At the Opening Session of Compliance Week 2016, Stephen L. Cohen, Associate Director of Enforcement, Securities and Exchange Commission (SEC) and Andrew Weissmann, Chief of the Department of Justice (DOJ) Criminal Division’s Fraud Section, spoke about their views of what constitutes an effective compliance program under the Foreign Corrupt Practices Act (FCPA). Compliance Week’s Editor-in-Chief Bill Coffin moderated the panel. The majority of the discussion was around the Chief Compliance Officer (CCO) position; specifically the independence of the position, the authority the CCO has in an organization and the resources made available to the CCO.

Weissmann related that many presentations are made to the DOJ in the context of Filip Factors presentations, where a company generally presents evidence of the effectiveness of its compliance program at the time of the incident that led to the criminal investigation. He said that one of the things he thinks is important is how a CCO talks about the company’s compliance program.

He began by noting the initial straw poll showed that 65% of those responding to the first poll said their compliance program could probably pass DOJ muster or needs work. Weissmann viewed this as a positive sign because it demonstrated to him the ongoing evolution of a company’s compliance program. He said he would often specifically delve into how a risk assessment had been done and then use that information as a springboard to inquire into whether it actually predicted the FCPA violation(s). It was not surprising to hear Weissmann basically state McNulty Maxim No. 3 (what did you do when you found out about it?) when he said that he would inquire into the company’s response and whether the response was then integrated into the compliance function.

Cohen also said that he encourages CCOs to come and meet with him early in the SEC investigatory process. He did acknowledge that outside counsel usually hated the idea, obviously because they lose complete control, which they seek to maintain. Yet Cohen thinks that it helps him because it gives him a window into whom he is dealing with in the process. Additionally, as the CCO is generally more attuned to remediating problems, rather than simply protecting the company like outside counsel, a different view can often be obtained through such meetings. I would note from the CCO perspective, this is very valuable as it gives you the ability to begin to win an ally for your remediation program early on in the process.

One of the specific areas that Cohen wants to know about is what are the resources that have been made available to the CCO and what is the level of CCO independence? He is concerned about whether the CCO is appropriately valued and supported in the organization. He specifically asks if the CCO is on the Executive Leadership Team (ELT) or other top group of C-Suite executives. He would also inquire into whether the CCO had visibility into the transaction(s) that may have become the problem issue(s). Not necessarily whether there was a bribe authorized but if the transaction warranted someone violating the FCPA to get the deal done, did the compliance function have visibility into the matter? It is all Cohen’s way of trying to ascertain whether the CCO and compliance function have standing in the company to get things done.

Weissmann was asked about individual liability for CCOs under the FCPA. I found this question propitious given my blog posts earlier this week. He said that the DOJ is not going after CCOs for criminal liability unless they are a part of a bribery scheme or some cover-up. He reiterated that the DOJ is trying to reduce the risk of criminality for violations under the FCPA and indeed that was one of their goals in hiring its new Compliance Counsel, Hui Chen. Chen enables the DOJ to be more robust in evaluating compliance programs of companies that come before the DOJ. He also noted that this new position works to heighten the power of the CCO within companies as it gives them a specific advocate at the DOJ during enforcement actions.

Cohen took another approach to responding to the inquiry about CCO liability. He said that he believed there had been approximately 8000 SEC enforcement actions over the past 10 years in the regulated space involving CCOs. Of all of those cases, only five had involved individual liability actions brought against CCOs. These were along the lines of the FINRA action against Linda Busby I detailed yesterday, where the CCO had a clear regulatory responsibility to implement or enhance a compliance program and failed to do so. Cohen also made the point again that these five SEC enforcement actions were all in regulated industries only, not FCPA cases.

On the question of CCO independence, Weissmann believes this is one indicia of an effective compliance program. He reiterated yet again the DOJ’s stated position that it does not concern itself with whether the CCO reports to the General Counsel (GC) or reports independently, but he is more concerned about whether the CCO has the voice to go to the Chief Executive Officer (CEO) or Board of Directors directly, without going through the GC first. Even if the answer were yes, Weissmann would want to know if the CCO has ever exercised that right.

