Belatedly, we boldly go where no Canadian actor has ever gone before, to celebrate yesterday’s birthday of William Shatner, Captain Kirk of the original Starship Enterprise. I thought about Captain Kirk and his leadership of the Enterprise in the context of a panel at Ethisphere’s 2012 Global Ethics Summit. In a moderated keynote session, entitled “View from the Board”, moderator Stephen Jordan led the panel in an exploration of issues relating to the Board of Directors’ responsibility in a company’s compliance program.

What is the relationship between leadership and culture? Panelist Sheila Penrose, Chairman of the Board at Jones Lang LaSalle and Board member of the McDonald’s Corporation, said that she views the Board of Directors as the “curator of a company’s culture.” As a Board member she wants to know if there is a clear framework to determine and measure certain key facets of a compliance program. These key facets include: (1) tone of the company towards doing business in a compliant manner; (2) the effectiveness of the company to understand new compliance issues as they arise; and (3) the process and dynamics of the company’s compliance program. Her view of a Chief Compliance Officer (CCO) is that he or she should have “good professional judgment” and be able to communicate to the Board about their judgment of ethical behavior in the company.

Presentations to the Board

Regarding presentations to the Board of Directors, Penrose said that she desired to have two general types. The first is training the Board of Directors on emerging issues that the company might face from the compliance context and to direct how the Board of Directors might think about these issues, particularly in regard to how they would affect the risk profile of the company. The second is a report of the trends emerging from internal reporting on compliance issues. This could include hotline reports or surveys that the compliance group performs to determine if there are any emerging or systemic issues relating to compliance that should be addressed. From these metrics Penrose said that she is always keen to know if there are any lessons to be learned which can be applied to future situations or to stop certain behaviors.

The second panelist, Daniel Tishman, Board member of AECOM Technology Corporation, said the initial issue to determine is the type of Board. Is it the Board of a new or relatively new entity, populated with friends of the Chief Executive Officer (CEO) and with persons who either work in or have significant experience in the core business of the company? Conversely, is it the Board of a more mature company? If it is the former, Tishman believes a CCO will have to provide much more basic compliance education to the Board.

As to the types of presentations he prefers, Tishman focused his answer on the types of information that he expects if a serious compliance issue has arisen, which may well be a violation of a substantive anti-corruption law such as the Foreign Corrupt Practices Act (FCPA) or the UK Bribery Act. He said there are four points that he would like to receive guidance on or through. First, he demands prompt reporting to the Board. Second, all reporting must have complete transparency to the Board. Third, he expects proactive action by the CCO, rather than simply waiting for instructions. Lastly, Tishman would expect to be told if any event is a one-off or a systemic problem, coupled with a fair appraisal of whether the event is a true crisis or is more of a “regular issue”.

Metrics

Both panelists discussed metrics as a key component of Board reporting. Tishman said that he prefers to receive metrics which focus on new or emerging areas for the company. So if the company is opening up with a new product line or service, or is moving into a new geographic area, he wants to see the compliance risks assessed and reported to the Board of Directors.

Penrose advocated metrics to measure three areas: (1) measures of magnitude; (2) measures of direction; and (3) measures of penetration. By measures of magnitude, she said that she desired information on how well the company’s compliance regime had been communicated throughout the target audience of employees and third parties, or “exposure”. The measures of direction are designed to present information on trends that compliance is seeing within the company; an example she gave was a review and summary of hotline reporting. The final measure of penetration was designed to drill down further than the measure of magnitude to provide metrics on how well the compliance program had penetrated down into the employee base and third parties with whom the company might be working to obtain or retain business.

And what of Captain Kirk, his leadership and lessons learned for the compliance profession? He did not have to deal with a Board of Directors, in the form of Star Fleet Command, too often so that probably is not a helpful analogy. However, Kirk did lead from the front and that is what a CCO must do. Penrose said that she expects her CCO to “manage by walking around” to go out into the field and get the message of compliance to the troops. If you are the CCO, or compliance professional, you need to either be on the Away Team or lead the Away Team and boldly go where no CCO has gone before.

