Supply ChainOn this day we celebrate the greatest upset in the history of the NCAA Basketball Tournament, when Villanova beat Georgetown for the 1985 national championship. Georgetown was the defending national champion and had beaten Villanova at each of their regular season meetings. In the final the Wildcats shot an amazing 79% from the field, hitting 22 of 28 shots plus 22 of 27 free throws. Wildcats forward Dwayne McCain, the leading scorer, had 17 points and 3 assists. The Wildcats’ 6’ 9” center Ed Pinckney outscored 7’ Hoyas’ center, Patrick Ewing, 16 points to 14 and 6 rebounds to 5 and was named MVP of the Final Four. It was one of the greatest basketball games I have ever seen and certainly one for the ages.

I thought about this game when I read an article in the most recent issue of Supply Chain Management Review by Jennifer Blackhurst, Pam Manhart and Emily Kohnke, entitled “The Five Key Components for SUPPLY CHAIN”. In their article the authors asked “what does it take to create meaningful innovation across supply chain partners?” Their findings were “Our researchers identify five components that are common to the most successful supply chain innovation partnerships.” The reason innovation in the Supply Chain is so important is that it is an area where companies cannot only affect costs but can move to gain a competitive advantage. To do so companies need to see their Supply Chain third parties as partners and not simply as entities to be squeezed for costs savings. By doing so, companies can use the Supply Chain in “not only new product development but also [in] process improvements”.

I found their article resonated for the compliance professional as well. It is almost universally recognized that third parties are your highest Foreign Corrupt Practices Act (FCPA) risk. What if you could turn your Supply Chain from being considered a liability under the FCPA to an area that brings innovation to your compliance program? This is an area that not many compliance professionals have mined so I think the article is a useful starting point. The authors set out five keys to successful innovation spanning Supply Chain partners. They are: “(1) Don’t Settle for the Status Quo; (2) Hit the Road in Order to Hit Your Metrics; (3) Send Prospectors Not Auditors; (4) Show Me Yours and I’ll Show You Mine; and (5) Who’s Running the Show?”

Don’t Settle for the Status Quo

This means that you should not settle for simply the status quo. Innovation does not always come from a customer or even an in-house compliance practitioner. Here the key characteristics were noted to be “cooperative, proactive and incremental”. The authors emphasize that “you need to be leading the innovation change rather than catching up from behind.” If a company in your Supply Chain can suggest a better method to do compliance, particularly through a technological solution, it may be something you should well consider.

Hit the Road in Order to Hit Your Metrics

To truly understand your compliance risk from all third parties, including those in the Supply Chain, you have to get out of the ivory tower and on the road. This is even truer when exploring innovation. You do not have hit the road with the “primary goal to be the inception point for innovation” but through such interactions, innovation can come about “organically”. There is little downside for a compliance practitioner to go and visit a Supply Chain partner and have a “face-to-face meeting simply to get to know the partner better and more precisely identify that partner’s needs.”

Send Prospectors Not Auditors

While an audit clause is critical in any Supply Chain contract, both from a commercial and FCPA perspective, the authors believe that “Too often firms use supply chain managers as auditors when they are dealing with supply chain partners.” The authors call these types of managers “innovation partners.” Every third party should have a relationship manager, whether that third party is on the sales side or the Supply Chain side of the business. Moreover, the innovation partners are “able to see synergies where [business] partners can work together for the benefit of everyone involved.”

Show Me Yours and I’ll Show You Mine

Here the authors note, “Trust plays an extremely important role in supply chain innovation. Firms in successful innovations discussed a willingness to share resources and rewards and to develop their partners’ capabilities.” The authors believe that “Through the process of developing trust, firms understand their partner’s strategic goals.” I cannot think of a more applicable statement about FCPA compliance. Another way to consider this issue is that if your Supply Chain partner has trust in you and your compliance program, they could be more willing to work with you on the prevent and detect prongs of compliance regimes. Top down command structures may well be counter-productive.

Who’s Running the Show?

