Golden Gate BridgeToday, we celebrate one of the greatest engineering achievements of the century. On this date in 1937, the Golden Gate Bridge opened. At 4200 feet long, it was at the time the world’s longest suspension bridge. But not only was it an engineering and architectural milestone, its aesthetic form was instantly recognized as classical and to this day is one of the most iconic structures in the US if not the world. With just a few years until its 80th birthday, it demonstrates that a lasting structure is more than simply form following function but contains many elements that inform its use and beauty.

I use the Golden Gate Bridge as an entrée to my continued discussion on the series on steps that you can use in your compliance program if you find yourself, your company or your industry in an economic downturn. Whether you are a Chief Compliance Officer (CCO) or compliance practitioner, these steps are designed to be achieved when you face reduced economic resources or lessened personnel resources going forward due to a downturn your economic sector. Yesterday, I discussed mapping your current and existing internal controls to the Ten Hallmarks of an Effective Compliance Program so that you can demonstrate your compliance with the Foreign Corrupt Practices Act’s (FCPA) internal control prong to the accounting procedures. Today I want to discuss the issues surrounding the inevitable layoffs your company will have to endure in a downturn.

In Houston, we have experienced energy companies laying off upwards of 30% of their workforce, both in the US and abroad. Employment separations can be one of the trickiest maneuvers to manage in the spectrum of the employment relationship. Even when an employee is aware layoffs are coming it can still be quite a shock when Human Resources (HR) shows up at their door and says, “Come with me.” However, layoffs, massive or otherwise, can present some unique challenges for the FCPA compliance practitioner. Employees can use layoffs to claim that they were retaliated against for a wide variety of complaints, including those for concerns that impact the compliance practitioner. Yet there are several actions you can take to protect your company as much as possible.

Before you begin your actual layoffs, the compliance practitioner should work with your legal department and HR function to make certain your employment separation documents are in compliance with the recent SEC v. KBR Cease and Desist Order regarding Confidentiality Agreement (CA) language which purports to prevent employees from bringing potential violations to appropriate law or regulatory enforcement officials. If your company requires employees to be presented with some type of CA to receive company approved employment severance package, it must not have language preventing an employee taking such action. But this means more than having appropriate or even approved language in your CA, as you must counsel those who will be talking to the employee being laid off, not to even hint at retaliation if they go to authorities with a good faith belief of illegal conduct. You might even suggest, adding the SEC/KBR language to your script so the person leading the conversation at the layoff can get it right and you have a documented record of what was communicated to the employee being separated.

When it comes to interacting with employees first thing any company needs to do, is to treat employees with as much respect and dignity as is possible in the situation. While every company says they care (usually the same companies which say they are very ethical), the reality is that many simply want terminated employees out the door and off the premises as quickly as possibly. At times this will include an ‘escort’ off the premises and the clear message is that not only do we not trust you but do not let the door hit you on the way out. This attitude can go a long way to starting an employee down the road of filing a claim for retaliation or, in the case of FCPA enforcement, becoming a whistleblower to the Securities and Exchange Commission (SEC), identifying bribery and corruption.

Treating employees with respect means listening to them and not showing them the door as quickly as possible with an escort. From the FCPA compliance perspective this could also mean some type of conversation to ask the soon-to-be parting employee if they are aware of any FCPA violations, violations of your Code of Conduct or any other conduct which might raise ethical or conflict of interest concerns. You might even get them to sign some type of document that attests they are not aware of any such conduct. I recognize that this may not protect your company in all instances but at least it is some evidence that you can use later if the SEC (or Department of Justice (DOJ)) comes calling after that ex-employee has blown the whistle on your organization.

I would suggest that you work with your HR department to have an understanding of any high-risk employees who might be subject to layoffs. While you could consider having HR conduct this portion of the exit interview, it might be better if a compliance practitioner was involved. Obviously a compliance practitioner would be better able to ask detailed questions if some issue arose but it would also emphasize just how important the issue of FCPA compliance, Code of Conduct compliance or simply ethical conduct compliance was and remains to your business.

