What if you want to take your post-training analysis to a higher level and begin to consider the effectiveness through your return on investment (ROI)? Joel Smith, the founder of Inhouse Owl, a training services provider, advocates performing an assessment to determine ethics and compliance training ROI to demonstrate that by putting money and resources into training, a compliance professional can not only show the benefits of ethics and compliance training but also understand more about what employees are getting out of training (effectiveness). The goal is to create a measurable system that will identify the benefits of training, such as avoiding a non-compliance event like a violation of the FCPA. Smith admits that calculating legal ROI is very difficult as ethical and compliance behavior is an end-goal in and of itself – not necessarily one that everyone feels should be subject to a ROI calculation.

Smith noted, “it is extremely difficult to isolate the training effect to calculate what costs you avoided due solely to your ethics and compliance training. Although each organization will have a unique ROI measurement due to unique training objectives, it is possible to use a general formula to calculate ethics and compliance training ROI.”

Smith’s model uses four factors to help determine the ROI for your ethics and compliance training, which are: (1) Engagement, (2) Learning, (3) Application and Implementation, and (4) Business Impact. These four factors are answered through posing the following questions.

  1. Figure out what you want to measure (i.e. what’s the “benefit”?) Before you ever train an employee, you should have a goal in mind. In the FCPA context, you want them to avoid unethical and non-compliant actions that would lead to FCPA violations.
  2. Were employees satisfied with the training? What is their engagement? The next step is to get a sense of whether employees feel that the training you provided is relevant and targeted to their job.
  3. Did employees actually learn anything? If you want to understand the “benefit” of training employees, you must know whether they actually learned anything during training.
  4. Are employees applying your training? You should determine employee application and their implementation of the training topics, with employee surveys to understand whether they ceased engaging in certain risky behaviors or, better yet, understand how to conduct themselves in certain risky situations.
  5. What’s the quantitative business impact of your training? There are two parts to the business impact calculation: (1) the benefit calculation and (2) the isolation calculation. Determine this with these 5 questions:
     1. How often could a noncompliance event occur?
     2. How much revenue would be involved?
     3. What is the profit margin on the revenue?
     4. What are the other costs?
     5. What are the noncompliance hard costs?

Now it is time to calculate the ROI. Here I turn to the formula as laid out on Smith’s company website: “Total FCPA Noncompliance Costs Avoided – Total FCPA Training Program Costs ÷ Total FCPA Training Program Costs ($20,000) x 100 = ROI”. Smith concludes by noting, “Even though calculating training benefits is often difficult and imprecise, it’s incredibly important to make an attempt to quantify training ROI” to demonstrate not only effectiveness but also “so you can show business people the incredible effect that engaging training can have on the bottom line.”

The importance of determining effectiveness and the evaluation of your ethics and compliance program is becoming something that is emphasized more by the Department of Justice (DOJ). Beginning last fall, we started to hear that the DOJ wants to see the effectiveness of your compliance program. This is something that many Chief Compliance Officers (CCOs) and compliance professionals struggle to determine. Both the simple guidelines suggested by the Biegelmans and the more robust assessment and calculation laid out by Smith provide you with formulae you can use going forward.

Three Key Takeaways

  1. You need to know the effectiveness of your compliance training.
  2. What is the quantitative business impact of your compliance training?
  3. What is the qualitative business impact of your compliance training?

For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here.

For compliance training to be effective, it needs to be risk-based in its focus. This means employees with the highest risk of exposure to bribery and corruption need to receive the highest levels of training and refreshers. From there you can tailor your training down to an appropriate level for those less at risk.

The risk ranking of employees is usually considered in a tripartite structure of (1) high-risk, (2) medium risk and (3) low risk. High-risk employees can be defined as those employees whose roles in your company can significantly impact the company. Medium risk employees can be defined as those employees who face risk on a regular basis or present a moderate level of negative impact to a company if they mishandle the risk. Low risk employees can be considered those employees with a low likelihood of facing the attendant risk. Through the risk ranking process, you have internalized the admonition that one size does not fit all in deciding the content and intensity of training needs for each role or individual. You should now be ready to design your compliance training.