To get yourself in a Star Trek frame of mind, cue the iconic original television series opening theme here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

There is an ongoing debate in the compliance world about whether a company can or should combine or separate the role of the Chief Compliance Officer (CCO) from that of the General Counsel (GC). However, before a company can answer this question, it must meet No. 6 of the Department of Justice’s (DOJ) minimum best practices requirement for a Foreign Corrupt Practices Act (FCPA) based compliance program. Requirement No. 6 reads:

The company will assign responsibility to one or more senior corporate executives for the implementation and oversight of the company’s anti-corruption policies, standards, and procedures. Such corporate official(s) shall have direct reporting obligations to independent monitoring bodies, including internal audit, Company’s Board of Directors, or any appropriate committee of the Board of Directors, and shall have an adequate level of autonomy from management as well as sufficient resources and authority to maintain such autonomy.

This requirement clearly mandates that a company must have one or more senior level executives to oversee the company’s compliance program. At the recent Ethisphere 2012 Global Ethics Summit this issue was explored. Alan Yuspeh, Senior Vice President and Chief Compliance and Ethics Officer for Hospital Corporation of America, said that he believed there were three keys to the role of a company’s head of compliance.

a. Senior Management

Yuspeh believes that whoever heads compliance at a company must be included in the ranks of the company’s senior management. This is because when such a person speaks, they need to do so as a peer and not as a subordinate, to company management. Senior management status is also important when dealing with the Board of Directors.

b. Clear Commitment

Here Yuspeh spoke about a clear commitment from the top management of the company to the position of the head of compliance. This is more than simply the ubiquitous “Tone-at-the-Top” as it means a commitment to the position of head of compliance; a commitment to funding and achieving the goals of meeting a minimum best practices compliance program. This means that top management cannot simply cut off compliance at the knees every time it makes an unpopular decision. Further, the money must be made available to hire the necessary staff, travel and train employees, implement and help to perform the requisite investigations of third parties. If such monies are not made available, your company truly has a paper program.

c. Keep Compliance Involved

The third element that Yuspeh mentioned was that whoever heads compliance must “constantly fight to keep compliance involved” in all appropriate aspects of the company’s business. This is more than compliance simply having a seat at the table. The head of compliance must ensure that the compliance function is inculcated down into the DNA of the company. So, just as a Chief Executive Officer (CEO) might ask what is the Legal Department’s view on a certain contract or issue facing the company, the head of a company’s Compliance function should also be thought of as a person whose group is a “go-to” group within the company for advice.

Smaller companies may not have a Compliance function within their organization but it is clear from the DOJ’s minimum best practices that there must be a person who heads that function within a company. Yuspeh has laid out what he believes the practical guidelines are for a head of compliance within an organization. His comments speak to the requirements of the DOJ as laid out in requirement No. 6. Does the head of compliance in your organization meet these criteria?


How do you move off dead center? That was a question posed by my colleague Mary Jones in a recent guest blog post. She gave several concrete steps in answer to her own question. This question was further explored in the January issue of the Compliance Week magazine which began a six-part “Anti-Corruption Illustrated” series by Carol Switzer, President of the Open Compliance and Ethics Group (OCEG). OCEG is an organization which “develops standards and guidance to help organizations achieve Principled Performance”; that is, “the reliable achievement of objectives while addressing uncertainty and acting with integrity.” OCEG’s Illustrated Series is a teaching method developed to visually represent how to set up processes and procedures in various areas and disciplines. This Anti-Corruption Illustrated Series is a very useful tool for the compliance practitioner to use in explaining the components of an effective compliance program.

In the first article of her series, Switzer shares her views on how anti-corruption programs enable business agility. In addition to her own thoughts, Switzer moderated and reported on a roundtable discussion of compliance experts who shared their views on managing corruption risks. These experts included Steven Kuzma, Global Leader in Corporate Compliance at Ernst & Young; Jay Martin, Chief Compliance Officer at Baker Hughes; Mike Rost, Vice President at Thomson Reuters GRC; and Jim Slavin, Senior Director at SAI Global.

