Lessons Learned

Today I conclude my three-part series on the Nortek, Inc. (Nortek) and Akamai Technologies, Inc. (Akamai) Foreign Corrupt Practices Act (FCPA) enforcement actions. These enforcement actions produced excellent results for both companies: each received a Non-Prosecution Agreement (NPA) from the Securities and Exchange Commission (SEC) and a declination to prosecute from the Department of Justice (DOJ). The more I have read and reread the resolution documents from both enforcement actions, the more I have come to believe they are hugely significant and need to be studied by each and every Chief Compliance Officer (CCO) and compliance practitioner whose company is subject to the FCPA. The reason is that we may well have reached a turning point in FCPA enforcement and in how companies evaluate potential FCPA claims and disclosure.

The reason I think we may have reached this stage is that previously, on the fact pattern presented by either Nortek or Akamai, a company may well have made the decision to investigate thoroughly, remediate effectively and then not self-disclose to the government. However, these two enforcement actions, coupled with the Pilot Program, may well change this calculus. This begins with the length of time from initial discovery to self-disclosure to the final resolution announced last week.

These enforcement actions were resolved quickly and efficiently. Further, Nortek’s self-disclosure was based on the company’s 2014 audit, which had identified potential issues in a routine audit of the China subsidiary. These concerns were elevated to a full FCPA forensic audit, and that investigation provided the information for the self-disclosure. Akamai began its investigation after a whistleblower report in December 2014. Both cases therefore show a period of less than two years from initial discovery to conclusion. This speaks to the robust nature of their detect prongs, whether through Nortek’s internal audit or Akamai’s whistleblower program and response.

As noted by the FCPA Blog, in a post entitled “Akamai, Nortek settle China bribe cases with SEC non-prosecution agreements”, Nortek self-disclosed this matter in January 2015 and Akamai self-disclosed to the government in February 2015, and both had resolutions in June 2016. This is a very short reported time frame for resolution of an FCPA matter, and hopefully it will be a harbinger of things to come in terms of a reduced time frame from self-disclosure to resolution. Further, the reported investigation costs were far below those usually seen in FCPA investigations and enforcement actions: Nortek reported approximately $3.1MM in “FCPA related costs”, which is significantly lower than most reported costs in such a matter.

With the stated credit available in the Pilot Program and now the language from the DOJ in its declination and from the SEC in the two NPAs, I think companies may now see the benefits of coming forward and self-disclosing. Any company that makes the decision not to self-disclose has most probably already investigated and remediated, so those costs will be incurred under either scenario. However, if companies see the benefit of such self-disclosure, not only in terms of a positive result but also of a quick and efficient process, I think the calculus will change. I would also note that the straight line from the Yates Memo to the hiring of the new DOJ Compliance Counsel, Hui Chen, to the Pilot Program may well need to be extended to these two enforcement actions to demonstrate the change in the DOJ enforcement strategy.

However, there is more to be learnt from these enforcement actions than simply the fact that it may now be better to self-disclose than to choose not to do so after a complete investigation and full remediation. There were nuts-and-bolts nuggets about what to look for in your internal investigations. Indeed, there were a couple of compelling references of a kind not often seen in FCPA investigation reports. First, in the Akamai internal investigation, its NPA reported that as a part of the company investigation it provided to the government “analyses of customer usage versus purchased capacities”. This is the type of data analysis we rarely see discussed in FCPA compliance programs, yet I believe it can greatly assist a CCO in looking at a large amount of information to see which risks strategically need to be investigated. Yet how many compliance practitioners typically either make this type of analysis or even have the capability to do so? This is why data analytics can be of use to the CCO going forward and, indeed, may be one of the prime ways to help the compliance function in the detect prong. Moreover, if such an analysis is used proactively, as a monitoring tool on an ongoing basis, it could move the needle from detect to prevent. This is well worth considering as you think about your compliance budget and resources going forward.

The second investigative prong reference I found interesting was in Nortek’s investigation protocol, which stated that the company conducted “a risk assessment to determine whether the improper conduct at Linear China occurred at Nortek’s other manufacturing locations in China.” Note that the government did not say Nortek performed a full FCPA forensic audit at the company’s other manufacturing locations in China, but only a risk assessment. If there was ever language which validates the concept that a company does not have to “boil the ocean” in the context of an internal FCPA investigation, I think this statement may be it. If you move forward with a thoughtful, well-thought-out process, in a step-by-step approach, you do not need to look everywhere for everything under every rock.

Next, a word about translations. I would have thought it was almost self-evident that in any FCPA investigation it would be mandatory to translate foreign-language documents into English. However, in both NPAs the SEC specifically credited the respondents for “voluntarily translating documents from Chinese into English”. I guess there are still companies out there that have not gotten the message that documents have to be translated into English. So call Mr. Translations, Jay Rosen, and he will explain to you how to accomplish this requirement.

You should use both of these NPAs as guideposts to benchmark your company’s compliance program, as the DOJ and SEC favorably commented on the remediation steps that both entities engaged in. In other words, there were lessons on the actual doing of compliance that are significant for the compliance professional.

The Nortek NPA articulated the following steps the company took:

  1. Revising its internal audit testing and protocols to focus on quickly discovering any FCPA-related improprieties;
  2. Strengthening the company’s anti-corruption policies;
  3. Developing a Compliance Committee consisting of representatives from management and subsidiaries to supervise compliance implementation of Nortek’s policies and training;
  4. Providing extensive mandatory in-person and on-line trainings on the FCPA and anti-corruption policies to its employees around the globe in appropriate languages (there’s that translation issue again); and
  5. Adjusting its internal audit schedules to prioritize facilities located in geographic areas known for higher incidences of corruption.

The Akamai NPA articulated the following steps the company took:

  1. Implementing a comprehensive due diligence process for channel partners, which included engaging an outside consultant to conduct channel partner risk assessments;
  2. Strengthening the company’s anticorruption policies;
  3. Implementing enhanced compliance monitoring functions and structures, such as naming a Chief Compliance Officer and staffing a global team of dedicated compliance professionals in Europe, the U.S., and Asia;
  4. Providing extensive mandatory in-person and on-line trainings on FCPA and anti-corruption policies to its employees around the globe in appropriate languages; and
  5. Enhancing the company’s travel and expense control requirements in China, including requiring more detailed expense descriptions and supporting documentation and appointing an independent function with Chinese language capability to review and approve expense claims.

I hope that you will study these NPAs and declinations closely to see what lessons you may find for your compliance program. I also hope they will be a harbinger for DOJ and SEC enforcement actions to come, where companies receive credit not only for turning over information on individuals for the government to prosecute but also for taking steps to engage in the doing of compliance, rather than simply having a paper compliance program in place. Whatever the reason for the timing of these settlement resolutions, they are a welcome addition for the FCPA compliance practitioner.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

IV. A New Hope

Today I begin a series of Star Wars themed blog posts to celebrate the upcoming release of the next entry in the Star Wars franchise, Episode VII – The Force Awakens. Please note that I will only use the first three movies, now known as Episodes IV-VI, for the themes this week. So if you are a millennial and the prequels are your Star Wars, sorry, but you can write about them, as the first three are my Star Wars movies. In conjunction with this series of blog posts, Jay Rosen and I are doing a trilogy of Star Wars themed podcasts this week, monikered May the Podcast Be With You. They were a ton of fun for Jay and me to put together, so I hope you will check them out on my podcast site or on iTunes at the FCPA Compliance and Ethics Report.

I will begin with Episode IV – A New Hope. One of the plotlines is that the Galactic Empire has created a Death Star with enough firepower to destroy a planet. The Rebel Alliance is determined to destroy the Death Star and steals a computer program detailing the defensive posture of the Death Star. A computer analysis determines a weakness in the Death Star’s defensive shield. At one point, the Death Star’s commander, Grand Moff Tarkin, played by Peter Cushing, is told there is a ‘risk’ in the Rebels’ plan of attack. Tarkin dismisses this risk as insignificant. Of course, Luke Skywalker then proceeds to exploit this risk and destroy the Death Star.

Tarkin’s incorrect assessment of this risk was lethal. Today I want to use this part of the story to introduce the subject of how you evaluate anti-corruption compliance risk under the Foreign Corrupt Practices Act (FCPA) or another anti-corruption regime. Mike Volkov has advised that you should prepare a risk matrix detailing the specific risks you have identified and the relevant mitigating controls. From this you can create a new control or prepare an enhanced control to remediate the gap between a specific risk and its control. One way to do so was explored by Tammy Whitehouse, in an article entitled “Improving Risk Assessments and Audit Operations”, in which she looked at the risk evaluation process used by Timken Company (Timken).

Once risks are identified, they are rated according to their significance and likelihood of occurring, and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the audit/monitoring plan, she said. A variety of solutions and tools can be used to manage these risks going forward, but the key step is to evaluate and rate these risks.

LIKELIHOOD

Likelihood Rating | Assessment     | Evaluation Criteria
1                 | Almost Certain | Highly likely; this event is expected to occur
2                 | Likely         | Strong possibility that an event will occur, and there is sufficient historical incidence to support it
3                 | Possible       | Event may occur at some point; typically there is a history to support it
4                 | Unlikely       | Not expected, but there is a slight possibility that it may occur
5                 | Rare           | Highly unlikely, but may occur in unique circumstances

 

‘Likelihood’ factors to consider: the existence of controls, written policies and procedures designed to mitigate risk, and the capability of leadership to recognize and prevent a compliance breakdown; compliance failures or near misses; and training and awareness programs.

 

PRIORITY

Priority Rating | Assessment  | Evaluation Criteria
1-2             | Severe      | Immediate action is required to address the risk, in addition to inclusion in training and education and audit and monitoring plans
3-4             | High        | Should be proactively monitored and mitigated through inclusion in training and education and audit and monitoring plans
5-7             | Significant |
8-14            | Moderate    |
15-19           | Low         |
20-25           | Trivial     |

Risks at this level should be monitored but do not necessarily pose any serious threat to the organization at the present time.

Priority Rating: the product of the ‘likelihood’ and significance ratings, which reflects the significance of a particular risk within the risk universe. It is not a measure of compliance effectiveness, nor a means to compare efforts, controls or programs against peer groups.

The most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These “Severe” risks become the focus of the audit and monitoring plan going forward. One of the methods used by the compliance group to manage such risk is to provide employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. The company also produces a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it.
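To make the scoring mechanics concrete, here is a small risk-register scorer in the style of the Timken heat map described above. It is an added example, not code from the original post, from Timken or from the article cited. It assumes (since the post gives only the likelihood scale) that significance uses the same 1-5 scale with 1 as the most significant end, which is the only reading under which the product falls in the 1-25 priority bands listed above; the risk register it scores is constructed for illustration.

```python
"""Risk-matrix scoring: priority = likelihood x significance, banded as in the post.

Added example; not the post's, Timken's or the article's own code.
Assumption: the significance scale is 1-5 with 1 = most significant, mirroring the
likelihood scale on the page (1 = Almost Certain ... 5 = Rare). Because 1 is the
most severe end of both scales, a LOWER product means a HIGHER priority.
"""
from dataclasses import dataclass
from typing import List, Tuple

LIKELIHOOD = {1: "Almost Certain", 2: "Likely", 3: "Possible", 4: "Unlikely", 5: "Rare"}

# Priority bands from the post's PRIORITY table: (low, high, assessment).
PRIORITY_BANDS = [
    (1, 2, "Severe"),
    (3, 4, "High"),
    (5, 7, "Significant"),
    (8, 14, "Moderate"),
    (15, 19, "Low"),
    (20, 25, "Trivial"),
]

# Bands the post says go into the audit/monitoring plan.
PLAN_BANDS = {"Severe", "High"}


@dataclass
class Risk:
    name: str
    likelihood: int    # 1..5, 1 = Almost Certain
    significance: int  # 1..5, 1 = most significant (assumed scale)


def priority_score(likelihood: int, significance: int) -> int:
    """Product of the two ratings, after checking both sit on the 1-5 scale."""
    for label, value in (("likelihood", likelihood), ("significance", significance)):
        if not 1 <= value <= 5:
            raise ValueError(f"{label} rating {value} is outside the 1-5 scale")
    return likelihood * significance


def priority_band(score: int) -> str:
    """Map a product (1..25) onto the post's named priority bands."""
    for low, high, assessment in PRIORITY_BANDS:
        if low <= score <= high:
            return assessment
    raise ValueError(f"score {score} is outside the 1-25 priority range")


def rank_register(risks: List[Risk]) -> List[Tuple[str, int, str]]:
    """Return (name, score, band) for every risk, highest priority (lowest score) first."""
    scored = [(r.name, priority_score(r.likelihood, r.significance)) for r in risks]
    scored.sort(key=lambda item: (item[1], item[0]))
    return [(name, score, priority_band(score)) for name, score in scored]


def audit_plan(risks: List[Risk]) -> List[str]:
    """Names of the risks that fall into the bands the post assigns to the audit plan."""
    return [name for name, _, band in rank_register(risks) if band in PLAN_BANDS]


def heat_map(risks: List[Risk]) -> List[List[int]]:
    """5x5 grid of counts, rows = likelihood 1..5, columns = significance 1..5."""
    grid = [[0] * 5 for _ in range(5)]
    for r in risks:
        priority_score(r.likelihood, r.significance)  # validates the ratings
        grid[r.likelihood - 1][r.significance - 1] += 1
    return grid


# Constructed sample register (illustrative names and ratings, not from any real assessment).
SAMPLE_REGISTER = [
    Risk("Channel-partner commissions in a high-risk market", 1, 2),
    Risk("Travel and expense claims at an overseas subsidiary", 2, 2),
    Risk("Third-party due diligence gaps", 2, 3),
    Risk("Gifts and hospitality at headquarters", 4, 3),
    Risk("Facilitation payments in a low-risk country", 5, 5),
]

if __name__ == "__main__":
    for name, score, band in rank_register(SAMPLE_REGISTER):
        print(f"{score:>2}  {band:<12} {name}")
    print("Audit/monitoring plan:", audit_plan(SAMPLE_REGISTER))
```

The ranking function sorts ascending because, on these scales, a product of 1 is the worst case (Almost Certain and most significant) and 25 the best; a practitioner who instead rates 5 as the severe end would need to invert the scales or reverse the sort, which is the kind of convention mismatch that quietly corrupts a heat map.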

A second approach to reviewing the results of a risk assessment was detailed in a Harvard Business Review (HBR) article, entitled “Managing Risks: A New Framework”, by Robert Kaplan and Annette Mikes. The authors separate business risk into three categories: (1) Preventable Risks; (2) Strategy Risks; and (3) External Risks. Companies should design their risk management strategies for each category, because what may be an adequate risk management strategy for preventable risks is “wholly inadequate” for the management of strategy or external risks.

Category I: Preventable Risks. These are internal risks, arising from within an organization. The authors believe that “companies should seek to eliminate these risks since they get no strategic benefits for taking them on.” The authors specifically mention anti-corruption and anti-bribery risks as falling in this category. This risk category is best managed through active prevention, both through operational processes and through training employees’ behaviors and decisions towards a stated goal. The control model to manage preventable risks is to develop an integrated culture and compliance model. Such a system would typically consist of a Code of Conduct or Business Ethics, standard operating procedures, internal controls to spell out the requirements and internal audit to test their effectiveness. The role of the Compliance Department in managing Category I risks is to coordinate and oversee the compliance program and then revise the program’s controls as needed on an ongoing basis, all the while acting as independent overseer of the risk management function for the business units.

Category II: Strategy Risks. These are risks that a company may accept in some form because they are “not inherently undesirable.” In other words, a company may be willing to accept some types of risks in this category so that it may increase profits. This category of risk cannot be managed through the rules-based system used for preventable risks; instead, the authors believe that “you need a risk management system designed to reduce the probability that the assumed risks actually materialize and to improve the company’s ability to manage or contain the risk events should they occur.”

The authors listed several specific techniques to use as the control model for strategic risks. These include “interactive discussions about risks to strategic objectives drawing on tools” such as heat maps and key risk indicator scorecards. The Compliance Department’s role here is to run risk management workshops and risk review meetings, usually acting as the “devil’s advocate” to the business units involved. Another key role of the Compliance Department is the marshaling and the delivery of resources allocated to mitigate the strategic risk events identified in this process. Finally, the authors believe that the relationship of the Compliance Department to the business units in managing a Category II strategic risk is to act as “independent facilitators, independent experts or embedded experts.”

Category III: External Risks. These are risks that arise outside the company’s control and may even be beyond its influence. This type of risk would be a natural disaster or an economic system shutdown, such as a recession or depression. The authors note that, as companies cannot prevent such risks, their risk management strategy must focus on identifying the risk beforehand so that the company can mitigate it as much as possible. Recognizing the maxim that ‘you don’t know what you don’t know’, the authors see the control model for Category III risks as “envisioning risks through: tail-risk assessments and stress testing; scenario planning; and war-gaming” with the management team. Under Category III, the authors believe that the relationship of the Compliance Department to the business units is either to complement the strategy team or to “serve as independent facilitators of envisioning exercises.”

The authors conclude with a discussion of the leadership challenge in managing risks, which they believe is quite different from managing strategy. The reason is that managers “find it antithetical to their culture to champion processes that identify the risks to strategies they helped to formulate.” Nevertheless, without such preparation, the authors believe that companies will not be able to weather risks that turn into serious storms under the right conditions. They believe that the key element is that the risk management team must have a direct reporting line to senior management, because “a company’s ability to weather [risk] storms depends very much on how seriously executives take their risk-management function when the sun is shining and there are no clouds on the horizon.” I could not have said it better myself.

Whether you utilize one of these approaches or another, analyzing the results of your risk assessment is as important as doing the risk assessment. With the recent Department of Justice (DOJ) remarks on how it will review the effectiveness of compliance programs during an enforcement action to determine potential credit, or even to grant a declination, the stakes have never been higher. Of course, for Grand Moff Tarkin, his refusal to analyze the risk assessment presented to him was fatal.

May the force be with you.



© Thomas R. Fox, 2015