The Foreign Corrupt Practices Act (FCPA) enforcement journey, which began last summer with the guilty plea of Vicente Garcia for the payment of bribes to obtain contracts in Panama for his employer, SAP International, ended this week with the release of the Securities and Exchange Commission (SEC) civil action against the parent of SAP International, SAP SE, a German company. The case was concluded via a Cease and Desist Order (the “Order”). The fine was a relatively small $3.7MM with prejudgment interest of another $188K.

The facts, which Garcia had previously admitted in his guilty plea and sentencing hearing last December, were straightforward. He circumvented SAP internal controls to create a slush fund from which to pay bribes. To do so, he had to actively evade an internal compliance system that had stopped him from hiring a corrupt agent to facilitate the bribe payments. Frustrated by the success of the SAP compliance function in stopping his initial bribery scheme, he then turned to a previously approved distributor to facilitate the payment. He did so by giving this distributor an extraordinary discount. The corrupt distributor then sold the SAP products to the Panamanian government at full price and used the price difference to fund the bribes to the corrupt government officials. This led to a $14.5MM sale to the distributor with $3.7MM in profits to SAP. Hence, the amount of profit disgorgement.

The bribery scheme is a clear lesson for any company that utilizes a distribution model in the sales chain. Bill Athanas, a partner in Waller Lansden Dortch & Davis LLP, has articulated a risk management technique for this type of bribery scheme, which he has called the Distributor Authorization Request (DAR). It provides a framework to supply a business justification for any such discount and to assess, manage and document any discount offered to a distributor.

It begins with a DAR template, which is designed to capture the particulars of a given request and allows for an informed decision about whether it should be granted. Because the specifics of a particular DAR are critical to evaluating its legitimacy, it is expected that the employee submitting the DAR will provide details about how the request originated as well as an explanation of the business justification for the elevated discount. In addition, the DAR template should be designed so as to identify gaps in compliance that may otherwise go undetected.

The next step is that channels should be created to evaluate DARs. The precise structure of that system will depend on several factors, but ideally the goal should be to allow for tiered levels of approval. Athanas believes that three levels of approval are sufficient, but can be expanded or contracted as necessary. The key is the greater the discount contemplated, the more scrutiny the DAR should receive. The goal is to ensure that all DARs are vetted in an appropriately thorough fashion without negatively impacting the company’s ability to function efficiently.

Once the information gathering, review and approval processes are formulated, there must be a system in place to track, record and evaluate information relating to DARs, both approved and denied. The documentation of the total number of DARs allows companies to more accurately determine where and why discounts are increasing, whether the standard discount range should be raised or lowered, and gauge the level of commitment to compliance within the company. This information, in turn, leaves these companies better equipped to respond to government inquiries down the road.

Yet beyond the DAR risk management technique advocated by Athanas, there is more robust transaction monitoring to consider for your compliance program going forward. As noted in the Order, one of the remedial measures engaged in by SAP after the bribery and corruption was detected was that the company “audited all recent public sector Latin American transactions, regardless of Garcia’s involvement, to analyze partner profit margin data especially in comparison to discounts so that any trends could be spotted and high profit margin transactions could be identified for further investigation and review.”

This is the type of transaction monitoring which a Chief Compliance Officer (CCO) or compliance practitioner traditionally does not engage in on a pro-active basis. However, this is clearly the direction that US regulators want to see companies moving towards as compliance programs evolve.

Here a couple of questions would seem relevant: What happened? And how do you know? In answering these questions, it is clearly important that there should be an understanding of the business cause of significant sales and that there could be other issues involved in the situation that may require consideration by the compliance practitioner. While a company would usually only consider an analysis of variations at the level at which the sales increase was material, this was not the path taken by SAP in their post-incident investigation. Moreover, such a sales increase would most probably be material for the Panama region and certainly for the employee in question.

Once the appropriate level is determined, direct questions should be asked and answered at that level. Explanations of a sales increase as being the result of the appointment of a new head of business development or a more aggressive sales manager should not simply be taken at face value. Questions such as what techniques were used; what was the marketing spend; how much was spent on discounts to distributors; etc., might help to get at the true underlying reason for a spike in sales. Further, a company should review its findings over subsequent periods for confirmation. So, for example, if a sales increase legitimately appears to be due to the efforts of a new person in the territory or region, is that same increase sustained in later periods? The answer to such a question might identify red flags indicating the need for further review.

