Info

FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.
RSS Feed Subscribe in Apple Podcasts
FCPA Compliance Report
2019
May


2018
November
October
September
August
July
June
May
April
March
February
January


2017
December
November
October
September
August
July
June
May
April
March
February
January


2016
December
November
October
September
August
March
February


2015
December


Categories

All Episodes
Archives
Categories
Now displaying: January, 2018
Jan 17, 2018

In this episode Matt Kelly and I take a deep dive into a fascinating paper from Harvard Business School. Boris Groysberg and George Serafeim, worked with a global recruitment firm to study more than 2,000 executive-level job placements from 2004 to 2011, examining a wide range of job placements and pay data since 2004. They found that the stigma of listing a discredited company on your resume, even if you had nothing to do with the misconduct there, leads recruiters at your next employer to pay you less.

Some of the numbers Groysberg and Serafeim calculated:

  • Overall, executives with a restatement in their past received a salary 4.6 percent lower than those without one;
  • Executives with a restatement in their recent past saw an even larger discount: 5.6 percent; and the professors defined “recently” as within the last nine years;
  • Executives specifically in the finance function saw a 9.9 percent discount compared to others without a tainted work history.

We consider the long-term salary effects by reference to tables put together my Matt which show how such an initial reduction would impact your overall compensation on a 15 year basis.

It’s not news that listing tainted employer on your LinkedIn profile can harm your career. This study, however, is one of the first that tries to quantify exactly how much that “stigma effect” can harm your salary career on a go-forward and long-term basis. It is yet another way to convince senior executives and other colleagues that a strong compliance program matters: misconduct at the company can trim the salary offer those people might get at their next job — by 4.6 percent or more, apparently. executive’s career in dollar terms.

For more on the topic see Matt Kelly’s blog post The Salary Penalty for Misconduct

For more reading, see the article by Sarafeim and Groyberg, Does Financial Misconduct Affect the Future Compensation of Alumni Managers?

Jan 17, 2018

The building blocks of any compliance program lay the foundations for a best practices compliance program. For instance, in the lifecycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, the issue of third party management becomes more important. It is also the one where the rubber meets the road of operationalizing compliance. It is also an area the DOJ specifically articulated in Evaluation that companies need to consider.

In an issue of Supply Chain Management Review in an article by Mark Trowbridge, entitled “Put it in Writing: Sharpening Contracts Management to Reduce Risk and Boost Supply Chain Performance”, provided useful insights into the management of the third party relationship. While the focus of the article was having a strategic approach to contracts management, the author’s “five ways to start professionalizing your approach to outsourcing contracts” provide an excellent manner to consider steps in the management of third party relationships. To achieve these goals, I have revised Trowbridge’s prescriptions from suppliers to third parties.

Consolidate Third Parties but Retain Redundancy-It is incumbent that consolidation in your third-party relationships to a smaller number to “yield better cost leverage.” From the compliance perspective, it also should make the entire third-party lifecycle easier to manage, particularly steps 1-4.

Keep Tabs on Subcontracted Work- If your direct contracting party has the right or will need to subcontract some work out, you need to have visibility into this from the compliance perspective. You will need to require and monitor that your direct third-party relationship has your approved compliance terms and conditions in their contracts with their subcontractors.

Make Sure Your Company is Legally Protected-This is where your compliance terms and conditions will come into play. One of the things that I advocate is a full indemnity if your third party violates the FCPA and your company is dragged into an investigation because of the third party’s actions. Such an indemnity may not be worth too much but if you do not have one, there will be no chance to recoup any of your legal or investigative costs. Another important clause is that any FCPA violation is a material breach of contract.

Keep Track of Your Third Parties’ Financial Stability-This is one area that is not usually discussed in the compliance arena around third parties but it seems almost self-evident. You can certainly imagine the disruption that could occur if your prime third-party supplier in a country or region went bankrupt; but in the compliance realm there is another untoward red flag that is raised in such circumstances.

Formalize Incentives for Third Party Performance-One of the key elements for any third-party contract is the compensation issue. If the commission rate is too high, it could create a very large pool of money that could be used to pay bribes. It is mandatory that your company link any commission or payment to the performance of the third party. If you have a long-term stable relationship with a third party, you can tie compensation into long-term performance, specifically including long-term compliance performance. This requires the third party to put skin into the compliance game so that they have a vested, financial interest in getting things done in compliance.

Auditing Third Parties-Auditing of third parties is critical to any best practices compliance program and an important tool in operationalizing your compliance program. This is a key manner in which a company can manage the third-party relationship after the contract is signed and one which the government will expect you to engage in going forward.

Managing your third-parties is where the rubber meets the road in your overall third-party risk manage program. You must execute on this task. Even if you successfully navigate the first four step in your third-party risk management program, those are in reality the easy steps. Managing the relationship is where the real work begins.

Three Key Takeaways

  1. Have a strategic approach to third party risk management.
  2. Rank third parties based upon a variety of factors including compliance and business performance, length of relationship, benchmarking metrics and KPIs for ongoing monitoring and auditing.
  3. Managing the relationship is where the real work begins.

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.

Jan 16, 2018

As every compliance practitioner is well aware, third parties still present the highest risk under the Foreign Corrupt Practices Act (FCPA). The Department of Justice Evaluation of Corporate Compliance Programs devotes an entire prong to third party management. It begins with the following:

Risk-Based and Integrated ProcessesHow has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes? 

Appropriate ControlsWhat was the business rationale for the use of the third parties in question? What mechanisms have existed to ensure that the contract terms specifically described the services to be performed, that the payment terms are appropriate, that the described contractual work is performed, and that compensation is commensurate with the services rendered?  

This first set of queries clearly specifies the DOJ expects an integrated approach that is operationalized throughout the company. This means your compliance process must have a process for the full life cycle of third party risk management. There are five steps in the life cycle of third party risk management, which will fulfill the DOJ requirements laid out in the 10 Hallmarks of an Effective Compliance Program and the Evaluation. 

  1. Business Justification and Business Sponsor;
  2. Questionnaire to Third Party;
  3. Due Diligence on Third Party;
  4. Compliance Terms and Conditions, including payment terms; and
  5. Management and Oversight of Third Parties After Contract Signing. 

Step 1 - Business Justification

The first step breaks down into two parts: 

  1. Business Sponsor
  2. Business Justification 

The purpose of the Business Justification is to document the satisfactoriness of the business case to retain a third party. The Business Justification should be included in the compliance review file assembled on every third party at the time of initial certification and again if the third-party relationship is renewed. It is mandatory this document be filled out and completed by the Business Sponsor, who will be the primary contract with the third-party for the life of the business relationship. 

Step 2 - Questionnaire

The term ‘questionnaire’ is mentioned several times in the 2012 FCPA Guidance. It is generally recognized as one of the tools that a company should complete in its investigation to better understand with whom it is doing business. I believe that this requirement is not only a key step but also a mandatory step for any third party that desires to do work with your company. I tell clients that if a third party does not want to fill out the questionnaire or will not fill it out completely that you should not walk but run away from doing business with such a party. 

One thing that you should keep in mind is that you will likely have pushback from your business team in making many of the inquiries listed above. However, my experience is that most proposed agents that have done business with US or UK companies have already gone through this process. Indeed, they understand that by providing this information on a timely basis, they can set themselves apart as more attractive to US businesses. 

Step 3 - Due Diligence

Most compliance practitioners understand the need for a robust due diligence program to investigation third parties, but have struggled with how to create an inventory to define the basis of risk of each foreign business partner and thereby perform the requisite due diligence. Getting your arms around due diligence can sometimes seem bewildering for the compliance practitioner. 

The purpose is to encourage businesses to put in place due diligence procedures that adequately inform the application of proportionate measures designed to prevent persons associated with a company from engaging in bribery and corruption on their behalf. Due diligence acts as both as a procedure for anti-bribery risk assessment and as a risk mitigation technique. Further both operate as compliance internal controls. 

After you have completed Steps 1-3; then evaluated and documented your evaluation, you are ready to move onto to Step 4 - the contract. In the area of compliance terms and conditions, the FCPA Guidance intones “Additional considerations include payment terms and how those payment terms compare to typical terms in that industry and country, as well as the timing of the third party’s introduction to the business.” This means that you need to understand what the rate of commission is and whether it is reasonable for the services delivered. If the rate is too high, this could be indicia of corruption as high commission rates can create a pool of money to be used to pay bribes. If your company uses a distributor model in its sales side, then it needs to review the discount rates it provides to its distributors to ascertain that the discount rate it warranted. 

Step 4 - The Contract

You must evaluate the information and show that you have used it in your process. If it is incomplete, it must be completed. If there are Red Flags, which have appeared, these red flags must be cleared or you must demonstrate how you will manage the risks identified. In others words you must Document, Document and Document that you have read, synthesized and evaluated the information garnered in Steps 1-3. As the DOJ and SEC continually remind us, a compliance program must be a living, evolving system and not simply a ‘Check-the-Box’ exercise. 

Step 5 - Management of the Relationship

The Evaluation specified the importance of this final step when it stated: Management of RelationshipsHow has the company considered and analyzed the third party’s incentive model against compliance risks? How has the company monitored the third parties in question? How has the company trained the relationship managers about what the compliance risks are and how to manage them? How has the company incentivized compliance and ethical behavior by third parties

I often say that after you complete Steps 1-4 in the life cycle management of a third party, the real work begins and that work is found in Step 5– the Management of the Relationship. While the work done in Steps 1-4 are absolutely critical, if you do not manage the relationship it can all go downhill very quickly and you might find yourself with a potential FCPA or UK Bribery Act violation. There are several different ways that you should manage your post-contract relationship. The Evaluation clearly is focused on several key components that you need to evaluate and then re-evaluate during the pendency of the relationship. Incentivizing through compensation issues, training and ongoing monitoring through oversight and auditing are all key tools that the DOJ expects you to use going forward after the contract is signed. The bottom line is that all the work you have done in Steps 1-4 will not be for naught and that you will have a compliant anti-corruption relationship with your third party going forward. 

Final Thoughts 

I continually give my mantra of compliance, which is Document, Document, and Document. Each of the steps you take in the management of your third parties must be documented. Not only must they be documented but they must be stored and managed in a manner that you can retrieve them with relative ease. The management of third parties is absolutely critical in any best practices compliance program. As you sit at your desk pondering whether this assignment given to you by the CCO is a career-ending dead-end; you should take heart because there is clear and substantive guidance out there which you can draw upon. 

Three Key Takeaways 

  1. Use the full 5-step process for 3rd party management.
  2. Make sure you have BD involvement and buy-in.
  3. Operationalize all steps going forward by including business unit representatives. 

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.