  1. Assess the Risk – In this step you identify corruption risk factors that your company may face. These can be based upon several different factors including the nature and location of your company’s business activities; your company’s third party relationships; and your company’s methods for obtaining and retaining business. You should evaluate and then rank these risks based upon your company’s risk appetite and be prepared to respond to internal or external forces that might change this risk assessment.
  2. Develop the Program – You should develop “a comprehensive and balanced anti-corruption program that corresponds to the risks identified in the assessment process.” This should include written policies, procedures and internal controls for all levels within your organization. You will need to obtain Board of Directors and senior management endorsement of your strategies and communication of this support.
  3. Define and Implement Policies – In this step you should consider the written policies which map to the applicable regulations, obligations and business processes that you have created. Ownership of these requirements within the business is critical to their success and there should be communication to key stakeholders including “staff, third parties, auditors and customers.”
  4. Build and Operate Controls – Next you will need to establish “procedures and controls to prevent, detect, correct, and mitigate the risks” which you have identified and ranked. There needs to be ownership established to monitor these controls with regular documentation, continued assessment and testing of these controls.
  5. Train and Educate – You must develop and deliver training to “raise stakeholder awareness and competence regarding anti-corruption goals, policies, procedures and [internal] controls.” This should include identification of “role-specific programs with desired outcomes” with delivery methods to get your message across to the various target audiences.
  6. Monitor and Evaluate – Here OCEG suggests a five-step process to track and assess policies and controls for effectiveness.
    1. Screen – Monitor vendor, partner and customer records against trusted data sources for red flags.
    2. Identify – Establish helplines and other open channels for reporting of issues and asking questions by employees and appropriate third parties.
    3. Investigate – Use appropriately qualified investigative teams to obtain and assess information about suspected violations.
    4. Analyze – Evaluate data to determine “concerns and potential problems” by using data analytics, tools and reporting.
    5. Audit – Finally, your company should have regular internal audit reviews and inspections of your company’s anti-corruption program; including testing and assessment of internal controls to determine if enhancement or modification is necessary.
  7. Review, Realign and Report – This step requires you to “take timely corrective and disciplinary action for violation” of your company’s program. Your program should be regularly evaluated and aligned with any new or additional corruption risks which are found. Both the Board of Directors and senior management must be informed through regular reporting. Finally, there should be a professional external review on no less than a two year basis to determine your program’s overall sufficiency.

Switzer’s article and report on the roundtable discussion are very useful tools for the compliance practitioner. Her article includes a removable copy of the OCEG Illustrated Series on managing corruption risk. I heartily recommend it to you.


Last week I attended the 2012 Global Ethics Summit hosted by Ethisphere. The first event was a conversation between Mark Mendelsohn and Brackett Denniston, Senior Vice President and General Counsel of General Electric (GE). They both had some interesting observations on the current state of Foreign Corrupt Practices Act (FCPA) compliance. Denniston believes that the conversation on FCPA compliance has evolved to “What can organizations do to create a culture of compliance on a world-wide basis?” To answer this question he gave three overarching themes.

First, it all starts with the ubiquitous “tone-at-the-top”, but it means more than simply saying the right things on a regular basis. Denniston believes that senior management must “speak often and be sincere” in communicating this tone. If they are not sincere, he believes that employees will pick up on this immediately and any efforts to instill such a culture of compliance will be doomed to fail. Second, senior management must “walk the talk” through both discipline and a system of rewards. The discipline must be clear and delivered decisively. The rewards must be not only direct financial remuneration but also the internal promotion of persons who do business in an ethical manner, under the Company’s Code of Conduct. Lastly, a company as a whole must have the willingness to listen. He directed these remarks to helplines and other mechanisms where employees can report compliance violations or even raise concerns. He was clear that it must be directly stated, and enforced, that there is a no-retaliation policy for all reports made in good faith. This also requires a company to keep accurate measurements of such reports and to design and refine its processes around these metrics.