A final lesson to be considered is what to do when you have an employee like Garcia. Is he a rogue employee? Does rogue mean his behavior is only sociopathic so that he appears to be operating within the rules? Or were there clear signs that greater scrutiny needed to be put in place? What about his clear attempt to bring in a corrupt agent, at the last minute of a deal, to facilitate it? This is a clear red flag and was not approved by SAP compliance. Does this put the company on notice that an employee is not only willing to go beyond the rules but also to engage in illegal conduct down the road? How many passes does such an employee get before they are shown the door?

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

This is my final Travel Edition from Venice. If there is one thing that is ubiquitous throughout this city it is the Gondolier, the Venetian Gondola boatman. You are never far from hearing their cry of “Gondola, Gondola” to attract tourists for a fabled and romantic gondola ride. One thing I notice about the Gondoliers is that, in addition to having a stout pair of lungs, they are almost all in very good physical condition. They have to be, piloting this very old craft by hand in and around the crowded waters of Venice.

I thought about this as a metaphor for improving your compliance program. As a Chief Compliance Officer (CCO) or compliance practitioner, the more you can get out of the office, into the field and meet the troops the more fit your compliance program will be. Any best practices compliance program should have input from the geographies, cultures, business units and corporate functions within the company. It is well understood that a compliance procedure that works well in the US may not work in Indonesia.

This means that a CCO or compliance professional needs to understand how the cultures in your organization work and then create a compliance program to fit those needs. It does not mean a company can continue to do business with corrupt intent but if there is a culture of gift giving in a geographic area, you should determine a way to continue such courtesies, within the context of your overall compliance regime.

Channeling both my inner Jay Rosen and the FCPA Guidance, you should also work to train your employee base on your compliance protocol in local languages. Even in one country, this could mean translating into more than one language; so, for instance, in Spain you may be required to train in both Spanish and Catalan, if you have operations in the Catalonian region.

Conversely, to make your compliance program more robust, you should not simply believe your own story or, even worse, your own propaganda about the effectiveness of your compliance program. Simply because a Country Manager says something is true does not mean that it is true. You also have the opportunity to get out of the home office and visit international locations. This is the best way to find out what is going on in the field. In the compliance arena, your primary sources are the employees in your own organization.

In addition, by getting out of the office you can create relationships with company personnel. Bruce Rector wrote about this in the Houston Business Journal (HBJ), in an article entitled “All good businesses are built on personal relationships”. Rector’s thesis is that “All business is, in the final analysis, about people – and therefore about relationships.” At the end of the day, compliance, like business, is about people and that means it is about relationships. But perhaps more important is the development of personal relationships.

If you meet with your international sales team, my corporate experience is that they will appreciate that you took the effort to travel to train them or meet with them. They are also more likely to tell you things in person than they would via email or over the phone. One of the criticisms of anonymous hotlines and other internal reporting mechanisms is this lack of the personal experience that can lead to mistrust if not distrust. Getting out into the field and meeting folks can go a long way to overcome this frailty of human nature.

Finally, by getting out of the office and working directly with other company personnel, you can set expectations appropriately. This is true for the compliance practitioner whether you are dealing with third party vendors in the Supply Chain, agents and other foreign business representatives, your employee base, senior management or the Board of Directors. You must set the expectation that if something occurs that materially impacts these expectations, you “must immediately communicate to the person or business affected.” For, as Rector believes, “Nothing will derail a business relationship – or any relationship, actually – more than blindsiding someone with bad news that has been withheld for some time.” By properly managing the expectations of the company’s compliance group with the relationships that you have established in the company, you will make the doing of compliance less stressful for all involved.

I hope you have enjoyed reading my Venetian Travel posts as much as I have enjoyed bringing them to you. My observation that Gondoliers tend to be physically fit ties directly to the job they have to do, propelling a gondola. Yet as a CCO or compliance practitioner you can get out of the office and make your compliance program more robust and get it in better shape.


I return to my Travel Edition themed blog posts today. One of Venice’s greatest citizens was Antonio Vivaldi. His work is celebrated throughout his home city. Last night, I saw a performance of his most famous work, The Four Seasons, which is a piece composed of four violin concertos depicting scenes appropriate for each season. The inspiration for the concertos was probably the countryside around Mantua. They were a revolution in musical conception: in them Vivaldi represented flowing creeks, singing birds, barking dogs, buzzing mosquitoes, crying shepherds, storms, drunken dancers, silent nights, hunting parties from both the hunters’ and the prey’s point of view, frozen landscapes, ice-skating children, and warming winter fires. Each concerto is associated with a sonnet, believed to have been written by Vivaldi, describing the scenes depicted in the music.