Finally, Weissmann turned to the operationalization of compliance. Echoing the remarks of the DOJ Compliance Counsel last fall, he wants to know if the business unit of a company is responsible for at least a part of compliance. Put in the manner of Chen, is compliance operationalized within your organization? Weissmann had an interesting angle on the real problem for a CCO if compliance is not embedded into the business; that problem is that the CCO simply becomes a policeman, telling the business unit what it cannot do. Or as I would say, being Dr. No from the Land of No.

Cohen had several questions he would ask to determine the level of CCO independence within an organization. First and foremost, is the CCO a part of the senior management or the C-Suite? Is the CCO part of regular meetings of this group? He also wanted to know who could terminate the CCO so he might inquire to see if it was the CEO, the Audit Committee of the Board or did the CCO termination require approval of the entire Board? Most importantly, could a person under investigation or even scrutiny by the CCO fire the CCO? If the answer is yes, the CCO clearly does not have requisite independence.

In addition to the foregoing, Cohen had some additional questions he would consider. The first was who could over-rule the decision by a CCO within an organization? He would also inquire into who is making the decisions around salary and compensation for the CCO? Is it the CEO, the GC, the Audit Committee of the Board or some other person or group?

The remarks of Weissmann and Cohen demonstrated the continued evolution in the thinking of the DOJ and SEC around the CCO position and the compliance function. Their articulated inquiries can only strengthen the CCO position specifically and the compliance profession more generally. The more the DOJ and SEC talk about the independence of, coupled with resources being made available and authority concomitant with the CCO position, the more corporations will see it is directly in their interest to provide the position in their organizations.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Today we have Part II of my exploration with Joe Howell about the PCAOB and how its work with public company auditors impacts anti-corruption compliance.

I asked Howell about auditor rotation and what it means. Howell explained that the basic concept of auditor rotation is simply to keep fresh eyes on things because auditors may become complacent over time. Simply put, auditors can get too familiar, too cozy with the clients. Yet the converse can also lead to problems as Howell noted, “almost every time there has been a fraud that has gone undetected or a major failure that has gone undetected for long periods of time, that has resulted from the fact that the auditors didn’t have enough experience to find the kinds of weaknesses that they’re talking about. That often happens when a new auditor is involved. That’s when things seem to go wrong.”

It is a loss of institutional knowledge that can cause problems. An auditor needs to be asking probing, independent questions and being independent in attitude as well as on paper. Howell noted the “other thing that you lose is that sense of deep understanding of the kinds of transactions, the history, and how things flow together. I think that balance is hard to draw, but it really points to the need that the client has to have a clear understanding of their processes themselves and how those processes are going to affect the controlled environment.”

For the compliance practitioner, this can be where an auditor fails. Where there is fraud or some other form of collusion which could generate a pot of money to fund a bribe, there are going to be telltale signs or evidence somewhere, but those red flags might be missed because the client is not thinking clearly about how those red flags would be monitored and how they could detect them.

Inspection Focus is another area that the PCAOB is concerned about and while it may not immediately appear applicable to the compliance department I believe it can have a significant impact. This area focuses on judgments clients make, most generally around revenue recognition or more simply “rev rec”. Howell began by noting, the “number of mistakes are very high and often they’re challenging because when you somehow mischaracterize the top line, the rest of the financial statements change their character because of a number of things that have keyed off of what your revenue is. The other thing that’s true is that it also causes the rest of the financial statements to become questionable just because that most important number was not right.”

The rules that evolved in the 1990’s and early 2000’s made revenue recognition increasingly more complicated. Now companies are gearing up to transition to a new revenue recognition methodology that is a more principles-based practice that is going to affect all industries the same, meaning we no longer have separate revenue recognition approaches for different industries.

This transition is going to also create a lot of opportunities for mistakes and worse, fraudulent accounting to hide evidence of bribery and corruption. This could be through strategies as diverse as channel stuffing to evaluation of long-term contracts. Rev rec is an area that the compliance function needs to depend more highly on the auditing function to help detect either over-rides of internal controls or more simple failures.