Jan 15, 2018

After you complete your risk assessment, you must then translate it into a risk profile, as Rick Messick has noted, to estimate where bribery is likely occur, so prevention efforts will be properly targeted. Ben Locwin explained, in “Quality Risk Assessment and Management Strategies for Biopharmaceutical Companies”, “Once we have assessed risks and determined a process that includes options to resolve and manage those risks whenever appropriate, then we can decide the level of resources with which to prioritize them. There always will be latent risks: those that we understand are there but that we cannot chase forever. But we need to make sure we have classified them correctly. With a good understanding of each of these, we are in a better position to speak about the quality of our businesses.” This makes the evaluation of your risk assessment a key element in your compliance regime.

William C. Athanas, in an article entitled “Rethinking FCPA Compliance Strategies in a New Era of Enforcement”, posited that companies assume that Foreign Corrupt Practices Act (FCPA) violations follow a “bell-curve distribution, where the majority of employees are responsible for the majority of violations.” However, Athanas believed that the distribution pattern more closely follows a “hockey-stick distribution, where a select few…commit virtually all violations.” Athanas concludes by noting that is this limited group of employees, or what he terms the “shaft of the hockey-stick”, to which a company should devote the majority of its compliance resources. With a proper risk assessment, a company can then focus its compliance efforts such as “intensive training sessions or focused analysis of key financial transactions -- on those individuals with the opportunity and potential inclination to violate the statute.” This focus will provide companies the greatest “financial value and practical worth of compliance efforts.”

David Lawler, in Frequently Asked Questions in Anti-Bribery and Corruption”, suggested that you combine the scores or analysis you obtained from the corruption markers you review; whether it is the Department of Justice (DOJ) list or those markers under the UK Bribery Act. From there, create a “rudimentary risk-scoring system that ranks the things to review using risk indicators of potential bribery. This ensures that high-risk exposures are done first and/or given more time. As with all populations of this type, there is likely to be a normal or ‘bell curve’ distribution of risks around the mean. So 10-15% of exposure falls into the relative low-risk category; the vast majority 70-80% into the moderate-risk category; and the final 10-15% would be high risk.”

In an article entitled “Improving Risk Assessments and Audit Operations” author Tammy Whitehouse focused on how one company, Timken Co., created a risk matrix to evaluate risks determined by the company’s risk assessment. At Timken, the most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These “Severe” risks become the focus of the audit monitoring plan going forward. A variety of tools can be used to continuously monitoring risk going forward. However, you should not forget the human factor. At Timken, one of the methods used by the compliance group to manage such risk is by providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. The company also produces a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it.

The key to the Timken approach is the action steps prescribed by their analysis. This is another way of saying that the risk assessment informs the compliance program, not vice versa. This is the approach set forth by the DOJ from the 2012 FCPA Guidance, through the Evaluation of Corporate Compliance Programs (Evaluation), up to the FCPA Corporate Enforcement Policy (Policy). I believe that the DOJ wants to see a reasoned approach with regards to the actions a company takes in the compliance arena. The model set forth by Timken certainly is a reasoned approach and can provide the articulation needed to explain which steps were taken.

Three Key Takeaways 

  1. Even after you complete your risk assessment, you must evaluate those risks for your company.
  2. The DOJ and SEC are looking for a well-reasoned approach on how you evaluate your risk.
  3. Create a risk matrix and force rank your risks.

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.

Jan 15, 2018

In this podcast, I visit Jonathan Marks, a partner at Marcum LLP on how to perform a root cause analysis and it uses in the remediation phase of a best practices compliance program. One new and different item was laid out in the Evaluation of Corporate Compliance Program, supplementing the Ten Hallmarks of an Effective Compliance Program from the 2012 FCPA Guidance. This was the performance of a root cause analysis for any compliance violation which may led to a self-disclosure or enforcement action. 

Jonathan Marks, notes a root cause analysis “is a research based approach to identifying the bottom line reason of a problem or an issue; with the root cause not the proximate cause the root cause representing the source of the problem.” He contrasted this definition with that of a risk assessment which he said “is something performed on a proactive basis based on various facts. A root cause analysis analyzes a problem that (hopefully) was previously identified through a risk assessment.”

We also consider how to use a risk assessment because under the Evaluation, the critical element is how did you use the information you developed in the root cause analysis. Literally every time when you see a problem as a compliance officer, you should perform a root cause analysis. Was something approved or not approved before the untoward event happened? Was any harm was done? Why or why not? Why did that system fail? Was it because the person who is doing the approval was too busy? Was it because people didn’t understand? It is in answering these and other questions which have been developed through a root cause analysis that you can bring real value and real solutions to your compliance programs.

We tie these requirement from the Evaluation of Corporate Compliance Programs together. You must not only perform the root cause analysis but use the information you obtain to inform your compliance program going forward. As much care as you put into performing your root cause analysis should be put into using the findings for remediation.

Jan 14, 2018

One cannot really say enough about risk assessments in the context of an anti-corruption programs. Since at least 1999, in the Metcalf & Eddy enforcement action, the DOJ has said that risk assessment which measure the likelihood and severity of possible FCPA violations the manner in which you should direct your resources to manage these risks. The 2012 FCPA Guidance stated it succinctly when it said, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.”

This language was supplemented in the 2017 in both the Evaluation and the new FCPA Corporate Enforcement Policy. Under Prong 4 of the Evaluation, Risk Assessments, the following issues were raised: Risk Management ProcessWhat methodology has the company used to identify, analyze, and address the particular risks it faced? Manifested RisksHow has the company’s risk assessment process accounted for manifested risks? In the FCPA Corporate Enforcement Policy it stated, “The effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment”.

The risk assessment determines the areas at greatest risk for FCPA violations among all types of international business transactions and operations, the business culture of each country in which these activities occur, and the integrity and reputation of third parties engaged on behalf of the company. The simple reason is straightforward; one cannot define, plan for, or design an effective compliance program to prevent bribery and corruption unless you can measure the risks you face.

Rick Messick laid out the four steps of a risk assessment as follows: “First, all conceivable forms of corruption to which the organization, the activity, the sector, or the project might be exposed is catalogued.  Second, an estimate of how likely it is that each of the possible forms of corruption will occur is prepared and third an estimate of the harm that will result if each occurs is developed.  The fourth step combines the chances of occurrence with the probability of its impact to produce a list of risks by priority.”

What Should You Assess?

In 2011, the DOJ concluded three FCPA enforcement actions which specified factors which a company should review when making a Risk Assessment. The three enforcement actions, involving the companies Alcatel-Lucent, Maxwell Technologies and Tyson Foods all had common areas that the DOJ indicated were compliance risk areas which should be evaluated for a minimum best practices  compliance program. In both Alcatel-Lucent and Maxwell Technologies, the Deferred Prosecution Agreements listed the seven following areas of risk to be assessed, which are still relevant today.

  1. Geography-where does your Company do business.
  2. Interaction with types and levels of Governments.
  3. Industrial Sector of Operations.
  4. Involvement with Joint Ventures.
  5. Licenses and Permits in Operations.
  6. Degree of Government Oversight.
  7. Volume and Importance of Goods and Personnel Going Through Customs and Immigration.

All of these factors were reiterated in the 2012 FCPA Guidance which stated, “Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.

One of the questions that I hear most often is how does one actually perform a risk assessment. Mike Volkov has suggested a couple of different approaches in his article, “Practical Suggestions for Conducting Risk Assessments.” In it Volkov differentiates between smaller companies which might use some basic tools such as “personal or telephone interviews of key employees; surveys and questionnaires of employees; and review of historical compliance information such as due diligence files for third parties and mergers and acquisitions, as well as internal audits of key offices” from larger companies. Such larger companies may use these basic techniques but may also include a deeper dive into high risk countries or high-risk business areas. If your company’s sales model uses third party representatives, you may also wish to visit with those parties or persons to help evaluate their risks for bribery and corruption would might well be attributed to your company.

There are a number of ways you can slice and dice your basic inquiry. As with almost all FCPA compliance, it is important that your protocol be well thought out. If you use one, some or all of the above as your basic inquiries into your risk analysis, it should be acceptable for your starting point.

Three Key Takeaways 

  1. Since at least 1999, the DOJ has pointed to the risk assessment as the start of an effective compliance program.
  2. The DOJ will now consider both your risk assessment methodology for identifying risks and gathered evidence.
  3. You should base your compliance program on your risk assessment.

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Jan 13, 2018

In the Department of Justice’s Evaluation of Corporate Compliance Programs, Prong 8 Incentive and Disciplinary Measures it states: Incentive System Consistent Application – Have the disciplinary actions and incentives been fairly and consistently applied across the organization? In the FCPA Corporate Enforcement Policy it states, “Appropriate discipline of employees, including those identified by the company as responsible for the misconduct, either through direct participation or failure in oversight, as well as those with supervisory authority over the area in which the criminal conduct occurred”.

Under Hallmark Six of the Ten Hallmarks of an Effective Compliance Program it states:

In addition to evaluating the design and implementation of a compliance program throughout an organization, enforcement of that program is fundamental to its effectiveness. A compliance program should apply from the board room to the supply room—no one should be beyond its reach. DOJ and SEC will thus consider whether, when enforcing a compliance program, a company has appropriate and clear disciplinary procedures, whether those procedures are applied reliably and promptly, and whether they are commensurate with the violation. Many companies have found that publicizing disciplinary actions internally, where appropriate under local law, can have an important deterrent effect, demonstrating that unethical and unlawful actions have swift and sure consequences.

However, I believe that the 2012 FCPA Guidance’s best practices are more active than the ‘stick’ of employee discipline to make a compliance program effective and I believe that it also requires a ‘carrot’. This requirement is codified in the US Sentencing Guidelines with the following language, “The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.”

One of the areas which Human Resources can operationalize your compliance program is to ensure that discipline is handed out fairly across an organization and to those employees who integrate such ethical and compliant behavior into their individual work practices going forward. This is more than financial incentives for ethical behavior but institutional objectivity for your employees.

Institutional objectivity comes from procedural fairness. This is one of the things that will bring credibility to your compliance program. Today it is called the Fair Process Doctrine and this Doctrine generally recognizes that there are fair procedures, not arbitrary ones, in processes involving rights. Considerable research has shown that people are more willing to accept negative, unfavorable, and non-preferred outcomes when they are arrived at by, processes and procedures that are perceived as fair. Adhering to the Fair Process Doctrine in two areas of your Compliance Program is critical for you, as a compliance specialist or for your Compliance Department, to have credibility with the rest of the workforce. Finally, it is yet another way to more fully operationalize your compliance program.

Administration of Discipline

One area where the Fair Process Doctrine is paramount is in the administration of discipline after any compliance related incident. Discipline must not only be administered fairly but it must be administered uniformly across the company for the violation of any compliance policy. Simply put if you are going to fire employees in South America for lying on their expense reports, you have to fire them in North America for the same offense. It cannot matter that the North American employee is a friend of yours or worse yet a ‘high producer’. Failure to administer discipline uniformly will destroy any vestige of credibility that you may have developed.

