Over the weekend, my wife and I caught the current Bon Jovi This House is Not For Sale Tour. My rock and roll foundation was laid in the 60s/70s, so the group is not all that relevant for me. However, they are substantially relevant for my wife, so she rocked out the three-hour show, as did about 98% of the sold-out house. Even if they are not in my top ten bands, I know a great show when I see one, and these guys put on a heck of a rock and roll show.

One thing that Jon Bon Jovi said during the show struck me as a great insight for the Chief Compliance Officer (CCO) or compliance practitioner. He was explaining the inspiration which came to him for the name of the latest Bon Jovi album, which was the title of this year’s tour. He also said that while the band was cutting the album, he put out the name of the album along with some concept art to the band’s fan base. He expected some response, but he was overwhelmed by the use of the album’s theme, what it meant to so many others and how the band’s fans’ collective vision influenced his thinking while writing songs for the album and then recording them. I found it to be a great insight around the two-way use of social media.

For every CCO or compliance practitioner, you have multiple audiences. First and foremost is your employee base, but there can be third parties, shareholders or other stakeholders. One of the key insights of a number of business leaders I have studied for my multiple books on leadership and my podcast, 12 O’Clock High, a podcast on leadership, is the art of listening. I thought about Bon Jovi’s comments when I read an article in the MIT Sloan Management Review entitled “How Twitter Users Can Generate Better Ideas”, in which authors Salvatore Parise, Eoin Whelan and Steve Todd postulated that “New research suggests that employees with a diverse Twitter network – one that exposes them to people and ideas they don’t already know – tend to generate better ideas.” Their research led them to three interesting findings: (1) “Overall, employees who used Twitter had better ideas than those who didn’t.”; (2) In particular, there was a link between the amount of diversity in employees’ “Twitter networks and the quality of their ideas.”; and (3) Twitter users who combined idea scouting and idea connecting were the most innovative.

I do not think the first point is too controversial or even insightful, as it simply confirms that persons who tend to have greater curiosity tend to be more innovative. The logic is fairly straightforward; as the authors note, “Good ideas emerge when new information received is combined with what a person already knows.” In today’s digitally connected world, the amount of information in almost any area is significant. What the authors were able to conclude is that through the use of Twitter, “the potential for accessing a divergent set of ideas is greater.”

However, it was the third finding that I thought could positively impact the compliance profession: the role of the Idea Scout and the Idea Connector. “An idea scout is an employee who looks outside the organization to bring in new ideas. An idea connector, meanwhile, is someone who can assimilate the external ideas and find opportunities within the organization to implement these new concepts.” For the compliance practitioner, the ability to “identify, assimilate and exploit new [compliance] ideas” is the key takeaway. However, to improve your compliance innovation, “you need to maintain a diverse network while also developing your assimilation and exploitation skills.”

For the compliance practitioner, Twitter can be “described as a ‘gateway to solution options’ and a way to obtain different perspectives and to challenge one’s current thinking.” Interestingly, the authors found that “It’s not the number of people you follow on Twitter that matters; it’s the diversity within your Twitter network.” The authors go on to state, “Diversity of employee’s Twitter network is conducive to innovation.” Typically an Idea Scout will “identify external ideas from experts and resources on Twitter.” Clearly the compliance practitioner can take advantage of experts within the anti-corruption compliance field, but there is perhaps an equally rich source of innovation from those outside this arena.

An interesting approach was what the authors called the “breadcrumb” approach to finding innovation leaders and thought-provokers. It entailed a “period of ‘listening’ to colleagues and industry leaders who are on the platform – including what they are tweeting about, who they are following and replying to on the platform, who is being retweeted often”. So, as with most good leadership techniques, the first key is to listen.

Equally important to this Idea Scout is the Idea Connector, who is putting the disparate strands from Twitter’s 140-character tweets together. For the compliance function, this will be someone who identifies compliance best practices or other information from Twitter ideas, then puts them together and directs the information to the relevant company stakeholders. Finally, such a person can “Curate Twitter ideas and matches them with company resources needed to implement them.”

