Henry VIIII am on assignment in Oxford on a two-week study course, focusing on the Tudors. For the first week we focused on Richard III to the end of Henry VIII’s reign. Although Richard III was not a Tudor, we began with him to study the ‘bad rap’ of negative publicity he received from the Tudor court, specifically Sir Thomas Moore and most particularly Shakespeare’s play, Richard III.

In the career of Henry VIII, we discussed the role of Thomas Cromwell and the series of steps leading up to the split from Rome to obtain his divorce from Catherine of Aragon and his dissolution of the Catholic Church in England to create the Church of England. One of the questions initially posed by our tutor, Janet Dickinson, was whether there was an overarching plan to take these steps or if they were made more on an ad hoc basis in response to events on the ground.

The consensus of our group was the steps taken were in response to the changing and evolving circumstances not only in England but also on the Continent, both in Rome and in the wider sphere of European politics. Initially it appeared the Pope was inclined to grant Henry his annulment but that solution was foreclosed when greater European politics intervened. This intervention was the invasion of Italy by the Spanish King Charles V, who was the nephew of Catherine of Aragon. Charles was disinclined to allow the Pope to grant Henry an annulment of the marriage of his aunt to Henry.

Making Henry the head of the Church of England was only one part of the break from Rome. The second part was the dissolution of the Catholic monasteries and passing of Catholic Church land to the English crown, as head of the Church of England. We may never know who initially came up with these ideas, whether it was Cromwell, another advisor or even if Henry himself came up with some or all of the plans. It does seem relatively clear that Cromwell developed the legal arguments supporting the legal claim for Henry to head up the church in England.

Yet, even at this point there was no clear plan to dissolve the Catholic Church’s property in England to the English crown. This move appears to have come in response to an attempt to clarify religious doctrine after the break with Rome. These widespread popular and clerical uprisings found support among the gentry and even the nobility; all culminating in the Pilgrimage of Grace.

If you are a loyal reader of this blog, you know that I am in the midst of a two-week series on the Ten Hallmarks of an Effective Compliance Program, as it was first laid out in the 2012 FCPA Guidance. I find the series of events I outlined above, from our first week of study of the Tudor period of English history, illustrate a key theme of compliance programs. It is that compliance programs must be flexible and have the ability to evolve. Simply put, it is not in the business interest of US companies (or others subject to the Foreign Corrupt Practices Act (FCPA)) to have a static compliance program. Compliance programs must have the flexibility to respond to a wide variety of factors, including changing market conditions both inside a corporation and on the ground.

Moreover, companies need to have the flexibility to design, create and implement a compliance program that manages the risks they face. As companies mature in their compliance function, they can begin to manage more, additional and further sophisticated risks. For instance, audits of third parties should not begin when your compliance program is made operational. It should wait an appropriate period of time so that you have enough information to review and study.

Additionally chronological developments drive more and greater compliance. Transaction monitoring is one clear area that has achieved significant growth in the past few years alone. If a static approach to compliance had been advocated by the Department of Justice (DOJ) this development might have never occurred.

Finally, the times of Henry VIII informs us that companies need to be ready to respond to events on the ground. Not only must companies have a compliance response to new products or service and entry into new markets; they must respond to new and more sophisticated ways to fund bribery and corruption. The sad fact is that the funding of bribery and corruption occurs from internal funds from a company; whether it is mis-labeling marketing expenses or charitable donations, burying commission payments in unauthorized discounts or making subsidiary financial statements so complicated that home office auditors cannot read them; businesses need to respond to the ever changing landscape. The monies to fund bribes come from the company itself, thus there is always a fraud upon the company by its own employees.

The goal of any best practices compliance program is to prevent, detect and remediate. To achieve this the DOJ and Securities and Exchange Commission (SEC) give companies a wide latitude to achieve these goals. The FCPA Guidance says “each compliance program should be tailored to an organization’s specific needs, risks, and challenges, the information provided below should not be considered a substitute for a company’s own assessment of the corporate compliance program most appropriate for that particular business organization. In the end, if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company generally to prevent violations, detect those that do occur, and remediate them promptly and appropriately.”

I have long been drawn to the lessons of history and what they teach us in the present day in the field of compliance. The reason the events of the 1520s and 1530s can and do resonate today are that they are based on the actions of people. I find these lessons build into how companies should think about compliance in the 21st century.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Roman Numbers 1-10.2Over the next two weeks I will be revisiting the Ten Hallmarks of an Effective Compliance program, as laid out in the 2012 A Resource Guide to the U.S. Foreign Corrupt Practices Act ( FCPA Guidance) authored by the Criminal Division of the U.S. Department of Justice [DOJ] and the Enforcement Division of the U.S. Securities and Exchange Commission [SEC]. I still find it to be one of the most useful articulations of a best practices compliance program. Each day the blog post will be partnered with a 10 minute podcast featuring the same Hallmark. These offerings are designed to give you a good summary of not only the government’s expectations but also some basics in meeting these expectations. This series is based upon my seminal book, Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, available through Compliance Week. At the end of this series you will not only have a good summary of the basics of a best practices compliance program but information that you can incorporate into your compliance regime.