Similarly and as was re-emphasized in the FCPA Corporate Enforcement Policy, there must be real consequences to employee who violate your compliance program. If the regulators come knocking and you have not disciplined any company employees for Code of Conduct or compliance program violations in multiple years, the DOJ and SEC will conclude pretty quickly you are not serious about compliance. Fair process means that you must discipline those who engage in compliance violations no matter what their position is with the organization.

Employee Promotions

In addition to the area of discipline which may be administered after the completion of any compliance investigation, you must also place compliance firmly as a part of ongoing employee evaluations and promotions. If your company is seen to advance and only reward employees who achieve their numbers by whatever means necessary, other employees will certainly take note and it will be understood what management evaluates, and rewards, employees upon. I have often heard the (anecdotal) tale about some Far East Region Manager which goes along the following lines “If I violated the Code of Conduct I may or may not get caught. If I get caught I may or may not be disciplined. If I miss my numbers for two quarters, I will be fired”. If this is what other employees believe about how they are evaluated and the basis for promotion, you have lost the compliance battle.

Internal Investigations

The third area the Fair Process Doctrine is critical in, is around internal company investigations. If your employees do not believe that the investigation is fair and impartial, then it is not fair and impartial. Further, those involved must have confidence that any internal investigation is treated seriously and objectively. One of the key reasons that employees will go outside of a company’s internal hotline process is because they do not believe that the investigation process will be fair.

This fairness has several components. One would be the use of outside counsel, rather than in-house counsel to handle the investigation. Moreover, if company uses a regular firm, it may be that other outside counsel should be brought in, particularly if regular outside counsel has created or implemented key components which are being investigated. Further, if the company’s regular outside counsel has a large amount of business with the company, then that law firm may have a very vested interest in maintaining the status quo. Lastly, the investigation may require a level of specialization which in-house or regular outside counsel does not possess.

An often-overlooked role of any CCO or compliance professional is to help provide employees procedural fairness. If your compliance function is seen to be fair in the way it treats employees, in areas as varied as financial incentives, to promotions, to uniform discipline meted out across the globe; employees are more likely to inform the compliance department when something goes array. If employees believe they will be treated fairly, it will go a long way to more fully operationalizing your compliance program.

Three Key Takeaways

  1. The DOJ and SEC have long called for consistent application in both incentives and discipline.
  2. The Fair Process Doctrine ensures employees will accept results they may not like.
  3. Inconsistent application of discipline will destroy your compliance program credibility.

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Jan 12, 2018

In this episode, Jay Rosen and myself take a look at some of the top compliance stories over the past week.

  1. Does Free Speech exist at the office? Can you tell your boss what you think of them? Ben DiPietro looks at a new Department of Labor approach in WSJ Risk and Compliance Journal.
  2. Are fraudsters like the rich (as in different than the rest of us)? Jonathan Marks explores the mind of the fraudster in his Board and Fraud blog.
  3. What can you do to manage your third parties more effectively? Rick Chapman provides his experiences in the SCCE Blog.
  4. Is there a unified theory of corruption? Professor Joseph Pazsgai explores the question in a guest post on the FCPA Blog.
  5. Mike Volkov gives his five top compliance predictions for 2018 in the Crime, Corruption and Compliance Blog.
  6. Oh thank Heaven? Feds raid 7-11 looking for criminals (IE undocumented workers). See story by Alicia Caldwell in the WSJ.
  7. Is there a real (or perceived) bias in the monitorship process? Several experts are cited in GIR piece sub. req’d
  8. Shearman & Sterling releases its annual report, the Recent Trends and Patterns in the Enforcement of the FCPA.
  9. Join Tom’s monthly podcast series on One Month to a More Effective Compliance Program. In January, I bring together the entire year of compliance program best practices with 31 days to a more effective compliance program. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
  10. Tom announces his next Compliance Master Class, sponsored by Marcum LLP. It will be held on February 11 & 12 at Marcum’s offices in Miami, FL. More information or a copy of the agenda, or to register, will be available on my website, FCPA Compliance Report or at Marcum LLP.
  11. Jay Rosen previews the Jay Rosen weekend report.
  12. We preview this week’s NFL playoffs.

 

Jan 12, 2018

One of the areas that many companies have not paid as much attention to in their compliance programs is compensation. However, the DOJ and SEC have long made clear that they view monetary structure for compensation, rewarding those employees who do business in compliance with their employer’s compliance program, as one of the ways to reinforce the compliance program and the message of compliance. As far back as 2004, the then SEC Director of Enforcement, Stephen M. Cutler, said “[M]ake integrity, ethics and compliance part of the promotion, compensation and evaluation processes as well. For at the end of the day, the most effective way to communicate that “doing the right thing” is a priority, is to reward it.” The 2012 FCPA Guidance stated the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance pro­gram, and rewards for ethics and compliance leadership.”

This same concept around compensation and incentives was brought forward in the Evaluation under Prong 8, Incentives and Disciplinary Measures, where it stated, “Incentive SystemHow has the company incentivized compliance and ethical behavior? How has the company considered the potential negative compliance implications of its incentives and rewards? Have there been specific examples of actions taken (e.g., promotions or awards denied) as a result of compliance and ethics considerations?

A Harvard Business Review (HBR) article, entitled “The Right Way to Use Compensation, discussed a company’s design and redesign of its employee’s compensation system to help drive certain behaviors. The piece’s subtitle indicated how the company fared in this technique as it read, “To shift strategy, change how you pay your team.” The article lays out a framework for the Chief Compliance Officer or compliance practitioner to operationalize compensation as a mechanism in a best practices compliance program.

As your compliance program matures and your strategy shifts, “it’s critical that the employees who bring in the revenue-the sales force-understand and behave in ways that support the new strategy. The sales compensation system can help ventures achieve that compliance.” The prescription for you as the compliance practitioner is to revise the incentive system to focus your employees on the goals of your compliance program. This may mean that you need to change the incentives as the compliance programs matures; from installing the building blocks of compliance to burning anti-corruption compliance into the DNA of your company.

There are three key questions you should ask yourself in modifying your compensation structure. First, is the change simple? Second, is the changed aligned with your company values? Third, is the effective on behavior immediate due to the change?

Simplicity

Keep the compensation plan simple and even employee KISS, keep it simple sir, when designing your program. If you do not do so, your employees might fall back on old behaviors that worked in the past. Roberge notes, “It should be extraordinarily clear which outcomes you are rewarding.” The simplest way to incentive employees is to create metrics that they readily understand and are achievable in the context of the compliance program. This can start with attending Code of Conduct and compliance program training. Next might be a test to determine how much of that training was retained. It could be follow up, online training. It could mean instances of being a compliance champion in certain areas, whether with your employee base or third-party sales force.

Alignment

As the CCO or compliance practitioner, you need to posit the most important compliance goal your entity needs to achieve. From there you should determine how your compensation program can be aligned with that goal. The beauty of this alignment is that it works with your sales force throughout the entire sales cycle. If your sales channel is employee based then their direct compensation can be used for alignment. However, such alignment also works with a third-party sales force such as agents, representatives, channel ops partners and even distributors. You can even introduce clawbacks, which would come into play at some point in the future for who might violate your compliance program.

Immediacy

Finally, under immediacy, it is important that such structures be put in place “immediately” but in a way that incentives employees. As a part of immediacy, there must be sufficient communication with your employee. In the world of employee compensation incentives, there should be transparency as to the expectations.

A panel at Compliance Week 2016, entitled “The Unsolvable Problem: Performance, Pay, Pressure and Misconduct”, focused on variable compensation. The panel had some interesting thoughts around compensation, including the amount of your variable compensation relative to risk; What does your discretionary bonus program consist of? Is it corporate performance based? Group performance based? Only personal, i.e. eat what you kill? Or is it some combination of all of the above?

The panel provided three examples of which might lead to compliance failures. (1) Lofty goals but no direction for employees on how to get there; (2) A paucity of communication between management and line employees, meaning there was raw fear from employees to inform their immediate supervisor of bad news. Conversely, it could be the supervisors who do not want to hear such bad news; and (3) If your company has singular focus on numbers, meaning that is the single judge of your worth as an employee. Answering some of these questions if they arise can help you to understand the design of incentive plans and allow monitoring of incentive plans to identify underlying links that may arise through compliance violations. 

Obviously, the power of a compensation plan to motivate salespeople not only to sell more but to act in ways that support your company’s business model and overall culture and values. For the compliance practitioner one of the biggest reasons is to first change a company’s culture to make compliance more important but to then burn it into the fabric of your organization. But you must be able to evolve in your thinking and professionalism as a compliance practitioner to recognize the opportunities to change and then adapt your incentive program to make the doing of compliance part of your company’s everyday business process. 

Three Key Takeaways

  1. The DOJ and SEC have long advocated compensation as a way to motivate employees into ethical and compliant behaviors.
  2. Keep the compliance aspects of your compensation structure simple and easy for your employees to understand.
  3. Have full transparency in the framework of your compensation structure.

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Jan 11, 2018

 I. Legal Requirements of the Board Regarding Compliance

A. Case Law

As to the specific role of ‘Best Practices’ in the area of general compliance and ethics, one can look to Delaware corporate law for guidance. The case of In Re Caremark International Inc. was the first case to hold that a Board’s obligation “includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.”

In the case of Stone v. Ritter, the Supreme Court of Delaware expanded on the Caremark decision by establishing two important principles. First, the Court held that the Caremark standard is the appropriate standard for director duties with respect to corporate compliance issues. Second, the Court found that there is no duty of good faith that forms a basis, independent of the duties of care and loyalty, for director liability. Rather, Stone v. Ritter holds that the question of director liability turns on whether there is a "sustained or systematic failure of the board to exercise oversight – such as an utter failure to attempt to assure a reasonable information and reporting system exists.”

According to Haynes and Boone in its publication, “Corporate Governance and the Role of the Board” a director’s business decisions generally qualify for protection by the “business judgment rule.” Under the business judgment rule, courts presume that directors making business decisions acted on an informed basis, in good faith, and with the honest belief that the action taken was in the best interests of the corporation. In lawsuits brought against directors brought by shareholders, courts applying the business judgment rule will determine only whether the directors making the decision (i) were free from conflicts of interest, (ii) appropriately informed themselves before taking the action, and (iii) acted after due consideration of all relevant information that was reasonably available. Under the business judgment rule, the board’s action will not subject board members to liability if the action or decision of the directors can be attributed to any rational business purpose. Directors that meet the criteria of the business judgment rule do not have to worry about having their business decisions second-guessed by a court, even where their decisions result in corporate losses.

B. FCPA Guidance and US Sentencing Guidelines

A Board’s duty under the Foreign Corrupt Practices Act (FCPA) is well known. In the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) 2012 FCPA Guidance, under the Ten Hallmarks of an Effective Compliance Program, there are two specific references to the obligations of a Board. The first in Hallmark No. 1, entitled “Commitment from Senior Management and a Clearly Articulated Policy Against Corruption”, states “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3 entitled “Oversight, Autonomy and Resources”, where it discusses that the Chief Compliance Officer (CCO) should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The DOJ’s Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment?