The venue for the performance was a deconsecrated church and the sound was phenomenal. A former member of the Houston Symphony Orchestra once told me you can tell a great concert venue if “you can see the music” and tonight I could see it. It was performed by an octet so I could focus on the sound from the individual musicians and it was magical. While doing so, I was also able to better see how it all is structured and integrated together.

One of the things I hear most often from Chief Compliance Officers (CCOs) and compliance practitioners is that they do not have the time to take a step back and look at the larger picture of their compliance program to see how it is structured and how it all inter-relates. That is one reason I developed my service offering I call the Compliance Retreat. The Compliance Retreat allows you to work through a wide range of compliance issues specific to your company, your risk profile, your industry and your culture. It will allow you to see the structure of your program and then think differently about your complete and integrated program, all facilitated by one of the top Nuts and Bolts compliance practitioners around.

The role of facilitator is crucial for several reasons. First and foremost, you should have a neutral party, one with no stake in the outcome. This means that you should not bring in your regular counsel or compliance advisors because they will have a vested interest in projects moving forward. Further, the facilitator needs to be not only well versed in the anti-corruption compliance field but also someone who has seen a wide variety of best practices in compliance in multiple businesses and industries. In the compliance field many practitioners want to know what other companies are doing and how they are facing unique challenges in many areas. Only an expert in the compliance arena can bring all of these skills to bear.

It starts with a Facilitator prepared to discuss your compliance program; the current structure, risk assessments, audits and outstanding issues at this time. A Facilitator could then help lead a discussion based on wide compliance discipline knowledge for steps to consider in building your program. From there, you can move towards building out and enhancing your own compliance program. It would end with action steps that can be measured moving forward.

The Compliance Retreat is more than simply getting away for one day to discuss the specifics of your compliance program. Sarah Kessler, writing in Inc.com, in an article entitled “How to Plan a Company Retreat”, listed some of the key principles of a strategic retreat that I have adapted for the Compliance Retreat. They include:

  • Collaborate. Make certain that all participants have the ability to collaborate.
  • Make discussion introvert-friendly. Ask the participants to write down answers to questions instead of blurting them out, and ask every person in the room to give their opinion in an organized manner.
  • Encourage people to express themselves. It is important that all opinions are heard and make certain that minority opinions have a way to be heard.
  • Combine team building with work. Compliance is always about teamwork so your compliance team should decide their next steps in the future, versus just experiencing a task together and deciding that the group can simply work well together.
  • Stay on topic. It is important to stay focused on compliance issues.
  • Diverge, converge. You should break up your group for more focused discussions then bring them back to the larger group for discussion.
  • Document your next steps. Assign a champion for each step that the compliance team has agreed on, making those steps as specific as possible. You should document who does what, when they will accomplish the task and how, at the end of the day, you will measure it.

Through my new service offering, the FCPA Master Class Training, I am bringing the most current best practices on the nuts and bolts of FCPA compliance to a wide variety of compliance practitioners across the US. With the Compliance Retreat I will be able to offer the best practices to any compliance department or similar corporate function that wants to have a focused retreat on its compliance program. You will have the time to step back and take a look at the bigger picture. Imagine you could focus for one day on your compliance program and be able to pick the brain of one of the top Nuts and Bolts compliance practitioners around.


One of the areas that a Chief Compliance Officer (CCO) must master is looking beyond their own compliance department to the company as a whole. CCOs must therefore lead their own compliance function but also lead with an enterprise wide perspective. Simply put, the nature of any CCO position is an enterprise wide role to prevent, detect and remediate any compliance issues before they become full-blown Foreign Corrupt Practices Act (FCPA) violations. Yet this enterprise wide mindset is something that any CCO or indeed compliance practitioner must develop.

This issue was recently explored in a MIT Sloan Management Review article by Douglas A. Ready and M. Ellen Peebles, entitled “Developing the Next Generation of Enterprise Leaders”. I found the article very useful for taking the compliance practitioner from implementing their vision of a compliance department to learning to build with an enterprise perspective. The reason would seem obvious; compliance demands an integrated response across “functional, geographic and business unit boundaries.”