The first step is to define what you are trying to achieve in your compliance training. This certainly means more than simply ‘check-the-box’ training, and when implementing compliance training you should put some significant time and thought into it. It should be well designed for the targeted group of employees who will receive it. Your compliance training can and should have several business-related goals, in addition to specifics of anti-bribery laws such as the FCPA. These include identifying the business objectives of engaging in commerce in a legally compliant manner; managing threats which may come to employees you have identified as high-risk; and the business opportunities afforded if you have sufficient compliance systems in place to prevent bribery and corruption. Moreover, you can present tangible business benefits if you address these issues in a positive manner. Finally, such focused training can and should help to ensure integrity and the company’s reputation by strengthening your business culture and ethical conduct.

You are now ready to design your compliance training, with the above goals in mind. You should include the development of curriculum using a risk-based model and set uniform methods for acquiring content, maintaining records and reporting. This should be followed by the establishment of standards for selecting appropriate content, delivery methods, frequency, and assurance based on risk exposure. You can review any technological solutions for both e-learning delivery and documentation. Lastly, you will need to consider training content revision when requirements or risk analyses change.

After the design of the training program, the next level is to design the specific training courses. Here you should establish your learning objectives and map the training to legal and competency requirements. You must always remember who your audience is and what their characteristics might be. For the high-risk employee, you will need focused training so that they will be able to act with confidence in a wide range of scenarios and conditions based on a strong understanding of the risks, requirements and penalties. For the medium risk employee, compliance training should include scenarios so that they know the risks, requirements and penalties and should be able to apply their knowledge to common scenarios using standards and tools given to them. For the low risk employee, they should be made aware of the risks, requirements and penalties as well as your entity’s expectations about how to address it. They should know relevant policies and procedures and where to get assistance in addressing a risk or making a behavior decision.

Now you need to determine the most appropriate mechanism to deliver the content of your compliance training. You can use a variety of methods for each of the designed risk-based rankings. The delivery of compliance training for high-risk employees should be repeated frequently using several methods of delivery. You can include ongoing risk profiling of individuals through assessment of behavior choices in online courses or live simulation exercises. Additionally, you should work to determine the effectiveness of your compliance training to this group through testing and certification. For your medium risk employees, your compliance training should have content to make them proficient in the subject, be refreshed periodically, use a mix of modes of delivery, both live and online, and have methods to demonstrate evidence of understanding. The content required for low risk employees can be delivered largely through online training; again, you will need to make sure the material is reviewed and updated on an as-needed basis.

Three Key Takeaways

  1. Identify your goals.
  2. Risk rank your target audiences and risk base your training.
  3. Develop multiple forms of training delivery mechanisms.


Welcome to Day 5 of 30 Days to a Better Compliance Program. Today, I focus on training, ongoing communications and the use of social media in a best practices compliance program. 

Training

The communication of your anti-corruption compliance program is something that must be done on a regular basis to ensure its effectiveness. The FCPA Guidance explains, “Compliance policies cannot work unless effectively communicated throughout a company. Accordingly, DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.”

One of the key goals of any FCPA compliance program is to train company employees in awareness and understanding of the FCPA; your specific company compliance program; and to create and foster a culture of compliance. Beginning in the fall of 2015 through the announcement of the FCPA enforcement Pilot Program, the Justice Department began to talk about whether you have determined the effectiveness of your training.

Communication and Use of Social Media

Next you need to consider the messaging of compliance inside of your corporation and how it is distributed. This means that you will need to work to hone your message but also continue to plug away to send that message out. I think the Morgan Stanley Declination will always be instructional, as one of the stated reasons the Department of Justice (DOJ) did not prosecute the company was that it sent out 35 compliance reminders to its workforce over 7 years. Social media can be used in the same cost-effective way, not only to get the message of compliance out but also to receive information and communications back from your customer base, the company employees.