I found this point particularly interesting as for the authors, this prong means “who is doing what, but also what each firm is bringing to the relationship in terms of resources and capabilities.” In the compliance regime it could well lead to your Supply Chain partner taking a greater role in managing compliance in a specific arena or down a certain set of vendors. Your local Supply Chain partner might be stronger in the local culture, which could allow it to lead to collaborations by other vendors in localized anti-corruption networks or roundtables to help move the ball forward for doing business in compliance with the FCPA or other anti-corruption laws such as the UK Bribery Act.

The authors ended by remarking, “we noticed that leveraging lean and process improvement was mentioned by virtually every firm.” This is true in the area of process improvement, which is the essential nature of FCPA compliance. Another interesting insight from the authors was that utilization can increase through such innovation in the Supply Chain. Now imagine if you could increase your compliance process performance by considering innovations from your Supply Chain third parties? The authors conclude by stating that such innovation could lead to three “interesting outcomes 1) The trust and culture alignment is strengthened through the partnership innovation process leading to future innovations and improvement; 2) firms see what is needed in terms of characteristics in a partner firm so that they can propagate the success of prior innovations to additional partners; 3) by engaging supply chain partners as innovation partners, both sides reap rewards in a low cost, low risk, highly achievable manner.” With some innovation Villanova coach Rollie Massimino led his team over the prohibitive favorite Georgetown, and you may be able to tap into a resource immediately available at your fingertips, your Supply Chain.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

The Last EmpireI recently read a book review in the Times Literary Supplement (TLS) by Archie Brown, entitled “One into fifteen”, where he reviewed the book “The Last Empire” by author Serhii Plokhy. Plokhy’s book is about the dissolution and final days of the Soviet Union. One of the more interesting precepts from the book is end of the Soviet Union as announced on Christmas Day, 1991, by then Communist Party Secretary Mikhail Gorbachev. Brown wrote, “All too often the dissolution of the Soviet Union is conflated with the end of Communism and with the end of the Cold War. But the book points out that the Politiburo had ceased to be the ruling body of the USSR in March of 1990 and thus it was “entirely fallacious to speak of either Communism or the Cold War as having ended in December 1991. The transformation of the system was a precondition for the demise of the state, with the latter being an unintended consequence of the former. But these were distinctive, albeit interconnected processes.””

I considered ‘interconnected processes’ when I saw the Compliance Insider, Illustrative Case Study Series, entitled “Supplier Risk Management”, in which The Red Flag Group laid out in a visual format how a company can effectively identify and manage risks in its supply chain. The process is dubbed ‘Report, Review and Improve’ and consists of six steps.

Step 1 – Collect information on the suppliers. This step begins with a review and assessment of your own Vendor Master files to make an initial determination if a new or indeed other supplier is needed. If there is a business justification for bringing the supplier into a commercial relationship with your company, then you should gather performance data on the proposed vendor. The article suggests that a technological solution can help to provide risk-rated questionnaires to facilitate the process by building workflows and approvals directly into your questionnaires.

Step 2 – Validate the collected information. This is the investigative step. You should take the information provided to you by the proposed supplier and test it. You can check on references. You should also engage the supplier directly by interviewing the internal staff of the proposed supplier and review documents and records as appropriate. When necessary, you may also wish to consider the use of outside experts or internal consultants for recommendations or validations. This step should end with the creation of a risk score of the data you have gathered. Here a technological solution can assist by automating your analysis of completed questionnaire with a risk-based scoring of the answers to facilitate the validation process.

Step 3 – Rate the risk of the supplier. This is the analysis step where you should “compare the risks against your complete knowledge of the proposed supplier.” You should also compare your assessed risks against industry data and the risk-rank the proposed supplier or suppliers. A technological solution can also help to crunch large amounts of numbers or other data to give a first pass on your risk-ranking which can be further refined if required.

Step 4 – Implement risk management controls. The article posits that this step should include the conducting of background due diligence and integrity analysis by screening against known watch lists, sanctions lists and those of politically-exposed-persons (PEPs). A technological solution can help this step by managing the request and delivery of due diligence reports, aid in the reviewing, approving and tracking of completed reports and ensure ongoing compliance with automated daily reviews of such lists. Another suggested component of this step is to meet with your internal and external stakeholders to convey expectations. From this point you should be ready to enter the contracting phase, with appropriate compliance terms and conditions. To the extent required, you should also create and manage your compliance policy for the supplier at this stage as well.

