Roman Numbers 1-10.2The FCPA Guidance states, “In addition to evaluating the design and implementa­tion of a compliance program throughout an organization, enforcement of that program is fundamental to its effec­tiveness. A compliance program should apply from the board room to the supply room—no one should be beyond its reach. DOJ and SEC will thus consider whether, when enforcing a compliance program, a company has appropri­ate and clear disciplinary procedures, whether those proce­dures are applied reliably and promptly, and whether they are commensurate with the violation. Many companies have found that publicizing disciplinary actions internally, where appropriate under local law, can have an important deterrent effect, demonstrating that unethical and unlawful actions have swift and sure consequences.”

This means you need to have recognized incentives for doing business under your Code of Conduct and in fulfillment of your compliance policy and procedures. Incentives can be immediate such as cash bonuses or other awards or more long term, such as promotion within an organization. Conversely, if someone violates your Code of Conduct, there needs to be consequences for such violation.

A key concept to recognize at this juncture is that procedural fairness is one of the things that will bring credibility to your compliance program. It is called the Fair Process Doctrine and this Doctrine generally recognizes that there are fair procedures, not arbitrary ones, in processes involving rights. Considerable research has shown that people are more willing to accept negative, unfavorable, and non-preferred outcomes when they are arrived at by processes and procedures that are perceived as fair. Adhering to the Doctrine in the areas of incentives, promotion and discipline for any compliance function is key to have credibility with the rest of the workforce.

Incentives

Compliance incentives do not have to be extravagant or groundbreaking. Even rather plain vanilla incentives can work if you deliver it consistently, if you make the rewards visible, as the FCPA Guidance states, “Beyond financial incentives, some companies have highlighted compliance within their organizations by recognizing compliance professionals and internal audit staff. Others have made working in the company’s compliance organization a way to advance an employee’s career.” Lastly, make certain that your compliance incentives can be implemented on all levels within your organization.

For those struggling with some metrics around specific compliance obligations to measure against, you could start with the following examples of compliance obligations that are measured and evaluated.

For Senior Management

  • Lead by example in your own conduct and in the decisions you take, to the resources and time you commit to compliance.
  • Facilitate and proactively practice in day-to-day activities the key compliance competencies, both internally and externally.
  • Support specific initiatives from the Chief Executive Officer (CEO), legal and compliance functions.

 For Middle Management

  • Demonstrate, facilitate and proactively practice in day-to-day activities the key compliance competencies, both internally and externally.
  • Support specific initiatives from the legal and compliance functions.
  • Ensure that all employees, agents and contractors directly or indirectly reporting to you fully complete all required training and communications in a timely manner.
  • Provide full cooperation with investigations conducted by the compliance or legal functions of any alleged violation of compliance policies.
  • Include the Chief Compliance Officer (CCO) or another legal or compliance function representative in your management meetings at least twice per year, per geography.
  • Identify instances of non-compliance and support compliance monitoring and reporting systems.
  • Partner with compliance in resolving compliance issues.

For Business Development or Company Sales Representatives

  • Certify that all employees, agents and contractors directly or indirectly reporting to you have fully reported all sales and marketing interactions with all government officials in a timely manner.
  • Certify that all employees, agents and contractors directly or indirectly reporting to you have fully, promptly and accurately reported all expenses with third party sales representatives have occurred.

Promotions 

Another important part is around promotion of employees up to senior management. Human Resources (HR) could help you in compliance to lead the effort to promote only employees who demonstrate a commitment to doing business in compliance. Once again the Fair Process Doctrine is critical here as a part of ongoing employee evaluations and promotions. If your company is seen to advance and only reward employees who achieve their numbers by whatever means necessary, other employees will certainly take note and it will be understood what management evaluates, and rewards, employees upon. I have often heard the tale about some Far East Region Manager which goes along the following lines “If I violated the Code of Conduct I may or may not get caught. If I get caught I may or may not be disciplined. If I miss my numbers for two quarters, I will be fired”. If this is what other employees believe about how they are evaluated and the basis for promotion, you have lost the compliance battle.

Discipline

The types of discipline within a company are fairly standard. Most generally it is any negative consequence, up to and including termination. However, I believe that the key to discipline is procedural fairness and this will help to bring credibility to your compliance program.

Discipline must not only be administered fairly but it must be administered uniformly across the company for the violation of any compliance policy. Simply put if you are going to fire employees in South America for lying on their expense reports, you have to fire them in North America for the same offense. It cannot matter that the North American employee is a friend of yours or worse yet a ‘high producer’. Failure to administer discipline uniformly will destroy any vestige of credibility that you may have developed.