Here the authors listed a variety of ways an Idea Connector can use Twitter. One user said, “I try to sift through all the Twitter content from my network and look for trends and relationships between topics. I put my analysis and interpretation on it. I feel that’s where my value-add is.” Another method is to focus on analytics, and one user “filtered specific subsets of the topic for different stakeholders” at his company. Another method was to create “social dashboards or company blogs based on the insight” received through Twitter. Interestingly, one of the key requirements for successfully mining Twitter was in finding ways to share its content “since many employees, especially baby-boomers don’t use the platform themselves.” Conversely, mining information from Twitter and presenting it can allow these ‘technologically challenged’ older employees to ascertain how they can target millennials.

But as much as these concepts can move a CCO or compliance practitioner to innovation in a compliance program, Twitter can also foster additional information through the following of your own employees. It is well known that Twitter can facilitate greater communication to and between the compliance function and its customer base, aka the company employees. However, the authors also point to the use of Twitter to enable this same type of innovation because it “is different than email and other forms of information sources in that it enables continuous engagement”.

Twitter was created to allow people to connect with one another and communicate about their activities. However, the marketing potential was immediately seen and used by many companies. Now a deeper understanding of its use and benefits has developed. For the compliance practitioner, one thing you want to consider is to align your Twitter and greater social media strategy with your compliance strategy; match your Twitter strategy to your compliance strategy.

Twitter can be a powerful tool for the compliance practitioner, as it allows you to both listen and communicate. It is one of the only tools that can work both inbound, for you to obtain information and insight, and outbound, where you are able to communicate with your compliance customer base, your employees. You should work to incorporate one or more of the techniques listed herein to help you burn compliance into the DNA fabric of your organization.

To further facilitate your experience, I would suggest you fire up Bon Jovi’s latest album, This House is Not For Sale.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017

On this day in 1836, Colonel William Barrett Travis issued his now famous call for help on behalf of the Texan troops defending the Alamo. It has gone down as one of the great cries for freedom-loving peoples everywhere. The plea was made the day after a large Mexican force, commanded by General Antonio Lopez de Santa Anna, arrived suddenly in San Antonio. Travis and his troops took shelter in the Alamo, where they were soon joined by a volunteer force led by Colonel James Bowie. Though Santa Anna’s 5,000 troops heavily outnumbered the several hundred Texans, Travis and his men determined not to give up. On February 24, they answered Santa Anna’s call for surrender with a bold shot from the Alamo’s cannon. Furious, the Mexican general ordered his forces to launch a siege.

Addressing one of the pleas to “The People of Texas and All Americans in the World,” Travis ended his call for help with the following, “I call on you in the name of Liberty, of patriotism and everything dear to the American character, to come to our aid, with all dispatch. The enemy is receiving reinforcements daily and will no doubt increase to three or four thousand in four or five days. If this call is neglected, I am determined to sustain myself as long as possible and die like a soldier who never forgets what is due to his own honor and that of his country.

VICTORY or DEATH.”

While Travis certainly took the direct approach with General Santa Anna, the same cannot be said to always be appropriate for a Chief Compliance Officer (CCO) or compliance practitioner. Indeed, I am continually amazed at the sources, seemingly about as far as possible from the world of Foreign Corrupt Practices Act (FCPA) compliance, that lend themselves to CCO lessons. One such unexpected source was the Financial Times (FT) Business Book of the Year Award judging competition. Andrew Hill, in his On Management column, wrote about the “horse-trading, mind games and bluff” engaged in by the business executives, professorial types and editors who make up the judging panel, in a piece entitled “Seven lessons from the FT’s business book prize judges”. There are two rounds: the first selects a shortlist of six books and the second chooses the winner.