Finally are issues around hotlines, whistleblower and retaliation claims. The starting point for layoffs should be whatever your company plan is going forward. The retaliation cases turn on whether actions taken by the company were in retaliation for the hotline or whistleblower report. This means you will need to mine your hotline more closely for those employees who are scheduled or in line to be laid off. If there are such persons who have reported a FCPA, Code of Conduct or other ethical violation, you should move to triage and investigate, if appropriate, the allegation sooner rather than later. This may mean you move up research of an allegation to come to a faster resolution ahead of other claims. It may also mean you put some additional short-term resources on your hotline triage and investigations if you know layoffs are coming.

The reason for these actions are to allow you to demonstrate that any laid off employee was not separated because of a hotline or whistleblower allegation but due to your overall layoff scheme. However it could be that you may need this person to provide your compliance department additional information, to be a resource to you going forward, or even a witness that you can reasonably anticipate the government may want to interview. If any of these situations exist, if you do not plan for their eventuality before you layoff the employee, said (now) ex-employee may not be inclined to cooperate with you going forward. Also if you do demonstrate that you are sincerely interested in a meritorious hotline complaint, it may keep this person from becoming a SEC whistleblower.

Just as the Golden Gate Bridge provides more to the human condition than simply a structure to get from San Francisco to Marin County, layoffs in an economic downturn provide many opportunities to companies. If they treat the situation appropriately, it can be one where you manage your FCPA compliance risk going forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

 

 

 

The symbol of Venice is the Lion of St. Mark. The use of this symbol led to the maxim ‘straight from the lion’s mouth’. This adage came about because the Republic of Venice had its own hotline system where citizens could report misconduct. A citizen could write down his concern on paper and literally put the message into the mouth of statues of lion heads placed around the City. This system was originally set up to be anonymous but later changed to require that a citizen had to write his name down when submitting a message.

I thought about this early form of hotline and how its use portended the hotline systems used today to help companies identify compliance issues which might arise under an anti-corruption law such as the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. Obviously the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) recognize the importance of an internal company reporting system, such as a hotline. In the FCPA Guidance it states, “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation. Companies may employ, for example, anonymous hotlines or ombudsmen.” I have often heard Chief Compliance Officers (CCOs) speak about how they are able to not only hear about but address employee’s concerns through confidential reporting where it is clear there will be no tolerance for retaliation.

So, once again, using Venice as inspiration for a compliance topic, today I would like to review some best practices regarding a compliance hotline.

  1.  The hotline should be developed and maintained externally. It seems axiomatic that em­ployees tend to trust hotlines maintained by third parties more than they do internally maintained systems. Through the submitting of reports via an external hotline there is a perceived extra layer of anonymity and impartiality compared to a sys­tem developed in-house. A third party provider is also more likely to bring specialist expertise that’s difficult to match within the organization.
  2. The hotline supports the collection of detailed infor­mation. As with most everything else, information is power. If a CCO can gather and re­cord information throughout a complaint life cycle, the company will have greater insight into the situation and a company can protect itself more effectively from accusations of negligence or wrongdoing. A hotline reporting system should provide consolidated, real-time access to data across all departments and locations, plus analytic capabilities that allow you to un­cover trends and hot spots. All reported materials should be consolidated in one comprehensive, chronologi­cally organized file, so a CCO can monitor ongoing progress and make better, more informed decisions.
  3. The hotline must meet your company’s data retention poli­cies. Retaining data in a manner consistent with your internal data retention policies is important. A hotline should offer a secure, accessible report retention database, or you may be faced with making your own complicated and costly arrangements for transmitting and storing older reports to a permanent storage location.
  4. The hotline should be designed to inspire employee confidence. Retaliation or perceived unfairness to those making hotline complaints will destroy the effectiveness of the internal reporting process and poison the corporate culture. A hot­line must be seen to offer the highest levels of protection and anonymity. To encourage employee participation, the hotline should allow them to bring their concerns directly to some­one outside their immediate chain of command or workplace environment – especially when the complaint concerns an immediate superior. The hotline should also enable employees to submit a re­port from the privacy of an off-site computer or telephone. It may seem like a small convenience, but giving employees the freedom to enter a complaint from a location that is safe can make a huge difference to participation rates.
  5. The hotline offers on-demand support from subject matter experts. Opening lines of communication can bring new issues to your compliance group. It is therefore important that once those reports are entered into the system, a person or function has the responsibility to follow up in a timely manner. One of the biggest mistakes you can make is to sit on a hotline complaint and let the employee reporting it fester. Additionally, with the short time frames set out in the Dodd-Frank Whistleblower timelines for resolution before an employee can go the SEC to seek a bounty, the clock is literally clicking.
  6. The hotline provides inbuilt litigation support and avoidance tools. A company must make certain that its hotline is preconfigured to meet the legal requirements for document retention, at­torney work product protection procedures, and attorney privilege. Developing these tools in-house can add signifi­cantly to your costs, and maintaining a hotline without one exposes your organization to unacceptable risk.
  7. The hotline supports direct communication. A hotline should open the lines of communication and give you a di­rect sight-line into the heart of your company. Look for a system that enables you to connect directly, privately, and anonymously with the person filing a complaint. Direct communication also signals to employees that their complaints are being heard at the highest levels.