From the Delaware cases, a Board must not only have a corporate compliance program in place but actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions. The specific obligations set out regarding the FCPA drive home these general legal obligations down to the specific level of the statute.

II. Prudent Discharge of Compliance Obligations

What are the obligations of a Board member regarding the FCPA? Are the obligations of the Compliance Committee under the FCPA at odds with a director’s “prudent discharge of duties to shareholders”? Do the words prudent discharge even appear anywhere in the FCPA? In webinar, entitled “Reporting to the Board on Your Compliance Program: New Guidance and Good Practices”, Rebecca Walker and Jeffery Kaplan, explored these and other issues.

As to the specific role of ‘Best Practices’ in the area of general compliance and ethics, Walker looked to Delaware corporate law for guidance. She cited to the case of Stone v. Ritter for the proposition that “a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate exists.” From the case of In re Walt Disney Company Derivative Litigation, she drew the principle that directors should follow the best practices in the area of ethics and compliance.

According to Haynes and Boone in its publication, “Corporate Governance and the Role of the Board” a board’s role is not to actually manage the company, but instead to oversee and monitor the management of the company. In the realm of compliance, this means the Chief Compliance Officer. The board has the responsibility to fulfill the role of strategic and business advisor to management of the company. In addition, the board has the role of monitoring the performance of the compliance function, including monitoring the performance of it using customary economic metrics, and by overseeing compliance with applicable laws and regulations. While the board is not responsible for auditing or ferreting out compliance problems, it is responsible for determining that the company has an appropriate system of internal controls. The board should also monitor company policies and practices that address compliance and matters affecting the public perception and reputation of the company. Every company should ensure that it conducts appropriate compliance training for employees and conducts regular compliance assessments. Finally, the board must take appropriate action if and when it becomes aware of a material problem that it believes management is not properly handling.

There is no reference to prudent discharge in the FCPA itself. However, a Board member might well think more than twice about the prudent discharge of duties to the shareholders as both the DOJ and SEC now might well wish to look into a Board’s prudent discharge of duties under the FCPA.

Jan 11, 2018

The communication of your anti-corruption compliance program, both through training and message, is something that must be done on a regular basis to ensure its effectiveness. The FCPA Guidance explains, “Compliance policies cannot work unless effectively communicated throughout a company. Accordingly, DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.”

One of the key goals of any Foreign Corrupt Practices Act (FCPA) compliance program is to train employees in awareness and understanding of the FCPA; your specific company compliance program; and to create and foster a culture of compliance. Beginning in the fall of 2016 through the announcement of the FCPA enforcement Pilot Program, the DOJ began to talk about whether you have determined the effectiveness of your training. This continued with the 2017 Evaluation of Corporate Compliance Programs where they asked, “How has the company measured the effectiveness of the training?” This point has bedeviled many compliance professionals yet is now a key metric for the government in evaluating compliance training.

Also raised in the Evaluation was the focus of your training programs, where the DOJ inquired into whether your training was “tailored” for the audience. The Evaluation, In Prong 6, Training and Communication, asked, in part: Risk-Based TrainingWhat training have employees in relevant control functions received? Has the company provided tailored training for high-risk and control employees that addressed the risks in the area where the misconduct occurred? What analysis has the company undertaken to determine who should be trained and on what subjects? 

This adds two requirements. The first is that you must assess your employees for risk to determine the type of training you might need to deliver. This means that you should risk rank your employees. Obviously, the sales force would be the highest risk but there may be others which are deserving of high risk training as well. From your risk ranking, you need to then develop training tailored for the risks those employees will face.

The key going forward is that you have thoughtfully created your compliance training program. Not only in the design but who receives it, all coupled with backend determination of effectiveness. Finally, all of this must be documented. In Prong 6, Training and Communication, of the Evaluation it read, in part: 

Form/Content/Effectiveness of Training – Has the training been offered in the form and language appropriate for the intended audience? How has the company measured the effectiveness of the training?

Most companies have not considered this issue, the effectiveness of their compliance program. I would suggest that you start at the beginning of an evaluation and move outward. This means starting with attendance, which many companies tend to overlook. You should determine that all senior management and company Board members have attended compliance training. You should review the documentation of attendance and confirm this attendance. Make your department or group leaders accountable for the attendance of their direct reports and so on down the chain. Evidence of training is important to create an audit trail for any internal or external assessment or audit of your training program. 

Joel Smith, the founder of Inhouse Owl, a training services provider, considered an analysis of return on investment (ROI) for compliance training. He advocated performing an assessment to determine ethics and compliance training ROI to demonstrate that by putting money and resources into training, a compliance professional can not only show the benefits of ethics and compliance training but also understand more about what employees are getting out of training (i.e. effectiveness). The goal is to create a measurable system that will identify the benefits of training, such as avoiding a non-compliance event such as a violation of the FCPA. I have adapted his concepts on ROI to focus on compliance training effectiveness.

Smith’s model uses four factors to help determine ROI for your ethics and compliance training, which are: (1) Engagement, (2) Learning, (3) Application and Implementation, and (4) Business Impact. These same four factors can be used to determine compliance training effectiveness.

  1. Figure out what you want to measure. Before you ever train an employee, you should have a goal in mind. What actions do you want employees to take? What risks do you want them to avoid? In compliance training, you want them to avoid non-ethical and non-compliant actions that would lead to potential violations. Your goal is to train employees to follow your Code of Conduct and your compliance program policies and procedures so you avoid liability related to actions.
  2. Were employees satisfied with the training? What is their engagement? The next step is to get a sense of whether employees feel that the training you provided is relevant and targeted to their job. If it’s not targeted, employees will likely not be committed to changing risky behavior. One way to obtain such data is through a post-training survey. This should give you insight into determining if employees thought the training was beneficial and effective in answering their questions and concerns.
  3. Did employees actually learn anything? A critical part of any employee training is the assessment. You must know whether they actually learned anything during training. You can collect this data in a number of ways, but for compliance training, the best way is to measure pre- and post-training understanding over time. Basically, each time you train an employee, measure comprehension both before and after training.
  4. Are employees applying your training? A survey should be used to determine employee application and their implementation of the training topics. To do so, you must conduct surveys to understand whether they ceased engaging in certain risky behaviors or better yet understand how to conduct themselves in certain risky situations. These surveys can provide a good sense of whether the training has been effective.

The beauty of using surveys is that it provides feedback on not simply the compliance training to determine effectiveness but a much wider variety of areas for your compliance program. These surveys can provide critical information on the state of your compliance program and provide substantive feedback for further inclusion back into your compliance program. Testing your program and using that information in a feedback loop is another key component of a best practices compliance program.

The importance of determining effectiveness of your compliance program is now enshrined by the DOJ in its Evaluation. The Evaluation demonstrates the DOJ wants to see evidence of the effectiveness of your compliance program. This is something that many Chief Compliance Officers and compliance professionals struggle to determine. Both the simple guidelines suggested and the more robust assessment and calculation provide you with a start to fulfill the Evaluation but you will eventually need to demonstrate the effectiveness of your compliance training going forward.

Three Key Takeaways

  1. You must demonstrate you have measured the effectiveness of your compliance training?
  2. The DOJ is clearly moving into requiring a demonstration of effectiveness of compliance training.
  3. You should be moving towards a model of demonstrating compliance training ROI to validate full operationalization of your compliance training. 

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Jan 10, 2018

In this episode Matt Kelly and I take deep dive into the issue of non-GAAP metrics and its implications. We were inspired an article in this quarter's MIT Sloan Management Review entitled, "The Pitfalls of Non-GAAP Metrics" by H. David Sherman and S. David Young. It is fascinating review of this topic, which as the authors note "Lurking within the financial statements and communications of public companies is a troubling trend. Alternative metrics, once used sparingly, have become increasingly ubiquitous and more detached from reality." 

Jan 10, 2018

What is the message of compliance inside of a corporation and how it is distributed? In a compliance program, the largest portion of your consumers/customers are your employees. Social media presents some excellent mechanisms to communicate the message of compliance going forward. Many of the applications that we use in our personal communication are free or available at very low cost. Why not take advantage of them and use those same communication tools in your internal compliance marketing efforts going forward?

I visited with Louis Sapirman, Chief Compliance Officer at Dun & Bradstreet (D&B) about the company’s integration of social media into compliance. Sapirman emphasized the tech savvy nature of the company’s work force. It is not simply about having a younger work force. If your company is in the services business it probably means an employee base using technological tools to deliver solutions. He also pointed to the data driven nature of the D&B business so using technological tools to deliver products and solutions is something the company has been doing for quite a while. This use of technological tools led the company to consider how such techniques could be used internally in disciplines which may not have incorporated them into their repertories previously.

Not surprisingly, with most any successful corporate initiative, Sapirman said it began at the top of the organization, literally with the company’s Chief Executive Officer, Robert Carrigan. Sapirman noted that the CEO saw the advantage of using social media internally and challenged his senior management team to take a new look at the manner in which their corporate functions were using social media. From there Sapirman and his compliance team saw the advantages of using social media for facilitating a 360-degree approach to communications in compliance. Sapirman comprehended the possibility for use of social media for compliance with those external to the company as well.

Internally Sapirman pointed to a tool called Chatter, which he uses similarly to Twitter users who engage in a Tweet-up. He has created an internal company brand in the compliance space, using the moniker #dotherightthing, which trends in the company’s Chatter environment. He also uses this hashtag when he facilitates a Chatter Jam, which is a real-time social media discussion. He puts his compliance team into the event and they hold it at various times during the day so it can be accessed by D&B employees anywhere in the world.

He said that he seeds Chatter Jam so that employees are aware of the expectations and to engage in the discussion respectfully of others. When D&B began these sessions he also reminded employees that if they had specific or individual concerns they should bring them to Sapirman directly or through the hotline. However, he does not have to make this admonition any more, as everyone seems to understand the ground rules. Now this seeding only relates to the topics that each Chatter Jam begins with going forward.

One of the concerns lawyers tend to have about the use of social media is with general and specific topics coming up on social media and the ill it may cause the organization. Sapirman believes that while such untoward situations can arise, if you make clear the ground rules about such discussions, these types of issues do not usually arise. That has certainly been the D&B experience.

Each employee uses their own names during these Chatter Jams so there is employee accountability and transparency as well. Sapirman said they further define each communication through a hashtag so that it cannot only immediately be defined but also searched in the archives going forward. He provided the examples of specific regulatory issues and privacy. This branding also enhances the process going forward.

I asked Sapirman if he could point to any specific compliance initiatives that arose during or from these Chatter Jams. Sapirman emphasized that these events allow employees the opportunity to express their opinions about the compliance function and what compliance means to them in their organization. One of these discussions was around the company’s Code of Conduct. He said that employees wanted to see the words “Do The Right Thing” as the name of the Code of Conduct.