The seven lessons were about navigating “the fine art of group decision-making”. As every CCO must lead through group consensus, I thought it was an excellent article to draw upon for leadership lessons for such a person. Hill thought the discussions around this book award could be “lessons for far weightier decisions, such as selecting a chief executive.”

Hill believed the first point was almost self-obvious, which is “people whose time is precious must set priorities.” I often say that meetings are the bane of corporate existence and this book award process is no different. Hill noted that while the selection process in fiction awards can drag on for hours, in the initial meeting “the jury ruthlessly dismissed the weakest titles in the first 30 minutes.”

Second, “preparation is everything.” This is more than simply reading the books or, for a CCO, reading all the memos; it means being ready for the political aspects of the event. Hill noted, “I have seen judges strike alliances in taxis en route to the meeting, or over coffee before the formalities begin, as they jockey to get their favourite titles through to the final six.”

Third, at times team decisions require deft and nuanced leadership. One example was the change in meeting styles from Fed Chairman Alan Greenspan to Ben Bernanke. Greenspan was an autocrat who “quashed dissent…by laying out his preferences at the start of the policy discussion.” In contrast, Bernanke changed the tone of the meetings by “inviting others to voice their options first” and reserving his “judgment to the end.”

Fourth, a “diversity of approach yields the best decision”. Hill reported that “Some judges apply a strict, quasi-scientific method — separating the books into genres or styles — and some trust their gut. Executives tend to put a premium on the topic of the books (the rise of China, say, or the march of technology); journalists and writers on the panel naturally favour elegant prose. To win, business books have to satisfy those contrasting viewpoints.”

Fifth, “flexibility is important.” But more than being flexible, Hill noted, there was the technique of reciprocity, as articulated by Robert Cialdini, who wrote about the concept in his seminal work, Pre-Suasion. Cialdini’s key thesis is “people say yes to those they owe”, and Hill wrote that by “gracefully conceding on one of their choices, panelists may win reciprocal support for another.”

Sixth, use your veto power sparingly or I might say, listen, listen and listen before making up your mind and then making a decision. A team by its nature will move towards consensus. If you break that consensus with a veto, rash or otherwise, you will probably hear about it for some time to come.

Seventh, and finally, “compromise with care.” While it is certainly a requisite to listen, it is important to listen with empathy to understand the perspective of other parties and you must “strike a balance between co-operation and competition.” If you have too much empathy, you may fail to “advance your own interests.”

Hill concluded with an interesting twist. He wrote, “Sometimes a surprise contender bursts through to the shortlist of six, ahead of books that initially seemed bound to reach the final. As one judge and non-executive director told me, there are dark parallels with the way boards sometimes mishandle succession planning. A candidate for chief executive who is some board members’ favourite loses out to a less suitable rival who was their second choice. That is tolerable when only book sales are at stake, unacceptable when the future of a whole enterprise depends on the decision.”

I guess Matt Kelly cannot leave his journalist roots, for it was he who broke the story within the greater compliance community that the Department of Justice (DOJ) very quietly released a document, entitled “Evaluation of Corporate Compliance Programs” (Evaluation), on the Fraud Section website late last week. Kelly gave kudos to the law firm of White and Case for the initial notice, but as they are FCPA Inc., Kelly gets the call for being the first to announce it to the compliance community. The document is an 11-part list of questions which encapsulates the DOJ’s most current thinking on what constitutes a best practices compliance program. Within the list are some 46 different questions that a Chief Compliance Officer (CCO) or compliance practitioner can use to benchmark a compliance program. In short, it is an incredibly valuable and, most significantly, useful resource for every compliance practitioner. Over the next couple of blog posts, I will be taking a look at the Evaluation.