Like other risk management issues, hotlines must also be managed effectively after implementation and roll-out. Here are some practical tips which will help you make your hotline an effective and useful tool.

Get the word out. If employees do not know about the hotline, they will not use it. Allocate a portion of your time and budget to promoting the corporate hotline through multiple channels. Put up posters and distribute cards that employees can keep in their wallets or desk drawers. Deliver in-person presentations where possible. And do not think of the promotional initiative as a one-time effort. It is important to remind employees regularly, through in-person communications, via e-mail, or through intranets, newsletters, and so on, that this resource is available to them. Some hotlines offer promotional materials to help make the job easier; make sure you ask what type of promotional support may be available.

Train all your employees. Getting employees to use the system is one half of the challenge; ensuring they use it properly is the other half. This is where training becomes essential. Make sure people understand what types of activities or observations are appropriate for reporting and which are not. HR and compliance staff will need training too, to help them understand how the hotline impacts their day-to-day activities. Company leaders also need to understand the role the hotline plays in the organizational culture, and the importance of their visible support for this compliance initiative.

Take a look at the data. Use the data derived from or through the hotline to identify unexpected trends or issues. Examples might be what percentage of employees use the hotline and what issues are they submitting? A healthy hotline reporting system will yield reports from .5 to 2 percent of your employee base. If your reporting patterns are higher or lower, it may indicate mistrust of the hotline, misuse, or a widespread compliance issue. Isolate the data by location and department to identify micro-trends that could indicate problems within a subset of your corporate culture. Analyzing the data can help you stay a step ahead of emerging issues.

Response is critical to fairness in the system. Seeing a hotline system in action in this way can go a long way toward dispelling employee fears of being ostracized or experiencing retaliation because if they see that their concerns are heard clearly and addressed fairly, they will learn to view the hotline as a valuable conduit. If your compliance group responds promptly and appropriately to hotline complaints, you can ensure robust participation and ongoing success. Even when a complaint proves to be unfounded, it can still provide an opportunity to open a dialogue with employees and clear up any misunderstandings. Responding to reported issues also gives compliance officers a chance to prove that issues can be resolved or addressed while protecting the privacy and anonymity of the whistleblower.

As my stay in Venice draws to an end, I am reminded how much the western world has to thank the Republic of Venice for. From the forms of republican democracy that the US Founding Fathers drew from to helping to establish a world-wide trade and banking system which still reverberates today. But, if you look closer, ancient Venice had many good government techniques which also still inform the modern world. Straight from the lion’s mouth to your company’s compliance hotline is just one of them.