In a compliance program, your consumers/customers are your employees. Social media presents some excellent mechanisms to communicate the message of compliance going forward. Many of the applications that we use in our personal communication are free or available at very low cost. So why not take advantage of them and use those same communication tools in your internal compliance marketing efforts going forward?

Three Key Takeaways

  1. You need to demonstrate the effectiveness of your compliance training.
  2. Ongoing communications from compliance is an often overlooked tool in compliance.
  3. Utilize innovative social media techniques to communicate and train.


This week I have been exploring the General Cable Corporation (General Cable) Foreign Corrupt Practices Act (FCPA) enforcement action. It was settled with the Department of Justice (DOJ) via a Non-Prosecution Agreement (NPA) and the Securities and Exchange Commission (SEC) via a Cease and Desist Order (General Cable Order). There was also the resolution of a civil charge by the SEC against a former General Cable executive, Karl Zimmer, via a Cease and Desist Order (Zimmer Order). The fines and penalties paid by General Cable were not insignificant. The company paid a $20MM fine based upon its criminal conduct and paid another $51MM in profit disgorgement. Finally, based upon the conduct laid out by the SEC in the General Cable Order, the company was assessed another $6.5MM for violations of the FCPA’s accounting provisions. The $20MM figure reflects a 50% discount off the bottom of the US Sentencing Guidelines fine range, demonstrating that as bad as the underlying bribery and corruption may have been, the DOJ will give significant credit when the company meets the requirements under the FCPA Pilot Program.

In Part II, I considered how General Cable obtained such a positive result in the light of multiple bribery schemes in multiple jurisdictions and corporate awareness or conscious indifference to them. Today I want to look at some of the lessons to be learned by the compliance practitioner.

However, before I get to the lessons to be garnered, I want to briefly discuss the SEC enforcement action against Karl Zimmer (Zimmer). Per the Zimmer Order, he was a Senior Vice President of General Cable who approved improper commission payments to a third-party Agent on sales by General Cable’s Angolan subsidiary to Angolan state-owned enterprises. At the time, Zimmer knew that policies prohibited excessive commissions to third parties on sales to state-owned enterprises. For his violations, Zimmer agreed to a $20,000 fine. The Zimmer action should stand as a stark reminder that individuals who violate the FCPA stand to lose as much or even more than corporations as it is difficult to believe any reputable company would hire someone who blatantly violated the FCPA.

The first obvious lesson is that the FCPA Pilot Program provides significant benefits for companies which meet its strictures. Even with the odious conduct of General Cable, the company made a stunning comeback. As much as the other enforcement actions announced since the implementation of the Pilot Program, this enforcement action has changed the calculus around self-disclosure. If the call is anywhere close, a company should self-disclose. Yet that is only the first step, as the other prongs must also be met to obtain the discount offered.

Regarding the second prong of significant cooperation, a couple of things stand out. The first no doubt warms the heart of Mr. Translations (Jay Rosen) by specifically stating that General Cable produced voluminous documents, including translations. Next was the manner of production, performed in a way “that did not implicate foreign data privacy laws; collecting, analyzing, and organizing voluminous evidence and information for the DOJ”. Jonathan Armstrong once said on a podcast that it was his experience there were usually numerous ways to produce documents and other evidence in a manner that did not violate certain countries’ data privacy. General Cable would seem to have found a way to do so. This may require the compliance practitioner to use some creativity or bring in experienced data privacy counsel, but the clear import is the DOJ expects such efforts in document and other evidence production. Finally, there was the notation that General Cable disclosed “conduct to the DOJ that was outside the scope of its initial voluntary self-disclosure.” This sets an expectation for companies to continue their investigations and turn over new or additional findings.