The Evaluation, most generally, follows the DOJ and Securities and Exchange Commission’s (SEC) seminal Ten Hallmarks of an Effective Compliance Program, released in the 2012 FCPA Guidance. If there is one overriding theme in the Evaluation, it is the DOJ’s emphasis on doing compliance, as the questions posed are designed to test how far down your compliance program is incorporated into the fabric of your organization. The Evaluation is not simply a restatement of the Ten Hallmarks, as it clearly incorporates the DOJ’s evolution in what constitutes a best practices compliance program, and it certainly builds upon the information put forward in the DOJ’s FCPA Pilot Program regarding effective compliance programs, most particularly found in Prong 3 Remediation. Once again, I detect the hand of DOJ Compliance Counsel Hui Chen in not only helping the DOJ to understand what constitutes an effective compliance program but also providing solid information to the greater compliance community on this score.

As there are 11 areas of inquiry and 10 Hallmarks, one of the interesting considerations is Evaluation No. 1 – the analysis and remediation of underlying conduct. In this area, you need to understand the root cause of any incident: is it systemic, and who made the analysis? You will also need to evaluate your detection or, if the conduct was missed, why it was missed. Finally, you need to explain the remediation.

Next is the area of senior and middle management where you will need to evaluate the specific conduct of senior management in not only discouraging Foreign Corrupt Practices Act (FCPA) violative conduct but also the role of senior management in remedial actions. How do senior leaders and other stakeholders model appropriate behavior and share information on compliance throughout the organization and how is that conduct monitored on an ongoing basis?

Finally, the Board’s role is re-emphasized as the Evaluation asks the following questions, “What compliance expertise has been available on the board of directors? Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions? What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred?” If you are following my month-long series of One Month to a Better Board, you will recognize these as significant issues that many Boards have yet to adequately deal with going forward. The Evaluation also looks at the CCO and compliance function’s upward communications with the Board by looking at reporting lines, CCO access to the Board and independence of the compliance function within the organization.

Next is the area of autonomy and resources for the CCO and the compliance function. This section follows the FCPA Pilot Program Prong Three on remediation by inquiring into the professionalism and expertise of both the CCO and the compliance function. It also asks about the stature of the CCO and compliance function within the organization, including specifically “compensation levels, rank/title, reporting line, resources, and access to key decision-makers”. It also asks about turnover and promotion opportunities. You need to evaluate the role of compliance in strategic planning and whether the compliance function is truly “empowered” within an organization. This final point will entail documenting any “specific transactions or deals that were stopped, modified, or more closely examined as a result of compliance concerns”. Also echoing the Pilot Program Remediation Prong was an inquiry into funding and dollar resources available to the compliance function.

In a new area of review, the Evaluation considers “outsourced compliance functions” for the first time. It asks the following questions, “Has the company outsourced all or parts of its compliance functions to an external firm or consultant? What has been the rationale for doing so? Who has been involved in the decision to outsource? How has that process been managed (including who oversaw and/or liaised with the external firm/consultant)? What access level does the external firm or consultant have to company information? How has the effectiveness of the outsourced process been assessed?”

In the area of “Policies and Procedures” we see a clear operationalization inquiry as you are required to evaluate who had input into the design of your compliance policies and procedures and the process for drafting, all coupled with consultation with the business units. You also need to look at the specific policies and procedures which may have failed and determine how and why they failed. There are some inquiries into “gatekeepers, e.g. the persons who issue payments or review approvals” regarding their training and ongoing monitoring.

Next, and once again following on the operationalization of your compliance program, is a section entitled “Operational Integration” which includes who is responsible for integrating your policies and procedures throughout your organization, what internal controls are in place and specific inquiries into the role of the company payment system in any FCPA violation. This last inquiry is coupled with a review of your vendor management program going forward.

In the area of risk assessments, you need to consider the methodology the company used to identify, analyze, and address the particular risks it faced, coupled with the metrics your company has collected and used to help detect the type of misconduct in question and, most interestingly, how this information has “informed the company’s compliance program”? In a section entitled “Manifested Risks” the Evaluation poses the following question, “How has the company’s risk assessment process accounted for manifested risks?”

Tomorrow I will consider the remainder of the Evaluation and how best to use it going forward.