A most Happy Thanksgiving to all.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

The second day of Hanson Wade Oil and Gas Supply Chain Compliance conference in Houston packed as much solid information into it as did the first day. One of the sessions dealt with utilizing other corporate functions to assist a compliance department in implementing or enhancing a compliance program. There are many resources which currently exist inside your organization and if you are in the position where you must use internal rather than external resources, this post will detail some of the functions which you may be able to call upon inside your organization.

You should start with a basic approach which the speaker termed “Get Out of the Ivory Tower”. He explained that the compliance department must obtain realistic input from geographies, cultures, business units and corporate functions within the company. As he rather succinctly put it to the audience “A procedure which may work in Texas may not work in Indonesia.” He also counseled to train in local languages. This may mean more than translating your talk into one language. He gave the example of his training in Spain where he had dual translations going, from English into Spanish and Catalan.

Part of this translation issue led to his next point, which was not to believe your own story or even worse, your own propaganda. Simply because a Country Manager says something is true means does not mean that it is true. Internal controls, monitoring and auditing are important to test that you are actually doing compliance rather than simply saying you are in compliance.

In determining what other departments might be able to assist the compliance function, the speaker suggested that you should start with three inquiries. They were:

  1. What can yours do? This is the initial assessment that you need to make about what your compliance department can do. What are your resources and budget? Start with this question.
  2. What can theirs do? In looking around your company, next ask this question. What are the functions of the departments? Are there things that they are currently doing which can supplement the compliance function? Are there functions in that department’s core function which can assist the company in the doing of compliance?
  3. How many employees does each of you have? An obvious concern is the number of employees that are available to assist the compliance function.

What are some of the other corporate functions that might assist the compliance department going forward? An obvious starting place is Human Resources (HR). The speaker listed several areas in which HR can bring expertise and, in my experience, enthusiasm to the compliance function. Some of the reasons include the fact that HR is physically located at or touch every site in the company, globally. HR is generally seen as more approachable than many other organizations in a company, unfortunately including compliance. A person’s first touch point with a company is often HR in the interview process. If not in the interview process, it is certainly true after a hire is made. Use this approachability.

Obviously, HR has several key areas of expertise, such as in discrimination and harassment. But beyond this expertise, HR also has direct accountability for these areas. It does not take a very long or large step to expand this expertise into assistance for compliance. HR often is on the front line for hotline intake and responses. These initial responses may include triage of the compliant and investigations. With some additional training, you can create a supplemental investigation team for the compliance department.

Clearly HR puts on training. By ‘training the trainers’ on compliance you may well create an additional training force for your compliance department. HR can also give compliance advice on the style and tone of training. This is where the things that might work and even be legally mandated in Texas may not work in other areas of the globe; advice can be of great assistance. But more than just putting on the training, HR often maintains employee records of training certifications, certifications to your company’s Code of Conduct and compliance requirements. This can be the document repository for the Document, Document Document portion of your compliance program.

Internal Audit is another function that you may want to look at for assistance. Obviously, Internal Audit should have access to your company’s accounting systems. This can enable them to pull data for ongoing monitoring. This may allow you to move towards continuous controls monitoring, on an internal basis. Similarly, one of the areas of core competency of Internal Audit should also be internal controls. You can have Internal Audit assist in a gap analysis to understand what internal controls your company might be missing.

Just as this corporate function’s name implies, Internal Audit routinely performs internal audits of a company. You can use this routine job duty to assist compliance. There will be an existing audit schedule and you can provide some standard compliance issues to be on each audit. Further, compliance risks can also be evaluated in this process. Similar to the audit function are investigations. With some additional training, Internal Audit should be able to assist the compliance function to carry out or participate in internal compliance investigations. Lastly, Internal Audit should be able to assist the compliance function to improve controls following investigations.

A corporate IT department has several functions that can assist compliance. First and foremost, IT controls IT equipment and access to data. This can help you to facilitate investigations by giving you (1) access to email and (2) access to databases within the company. Similar to the above functions, IT will be a policy owner as the subject matter expert so you can turn to them for any of your compliance program requirements which may need a policy that touches on these areas. The final consideration for IT assistance is in the area of internal corporate communication. IT enables communications within a company. You can use IT to aid in your internal company intranet, online training, newsletters or the often mentioned ‘compliance reminders’ discussed in the Morgan Stanley Declination.

