Cuba 4-Managing the Relationship

Today, I continue my exploration of doing business in Cuba from the Foreign Corrupt Practices Act (FCPA) perspective. Yesterday, I made clear that anyone you do business with in Cuba is going to be a foreign official under the FCPA and it will apply to every interaction in which you engage in Cuba. Today I want to work through some of the implications of this and how you might protect your company going forward.

One of the interactions we had on the trip was with four Cuban lawyers. The initial thing that was apparent was their age, from 25-30. Much, much younger than most American firms would put in front of prospective clients or even allow to represent the firm in events. They were all very knowledgeable and enthusiastic about practicing law going forward.

There are three law firms in Cuba that are authorized to do work for foreigners and are owned by the Cuban government. This has several important implications for any foreign entity doing business in Cuba. From the FCPA perspective this means all interactions will be covered by the FCPA. From the attorney/client perspective, it could also be problematic. We did pose this question to each attorney present and they all said they had never been pressured to cede any information which you and I might consider confidential to the government but as the client, you need to understand who the ultimate owner of each law firm is in all of your dealings with any Cuban lawyers.

You will need some form of counsel or advisor to navigate the Cuban laws regarding investments by foreigners. Whether you utilize Cuban lawyers or some other group or entity, such as the Chamber of Commerce, a professor with expertise in the area or another advisor, you will have the same FCPA issue. All of these persons work for entities that are owned by the Cuban government.

Typically in the life cycle of third party management, you would perform background due diligence to determine if any of the owners or beneficial owners are politically exposed persons (PEPs). However, in Cuba, any person or entity of repute that you would consider as a trusted advisor already is an employee of the government; either as a government minister or some type of advisor, such as the lawyers we met with during our trip.

On the one hand, it does make things much clearer if the government does own the entity you select as an advisor. There is no question that the FCPA is involved but more importantly, there is no question that any of the monies generated by the law firm or other entity will be going to line the pockets of a government minister who has discretionary decision making authority over your business opportunity in Cuba. The profits generated by the law firm or other entity will be paid to the Cuban government.

However, due diligence is only one step in a five-step process to manage third parties under the FCPA. The first step is still a business justification. Here it may be somewhat easier as there are so few knowledgeable counselors available to your company to consult with on business opportunities in Cuba. Once again there are only three law firms approved to do legal work in Cuba for foreign entities. Step two in the process is the questionnaire, which is done to obtain basic information on who the owner and beneficial owner of your third party is, see if the person or entity is generally aware of the FCPA and anti-corruption compliance, see if they have received any type of training, have they been involved in any compliance related incidents and, finally, they agree to release any claims of privacy around such information requests.

While it may be apparent from the tenor of this blog post what the answers to most, if not all, of these areas of inquiry will be, I think there is an added purpose to this FCPA questionnaire. It is another step in the communication to the third party of your company’s expectations around FCPA compliance and a zero tolerance for bribery and corruption. Moreover, given the level of sophistication by Cubans around international anti-corruption legislation, the questionnaire process will most probably require detailed and lengthy explanations, but you will have the opportunity for some serious education in not only what the FCPA requires but your company’s expectations.

The next iteration in the five-step process is the contract. The FCPA Guidance specifies some minimum compliance terms and conditions which should be included in any contract with a third party consultant. These compliance terms and conditions include audit rights; training requirements around the FCPA and other anti-corruption laws; representations that the consultant will abide by the FCPA and other anti-corruption laws; and ensuring that payments requested by the consultant have the proper supporting documentation before they are approved for payment. I would also add that you should include language which makes an FCPA incident a material breach of contract; full cooperation by the consultant with any FCPA investigation; and possibly an indemnity for an FCPA violation.

All of these compliance terms and conditions are going to be new to any consultant you retain in Cuba, law firm or other. You will need to explain why they are required and how they may be invoked. Many persons and entities outside the US, when they are first confronted with these compliance contract requirements, are insulted, mistakenly thinking you are saying they will engage in bribery and corruption. This can be a delicate educational process but one which you will have to patiently explain.

All of this leads to the final step in the five-step process, but one that I have come to believe may well be the most important step: managing the relationship after the contract is signed. I think it is self-evident that you will need to put on your own FCPA compliance training, as there will be no local assets or experts you can retain. While all of the lawyers we met with spoke very good English, my suggestion would be to put on the training in Spanish for more complete understanding by the participants. This means a translator or Spanish speaking FCPA expert (here think of FCPAmericas blog founder Matt Ellis) will be needed.

Finally, you need to consider the payment terms. The FCPA Guidance says that you should look at “how those payment terms compare to typical terms in that industry and country, as well as the timing of the third party’s introduction to the business.” The FCPA Guidance also specifies, “Moreover, companies may want to confirm and document that the third party is actually performing the work for which it is being paid and that its compensation is commensurate with the work being provided.” This may be hard because there is no historical data for you to compare other than the standard hourly rates charged by the three Cuban law firms for general corporate work.