Today we honor what was called by British Lord Nelson, “the most daring act of its age”; the capture and burning of the US frigate Philadelphia in Tripoli harbor. In October 1803, the ship had run aground near Tripoli and was captured. The Americans feared that the well-constructed warship would be both a formidable addition to the Tripolitan navy and an innovative model for building future Tripolitan frigates. Hoping to prevent the Barbary pirates from gaining this military advantage, President Thomas Jefferson sent Lieutenant Stephen Decatur to lead a daring expedition into Tripoli harbor to destroy the captured American vessel. The Americans recaptured the ship and then set it alight. Decatur and his men escaped without the loss of a single American. The Philadelphia subsequently exploded when its gunpowder reserve was lit by the spreading fire.

A most “daring act” seems to be a good way to introduce a multi-part look at the recent Foreign Corrupt Practices Act (FCPA) enforcement action involving the Chilean chemicals and mining company Sociedad Química y Minera de Chile (SQM), which agreed to pay a criminal penalty of $15.5 million and a civil penalty of $15 million for a total fine and penalty of $30.5 million. The company settled with the Department of Justice (DOJ) via a Criminal Information and Deferred Prosecution Agreement (DPA) and the Securities and Exchange Commission (SEC) via a Cease and Desist Order (Order).

There were a couple of unusual aspects to this matter which bear review and consideration by any Chief Compliance Officer (CCO) and compliance practitioner, particularly for those with companies headquartered or domiciled outside the United States. The first is that the case was rare for its criminal violations of the FCPA’s Accounting Provisions: both the Books and Records and Internal Controls provisions. The second was that the company’s illegal actions appeared to have no US nexus to the conduct involved, and the jurisdictional hook was that the company’s shares trade on the New York Stock Exchange (NYSE) as American Depositary Receipts (ADRs) and the company is required to file periodic reports with the SEC. There were, however, some excellent points for review by any compliance practitioner regarding the underlying conduct involved.

According to the DOJ Press Release, “SQM knowingly failed to implement internal controls sufficient to ensure that payments from a fund under the control of one of its officers and high-level executives were made for services received and in compliance with Chilean law. Between 2008 and 2015, SQM made donations to dozens of foundations controlled by or closely tied to Chilean politicians. During this period, for example, SQM funneled approximately $630,000 to foundations controlled by a Chilean official with influence over the government’s mining plans in Chile, a key segment of SQM’s business.” It went on to add, “SQM also admitted to falsifying its books and records to conceal payments to vendors associated with politicians, logging them as consulting and professional services SQM never received. For example, in 2009, SQM paid approximately $11,000 to the sister-in-law of a Chilean official, recording the payment in SQM’s books as a payment for services received, despite the fact that the official’s sister-in-law submitted the false invoice solely to disguise payment to a Chilean senatorial campaign.” The sum total was that “SQM admitted having paid nearly $15 million between 2008 and 2015 to vendors despite having no evidence any goods or services were actually received.”

Yet in none of the resolution documents was there discussion of specific bribes paid or obtaining or retaining business by SQM. Moreover, as noted above, none of the payments were routed through the US or the US banking system. Finally, although there were numerous emails cited in the resolution documents, there was no evidence presented that they were stored on a US server or even went through the US in cyberspace.

What does come through loud and clear from the Information is the discretionary fund used by the person designated as “SQM Executive” and identified as Mr. Patricio Contesse G. – former Chief Executive Officer (CEO) of SQM. When I say discretionary fund, it was apparently at his sole discretion. Simply put, according to the Information “SQM paid approximately US $14.75 million to PEPs [Politically Exposed Persons] and related parties without effective internal accounting controls, such as appropriate due diligence, documentation or oversight.”

Going more deeply into the results of the company’s internal investigation than was reported in the Information, the company made the following Form 6-K SEC disclosure in December 2015.