For more information on this Hallmark, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available through Compliance Week by clicking here.

For a video podcast on this Hallmark 6, click here.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

To read more, check out my blog post series on Hallmark 4.

For more information on this Hallmark, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available through Compliance Week by clicking here.

Henry VIIII am on assignment in Oxford on a two-week study course, focusing on the Tudors. For the first week we focused on Richard III to the end of Henry VIII’s reign. Although Richard III was not a Tudor, we began with him to study the ‘bad rap’ of negative publicity he received from the Tudor court, specifically Sir Thomas Moore and most particularly Shakespeare’s play, Richard III.

In the career of Henry VIII, we discussed the role of Thomas Cromwell and the series of steps leading up to the split from Rome to obtain his divorce from Catherine of Aragon and his dissolution of the Catholic Church in England to create the Church of England. One of the questions initially posed by our tutor, Janet Dickinson, was whether there was an overarching plan to take these steps or if they were made more on an ad hoc basis in response to events on the ground.

The consensus of our group was the steps taken were in response to the changing and evolving circumstances not only in England but also on the Continent, both in Rome and in the wider sphere of European politics. Initially it appeared the Pope was inclined to grant Henry his annulment but that solution was foreclosed when greater European politics intervened. This intervention was the invasion of Italy by the Spanish King Charles V, who was the nephew of Catherine of Aragon. Charles was disinclined to allow the Pope to grant Henry an annulment of the marriage of his aunt to Henry.

Making Henry the head of the Church of England was only one part of the break from Rome. The second part was the dissolution of the Catholic monasteries and passing of Catholic Church land to the English crown, as head of the Church of England. We may never know who initially came up with these ideas, whether it was Cromwell, another advisor or even if Henry himself came up with some or all of the plans. It does seem relatively clear that Cromwell developed the legal arguments supporting the legal claim for Henry to head up the church in England.

Yet, even at this point there was no clear plan to dissolve the Catholic Church’s property in England to the English crown. This move appears to have come in response to an attempt to clarify religious doctrine after the break with Rome. These widespread popular and clerical uprisings found support among the gentry and even the nobility; all culminating in the Pilgrimage of Grace.

If you are a loyal reader of this blog, you know that I am in the midst of a two-week series on the Ten Hallmarks of an Effective Compliance Program, as it was first laid out in the 2012 FCPA Guidance. I find the series of events I outlined above, from our first week of study of the Tudor period of English history, illustrate a key theme of compliance programs. It is that compliance programs must be flexible and have the ability to evolve. Simply put, it is not in the business interest of US companies (or others subject to the Foreign Corrupt Practices Act (FCPA)) to have a static compliance program. Compliance programs must have the flexibility to respond to a wide variety of factors, including changing market conditions both inside a corporation and on the ground.

Moreover, companies need to have the flexibility to design, create and implement a compliance program that manages the risks they face. As companies mature in their compliance function, they can begin to manage more, additional and further sophisticated risks. For instance, audits of third parties should not begin when your compliance program is made operational. It should wait an appropriate period of time so that you have enough information to review and study.

Additionally chronological developments drive more and greater compliance. Transaction monitoring is one clear area that has achieved significant growth in the past few years alone. If a static approach to compliance had been advocated by the Department of Justice (DOJ) this development might have never occurred.

Finally, the times of Henry VIII informs us that companies need to be ready to respond to events on the ground. Not only must companies have a compliance response to new products or service and entry into new markets; they must respond to new and more sophisticated ways to fund bribery and corruption. The sad fact is that the funding of bribery and corruption occurs from internal funds from a company; whether it is mis-labeling marketing expenses or charitable donations, burying commission payments in unauthorized discounts or making subsidiary financial statements so complicated that home office auditors cannot read them; businesses need to respond to the ever changing landscape. The monies to fund bribes come from the company itself, thus there is always a fraud upon the company by its own employees.

The goal of any best practices compliance program is to prevent, detect and remediate. To achieve this the DOJ and Securities and Exchange Commission (SEC) give companies a wide latitude to achieve these goals. The FCPA Guidance says “each compliance program should be tailored to an organization’s specific needs, risks, and challenges, the information provided below should not be considered a substitute for a company’s own assessment of the corporate compliance program most appropriate for that particular business organization. In the end, if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company generally to prevent violations, detect those that do occur, and remediate them promptly and appropriately.”