The FCPA Guidance makes clear that compensating a third party for commercial services rendered is acceptable and well within the parameters of the FCPA. What companies will have to do is to document all of the steps I have laid out. The Fox Mantra of Document, Document, and Document will play out as strongly for any company doing business in Cuba as anywhere in the world; perhaps even more so. Due to the very unique nature of the Cuban economy, the pressure may be greater for step five, aka managing the relationship after the contract is signed. Finally, you will have to communicate and educate your Cuban business partners on your obligations under the FCPA and the obligations they will find themselves under when they do business with an American or other foreign company subject to the FCPA.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

St. Mark's

The Venice Travel Edition continues today by focusing on Saint Mark’s Basilica, one of both Venice’s and the world’s treasures. It sits on Saint Mark’s Square, one of the most famous locations in all of Italy. While today it is the cathedral church of the Roman Catholic Archdiocese of Venice, originally it was the church of the Doge, or civic ruler of Venice. It only became the Basilica in 1807, after the city was conquered by Napoleon and ceased to be a Republic. Napoleon wanted to move the power of the church under his administrative control, so he relocated the city’s Basilica to Saint Mark’s.

One of the wonders of the church is how it continually reinvented itself through new additions added to the exterior of the Basilica. The most spectacular are the Horses of Saint Mark, which were installed on the balcony above the portal of the Basilica in about 1254. The horses were long displayed at the Hippodrome of Constantinople, and in 1204 Doge Enrico Dandolo sent them back to Venice as part of the loot sacked from Constantinople in the Fourth Crusade. Another prize stolen during the Fourth Crusade, which now adorns Saint Mark’s, is the Four Tetrarchs. They honor the attempt to stabilize the Roman Empire by the Emperor Diocletian who imposed a new Imperial office structure: a four co-emperor ruling plan called The Tetrarchy. These exterior additions are but a mere fraction of the changes the structure went through over the years as it continually updated itself and its place in Venetian culture and society.

I thought about this updating in the context of your best practices compliance program. The cornerstone of any such compliance program is recognized to be your Code of Conduct. But a Code of Conduct should not be a static document. It needs to be evaluated and updated as circumstances warrant. Yet such updating should not be performed in an ad hoc manner. As intoned in the FCPA Guidance, your compliance program should be thoughtful and well considered. In an article in the Society for Corporate Compliance and Ethics (SCCE) Magazine, entitled “Six steps for revising your company’s Code of Conduct”, Anne Marie Logarta and Ruth Ward discussed how you should think through the updating of your Code of Conduct.

  • When was the last time your Code of Conduct was released or revised?
  • Have there been changes to your company’s internal policies since the last revision?
  • Have there been changes to relevant laws relating to a topic covered in your company’s Code of Conduct?
  • Are any of the guidelines outdated?
  • Is there a budget to create/revise a Code?

After evaluating these initial issues, the authors suggest that you should benchmark your current Code of Conduct against other companies in your industry. If you decide to move forward, the authors have a six-point guide that should assist you in making your revision process successful.

  1. Get buy-in from decision makers at the highest level of the company

Your company’s highest level must give the mandate for a revision to a Code of Conduct. It should be the Chief Executive Officer (CEO), General Counsel (GC) or Chief Compliance Officer (CCO), or better yet all three to mandate this effort. Whoever gives the mandate, this person should be “consulted at every major step of the Code review process if it involves a change in the direction of key policies.”

  2. Establish a core revision committee

A cross-functional working group should head up your effort to revise your Code of Conduct. They suggest that this group include representatives from the following departments: legal, compliance, communications, HR; there should also be other functions which represent the company’s domestic and international business units; finally there should be functions within the company represented such as finance and accounting, IT, marketing and sales.

From this large group, Code of Conduct topics can be assigned for initial drafting to functions based on “relevancy or necessity”. These different functions would also solicit feedback from their functional peers and deliver a final, proposed draft to the Drafting Committee. It is incumbent upon you to create a timeline; as the authors put it, a “timeline at the outset of the revision is critical and hold the function representatives accountable for meeting their deliverables.”

  3. Conduct a thorough technology assessment

The backbone of the revision process is how your company captures, collaborates and preserves “all of the comments, notes, edits and decisions during the entire project.” Technology such as SharePoint or Google Cloud can be of great assistance to accomplish this process even if you are required to train team members on their use.

In addition to this use of technology in drafting your Code of Conduct revision, you should determine if your Code of Conduct will be available in hard copy, online or both. If it will be available online, you should assess “the best application to launch your Code and whether it includes a certification process”. Lastly, there must be a distribution plan, particularly if the Code will only be available in hard copy.

