Welcome to Day 4 of 30 Days to a Better Compliance Program. Today we tackle risk assessments. One cannot really say enough about risk assessments in the context of anti-corruption programs. The FCPA Guidance stated it succinctly when it said, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” The reason is straightforward: one cannot define, plan for, or design an effective compliance program to prevent bribery and corruption unless one can measure the risks one faces.

What Should You Assess?

What risks should you assess? There are a number of ways you can slice and dice your basic inquiry. The FCPA Guidance states, “Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.” Another way is to break the risk areas to evaluate down into the following categories: (1) Company Risk, (2) Country Risk, (3) Industry-Sector Risk, (4) Transaction Risk and (5) Third-Party Risk.

How Should You Assess Your Risks?

Risk assessments can be performed in a variety of ways. You can use some basic tools such as personal or telephone interviews of key employees; surveys and questionnaires of employees; and review of historical compliance information such as due diligence files for third parties and mergers and acquisitions, as well as internal audits of key offices. Another level might be a deeper dive into high-risk countries and high-risk business areas, and a more detailed review of your third-party representatives.

How do You Evaluate a Risk Assessment?

Once risks are identified, they are then rated according to their significance and likelihood of occurring, and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the audit/monitoring plan. You should prepare a risk matrix detailing each specific risk identified, its relative remediation requirements and the relevant mitigating controls.

Three Key Takeaways

  1. Assess the risks relevant to your company.
  2. Document your risk assessment protocol and results.
  3. Evaluate your risks and remediate them accordingly.

For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here.

When I was in the corporate world, I cannot begin to recall the number of times senior management had an overly optimistic forecast regarding some transaction; whether the transaction was the purchase of a smaller company, a joint venture (JV), a teaming agreement or you name the business venture. Unfortunately, such unrealistic forecasting is not simply limited to business ventures, as the UK learned in the run-up to the Brexit vote and the US learned in the most recent presidential election. Tim Harford, writing in his Undercover Economist column in the Financial Times (FT), said “the truth is once Trump secured the nomination, a Trump presidency was always a strong possibility. The betting markets seemed to recognize this, offering odds of three-to-one a week or so before the” election. Of course, three-to-one shots “happen all the time – or at least, about a quarter of the time.”

What I found interesting was three lessons Harford suggested from the wildly inaccurate polling before the US election. Drawing on research by Guy Mayraz from Oxford University’s Experimental Social Science center, the first lesson is people’s bias towards predicting what they hope will happen. If you want your business to grow, you have to believe your transaction/investment/deal will always make money. After all, have you ever seen a business plan that was designed to lose money?

The second lesson derived from something called the Good Judgment Project and almost sounds like someone channeled their inner Howard Sklar and his maxim of “Water is Wet”. It is that “self-critical, open-minded forecasters do a better job than narrow-minded overconfident ones.” He goes on to further note that dwelling on our own fallibility is not something people do very well, whether it involves hanging out with our friends or appearing on cable news. The result is that “Confident, eye-catching forecasts are the snack food of analysis”. Unfortunately, this is even more true in the business world.

Finally, forecasters must always remember that more than one outcome is possible. A strong possibility may be a possibility but it is not a certainty. Harford suggests that one way to overcome this bias is to develop alternative scenarios. My 12 O’Clock High podcast host Richard Lummis calls this the “devil’s advocate” role at the business planning table. Harford further formalizes this contra-concept by suggesting every scenario-planner create at least two contradictory alternatives to their rosier, positive scenario.

Harford’s ultimate point is that in any forecast there must be preparedness for contra-events. Elizabeth Holmes, founder of Theranos, famously said that if you have a Plan B as a back-up, you have already lost. I find that to be worse than not helpful in any setting, particularly the business setting. No matter what your forecasting or scenario planning model shows, prepare for other results. For any Board of Directors overseeing a compliance program or managing any type of risk, it all begins by asking questions.

Just as any compliance program begins with your risk assessment, so should a Board begin at this point. However, the Board should start by reviewing what process is being used to identify risks, whether those risks be corruption in violation of laws such as the Foreign Corrupt Practices Act (FCPA), violation of anti-trust laws such as the Sherman Act, or any other risk which might arise in a business segment, product line or geographic area. This risk analysis should be broader than simply a legal/compliance risk assessment and should be tied to other matters, such as business continuity planning, crisis response plans and even basic fraud, such as the sales incentive program which recently laid Wells Fargo low.

The key is that Boards of Directors need to use their expertise and ask the right questions. The problem is that many Board members do not know what questions to ask in this area. Some of the following are good areas to begin your inquiry.