Step 5 – Assess and monitor the supplier. In any relationship with a third party in the compliance world, this step is where the rubber hits the road and you have to manage the relationship. The article discusses custom eLearning that can allow you to quickly and efficiently create training programs for your suppliers based upon your compliance regime and not hypothetical training based on legal standards. A technological solution can also assist you in obtaining online certifications to certify that your supplier is in compliance with your company’s business requirements and internal controls. Finally such a solution can help to automate the process going forward to ensure that certification updates are provided, executed and tracked. But more than the ongoing certifications and training, you will need to monitor the transactions you engage in with a supplier. This may entail reviewing a large amount of data through transaction monitoring but it may also entail going to visit a supplier and going through the deep dive of an audit.

Step 6 – Continuous reporting, review and monitoring. All of this information you obtained must be fully documented. Of course, it must be documented to produce to a regulator if the government comes calling. However, this information can also be used to improve the supplier relationship and perhaps even your vendor system. One of the most interesting suggestions was to create a ‘Virtual Data Room’ dedicated to your suppliers. Not only would the creation of such a stored environment enable you to call up information requested by a regulator on short notice, you would also have it in an accessible format for supply chain process improvements. The article suggests trying such techniques as implementing performance incentive programs which can push compliance culture and behavior changes based upon the data you collect. Interesting the clothing company Levi Strauss instituted just such a policy for suppliers in the area of corporate social responsibility, it announcing it earlier this week.

If you do not subscribe to The Red Flag Group’s Compliance Insider publication, I suggest that you do so. It is one of the very best periodicals around on the building blocks of compliance. The six steps it has laid out for process of identifying and managing your supplier compliance risks under the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act demonstrates the thesis of Plokhy’s book reviewed in the TLS; that it is interconnected processes which usually mark change and management. In the case of the former Soviet Union, it may be been drawn by more human factors but there are now a variety of technological tools available to assist your facilitation of this process under any anti-bribery or anti-corruption compliance regime.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

7K0A0014-2One question often posed to me is how to think through some of the relationships a company has with its various third parties in order to reasonably risk rank them. Initially I would break this down into sales and supply chain to begin any such analysis. Anecdotally, it is said that over 95% of all Foreign Corrupt Practices Act (FCPA) enforcement actions involve third parties so this is one area where companies need to put some thoughtful consideration. However, the key is that if you employ a “check-the-box” approach it may not only be inefficient but more importantly, ineffective. The reason for this is because each compliance program should be tailored to an organization’s specific needs, risks and challenges. The information provided below should not be considered a substitute for a company’s own assessment of the corporate compliance program most appropriate for that particular business organization. In the end, if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company, generally, to prevent violations, detect those that do occur, and remediate them promptly and appropriately.

Sales Side

I tend to view things in a straightforward manner when it comes to representatives on the sales side of your business. I believe that third party representatives you might have, whatever you might call them, i.e. sales reps, sales agents, sales agents, commissioned sales agents, or anything else, are high risk and therefore they should receive your highest level of scrutiny. This is also true with any party that might be called, charitably or not, ‘a partner’ whether that is a joint venture (JV) partner, plain old partner, Teaming Partner or another monickered ‘partner’. However, under this approach you should also consider the perception of corruption in the geographic area that you will use the third party. I recognize that you can overlay a financial threshold but the reality is that if a sales representative generates such a small amount of money for your business you probably do not need them as representative.

At least with distributors, I have seen merit in more sophisticated approaches such as that set out by David Simon, a partner at Foley & Lardner LLP, who advocates a risk analysis should more appropriately based on the nature of a company’s relationships with their distributors. The goal should be to determine which distributors are the most likely to qualify as agents; for whose acts the company would likely to be held responsible.  He argues that it is a continuum of risk; that is, on the low-risk end are distributors that are really nothing more than re-sellers with little actual affiliation with the supplier company. On the high-risk end are distributors who are very closely tied to the supplier company, who effectively represent the company in the market and end up looking more like a quasi-subsidiary than a customer.