Mendelsohn asked Denniston what were his three biggest challenges at GE regarding compliance and ethics. Denniston responded that the biggest challenge was in integrating acquisitions into the GE compliance culture. This is challenging in remote sites around the globe particularly in locations which do not have a senior management presence nor are visited by senior management on a regular basis. The second area is improper payments on a global basis. While noting that GE bans facilitation payments, these are still a challenge as are payments made through gifts, entertainment and travel. Lastly, he expanded his answer on the top three challenges to add regulatory compliance in general.

Denniston believes that the key for any company is how they will respond when a compliance issue arises. Within the GE world he said that the thing he worries about is that an issue will arise and the local business team will try to clean up the matter and will not disclose it to the home office. From afar, such a response would appear as a cover-up of a reportable FCPA violation, even if no one in the US was involved. It could lead to a conclusion by the Department of Justice (DOJ) or Securities and Exchange Commission (SEC) of an entire failure of a company’s compliance program. Recognizing that the cover-up is always worse than the original event, this would seem to echo Number 3 of Paul McNulty’s Maxims of “What did you do when you found out about it [a compliance violation]?”

Picking up on his point that one of the things a company must do is listen to its employees, Denniston re-emphasized that communication is important but that a company must also measure the effect that these communications have. Metrics are an important aspect of creating and maintaining a culture of compliance at GE because they allow the company to base its compliance program enhancements on quantifiable data. He added that this helps dissipate the confusion between quality in the overall company compliance regime and simple regulatory compliance.

In a very interesting response to a Mendelsohn question along the lines of “is there too much FCPA enforcement?” Denniston responded that he did not think so as he believes that the DOJ has “got it right.” However, he does not believe this is the case with the SEC. He said that the problem, in his opinion, is around how much “fuzziness” there is from the SEC on the credit a company will receive for a self-disclosure. This is true even if the SEC has a principle which is consistent; Denniston believes that it does not always play out so clearly in practice.

Denniston ended his remarks in responding to a Mendelsohn question on “the single best compliance innovation at GE, during his tenure?” Being a good lawyer, Denniston had three single best compliance innovations. They were: (1) Every year GE tried to introduce a substantive improvement to its compliance program. These improvements are generated from a variety of sources, from local business unit employees to his aforementioned metrics, to lead to an enhancement. (2) The continued efforts in the company to increase reporting of any compliance issues so that they might be evaluated by an appropriate compliance professional. He gave an example of a geographic region which had an inordinately low number of reports of compliance issues, which Denniston viewed as a negative. He sought to have this number increased by a minimum of 20% annually, which was achieved. In other words, if there are no reports, GE wants to know why there are no reports. (3) He said that there is now the creation of an unanticipated risk list. This has turned into an early warning system of issues that might pop up on the compliance radar; however, it also forces all employees engaged in the exercise to come up with compliance issues the company is not currently thinking about in any detail.


Last week, the Department of Justice (DOJ) announced the resolution of an enforcement action under the Foreign Corrupt Practices Act (FCPA) involving the Tulsa-based company BizJet. The company is in the business of providing aircraft maintenance, repair and overhaul services (MRO) to customers in the US and internationally. BizJet ran into FCPA trouble regarding its Latin American operations, specifically in the countries of Mexico and Panama. BizJet employees and executives were involved in a multi-year running bribery scheme which paid hundreds of thousands of dollars for these MRO contracts. These payments were discussed at the highest levels of the company, including the Board of Directors, and occurred from 2004 until 2010.