  • What is the risk assessment process? When was the last time your risk assessment was performed? Was it enterprise wide or limited in scope?
  • How effective is your overall risk assessment process? Is it stale? Here you are focusing not so much on the recency of your risk assessment but on whether corporate circumstances have changed so that the risks which were previously assessed are no longer the right ones.
  • Who is involved in the risk assessment process? Was it performed in-house? Did you bring in a regular service provider who may have created the processes which are now being assessed?
  • Does the risk assessment process take into account any new legal or compliance best practices developments? Technology development speeds along for every business. Even the Justice Department recognizes this in every Deferred Prosecution Agreement (DPA) it enters into for FCPA violations by requiring companies to take into account relevant developments in the field and evolving international and industry standards for best practices in compliance.
  • Are there any new operations that pose substantial compliance risks for the company? Where has your company moved geographically or product-wise? Have there been any significant acquisitions or other business developments which have changed things for the company?
  • Is your company tracking enforcement trends? 2016 has been one of the most significant years in FCPA enforcement, but anti-corruption enforcement is only one of the major risk developments to be tracked. The aforementioned Wells Fargo fraudulent accounts scandal and the ongoing Volkswagen (VW) emissions-testing scandal continue to resonate throughout the business world.
  • Equally important, are any competitors facing enforcement actions? This piece of information has long been a real source of information to Chief Compliance Officers (CCOs) as they have assessed and opened internal investigations based on enforcement actions involving competitors. In a speech at the recent ACI-FCPA Conference, Securities and Exchange Commission (SEC) Director, Division of Enforcement, Andrew Ceresney again said that hedge funds and private equity companies are and will continue to be under SEC scrutiny for FCPA violations around their hiring practices for family members of foreign government officials, as well as other violations of US securities laws. If you are on the Board of such an entity, you might want to ask some very pointed questions about now.
  • Has the company moved into any new markets which impose new or additional risks? This moves beyond the questions I suggested above to consider such things as supply chain and supplier risk. Even a name-and-shame law like the California Transparency in Supply Chains Act can cause reputational damage. Moreover, even if some types of enforcement lessen under a Trump administration, aggressive state Attorneys General or other state regulators could well pick up the slack.
  • Has the company developed any new product or service lines which change the company’s risk profile? As there will always be some business development along these lines, what changes have increased risk for your business?

For a Board of Directors to be truly effective and informed, it must know not only where the company stands at the present moment, but also that the company has a strategic plan for the management of risk going forward. Arnold & Porter partner Stephen Martin suggests that such knowledge is encapsulated in a 1-3-5-year compliance game plan. I would add that this formulation should be expanded to encapsulate broader risk management. Yet a compliance program must be nimble enough to respond to new information or actions, such as mergers or acquisitions (M&A), divestitures or other external events. If something dramatically changes, you want to get your Board’s attention on the changes which may need to happen with your risk management program. This type of agility is best accomplished by obtaining buy-in from the Board through its understanding of the role of forecasting in a compliance program going forward.

Harford ends his piece with this final lesson from the 2016 UK Brexit vote and US election, “uncertainties are not going away, so it’s not too late to learn.” For every Board member or CCO, you need to start a forecasting review now to be ready to respond if an incident arises, so that it will not become a full legal violation. Better yet, such forecasting could lead you to prevent such conduct before it even arises and needs detection and remediation.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Edward Albee died last week. To my mind he was right up there with Arthur Miller and August Wilson as one of America’s greatest playwrights of the second half of the 20th century. His works were known, as noted in his New York Times (NYT) obituary, as “psychologically astute and piercing dramas explored the contentiousness of intimacy, the gap between self-delusion and truth and the roiling desperation beneath the facade of contemporary”. I would simply call them gut-wrenching. After the first time I saw Who’s Afraid of Virginia Woolf I recall leaving the theater feeling as if I had been psychologically worked over with a wet mop. It was certainly the last time I saw one of his works for weekday entertainment; at least seeing one of his plays on a Friday or Saturday night gave me a day to work off the psychic hangover.

I thought Albee and his type of works would make a very good introduction to a multipart series I will be writing about the Wells Fargo cultural miasma which led to the recent $185 million in fines, including $100 million levied by the Consumer Financial Protection Bureau (CFPB), the largest in the agency’s short history. Another $85 million was tacked on, comprising $35 million paid to the Office of the Comptroller of the Currency and $50 million to the City and County of Los Angeles. The total fines were assessed based upon the bank’s conduct of opening over 2 million bank and credit card accounts, usually without customers’ knowledge.

The fraud was all domestic so there were no Foreign Corrupt Practices Act (FCPA) violations. However, the actions which led to this record-breaking fine, together with the conduct of Wells Fargo during the violations and thereafter, may well be one of the best teaching moments for any FCPA compliance practitioner around a variety of issues related to FCPA compliance. Today I want to look at the sales strategy and compensation structure which led to the scandal.

