One of the key lessons I learned in doing the research for The Complete Compliance Handbook is how compliance programs best practices have evolved beyond the basic requirements laid out in the 2012 FCPA Guidance’s Ten Hallmarks of an Effective Compliance Program. In addition to enforcement actions, the Department of Justice’s (DOJ’s) 2016 FCPA Pilot Program, coupled with 2017’s Evaluation of Corporate Compliance Programs (Evaluation) and the FCPA Corporate Enforcement Policy, all provided significant information for the compliance practitioner on what the DOJ is thinking and where the compliance ball has moved since 2012. For this series, I am exploring this evolution and lay out where I think a best practices compliance program currently stands. Today, I take up Hallmarks VII and VIII.
Hallmark VII – Third Parties
Third-parties are still recognized as the highest risk for corruption. Management of third-parties is therefore a critical component for any best practices compliance program. Under the 2012 Guidance, it discussed three prongs on inquiry. The first focused on risk-based due diligence, mandating companies to understand the qualifications and associations of its third-party partners, including its business reputation and relationship, if any, with foreign officials. Second is a business justification, requiring companies to have an understanding of the business reason for including the third party in the transaction. Third is compliance terms and conditionsin the commercial contract.
This original formulation has expanded into five distinct steps: business justification, questionnaire, due diligence, compliance terms and conditions and management after the contract is signed. Understanding and properly using each step is critical to fully manage the lifecycle of third-party relationships. The Evaluation devotes an entire prong to third-party management. It begins with the following:
How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes?
What was the business rationale for the use of the third-parties in question? What mechanisms have existed to ensure that the contract terms specifically described the services to be performed, that the payment terms are appropriate, that the described contractual work is performed, and that compensation is commensurate with the services rendered?
This first set of queries clearly specifies that the DOJ expects an integrated approach that is operationalized throughout the company. This means your compliance process must have a process for the full life cycle of third-party risk management. Moreover, the management of the third-party relationship after the contract has been signed is becoming much more important. This integrated approach is further confirmed by another series of questions in the Evaluation.
Management of Relationships – How has the company considered and analyzed the third party’s incentive model against compliance risks? How has the company monitored the third parties in question? How has the company trained the relationship managers about what the compliance risks are and how to manage them? How has the company incentivized compliance and ethical behavior by third parties?
Managing your third-parties is where the rubber meets the road in your overall third-party risk management program. You must execute on this task. Even if you successfully navigate the first four steps in your third-party risk management program, those four are, in reality, the easy steps. Managing the relationship is where the real work begins.
Hallmark VIII – Reporting and Investigations
This was one of the shortest Hallmarks in the Ten Hallmarks. It had three parts: (1) internal reporting; (2) investigations; and (3) remediation. The Evaluation and FCPA Corporate Enforcement Policy gave extended discussions on what the DOJ expects in this area, beyond the basic formulation found in Hallmark VII.
The 2012 FCPA Guidance had as clear and concise a statement about hotlines as any other requirement found in Ten Hallmarks of an Effective Compliance Program. It stated:An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.
The Evaluation reinforced this language with the following found under Prong 7, Confidential Reporting and Investigation: How has the company collected, analyzed, and used information from its reporting mechanisms? How has the company assessed the seriousness of the allegations it received? Has the compliance function had full access to reporting and investigative information?
This is more than simply maintaining hotlines. Companies have to make real efforts to listen to employees. You need to have managers who are trained on how to handle employee concerns; they must be incentivized to take on this compliance responsibility and you must devote communication resources to reinforcing the company’s culture and values to create an environment and expectation that managers will raise employee concerns.
2. The Investigation Protocol
The 2012 FCPA Guidance had only a short statement about investigations, which stated: once an allegation is made, companies should have in place an efficient, reliable,and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken.
This was expanded in the Evaluation under Prong 7, where it stated: How has the company ensured that the investigations have been properly scoped, and were independent, objective, appropriately conducted, and properly documented?
Moreover, with the advent of the SEC Whistleblower Program, companies must quickly and efficiently investigate all hotline reports. This means you need an investigation protocol in place so that the entire compliance function is on the same page and knows what to do.
Your company should have a detailed written procedure for handling any complaint or allegation of bribery or corruption, regardless of the means through which it is communicated. The mechanism could include the internal company hotline, anonymous tips, or a report directly from the business unit involved. You can make the decision on whether or not to investigate with consultation with other groups such as the Audit Committee of the Board of Directors or the Legal Department. The head of the business unit in which the claim arose may also be notified that an allegation has been made and that the compliance department will be handling the matter on a go-forward basis. Through the use of such a detailed written procedure, you can work to ensure there is complete transparency on the rights and obligations of all parties, once an allegation is made. This allows the compliance department to have not only flexibility but also the responsibility to deal with such matters, from which it can best assess and then decide on how to manage the matter.
In the 2012 FCPA Guidance, it stated: “Companies will want to consider taking “lessons learned” from any reported violations and the outcome of any resulting investigation to update their internal controls and compliance program and focus future training on such issues, as appropriate.” Clearly lessons learned are near and dear to the heart of any ‘Nuts and Bolts’ compliance practitioners as it clearly means you need to input your investigative findings into the solution of the issue which led to the compliance failure.
This was expanded in the Evaluation with the following: “Response to Investigations– Has the company’s investigation been used to identify root causes, system vulnerabilities, and accountability lapses, including among supervisory manager and senior executives? What has been the process for responding to investigative findings? How high up in the company do investigative findings go?”
Finally, in the FCPA Corporate Enforcement Policy, the DOJ had several different pronouncements on the remedial aspect of any investigation. Initially, it noted there should be a “remediation to the root causes” and then went on to add the following points:
- Appropriate discipline of employees, including those identified by the company as responsible for the misconduct, either through direct participation or failure in oversight, as well as those with supervisory authority over the area in which the criminal conduct occurred; and
- Any additional steps that demonstrate recognition of the seriousness of the company’s misconduct, acceptance of responsibility for it, and the implementation of measures to reduce the risk of repetition of such misconduct, including measures to identify future risks.
There is nothing like an internal whistleblower report about a Foreign Corrupt Practices Act (FCPA) violation, the finding of such an issue or (even worse) a subpoena from the DOJ to trigger Board of Directors and senior management attention to the compliance function and the company’s compliance program. You may find yourself in the position that you will have to have some very frank discussions about what to expect in terms of costs and time outlays. While much of these discussions will focus on the investigative process and those costs, these discussions will allow you to initiate the talk about remediation going forward and begin to explain why money must be budgeted for the remediation process.
One of the things rarely considered is how the investigation triggers the remediation process and what the relationship is between the two. When issues arise warranting an investigation that would rise to the Board of Directors level and potentially require disclosure to the government, there is usually a flurry of attention and activity. Everyone wants to know what is going on. You will have everyone’s attention on remediation and you must use that attention to provide for the required steps to not only fix the issue but, as the FCPA Corporate Enforcement Policy says, implement measures to reduce the risk that the same or similar conduct will occur again.
I will conclude tomorrow with Hallmarks IX, X and the new requirement for a Root Cause Analysis.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2018