Simon looks at agency principles to guide his analysis of whether a distributor qualifies as an agent for FCPA purposes. He argues that factors to consider include:

  • The volume of sales made to the distributor;
  • The percentage of total sales of the distributor’s total business the principal’s product represents;
  • Whether the distributor represents the principal in the market, including whether it can (and does) use the company trademarks and logos in its business; and

Whether the principal company is involved in the running of the distributor’s business (such as by training the distributor’s sales agents, imposing performance goals and objectives, or providing reimbursement for sales activity).

Once a company segregates out the high-risk distributors that likely qualify as agents and potentially subject the company to FCPA liability from those that are mere re-sellers and pose less FCPA risk, FCPA compliance procedures can be tailored appropriately. For those distributors that qualify as “agents” and also pose FCPA risk, full FCPA due diligence, certifications, training and contract language are imperative. For those that do not, more limited compliance measures that reflect the risk-adjusted potential liability are perfectly appropriate.

Supply Chain

This determination of the level of due diligence and categorization of a supplier should depend on a variety of factors, including, but not limited to, whether the supplier is (1) located, or will operate, in a high risk country; (2) associated with, or recommended or required by, a government official or his or her representative; (3) currently under investigation, the subject of criminal charges, or was recently convicted of criminal violations, including any form of corruption; (4) a multinational publicly traded corporation with a recognized exemplary system of compliance and internal controls, that has not been recently investigated or convicted of any corruption offense or that has taken appropriate corrective action to remedy such conduct; or (5) a provider of widely available services and products that are not industry specific, are offered to the public at large and do not fall under the definition of Minimal-Risk Supplier detailed below.

A High-Risk Supplier is an individual or an entity that is engaged to provide non-project specific goods or services to a company. It presents a higher level of compliance risk because of the presence of one or more of the following factors: (a) It is based or operates in a country (including the supply of goods or services to a company) that poses a high risk for corruption, money laundering, or commercial bribery; (b) It supplies goods or services to a company from a high-risk country; (c) It has a reputation in the business community for questionable business practices or ethics; or (d) It has been convicted of, or is alleged to have been involved in, illegal conduct and has failed to undertake effective remedial actions. Finally, it presents one or more of the following factors,: (1) It is located in a country that has inadequate regulatory oversight of its activities; (2) it is in an unregulated business; (3) its ultimate or beneficial ownership is difficult to determine; (4) the company has an annual spend of more than $100,000 with the supplier; (5) it was established or registered in a jurisdiction where ownership is not transparent or that permits ownership in the form of bearer shares; (6) it is registered or conducts business in a jurisdiction that does not have anti-corruption, anti-money laundering and anti-terrorism laws comparable to those of the United States and the United Kingdom; or (7) it lacks a discernable and substantial business history.

A Low-Risk Supplier is an individual or a non-publicly held entity that conducts business such as a sole proprietorship, partnership or privately held corporation, located in a Low-Risk Country. Some indicia include that it (1) supplies goods, equipment or services directly to a company in a Low-Risk Country; (2) a company has an annual spend of less than $100,000 with the supplier; and (3) the supplier has no involvement with any foreign government, government entity, or Government Official. However, if the supplier has other indicia of lower risk such that it is a publicly-held company, it may be considered a Low-Risk Supplier because it is subject to the highest disclosure and auditing and reporting standards such as those under the US Securities Exchange Act of 1934, including those publicly traded on a reputable and highly regulated stock exchange, such as the New York or London exchanges, and are, therefore, subject to oversight by highly regarded regulatory agencies.

Below the high and low risk categories I would add the category of ‘Minimal-Risk Suppliers’ who generally provide to a company goods and services that are non-specific to a particular project and the value of the transaction is $25,000 or less. Some examples might be for the routine purchase of fungible items and services, including, among others: Office supplies, such as paper, furniture, computers, copiers, and printers; Industrial or factory supplies, including cleaning materials, solvents, safety clothing and off-the-shelf equipment and parts; Crating and other standard materials for packing products for shipping; Leasing and rental of company cars and other equipment; and Airline or other travel tickets or services. This category would also include those third parties that provide widely available services and products that are not industry specific, are offered to the public at large. Here you might think of periodicals, florists, daily limousine and taxi, airline and food delivery (including coffee shops, pizza parlors and take out) services.