BizJet Bribery Box Score

The Deferred Prosecution Agreement (DPA) listed the following instances of recorded bribery, a/k/a the “BizJet Bribery Box Score”.

| BizJet Executive or Employee Named | Payment Made To | Amount of Payment | Others Involved |
| --- | --- | --- | --- |
| Sales Manager A | Official 6 | Cell Phone and $10K | Executive B and C |
| Sales Manager A | Official 3 | $2K | Executive B |
| Executive B, C and Sales Manager A | Official 2 | $20K | |
| Executive C | Official 2 | $30K | Sales Manager A |
| Executive B | Mexican Federal Police Chief | $10K | Executive C and Sales Manager A |
| Executive C | Official 5 | $18K | Sales Manager A |
| Sales Manager A | Official 4 | $50K | |
| Sales Manager A | Mexican Federal Police | $176 | Executive C |
| Sales Manager A | Official 4 | $40K | |
| Sales Manager A | Mexican Federal Police | $210K | Executive C |
| Sales Manager A | Official 5 | $6K | Executive C |
| Executive C | Official 5 | $22K | |

The above bribes were characterized as “commission payments” and “referral fees” on the company’s books and records. Payments were made from both international and company bank accounts here in the United States. In other words, this was a clear case of a pattern and practice of bribery, authorized at the highest levels of the company and paid through US banks, with attempts to hide all of the above by mischaracterizing the payments in the company’s books and records.

Reduction in Monetary Fine

I set out these facts as listed in the DPA in some detail to show the serious nature of this enforcement action. However, the clear import that I found in this is that a company can make a comeback in the face of very bad facts. The calculation of the fine, based upon the factors set out in the US Sentencing Guidelines, ranged between a low of $17.1MM to a high of $34.2MM. The final agreed upon monetary penalty was $11.8MM. This is obviously a significant reduction from the suggested low or high end, or as was noted by the FCPA Blog, “BizJet’s reduction was 30% off the bottom of the fine range, and a whopping 65% off the top of the fine range.”

How did BizJet achieve this reduction and avoid an external monitor? As reported by the FCPA Professor, the following were factors:

(a) following discovery of the FCPA violations during the course of an internal audit of the implementation of enhanced compliance related to third-party consultants, BizJet initiated an internal investigation and voluntarily disclosed to the DOJ the misconduct …;

(b) BizJet’s cooperation has been extraordinary, including conducting an extensive internal investigation, voluntarily making U.S. and foreign employees available for interviews, and collecting, analyzing, and organizing voluminous evidence and information for the DOJ;

(c) BizJet has engaged in extensive remediation, including terminating the officers and employees responsible for the corrupt payments, enhancing its due diligence protocol for third-party agents and consultants, and instituting heightened review of proposals and other transactional documents for all BizJet contracts;

(d) BizJet has committed to continue to enhance its compliance program and internal controls, including ensuring that its compliance program satisfies the minimum elements set forth in the corporate compliance program set forth in an attachment to the DPA; and

(e) BizJet has agreed to continue to cooperate with the DOJ in any ongoing investigation of the conduct of BizJet and its officers, directors, employees, agents, and consultants relating to violations of the FCPA.

Reports to the DOJ

As mentioned, the company avoided an external monitor. However, it agreed that it would report “at no less than twelve-month intervals during the three year term” [of the DPA] to the DOJ on “remediation and implementation of the compliance program and internal controls, policies and procedures” which were listed in Attachment C to the DPA (the DOJ guidelines for a minimum best practices compliance program). The initial report was required to be delivered one year from the date of the DPA and would also include BizJet’s proposals “reasonably designed to improve BizJet’s internal controls, policies and procedures for ensuring compliance with the FCPA and other applicable anti-corruption laws.”

Cooperation is the Key

Last week I attended the Ethisphere 2012 Global Ethics Summit where Lanny Breuer closed the conference. He did not present a speech but engaged in dialogue with Alex Brigham and took questions from the audience. One of the clear points Breuer emphasized was that if companies will come to the DOJ, make a voluntary disclosure and fully cooperate, it will pay dividends. I believe that this is clearly the case in the BizJet matter. Here you had a multi-year bribery scheme in place, not only approved at the highest levels of the company but with active involvement from senior managers, yet the final monetary penalty was almost 30% below even the lowest in the Sentencing Guideline range. Clearly BizJet benefited through its cooperation with the DOJ and that message should be made clear to any other company which might find itself in such a “fine mess.”