Finally, do not forget your business teams. You can embed a compliance champion in all divisions and functions around the company. You can take this a step further by placing a Facility Compliance Officer at every site or location where you might have a large facility or corporate presence. Such local assets can provide feedback for new policies to let you know if they do not they make sense. In some new environments, a policy may not work. If you company uses SAP and you make an acquisition of an entity which does not use this ERP system, your internal policy may need to be modified or amended. A business unit asset can also help to provide a push for training and communications to others similarly situated. One thing that local compliance champions can assist with is helping to set up and coordinate personnel for interviews of employees. This is an often over-looked function but it facilitates local coordination, which is always easier than from the corporate office.

There are many ways to implement or enhance a compliance program in a company. If you do not have the luxury of creating an entire compliance department with an unlimited budget, you may be able to call upon other areas of corporate expertise to facilitate your role. Do not be an Ivory Tower.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

I often write about what can happen to companies who run afoul of the Foreign Corrupt Practices Act (FCPA). Usually enforcement actions focus on companies and not individuals. However, as is often pointed out by commentators other than Mitt Romney, corporations are not humans but consist of people. It is individuals who engage in conduct that violates the FCPA, just as it is individuals who engage in conduct which violates other US securities laws.

I was reminded of this in an article by Loren Steffy, of the Houston Chronicle, entitled “She offers cautionary tale for corporate employees”. In this article Steffy writes about Helen Sharkey, who worked for Dynegy Inc, a Houston company which was involved in energy trading and gas transportation. Sharkey was an accountant who worked on an assignment known as Project Alpha, which Steffy wrote was “a $300 million scheme that inflated Dynegy’s cash flow.”

In an interview with Steffy she told him that she was the lowest of seven employees assigned to the project. According to the Securities and Exchange Commission (SEC) Sharkey and others disregarded the company’s external auditor’s advice that certain forms of risk-hedging involving derivative instruments, such as commodity price swaps and interest rate swaps, would defeat Dynegy’s goal of accounting for Alpha as an ordinary operating contract and require recording it as a financing. As reported by Steffy, “If the banks didn’t have risk, it meant the deal was a loan and required different accounting treatment.”

While the Enron Corporation is the poster child for corporate fraud in Houston, three Dynegy employees went to jail over Project Alpha: Sharkey; Gene Foster, who was Dynegy’s Vice President of Taxation during the relevant period; and Jamie Olis, who was Dynegy’s Senior Director, Tax Planning and International. Foster received a sentence of 15 months in jail. Olis, who went to trial, received a whopping sentence of 24 years by the trial judge, although this was later reduced to six years.

What did Sharkey think about the deal at the time? As quoted by Steffy, “Did I feel in my gut that it was wrong? Absolutely. Did I think it was illegal? No way.” Unfortunately Sharkey did not apparently have a mechanism that she could use to raise this concern that was in her gut.

What are some of the lessons that current compliance practitioners can draw from Sharkey, Dynegy and Project Alpha?

Hotlines

One of the results from the actions that companies like Dynegy, Enron and others was the passage of Sarbanes-Oxley (SOX). SOX required publicly traded companies to set up anonymous hotlines to allow employees to report company wrong-doing. This is enshrined in the FCPA world as one of the Ten Hallmarks of an Effective Compliance Program as set out in the Department of Justice (DOJ)/ SEC FCPA Guidance. Under the section entitled “Confidential Reporting and Internal Investigation”, it states, “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation. Companies may employ, for example, anonymous hotlines or ombudsmen.”

Generally, employees tend to trust hotlines maintained by third parties more than they do internally maintained systems. By submitting reports through an external hotline there is a perceived extra layer of anonymity and impartiality compared to a system developed in-house. This is because there can be a fear of retaliation by employees. This fear can destroy the effectiveness of the internal reporting process and poison the corporate culture. The hotline must be seen to offer the highest levels of protection and anonymity. To encourage employee participation, the hotline should allow them to bring their concerns directly to someone outside their immediate chain of command or workplace environment – especially when the complaint concerns an immediate superior. A third party provider is also more likely to bring specialist expertise that’s difficult to match within the organization.