Last, but certainly not least, is the category of Government Service Providers, which includes entities that generally come into a company through the supply chain, who interact with a foreign government on behalf of your company. Examples might be customs brokers, providers who obtain and process business permits, licenses, visas, work permits and necessary clearances or waivers from government agencies; perform lobbying services; obtain regulatory approvals; negotiate with government agencies regarding the payment of taxes, tax claims, and tax audits. These third parties present some of your highest risks so they need to have not only the highest level of scrutiny but post contract-signing management as well.

The risk ranking of third parties is one of the areas that seems to continue to cause confusion, if not outright bewilderment. The manner in which the articulated risk rankings presented herein is not to be the ‘be-all and end-all’. As the FCPA Guidance reminds us, “An effective compliance program promotes “an orga­nizational culture that encourages ethical conduct and a commitment to compliance with the law.”…A well-constructed, thought­fully implemented, and consistently enforced compliance and ethics program helps prevent, detect, remediate, and report misconduct, including FCPA violations.” If you think through your risk rankings and can articulate a reasonable basis for doing so followed by documentation, I think your own risk ranking system will survive regulatory scrutiny.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

Today we celebrate Thomas Edison. It is not his birthday but the 127th anniversary of Edison announcing his first recording invention, the phonograph. According to This Day in History “Edison stumbled on one of his great inventions–the phonograph– while working on a way to record telephone communication at his laboratory in Menlo Park, New Jersey. His work led him to experiment with a stylus on a tinfoil cylinder, which, to his surprise, played back the short song he had recorded, “MARY HAD A LITTLE LAMB”. Public demonstrations of the phonograph made the Yankee inventor world famous, and he was dubbed the “Wizard of Menlo Park.”” For any audiophile, the phonograph was one of the greatest inventions of all-time.

I thought about Edison and the evolution of his invention in the context of how the audit requirement has been viewed under the Foreign Corrupt Practices Act (FCPA). In my last corporate position, my company was at the cutting edge because we required compliance related audits for vendors in the supply chain. This was cutting edge in 2007-08. However, now an audit for adherence to FCPA compliance requirements has become a standard best practice in the management of business relationships with third party vendors which work with a company through the supply chain. In several settlements of enforcement actions through both Deferred Prosecution Agreements (DPA) and Non-Prosecution Agreements (NPA and, in last year’s FCPA Guidance, the Department of Justice (DOJ) made it clear that a best practices FCPA compliance program includes the right to conduct audits of the books and records of the agents, business partners and supplier or contractors to ensure compliance with the foregoing. Many companies have yet to begin their audit process for FCPA compliance on vendors in their supply chain. I thought this might be a good time to review some of the items you should consider in this area.

I.                   Right to Audit

Initially it should be noted that a company must obtain the right to audit for FCPA compliance in its contract with any third party vendor in the supply chain. Such an audit right should be a part of a company’s standard terms and conditions. A sample clause could include language such as the following:

The vendor shall permit, upon the request of and at sole discretion of the Company, audits by independent auditors acceptable to Company, and agree that such auditors shall have full and unrestricted access to, and to conduct reviews of, all records related to the work performed for, or services or equipment provided to, Company, and to report any violation of any of the United States Foreign Corrupt Practices Act, UK Bribery Act or any other applicable laws and regulations, with respect to:

a.                  the effectiveness of existing compliance programs and codes of conduct;

b.                  the origin and legitimacy of any funds paid to Company;

c.                   its books, records and accounts, or those of any of its subsidiaries, joint ventures or affiliates, related to work performed for, or services or equipment provided to, Company;

d.                  all disbursements made for or on behalf of Company; and

e.                   all funds received from Company in connection with work performed for, or services or equipment provided to, Company.