It also seems that successful enterprise leaders are able to see “the importance of the micro and macro simultaneously”. A key component of any successful CCO is understanding that no one size fits all in compliance. This is certainly magnified across an organization. The authors said, “their trust in their leaders and their peers enabled them to share successes and combat difficulties together.” This is mandatory space for any CCO or compliance practitioner.

In a chart in the article, the authors laid out what steps a builder would take and followed it up with the steps a broker within an organization would bring. Adapting them for the CCO or compliance practitioner yields the following. Build a compliance vision, strategy and brand and then broker shared meaning across the company. Build enthusiasm for the compliance program and combine this with a sense that everyone in the organization is responsible for compliance. Build compliance department capabilities and then turn this knowhow into an integrated compliance function across the organization. Build support for compliance values and principles and burn them into the DNA of your organization. Build compliance teams throughout the organization and broker that talent across the company. Yet even beyond the personal stakes of the CCO are the benefits to the overall organization of a CCO with an enterprise leader mindset. A compliance solution should be integrated across an organization so the business units can work together in a seamless fashion. Such an approach also brings more and greater efficiencies.

The authors believe the key essence of an enterprise leader comes from combining “two often incompatible roles” – those of a builder and broker. This means that any CCO must integrate their vision for compliance across an organization by integrating it “into the wider corporate vision, clarifying where the organization and where their teams can best contribute, both within and beyond unit, geographic and functional boundaries.” The authors identified “six components of the mindset of successful enterprise leader.”

  1. Heightened Sense of Place. By absorbing a corporate culture, a CCO can use that sense of the company as a competitive advantage. Further, such persons can transmit that passion to others in the organization. In today’s hyper-transparent world of reputational risk, a culture of compliance can be a business differentiator. Yet as with all senior management leadership, it is what you do more than what you say.
  2. A Broad Sense of Context. Here the authors intone that it is the integration of understanding the business of a company with all its various components. It is not simply the crossing of siloed boundaries but understanding the differences in business units, corporate functions and even geographic locations that can bring this broad sense of context.
  3. A Sharp Sense of Perspective. Interestingly, the authors believe this skill is the ability to see the big picture, “but they also appreciate the pixels that make up the picture.” CCOs need to learn from everyone in the organization. This can expose the CCO to different leadership styles but the CCO can also see how such leadership styles work in various areas and with different constituencies. The CCO should use other learning tools such as coaching, mentoring and observation to see what really works.
  4. A Powerful Sense of Community. The authors believe that high-potential talent employees are “drawn to peer networks which challenge and support them.” The CCO should cultivate his or her own personal and professional network. Many companies have a Chairman’s Group or President’s Group to challenge such individuals. Any chance to participate in such an opportunity should be accepted.
  5. A Deep Sense of Purpose. The authors believe that enterprise leaders are “exceptionally passionate about their careers and their companies.” I would certainly hope that a CCO or compliance practitioner would have passion around this field. However the authors believe such passion can occur as a result of “reflection, introspection and ability to change as a leader.” Moreover, “rather than influencing employees through individual speeches or stories, the everyday connections between” a CCO’s sense of purpose and the compliance vision can work to “form an indelible impression” about the importance of compliance to an organization.
  6. An Abiding Sense of Resiliency. The authors said that enterprise leaders need to have a next generation mindset; knowing where you came from is certainly important but enterprise leaders must be “fit for the future” and be committed to continuous improvement going forward. The authors made clear this is not “organizational agility” or even the ability to pick one’s self up after a setback but rather the ability to “pivot to the future” even after a stumble.

By using these six components of a successful enterprise leader, a CCO or compliance practitioner can bring greater corporate wide presence to the compliance function. Integrating these six steps together into an already forward and outward looking regime can give compliance the tools to make the doing of compliance second nature within an organization. For if you can make compliance a part of the business process it becomes second nature and a recognized part of any business transaction. The authors ended their piece with a quote from Bill Carapezzi, Pfizer Vice President for Finance and Global Operations, who said, “As I learned to work in new way at Pfizer, I developed better relationships and learned how to mobilize my team for the greater good, which enabled me to deliver more value for the company, and I just felt better.” This would seem to be a laudable goal for every CCO as well.


© Thomas R. Fox, 2015