This ties into Howell’s next point, which was accounting estimates. Typically, goodwill is perhaps the most challenging: when you acquire a company, you have a payment in excess of the assets that you identified as tangible assets. Howell said, “You end up with this intangible number goodwill, which needs to be tested for impairment. You can’t go judge the fair value of goodwill other than by an accounting estimate at one point in time when you made an acquisition, but the accounting rules now require that you go back and reassess that value from time to time and put an impairment charge against it if you feel that it’s not what you paid for to begin with.”

I found this analysis interesting as Matt Kelly raised this same issue in a blog post, entitled “Impairment Data Hints at Problems Ahead”, on his site, Radical Compliance. Matt and I also explored this issue in greater depth in our podcast “Compliance Into the Weeds – Episode 6”. Kelly’s basic thesis was that goodwill impairment would negatively impact compliance, particularly after an acquisition, when the value of the acquired entity can drop significantly or even precipitously. Witness the HP goodwill impairment charge around its acquisition of Autonomy of nearly $5.5 billion.

This ties into Howell’s concerns from the auditing perspective because, “You can’t say what goodwill is based upon today without understanding that, “Hey, it’s based upon the value I’m going to receive over a period of time in the future.” That means that the auditors have to look to the work that’s being done by the people who prepare those projections and those are usually the Financial Planning and Analysis (FP&A) folks”, who typically do not have an appropriate level of documentation to support their analysis of goodwill value.

Moreover, FP&A is actually trying to drive behavior through these projections. Howell said they typically cannot provide either the specific documentation of analysis or even a history of results over time. This is because they “frequently are developing these projections to be aspirational. They’re trying to drive business behavior, not really trying to predict it. You end up with some issues that are creating strain in accounting organizations around the world.” Such an approach would certainly raise issues in a compliance realm.

 


Today we celebrate great American music and honor one of its founders, Mother Maybelle Carter, who was born on this day in 1909. Now known more as the mother of June Carter Cash, the wife of Johnny Cash, Mother Maybelle was a true musical pioneer. Together with her cousin Sara and Sara’s husband A.P. Carter, they formed the Carter Family, who were recorded by a producer for the Victor Talking Machine Corporation in Bristol, TN. The Carter Family recorded a body of songs that are a significant part of the country and bluegrass canon – songs like “Wildwood Flower” and “Can the Circle Be Unbroken (By and By).” Those recordings earned the Carter Family a shot at their first regular live radio program and those live radio programs influenced an entire generation of country and rock-and-roll stars.

I thought about the change fashioned by the Carter Family in what we now call Roots Music when I read an article in the Global Manager column of the New York Times (NYT), entitled “In a Crisis Be Open and Honest”, where Sonia Kolesnikov-Jessop interviewed James Whitehurst, the Chief Executive Officer (CEO) of Red Hat Inc., the world’s largest open source software company. While the larger part of the interview was Whitehurst’s view on dealing with crisis, I found many of his thoughts very useful for the Chief Compliance Officer (CCO) or compliance practitioner to use in the day-to-day doing of compliance.

While in a previous position as Chief Operating Officer (COO) at Delta Airlines, Whitehurst stated, “One of the key things I learned is that in this type of situation, your goal should not be to comfort or make people feel better, but to be open and honest. Tell people what it’s like and allow them to make the decisions that work best for them. A lot of leaders want to show a ray of optimism, but all you do is shade the truth. Be honest and say, “This is what it is and this is what we’re going to do about it.””

It appears that Whitehurst’s real education began after he became the CEO at Red Hat. One of the first things he asked for from his direct reports was an employee engagement plan for his five-year product lifecycle. He never got it. When he did not receive one, Whitehurst thought, “This is major insubordination. And it wasn’t like people were even embarrassed about it — it was like it was just normal.”