The sales strategy under which Wells Fargo came to such grief is simple and even benign: cross-selling of products. As noted by Rachel Louise Ensign, writing in a Wall Street Journal (WSJ) article entitled “Banks Simple Strategy Gets Tangled”, “the concept sounds simple enough. If a customer has a checking account, why not sell him a mortgage, wealth management services and credit card as well?” She went on to write, “with banks becoming larger over the past two decades, cross-selling has become a mantra.” You can also think of the cross-selling McDonald’s engages in every time you buy a Big Mac, when the representative asks you “Would you like french fries with that?”

Yet there are other reasons for engaging in this type of business practice. Each and every time a company has a touchpoint, particularly a commercial touchpoint, with a customer, it strengthens the relationship. According to Gary Silverman, writing in the Financial Times (FT) in an article entitled “John Stumpf, the Labrador of Main Street”, about Wells Fargo’s Chief Executive Officer (CEO), “Mr Stumpf’s take on traditional Wells teaching was to promote deeper, more frequent contact with the people it serves. “If there’s one word to describe this company, it’s ‘relationship,’” he told the Financial Times in May. “What we’re trying to do is make sure that every team member, in every interaction with a customer, gets it right. If we don’t get it right, we try to make it right, really quickly.””

So what starts off as a legitimate, legal and beneficial business strategy becomes not only high risk but illegal because of the manner in which Wells Fargo administered its approach to cross-selling. As with any sales initiative, if a company wants to push it, it will set up incentives for the sales team to engage in such behavior. This can be done by increasing commissions around the service or product being emphasized, such as the bank’s products. Ensign noted, “Banks have tried to create incentives for cross-selling.” At some banks, “Branch employees can get bonuses—sometimes 10% or more of their salaries—when they sell additional products.” Companies can also increase sales by making clear that employees will be evaluated on how much they sell of a product or service. In other words, whether you receive a bonus, a pay raise or even keep your job will be evaluated, in some part, on how much you cross-sell.

You can even have a hybrid of the above, which may be the worst of all worlds. At Wells Fargo, employees were evaluated for continuing employment by supervisors on cross-selling. Yet they did not receive commensurate financial incentives for such cross-selling. Branch managers and supervisors could receive bonuses of up to $10,000 per month for meeting cross-selling quotas, while employees who hit their monthly quotas received, in addition to continued employment, $25 gift cards.

Last week Richard Bistrong wrote a piece in the FCPA Blog, entitled “Wells Fargo stretch goals brought out the sandbaggers”, in which he discussed stretch incentives as a process that could lend itself to abuse. While there will always be a dynamic tension between operations, in the form of the sales force, which wants to lower sales projections so that the goals set can be more easily met (called sandbagging), and the corporate office, which wants to set higher goals to generate more overall revenue, I do not think that the Wells Fargo matter is one of such sandbagging.

I think the Wells Fargo case is broader, with multiple corporate failures. Emily Glazer and Christina Rexrode, in a WSJ article entitled “Wells Boss Says Staff at Fault for Scams”, quoted a former Wells Fargo teller in Pennsylvania, Ms. Bhowmick, who said of responsibility for the sales tactics, “It was all management: their boss, then their boss, then their boss.” Ms. Bhowmick took early retirement from the bank in 2014 at age 58. “They are putting pressure on employees, and it’s sad,” Ms. Bhowmick added. “People need their jobs.” When you put people’s jobs on the line, they will usually do whatever it takes to keep them.

The learning point for this blog post is risk assessment and risk management. If you put a selling system in place that says if you do not meet your quotas, you are history, that is the message your employees will take home. It really does not matter what the CEO says the culture is or what he or she aspires it to be. Do I think CEO Stumpf ordered such a draconian system from on high? Not much chance of that, as he was quoted, by Glazer and Rexrode, as saying “the bank doesn’t want a dime of income that’s not properly earned.”

This is why a risk assessment must look beyond simply what is being sold to how it is being sold. Tomorrow we will consider the culture of Wells Fargo and how you, as a compliance practitioner, might use the bank’s failings to improve your own corporate culture.


© Thomas R. Fox, 2016
This Week in FCPA-Episode 19, the International Edition

Show Notes for Week ending August 26, 2016

  1. John Kerry: Corruption is ‘root cause’ of terrorism, on FCPA Blog.
  2. Eric Ben-Artzi Op-Ed piece on why he turned down his whistleblower award, as featured in the Financial Times.
  3. Lessons from History-the Tudors on compliance, from the FCPA Compliance Report.
  4. FedEx trial debacle for the DOJ, and Paul Pelletier’s recommendation to fix the recent spate of ill-fated and ill-advised DOJ prosecutions, as featured in the FCPA Blog.
  5. Hallmarks 1-5 of the Ten Hallmarks of an Effective Compliance Program, as featured in the FCPA Compliance Report.