Next, there were several remediation areas that stood out. The first was termination of recalcitrant employees and those third-party agents and distributors who participated in the misconduct. Next a Chief Compliance Officer (CCO) was hired who reported to both the Chief Executive Officer (CEO) and the Audit Committee of the Board.

Interesting was the requirement for operationalization of compliance into the business units of the company. The NPA stated that the company developed a “comprehensive compliance program that integrates business functions into compliance leadership roles, is designed to deliver clear and consistent communications and expectations Company-wide through policies and procedures, and includes frequent leadership communications to all employees.” This final clause speaks to the importance of not only tone at the top but continued communications from the senior management of the organization.

This operationalization also went down to the revamped third party program. The NPA specifically noted the company had built “a system for third-party due diligence that assigns ownership to business personnel to shepherd prospective third parties through a comprehensive risk assessment, review, and approval process.” This step clearly requires business unit involvement at the beginning and, indeed, all the way through the lifecycle of third party management.

Finally, there was remediation Step 10, which specified that the company would be “Delivering tailored face-to-face compliance training, including training on the FCPA, to the Board of Directors and senior executives, Internal Audit personnel, sales leaders, and all salaried employees.” [emphasis supplied]. The word tailored communicates the DOJ’s expectation for training far beyond the standard out-of-the-box compliance training. It means you must put on training which is not only designed for the risk group it is being presented to, but you must also put some thought into the different risks for each discipline within an organization and their respective role in any compliance program.

As the final enforcement action of 2016, the General Cable matter may well be one of the most significant for the compliance practitioner as it clearly states the need to operationalize a compliance program. From the FCPA enforcement year for the record books, it could be the case which portends the most significant step in doing compliance going forward. Finally, when Hui Chen speaks through the vehicle of an FCPA resolution, the compliance profession should listen.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017

Yesterday I began an exploration of the General Cable Corporation (General Cable) Foreign Corrupt Practices Act (FCPA) enforcement action. It was settled with the DOJ via a Non-Prosecution Agreement (NPA) and the SEC via a Cease and Desist Order (General Cable Order). There was also the resolution of a civil charge by the SEC against a former General Cable executive, Karl Zimmer, via a Cease and Desist Order (Zimmer Order). The fines and penalties paid by General Cable were not insignificant. The company paid a $20MM fine based upon its criminal conduct and paid another $51MM in profit disgorgement. Finally, based upon the conduct laid out by the SEC in the General Cable Order, the company was assessed another $6.5MM for violations of the FCPA’s accounting provisions. The $20MM figure reflects a 50% discount off the bottom of the US Sentencing Guidelines fine range, demonstrating that as bad as the underlying bribery and corruption may have been, the DOJ will give significant credit when the company meets the requirements under the FCPA Pilot Program.

In Part I, I laid out the bribery scheme in some detail. Today I consider how General Cable was able to obtain such a positive result in the light of multiple bribery schemes in multiple jurisdictions and corporate awareness or conscious indifference to them. Clearly the four prongs of the FCPA Pilot Program were met. As stated by Assistant Attorney General Leslie Caldwell in the DOJ Press Release announcing the enforcement action, “General Cable paid bribes to officials in multiple countries in a scheme that involved a high-level executive of the company and resulted in profits of more than $50 million worldwide. But General Cable also voluntarily self-disclosed this misconduct to the government, fully cooperated and remediated. This resolution demonstrates the very real upside to coming in and cooperating with federal prosecutors and investigators. It also reflects our ongoing commitment to transparency.”

Reviewing each of the Pilot Program prongs separately, there was self-disclosure by General Cable. The NPA stated, “the Company received voluntary self-disclosure credit because it voluntarily and timely disclosed to the Fraud Section the conduct described in the Statement of Facts attached hereto as Attachment A (the “Statement of Facts”).” The issue of self-disclosure is one which has bedeviled companies for quite some time. However, the General Cable enforcement action continues to demonstrate the DOJ takes this seriously and will give credit when companies do self-disclose.