  4. Determine translations and localizations

Channeling my inner Jay Rosen I would note you must hire both a reputable and approved company translation expert to translate your Code of Conduct into appropriate local languages. This is particularly important if your Code is pre-2012, when the FCPA Guidance came out and made clear that translation into local languages was a minimum of a best practices compliance program. The key is that “your employees have the same understanding of the company’s Code-no matter the language.”

  5. Develop a plan to communicate the Code of Conduct

A roll-out is always critical because it “is important that the new or revised Code is communicated in a manner that encourages employees to review and use the Code on an ongoing basis.” Your company should use the full panoply of tools available to it to publicize your new or revised Code of Conduct. This can include a multi-media approach or physically handing out a copy to all employees at a designated time. You might consider having a company-wide meeting where the new or revised Code is rolled out across the company all in one day. Recent pronouncements from the Department of Justice (DOJ) have suggested that testing the knowledge of employees on the Code is becoming more important. However, the bottom line, as with all things compliance-related, is Document, Document and Document. However you deliver the new or revised Code of Conduct, you must document that each employee receives it and understands it.

  6. Stay on Target

If you set realistic expectations you should be able to stay on deadline and stay within your budget. They state, “You want to set aside enough time so that you won’t feel rushed or in a hurry to get it done.” They also reiterate that you should keep a close watch on your budget so that you do not exceed it.

This article provides a useful guide to not only thinking through how to determine if your Code of Conduct needs updating, but also practical steps on how to tackle the problem. If you are a compliance practitioner, I would urge you to take a look at your company’s Code of Conduct. If your Code is pre-2012, I think you need to update sooner rather than later and take into account what the FCPA Guidance says about a best practices Code of Conduct. With the new information presented by the DOJ in speeches and talks last fall, you may well need to consider how you can measure how well your employees are retaining it as well. It is far better to review and update if appropriate than wait for a massive Foreign Corrupt Practices Act (FCPA) investigation to go through the process.


© Thomas R. Fox, 2016

IV. A New Hope

Today I begin a series of Star Wars themed blog posts to celebrate the upcoming release of the next entry in the Star Wars franchise, Episode VII – The Force Awakens. Please note that I will only use the first three movies, now known as Episodes IV-VI, for the themes this week. So if you are a millennial and the prequels are your Star Wars, sorry, but you can write about them, as the first three are my Star Wars movies. In conjunction with this series of blog posts, Jay Rosen and I are doing a trilogy of Star Wars themed podcasts this week, monikered May the Podcast Be With You. They were a ton of fun for Jay and me to put together, so I hope you will check them out on my podcast site or on iTunes at the FCPA Compliance and Ethics Report.

I will begin with Episode IV – A New Hope. One of the plotlines is that the Galactic Empire has created a Death Star with enough firepower to destroy a planet. The Rebel Alliance is determined to destroy the Death Star and steals a computer program detailing the defensive posture of the Death Star. A computer analysis determines a weakness in the Death Star’s defensive shield. At one point, the Death Star’s commander, Grand Moff Tarkin, played by Peter Cushing, is told there is a ‘risk’ in the Rebel’s plan of attack. Tarkin dismisses this risk as insignificant. Of course, Luke Skywalker then proceeds to exploit this risk and destroy the Death Star.

Tarkin’s incorrect assessment of this risk was lethal. Today I want this part of the story to introduce the subject of how you evaluate anti-corruption compliance risk under the Foreign Corrupt Practices Act (FCPA) or other anti-corruption regime. Mike Volkov has advised that you should prepare a risk matrix detailing the specific risks you have identified and relevant mitigating controls. From this you can create a new control or prepare an enhanced control to remediate the gap between specific risk and control. One way to do so was explored by Tammy Whitehouse, in an article entitled “Improving Risk Assessments and Audit Operations” in which she looked at the risk evaluation process used by Timken Company (Timken).

Once risks are identified, they are then rated according to their significance and likelihood of occurring, and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the audit/monitoring plan, she said. A variety of solutions and tools can be used to manage these risks going forward but the key step is to evaluate and rate these risks.

LIKELIHOOD

| Likelihood Rating | Assessment | Evaluation Criteria |
|---|---|---|
| 1 | Almost Certain | Highly likely, this event is expected to occur |
| 2 | Likely | Strong possibility that an event will occur and there is sufficient historical incidence to support it |
| 3 | Possible | Event may occur at some point, typically there is a history to support it |
| 4 | Unlikely | Not expected but there’s a slight possibility that it may occur |
| 5 | Rare | Highly unlikely, but may occur in unique circumstances |

 

‘Likelihood’ factors to consider: The existence of controls, written policies and procedures designed to mitigate risk capable of leadership to recognize and prevent a compliance breakdown; Compliance failures or near misses; Training and awareness programs.