“(a) payments were identified that had been authorized by SQM’s former CEO, Mr. Patricio Contesse G., for which the Company did not find sufficient supporting documentation;

(b) no evidence was identified that demonstrates that payments were made in order to induce a public official to act or refrain from acting in order to assist SQM obtain economic benefits;

(c) regarding the cost center managed by SQM’s former CEO, Mr. Patricio Contesse G., it was concluded that the Company’s books did not accurately reflect transactions that have been questioned, notwithstanding the fact that, based on the amounts involved, these transactions were below the materiality threshold defined by the Company’s external auditors determined in comparison to SQM’s equity, revenues, expenses or earnings within the reported period; and

(d) SQM’s internal controls were not sufficient to supervise the expenses made by the cost center managed by SQM’s former CEO and that the Company trusted Mr. P. Contesse G. to make a proper use of resources.”

This same disclosure also specifically noted that Mr. Contesse G. (the former CEO) and “Mr. Patricio Contesse F. – former director of SQM,” declined to be interviewed by the company’s designated outside counsel performing the internal investigation.

Contesse G.’s involvement and fraud were more than simply using his unlimited discretion to facilitate shady payments. He was actively and intentionally involved in falsifying the company’s books and records. The Information stated, “From 2008 to 2013, at the end of each fiscal year, SQM’s books and records, including those that SQM Executive and others intentionally falsified to justify payments to vendors connected to PEPs, were used for the purpose of preparing SQM’s financial statements. In addition, during each of these years from 2008 to 2013, SQM Executive signed financial certifications as part of SQM’s securities filings that he knew to be false.”

Regarding the internal controls violations, the company’s auditors noted payments made to third parties which “had a ‘high-risk’ connection to PEPs.” These findings were even presented to the full company Board of Directors with the recommendation that adequate internal controls be put in place to prevent such conduct going forward. However, none were.

Also interesting was the lack of notation of how the company’s illegal actions came to the attention of the US government. There was no company self-disclosure, no reported whistleblower, no reported referral from another law enforcement agency, domestic or foreign. It may well be there was some type of tip or even electronic information obtained by government regulators.

The actions of SQM senior management were certainly daring in the extreme, one might even say stupid, given their blatant disregard for US law. If companies want the benefits of US securities offerings and prestige, they need someone to counsel them on why they have to comply with US regulations, even in their actions exclusively outside the US. The matter also points to the need for a company’s Board of Directors to step up, ask the hard questions and then take action when management fails to fulfill its obligations to do business legally. Finally, the enforcement action makes clear the need for any company which crosses multiple borders to have a best practices compliance program in place as there will be at least one country which has an anti-bribery/anti-corruption compliance program.

In the next post we will consider how the company was able to receive a 25% discount off the minimum fine range through cooperation and remediation after the US government came knocking.


Today’s headline is inspired by two recent notices; the first is from a January 25 ENI Press Release crowing that “Eni is the first Italian company to receive that certification”. The second came from an article in the Financial Times (FT) entitled “Eni chief Claudio Descalzi charged with international corruption” by James Politi, where he began his piece with the opening, “Claudio Descalzi, chief executive of Eni, has suffered a setback after Italian prosecutors charged him with international corruption following a lengthy investigation into the Italian energy group’s 2011 purchase of a Nigerian exploration licence. Mr Descalzi was asked to stand trial along with Paolo Scaroni, the former chief executive of Eni, as well as nine other individuals who were involved in the $1.3bn transaction, according to Fabio De Pasquale, the lead prosecutor on the case.”

The international corruption charges, which also involve Royal Dutch Shell, raise questions regarding “an offshore exploration bloc called OPL 245, which is estimated to contain up to 9bn barrels of oil and is considered one of Nigeria’s most highly-prized energy prospects.” It was further noted that “The main accusation is that Eni and Shell knew the money paid to the government for OPL 245 would then be funnelled to other Nigerian individuals, essentially as bribes.” In what can only be called a non-denial denial, both “Eni and Shell have said that they simply transferred money to the Nigerian government, without making any arrangements with third parties or the ultimate beneficiaries.”

