In a recent article entitled “The Breakthrough Myth” author Clive Thompson postulates that most radical new technologies have been “percolating in plain sight for years.” He begins with the position that everyone is looking for the Next New Big Thing or as I like to say, the “New New Thing”. This is based upon the assumption that all breakthroughs are “inherently surprising, so it takes a special genius to spot one coming.”
Thompson goes on to point out that such breakthroughs are not how innovation works. He cites Bill Buxton for the proposition that “paradigm-busting innovations are easy to see because they are already lying there-close at hand.” Further, anything that will have an impact in the next ten years has already “been around for 10 years.” He cites Buxton for the name of this phenomenon, the “long nose theory of innovation.” Is this some type of reference to Cyrano de Bergerac (or perhaps more recently, Steve Martin in Roxanne)? No all this means is that big ideas poke their noses into consciousness very slowly, “easing gradually into view.”
I would add my own corollary for the compliance world, the train moves most slowly when leaving the station,but after it leaves, it certainly picks up speed. The most prescient example is the compliance assessment. At the Compliance Week 2010 Annual Conference one of the issues discussed by Lanny Breuer, Assistant Attorney General, for the Criminal Division of the US Department of Justice (DOJ), was what might constitute as some of the elements of an effective compliance and ethics program under the Foreign Corrupt Practices Act (FCPA). In the Q&A following his prepared remarks, Breuer answered a question from the floor and indicated that an annual assessment was one such element. This annual assessment is different from a biennial compliance audit, utilizing a company’s internal audit department or outside professional auditors.
One of the purposes of the compliance assessment is to determine if any new elements of an effective compliance program have been developed in the past year and if they should be incorporated into your company’s compliance program. After I blogged about this point, several people asked me for the text where Breuer spoke about this point and I informed them that it was raised in the unscripted Q&A session with Compliance Week Editor Matt Kelly. Back in May 2010, this was a new component of a best practices compliance program, now one year later an annual assessment is viewed as a key component of such a compliance program.
To demonstrate the “long nose theory” one only need look at the Johnson & Johnson Deferred Prosecution Agreement (DPA), released in April of this year. In addition to the (now) standard Attachment C, in which the DOJ listed its minimums for a best practices compliance program, there was an Attachment D, entitled “Attachment D-Enhanced Compliance Obligations”, it was designed to be in addition to, and to build upon, the commitments made by Johnson & Johnson in Attachment C.
These enhanced obligations include the following:
- Compliance Department – A senior executive will serve as the Chief Compliance Officer (CCO) and shall report to the Audit Committee of the Board. There shall be heads of compliance within each business sector and corporate function. There shall be a Global Compliance Leadership Team which reports to the CCO.
- Gifts, Hospitality and Travel – Gifts are limited to those in “modest” value and appropriate under the circumstances. Hospitality and travel is limited to reasonably priced meals, accommodations and incidental expenses and should be a part of education programs, training, business meetings or conferences. Hospitality and travel are limited to the officials not others.
- Complaints and Reports – In addition to maintaining a mechanism for making reports, the company shall create a “Sensitive Issue Triage Committee” to review and respond to any such FCPA issues as may arise.
- Risk Assessments and Audits – The company will conduct risk assessment in markets where it has customers who are foreign governments. The company will annually conduct FCPA audits for a minimum of five operating companies who are in high risk markets and after the initial audit every three years for any such operating entity. These audits shall include, at a minimum: (1) onsite visits by auditors and where appropriate legal and compliance personnel; (2) review of payments to health care providers; (3) creation of action plans from these audits; and (4) review of the books and records of distributors and agents.
- Acquisitions – To the extent possible, conduct a pre-acquisition FCPA audit of any acquisition target and after acquisition a full FCPA audit within 18 months and training of all relevant personnel and business representatives within one year of acquisition.
- Relationships with Third Parties – The company shall conduct a thorough due diligence of all third party representatives including: (1) a review of the qualifications and business reputation of the third party; (2) written rationale for the use of the third party; and (3) a review of the FCPA risk areas. Due diligence is to be conducted by a local business and compliance representative and elevated for review if Red Flags appear or as appropriate. Contracts with such third parties are to include appropriate FCPA compliance terms and conditions including; (i) representatives and undertakings of the third party to compliance; (ii) right to audit; and (iii) right to terminate.
- Training – Annual training to all directors, officers and employees who could “present corruption risk” to the company. The company shall provide enhanced and more in-depth training to those involved in company sponsored FCPA audits or those on the company acquisition team. Last, the company shall provide training to “relevant third parties acting on the companies behalf” at least every three years.
- Annual Certifications – The company shall implement a system of certifications from “each of J&J’s corporate-level functions, divisions, and business units in each foreign country confirming that their local standard operating procedures adequately implement J&J’s anticorruption policies and procedures, including training requirements, and that they are not aware of any FCPA or other corruption issues that have not already been reported to corporate compliance.”
The J&J Enhanced Compliance Obligations would seem to fall under the “long nose theory” as the nine points set out as obligations are not unfamiliar to the FCPA compliance practitioner. They build upon concepts which have been articulated for some time in the compliance arena. But by utilizing the annual compliance assessment a company may more nimbly move towards a best practices compliance program by determining if it currently has these concepts incorporated into it program. If not it can implement these changes more easily than waiting every two years.
This Week in FCPA, Episode 13 is up. Check out Howard Sklar and myself as we discuss the week’s top FCPA developments. Click here.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2011