 

PRIORITY

| Priority Rating | Assessment | Evaluation Criteria |
|---|---|---|
| 1-2 | Severe | Immediate action is required to address the risk, in addition to inclusion in training and education and audit and monitoring plans |
| 3-4 | High | Should be proactively monitored and mitigated through inclusion in training and education and audit and monitoring plans |
| 5-7 | Significant | |
| 8-14 | Moderate | |
| 15-19 / 20-25 | Low / Trivial | Risks at this level should be monitored but do not necessarily pose any serious threat to the organization at the present time. |

Priority Rating: Product of ‘likelihood’ and significance ratings reflects the significance of particular risk universe. It is not a measure of compliance effectiveness or to compare efforts, controls or programs against peer groups.

The most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These “Severe” risks become the focus of the audit and monitoring plan going forward. One of the methods used by the compliance group to manage such risk is to provide employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. The company also produces a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it.

A second approach to reviewing the results of a risk assessment was detailed in a Harvard Business Review (HBR) article, entitled “Managing Risks: A New Framework”, by Robert Kaplan and Annette Mikes. The authors have separated business risk into three categories: (1) Preventable Risks; (2) Strategy Risks; and (3) External Risks. Companies should design their risk management strategies to each category because what may be an adequate risk management strategy for the management of preventable risks is “wholly inadequate” for the management of strategy or external risks.

Category I: Preventable Risks. These are internal risks, arising from within an organization. The authors believe that “companies should seek to eliminate these risks since they get no strategic benefits for taking them on.” The authors specifically mention anti-corruption and anti-bribery risks as falling in this category. This risk category is best managed through active prevention both through operational processes and training employees’ behaviors and decisions towards a stated goal. The control model to manage preventable risks is to develop an integrated culture and compliance model. Such a system would typically consist of a Code of Conduct or Business Ethics, standard operating procedures, internal controls to spell out the requirement and internal audit to test efficiencies. The role of the Compliance Department in managing Category I risks is to coordinate and oversee the compliance program and then revise the program’s controls as needed on an ongoing basis, all the while acting as independent overseers of the risk management function to the business units.

Category II: Strategy Risks. These risks are those that a company may accept in some form because they are “not inherently undesirable.” In other words, a company may be willing to accept some types of risks in this category so that it may increase profits. This category of risk cannot be managed through the rules based system used for preventable risks, instead the authors believe that “you need a risk management system designed to reduce the probability that the assumed risks actually materialize and to improve the company’s ability to manage or contain the risk events should they occur.”

The authors listed several specific techniques to use as the control model for strategic risks. These include “interactive discussions about risks to strategic objectives drawing on tools” such as heat maps and key risk indicator scorecards. The Compliance Department’s role here is to run risk management workshops and risk review meetings, usually acting as the “devil’s advocate” to the business units involved. Another key role of the Compliance Department is the marshaling and the delivery of resources allocated to mitigate the strategic risk events identified in this process. Finally, the authors believe that the relationship of the Compliance Department to the business units in managing a Category II strategic risk is to act as “independent facilitators, independent experts or embedded experts.”

Category III: External Risks. These are risks that arise outside the company’s control and may even be beyond its influence. This type of risk would be a natural disaster or economic system shutdown, such as a recession or depression. The authors here note that as companies cannot prevent such risks, their risk management strategy must focus on the identification of the risk beforehand so that the company can mitigate the risk as much as possible. Recognizing the maxim that ‘you don’t know what you don’t know’; the authors see the control model for Category III risks as “envisioning risks through: tail-risk assessments and stress testing; scenario planning; and war-gaming” with the management team. Under this Category III risk, the authors believe that the relationship of the Compliance Department to the business units is to either complement the strategy team or to “serve as independent facilitators of envisioning exercises.”

The authors conclude with a discussion of the leadership challenge in managing risks, which they believe is quite different than managing strategy. The reason is that managers “find it antithetical to their culture to champion processes that identify the risks to strategies they helped to formulate.” Nevertheless without such preparation, the authors believe that companies will not be able to weather risks that turn into serious storms under the right conditions. They believe that the key element is that the risk management team must have a direct reporting line to senior management because “a company’s ability to weather [risk] storms depends very much on how seriously executives take their risk-management function when the sun is shining and there are no clouds on the horizon.” I could not have said it better myself.

Whether you utilize one of these approaches or another approach, analyzing the results of your risk assessment is as important as doing the risk assessment. With the recent Department of Justice (DOJ) remarks around how they will review the effectiveness of compliance programs during an enforcement action to determine potential credit or even granting a declination, the stakes have never been higher. Of course for Grand Moff Tarkin, his refusal to analyze the risk assessment presented to him was fatal.

May the force be with you.



© Thomas R. Fox, 2015