17, 2017

Auditing of third parties is critical to any best practices compliance program and an important tool in operationalizing your compliance program. It is a key way in which a company can manage the third party relationship after the contract is signed, and one which the government will expect you to engage in going forward. 

Plan the audit four to six weeks in advance. During that window you should: 

  • perform the audit under your legal counsel’s lead to preserve privilege;
  • work with the business sponsor to establish key business contacts;
  • discuss audit rights and processes with the third party;
  • prepare initial document request lists for financial information queries;
  • review findings from previous audits and their resolutions;
  • review details of opened and closed internal investigations;
  • review any Code of Conduct questionnaires that are available; and
  • be cognizant of any related Department of Justice (DOJ) and Securities and Exchange Commission (SEC) enforcement actions. 

The next step is to determine the entry points of foreign government involvement, which fall into two categories: (1) direct and (2) indirect. The direct category includes: customs and duties, corporate taxes and penalties, social security or national insurance issues for employees, obtaining in-country visas and work permits, public official gifts and entertainment, training of and attendant travel for employees of government owned entities, procurement of business licenses and permits to perform work and, finally, police escort and security. In the indirect category, some of the key areas to review are: customs agents and freight forwarders, visa processors, commercial sales agents, including distributors and, finally, consultants or other channel partners. 

Document review and selection are important to this process; ask for as much electronic information as possible well in advance of your audit. It is much easier to get database records for internal audits than for audits of third parties, so try to obtain records in database or Excel format and not simply as .pdf files. Request the following categories of documents: trial balance, chart of accounts, journal entry line items, financial and compliance policies, prior audited financial statements, bank records and statements, a complete list of agents or intermediaries, and revenue by country and customer. 

Your lead interviewer needs to be culturally sensitive, patient and must negotiate a good working relationship with the forensic auditors on your audit team, who will be reviewing the documents from their professional perspective. Regarding potential interviewees, focus on those who interact with government entities, foreign government officials or third parties, including those personnel involved with: 

  • Business Leadership
  • Sales/Marketing/Business Development
  • Operations
  • Logistics
  • Corporate Functions: Human Resources, Finance, Health, Safety and Environmental, Real Estate and Legal. 

For the interview topics, there are several lines of inquiry. Remember this is an audit interview, not an investigative interview; you should not play ‘gotcha’ in this format. You should also take the opportunity to deliver training while you are interviewing people. The topics to interview on include: 

  • General policies and procedures;
  • Books and records pertaining to FCPA risks;
  • Test knowledge of FCPA and UK Bribery Act including facilitating payments and their understanding of your company’s prohibitions;
  • Regulatory challenges they may face;
  • Any payments of taxes, fees or fines;
  • Government interactions they have on your behalf; and
  • Other compliance areas you may be concerned about or that would impact your company, including: trade, anti-boycott, anti-money laundering, anti-trust. 

In the review of the General Ledger (GL) accounts, you should consider commission payments to agents and representatives, any facilitating payments made, all payments around travel, meals and entertainment, payments made around training, gifts, charitable contributions, political donations and sales and promotion expenses. Payments to customs agents, freight forwarders and other processing agents, and payments for permits, licenses, taxes and other regulatory expenses, should also be reviewed. Additionally, any entries pertaining to community contributions and social responsibility payments should be assessed and, finally, any security payments, extortion payments, payments to legal consultants or tax advisors, and fines and penalties should be reviewed. 

Regarding bank accounts and cash disbursement controls, you should review the following: 

  • Review controls around bank accounts and cash disbursements;
  • Identify and review authorized signers, approval levels, and bank reconciliations;
  • Ensure all bank accounts are included in the General Ledger;
  • Identify and review certain bank and cash disbursement transactions;
  • Identify offshore bank accounts. 

In the area of cash funds review the following: 

  • Review controls around petty cash funds;
  • Ascertain processes in place regarding disbursement and reconciliation of cash funds;
  • Identify and review payments to government officials, agents, or any unusual or suspicious activities; and
  • Identify and review certain bank transactions and test for any improper payments.

For gifts, travel and entertainment, you should explore payments made through employee-reimbursed expenses; scrutinize for any suspicious expenses submitted, expenses lacking adequate documentation and incorrect postings; and identify and review accounts associated with gifts, meals, entertainment, travel or promotion. In the area of payroll, consider the risks around the use of ghost employees, hiring of relatives of government employees and the use of bonus payments, and be sure to request a payroll listing and review it for any such persons. 

You should review GL accounts and expenses for related items. For payments required under local law, obtain a list of payments to the government required by local laws, and identify and review payments to government authorities or employees, customs authorities or agents, income tax authorities and licensing bodies. For payments made to third parties, review commission and expense payments for compliance with company policy and trace each payment to the bank account named in the third party’s contract. 
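The audit steps above describe tests that lend themselves to a scripted first pass over the exported records: screening journal entry line items posted to the high-risk GL accounts, checking the payroll listing for ghost employees, and tracing third-party disbursements to the bank account on the contract. The following Python script is an added example and is not code from the podcast or its sponsor; every ledger line, payroll row, roster entry and vendor record in it is constructed sample data, and the account names in the high-risk set are an assumed chart of accounts.

```python
"""Forensic screening of constructed third-party audit data (added example).

Implements three tests from the audit procedure: (1) flag GL entries posted
to high-risk accounts or lacking a supporting document, (2) flag payroll
lines that are not on the HR roster or share a bank account, and (3) trace
third-party payments to the bank account named in the contract.
All records below are constructed samples, not real books and records.
"""
from collections import defaultdict

# Assumed chart-of-accounts names for the accounts the audit procedure singles out.
HIGH_RISK_ACCOUNTS = {
    "commissions", "facilitating payments", "gifts", "entertainment",
    "travel", "training", "charitable contributions", "political donations",
    "customs and duties", "permits and licenses", "security services",
    "fines and penalties", "legal consultants",
}

# Constructed journal-entry line items: (entry id, account, payee, amount, support doc)
LEDGER = [
    ("JE-001", "office supplies", "Stationery Co", 240.00, "INV-88"),
    ("JE-002", "commissions", "Delta Agency", 45000.00, "INV-91"),
    ("JE-003", "facilitating payments", "Port Customs Broker", 600.00, None),
    ("JE-004", "gifts", "Ministry Liaison", 1200.00, None),
    ("JE-005", "permits and licenses", "Licensing Authority", 3000.00, "RCPT-7"),
]

# Constructed payroll listing: (employee id, name, bank account); HR roster of real ids.
PAYROLL = [
    ("E100", "A. Okafor", "ACC-1001"),
    ("E101", "B. Singh", "ACC-1002"),
    ("E102", "C. Mendes", "ACC-1002"),   # shares a bank account with E101
    ("E999", "D. Nobody", "ACC-1999"),   # paid, but not on the HR roster
]
HR_ROSTER = {"E100", "E101", "E102"}

# Constructed vendor master (third party -> contracted bank account) and disbursements.
VENDOR_MASTER = {"Delta Agency": "BANK-DE-01", "Port Customs Broker": "BANK-PC-02"}
PAYMENTS = [
    ("PAY-1", "Delta Agency", "BANK-DE-01", 45000.00),
    ("PAY-2", "Delta Agency", "BANK-XX-99", 5000.00),          # not the contracted account
    ("PAY-3", "Unknown Intermediary", "BANK-ZZ-07", 2500.00),  # no contract on file
]


def screen_ledger(entries, high_risk=HIGH_RISK_ACCOUNTS):
    """Return (entry id, payee, amount, reasons) for each entry that needs review."""
    flagged = []
    for entry_id, account, payee, amount, support in entries:
        reasons = []
        if account.lower() in high_risk:
            reasons.append(f"high-risk account: {account}")
        if support is None:
            reasons.append("no supporting document")
        if reasons:
            flagged.append((entry_id, payee, amount, reasons))
    return flagged


def find_ghost_employees(payroll, roster):
    """Return {employee id: reasons} for payroll lines that fail the ghost-employee tests."""
    by_account = defaultdict(list)
    for emp_id, _, account in payroll:
        by_account[account].append(emp_id)
    flagged = {}
    for emp_id, _, account in payroll:
        reasons = []
        if emp_id not in roster:
            reasons.append("not on HR roster")
        others = [e for e in by_account[account] if e != emp_id]
        if others:
            reasons.append("bank account shared with " + ", ".join(others))
        if reasons:
            flagged[emp_id] = reasons
    return flagged


def trace_payments(payments, vendor_master):
    """Return (payment id, payee, amount, reason) for payments not traceable to the contract."""
    exceptions = []
    for pay_id, payee, dest, amount in payments:
        contracted = vendor_master.get(payee)
        if contracted is None:
            exceptions.append((pay_id, payee, amount, "payee has no contract on file"))
        elif dest != contracted:
            exceptions.append((pay_id, payee, amount, f"paid to {dest}, contract names {contracted}"))
    return exceptions


if __name__ == "__main__":
    for section, rows in (("GL entries", screen_ledger(LEDGER)),
                          ("Payroll", find_ghost_employees(PAYROLL, HR_ROSTER).items()),
                          ("Payments", trace_payments(PAYMENTS, VENDOR_MASTER))):
        print(section)
        for row in rows:
            print("  ", row)
```

The script is a triage tool, not a conclusion: each flagged row is a sample to pull into the interviews and document review, and the high-risk account list must be mapped to the third party’s actual chart of accounts before the screen means anything.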

Three Key Takeaways

  1. Be prepared.
  2. It is not an investigative interview but an audit interview.
  3. Listen, listen, listen. 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos 3PM accelerator, the leading platform for third party risk management. To learn more, go to www.opus.com.

Apr 14, 2017

In this episode, Matt Kelly pinch hits for a Walt Disney World-vacationing Jay Rosen. Matt and I have a wide-ranging discussion on some of the week’s top FCPA and compliance related stories. We discuss: 

  1. Shearman & Sterling issues its Report to the Wells Fargo Board on the fraudulent account scandal. For Tom’s three-part series see Part I, Part II and Part III.
  2. United Airlines is at it again. Click here for Matt’s article on Radical Compliance. Click here for Tom’s article in Compliance Week.
  3. Interesting judicial decision on restitution from Judge Posner. See article in the Grand Jury Target blog.
  4. Barclays CEO penalized for trying to unmask an internal, anonymous whistleblower by using corporate security and US law enforcement. See Tom’s article in Compliance Week.
  5. Matt reports on Oracle’s Modern Finance Experience conference. Click here for Matt’s blog post on Radical Compliance.
Apr 14, 2017

The building blocks of any Foreign Corrupt Practices Act (FCPA) anti-corruption compliance program lay the foundations for a best practices compliance program. For instance in the lifecycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, the issue of third party management becomes more important. It is also the one where the rubber meets the road of operationalizing compliance. 

An article by Mark Trowbridge in Supply Chain Management Review, entitled “Put it in Writing: Sharpening Contracts Management to Reduce Risk and Boost Supply Chain Performance”, provided useful insights into the management of the third party relationship. While the focus of the article was a strategic approach to contracts management, the author’s “five ways to start professionalizing your approach to outsourcing contracts” are an excellent way to think about the steps in managing third party relationships. 

The key is to have a strategic approach to how you structure and manage your third party relationships. This may mean more closely partnering with your third parties to help manage the anti-corruption compliance risk. It would certainly lead towards enabling your company to “control risk while optimizing the performance” of your third parties. To achieve these goals, I have revised Trowbridge’s prescriptions from suppliers to third parties. 

Consolidate Third Parties but Retain Redundancy 

Trowbridge advocates consolidating your third party relationships to a smaller number to “yield better cost leverage.” From the compliance perspective, it also should make the entire third party lifecycle easier to manage, particularly steps 1-4. However, a company must not “over-consolidate” by going down to a single source supplier. You should build a diversified supplier base through “dual-sourcing”. From the compliance perspective, you may want to have a primary and a secondary third party that you work with in a service line or geographic area to retain this redundancy.

Keep Tabs on Subcontracted Work 

This is one area that requires an appropriate level of management. If your direct contracting party has the right or will need to subcontract some work out, you need to have visibility into this from the compliance perspective. You will need to require and monitor that your direct third party relationship has your approved compliance terms and conditions in their contracts with their subcontractors. You will also need to test that proposition. In other words, you must require, trust and then verify.

When Disaster Strikes, Make Sure Your Company is Legally Protected

This is where your compliance terms and conditions will come into play. One of the things that I advocate is a full indemnity if your third party violates the FCPA and your company is dragged into an investigation because of the third party’s actions. Such an indemnity may not be worth much, but if you do not have one there will be no chance to recoup any of your legal or investigative costs. Another important clause is that any FCPA violation is a material breach of contract. This means that you can legally, under the terms of the contract, terminate it immediately, with no requirement for notice and cure. Once again you may be somewhat constrained by local laws, but if you do not have the clause you will have to give written notice and an opportunity to cure. This notice and cure process may be too long to satisfy the Department of Justice (DOJ) or Securities and Exchange Commission (SEC) during the pendency of an FCPA investigation. Finally, you need a clause that requires your third party to cooperate in any FCPA investigation. This means cooperation with you and your designated investigation team, but it may also mean cooperation with US governmental authorities as well.

You also need the ability to move between third parties if the need arises. This is the redundancy issue raised above. You do not want to be stuck with no approved freight forwarders or other transporters in a certain geographic area. If a compliance related matter occurs, you may well need certain contractual rights to move your work and to require your prime third party to cooperate with the transition to your secondary third party.

Keep Track of Your Third Parties’ Financial Stability 

This is one area that is not usually discussed in the compliance arena around third parties, but it seems almost self-evident. You can certainly imagine the disruption that could occur if your prime third party supplier in a country or region went bankrupt; but in the compliance realm there is another Red Flag raised in such circumstances. Third parties under financial pressure may be more easily persuaded to engage in bribery and corruption than third parties that stand on a more solid financial footing. You can track this with a simple requirement that your third party provide annual audited financial statements. For a worldwide logistics company, this should be something easily accomplished. 

You should take advantage of automated financial tracking tools to keep track of material changes in a third parties’ financial stability. You should also use your in-house relationship manager to regularly visit key third party relationships so an on-the-ground assessment can be a part of an ongoing conversation between your company and your third parties. 

Formalize Incentives for Third Party Performance 

One of the key elements for any third party contract under the FCPA or UK Bribery Act is the compensation issue. If the commission rate is too high, it could create a very large pool of money that could be used to pay bribes. It is mandatory that your company link any commission or payment to the performance of the third party. If you have a long-term stable relationship with a third party, you can tie compensation into long-term performance, specifically including long-term compliance performance. This requires the third party to put skin into the compliance game so that they have a vested, financial interest in getting things done in compliance with the FCPA or other anti-corruption compliance regimes.

By linking contractual compensation to performance, there should be an increase in third party performance. This is especially valuable when agreed upon key performance indicator (KPI) metrics can be accurately tracked. This would seem to be low hanging fruit for the compliance practitioner. If you cannot come up with some type of metric from the compliance perspective, you can work with your business relationship team to develop such compliance KPIs. 

You should rank third parties based upon a variety of factors including performance, length of relationship, benchmarking metrics and KPIs. This gives the compliance practitioner an ongoing risk ranking for third parties that can work as a preventive and even a prescriptive prong of a compliance program, and allows compliance resources to be delivered to those third parties that need or warrant them. 

Three Key Takeaways

  1. Have a strategic approach to third party risk management.
  2. Rank third parties based upon a variety of factors including compliance and business performance, length of relationship, benchmarking metrics and KPIs.
  3. Keep track of the financial stability of your third parties. 


Apr 13, 2017

In a speech before the SIFMA Compliance and Legal Society New York Regional Seminar in November 2015, then Assistant Attorney General Leslie Caldwell laid out metrics the Department of Justice would consider in evaluating a corporate compliance program around third parties. Caldwell began with the following question, “Does the institution sensitize third parties like vendors, agents or consultants to the company’s expectation that its partners are also serious about compliance?” This inquiry was brought forward into the Justice Department’s Evaluation of Corporate Compliance Programs. 

Management of a Third Party Relationship

Recognizing that most Chief Compliance Officers (CCOs) and compliance practitioners understand the need for a business justification, questionnaire, due diligence and compliance terms and conditions in a contract, I was gratified to see the DOJ focusing on the final step in the lifecycle of a third party relationship as a key metric for its new Compliance Counsel to evaluate. This is because it is the management of third party relationships that continues to be a source of trouble and heartburn for many companies. As Caldwell noted in her remarks, the management of a third party relationship, “means more than including boilerplate language in a contract. It means taking action – including termination of a business relationship – if a partner demonstrates a lack of respect for laws and policies. And that attitude toward partner compliance must exist regardless of geographic location.” 

The 2012 FCPA Guidance itself only provides that “companies should undertake some form of ongoing monitoring of third-party relationships”. In practice this means that you must have an experienced compliance and audit team, actively engaged in the corporate office and in the business units, to ensure that financial controls and compliance policies are followed and that remedial measures for violations or gaps are tracked, implemented and rechecked, as additional detection and prevention. Caldwell noted it is a more encompassing “sensitization” to anti-corruption compliance that is needed. There are several ways for you to do so. 

Relationship Manager for Third Parties 

The starting point for the management of a third party is your Relationship Manager for every third party with which your company does business. The Relationship Manager should be a business unit employee who is responsible for monitoring, maintaining and continuously evaluating the relationship between your company and the third party. Some of the duties of the Relationship Manager may include: 

  • Point of contact with the Third Party for all compliance issues;
  • Maintaining periodic contact with the Third Party;
  • Meeting annually with the Third Party to review its satisfaction of all company compliance obligations;
  • Submitting annual reports to the company’s Oversight Committee summarizing services provided by the Third Party;
  • Assisting the company’s Oversight Committee with any issues with respect to the Third Party. 

Compliance Professional 

Just as a company needs a subject matter expert (SME) in anti-bribery compliance to be able to work with the business folks and answer the usual questions that come up in the day-to-day routine of doing business internationally, third parties also need such access. A third party may not be large enough to have its own compliance staff so I advocate a company providing such a dedicated resource to third parties. I do not believe that this will create a conflict of interest or that there are other legal impediments to providing such services. They can also include anti-corruption training for the third party, either through onsite or remote mechanisms. The compliance professional should work closely with the Relationship Manager to provide advice, training and communications to the third party. 

Oversight Committee 

I advocate that a company should have an Oversight Committee review all documents relating to the full panoply of a third party’s relationship with the company. It can be a formal structure or some other type of group, but the key is to have senior management put a ‘second set of eyes’ on any third parties who might represent the company on the sales side. In addition to the basic concept of process validation of your management of third parties, as third parties are recognized as the highest risk in FCPA or Bribery Act compliance, this is a way to deliver additional management of that risk. 

After the commercial relationship has begun, the Oversight Committee should monitor the third party relationship on no less than an annual basis. This annual audit should include a review of remedial due diligence investigations and an evaluation of any new or supplemental risk associated with any negative information discovered from a review of financial audit reports on the third party. The Oversight Committee should review any reports of any material breach of contract, including any breach of the requirements of the Company Code of Ethics and Compliance. In addition to the above remedial review, the Oversight Committee should review all payments requested by the third party to assure such payments are within company guidelines and are warranted by the contractual relationship with the third party. Lastly, the Oversight Committee should review any request to provide the third party any type of non-monetary compensation and, as appropriate, approve such requests. 

Audit 

A key tool in managing the affiliation with a third party post-contract execution is auditing. Audit rights are a key clause in any compliance terms and conditions and must be secured. Your compliance audit should be a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which your compliance terms and conditions are followed. Noted fraud examiner Tracy Coenen described the process as (1) capture the data; (2) analyze the data; and (3) report on the data, which is also appropriate for a compliance audit. As a baseline I would suggest that any audit of a third party include, at a minimum, a review of the following: 

  1. the effectiveness of existing compliance programs and codes of conduct;
  2. the origin and legitimacy of any funds paid to Company;
  3. books, records and accounts, or those of any of its subsidiaries, joint ventures or affiliates, related to work performed for, or services or equipment provided to, Company;
  4. all disbursements made for or on behalf of Company; and
  5. all funds received from Company in connection with work performed for, or services or equipment provided to, Company. 

If you want to engage in a deeper dive you might consider evaluation of some of the following areas: 

  • Review of contracts with third parties to confirm that the appropriate FCPA compliance terms and conditions are in place.
  • Determine that actual due diligence took place on the third party.
  • Review FCPA compliance training program; both the substance of the program and attendance records.
  • Does the third party have a hotline or any other reporting mechanism for allegations of compliance violations? If so how are such reports maintained? Review any reports of compliance violations or issues that arose through anonymous reporting, hotline or any other reporting mechanism.
  • Does the third party have written employee discipline procedures? If so have any employees been disciplined for any compliance violations? If yes review all relevant files relating to any such violations to determine the process used and the outcome reached.
  • Review employee expense reports for employees in high-risk positions or high-risk countries.
  • Testing for gifts, travel and entertainment that were provided to, or for, foreign governmental officials.
  • Review the overall structure of the third party’s compliance program. If the company has a designated compliance officer to whom, and how, does that compliance officer report?
  • How is the third party’s compliance program designed to identify risks and what has been the result of any so identified?
  • Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third party.
  • With regard to any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and apply analytical procedures and testing.

Tying it all Together 

In addition to monitoring and oversight of your third parties, you should periodically review the health of your third party management program. The robustness of your third party management program will go a long way towards preventing, detecting and remediating any compliance issue before it becomes a full-blown FCPA violation. As with all the steps laid out herein, you need to fully document all steps you have taken so that any regulator, and most specifically the DOJ Compliance Counsel, can test your metrics. Caldwell’s remarks around the metrics portended the Evaluation and what the DOJ will be reviewing and evaluating going forward, so it is clear what will be expected of your company’s compliance program. You should also use these metrics to conduct a self-assessment on the state of your compliance program. 

Three Key Takeaways

  1. It all starts with a Relationship Manager.
  2. Have company oversight of all third parties.
  3. Audit, monitor and remediate on an ongoing basis.


Apr 12, 2017

In this episode Matt Kelly and I take a deep dive into the recently released Public Company Accounting Oversight Board (PCAOB) semi-annual white paper, which provides general information about certain characteristics of emerging growth companies (EGCs). Matt and I discuss some of the PCAOB's key findings:

  • There were 1,951 companies that identified themselves as EGCs in at least one SEC filing since 2012 and have filed audited financial statements with the SEC in the 18 months preceding the measurement date (“EGC filers”). The PCAOB staff observe that the number of EGC filers has grown since the enactment of the Jumpstart Our Business Startups (JOBS) Act, but has stabilized recently.
  • There were 742 EGC filers (or 38 percent) that have common equity securities listed on a U.S. national securities exchange (“exchange-listed”). 
  • The five most common industries for EGC filers as of November 16, 2016, are pharmaceutical preparations, blank check companies, real estate investment trusts, prepackaged software, and surgical/medical instruments and apparatus.
  • Many EGC filers that were not exchange-listed had limited operations. Approximately 50 percent of the non-listed EGC filers reported zero revenue in their most recent filing with audited financial statements and 23 percent of non-listed EGCs that filed periodic reports disclosed that they were shell companies.
  • Approximately 51 percent of EGC filers, including 74 percent of those that were not exchange-listed, received an explanatory paragraph in their most recent auditor’s report expressing substantial doubt about the company’s ability to continue as a going concern.
  • Among the 1,951 EGC filers, 1,262 provided a management report on internal control over financial reporting in their most recent annual filing. Of those 1,262 companies, approximately 47 percent reported material weaknesses.
  • Approximately 96 percent of EGC filers were audited by accounting firms that also audited issuers that are not EGC filers, including 39 percent of EGC filers that were audited by firms that provided audit reports for more than 100 issuers and were required to be inspected on an annual basis by the PCAOB.
Apr 12, 2017

What is satisfactory due diligence under the Foreign Corrupt Practices Act (FCPA)? That question seems to be more important after the story on Unaoil and the subsequent release of the Panama Papers. However, both of these events largely focused on the “who” part of due diligence and the need to know whom you are doing business with going forward. There is another important question which does not come up as often in due diligence, which is how.

How does a particular third party perform its services with or for your company? If it is on the sales side of things, how can a third party help you make sales? If a third party comes through the Supply Chain, how do their products or services meet the needs of your company? If the third party has a closer business relationship, such as a joint venture (JV), teaming agreement or other similar arrangement, you may well need a much deeper understanding of how this third party does business, because the relationship may well become so close that you will be intertwined with the party. It may mean more than simply whether their product works; it includes how this third party conducts itself and its business. 

The questions beyond simply who were made clear in a Wall Street Journal (WSJ) article by Christopher Weaver and John Carreyrou, entitled “Deal With Theranos Haunts Walgreens”. It turns out that Walgreens left a gap by “never fully validating the startup’s technology or thoroughly evaluating its capabilities”. The clear message is that if you are going to partner with a technology company which is going to change your business model, you had best make sure the technology works. Moreover, if a potential JV partner refuses to show you its technology, how it keeps records, its financials relating to the products and services you are contracting for, and generally tries to hide from you the very thing you are buying into, you should not walk but run away from the deal. 

This article detailed the lack of steps and the missteps by Walgreens when entering its partnership with Theranos, and how these actions caused Walgreens to consider its $50MM investment in Theranos as something it will never recoup, caused Walgreens reputational damage and potentially subjected it to civil liability. As the reporters noted, “The relationship is now in tatters, making Walgreens an extreme case study of what can go wrong when an established company that craves growth decides to gamble on an exciting and unproven startup.” 

One might think that if you are investing in a technology company that provides medical testing, the investor would want to see the laboratory where the testing is performed. It turns out that Walgreens representatives were never allowed to tour, let alone review the labs where the results of Theranos pinprick blood tests were run. A Walgreens consultant, Paul Rust, who was sent to Theranos to do a quality control data review said, “It was a very strange situation. The results were actually really good, but I was never allowed to go into the lab. I have no idea that the results I saw were run on the Edison devices or not.” He went on to say that he was “led to believe that they were being run on the Edison.” Yet even Rust was surprised no Walgreens representatives had been allowed to view Theranos labs. 

Interestingly, when Theranos did provide test results to Walgreens representatives, the results came back with “‘low’ and ‘high’ values rather than numeric values. As a result, Walgreens couldn’t compare results from the Theranos machine to any commercially available tests.” Once again, this was something on which Walgreens should have sought additional information. 

Yet even when Walgreens’ consultants, assisting the company in evaluating Theranos and the proposed transaction, voiced and wrote up their concerns, they were not passed along to Walgreens management. The article reported, “In a report later in 2011, the consultants concluded Walgreens needed more information to assess the partnership. Those findings and reports by other consultants were kept from many Walgreens officials, including some directly involved in the negotiations with Theranos.”

Walgreens made another classic mistake in the due diligence process: it took comfort when a competitor was allegedly considering a similar venture with Theranos. The article said, “Some executives were comforted when Theranos said Safeway Inc. had agreed to host blood-drawing sites at some of its supermarkets. If Safeway trusted Theranos, then Walgreens could, too, the Walgreens officials believed.” How often have you heard that some other company is considering a third party, or has cleared it through due diligence, and a decision was then based on the alleged actions of another party? 

Walgreens hamstrung itself from managing the relationship after the contract was signed by agreeing to contract terms that prevented it from auditing or even viewing “Theranos clinical data or financial records”. Finally, and perhaps most damagingly, there was a complete lack of communication between the two companies about the issues that have bedeviled Theranos. The article concluded, “Walgreens shelved the expansion plans after the Journal reported in October that Theranos did the vast majority of tests it offered to consumers on traditional lab machines. The Journal also reported that some former employees doubted the accuracy of a small number of tests run on Edison devices. One of the most recent setbacks came in mid-April when the Journal reported that regulators had 3½ weeks earlier proposed banning Ms. Holmes from the lab-testing industry. The drugstore chain’s senior executives found out from the news report.” 

Under the FCPA, most companies understand the need to know with whom they contract for sales or vendor services. They also understand the need to know why they should do business with a proposed third party (i.e., a business justification). However, the need to investigate how the third party can actually deliver the contracted services is equally important.

The Walgreens imbroglio around Theranos points out why audit and access clauses are mandatory. If you do not have them, you do not have the ability to verify what you may or may not have been told in due diligence. Finally, managing the relationship after the contract is signed is where the rubber hits the road. If you only obtain a due diligence report and insert compliance terms and conditions, you will have done nothing to test whether the third party is performing as it agreed to under the terms of the contract. 

Three Key Takeaways

  1. The how question can be as critical as the who question.
  2. The more integrated a third party is into your operations the more important this question becomes.
  3. Incorporate a how question into not only your due diligence but also your ongoing monitoring and auditing, after the contract is signed. 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos 3PM accelerator, the leading platform for third party risk management. To learn more, go to www.opus.com.

 

Apr 11, 2017

The Justice Department Evaluation of Corporate Compliance Programs states in Prong 10, Appropriate Controls – What was the business rationale for the use of the third parties in question? What mechanisms have existed to ensure that the contract terms specifically described the services to be performed, that the payment terms are appropriate, that the described contractual work is performed, and that compensation is commensurate with the services rendered?  

You should incorporate appropriate compliance terms and conditions into every contract with third parties. I would suggest that you prepare a template, which can be used as a starting point for your negotiations. The advantages of such a template are several; they include: (1) the contract language is tested against real events; (2) the contract language assists the company in managing its compliance risks; (3) the contract language fits into a series of related contracts; (4) the contract language is straightforward to administer; and (5) the contract language helps to manage the expectations of both contracting parties regarding anti-bribery and anti-corruption. 

What are the compliance terms and conditions that you should include in your commercial contracts with third parties? In the Panalpina Deferred Prosecution Agreement (DPA), Attachment C, Section 12, the following language is found: “Where necessary and appropriate, Panalpina will include standard provisions in agreements, contracts, and renewals thereof with all agents and business partners that are reasonably calculated to prevent violations of the anticorruption laws, which may, depending upon the circumstances, include: (a) anticorruption representations and undertakings relating to compliance with the anticorruption laws; (b) rights to conduct audits of the books and records of the agent or business partner to ensure compliance with the foregoing; and (c) rights to terminate an agent or business partner as a result of any breach of anti-corruption laws, and regulations or representations and undertakings related to such matters.” In the Johnson & Johnson (J&J) DPA, the same language as used in the Panalpina DPA is found in Attachment C, entitled “Corporate Compliance Program”. However, in Attachment D, entitled “Enhanced Compliance Obligations”, the following language is found: “Contracts with such third parties are to include appropriate FCPA compliance terms and conditions including; (i) representations and undertakings of the third party to compliance; (ii) right to audit; and (iii) right to terminate.”

Mary Jones, in an article in this blog entitled “Panalpina’s World Wide Web”, suggested the following language be present in your compliance terms and conditions: 

  • payment mechanisms that comply with this Manual, the FCPA [Foreign Corrupt Practices Act], the UKBA [UK Bribery Act] and other applicable anti-corruption and/or anti-bribery laws during the term of such contract;
  • the counterparty’s obligation to maintain accurate books and records in compliance with the Company’s Policy and Compliance Manual;
  • the counterparty’s obligation to certify on an annual basis that: (i) counterparty has not made, offered, or promised any payment or gift of money or anything of value, directly or indirectly, to any Government Official (or any other person or entity if UK Bribery Act applies) for the purpose of obtaining or retaining business or getting any improper business advantage; and (ii) counterparty has not engaged in any conduct or behavior prohibited by the Code of Conduct, Anti-Corruption Policy and Compliance Manual and other applicable anti-corruption and/or anti-bribery law;
  • the Company’s right to audit the counterparty’s books and records, including, without limitation, any documentation relating to the counterparty’s interaction with any governmental entity (or any entity if UK Bribery Act applies) on behalf of the Company, and the counterparty’s obligation to cooperate fully with any such audit; and
  • remedies (including termination rights) for the failure of the counterparty to comply with the terms of the contract, the Code of Conduct, the Anti-Corruption Policy and Compliance Manual and other applicable anti-corruption and/or anti-bribery law during the term of such contract. 

I believe that compliance terms and conditions should be stated directly in the document, whether such document is a simple agency or consulting agreement or a joint venture (JV) with several formation documents. The compliance terms and conditions should include representations that in all undertakings the third party will make no payments of money, or anything of value, nor will such be offered, promised or paid, directly or indirectly, to any foreign officials, political parties, party officials, candidates for public or political party office, to influence the acts of such officials, political parties, party officials, or candidates in their official capacity, to induce them to use their influence with a government to obtain or retain business or gain an improper advantage in connection with any business venture or contract in which the company is a participant. 

In addition to the above affirmative statements regarding conduct, a commercial contract with a third party should have the following compliance terms and conditions in it. 

  • Indemnification: Full indemnification for any FCPA violation, including all costs for the underlying investigation.
  • Cooperation: Require full cooperation with any ethics and compliance investigation, specifically including the review of foreign business partner emails and bank accounts relating to your Company’s use of the foreign business partner.
  • Material Breach of Contract: Any FCPA violation is made a material breach of contract, with no notice and opportunity to cure. Further, such a finding will be the grounds for immediate cessation of all payments.
  • No Sub-Vendors (without approval): The foreign business partner must agree that it will not hire an agent, subcontractor or consultant without the Company's prior written consent (to be based on adequate due diligence).
  • Audit Rights: An additional key element of a contract between a US Company and a foreign business partner should include the retention of audit rights. These audit rights must exceed the simple audit rights associated with the financial relationship between the parties and must allow a full review of all FCPA related compliance procedures such as those for meeting with foreign governmental officials and compliance related training.
  • Acknowledgment: The foreign business partner should specifically acknowledge the applicability of the FCPA to the business relationship as well as any country or regional anti-corruption or anti-bribery laws, which apply to either the foreign business partner or business relationship.
  • On-going Training: Require that the top management of the foreign business partner and all persons performing services on your behalf shall receive FCPA compliance training.
  • Annual Certification: Require an annual certification stating that the foreign business partner has not engaged in any conduct that violates the FCPA or any applicable laws, nor is it aware of any such conduct.
  • Re-qualification: Require the foreign business partner re-qualify as a business partner at a regular interval of no greater than every three years. 

Many do not believe that they will be able to get the third party to agree to such compliance terms and conditions. I have found that while it may not be easy, it is relatively simple to get a third party to agree to these, or similar, terms and conditions. One approach to take is that they are not negotiable. When faced with such a position on non-commercial terms, many third parties will not fight it. There is some flexibility, but the DOJ will require the minimum compliance terms and conditions. But the best position I have found is that if a third party agrees to these terms and conditions, it can then use that as a market differentiator. 

Three Key Takeaways

  1. There is no set formula for clearing of red flags or the evaluation of due diligence.
  2. Know when to say enough has been done.
  3. You must Document Document Document your evaluation of any red flags. 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos ABAC accelerator, the leading platform for third party risk management. To learn more, go to www.opus.com.

Apr 11, 2017

In this episode, I am joined by Eric Feldman, SVP at Affiliated Monitors. Eric is a long-time US government employee who now helps to provide companies with monitorship services in a wide range of areas. These include external monitors after an FCPA enforcement action, and monitorships with companies who contract with the federal government or with state and local authorities. Eric discusses the strategic use of a monitor in a wide variety of areas, from prevention and detection of legal violations to M&A work. For more on Affiliated Monitors, check out their website.

Apr 10, 2017

An important part of the job duties of any compliance practitioner is clearing red flags which might appear for a proposed third-party relationship during the due diligence process. Not only must all red flags be cleared, there must also be evidence of the decision-making process to show to a regulator if one comes knocking.

The Justice Department Evaluation of Corporate Compliance Programs states under Prong 10, “Real Actions and Consequences – Were red flags identified from the due diligence of the third parties involved in the misconduct and how were they resolved?” There is no set formula or guideline for clearing red flags or evaluating due diligence. One approach came from two compliance practitioners at GE Oil & Gas, Flora Francis and Andrew Baird, in a presentation at the 2014 SCCE Utility and Energy Conference on GE’s third party risk management, where they described the process by which GE reviews the risks around each third party with which it does business. 

Some of the factors which GE considers, when evaluating a third party, include the following: 

  • Business Model: Do we need third parties to reach our customers or can we build the organization ourselves?
  • In-house Capabilities: Do we already have the organization in place to handle these capabilities?
  • Overlap: Do we already have a third party in the region/country that can handle our needs?
  • Volume of Business: How much business will this third party bring to the company?
  • Compliance Risk: Where is the third party located? Will they interact with government officials? Do they have the same commitment to compliance?
  • Regulatory Environment: Is it simple or strict? What are the chances of regulatory violations?
  • Reputation: What is the third party’s reputation in the market? 

GE takes this information and then breaks the risks down into low risk and high risk. A low risk receives a limited review and analysis, while a high risk receives an escalated review and analysis consisting of the following reviews: compliance, legal, business leadership and finance.

But more than simply the level of review, I was interested in the ‘Risk Score Drivers’ that GE has developed. Once again, the speakers emphasized that these are GE’s risk score drivers and have been developed over time through the company’s internal analysis and processes. Nevertheless I found them to be a very useful way to think about third party risk. The risk score drivers listed were: 

  • Country or channel where the third party is located or into which it sells;
  • Experience of the third party with the sales channel;
  • Type of third party involved: agent, reseller or distributor;
  • Commission rate: standard or non-standard;
  • Whether any sub-third-party relationships will be involved;
  • Whether the third party will sell to a government entity or instrumentality;
  • Whether any of the third party’s principals, officers or agents work for a foreign government, state-owned enterprise or political party;
  • Whether the third party was mandated by the customer or the end user;
  • The third party’s contract duration;
  • Whether the third party is involved in more than one project;
  • Whether the third party has any historical compliance issues;
  • The percentage of sales in products or services; and
  • GE’s annual revenue with the third party. 

GE compliance then takes these scoring factors and puts them into an evaluation matrix when determining the amount of risk involved and a Go/NoGo decision whether the company should move forward with a proposed third party. 

Another approach comes from Randy Corley, Executive Vice President (EVP) and Global Compliance Officer at Edelman Inc. I found his questions to be very relevant when considering how far down the chain a company must go. 

Step 1: How Much is Enough? Here your goal is to have a realistic process so that it can be effectively managed and still be of sufficient value for the business unit decision makers, who have the ultimate responsibility over the company’s third parties. 

Step 2: How Deep Do We Dig? Here I think the question you should consider is how many tiers down you must go in managing your third parties? Clearly you should manage all direct counter-parties in the sales chain and those considered high-risk in the supply chain. Further, in the sales chain, I think you need to know directly if your business representatives are sub-contracting down your business representation, at least through one tier. On the supply chain, if a high-risk truly is a high-risk for bribery and corruption under your internal evaluation system, you should also consider digging down one tier. 

Step 3: What Do You Need To Know? While with your first-tier relationships you may scope your review depending on your internal risk assessment and attendant risk ranking, your data collection down the chain may not need to be as robust. For counter-parties further down the chain than tier 2, a list of actual and beneficial owners, coupled with commitments to follow relevant anti-corruption legislation is needed. Such commitments should be secured through each tier’s contract with its counter-parties. 

Step 4: What Did We Learn? If there is any information from which Red Flags appear, they must be cleared. If additional information is needed or points clarified, now is the time to do it and not wait until later in the process. Here I would rely on Jan Farley’s proscription not to stretch your compliance program too thin. Focus your training, communication and management on your direct counter-parties and communicate to them that your company expects them to manage their relationships with their direct counter-parties, which would include the clearing of any Red Flags that may have appeared. 

Step 5: Then What? After you have made your decision you still need to manage the relationship. This will entail continuing compliance communications with your direct counter-parties on an ongoing basis. Preferably your business unit sponsor will do this but as the compliance practitioner, you should also be mindful of checking in from time-to-time with your third parties. As your compliance program matures, you also reach the point where you will need to consider auditing of your third parties from the compliance perspective. Finally, do not forget the three most important things about your FCPA compliance program: “Document, Document and Document” the entire process. 

In the area of third parties, consider what risks you face in both your sales and supply chain. If there is a key player several tiers down the line who creates or builds a key component or delivers a critical service, you may want to put more management around that relationship from the compliance perspective. For anything below a tier 2; you may be able to manage your risks through having your direct tier 1 counter-party take the lead in managing such compliance risks. But make sure that the expectation is communicated to your direct counter-party so that if the government comes knocking you can show that not only did you contractually obligate your direct counter-party to do so but that you provided them the tools and training to do so. Finally, you will need to be able to show that your direct counter-party did so. 

Three Key Takeaways

  1. There is no set formula for clearing of red flags or the evaluation of due diligence.
  2. Know when to say enough has been done.
  3. You must Document Document Document your evaluation of any red flags. 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos ABAC accelerator, the leading platform for third party risk management. To learn more, go to www.opus.com.

 

Apr 7, 2017

Show Notes for Episode 47, for the week ending April 7, the Season Opener Edition

In this episode, Jay and I have a wide-ranging discussion on some of the week’s top FCPA and compliance related stories. We discuss: 

  1. Wrap up from the SCCE European Compliance and Ethics Institute.
  2. SEC Unit Chief Kara Brockmeyer announces her retirement. Click here for Matt Kelly’s article on Radical Compliance.
  3. Wal-Mart announces its 2016 spend on its FCPA investigation and remediation of $99MM. Click here for Matt Kelly’s article on Radical Compliance.
  4. Upjohn warnings after the Yates Memo. See the article on the Grand Jury Target blog.
  5. Report on OECD Integrity Forum. Allison Taylor writes in the FCPA Blog.
  6. Astros, Red Sox and Dodgers all lead their divisions.
  7. Jay previews his weekend report.
Apr 7, 2017

Yesterday I considered the need for due diligence in the management of third parties. Today, I want to take a deeper dive and explore the levels of due diligence. Due diligence is generally recognized in three levels: Level I, Level II and Level III. Each level is appropriate for a different level of corruption risk. The key is for you to develop a mechanism to determine the appropriate level of due diligence and then implement that going forward. 

Level I 

First-level due diligence typically consists of checking individual names and company names through several hundred global watch lists, comprising anti-money-laundering, anti-bribery and sanctions lists, coupled with other financial-corruption and criminal databases. These global lists create a useful first-level screening tool to detect potential red flags for corrupt activities. It is also a very inexpensive first step in compliance from an investigative viewpoint. This basic Level I due diligence is extremely important for companies to complement their compliance policies and procedures, demonstrating a broad intent to actively comply with international regulatory requirements. 
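The mechanics of a Level I name check are worth seeing once, because most false negatives come from trivial differences (accents, capitalisation, legal suffixes, reordered name parts) rather than from gaps in the lists. The following Python is an added illustration for this post, not code from the original article or from any screening vendor. The watch list entries, names, programme labels and the 0.85 match threshold are all constructed for the example; a real programme would screen against licensed list data and tune the threshold against known true and false positives.

```python
"""Level I screening illustration: match counterparty names against a watch list.

The watch list below is CONSTRUCTED sample data for this example; none of the
entries refer to real persons, companies or sanctions programmes.
"""
import re
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed sample watch list. Each entry records the list it came from so a
# hit can be documented ("Document, Document, Document") with its provenance.
WATCH_LIST = [
    {"name": "Acme Trading GmbH", "aliases": ["ACME Trading", "Acme Handels GmbH"],
     "source": "sanctions-list-A", "programme": "example-programme"},
    {"name": "Juan Carlos Pérez", "aliases": ["J. C. Perez", "Juan C. Perez"],
     "source": "pep-list-B", "programme": "politically exposed person"},
    {"name": "Global Freight Services Ltd", "aliases": [],
     "source": "debarment-list-C", "programme": "debarred contractor"},
]

# Corporate suffixes carry little identifying information and cause misses when
# "Acme Trading GmbH" is compared with "ACME TRADING" (assumed list, extend as needed).
LEGAL_SUFFIXES = {"gmbh", "ltd", "limited", "llc", "inc", "corp", "corporation", "ag", "plc"}


def normalize(name: str) -> str:
    """Fold accents (Pérez -> perez), lowercase, drop punctuation and legal suffixes."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    text = re.sub(r"[^a-z0-9 ]+", " ", text.lower())
    tokens = [t for t in text.split() if t not in LEGAL_SUFFIXES]
    return " ".join(tokens)


def similarity(a: str, b: str) -> float:
    """Score in [0, 1]: character similarity, or token-set overlap for reordered names."""
    na, nb = normalize(a), normalize(b)
    if not na or not nb:
        return 0.0
    seq = SequenceMatcher(None, na, nb).ratio()
    ta, tb = set(na.split()), set(nb.split())
    jaccard = len(ta & tb) / len(ta | tb)
    return max(seq, jaccard)


@dataclass
class Hit:
    subject: str
    matched_name: str
    source: str
    programme: str
    score: float


def screen(subject: str, watch_list=WATCH_LIST, threshold: float = 0.85) -> list:
    """Return every watch-list entry whose name or alias scores at or above threshold."""
    hits = []
    for entry in watch_list:
        candidates = [entry["name"]] + entry["aliases"]
        best_name, best = max(((c, similarity(subject, c)) for c in candidates),
                              key=lambda pair: pair[1])
        if best >= threshold:
            hits.append(Hit(subject, best_name, entry["source"], entry["programme"], round(best, 3)))
    return sorted(hits, key=lambda h: h.score, reverse=True)


def screening_record(subjects, threshold: float = 0.85) -> dict:
    """The evidence a regulator asks for: each name screened, its hits, and the threshold used."""
    return {
        "threshold": threshold,
        "results": {s: [h.__dict__ for h in screen(s, threshold=threshold)] for s in subjects},
    }


if __name__ == "__main__":
    # Constructed counterparties: one alias match, one reordered name, one clean.
    for name in ["ACME TRADING", "Perez Juan Carlos", "Northwind Traders"]:
        print(name, "->", screen(name) or "no hits")
```

Two design points matter in practice. Accent folding and suffix stripping happen before comparison, so the same routine treats “Acme Trading GmbH” and “ACME TRADING” as one name, and the token-set score catches surname-first orderings that a pure string ratio would miss. Every hit carries its source list, which is what turns a screening run into a record you can show a regulator, and a clean result is recorded too, not just the hits.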

Level II 

Level II due diligence supplements the global watch list screening with a deeper screening of international media, typically the major newspapers and periodicals from all relevant countries, plus detailed internet searches. Such inquiries will often reveal other forms of corruption-related information and may expose undisclosed or hidden information about the company, the third party’s key executives and associated parties. I believe that Level II should also include an in-country database search regarding the third party. Other types of information that you should consider obtaining include: 

  • country-of-domicile and international government records;
  • assessments of the third party from in-country sources;
  • derogatory electronic and physical media searches, run in both English and the local language, in the third party’s country of domicile; and
  • if you are in a specific industry, information from sector-specific sources obtained through technical specialists. 

Level III

This level is the deep dive. It will require an in-country ‘boots-on-the-ground’ investigation. According to Candice Tal, founder of Infortal, Level III due diligence investigation is designed to supply your company “with a comprehensive analysis of all available public records data supplemented with detailed field intelligence to identify known and more importantly unknown conditions.  Seasoned investigators who know the local language and are familiar with local politics bring an extra layer of depth assessment to an in country investigation.” Further the “Direction of the work and analyzing the resulting data is often critical to a successful outcome; and key to understanding the results both from a technical perspective and understanding what the results mean in plain English.  Investigative reports should include actionable recommendations based on clearly defined assumptions or preferably well-developed factual data points.” 

But more than simply an investigation of the company, critically including a site visit coupled with onsite interviews, Tal says that other things you should investigate include “an in-depth background check of key executives or principal players. These are not routine employment-type background checks, which are simply designed to confirm existing information; but rather executive due diligence checks designed to investigate hidden, secret or undisclosed information about that individual.” Tal also points to “reputational information, involvement in other businesses, direct or indirect involvement in other law suits, history of litigious and other lifestyle behaviors which can adversely affect your business, and public perceptions of impropriety, should they be disclosed publicly.” 

Further, you may need to engage a foreign law firm to investigate the third party in its home country and determine its compliance with home-country laws, licensing requirements and regulations. Lastly, and perhaps most importantly, you should use a Level III to look the proposed third party in the eye and get a firm idea of its cooperation and attitude towards compliance, because one of the most important inquiries is not legal but rests on the response and cooperation of the third party. Beyond determining whether the third party objected to any portion of the due diligence process, or to the scope, coverage or purpose of the FCPA, you can use a Level III to determine whether the third party is willing to stand up under the FCPA and whether you are willing to partner with it. 

The Risk Advisory Group has put together a handy chart of its Level I, II and III approaches to integrity and due diligence. I have found it useful in explaining the different scopes and focuses of the various levels of due diligence.

There are many different approaches to the specifics of due diligence. By laying out some of the approaches, you can craft the relevant portions into your program. The Level I, II & III trichotomy appears to have the greatest favor and one that you should be able to implement in a straightforward manner. But the key is that you must assess your company’s risk and then manage that risk. If you need to perform additional due diligence to answer questions or clear red flags you should do so. And do not forget to Document Document Document all your due diligence.  

Three Key Takeaways

  1. A Level I due diligence should only be used where there is a low risk of corruption.
  2. A Level II due diligence is sufficient in a high-risk jurisdiction if there are no red flags to clear.
  3. A Level III due diligence is a deep-dive, boots-on-the-ground investigation.

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos ABAC accelerator, the leading platform for third party risk management. To learn more, go to www.opus.com.

 

Apr 6, 2017

Most companies fully understand the need to comply with the FCPA requirements around third parties, as they represent the greatest risk for an FCPA violation. However, most companies are not created out of whole cloth but are ongoing enterprises with a fully up-and-running business in place. This means they may need to bring resources to bear to comply with the FCPA while continuing to operate an ongoing business. This can be particularly true in the area of performing due diligence on third parties. Many companies understand the need for a robust due diligence program to investigate third parties, but have struggled with how to create an inventory to define the basis of third party risk and thereby perform the requisite due diligence required under the FCPA.

Getting your arms around due diligence can sometimes seem bewildering for the compliance practitioner. The information that you should have developed in Steps 1 and 2 of the third-party management process should provide you with the initial information to consider the level of due diligence that you should perform on third parties. This leads to Step 3 in the five steps of third-party management: Due Diligence. 

Jay Martin, CCO at Baker Hughes, often emphasizes that a company needs to evaluate and address its risks regarding third parties. This means that the appropriate level of due diligence may vary depending on the risks arising from the relationship. So, for example, the appropriate level of due diligence required by a company when contracting for the performance of Information Technology services may be low, to reflect low risks of bribery on its behalf. Conversely, a business entering the international energy market and selecting an intermediary to assist in establishing a business in such markets will typically require a much higher level of due diligence to mitigate the risks of bribery on its behalf. 

Our British compliance cousins are, of course, subject to the UK Bribery Act. In Principle IV of an Adequate Procedures compliance program, the UK Ministry of Justice (MOJ) stated, “The commercial organisation applies due diligence procedures, taking a proportionate and risk based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks.” The purpose of Principle IV is to encourage businesses to put in place due diligence procedures that adequately inform the application of proportionate measures designed to prevent persons associated with a company from bribing on their behalf. The MOJ recognized that due diligence procedures act both as a procedure for anti-bribery risk assessment and as a risk mitigation technique. The MOJ said that due diligence is so important that “the role of due diligence in bribery risk mitigation justifies its inclusion here as a Principle in its own right.” 

Carol Switzer, writing in Compliance Week related that you should initially set up categories for your third parties of high, moderate and low risk. Based upon which risk category the third party falls into, you can design specific due diligence. She defined low risk screening as “trusted data source search and risk screening such as the aforementioned World Compliance”; moderate risk screening as “enhanced evaluation to include in-country public records…and research into corporate relationships”; high risk screening is basically a “deep dive assessment” where there is an audit/review of third party controls and financial records, in-country interviews and investigations “leveraging local data sources.” 

A three-step approach was also discussed favorably in Opinion Release 10-02. In this Opinion Release, the DOJ discussed the due diligence that the requesting entity performed. “First, it [the requestor] conducted an initial screening of six potential grant recipients by obtaining publicly available information and information from third-party sources…Second, the Eurasian Subsidiary undertook further due diligence on the remaining three potential grant recipients. This due diligence was designed to learn about each organization’s ownership, management structure and operations; it involved requesting and reviewing key operating and assessment documents for each organization, as well as conducting interviews with representatives of each MFI to ask questions about each organization’s relationships with the government and to elicit information about potential corruption risk. As a third round of due diligence, the Eurasian Subsidiary undertook targeted due diligence on the remaining potential grant recipient, the Local MFI. This diligence was designed to identify any ties to specific government officials, determine whether the organization had faced any criminal prosecutions or investigations, and assess the organization’s reputation for integrity.” 

Three Key Takeaways

  1. You must have enough information to fully identify the owners, ultimate beneficial owners and related parties to determine if there is foreign official involvement.
  2. All commentary on best practices compliance programs require an appropriate level of due diligence.
  3. The best practice is to use a professional due diligence provider to perform due diligence level 2 and 3. 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos ABAC accelerator, the leading platform for third party risk management. To learn more, go to www.opus.com.


Apr 6, 2017

In this episode, I visit with Adelle Berger, who recently became the Chief Integrity Officer at Louis Berger. Some of the topics we discuss are:

  • Why is her title “Chief Integrity Officer” as opposed to Chief Compliance Officer or Chief Ethics and Compliance Officer?;
  • What is the role of a CCO around integrity, or how does she see her role at Louis Berger as different from that of a traditional CCO?;
  • Does she have any specific initiatives around ‘integrity’?;
  • How can a Chief Integrity Officer help drive the values and culture in an organization;
  • Her academic background is not the usual one for a compliance professional, so what took her into the field; and
  • How a Chief Integrity Officer is the most recent iteration of the compliance function, Compliance 3.0.

Apr 5, 2017

The next step in the five-step process is the Questionnaire. The term ‘questionnaire’ is mentioned several times in the 2012 FCPA Guidance. It is generally recognized as one of the tools that a company should complete in its investigation to better understand with whom it is doing business. The questionnaire should be a mandatory step for any third party that desires to work with your company. I tell clients that if a third party does not want to fill out the questionnaire, or will not fill it out completely, you should not walk but run away from doing business with such a party. 

In the UK Ministry of Justice’s (MOJ) 2011 discussion of the Six Principles of an Adequate Procedures compliance program, the MOJ said that a Questionnaire “means that both the business person who desires the relationship and the foreign business representative commit certain designated information in writing prior to beginning the due diligence process.” 

One of the key requirements of any successful anti-corruption compliance program is that a company must make an initial assessment of a proposed third party. The size of a company does not matter, as small businesses can face quite significant risks and will need more extensive procedures than other businesses facing limited risks. The level of risk that a company faces will also vary with the type and nature of the third parties with which it may have business relationships. For example, a company that properly assesses that there is no risk of bribery on the part of one group of its third parties will require nothing in the way of procedures to prevent bribery in the context of those relationships. By the same token, the bribery risks associated with reliance on a third party agent representing a company in negotiations with foreign public officials may be assessed as significant and, accordingly, require much more in the way of procedures to mitigate those risks. 

What should you ask for in your questionnaire? Randy Corley, Executive Vice President (EVP), Global Compliance Officer at Edelman Inc., said in a presentation at Compliance Week 2012, entitled “3rd Party Due Diligence Best Practices in Establishing an Effective Anti-Corruption Program”, that his company has developed a five-step approach to evaluating and managing its third parties. In Step 3 they ask, “What Do You Need To Know?” Initially, Corley said, the scope of review depends on the risk assessment: High Risk, Medium Risk or Low Risk. This risk ranking will determine the level of information collected and due diligence performed. The key element of this step is data collection. The initial step is to have the third party complete an application, which should include requests for information on background and experience, scope of services to be provided, relevant experience, a list of actual and beneficial owners, references and compliance expertise. 

Below are some of the areas which I think you should inquire into with a proposed third party: 

  • Ownership Structure: Describe whether the proposed third party is a government or state-owned entity, and the nature of its relationship(s) with local, regional and governmental bodies. Are any members of the business partner related, by blood, to governmental officials?
  • Financial Qualifications: Describe the financial stability of, and all capital to be provided by, the proposed third party. You should obtain financial records, audited for 3 to 5 years, if available. Obtain the name and contact information for their banking relationship.
  • Personnel: Determine whether the proposed agent will be providing personnel, particularly whether any of the employees are government officials. Make sure that you obtain the names and titles of those who will provide services to your company.
  • Physical Facilities: Describe the physical facilities that will be used by the third party for your work. Be sure to obtain their physical address.
  • References: Obtain names and contact information for at least three business references that can provide information on the business ethics and commercial reliability of the proposed third party.
  • PEPs: Are any of the owners, beneficial owners, officers or directors politically exposed persons (PEPs)?
  • UBOs: It is imperative that you obtain the identity of the Ultimate Beneficial Owner (UBO).
  • Compliance Regime: Does the proposed third party have an anti-corruption/anti-bribery program in place? Do they have a Code of Conduct? Obtain copies of all relevant documents and training materials.
  • FCPA Training and Awareness: Has the proposed third party received FCPA training or been certified by a recognizable entity? 

One thing that you should keep in mind is that you will likely have pushback from your business team in making many of the inquiries listed above. However, my experience is that most proposed agents that have done business with US or UK companies have already gone through this process. Indeed, they understand that by providing this information on a timely basis, they can set themselves apart as more attractive to US businesses. 

The questionnaire fills several key roles in your overall management of third parties. Obviously, it provides key information that you need to know about who you are doing business with and whether they have the capabilities to fulfill your commercial needs. Just as important is what is said if the questionnaire is not completed or is only partially completed, such as a lack of awareness of the FCPA, the UK Bribery Act or anti-corruption/anti-bribery programs generally. Lastly, the information provided (or not provided) in the questionnaire will assist you in determining what level of due diligence to perform.

Three Key Takeaways

  1. You must have enough information to fully identify the owners, ultimate beneficial owners and related parties to determine if there is foreign official involvement.
  2. All commentary on best practices compliance programs still require questionnaires.
  3. If a third party refuses to fully respond to your questionnaire, walk away from the proposed relationship. 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos ABAC accelerator, the leading platform for third party risk management. To learn more, go to www.opus.com.


Apr 5, 2017

In this episode Matt Kelly and I take a deep dive into the recent kerfuffle involving United Airlines and its policy which prevented two teenaged girls from boarding a flight wearing leggings. Was United within its rights to exclude the passengers for inappropriate dress? Is the policy valid? Did the gate agent receive appropriate training to make their decision? In the world of today, social media accelerates the ability to judge, without improving the ability to judge. For ethics & compliance officers, that means every compliance risk is now magnified into a reputation risk. Finally, we consider Matt's closing sentence, "Training, values, culture, judgment. Funny how those four things keep cropping up, isn’t it?" and what it means for compliance. 

For more insight, read Matt's blog post, "United's Policy Management Lessons".

Apr 4, 2017

The Evaluation, in Prong 10, Third Party Management, asks, “What was the business rationale for the use of the third party in question?” This question is one of the most basic tools to operationalize your compliance program and should form the basis of your third-party risk management process. 

It is common sense that you should have a business rationale to hire or use a third party. If that third party is in the sales chain of your international business it is important to understand why you need to have that specific third party representing your company. This concept is enshrined in the 2012 FCPA Guidance, which says “companies should have an understanding of the business rationale for including the third party in the transaction. Among other things, the company should understand the role of and need for the third party and ensure that the contract terms specifically describe the services to be performed.” 

The Internal Revenue Service (IRS) also considers a business rationale to be an important part of any best practices anti-corruption compliance regime. Clarissa Balmaseda, a special agent in charge of IRS criminal investigation, speaking at a presentation, said that the lack of a business rationale is a Red Flag; indeed, the IRS views such a lack of business rationale as possible indicia of corruption. With the Department of Justice, Securities and Exchange Commission and IRS all noting the importance of a business rationale, it is clear this is something you should use to operationalize your compliance program. 

But the business rationale also provides your company the opportunity to help drive compliance into the fabric of your everyday operations. This is done by requiring the employee who prepares the business rationale to be the Business Sponsor of that third party. The Business Sponsor can provide the most direct means of communication to the third party and can be the point of contact for compliance issues.

Tyco International takes this approach in its Seven Step Process for Third Party Qualification. Tyco breaks the first step into two parts, which include: 

  1. Business Sponsor - Initially identify a business sponsor or primary contact for the third party within your company. This requires not only business unit buy-in but business unit accountability for the business relationship and puts the onus on each stakeholder to more fully operationalize this portion of your compliance program.
  2. Business Rationale - The Business Sponsor should then articulate a commercial reason to initiate or continue to work with the third party. You need to determine how this third party will fit into your company’s value chain and whether they will become a strategic partner or will be involved in a one-off transaction only. 

What should go into your Business Rationale? At the most basic level, you should craft a document which works for both you as the compliance practitioner and the business folks in your company. There are some basic concepts, which include the following. You need the name and contact information for both the Business Sponsor and the proposed third party. You need to inquire into how the Business Sponsor came to know about the third party, because it is a Red Flag if a customer or government representative points you towards a specific third party. You should inquire into what services the third party will perform for your company, and the length of time and compensation rate for the third party. You will also need an explanation of why this specific third party should be used as opposed to an existing or other third party, if such were considered. All this information should be written down and then signed by the Business Sponsor. 

Another way to think about this issue is by considering the competence of the foreign business partner to provide services to your organization. Such considerations include a review of the qualifications of the third-party candidate for subject matter expertise, the resources to perform the services for which they are being considered and the third party’s expected activities for your company. More detailed inquiries include requiring the relevant business unit which desires to obtain the services of any third party to provide you with a business rationale, including current opportunities in territory, how the candidate was identified and why no currently existing third party relationships can provide the requested services. Your next inquiry should focus on the terms of the engagement, including the commission rate, the term of the agreement, what territory may be covered by the agreement and whether such relationship will be exclusive. 

Remember, the purpose of the Business Rationale is to document the satisfactoriness of the business case to retain a third party. The Business Rationale should be included in the compliance review file assembled on every third party at the time of initial certification and again if the third-party relationship is renewed. As explained by the Tom Fox Mantra for compliance, this means Document Document Document. 

Three Key Takeaways

  1. You should always have a business reason for using a third party which is articulated by the business folks, not compliance.
  2. A Business Sponsor is the key relationship going forward in operationalizing your compliance program through the life of the third-party relationship with your company.
  3. Always remember to Document Document Document. 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos ABAC Accelerator, the leading platform for third party risk management. To learn more, go to www.opus.com.

Apr 4, 2017

In this episode I visit with John Hanson (AKA 'the Fraud Guy'), who is also the founder of the International Association of Independent Corporate Monitors (IAICM). He discusses why he founded the group, the needs it hopes to address, the resources available to members and others, and how someone can apply for membership. The Association's website is icicm.org. For additional information you can contact Hanson at jhanson@iaicm.org. Finally, for more information see my blog post IAICM Shines a Light on Corporate Monitors.

Apr 3, 2017

Day 1 - The Third-Party Risk Management Process

This month, I will consider the risk management of third parties in an operationalized compliance program. As every compliance practitioner is well aware, third parties still present the highest risk under the Foreign Corrupt Practices Act (FCPA). The Department of Justice Evaluation of Corporate Compliance Programs devotes an entire prong to third party management. It begins with the following: 

Risk-Based and Integrated Processes: How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes? 

This first set of queries clearly specifies that the DOJ expects an integrated approach that is operationalized throughout the company. This means your compliance program must have a process for the full life cycle of third party risk management. There are five steps in the life cycle of third party management. 

  1. Business Justification and Business Sponsor;
  2. Questionnaire to Third Party;
  3. Due Diligence on Third Party;
  4. Compliance Terms and Conditions, including payment terms; and
  5. Management and Oversight of Third Parties After Contract Signing. 

Over this month, I will be exploring each of these steps in detail so by the end of this month, you will be able to fully operationalize your third party risk management program. 

Step 1 - Business Justification

The first step breaks down into two parts: 

  1. Business Sponsor
  2. Business Justification

The purpose of the Business Justification is to document the satisfactoriness of the business case to retain a third party. The Business Justification should be included in the compliance review file assembled on every third party at the time of initial certification and again if the third party relationship is renewed. 

Step 2 - Questionnaire

The term ‘questionnaire’ is mentioned several times in the 2012 FCPA Guidance. It is generally recognized as one of the tools that a company should complete in its investigation to better understand with whom it is doing business. I believe that this requirement is not only a key step but also a mandatory step for any third party that desires to do work with your company. I tell clients that if a third party does not want to fill out the questionnaire, or will not fill it out completely, you should not walk but run away from doing business with such a party. 

One thing that you should keep in mind is that you will likely have pushback from your business team in making many of the inquiries in the questionnaire. However, my experience is that most proposed agents that have done business with US or UK companies have already gone through this process. Indeed, they understand that by providing this information on a timely basis, they can set themselves apart as more attractive to US businesses. 

Step 3 - Due Diligence

Most compliance practitioners understand the need for a robust due diligence program to investigate third parties, but have struggled with how to create an inventory to define the basis of risk of each foreign business partner and thereby perform the due diligence required under the FCPA. Getting your arms around due diligence can sometimes seem bewildering for the compliance practitioner. 

Our British compliance cousins of course are subject to the UK Bribery Act. In its Six Principles of an Adequate Procedures compliance program, the UK MOJ stated, “The commercial organisation applies due diligence procedures, taking a proportionate and risk based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks.” The purpose of this principle is to encourage businesses to put in place due diligence procedures that adequately inform the application of proportionate measures designed to prevent persons associated with a company from bribing on their behalf. The MOJ recognized that due diligence procedures act both as a procedure for anti-bribery risk assessment and as a risk mitigation technique.

After you have completed Steps 1-3 and then evaluated and documented your evaluation, you are ready to move on to Step 4 - the contract. In the area of compliance terms and conditions, the FCPA Guidance intones “Additional considerations include payment terms and how those payment terms compare to typical terms in that industry and country, as well as the timing of the third party’s introduction to the business.” This means that you need to understand what the rate of commission is and whether it is reasonable for the services delivered. If the rate is too high, this could be indicia of corruption, as high commission rates can create a pool of money to be used to pay bribes. If your company uses a distributor model on its sales side, then it needs to review the discount rates it provides to its distributors to ascertain that the discount rate is warranted. 

Step 4 - The Contract

You must evaluate the information and show that you have used it in your process. If it is incomplete, it must be completed. If Red Flags have appeared, these Red Flags must be cleared or you must demonstrate how you will manage the risks identified. In other words, you must Document, Document and Document that you have read, synthesized and evaluated the information garnered in Steps 1-3. As the DOJ and SEC continually remind us, a compliance program must be a living, evolving system and not simply a ‘Check-the-Box’ exercise.

Step 5 - Management of the Relationship

I often say that after you complete Steps 1-4 in the life cycle management of a third party, the real work begins, and that work is found in Step 5 - the Management of the Relationship. While the work done in Steps 1-4 is absolutely critical, if you do not manage the relationship it can all go downhill very quickly and you might find yourself with a potential FCPA or UK Bribery Act violation. There are several different ways that you should manage your post-contract relationship. Here we will explore some of the tools which you can use to help make sure that all the work you have done in Steps 1-4 will not be for naught and that you will have a compliant anti-corruption relationship with your third party going forward. 

Final Thoughts 

I continually give my Mantra of FCPA compliance, which is Document, Document, and Document. Each of the steps you take in the management of your third parties must be documented. Not only must they be documented, but they must be stored and managed in a manner that lets you retrieve them with relative ease. The management of third parties is absolutely critical in any best practices compliance program. As you sit at your desk pondering whether this assignment given to you by the CCO is a career-ending dead-end, you should take heart, because there is clear and substantive guidance out there which you can draw upon. 

Three Key Takeaways

  1. Use the full 5-step process for 3rd party management.
  2. Make sure you have BD involvement and buy-in.
  3. Operationalize all steps going forward by including business unit representatives. 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos ABAC Accelerator, the leading platform for third party risk management. To learn more, go to www.opus.com.

Mar 31, 2017

I conclude my One Month to Operationalizing your Compliance Program series by discussing how you can put your compliance program at the center of corporate strategy. An article in the Harvard Business Review (HBR) by Frank Cespedes, entitled “Putting Sales at the Center of Strategy”, discussed how to connect up management’s new sales plans with the “field realities.” Referencing the well-known Sam Waltonism that “There ain’t many customers at headquarters”; Cespedes believes that “If you and your team can’t make the crucial connections between strategy and sales, then no matter how much you invest in social media or worry about disruptive innovations, you may end up pressing for better execution when you actually need a better strategy or changing strategic direction when you should be focusing on the basics in the field.” 

This can be a critical problem when operationalizing compliance, because operationalizing compliance is usually perceived as a top-down exercise. The reality is that the employee base that must execute the compliance strategy is not considered. Even when there are comments from employees on compliance initiatives, they are often derisively characterized as ‘push-back’ and not taken into account in moving the compliance effort forward. 

Communicate the Strategy 

It can be difficult for an employee base to implement a strategy that they do not understand. Even with a company-wide training rollout, what typically follows is “a string of e-mails from headquarters and periodic reports back on results. There are too few communications, and most are one-way; the root causes of underperformance are often hidden from both groups.” Here Cespedes’ insight is that clarification is a leadership responsibility, and in the compliance function that means the Chief Compliance Officer (CCO) or other senior compliance practitioner. Moreover, if the problem is that employees do not understand how to function within the parameters of the compliance program, then there is a training problem, and that is the fault of the compliance department. I once was subjected to a PowerPoint of 268 slides, which lasted 7.5 hours, about my company’s compliance regime. To say this was worse than useless was accurate. The business guys were all generally asleep one hour into the presentation as we went through the intricacies of the books and records citations to the FCPA. The training was a failure, but it was not the fault of the attendees. If your own employees do not understand your compliance program, that is your fault. 

Continually improve your compliance productivity

Why not incentivize productivity around compliance? Work with your Human Resources (HR) department to come up with appropriate financial incentives. Many companies have ad hoc financial awards, which they present to employees to celebrate and honor outstanding efforts. Why not give out something like that around doing business in compliance? Does your company have, as a component of its bonus compensation plan, a part dedicated to compliance and ethics? If so, how is this component measured and then administered? There is very little in the corporate world that an employee notices more than what goes into the calculation of their bonuses. HR can, and should, facilitate this process by setting expectations early in the year and then following through when annual bonuses are released. With the assistance of HR, such a bonus can send a powerful message to employees regarding the seriousness with which compliance is taken at the company. There is nothing like putting your money where your mouth is for people to stand up and take notice. 

Improve the human element in your compliance program 

This is another area where HR can help the compliance program. More than ongoing assessment of employees for promotion into leadership positions, here HR can assist on the ground floor. HR can take the lead in asking questions around compliance and ethics in the interview process. Studies have suggested that Gen Y and Gen X employees in particular appreciate such inquiries and want to work for companies that make business ethics a part of the discussion. By having the discussion during the interview process, you can not only set expectations but also begin the training process on compliance. 

However, this approach should not end when an employee is hired. HR can also assist your compliance efforts by tracking employees through their company career to identify those who perform highly on any compliance metric. This can also facilitate the delivery of more focused compliance training to those who may need it because of changes in compliance risks during their careers. 

Make your compliance strategy relevant 

Cespedes notes, “Most C-suite executives know these value-creation levers, but too few understand and operationalize the sales factors that affect them.” In the sales world this can translate into a reduction in assets allocated to underperforming activities. This is all well and good, but such actions must be coupled with an understanding of why sales might be underperforming in certain areas. In the compliance realm, I think this translates into two concepts: ongoing monitoring and risk assessment. Ongoing monitoring can allow you to move from a simple prevent mode to a more prescriptive mode, where you can uncover violations of your company’s compliance program before they become full blown FCPA violations. By using a risk assessment, you can take the temperature of where and how your company is doing business and determine if new products or service offerings increase your compliance risks. 

Above all, you need to get out and tell the compliance story. Louis D’Ambrosio was quoted as saying, “You have to repeat something at least 10 times for an organization to fully internalize it.” If there is a disconnect between your compliance strategy and how your employee base is implementing or even interpreting that strategy, get out of the office and go out to the field. But you need to do more than simply talk; you also need to listen. Doing so can help to align your company’s compliance strategy with its delivery in the field. 

Three Key Takeaways

  1. Use information from your employees to make your compliance program more productive.
  2. Use social media and other innovative techniques to communicate your compliance strategy.
  3. Operationalize Operationalize Operationalize, then Document Document Document. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 31, 2017

Show Notes for Episode 46, for the week ending March 31, the On the Road to Prague Edition 

In this episode, Jay and I have a wide-ranging discussion on operationalizing compliance through business processes. We discuss: 

  1. Why powerful people fail to stop bad behavior by their underlings. Click here for the article.
  2. Some policy management lessons, courtesy of United Airlines. Click here for Matt Kelly’s article on Radical Compliance.
  3. Why you shouldn’t linger too long in the wrong compliance position. See Julie DiMauro’s blog post on the FCPA Blog.
  4. Bribe recipient in the Gerald and Patricia Green FCPA case gets 50 years in prison. See article in the FCPA Blog.
  5. Using data to operationalize your compliance program. Read Tom’s blog post, by clicking here.
  6. What the New York State Department of Financial Services’ new regulation on cybersecurity for financial services companies means for compliance officers. See Tom’s blog post by clicking here.
  7. Jay previews his weekend report. 

Jay Rosen new contact information: 

Jay Rosen, CCEP

Vice President, Business Development

Monitoring Specialist 

Affiliated Monitors, Inc.

Mobile (310) 729-6746

Toll Free (866)-201-0903

JRosen@affiliatedmonitors.com

Mar 30, 2017

The Evaluation of Corporate Compliance Programs, Prong 6, Incentives and Disciplinary Measures states: 

Incentive System: How has the company incentivized compliance and ethical behavior? How has the company considered the potential negative compliance implications of its incentives and rewards? Have there been specific examples of actions taken (e.g., promotions or awards denied) as a result of compliance and ethics considerations?

How can you measure compliance in senior management or evaluate it for the purposes of a bonus calculation? This has often been difficult to sustain in a company because the compliance evaluation of a senior manager or company leader is often viewed as too subjective. An article entitled “Integrating Your Compliance Programme Into the Variable Compensation of Executives” addressed these issues and concerns. 

The article was built around a case study of the Sorin Group, a healthcare multinational, and the company’s incentive program for its compliance regime. The company created such an incentive program to “influence actual behaviors, and not merely the consequences of any wrongdoing that may occur.” Compliance has been made an integral part of each manager’s performance objectives. Members of the company’s Executive Leadership Team (ELT) and the other leaders of all its corporate functions and “business units are directly responsible for the culture, understanding, observance and adoption of the Sorin Code of Conduct, the Sorin United States and international compliance policies and procedures” and their respective health industry codes of practice.

Each of the different functions within the Sorin Group has adopted individual performance objectives specifically regarding compliance. The individualized “compliance objectives are agreed and documented every year for each function and senior manager, and form part of the process of continuous performance review (written reviews twice yearly) managed by Sorin’s human resources team. The responsible executive of each function or group is required to cascade each of the compliance obligations to those employees under them. This ensures that the whole company has compliance integrated into their variable remuneration.” 

The company’s evaluation process includes interviews of the staff who report to each senior executive, conducted by the General Counsel (GC) or another member of the compliance function “to determine their adherence to the compliance objectives.” Additionally, “An assessment is performed alongside line managers and a member of the human resources team to determine whether the obligations have been met, and to what extent.” Lastly, this same system applies to the company’s Board of Directors and Chief Executive Officer (CEO). 

The variable compensation awarded at the end of each year can be affected in two ways by this compliance evaluation. The first is for an entire group and “If a group fails to meet expectations for the specific objectives the executive and their whole team will miss out on the entire variable pay for that year.” But “If a group meets some expectations for the compliance objectives they will receive payment of the variable, with the amount dependent on the amount of objectives that have been met.” The same holds true for the individual within the group so that “if an employee fails to meet his or her compliance objectives, the whole bonus for that employee will remain unpaid.” 

Some examples of compliance obligations that are measured and evaluated include the following: 

For the ELT

  • Lead from the top – in your own conduct (lead by example) and in the decisions you take, to the resources and time you commit to compliance;
  • Facilitate and proactively practice in day-to-day activities the key compliance competencies, both internally and externally; and
  • Support specific initiatives from the CCO, compliance function.


For Department Heads

  • Demonstrate, facilitate and proactively practice in day-to-day activities the key compliance competencies, both internally and externally;
  • Support specific initiatives from the compliance function;
  • Ensure that all employees, agents and contractors directly or indirectly reporting to you fully complete all required training and communications in a timely manner;
  • Provide full cooperation with investigations conducted by the compliance or legal functions of any alleged violation of compliance policies;
  • Include the Chief Compliance Officer or another legal or compliance function representative in your management meetings at least twice per year, per geography;
  • Identify instances of non-compliance and support compliance monitoring and reporting systems; and
  • Partner with compliance in resolving compliance issues.

For Country Heads of Sales

  • Certify that all employees, agents and contractors directly or indirectly reporting to you have fully reported all sales and marketing interactions with all government officials or employees of state-owned enterprises in a timely manner and
  • Certify that all employees, agents and contractors directly or indirectly reporting to you have fully, promptly and accurately reported all expenses with government officials or employees of state-owned enterprises on ERP. 

The article also speaks of five things to consider when developing such a compliance incentive program. (1) The program needs to be cascaded down the organization so that it applies to all levels in the company. (2) Include both a 360-degree review and a mid-year review. (3) To truly incentivize senior management, the compliance objectives should be at least 25% of the overall discretionary bonus program. (4) Do not have simply ‘tick-the-box’ incentives, but include subjective incentives as well. 

The final item to consider is that you need to have SMART compliance objectives, which are defined as: 

  • Specific: A specific objective has a much greater chance of being accomplished than a general objective (e.g., don’t just say “ensure training has been completed by your team”; instead specify:
    • Who: who needs to be trained?
    • What: what training objectives do you want to accomplish?
    • Where: identify a location for the training
    • When: establish a time frame for the training to be completed
    • Which: identify requirements and constraints for any training
    • Why: provide specific reasons, purpose or benefits of accomplishing the training objective).
  • Measurable: Establish concrete criteria for measuring progress toward the attainment of each objective you set.
  • Aggressive but attainable: When you identify objectives that are most important to the compliance function and the relevant business, employees are more likely to see the value in making them come true.
  • Realistic: To be realistic, an objective must represent something which you are both willing and able to work toward.
  • Timely: An objective should be grounded within a timeframe. 

The article ends with some insights into lessons learned, including the following: 

  • Top down: If your ELT is truly on board you can make big leaps and not limit your compliance ambitions to incremental steps.
  • Personalize: The objectives should be more personal to each function and more granular.
  • Balance: Have qualitative judgments but couple them with concrete and - most importantly - objective and measurable key performance indicators.
  • Publicize: Talking about real examples involving the company’s own people makes the difference.
  • Be positive: Focus your company’s efforts on positively incentivizing behavior. In other words, use both the carrot and the stick.
  • Just do it: Stop talking the talk and start walking the walk. 

The Evaluation makes clear that the Department of Justice expects incentives to be operationalized into your compensation structure. While there may always be subjectivity built into any compensation incentive system, that does not mean financial incentives cannot be written into the evaluation of any senior management to help guide ethical business practices. 

Three Key Takeaways

  1. The Evaluation requires not only carrots around compliance but metrics to justify compensation.
  2. Provide metrics for each level of employee to hit as a part of a discretionary bonus evaluation.
  3. Up to 25% of a discretionary bonus should be based on compliance or an ethical component. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 30, 2017

In this episode I visit with Brandon Essig, who was a DOJ prosecutor when the Yates Memo was released. He discusses the impact of the Yates Memo inside the DOJ and the triage that prosecutors use on cases in response. For Brandon's blog post on the topic on LinkedIn, click here.

Mar 29, 2017

Even with a great Tone-at-the-Top and in the middle, you cannot stop. One of the greatest challenges for a compliance practitioner is how to affect the ‘tone at the bottom’. In an article in the Spring 2012 Issue of the MIT Sloan Management Review, entitled “Uncommon Sense: How to Turn Distinctive Beliefs Into Action”, the authors explored an “often overlooked, critical source of differentiation,” a company’s beliefs, and provided techniques on how to tap into those beliefs. The authors listed seven approaches that they have used which I believe the compliance practitioner can use not only to determine the ‘Tone at the Bottom’ but to impact that tone. They are as follows: 

  1. Assemble a group. You need to assemble a group of employees who are familiar with the challenges of doing business in a compliant manner in certain geographic regions. Include both long-time employees and those who are relatively new to the organization. The authors also suggest that if you have any employees who have worked for competitors or for other organizations in your industry you include them as well.
  2. Ask questions. You should ask the members of this group to articulate their basic assumptions about your compliance model, about the management model, about your company’s business model and the future of the industry in general. Ask them to do this individually and not as a group.
  3. Categorize the responses. Now comes the work by the compliance practitioner or compliance team. These assumptions will usually fall into two groups. The first is the assumptions that everyone agrees upon: the common beliefs. The second is those assumptions that only a few of the participants identify; these are what the authors call the “uncommon beliefs”.
  4. Develop tests for common beliefs. For those beliefs labeled common, consider how you know them to be true. The authors caution that simply because the group believes something about how the company or the industry operates, or that we “do it because it has always been done this way,” does not make it a “hard fact.” Consider what test you could perform to verify the common belief you wish to test. The authors note that the purpose here is to “identify the ‘common nonsense’ beliefs that everyone holds that are not actually hard laws of nature.”
  5. Develop tests for uncommon beliefs. Here the authors suggest that you need to consider why some people think these beliefs are true. What is the information or experience they have drawn upon? Is there any way for you to test these uncommon beliefs?
  6. Reassemble the original group. You should reassemble the original group and have them consider the beliefs that they articulated individually in the context of your compliance model and how both your company and your industry do business. Lead a discussion that attempts to identify any assumptions or beliefs that “are quite possibly wrong, but worth experimenting with anyway.”
  7. List the experiments to perform. The authors believe that the outcome of the first six steps will be “a list of possible experiments [tests] to conduct” to determine the validity of the common and uncommon beliefs. These tests can be accomplished in the regular course of business or through a special project with a dedicated team and separate budget. You should agree on the testing process and review your testing assumptions throughout the process. This process can and should take some time, so do not set yourself such a tight time frame that it cannot fully mature.

By engaging employees at this level, you can find out not only what the employees think about the company compliance program but also use their collective experience to help design a better and more effective compliance program. Employees want to do business in an ethical manner. Giving them the chance to do business the right way, as opposed to cheating, will win the hearts and minds of your employees almost every time. By using the protocol suggested by the authors, you can not only find out the effect of your company’s compliance program on the employees at the bottom but affect it as well. 

Mike Volkov said in an article entitled “Mood in the Middle Versus Tone at the Top” that “Even when a company does all the right things at the senior management level, the real issue is whether or not that culture has embedded itself in middle and lower management. A company’s culture is reflected in the values and beliefs that exist throughout the company.” To fully operationalize your compliance program, you must find a way to articulate and then drive the message of ethical values and of doing business in compliance with anti-corruption laws such as the FCPA from the top down, throughout your organization. 

Three Key Takeaways

  1. How is your compliance embedded at the bottom of your organization?
  2. Use of social media can help set the tone at the bottom.
  3. A company’s culture is reflected in the values and beliefs that exist throughout the company; make certain you assess it and use that information going forward. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 29, 2017

In this episode I visit with Jonathan Armstrong on his views on the new DOJ Evaluation of Corporate Compliance Programs. Armstrong provides a detailed analysis of some of the key differences between how compliance is operationalized in the US as opposed to the UK and EU countries. He explains how the enhanced requirements for root cause analysis, risk assessments and investigations, and the supplemented requirements to tie back into ongoing compliance monitoring and updating, could run afoul of UK and EU data protection and data privacy requirements. He also considers what a non-US company subject to the FCPA should look to as a best practices compliance program to best protect the organization. Finally, he explores just how far all of this goes, and provides one statistic that puts a huge bow on the difficulties going forward. 

For the Cordery Compliance article, see: US Department of Justice on Evaluation of Corporate Compliance: how does it compare to UK Bribery Act 2010?

Mar 28, 2017

The Evaluation of Corporate Compliance Programs makes clear that a company must have more than simply a good ‘Tone-at-the-Top’; it must move that tone down through the organization, from senior management to middle management and into its lower ranks. This means that one of the tasks of any company, including its compliance organization, is to get middle management to respect the stated ethics and values of the company, because if they do so, those values will be communicated down through the organization. Adam Bryant, writing in the NYT in an article entitled “If the Supervisors Respect Values, So Will Everyone Else”, explored this topic when he interviewed Victoria Ransom, the Chief Executive Officer (CEO) of Wildfire, a company which provides social media marketing software.

Ransom spoke about the role of senior management in communicating ethical values when she was quoted as saying “Another lesson I’ve learned as the company grows is that you’re only as good as the leaders you have underneath you. And that was sometimes a painful lesson. You might think that because you’re projecting our values, then the rest of the company is experiencing the values.” These senior managers communicate what the company’s ethics and values are to middle management. So, while tone at the top is certainly important in setting a standard, she came to appreciate that it must move downward through the entire organization. Bryant wrote that Ransom came to realize “that the direct supervisors become the most important influence on people in the company. Therefore, a big part of leading becomes your ability to pick and guide the right people.”

Ransom said that when the company was young and small they tried to codify their company values but did not get far in the process “because it felt forced.” As the company grew she realized that their values needed to be formalized and stated for a couple of reasons. The first was because they wanted to make it clear what was expected of everyone and “particularly because you want the new people who are also hiring to really know the values.” Another important reason was that they had to terminate “a few people because they didn’t live up to the values. If we’re going to be doing that, it’s really important to be clear about what the values are. I think that some of the biggest ways we showed that we lived up to our values were when we made tough decisions about people, especially when it was a high performer who somehow really violated our values, and we took action.” These terminations had a very large effect on the workforce. Ransom said that “it made employees feel like, ‘Yeah, this company actually puts its money where its mouth is.’”

Ransom wanted to make clear to everyone what senior management considered when determining whether employees “are living up to the company culture.” The process started when she and her co-founder spent a weekend writing down what they believed the company’s values were. Then they sat down with the employees in small groups to elicit feedback. Her approach was to look for what they wanted in their employees.

  • Passion: Do you really have a thirst and appetite for your work?
  • Humility and Integrity: Treat your co-workers with respect and dignity.
  • Courage: Speak up - if you have a great idea, tell us, and if you disagree with people in the room, speak up.
  • Curiosity: They wanted folks who would constantly question and learn, not only about the company but about the industry.
  • Impact: Are you having an impact at the company?
  • Be outward-looking: Do good and do right by each other.

Ransom had an equally valuable insight when she talked about senior management and ethical values. She believes that “the best way to undermine a company’s values is to put people in leadership positions who are not adhering to the values. Then it completely starts to fall flat until you take action and move those people out, and then everyone gets faith in the values again. It can be restored so quickly. You just see that people are happier.”

What should the tone in the middle be? That is, what should middle management’s role be in the company’s compliance program? This role is critical because the majority of company employees work most directly with middle, rather than top, management and consequently take their cues from how middle management responds to a situation. Moreover, middle management must listen to the concerns of employees. Even if middle management cannot effect a direct change, it is important that employees have an outlet to express their concerns. Therefore your organization should train middle managers to enhance their listening skills in the overall context of providing training for their ‘Manager’s Toolkit’. This can be particularly true if there is a compliance violation or other incident which requires some form of employee discipline. Most employees think it important that there be “organizational justice” so that people believe they will be treated fairly. He further explained that without organizational justice, employees typically do not understand outcomes, but if there is perceived procedural fairness, an employee is more likely to accept a decision that they may not like or may disagree with.

Employees often look to their direct supervisor to determine what the tone of an organization is and will be going forward. Many employees of a large, multinational organization may never have direct contact with the CEO or even senior management. By moving the values of compliance through an organization into the middle, you will be in a much better position to inculcate these values and operationalize compliance with them.

Three Key Takeaways

  1. Tone at the top: direct supervisors become the most important influence on people in the company.
  2. Give your middle managers a Tool Kit around compliance so they can fully operationalize compliance.
  3. Organizational justice is a further way to help operationalize compliance.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.