But finally he came around to the realization that something else was going on. He said, “It took me a while to realize things were happening bottom-up and that it was not necessarily chaos, it was just different.” From there on, Whitehurst reported, “it took me about 18 months to embrace it, and change my management style to fit in that corporate culture.”

Let that sink in for a moment. A new CEO was not groveled to or even responded to when he directly asked for information. Instead, the response was along the lines of “that is not the way we do things around here”. Most importantly, the key insight the new CEO took away was that this type of action was a plus for the organization because the organization was a bottom-up organization and not a top-down organization.

Whitehurst went on to observe that in a more top-down organization, they are “very good at optimizing in a static environment, when you are trying to orchestrate people to do what you want them to do, and also in a world when those roles don’t have a lot of variance in potential output. You’re just trying to optimize for efficiency, and individual variance in performance doesn’t matter that much.”

Yet “in knowledge-based environments… that’s a very different situation. In that environment… maximizing that discretionary effort to get it is incredibly important. And in an environment that is moving very quickly, you can’t plan and then execute and then optimize around that, while it’s all moving too fast for the plan. You need to have an organization that can self-regulate and react quickly. You need to create an environment where people can execute and make changes as they need to.”

For the CCO or compliance practitioner this is an incredibly important insight. If you can get bottom-up buy-in to compliance, this will drive the ethos through the organization. While not every entity will be reverse-hierarchical like Red Hat, the Whitehurst experience does demonstrate what can be achieved certainly from the bottom of an organization up through the middle of a company.

As Whitehurst said, “if you go in thinking, “I’m a leader because people choose to follow me,” it creates a very different mental dynamic. A leader’s role is to create an environment where people can do their best work”. In the compliance realm, this means providing the business unit the tools to manage their risks in a quick and efficient business manner. He ended this section by observing, “The whole point of an open organization is to relax the constraints of management to create the environment in which your team can do their best work. And what is most important is to cascade this philosophy through every manager in the organization. I know that if something happens to me tomorrow, nothing will change at Red Hat because it’s really built into who we are and what we do.”

Another important point was around change. I think everyone who has ever worked in a corporation understands that management does not like surprises. But Whitehurst’s key insight as a CEO was that the rest of the troops do not like surprises any more than senior management likes them. He said, “The key is that you never want to surprise people. So you must engage them first in dialogue. In a traditional model, you have a small number of people making the decision at the top, and then you announce, “This is what we’re doing.” Then the organization doesn’t really do it, so you bring in management consultants to help you do it. And then the C.E.O. says, “This is awful; my organization is resistant to change.””

If it is not obvious, the key is to engage. Whitehurst related, “People want to be engaged; you involve them in the decision process. When it comes down to execution it can happen very quickly, even if they disagree with the decision; again, this is not a democracy, but if they feel they were heard, they will generally align and execute.”

Once again for the CCO or compliance practitioner, Whitehurst’s insight provides guidance. No employee should be surprised by a compliance initiative. Consultation and engagement are the key. If a change is going to happen, make sure the key stakeholders know about it so there will not be resistance going forward.

 


May 4th is universally recognized (at least in the universe I inhabit) as Star Wars Day. According to Wikipedia, “May 4 is called Star Wars Day because of the popularity of a common pun spoken on this day. Since the phrase “May the Force be with you” is a famous quote often spoken in the Star Wars films, fans commonly say “May the fourth be with you” on this day.” Given the rejuvenation of the franchise, in the form of Star Wars VII – The Force Awakens all Star Wars fans have reason to celebrate this May 4th in a manner we have not seen for some time.

The most recent entry into the Star Wars oeuvre revolves around a young girl, Rey, a scavenger who was abandoned as a child on the desert planet Jakku. She is patiently waiting for her family to return. She is completely self-sufficient and does everything for herself, until she is drawn into the intergalactic battle. It turns out The Force is strong in Rey and at the end of the movie she returns Luke Skywalker’s light sabre to him, strongly implying that he is her father. Not so, has intoned director J.J. Abrams, who has said publicly that Rey’s father did not appear in Episode VII. Rey is also, as my teenaged daughter informed me, “kick-ass”.