I have long been drawn to the lessons of history and what they teach us in the present day in the field of compliance. The reason the events of the 1520s and 1530s can and do resonate today are that they are based on the actions of people. I find these lessons build into how companies should think about compliance in the 21st century.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Roman Numbers 1-10.2I.     Training

The communication of your anti-corruption compliance program is something that must be done on a regular basis to ensure its effectiveness. The FCPA Guidance explains, “Compliance policies cannot work unless effectively communicated throughout a company. Accordingly, DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been com­municated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.”

“Conducting effective training programs” is listed in the 2011 US Sentencing Guidelines as one of the factors the DOJ will take into account when a company accused of a FCPA violation is being evaluated for a sentence reduction. The US Sentencing Guidelines mandate, “(4) (A) The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subdivision (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.”

While most people tend to overlook the issue of attendance at training, it is an issue that should also be considered. You should determine that all senior management and company Board members have attended FCPA compliance training. You should review the documentation of attendance and confirm this attendance. Make your department, or group leaders, accountable for the attendance of their direct reports and so on down the chain. Evidence of training is important to create an audit trail for any internal or external assessment or audit of your training program.

One of the key goals of any FCPA compliance program is to train company employees in awareness and understanding of the FCPA; your specific company compliance program; and to create and foster a culture of compliance. Up until recently, we had not heard anything from the DOJ around the testing the effectiveness of compliance training, however, beginning in the fall of 2015 through the announcement of the FCPA enforcement Pilot Program, they to talk about whether you have determined the effectiveness of your training.

You can begin with a baseline measurement of employees who participated in your compliance training through a general assessment of those trained on the FCPA and your company’s compliance program is a starting point. Some questions to use for the assessment of the effectiveness of your FCPA compliance training could include the following:

  1. What does the FCPA prevent?
  2. Does your company allow facilitation payments?
  3. How do you report compliance violations at your company?
  4. What types of improper compliance conduct should you report?
  5. What is the name of your company’s Chief Compliance Officer?

For high-risk employees, you can have a more focused evaluation. You can give some circumstances an employee might face when traveling or doing business abroad. As always, you need to document the training, attendance at the training and then the post-training testing. 

II.     Communication

Ethical leadership is absolutely mandatory to have a successful compliance program, whether it is based upon the FCPA or the UK Bribery Act. Senior management must not only be committed to doing business in compliance with these laws but they must communicate these commitments down to the organization. But leadership is not limited only to senior management within an organization. Tone at the Top begets Tone in the Middle; which begets Tone at the Bottom. At each rung there is the need for compliance leadership. Yet these communications can come in many forms. Consider the Morgan Stanley declination that specifically mentioned the ongoing compliance reminders as one of the reasons the company received a declination.

All of this leads me to consider the message of compliance inside of a corporation and how it is distributed. In a compliance program, a large portion of your consumers/customers are your employees. Social media presents some excellent mechanisms to communicate the message of compliance going forward. Many of the applications that we use in our personal communication are free or available at very low cost. So why not take advantage of them and use those same communication tools in your internal compliance marketing efforts going forward.

Another key issue seems to be that problem that companies do not write the way they speak, and do not speak the language of their employee base. In many ways, compliance is a brand and that compliance brand needs to make sure that the message of compliance will resonate with your audience, whether that be your employee base, third parties working for your company, even senior management or the Board. This is where social media can help you and the compliance function to hone your message through social media. Part of this is based on experimenting on what message to send and how to send it throughout your organization.

This means that you will need to work to groom your message but also continue to plug away to send that message out. I think the Morgan Stanley declination will always be instructional as one of the stated reasons the DOJ did not prosecute the company as they sent out 35 compliance reminders to its workforce, over 7 years. Social media can be used in the same cost effective way, to not only get the message of compliance out but also to receive information and communications back from your customer base, the company employees.

The key to training and communication is that they be done effectively. Whether you utilize one of the myriad of compliance training professionals, online training companies or another mechanism, the bottom line is that you need to risk rank your training attendees and follow up by measuring training effectiveness. If you can neither think of anything else nor have the budget for professional consultants, you can always start with the FCPA Guidance and use the hypotheticals as your training materials. I still maintain that in communications you are only limited by your own imagination. By keeping the communications fun, fresh and relevant, you can help keep the eye on compliance in your organization.

For more information on this Hallmark, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available through Compliance Week by clicking here.