Failure to Escalate

In almost every circumstance where a significant FCPA compliance violation has arisen, if the issue had been reported or at least sent up the chain for consideration, there is a good chance that the incident would not have exploded into a full FCPA compliance violation. Matthew King, Group Head of Internal Audit at HSBC, calls this concept “escalation” and he believes that one of the more key features of any successful compliance program is to escalate compliance concerns up the chain for consideration and/or resolution.

This means that in almost every circumstance regarding a compliance issue he had been involved with, at some point a situation arose where an employee did not report a situation or event up to an appropriate level for additional review. This failure to escalate leads to the issue not reaching the right people in the company for review/action/resolution and the issue later becomes more difficult and more expensive to deal with in the company. A company needs to have a culture in place to not only allow escalation but to actively encourage escalation. This requires that both a structure and process for this must exist. Then the company must train, train and train all of its employees. Lastly, while a whistleblower process or hotlines are necessary these should not be viewed as the only systems which allow an employee to escalate a concern.

The starkest example of which I am aware of this failure to escalate in the FCPA arena is the Hewlett-Packard (HP) matter involving its German subsidiary and allegation of bribery to receive a contract for the sale of hardware into Russia. The Wall Street Journal (WSJ) has reported that at least one witness has said that the transactions in question were internally approved by HP through its then existing, contract approval process. That witness, Dieter Brunner, a contract employee who was working as an accountant on the group that approved the transaction, said in an interview that he was surprised when, as a temporary employee of HP, he first saw an invoice from an agent in 2004. “It didn’t make sense,” because there was no apparent reason for HP to pay such big sums to accounts controlled by small-businesses, Mr. Brunner said. He then proceeded to say he processed the transactions anyway because he was the most junior employee handling the file, “I assumed the deal was OK, because senior officials also signed off on the paperwork”.

Training

Why is training of employees regarding a hotline and the ability to escalate important in the context of an anti-corruption/anti-bribery compliance program? Training is recognized as one of the points in the Ten Hallmarks of an Effective Compliance Program and one of the elements under the US Sentencing Guideline’s Seven Elements of an Effective Compliance Program. It is also recognized in Principle 5 of the Six Principles of an Adequate Procedures compliance program as set out by the UK Ministry of Justice (MOJ). Lastly, it is recognized by the OECD in its 13 Good Practices for Internal Controls, Ethics and Compliance.

In the case of HP, think what position the company might be in today if Brunner had been trained on the company’s system for internally reporting compliance issues? If Brunner had escalated his concern that the payment to the agent “didn’t make sense” perhaps HP would not have been under investigation by governmental authorities in Germany and Russia. In the United States, both the DOJ and SEC have announced they are investigating the transaction, for potential FCPA violations. Further, HP is now investigating other international operations to ascertain if other commissions paid involved similar allegations of bribery and corruption as those in this German subsidiary’s transaction.

Dénouement

Steffy penultimate paragraph states, “her story lends insight into one of the most enduring questions that linger from a decade ago – how corrupt corporate cultures encouraged so many who considered themselves law-abiding citizens, to commit crimes, often without realizing it.” One of the things that I emphasize in training to employees is that if their guts turns in knots, the hair on the back of their neck stands up or if something doesn’t smell right, just raise your hand. You don’t have to know the ins and outs of the FCPA, but if something does not feel right, raise your hand and get the matter to someone who does know the ins and outs of the FCPA and who can thoroughly investigate the issue that you do not feel right about. If you do not do so, you may end up like Sharkey and, as Steffy writes as the final sentence of his piece, “The one time she wavered became a mistake she’ll regret the rest of her life.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

As almost everyone knows, Lance Armstrong spoke for the first time about his performance enhancing drug (PED) use recently on Oprah. On the first night he admitted for the first time that he used PEDs during his seven wins at the Tour De France. The title of my colleague Doug Cornelius’ piece in Compliance Building really said it all in his article “Lance Armstrong – A Lying Liar Just Like Madoff”. Cornelius said “What caught my attention about the Armstrong interview was the window into the mind of a pathological liar. Armstrong had been telling the lie over and over and over. He lied to the public. He lied to the press. He lied to cancer survivors. He lied under oath.”