II.                Structure of the Audit

 In the December 2010 issue of the Industrial Engineer Magazine, authors Aldowaisan and Ashkanai discussed the audit program utilized by the Kuwait National Petroleum Company (KNPC) for its supply chain vendors. Although the focus of these audits is not to review FCPA compliance, the referenced audits are designed to detect and report incidents of non-compliance, which would also be the goal of a FCPA compliance audit. Utilizing ISO 19011 as the basis to set the parameters of an audit, the authors define an audit as a “systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.” The authors list three factors, which they believe contribute to a successful audit: (1) an effective audit program which specifies all necessary activities for the audit; (2) having competent auditors in place; and (3) an organization that is committed to being audited. In a webinar hosted by Securities Docket, entitled “Follow the Money: Using Technology to Find Fraud or Defend Financial Investigations”, noted fraud examiner expert Tracy Coenen described the process as one to (1) capture the data; (2) analyze the data; and (3) report on the data.

There is no one specific list of transactions or other items which should be audited, however some of the audit best practices would suggest the following:

  •  Review of contracts with supply chain vendors to confirm that the appropriate FCPA compliance terms and conditions are in place.
  • Determine that actual due diligence took place on the third party vendor.
  • Review FCPA compliance training program; both the substance of the program and attendance records.
  • Does the third party vendor have a hotline or any other reporting mechanism for allegations of compliance violations? If so how are such reports maintained. Review any reports of compliance violations or issues that arose through anonymous, hotline or any other reporting mechanism.
  • Does the third party vendor have written employee discipline procedures? If so have any employees been disciplined for any compliance violations? If yes review all relevant files relating to any such violations to determine the process used and the outcome reached.
  • Review expense reports for employees in high risk positions or high risk countries.
  • Testing for gifts, travel and entertainment which were provided to, or for, foreign governmental officials.
  • Review the overall structure of the third party vendor’s compliance program. If the company has a designated compliance officer to whom, and how, does that compliance officer report? How is the third party vendor’s compliance program designed to identify risks and what has been the result of any so identified.
  • Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third party vendor.
  • With regard to any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and apply analytical procedures and testing.

III.             Conclusion

 As noted the above list is not exhaustive. For instance, there could be an audit focus on internal controls or segregation of duties (SODs). Any organization which audits a business partner in its supply chain should consult with legal, audit, financial and supply chain professionals to determine the full scope of the audit and a thorough and complete work plan should be created based upon all these professional inputs. At the conclusion of an audit, an audit report should be issued. This audit report should detail incidents of non-compliance with the FCPA compliance program and recommendations for improvements. Any reported incidents of non-compliance should reference the basis of any incidents of non-compliance such as contractual clauses, legal requirement or company policies.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

Today is National Remembrance Day for Veterans who served their country and across the world. In the US we call it Veterans Day. In the UK, it is called Remembrance Day. Whatever it is called, it is designed so that we may never forget the sacrifices that the men and women made so that we can live in a free society. So today, I ask you to personally thank a veteran, buy them a cup of coffee or simply reflect on those who made the ultimate sacrifice to allow us all to go forward into the 21st Century.

My father is a veteran of both World War II and the Korean Conflict. I saw him this weekend and at 87 he is still kicking along, reading, studying and thinking about the relevant issues of the day. He gave to me a copy of the Fall 2013 issue of the University of Illinois, College of Law, Comparative Labor Law & Policy Journal which had an article, entitled “Toward Joint Liability in Global Supply Chains: Addressing the Root Causes of Labor Violations In International Subcontracting Networks”, by authors Mark Anner, Jennifer Bair and Jeremy Blasi. So to honor my father’s continuing interest in anti-corruption compliance, today I will write about this article and how it informs anti-corruption compliance in the Supply Chain.

The authors starting point is that of the Rana Plaza building collapse in Bangladesh, which killed at least 1129 workers, which has led to a “significant departure from the extant model of labor compliance that has developed over the past two decades”. The previous model of labor compliance had assumed that labor issues were a “factory-level problem and the only entity that needs to be regulated is the contractor factory.” This was enforced by companies adopting codes of conduct and then monitoring their suppliers for compliance. However, after the Rana Plaza tragedy, certain western corporations adopted the Bangladesh Accord, which anticipates joint responsibility for labor issues between both vendors and the purchasers of their goods and services. Further, the Bangladesh Accord is not merely like the prior general statements of intent but brings binding, contractually enforceable duties.