To listen to my podcast on this Hallmark, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

 

 

 

 

 

 

 

 

 

 

Roman Numbers 1-10.2I.     Autonomy

The DOJ has made clear over the years the importance of this hallmark. In the FCPA Guidance it states, “In appraising a compliance program, DOJ and SEC also consider whether a company has assigned respon­sibility for the oversight and implementation of a com­pany’s compliance program to one or more specific senior executives within an organization.” But this person must also have the expertise and resources to adequately fill that role. This last point was made clear when the DOJ announced its Pilot Program in April 2016.

Here we refer to the 2011 Amendments to the US Sentencing Guidelines, §8B2.1 (b)(2)(C), which specified:

Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.

There once was an ongoing debate in the compliance world about whether a company can or should combine or separate the role of the Chief Compliance Officer (CCO) from that of the General Counsel (GC). However it would appear that initial debate has ended because of the differences in focus. The GC and legal department are present to protect the company. The CCO and compliance function exist to prevent, detect and remedy issues as they arise.

In the 2015 Deloitte/Compliance Week Compliance Trends Survey, it reported, “Out of 364 respondents, 57 percent now say their CCO reports directly to either the chief executive officer (CEO) or the board. This number has fluctuated over time (from as low as the mid-40s), but is now clearly marching upward. Fifty-one percent say the CCO has a seat on the executive management committee, and 59 percent say the CCO job is a stand-alone position. Fifty-five percent say they regularly brief the board on the company’s overall ethics and culture.” These changes “suggest that most CCOs, especially those at larger corporations, now have an opportunity to participate in high-level discussions about corporate strategy, values, and culture.”

Neither the DOJ nor SEC have taken a formal position on which approach they favor. Whichever structure your company may utilize, it is incumbent that any CCO must have “sufficient authority and independence to oversee the integrity of the compliance program.” Indeed the DOJ Pilot Program specifies this with the following language, “The independence of the compliance function”. Some indicia of independence would include a reporting line to the company’s Board of Directors and Audit/Compliance Committee with, more importantly, “unfiltered” access to the Board. There should also be employment protection including an employment contract with a “nondiscretionary escalation clause” and a requirement for Board approval for any change in the terms and conditions of employment, including termination. There must also be sufficient resources in the form of an independent budget and adequate staff to manage the overall compliance program.

II.     Oversight

A Board’s duty under the FCPA is well known. In the FCPA Guidance there are two specific references to the obligations of a Board. The first in Hallmark No. 1, it states, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second here in Hallmark 3, where it discusses that the CCO should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The DOJ’s Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment?

A Board must not only have a corporate compliance program in place but also actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions. But it is more than simply having a compliance program in place. The Board must exercise appropriate oversight of the compliance program and indeed the compliance function. The Board needs to ask the hard questions and be fully informed of the company’s overall compliance strategy going forward.

III.    Resources 

Funding your compliance program is always one of the biggest challenges for any CCO. Short of being in the middle of a worldwide FCPA investigation you are never going to receive all the funding you want or even think that you are going to need. But this corporate reality is not going to save you if the government comes knocking. The FCPA Guidance provides the following, “Moreover, the amount of resources devoted to compliance will depend on the company’s size, complexity, industry, geographical reach, and risks associated with the business. In assessing whether a company has reasonable internal controls, DOJ and SEC typically consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.” In the Pilot Program it requires only “the company dedicates sufficient resources to the compliance function.”

But there are some things that a CCO might do to try and obtain the resources needed. One thing you can do is have a list of information prepared and be ready to present to the Board or CEO who may provide funding is for your compliance function. If you lay out the information in a coherent manner, it would allow the Board or senior management to get some perspective on the compliance function; what you are asking for and why.

Once again recognizing that every compliance function will always be resource constrained, you can look to other areas in your company to assist the compliance function. An obvious starting place is Human Resources (HR). Internal Audit is another function that you may want to look at for assistance as they should have access to your company’s accounting systems, which allows them to pull data for ongoing monitoring. This may allow you to move towards continuous controls monitoring, on an internal basis. A corporate IT department has several functions that can assist compliance. Finally, do not forget your business teams. You can embed a compliance champion in all divisions and functions around the company. You can take this a step further by placing a Facility Compliance Officer at every site or location where you might have a large facility or corporate presence.

For more information on this Hallmark, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available through Compliance Week by clicking here.

You can listen to a podcast on this Hallmark No.3 by clicking here.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016