One of the areas which came up for me was how the people who blew the whistle on Armstrong’s use of PEDs before his admission were treated and how Armstrong subsequently treated them. Armstrong admitted that he was a ‘bully’ to those who said, hinted, or even implied that he had taken PEDs. He attacked ex-teammates; wives of ex-teammates and even a masseur who saw him take such substances. He put on an aggressive PR campaign for the better part of the past decade, to which the wife of ex-Tour De France winner Greg LeMond said “I can’t describe to you the level of fear that he brings to a family.”

While I would hope that most American and European companies have moved past the situation where whistleblowers are ostracized or worse threatened, one can certainly remember the GlaxoSmithKline (GSK) whistleblower Cheryl Eckard. A 2010 article in the Guardian by Graeme Wearden, entitled “GlaxoSmithKline whistleblower awarded $96m payout”, he reported that Eckard was fired by the company “after repeatedly complaining to GSK’s management that some drugs made at Cidra were being produced in a non-sterile environment, that the factory’s water system was contaminated with micro-organisms, and that other medicines were being made in the wrong doses.” She later was awarded $96MM as her share of the settlement of a Federal Claims Act whistleblower lawsuit. Eckard was quoted as saying, “It’s difficult to survive this financially, emotionally, you lose all your friends, because all your friends are people you have at work. You really do have to understand that it’s a very difficult process but very well worth it.”

More recently there was the example of NCR Corp., as reported in the Wall Street Journal (WSJ) by Christopher M. Matthews and Samuel Rubenfeld, in an article entitled “NCR Investigates Alleged FCPA Violations”, who stated that NCR spokesperson Lou Casale said “While NCR has certain concerns about the veracity and accuracy of the allegations, NCR takes allegations of this sort very seriously and promptly began an internal investigation that is ongoing,” regarding whistleblowers claims of Foreign Corrupt Practices Act (FCPA) violations. In a later WSJ article by Matthews, entitled “NCR Discloses SEC Subpoena Related to Whistleblower, he reported that NCR also said “NCR has certain concerns about the motivation of the purported whistleblower and the accuracy of the allegations it received, some of which appear to be untrue.”

Lastly, is the situation of two whistleblowers from the British company EADS. As reported by Carola Hoyos in a Financial Times (FT) article, entitled “Emails tell of fears over EADS payments”, Hoyos told the story of two men who notified company officials of allegations of bribery and corruption at the company and who suffered for their actions. The first, Mike Paterson, the then financial controller for an EADS subsidiary GPT, internally reported “unexplained payments to the Cayman Island bank accounts for Simec International and Duranton International, which totaled £11.5M between 2007 and 2009.” Hoyos reported that Paterson was so marginalized in his job that he was basically twiddling his thumbs all day at work.

The second whistleblower was Ian Foxley, a retired British lieutenant-colonel, who had joined the company in the spring of 2010 stationed in Saudi Arabia, to oversee a £2M contract between the British Ministry of Defence (MOD) and the Saudi Arabian National Guard. In December 2010, Foxley discovered some of the concerns which Mike Paterson had raised. According to Hoyos, “The morning after he discovered Mr. Paterson’s concerns he assessed the emails that Mr. Paterson had told him he had written over the previous three years.” This led Foxley to flee Saudi Arabia with documents of these suspicious payments, which he has turned over to the Institute of Chartered Accountants and the UK Serious Fraud Office (SFO).