I inquired about D&B’s use of social media in connection with their third parties. Sapirman said that the company allows some of them access to its internal Chatter tools to facilitate direct communications. Further, these external contractors can connect with both Sapirman and the company through Twitter. He said that he is consistently communicating to the greater body of customers about the compliance initiatives or compliance reminders on what the D&B compliance function is doing and how it is going about doing them. He believes it is an important communications tool to make sure that he and his team are getting their compliance messages out there.

Both of these initiatives drove home to me three key insights. The first is how compliance, like society, is evolving, in many ways ever faster. As more millennials move into the workforce, the more your employee base will have used social media all their lives. Once upon a time, email was a revelatory innovation. Now if you are not communicating, you are falling behind the 8-ball. Employees expect their employers to act like and treat them as if this is the present day, not 1994 or even 2004.

The second is that these tools can go a long way towards enhancing your compliance program going forward. Recall the declination to prosecute that Morgan Stanley received from the Department of Justice, back in 2012, when one of its Managing Directors had engaged in FCPA violations. One of the reasons cited by the DOJ was 35 email compliance reminders sent over 7 years, which served to bolster the annual FCPA training to the recalcitrant Managing Director. You can use your archived social media communications as evidence that you have continually communicated your company’s expectations around compliance. It is equally important that these expectations are documented (Read – Document, Document, and Document).

Finally, never forget the social part of social media. Social media is a more holistic, multiple-sided communication. Not only are you setting out expectations but also these tools allow you to receive back communications from your employees. The D&B experience around the name change for its Code of Conduct is but one example. You can also see that if you have several concerns expressed it could alert you earlier to begin some detection and move towards prevention in your compliance program.

Three Key Takeaways

  1. Incorporation of social media into your compliance communications can pay off big dividends.
  2. Focus on the ‘social’ part of social media.
  3. Use internal corporate social media to have facilitate a 360-degree conversation.

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Jan 9, 2018

Today, I visit with Mark Rainsford and Jason Sugarman, principals with RS Legal Strategies which is a pioneering Queen’s Counsel led business crime, fraud and legal strategy boutique. Its world-class professionals include leading and junior counsel, a solicitor, a former member of the judiciary and special advisor to the Serious Fraud Office, two former investigators, analysts, researchers, tax fraud and compliance specialists. RSL has special expertise in UK DPAs and NPAs and offers an Independent Compliance Monitor or Reviewers.

RS Legal Strategies employs former senior UK law enforcement investigators to provide expert analysis and an invaluable strategic advice on evidential and disclosure issues. RS Legal Strategies conducts internal investigations into wide variety of areas including: fraud detection, business and corporate crime, proceeds of crime and money laundering investigations and regulatory compliance.

In 2017, RS Legal Strategies formed a strategic alliance with Affiliated Monitors (AMI). With the complementary experience of the US and UK teams, it allows companies to take a more pro-active approach to addressing ethics and compliance deficiencies comprehensively and through the efforts of an independent advisors, there is a much greater likelihood that a successful outcome and improved practices can be achieved. Through the combination of RS Legal’s experience with UK enforcement actions, with AMI’s global ethics and compliance, this alliance can significantly increase the likelihood of any of a corporate client securing a non-prosecution outcome, a Deferred Prosecution Agreement, or other beneficial outcome resulting from ongoing investigations.

Together AMI and RS Legal Strategy offer a unique and compelling vision. Although independent, we would work alongside our client’s lawyers, thus allowing outside and in-house counsel to leverage the exceptional know how from both a UK and USA strategy and compliance consulting perspective.

The interviewees are Mark Rainsford QC, RS Legal Strategies Chairman and Head of Litigation and Jason Sugarman, RS Legal Strategies Managing Director.

For more information, click here.

Jan 9, 2018

A 360-degree view of compliance is an effort to incorporate your compliance identity into a holistic approach so that compliance is in touch with and visible to your employees at all times. It is about creating a distinctive brand philosophy of compliance which is centered on your consumers. In other words, it helps a compliance practitioner to anticipate all the aspects of your employees needs around compliance your employees, who are the customers of your compliance program. This is especially true when compliance is either perceived as something that comes out of the home office or is perceived as the Land of No, largely inhabited by Dr. No. A 360-degree view of compliance gives you the opportunity to build a new brand image for your compliance program.

Previously, I had thought of communications really as a two-way street upward and downward, inbound and outbound, and side to side communications. However, you might choose to phrase it, a 360-degree approach to compliance communications is something different. You simply can no longer as effectively communicate in just two ways. You now communicate in a more holistic manner, and in multiple ways. If you are just thinking about communications in the classic form you are missing something that is happening around you.

360-degrees of compliance communication is not just a classic form of communication but rather it is a communication in the concept of every interaction, whether they be planned interactions or whether they be into or accidental interactions. It is all a form of communication. This is particularly true if you are a compliance professional, a chief compliance officer or a compliant practitioner. The things you do, the way you act, and the way people see you are always communicating. It is not simply communicating to one another as often you may well be communicating to a group across siloed boundaries, to the constituencies with whom you had not even planned to initially communicate.

There are several concepts which should be included in your 360-degree view of compliance communications. Begin with an objective so you identify the purpose of your communication and the target of whom you are going to communicate to. Identify as clearly as you can the purpose and reason to ensure your message is aligned with your objectives. For instance, are you implementing a 360-degree view of communication to educate, inform, change perceptions or build trust and commitment?

Next, who is your audience? To communicate effectively you need to understand your audience. In any corporation, there are multiple audiences who are the key stakeholders in the 360-degree process. How much do they know? Some of the stakeholders include the Board of Directors, senior management, middle management, employee teams, committees, coaches, facilitators, customers, business partners, vendors, sales agents and representative, strategic alliances and business ventures. What are your distribution channels and how do you track your messaging? You should create a comprehensive spreadsheet to track the messages the intended audience and the delivery mechanism. Another key ingredient of the 360-degree approach is feedback. This is a key component of the 360-degree experience and educate each stakeholder on the benefits of feedback from the 360-degree approach.

Finally, you need to evaluate what you have done. You can monitor your communication activities by tracking attendance at the events, website statistics, open rate of emails, downloads of materials, video hits; in other words, the same techniques that your marketing folks would use to determine their messaging’s effectiveness. The objective is to build trust for the 360-degree process by determining if the goal achieved. You can utilize surveys or focus groups to assess the impact on your target audience. By focusing on your customer customers of compliance, I.E. your employees, it allows you to identify gaps and improve the communication process for your compliance program.

Using such a 360-degree approach to communication, allows a CCO to “see around corners” and can be one of the greatest strengths of a best practices compliance program. The reason is listening. Listening is a key leadership component and there are certainly many ways to listen. You can sit in your office and wait for a call or report on the hotline or you can go out into the field and find out what challenges employees are facing. From this you can work with them to craft a solution that works for the company and holds to the company’s ethical and compliance values.

Three Key Takeaways

  1. Remember the definition of 360-degrees of compliance communications. It is an effort that includes the compliance identity into a holistic approach so compliance is in touch and visible to your employees at all times.
  2. What is your objective? What are you trying to do with your 360-degrees of compliance communications and how are you using that mechanism to deliver the objectives of your compliance program.
  3. Evaluate. You need to evaluate three factors: (a) has the message been delivered; (b) has it been heard; and (c) is it being implemented.

 

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Jan 8, 2018

In this episode, I visit with QuantaVerse CEO/Founder David McLaughlin on the company’s new tool, the Chief Audit Checkup service, which leverages the QuantaVerse AI Financial Crime Platform to analyze enterprise data and more efficiently and effectively identify insider threats, bribery, corruption, money laundering, fraud, terrorism financing and third-party risks that traditional internal audit investigations routinely miss. The Chief Audit Checkup service identifies anomalous data patterns related to both known and not yet identified financial crime typologies. The Chief Audit Checkup service lets organizations see first-hand how AI analysis can improve their audit processes and outcomes.

We discuss what is new about this offering and how it can assist a CCO to manage many risks: AML, ABC, Cyber, Export, Fraud, Third parties? In ABC cases, the old Watergate maxim of ‘follow the money’ applies because the employees have to get the money from somewhere to pay the bribes and the Chief Audit Executive Checkup service helps a CCO to follow the money. We explore how the Chief Audit Executive Checkup service helps to see down the entire continuum of a transaction; from initial bid to contract signing and how financial anomalies presented to the user in the Chief Audit Executive Checkup service.

Finally, we walk through a fascinating FCPA hypothetical can how the Chief Audit Executive Checkup can help a CCO in the following. A compliance team is tasked to audit an international electronics company’s line of business with a central Asian country, the team would manually review 150 travel and expense reports for anomalies, one month’s worth of core accounting system records of financial transfers to/from the central Asian country, and 30 days of vendor payments as they relate to possible FCPA or other insider threat or corruption risk. The internal audit team might identify 1-2 cases in which employees submitted questionable travel expense reports. Using Chief Audit Executive Checkup, the compliance team could leverage AI to examine thousands of combined data points to holistically screen all LOB data related to central Asian country for known and unknown financial crime red flags truly worthy of their attention.

For more information on Chief Audit Executive Checkup, click here.

Jan 8, 2018

What specifically are internal controls in a compliance program? Internal controls are not only the foundation of a company but are also the foundation of any effective anti-corruption compliance program. The starting point is the FCPA itself, requires the following: 

Section 13(b)(2)(B) of the Exchange Act (15 U.S.C. § 78m(b)(2)(B)), commonly called the “internal controls” provision, requires issuers to:

devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that—

(i) transactions are executed in accordance with management’s general or specific authorization;

(ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;

(iii) access to assets is permitted only in accordance with management’s general or specific authorization; and

(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any

differences ….

 

The DOJ and SEC, in the 2012 FCPA Guidance, stated, “Internal controls over financial reporting are the processes used by compa­nies to provide reasonable assurances regarding the reliabil­ity of financial reporting and the preparation of financial statements. They include various components, such as: a control environment that covers the tone set by the organi­zation regarding integrity and ethics; risk assessments; con­trol activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitor­ing.” Moreover, “the design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.”

This was supplemented in the Evaluation of Corporate Compliance Programs with the following:

ControlsWhat controls failed or were absent that would have detected or prevented the misconduct? Are they there now? 

Aaron Murphy, Assistant Solicitor General in the Office of the Attorney General for the state of Utah and author of “Foreign Corrupt Practices Act: A Practical Resource for Managers and Executives”, said, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.”

here are four significant controls that I would suggest the compliance practitioner implement initially. They are: (1) Delegation of Authority (DOA); (2) Maintenance of the vendor master file; (3) Contracts with third parties; and (4) Movement of cash / currency.

Your DOA should reflect the impact of compliance risk including both transactions and geographic location so that a higher level of approval for matters involving third parties, for fund transfers and invoice payments to countries outside the US would be required inside your company.

Next is the vendor master file, which can be one of the most powerful PREVENTIVE control tools largely because payments to fictitious vendors are one of the most common occupational frauds. The vendor master file should be structured so that each vendor can be identified not only by risk level but also by the date on which the vetting was completed and the vendor received final approval. There should be electronic controls in place to block payments to any vendor for which vetting has not been approved. Internal controls are needed over the submission, approval, and input of changes to the vendor master file.