The problem I see with one headline is that it brings up the uselessness of the ISO certification process. One might reasonably ask how a company could receive a certification for its “AntiBribery Management Systems” when both its current and former chief executives are under indictment for ‘international corruption’? The ISO certification issue is separate and stands apart from the ISO 37001 standards themselves. When I sat down to read the more than 100 pages of what might constitute good compliance practices, I, for the most part, did not have too many disagreements with the articulation. However, in the global world of anti-bribery/anti-corruption enforcement there were multiple standards for an effective compliance program, including, but not limited to, the Ten Hallmarks of an Effective Compliance Program, the Six Principles of Adequate Procedures, the OECD 13 Good Practices and multiple others. Indeed, I published an entire book some 2 1/2 years ago laying out what constitutes an effective compliance program. So while it is mildly interesting from an intellectual perspective, the reality is that it is not anything new, different or innovative.

Yet the title of this blog post makes clear that any ISO 37001 certification is much worse, for it can lead an unsuspecting person to conclude that because a company has the ISO 37001 certification, it is actually doing compliance. The ENI Press Release stated, “quality of the system of rules and controls aimed at preventing corruption”. If that does not sound like a paper compliance program, I do not know what does. I should also note the same Press Release goes on to state that since 2009, Eni has enshrined the principle of “zero tolerance” as “expressed in its Code of Ethics.” I wonder if either the current or former ENI chief executive under indictment read or even knew about this robust ENI Code of Ethics. Interestingly, the Press Release also stated that Stage 2 of the ISO 37001 certification process involved “interviews with people on the ground” to assure compliance with the program. It is safe to assume these interviews did not include the current or former ENI chief executive.

What is a counter-party to ENI to conclude about the robustness of its anti-corruption compliance program? How about any other company which has an ISO 37001 certification? This is where the worse than useless part comes into play. People might actually think that this certification affirms the company which holds it is committed to doing compliance and will continue to do so going forward. The counter-party who does business with such an ISO 37001 certificate holder may well assume this certification forms some basis of protection against a Foreign Corrupt Practices Act (FCPA), UK Bribery Act or (you name the law) investigation for bribery and corruption. Nothing could be further from the truth.

The Department of Justice (DOJ), Securities and Exchange Commission (SEC) and Serious Fraud Office (SFO) continually make abundantly clear that a company is responsible for its counter-parties not violating applicable anti-corruption laws. Put another way, a third party with an ISO 37001 certification who violates the FCPA, UK Bribery Act or any other similar law puts your company at just as much risk as a third party with no ISO 37001 certification. Putting it as simply as I can, an ISO 37001 certification from a counter-party is of less than zero worth to your company, your compliance program or indeed any defense against an FCPA enforcement action.

What about a company which thinks it needs an ISO 37001 certification? This is equally problematic but for different reasons. The FCPA Guidance, jointly issued by the DOJ and SEC, made clear that an effective compliance program is based upon a company assessing its own risks and then setting up a program to manage those risks going forward through training, incentives and discipline and ongoing monitoring. The Ten Hallmarks were designed to be flexible to allow each company to assess and then manage its risks. Moreover, this flexibility allows a Chief Compliance Officer (CCO) or compliance practitioner to put forward clear evidence of compliance with this approach if the government comes knocking in an FCPA investigation. The evidence from the Pilot Program is that the DOJ is taking this approach into account and has doled out multiple declinations and Non-Prosecution Agreements (NPAs) since its inception in April 2016.

So which headline is right: that ENI received an ISO 37001 certification or that the chief executive of ENI will stand trial for corruption? Unfortunately, they are both right and that simple answer communicates to every CCO and compliance practitioner across the globe that the ISO 37001 certification process is worse than useless. This is both for the company assessing the effect of such a certification from a potential third-party and a company considering whether it should obtain the certification to prove it is actually doing compliance.

 
