We are now half way (hopefully) through what is predicted to be the largest amount of rain seen in one week by the city of Houston and its surrounding environs in the city’s recorded history. First and foremost, my deepest thanks to everyone who emailed, tweeted, LinkedIn or in any other manner contacted me to ask how my family, myself and my house have all fared up over the past couple of days. So far, all is as good as can be hoped for, we still have power and we have not been flooded out, at least as yet.

Today we hit the 500-year flood mark and it is only the second day of the event. We seem to be hurtling towards the 1000-year storm and flood for South Texas. Even with this cataclysmic event, I think there are lessons to be garnered by the compliance professional which hopefully you can use during less eventful times. The first is to be prepared for the true emergency. Early on at my tenure with Halliburton, when the long-forgotten Hurricane Rita was barreling towards Houston I received a call at home at 6 AM from the then EVP of Legal Services telling me he wanted the Law Department’s Emergency Response Plan ready in the next hour and he would call me at my office number to hear what I came up with. About all I could come up with in the next hour was to stop at every open gas station on the way to the office to purchase maps so all the lawyers would know the routes out of Houston. When he called me at 7 AM, I duly reported these purchases and that I would get everyone’s primary and secondary emergency contact numbers. I then went around to everyone’s office to get the information as the Law Department had somehow never thought to obtain this information previously.

I garnered three important lessons from this exercise were to have this information kept on file and kept up to date. Equally important was the information I had to impart to everyone, which was your secondary emergency contact information was not your spouse but someone you would call to let know if you were safe (or not). Since your spouse and immediate family would be with you, they would be of little use as an emergency contact in a situation such as an evacuation.

But the over-riding lesson was to be prepared for such an eventuality. While you may not have put plans in place for the 500-year or 1000-year floods; if you live on the Gulf Coast, you can certainly prepare for the eventuality of a hurricane and an evacuation. For the compliance practitioner, the emergency you can predict you will face is a potential unknown claim of a Foreign Corrupt Practices Act (FCPA) violation which suddenly becomes public, as when the New York Times (NYT) broke the story of Wal-Mart’s alleged bribery and corruption in Mexico in April 2012. An equally plausible event could be an internal whistleblower report of similar conduct. Equally hair-raising for the General Counsel (GC), could be the situation where the Department of Justice (DOJ), with FBI agents in tow, show up at your company offices, bright and early one morning, search warrant in hand.

It is easy to see that you can anticipate such an eventuality. It means that you should have a detailed written procedure for handling any complaint or allegation of bribery or corruption, regardless of the means through which it is brought to your attention. One of the best investigation protocols is derived from a presentation I saw by Jay Martin, Vice President (VP), Chief Compliance Officer (CCO) and Senior Deputy Counsel for Baker Hughes, a GE company, and Jacki Trevino, Senior Consultant, Advisory Services at SAI Global, which was entitled “FCPA Compliance Best Practices: Success Stories of Robust and Effective Anti-Corruption Compliance Programs in High Risk Markets”.

The five steps were: (1) Opening and Categorizing the Case; (2) Planning the Investigation; (3) Executing the Investigation Plan; (4) Determining Appropriate Follow-Up; and (5) Closing the Case. If you follow this basic protocol, you should be able to work through most investigations, in a clear, concise and cost effective manner. Furthermore, you should have a report at the end of the day which should stand up to later scrutiny if a regulator comes looking. Finally, you will be able to document, document, and document, not only the steps you took but why and the outcome obtained.

Step 1: Opening and Categorizing the Case. This first step is the triage step, to categorize a compliance violation. You should notify the relevant individuals, including those on your investigation team and any senior management members under your notification protocols. After notification, you should assemble your investigation team for preliminary meetings and assessments. This Step 1 should be accomplished in one to three days after the allegation comes into compliance, either through your reporting structure or other means.

Step 2: Planning the Investigation. After assembling your investigation team, determine the required investigation tasks. These would include document review and interviews. These tasks should be integrated into a written investigation or work plan so that the entire process going forward is documented. If there is a variation from the written investigation plan, such variation should be documented and an explanation provided as to why there was such a variation. Lastly, if international travel is involved this should also be considered and planned for at this step. Step 2 should be accomplished with another one to three days.

Step 3: Executing the Investigation Plan. Under this step, the investigation should be completed. I would urge that the interviews not be effected until all documents are reviewed and ready for use in any interviews. Care should be taken to ensure that an appropriate Upjohn warning is issued and that the interviewee clearly understands that whoever is performing the interview represents the company and not the person being interviewed, whether they are the target of the investigation or not. The appropriate steps should also be taken to preserve the attorney-client privilege and attorney work product assertions. This Step 3 should be accomplished in one to two weeks.

Step 4: Determining Appropriate Follow-Up. At this step, the preliminary investigation should be completed and you are ready to move into the final phases. In some investigations, it is relatively easy to determine when the work is essentially complete. For example, if the allegation is both specific and narrow, and the investigation reveals a compelling and benign explanation for the conduct alleged, then the investigation typically is complete and you are ready to convene the investigation team and the relevant business unit representatives. This group would decide on the appropriate disciplinary steps or other actions to take. This Step 4 should be completed in one day to one week.

Step 5: Closing the Case. Under this final step, communicate the investigation results to the stakeholders and complete the case report. Everything done in the above steps should be documented and stored, either electronically or in hard copy form together. The case report should be completed. This Step 5 should be completed in one day to one week.

Through the use of such a detailed written procedure, you can work to ensure there is complete transparency on the rights and obligations of all parties once an allegation is made. This allows the Compliance Department to have not only the flexibility but also the responsibility to deal with such matters, from which it can best assess and then decide on how to manage the matter.

Equally important is the government requirements for an effective investigation. The Securities and Exchange Commission (SEC) considers a variety of factors around giving credit to corporate investigations including: Did management, the Board or committees consisting solely of outside directors oversee the review? Did company employees or outside persons perform the review? If outside persons, have they done other work for the company? If the review was conducted by outside counsel, had management previously engaged such counsel? How long ago was the firm’s last representation of the company? How often has the law firm represented the company? How much in legal fees has the company paid the firm?

But simply having written up an investigation protocol is not enough. You need to be ready to implement it. Even if you cannot perform drills similar to those for hurricane preparedness, you can walk through the steps you have laid out in your investigative protocol, listing who should be notified with multiple contact points to make sure you can get through to them. My hope is that you will never have to face a true emergency but it is certainly plausible you might so having prepared will certainly help you going forward.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017