In the area of significant cooperation, the NPA stated, “the Company received full credit for its cooperation with the Fraud Section’s investigation”. The parameters of this cooperation included conducting a thorough internal investigation; “making regular factual presentations and proactively providing updates to the DOJ; voluntarily making foreign based employees available for interviews in the United States; producing documents, including translations, to the DOJ from foreign countries in ways that did not implicate foreign data privacy laws; collecting, analyzing, and organizing voluminous evidence and information for the DOJ; and identifying, investigating, and disclosing conduct to the DOJ that was outside the scope of its initial voluntary self-disclosure.”

This is the first time I have seen a specific reference to production of documents in a manner which “did not implicate foreign data privacy laws”. It is not clear from this statement how the implication was avoided, whether through employee consent or having a duplicate document in a more corporate friendly country. This shows the DOJ has some sensitivity to foreign document privacy laws but there are almost always alternative methods of production.

Also note the additional information provided to the DOJ which was “outside the scope of its initial voluntary self-disclosure.” This means the DOJ will accept the results of a less than complete internal investigation if you supplement the information regularly and on a timely basis. The important point was noted to be that by the conclusion of the investigation, General Cable had provided to the DOJ all relevant facts known to the company, “including information about individuals and third parties involved in the misconduct.”

Next was in the area of remediation. The NPA is replete with the steps taken by General Cable. As laid out in the NPA they included:

  • Terminating the employment or accelerating the previously-planned departures and resignations of 13 employees who participated in the misconduct;
  • Causing the resignation of employees and accelerating the previously-planned departure of an additional employee who failed to supervise effectively others who were engaged in the misconduct described in the Statement of Facts;
  • Causing the resignation of an additional employee who failed to take appropriate steps in response to identifying the misconduct;
  • Terminating the business relationships with 47 third-party agents and distributors who participated in the misconduct described in the Statement of Facts;
  • Hiring a Chief Compliance Officer (CCO) who has an executive officer position in the Company and separate reporting lines to the Chief Executive Officer (CEO) and Audit Committee of the Board of Directors;
  • Conducting a global and enterprise-wide risk assessment and evaluation;
  • Developing and implementing a risk mitigation plan for risks identified through the assessment and evaluation;
  • Developing a comprehensive compliance program that integrates business functions into compliance leadership roles, is designed to deliver clear and consistent communications and expectations Company-wide through policies and procedures, and includes frequent leadership communications to all employees;
  • Revamping the ethics and compliance helpline;
  • Delivering tailored face-to-face compliance training, including training on the FCPA, to the Board of Directors and senior executives, Internal Audit personnel, sales leaders, and all salaried employees;
  • Adopting heightened controls on the selection and use of third parties, including building a system for third-party due diligence that assigns ownership to business personnel to shepherd prospective third parties through a comprehensive risk assessment, review, and approval process;
  • Issuing, and providing training on, business amenities policies specific to certain countries; and
  • Conducting on-site global compliance audits to test adherence to enhanced controls and procedures.

These remediation steps can be broken down into three general categories. First was the disciplining of the persons directly involved, those who knew or should have known, and recalcitrant third parties. Next was the hiring of a CCO with real authority and power to act and get things accomplished. Finally, there were the specifics of the compliance program which was implemented.

While many of these steps have been laid out previously as a part of a best practices compliance program, there is one I want to highlight. It is No. 10, which specifies “Delivering tailored face-to-face compliance training, including training on the FCPA, to the Board of Directors and senior executives, Internal Audit personnel, sales leaders, and all salaried employees.” [emphasis supplied] The word tailored communicates the DOJ’s expectation for training far beyond the standard out of the box compliance training. It means you must put on training which is not only designed for the risk group it is being presented to but you must have some thought into the different risks for each discipline within an organization and their respective role in any compliance program.

There is quite a bit for the compliance practitioner to consider in this NPA. Tomorrow I will present some of the lessons to be garnered by the General Cable FCPA enforcement action.