What does the response of any of these three companies say about the way that it treats whistleblowers? Is it significantly different from the bullying Armstrong admitted he engaged in during his campaign to stop anyone who claimed that he was doping? While I doubt that companies will ever come to embrace whistleblowers, the US Department of Justice’s (DOJ’s) recent FCPA Guidance stated that “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.” However, by marginalizing, attacking or even making a whistleblower fear for their life, such actions can drive a whistleblower to go the DOJ, Securities and Exchange Commission (SEC) or SFO. The Guidance recognized that “Assistance and information from a whistleblower who knows of possible securities law violations can be among the most powerful weapons in the law enforcement arsenal.”

So what is the compliance professional to make of the Armstrong confession and how can it be used for a compliance program? A recent White Paper, entitled “Blowing the Whistle on Workplace Misconduct”, released by the Ethics Resource Center (ERC) detailed several findings that the ERC had determined through surveys, interviews and dialogues. One of the key findings in this White Paper was that that a culture of ethics within a company does matter. Such a culture should start with a strong commitment to ethics at the top, however it is also clear that this message must be reinforced throughout all levels of management, and that employees must understand that their company has the expectation that ethical standards are vital in the business’ day-to-day operations. If employees have this understanding, they are more likely to conduct themselves with integrity and report misconduct by others when they believe senior management has a genuine and long-term commitment to ethical behavior. Additionally, those employees who report misconduct are often motivated by the belief that their reports will be properly investigated. Conversely, most employees are less concerned with the particular outcome than in knowing that their report was seriously considered.

This is the ‘Fair Process Doctrine’. This Doctrine generally recognizes that there are fair procedures, not arbitrary ones, in a process involving rights. Considerable research has shown that people are more willing to accept negative, unfavorable, and non-preferred outcomes when they are arrived at by processes and procedures that are perceived as fair. Adhering to the Fair Process Doctrine in two areas of your Compliance Program is critical for you, as a compliance specialist or for your Compliance Department, to have credibility with the rest of the workforce.

In this area is that of internal company investigations, if your employees do not believe that the investigation is fair and impartial, then it is not fair and impartial. Furthermore, those involved must have confidence that any internal investigation is treated seriously and objectively. One of the key reasons that employees will go outside of a company’s internal hotline process is because they do not believe that the process will be fair.

This fairness has several components. One would be the use of outside counsel, rather than in-house counsel, to handle the investigation. Moreover, if company uses a regular firm, it may be that other outside counsel should be brought in, particularly if regular outside counsel has created or implemented key components which are being investigated. Further, if the company’s regular outside counsel has a large amount of business with the company, then that law firm may have a very vested interest in maintaining the status quo. Lastly, the investigation may require a level of specialization which in-house or regular outside counsel does not possess.

Phrasing it in another way, Mike Volkov, writing in his blog Corruption, Crime and Compliance, in an article entitled “How to Prevent Whistleblower Complaints”, had these suggestions: (1) Listen to the Whistleblower – In dealing with a whistleblower, it is critical to listen to the whistleblowers concerns. (2) Do Not Overpromise – At the conclusion of an initial meeting with a whistleblower, the company representative should inform the whistleblower that the company will review the allegations, conduct a “preliminary” investigation and report back to the whistleblower during, or at the conclusion of, any investigation. (3) Conduct a Fair Investigation – Depending on the nature of the allegations, a follow up inquiry should be conducted. The steps taken in the investigation should be documented.

I would add that after your investigation is complete, the Fair Process Doctrine demands that any discipline must not only be administered fairly but it must be administered uniformly across the company for the violation of any compliance policy. Simply put if you are going to fire employees in South America for lying on their expense reports, you have to fire them in North America for the same offense. It cannot matter that the North American employee is a friend of yours or worse yet a ‘high producer’. Failure to administer discipline uniformly will destroy any vestige of credibility that you may have developed.

Lance Armstrong has and will continue to provide the ethics and compliance practitioner with many lessons. You can use his treatment of whistleblowers as an opportunity to review how your company treats such persons who make notifications of unethical or illegal conduct. With the increasing number of financial incentives available to persons to blow the whistle to government agencies, such as the SEC under the Dodd-Frank Act, it also makes very good business sense to do so.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013