Contracts with third parties can be a very effective internal control which works to prevent nefarious conduct rather than simply as a detect control. I would caution that for contracts to provide effective internal controls, relevant terms of those contracts, including for instance the commission rate, reimbursement of business expenses, use of subagents, etc.,) should be made available to those who process and approve vendor invoices.

All situations involving the movement of cash or transfer of monies outside the US, including such methods AP computer checks, manual checks, wire transfers, replenishment of petty cash, loans, advances; should all be reviewed from the compliance risk standpoint. This means you need to identify the ways in which a country manager or a sales manager, could cause funds to be transferred to their control and to conceal the true nature of the use of the funds within the accounting system. 

To prevent these types of activities, internal controls need to be in place. All wire transfers outside the US should have defined approvals in the DOA, and the persons who execute the wire transfers should be required to evidence agreement of the approvals to the DOA and wire transfer requests going out of the US should always require dual approvals. Lastly, wire transfer requests going outside the US should be required to include a description of proper business purpose.

The bottom line is that internal controls are just good financial controls. The internal controls that detailed for third party representatives in the compliance context will help to detect fraud, which could well lead to bribery and corruption. As an exercise, I suggest that you map your existing internal controls to the Ten Hallmarks of an Effective Compliance Program or some other well-known anti-corruption regime to see where control gaps may exist at your organization. This will help you to determine whether adequate compliance internal controls are present in your company. From there you can move to see if they are working in practice or ‘functioning’. 

Three Key Takeaways

  1. Effective internal controls are required under the FCPA.
  2. Internal controls are a critical part of any best practices compliance program.
  3. SEC lead FCPA enforcement actions demonstrate the enforcement spotlight on internal controls.

                                                      

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Jan 7, 2018

There are numerous reasons to put some serious work into your compliance policies and procedures. They are certainly a first line of defense when the government comes knocking. The 2012 FCPA Guidance made clear that “Whether a company has policies and procedures that outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures will also be considered by DOJ and SEC.” And by using the word “considered”, it is clear that this means the regulators will take a strong view against a company that does not have well thought out and articulated set of policies and procedures; all of which are systematically reviewed and updated. Moreover, having policies written out and signed by employees provides what some consider the most vital layer of communication and acts as an internal control. Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the ‘Document, Document and Document’ mantra applies just as strongly to this area of anti-corruption compliance.

The specific written policies and procedures required for a best practices compliance program are well known and long established. The 2012 FCPA Guidance stated, “Among the risks that a company may need to address include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.” Policies help form the basis of expectation for conduct in your company. Procedures are the documents that implement these standards of conduct.

The role of compliance policies is to protect companies, their stakeholders, including employees, third-parties and others, despite an occasional lapse. A company’s compliance policies provide a basic set of guidelines for employees and others to follow. Compliance policies should give general prescriptions and should be supplemented by more specific procedures. By establishing what is and what is not acceptable ethical and compliant behavior, a company helps mitigate the risks posed by employees who might not always make the right ethical choices.

The Evaluation of Corporate Compliance Programs builds up on the requirements articulated in the 2012 FCPA Guidance. Under Prong 4, Policies and Procedures, there are two parts: Design and Accessibility and Operational Integration. This Part A has the following components. 

Designing Compliance Policies and ProceduresWhat has been the company’s process for designing and implementing new policies and procedures? Who has been involved in the design of policies and procedures? Have business units/divisions been consulted prior to rolling them out? 

 Applicable Policies and ProceduresHas the company had policies and procedures that prohibited the misconduct? How has the company assessed whether these policies and procedures have been effectively implemented? How have the functions that had ownership of these policies and procedures been held accountable for supervisory oversight? The Evaluation then goes on to ask about both accessibility and effectiveness of the compliance policies and procedures by stating, Accessibility – How has the company communicated the policies and procedures relevant to the misconduct to relevant employees and third parties? How has the company evaluated the usefulness of these policies and procedures?

Compliance policies do not guarantee employees will always make the right decision. However, the effective implementation and enforcement of compliance policies demonstrate to the government that a company is operating professionally and ethically for the benefit of its stakeholders, its employees and the community it serves.

There are five general elements to a compliance policy. It should stake out the following:

  • identify who the compliance policy applies to;
  • set out what is the objective of the compliance policy;
  • describe why the compliance policy is required;
  • outline examples of both acceptable and unacceptable behavior under the compliance policy; and
  • lay out the specific consequences for failure to comply with the compliance policy.

The Evaluation mandates there must be communication of your compliance policies and procedures throughout the workforce and relevant stakeholders such as third-parties and business venture partners. Under Part B of Prong 4 is the Operational Integration section with the following components.

Responsibility for IntegrationWho has been responsible for integrating policies and procedures? With whom have they consulted (e.g., officers, business segments)? How have they been rolled out (e.g., do compliance personnel assess whether employees understand the policies)? 

There are also two specific area that policies and procedures need to focus on. They are around payments and third parties. They have the following components.

Payment SystemsHow was the misconduct in question funded (e.g., purchase orders, employee reimbursements, discounts, petty cash)? What processes could have prevented or detected improper access to these funds? Have those processes been improved? 

Vendor ManagementIf vendors had been involved in the misconduct, what was the process for vendor selection and did the vendor in question go through that process? 

This means that it more than simply having appropriate policies and procedures. It is operationalizing them into your compliance program, down to the business unit level. How can you do so? Compliance training is only one type of communication. This is a key element for compliance practitioners because if you have a 30,000+ worldwide work force, simply the logistics of training can appear daunting. Small groups, where detailed questions about policies can be raised and discussed, can be a powerful teaching tool. Another technique can be the posting FAQ’s in common areas and virtually. Also, having written compliance policies signed by employees provides what some consider the most vital layer of communication. A signed acknowledgement can serve as evidentiary support if a future issue arises. Finally, never forget the example of the Morgan Stanley declination where the recalcitrant employee annually signed such certifications. These signed certifications help Morgan Stanley walk away with a full declination.

The 2012 FCPA Guidance ends its section on policies with the following, “Regardless of the specific policies and procedures implemented, these standards should apply to personnel at all levels of the company.” It is important that compliance policies and procedure are applied fairly and consistently across the organization. The Fair Process Doctrine demonstrates that if compliance policies and procedures are not applied consistently, there is a greater chance that an employee dismissed for breaching a policy could successfully claim he or she was unfairly terminated. This last point cannot be over-emphasized. If an employee is going to be terminated for fudging their expense accounts in Brazil, you had best make sure that same conduct lands your top producer in the US with the same quality of discipline.

Three Key Takeaways

  1. The Code of Conduct, together with written compliance policies and procedures form the backbone of your compliance program.
  2. The DOJ and SEC expect a well-thought out and articulated set of compliance policies and procedures.
  3. The Fair Process Doctrine holds for the application of policies and procedures. 

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Jan 6, 2018

What is the value of having a Code of Conduct? I have heard many business folks ask that question over the years. In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven to wave in regulator’s face during an enforcement action by using it to claim we are an ethical company. Is such a legalistic code effective? Is a Code of Conduct more than simply, your company’s law? What should be the goal in the creation of your company’s Code of Conduct?

In the 2012 FCPA Guidance, the DOJ and Securities and Exchange Commission stated, “A company’s code of conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.” Indeed, it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it. When assessing a compliance program, DOJ and SEC will review whether the company has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code.”

In the Society for Corporate Compliance and Ethics (SCCE) 2017 Complete Compliance and Ethics Manual, article, entitled “Essential Elements of an Effective Ethics and Compliance Program”, authors Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz, state that your company’s Code of Conduct “First and foremost, the standards of conduct demonstrate the organization’s overarching ethical attitude and its “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” They go on to state, “The code is meant for all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. This includes management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.” From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.”

There are several purposes which should be communicated in your Code of Conduct. The overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating those requirements, to providing a process for proper decision-making and then requiring that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored to your company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. Your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of disciplines, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

As I often say, the three most important things about your compliance program are ‘Document, Document and Document’. The same is true in communicating your company’s Code of Conduct. You need to do more than simply put it on your website and tell folks it is there, available and that they should read it. You need to document that all employees, or anyone else that your Code of Conduct is applicable to, has received, read, and understands it. The DOJ expects each company to begin its compliance program with a very public announced, very robust Code of Conduct. If your company does not have one, you need to implement one forthwith. If your company has not reviewed or assessed your Code of Conduct for five years, I would suggest that you do in short order as much has changed in the compliance world.

How important is the Code of Conduct? Consider the 2016 SEC enforcement action involving United Airlines, which turned on violation of the company’s Code of Conduct. The breach of the Code of Conduct was determined to be a FCPA internal controls violation. It involved a clear quid pro quo benefit paid out by United Airlines to David Samson, the former Chairman of the Board of Directors of the Port Authority of New York and New Jersey, the public government entity which has authority over, among other things, United Airlines operations at the company’s huge east coast hub at Newark, NJ.

The actions of United’s former Chief Executive Officer, Jeff Smisek, in personally approving the benefit granted to favor Samson violated the company’s internal controls around gifts to government officials by failing to not only follow the United Code of Conduct but also violating it. The $2.4 million civil penalty levied on United was in addition to the Non-Prosecution Agreement settlement with the Department of Justice, which resulted in a penalty of $2.25 million. The scandal also cost the resignation of Smisek and two high-level executives from United.

Three Key Takeaways

  1. Every formulation of a best practices compliance program starts with a written Code of Conduct.
  2. The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity.
  3. Document Document Documents your training and communication efforts.

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com

Jan 5, 2018

In this episode, Jay Rosen and myself take a look at some of the top compliance stories over the past week. Jonathan Marks joins us to discuss his new Board and Fraud blog. 

  1. More fallout from the Keppel Offshore FCPA enforcement action. See articles by Dick Cassin in the FCPA Blog on the in-house lawyer who pled guilty and the systemic nature of the corruption.
  2. Rick Messick considers risk assessments in the Global Anti-Corruption Blog.
  3. Well know anti-fraud specialist Jonathan Marks starts a new blog Board and Fraud, focusing on corporate governance and fraud issues. He begins by telling auditors to be skeptical. Check it out here.
  4. Is the purpose of corporate enforcement deterrence or punishment? Mihailis E. Diamantis considers this question with a preview of his upcoming article “Clockwork Corporations: A Character Theory of Corporate Punishment”. The preview is posting in NYU’s Crime and Enforcement blog.
  5. Former Och Ziff hedge fund executive, Michael Cohn indicted for fraud in Africa investment scheme. See article in Bloomberg.
  6. A banker From Turkey Convicted in plot to evade Iran sanctions. See article by Benjamin Weiser and Carlotta Gall in the New York Times. See DOJ Press Release.
  7. Petrobras Settles U.S. Securities Suit Based on Corruption-Related Allegations for $2.95 Billion. Kevin LaCroix reports from the D&O Diary. Henry Cutter reports from the WSJ Risk and Compliance Journal.
  8. Join Tom’s monthly podcast series on One Month to a More Effective Compliance Program. In January, I bring together the entire year of compliance program best practices with 31 days to a more effective compliance program. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
  9. Tom announces his next Compliance Master Class, sponsored by Marcum LLC. It will be held on February 11 & 12 at Marcum’s offices in Miami, FL. More information or a copy of the agenda, or to register, will be available on my website, FCPA Compliance Report or at Marcum LLP.
Jan 5, 2018

What is the role of a company’s Board of Director as laid out in the Evaluation of Corporate Compliance Programs? In an area of inquiry entitled, “Oversight” the DOJ asked three basic questions. Under Prong 2, Senior and Middle Management, the Evaluation posed three questions directed at the Board.

