Sir George Martin died yesterday. For anyone born after the break up of the Beatles, this name is probably not too familiar. However, even more than Brian Epstein, the band’s first professional manager, Martin truly was the 5th Beatle. He not only signed the group to its first recording contract but produced all of their hits as well. As noted in his obituary in the New York Times (NYT), “Martin, the urbane English record producer who signed the Beatles to a recording contract on the small Parlophone label after every other British record company had turned them down, and who guided them in their transformation from a regional dance band into the most inventive, influential and studio-savvy rock group of the 1960s.” Moreover, he was one of the very few producers who became as famous as the musicians he worked with in the recording studio.
The tributes poured in yesterday. Ringo Starr tweeted out, “God bless George Martin”. Mark Ronson (lead guitarist on Bowie’s Ziggy Stardust tour) added, “Thank you Sir George Martin: the greatest British record producer of all time. We will never stop living in the world you helped create.” Even UK Prime Minister David Cameron tweeted, “Sir George Martin was a giant of music – working with the Fab Four to create the world’s most enduring pop music.” I can only add, To Sir George – thanks for everything and it was a great ride.
Today I want to finish my exploration of the Olympus Corporation of America (Olympus) Corporate Integrity Agreement (CIA) and how it might portend emerging best practices in a Foreign Corrupt Practices Act (FCPA) anti-corruption compliance program. Yesterday I reviewed the concepts of how a Compliance Committee and Board involvement, as detailed in the CIA, might well help your compliance program going forward. In this blog I want to consider the obligations for senior management, training, third parties and risk assessments.
Senior Management Certification
The CIA requires a list of senior management to certify their business units are all in compliance with Federal health care obligations. The certification required is as follows:
“I have been trained on and understand the compliance requirements and responsibilities as they relate to [insert name of department or functional area], an area under my supervision. My job responsibilities include ensuring compliance with regard to the [insert name of the department or functional area] with all applicable Federal health care program requirements, FDA requirements, obligations of the Corporate Integrity Agreement, and OCA policies applicable to [department or function], and I have taken steps to promote such compliance. To the best of my knowledge, the [insert name of department or functional area] of OCA is in compliance with all applicable Federal health care program requirements, FDA requirements, and the obligations of the Corporate Integrity Agreement. I understand that this certification is being provided to and relied upon by the United States.”
If the manager cannot make the above certification, he or she must explain why they cannot do so and the steps being taken to remediate.
Imagine the power of a similar certification in the FCPA context. This is beyond the usual employee certification that they have not violated the FCPA in the past year and they are not aware of any violation. This would proactively require management to make some type of assessment as to whether their business unit was in compliance with the company’s anti-corruption compliance program.
Many would no doubt exclaim, “What an order, I can’t go through with it.” However, it might make such senior managers actually do their job and manage rather than put their head in the sand around FCPA compliance. At the very least it would certainly end the rogue employee defense, which companies are quick to bring out when under a FCPA investigation or most any other corporate matter. (Witness Volkswagen’s (VW’s) abysmal claims of the ‘rogue engineers’ creating and maintaining its emissions-testing fraud.)
Training and Education
The CIA has very detailed instructions around training which require the company to outline steps which will ensure employees receive compliance training. Within 90 days from the date of the CIA, Olympus is required to present its plan for training essentially high-risk employees on the applicable laws, the personal obligations for employees, the company’s policies and procedures, criminal penalties for violations and reporting mechanisms. If any compliance practitioner wondered what should go in training, that is a pretty good description.
However, the CIA goes further to require that a qualified trainer put on the training, that employees certify receipt of training, and that the training and training protocol be periodically updated. Finally, the Board must be trained on all of the above plus the Board’s separate role in the company’s compliance efforts going forward.
The CIA had some interesting insights into the management of third parties, which are not normally considered in a FCPA compliance program. The CIA requires Olympus to prepare annual budgets around consultants and they are to be identified before pursuing due diligence. The CIA states, “The purpose of this review shall be to ensure that Consultant arrangements and related events are used for legitimate and lawful purposes in accordance with applicable [laws and company] Policies and Procedures.”
It goes on to require the company to set up a “needs assessment to justify the retention of a Consultant prior to the retention of the Consultant.” This rigor is probably required due to the company’s prior transgressions, but it provides an interesting model for a FCPA compliance practitioner to consider: putting the onus on the business unit to plan out and justify the retention of a third party representative.
Here the rigor is once again quite stringent. The company must “establish a grants management system which shall be the exclusive mechanism though which requestors may request or be awarded grants for independent medical education grants, other grant activities (including in-kind grants involving equipment loans), and healthcare-related charitable contributions supported by” the company. But the kicker is that the company’s “sales and marketing personnel shall have no involvement in, or influence over, the review and approval of medical education grants or healthcare-related charitable contribution requests.” This is certainly one way to keep a business unit from engaging in charitable donations to influence business decisions.
Risk Assessment Process
Here the CIA requires centralized risk assessments “to evaluate and mitigate covered risks”. This process requires, “compliance, legal and business unit leaders, at least annually, to evaluate and identify risks associated with [the sales of products and services], including risks associated with the sales, marketing.” Moreover, it requires a centrally developed plan to mitigate identified risks. This is required for all company business units and each is required to identify and mitigate risks unique to its services or products.
The totality of Olympus’ actions warranted this very strict and robust oversight. There are several more conditions in the CIA including a monitor and continuing oversight that I have not discussed. Clearly the Department of Justice (DOJ) does not yet have the full confidence that the company has the will to comply with US laws going forward so robust oversight is warranted.
Nonetheless, many of the strategies the government has pursued may move from the very robust best practices to the new normal. In 2007, I went to work for a company that had a Deferred Prosecution Agreement (DPA) that required stringent due diligence, monitoring and oversight of third parties who came into contractual relationships with the company. This was beyond cutting edge at that point in time. Now it is standard practice. The FCPA compliance practitioner would do well to study the Olympus CIA as it may well portend things to come.
I think I will spend the rest of the week listening to the Beatles catalogue. To Sir George Martin one very large thank you and maybe you can produce David Bowie in the great beyond.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2016