While the focus of the article was on labor issues such as pay, safety and retaliation for raising such concerns, the article did point to some interesting ideas which could be applied to this issue as it relates to anti-corruption compliance under laws such as the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. Obviously both laws require a specified protocol for the hiring of third parties which represent companies. These concepts and techniques are now being used for third parties who develop relationships with companies through the supply chain. Companies such as freight forwarders, visa processors and customs brokers have foreign governmental touch points which clearly mandate a through due diligence process under the FCPA and Bribery Act. However, many companies may not recognize their potential exposure for companies which supply them but engage in bribery and corruption to fulfill their contracts.

Using the authors discussion of the regulatory scheme for compliance of labor and safety issues for suppliers under the Bangladesh Accord I have adapted them for anti-corruption compliance. The intention is to create stable, long term relationships and also to promote a stable core of suppliers who are FCPA or Bribery Act compliant in anti-corruption and anti-bribery. These points can incentive suppliers to not only become more compliant in anti-corruption and anti-bribery programs but also reward them for doing business with other like-minded sub-suppliers and sub-contractors. They include:

  • Requiring suppliers to designate all sub-suppliers and sub-contractors that they will use.
  • Restrict the subset of sub-suppliers and sub-contractors to those who have been certified, through a recognized Non-governmental organization (NGO) or company, in anti-corruption.
  • Prohibit retaliation against supplier employees who report, in good faith, allegations of bribery and corruption.
  • Require a supplier to register the number of sub-suppliers and sub-contractors that it intends to use for a company.

For US, and other western companies, I think that there are some lessons which might be drawn from the authors’ piece in connection with their compliance programs around the Supply Chain.

Know Your Suppliers

When it comes to anti-corruption compliance in the Supply Chain, many companies either fail to embrace this concept or, worse yet, do not understand how this concept is interwoven into an overall compliance program. Indeed, one of the perceived banes of compliance is that a company is responsible for the actions of its suppliers. Nevertheless, if companies understand that suppliers are a critical component of an overall compliance program it becomes much easier to understand how such a model can and should be used as a guidepost for the Supply Chain and compliance.

The Compliance Oversight Committee

The Oversight Committee is a key component of any best practices compliance program. Not only should it be used for reviewing and managing traditional high risk areas such as third party business representatives in the sales chain; a company can create such committees for other high risk issues particular to a company. Witness the Johnson & Johnson (J&J) Deferred Prosecution Agreement (DPA) and its “Enhanced Compliance Obligations”. In this J&J agreed to establish “a “Sensitive Issue Triage Committee” to review and respond to any such [Foreign Corrupt Practices Act] FCPA issues as may arise.” This is precisely the type of rigor which should be included in a best practices compliance program. Compliance Committees can serve to escalate compliance issues before they become violations of the FCPA or UK Bribery Act and are becoming a part of a best practices compliance program. If a company decides to disband such a committee it must clearly perform rigorous audits or place such safeguards in place to send a message to both vendors in the Supply Chain and employees that compliance is still held in the highest regard by the company.

Risk Assessments – Don’t Let Growth Overwhelm Your Compliance Program

The Department of Justice (DOJ) continually reminds us of the need for risk assessments. One of the areas often overlooked in risk assessments is growth. Growth and indeed explosive growth can be pursued or occur while not fully assessing or even appreciating the risks involved. This could mean that there were many new vendors in the Supply Chain that did not receive the rigorous due diligence and training in anti-corruption and anti-bribery compliance. A company can also hire huge numbers of new contract employees who do not receive the same anti-corruption training as previously hired employees. These can lead to organizational incentives that become skewered towards growth and not compliance.

If a company wants to move forward with an aggressive growth model, it should assess the compliance risks of doing so. Through a risk assessment, it might be determined that compliance might suffer through the increased use of new vendors. For the compliance practitioner, these risks might also be that new vendors in the Supply Chain need full and complete compliance training, that contract employees need the same compliance training as full-time employees; additionally new vendors need rigorous screening through a robust due diligence process to not only identify Red Flags regarding corruption but to help educate them that your company takes compliance very seriously.

So today I honor my father and all Veterans everywhere. And thanks to my father for continuing to be interested enough to read articles which help inform my knowledge of anti-corruption compliance.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013