  1. What compliance expertise has been available on the board of directors?
  2. Have the board of directors held executive or private sessions with the compliance function?
  3. What types of information has the board of directors examined in their exercise of oversight in the area in which the misconduct occurred?

In the new FCPA Corporate Enforcement Policy, it supplements the above with the following requirement for a Board of Directors in a best practices compliance program, asking what is “the availability of compliance expertise to the board”?

At a general level, these inquiries several structural components for a Board around compliance. They include defining the Board’s role so there is a mutual understanding between the Board, CEO and senior management of the Board’s responsibilities around compliance. The Board must work to foster a culture of compliance risk management so all stakeholders should understand the compliance risks involved and manage such risks accordingly. The Board must incorporate compliance risk management directly into a strategy by overseeing the design and implementation of compliance risk evaluation and analysis. The Board should help to define the company’s appetite for compliance risk so all stakeholders need to understand the company’s appetite or lack thereof for compliance risk. The Board must oversee the execution of the compliance risk management process by maintaining an approach that is continually monitored and had continuing accountability. Finally, the Board must demand benchmarking through compliance systems which allow for evaluation and modifying the compliance risk management process for compliance as more information becomes available or facts or assumptions change.

All of these factors can be easily adapted to compliance risk management oversight. Initially it must be important that the Board receive direct access to such information on a company’s policies on this issue. The Board must have quarterly reports from a company’s Chief Compliance Officer to either the Audit Committee or the Compliance Committee. Your  Board should create a Compliance Committee as the Audit Committee may more appropriately deal with financial audit issues. A Compliance Committee can devote itself exclusively to non-financial compliance, such as compliance. The Board’s oversight role should be to receive such regular reports on the structure of the company’s compliance program, its actions and self-evaluations. From this information, the Board can give oversight to any modifications to managing risk that should be implemented. 

In addition to the requirement that a Board of Directors have a Compliance Committee, a Board should also have a compliance subject matter expert as a member. Mike Volkov looked at it from both a practical and business perspective stating, “I have witnessed firsthand that companies that have a board member with compliance expertise usually have a more aggressive and effective compliance program. In this situation, a Chief Compliance Officer has to answer to the board for the company’s compliance program, while receiving the resources and support to accomplish compliance tasks.” Roy Snell considered it through the prism of the compliance profession and noted, “the government is looking for is not generic compliance expertise. They are looking for compliance program management expertise.

There are some specific areas of inquiry by a Board of Directors around the compliance. I have adapted 20 questions which reflect the oversight role of directors. These are questions which the Board should ask of both senior management and the Board itself. The questions are not intended to be an exact checklist, but rather a way to provide insight and stimulate discussion on the topic of compliance. The questions provide directors with a basis for critically assessing the answers they get and digging deeper as necessary.

The comments summarize the most current thinking on the issues and the practices of leading organizations. Although the questions apply to most medium to large organizations, the answers will vary according to the size, complexity and sophistication of each individual organization.

Part I: Understanding the Role and Value of the Board Compliance Committee

  1. What are the Board Compliance Committee’s responsibilities and what value does it bring to the board?
  2. How can the Board Compliance Committee assist the board to enhance its relationship with management?
  3. What is the role of the Board Compliance Committee?

Part II: Building an Effective Board Compliance Committee

  1. What skill sets does the Board Compliance Committee require?
  2. Who should sit on the Board Compliance Committee?
  3. Who should chair the Board Compliance Committee?

Part III: Directed to the Board of Directors

  1. What is the Board Compliance Committee’s role in building an effective compliance program within the company?
  2. How can a Board Compliance Committee assess potential members and senior leaders of the company’s compliance program?
  3. How long should directors serve on the Board Compliance Committee?
  4. How can the Board Compliance Committee assist in Board succession issues?

Part IV: Enhancing the Board’s Compliance Performance Effectiveness

  1. How can the Board Compliance Committee assist in director development?
  2. How can the Board Compliance Committee help the board chair sharpen the board’s overall performance focus?
  3. What is the Board Compliance Committee’s role in board evaluation and feedback?
  4. What should the Board Compliance Committee do if a director is not performing or not interacting effectively with other directors?
  5. Should the Board Compliance Committee have a role in chair succession?
  6. How can the Board Compliance Committee help the board keep its mandates, policies and practices up-to-date?

Part V: Merging Roles of the Compliance Committees

  1. How can the Board Compliance Committee enhance the board’s relationship with institutional shareholders and other stakeholders?
  2. What is the Board Compliance Committee’s role in CCO succession?
  3. What role can the Board Compliance Committee play in preparing for a crisis, such as the discovery of a sign of a significant compliance violation?
  4. How can the Board Compliance Committee help the board in deciding CCO pay, bonus and resources made available to the corporate compliance function?

Three Key Takeaways

  1. The DOJ Evaluation of Corporate Compliance Program requires active Board of Director engagement around compliance.
  2. Board communication on compliance is a two-way street; both in bound and out bound.
  3. Has the Board built an effective Board Compliance Committee?

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Jan 4, 2018

The Evaluation of Corporate Compliance Programs makes clear, a company must have more than simply at good ‘Tone-at-the-Top’; it must move down through the organization from senior management down to middle management and into its lower ranks. This means that one of the task is to get middle management to respect the stated ethics and values of a company, because if they do so, this will be communicated down through the organization.

Mike Volkov said in an article entitled, “Mood in the Middle Versus Tone at the Top” that “Even when a company does all the right things at the senior management level, the real issue is whether or not that culture has embedded itself in middle and lower management.  A company’s culture is reflected in the values and beliefs that exist throughout the company.” To fully operationalize your compliance program, you must find a way to articulate and then drive the message of ethical values and doing business in compliance with such anti-corruption laws such as the FCPA from the top down, throughout your organization.

What should the tone in the middle be? What should middle management’s role be in the company’s compliance program? This role is critical because the majority of company employees work most directly with middle, rather than top management and consequently, they will take their cues from how middle management will respond to a situation. Perhaps most importantly, middle management must listen to the concerns of employees. Even if middle management cannot affect a direct change, it is important that employees need to have an outlet to express their concerns. Your organization should train middle managers to enhance listening skills in the overall context of providing training for their ‘Manager’s Toolkit’. This can be particularly true if there is a compliance violation or other incident which requires some form of employee discipline. Most employees think it important that there be organizational justice so that people believe they will be treated fairly. For if there is organization justice, it engenders perceived procedural fairness which makes it more likely an employee will be willing accept a decision that they may not like or disagree with end result.

Even with a great Tone-At-the-Top and in the middle, you cannot stop. One of the greatest challenges of a compliance practitioner is how to affect the ‘tone at the bottom’. One of the things you can do is assemble a compliance focus group to find out how business is done in the field and if it differs from what your company expects from an ethical and compliance perspective. Begin by assembling a group of employees who are familiar with the challenges of doing business in a compliant manner in certain geographic regions to discuss the challenges of doing business ethically and in compliance. Ask them questions about their understanding of your compliance regime. Then categorize the answers into the theory and practice of compliance in your company.

From this then test what is real in theory and in practice. You can check and see which employees are promoted more regularly; those who do business ethically and in compliance or those who meet their sales quotas every quarter. After you have internally tested, reassemble the original group and have them consider the beliefs that were articulated by them individually in the context of your how your compliance model tested. Lead a discussion that attempts to identify any what is different in practice and in theory and then how you can move from theory to practice to operationalizing compliance. Finally, and in the feedback step, test how to more fully operationalize your compliance regime. These tests can be accomplished in the regular course of business or through a special project with a special team and separate budget.

By engaging employees at this level, you can find out not only what the employees think about the company compliance program but use their collective experience to help design a better and more effective compliance program. Employees want to do business in an ethical manner. Given the chance to engage in business the right way, as opposed to cheating; will win the hearts and minds of your employees almost all the time. By using the protocol suggested by the authors you can not only find out the effect of your company’s compliance program on the employees at the bottom but you can affect them as well.

Employees often look to their direct supervisor to determine what the tone of an organization is and will be going forward. Many employees of a large, multi-national organization may never have direct contact with the CEO or even senior management. By moving the values of compliance through an organization into the middle, you will be in a much better position to inculcate these values and operationalizing compliance with them.

Three Key Takeaways

  1. Tone at the tops- direct supervisors become the most important influence on people in the company.
  2. Give your middle managers a Tool Kit around compliance so they can fully operationalize compliance.
  3. Organizational justice is a further way to help operationalize compliance.

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Jan 4, 2018

In this episode, Richard Lummis and I consider the recent revelations which came to light that during the tenure of the former Chief Executive Officer, Jeff Immelt, he had an empty plane fly behind his jet on corporate trips. This ghost plane tracked Immelt’s jet and was designed to be available if there was a mechanical issue, which presumably could not be fixed sufficiently in time for the CEO’s busy travel schedule. There were several points a Board of Directors can learn from these revelations going forward. 

Thomas Gryta, Joann S. Lublin and Mark Maremont, writing in the Wall Street Journal (WSJ), said that a GE spokesperson noted the reason for the ghost plane ““This practice, which GE has discontinued, involved business-critical itineraries with tight schedules, multiple international stops and, in most cases, security concerns.”” The spokesperson then gratuitously added, ““We do not believe that the understandable criticism of this discontinued practice fairly reflects on Jeff’s dedicated service to GE for over 30 years.”” However the WSJ piece, citing un-named sources said, “While CEO, Mr. Immelt wanted a backup jet in case there was a mechanical issue that could lead to delays”. The cost to operate the ghost plane was about $6500 per hour, adding up to $250,000 to the cost of each flight. 

The New York Times (NYT) reported that the practice occurred during his 16-year tenure as CEO of GE. Yet it was the subject of an internal whistleblower complaint in 2014. The WSJ reported, “The company told GE’s directors the company had reduced the practice in mid-2014 and that the continued use of the backup plane was limited to isolated situations such as travel to risky destinations. The board members were previously unaware, the people said, and some were dismayed to learn of the practice. “Obviously, this was an excess,” one of these people said.” 

Here was a clear misrepresentation to the Board of Directors. Even if limited to ‘isolated situations’ there was a CEO’s behavior and practices which was so egregious that it took a hotline compliant to change and the company executives were less than truthful to its own Board of Directors that the practice could continue. It was not as if company executives had any lack of understanding that the practice was not approved by the Board. The head of the Board’s Audit Committee mandated the practice must end. 

To hide what was going on, the company went out of its way to hide the ghost plane practice as “Flight crews were told to not openly refer to the backup planes, for fear of raising eyebrows, especially at the small airport facilities for private jets, the people said. One person said the flight manifest sometimes listed “Robert Jeffries” or “Jeffrey Roberts” as the passenger on the second plane, when in fact the seats were empty.” That certainly sounds like someone trying to hide something. 

What about the excuse that it was for security? James Stewart, writing in the NYT skewered that reasoning by citing to Scott Davis of Melius Research who stated, ““Not even heads of state get that kind of treatment.” Moreover, if the security was such a concern, why was GE sending its CEO there in the first place. Stewart wrote, “No one I spoke to in the field of corporate security said that made any sense, especially in the instance when the second plane stayed in Anchorage while Mr. Immelt traveled to Asia. There are plenty of planes there that could be chartered in case of emergency, not to mention commercial flights with first-class cabins and ample security. Robert Strang, a corporate security expert and the chief executive of the Investigative Management Group, told me he had been conducting security audits for chief executives for 29 years and could think of no similar example.” Finally, “If a destination is so dangerous that it requires a backup plane, then a C.E.O. shouldn’t be going in the first place”. And it’s not as if Mr. Immelt had been traveling to war-torn Syria or Afghanistan. 

Next was a point that Immelt himself raised which spoke directly to business leadership. In a letter to John J. Brennan, chairman and CEO of Vanguard and GE’s lead director, Immelt said, “Given my responsibilities as C.E.O. of a 300,000-employee global company, I just did not have time to personally direct the day-to-day operations of the corporate air team.” He added, “Other than to say ‘hello’ I never spoke to the head of Corporate Air in 16 years.” The CEO of the company goes 16 years without once ever having a substantive conversation with the head of the group mandated with handling his air travel? Frankly I do not know whether to laugh or cry at this statement. If it is true what does it tell you about the Imperial leadership style of Immelt. If he is not telling the truth, it tells you about the liberties he is taking with his facts. 

Stuart Davis also raised some obvious issues. If the CEO or his underlings were willing to violate the Board’s edict of no ghost jets; what else did they allow? Davis was further quoted, ““You hear about this and you have to wonder what else they were spending money on. You really have to question the financial oversight and controls and internal audit. You have to question the entire organization.”” 

According to the WSJ article, “GE informed its board’s compensation committee each year about how much the company had spent to fly Mr. Immelt on corporate aircraft, the people said. But those total amounts lacked details such as how many flights the CEO took, the number of pilots involved or the cost of aircraft fuel, people familiar with the process said. Directors assumed that GE’s human-resources executives had reviewed details about Mr. Immelt’s personal and business trips, according to one person. The GE board’s compensation committee should have requested more detail about Mr. Immelt’s usage.” Even if the Board was initially misled by GE executives, it should have asked for the details to test the information presented to it, especially as it had been the subject of a whistleblower compliant involving the CEO. 

All this would seem to indicate that no one was either (1) running the ship, (2) watching the ship being run or (3) was interested enough to find out what was going on. That is laid at the feet of the Board, in not asking direct, probing questions. It also points to the role of compliance to resolve whistleblower issues and to monitor on an ongoing basis to ascertain if the remediation has been followed or the company reverted to its prior conduct. Finally, any CEO’s excuse that as a 30-year employee, including 16 as CEO and he never had time to say anything other than ‘hello’ to an employee speaks to a CEO who is not only ignoring his employees but clearing communicating that I do not care about you or your job function at this organization. How is that for not only tone at the top but also conduct at the top.

Jan 4, 2018

In this episode, Richard Lummis and I consider the recent revelations which came to light that during the tenure of the former Chief Executive Officer, Jeff Immelt, he had an empty plane fly behind his jet on corporate trips. This ghost plane tracked Immelt’s jet and was designed to be available if there was a mechanical issue, which presumably could not be fixed sufficiently in time for the CEO’s busy travel schedule. There were several points a Board of Directors can learn from these revelations going forward. 

Thomas Gryta, Joann S. Lublin and Mark Maremont, writing in the Wall Street Journal (WSJ), said that a GE spokesperson noted the reason for the ghost plane ““This practice, which GE has discontinued, involved business-critical itineraries with tight schedules, multiple international stops and, in most cases, security concerns.”” The spokesperson then gratuitously added, ““We do not believe that the understandable criticism of this discontinued practice fairly reflects on Jeff’s dedicated service to GE for over 30 years.”” However the WSJ piece, citing un-named sources said, “While CEO, Mr. Immelt wanted a backup jet in case there was a mechanical issue that could lead to delays”. The cost to operate the ghost plane was about $6500 per hour, adding up to $250,000 to the cost of each flight. 

The New York Times (NYT) reported that the practice occurred during his 16-year tenure as CEO of GE. Yet it was the subject of an internal whistleblower complaint in 2014. The WSJ reported, “The company told GE’s directors the company had reduced the practice in mid-2014 and that the continued use of the backup plane was limited to isolated situations such as travel to risky destinations. The board members were previously unaware, the people said, and some were dismayed to learn of the practice. “Obviously, this was an excess,” one of these people said.” 

Here was a clear misrepresentation to the Board of Directors. Even if limited to ‘isolated situations’ there was a CEO’s behavior and practices which was so egregious that it took a hotline compliant to change and the company executives were less than truthful to its own Board of Directors that the practice could continue. It was not as if company executives had any lack of understanding that the practice was not approved by the Board. The head of the Board’s Audit Committee mandated the practice must end. 

To hide what was going on, the company went out of its way to hide the ghost plane practice as “Flight crews were told to not openly refer to the backup planes, for fear of raising eyebrows, especially at the small airport facilities for private jets, the people said. One person said the flight manifest sometimes listed “Robert Jeffries” or “Jeffrey Roberts” as the passenger on the second plane, when in fact the seats were empty.” That certainly sounds like someone trying to hide something. 

What about the excuse that it was for security? James Stewart, writing in the NYT skewered that reasoning by citing to Scott Davis of Melius Research who stated, ““Not even heads of state get that kind of treatment.” Moreover, if the security was such a concern, why was GE sending its CEO there in the first place. Stewart wrote, “No one I spoke to in the field of corporate security said that made any sense, especially in the instance when the second plane stayed in Anchorage while Mr. Immelt traveled to Asia. There are plenty of planes there that could be chartered in case of emergency, not to mention commercial flights with first-class cabins and ample security. Robert Strang, a corporate security expert and the chief executive of the Investigative Management Group, told me he had been conducting security audits for chief executives for 29 years and could think of no similar example.” Finally, “If a destination is so dangerous that it requires a backup plane, then a C.E.O. shouldn’t be going in the first place”. And it’s not as if Mr. Immelt had been traveling to war-torn Syria or Afghanistan. 

Next was a point that Immelt himself raised which spoke directly to business leadership. In a letter to John J. Brennan, chairman and CEO of Vanguard and GE’s lead director, Immelt said, “Given my responsibilities as C.E.O. of a 300,000-employee global company, I just did not have time to personally direct the day-to-day operations of the corporate air team.” He added, “Other than to say ‘hello’ I never spoke to the head of Corporate Air in 16 years.” The CEO of the company goes 16 years without once ever having a substantive conversation with the head of the group mandated with handling his air travel? Frankly I do not know whether to laugh or cry at this statement. If it is true what does it tell you about the Imperial leadership style of Immelt. If he is not telling the truth, it tells you about the liberties he is taking with his facts. 

Stuart Davis also raised some obvious issues. If the CEO or his underlings were willing to violate the Board’s edict of no ghost jets; what else did they allow? Davis was further quoted, ““You hear about this and you have to wonder what else they were spending money on. You really have to question the financial oversight and controls and internal audit. You have to question the entire organization.”” 

According to the WSJ article, “GE informed its board’s compensation committee each year about how much the company had spent to fly Mr. Immelt on corporate aircraft, the people said. But those total amounts lacked details such as how many flights the CEO took, the number of pilots involved or the cost of aircraft fuel, people familiar with the process said. Directors assumed that GE’s human-resources executives had reviewed details about Mr. Immelt’s personal and business trips, according to one person. The GE board’s compensation committee should have requested more detail about Mr. Immelt’s usage.” Even if the Board was initially misled by GE executives, it should have asked for the details to test the information presented to it, especially as it had been the subject of a whistleblower compliant involving the CEO. 

All this would seem to indicate that no one was either (1) running the ship, (2) watching the ship being run or (3) was interested enough to find out what was going on. That is laid at the feet of the Board, in not asking direct, probing questions. It also points to the role of compliance to resolve whistleblower issues and to monitor on an ongoing basis to ascertain if the remediation has been followed or the company reverted to its prior conduct. Finally, any CEO’s excuse that as a 30-year employee, including 16 as CEO and he never had time to say anything other than ‘hello’ to an employee speaks to a CEO who is not only ignoring his employees but clearing communicating that I do not care about you or your job function at this organization. How is that for not only tone at the top but also conduct at the top.

Jan 3, 2018

In this episode, Matt Kelly and I take a look at some of the more intriguing issues in compliance and ethics, FCPA and greater GRC issues in the new year of 2018.

  1. The upcoming SEC Guidance on cybersecurity, which is an issue the SEC has struggled upon. The SEC claims its new guidance will focus more about internal escalation procedures and controls to prevent insider trading ahead of disclosure. The new Revenue Recognition standard which went into effect in December 2017.
  2. We consider how will companies manage consequences of the new standard and some of the ancillary issues: new accounting policies, new procedures for auditors, new assessments of internal control, and even changes to business practices and disclosures in quarterly filings.
  3. The upcoming US Supreme Court decision on whistleblower protection under Dodd-Frank, which centers on whether whistleblower protections under the Dodd-Frank Act extend to employees who only report misconduct internally.
  4. The new FCPA Corporate Enforcement Policy, which was announced in November. How it will be used going forward?
  5. In one of the most public series of scandal, the continued fallout from sexual harassment scandal, including changes to anti-harassment programs in the wake of the Harvey Weinstein scandal, #MeToo and associated corporate and government scandals.
  6. The maturity of vendor risk management programs, both in compliance and in greater business processes. Compliance and audit executives have worried about slices of vendor risk, too. How will audit, risk, and compliance functions work together to tame vendor risk in a more systematic, intelligent way in 2018?
  7. A bustling GRC vendor world is expanding. If risks to the large enterprise are undergoing a digital transformation, so too are the tools and systems enterprises use to manage those risks. How will the GRC software vendors respond to it?
  8. Will the SEC reform SOX? If so what might it look like.

For more on these topics see Matt Kelly’s blog post “Eight Compliance Events to Watch in 2018

« Previous 1 2 3 Next »