The FCPA Guidance states, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company. Managers and employees take their cues from these corporate leaders. Thus, DOJ and SEC consider the commitment of corporate leaders to a “culture of compliance” and look to see if this high-level commitment is also reinforced and implemented by middle managers and employees at all levels of a business.” But the DOJ and SEC expect more than simply to have senior management say the right things. They both expect that such message will be pushed down the ranks of an enterprise so that “A strong ethical culture directly supports a strong compliance program. By adhering to ethical standards, senior managers will inspire middle managers to reinforce those standards. Compliant middle managers, in turn, will encourage employees to strive to attain those standards throughout the organizational structure. In short, compliance with the FCPA and ethical rules must start at the top. DOJ and SEC thus evaluate whether senior management has clearly articulated company stan­dards, communicated them in unambiguous terms, adhered to them scrupulously, and disseminated them throughout the organization.”

Tone at the Top has become a phrase inculcated in the compliance world. The reason it is so important to any compliance program is because it does actually matter. Any compliance program starts at the top and flows down throughout the company. The concept of appropriate tone at the top is in the US Sentencing Guidelines for organizations accused of violating the FCPA; the FCPA Guidance; the UK Bribery Act’s Six Principles of Adequate Procedures; and the OECD Good Practice Guidance on Internal Controls, Ethics and Compliance (OECD Good Practices). The reason all of these guidelines incorporate it into their respective practices is that all employees look to the top of the company to see what is important.

The FCPA world is riddled with cases where the abject failure of any ethical “Tone at the Top” led to enforcement actions and large monetary settlements. In two of the largest monetary settlements of FCPA enforcement actions to date, Siemens and Halliburton, the government specifically noted the companies’ pervasive tolerance for bribery. In the Siemens case, for example, the SEC noted that the company’s culture “had long been at odds with the FCPA” and was one in which bribery “was tolerated and even rewarded at the highest levels”. Likewise, in the Halliburton matter, the government noted that the Halliburton subsidiary involved, KBR, had a “tolerance of the offense by substantial authority personnel” that was pervasive throughout the organization. Yet tone at the top is still a major issue for many corporations. Simply scan today’s headlines and you will see evidence of such failures and they will be costly.

At The Top

 So how can a company overcome these employee attitudes and set, or re-set, its “Tone at the Top”? David Lawler, writing in his book Frequently Asked Questions in Anti-Bribery and Corruption, boiled it down as follows “Whatever the size, structure or market of a commercial organization, top-level management’s commitment to bribery prevention is likely to include communication of the organization’s anti-bribery stance and appropriate degree of involvement in developing bribery prevention procedures.” I once had a Chief Executive Officer (CEO) of a client who described his role at the company as “the ambassador for compliance.” I can think of no better description of the role of a CEO for a best practices compliance program.

In the Middle

 A company must have more than simply a good ‘Tone-at-the-Top’; it must move it down through the organization from senior management to middle management and into its lower ranks. This means that one of the tasks of any company, including its compliance organization, is to get middle management to respect the stated ethics and values of a company, because if they do so, this will be communicated down through the organization.

What should the tone in the middle be? Put another way, what should middle management’s role be in the company’s compliance program? This role is critical because the majority of company employees work most directly with middle, rather than top management and consequently, they will take their cues from how middle management will respond to a situation. Moreover, middle management must listen to the concerns of employees. Even if middle management cannot affect a direct change, it is important that employees need to have an outlet to express their concerns. Therefore, your organization should train middle managers to enhance listening skills in the overall context of providing training for their ‘Manager’s Toolkit’. This can be particularly true if there is a compliance violation or other incident which requires some form of employee discipline. Most employees think it important that there be “organizational justice” so that people believe they will be treated fairly. Without this organization justice, employees typically do not understand outcomes but if there is perceived procedural fairness then an employee is more likely accept a decision that they may not like or disagree with the final result.

Tone at the Bottom

 Even with a great ‘Tone-at-the-Top’ and in the middle, you cannot stop. One of the greatest challenges for a compliance practitioner is how to affect the ‘tone at the bottom’. To do so, you must work to engage those at the front lines, including training, communication and the tools to accomplish these tasks. A key question is how to tap into this belief system? I think the answer is to engage employees in a manner which allows you to not only find out what the employees think about the company compliance program but use their collective experience to help design a better and more effective compliance program. It is my belief that employees want to do business in an ethical manner. Given the chance to engage in business the right way, as opposed to cheating; will win the hearts and minds of your employees almost all of the time.

The bottom line is that not only must a company ‘talk-the-talk’ of compliance but it must also ‘walk-the-walk’ of compliance. It really is about the culture of compliance in your organization because the real issue is whether or not that culture has embedded itself in middle and lower management. A company’s culture is reflected in the values and beliefs that are exhibited throughout your company. You must find a way to articulate and then drive the message of ethical values and doing business in compliance with such anti-corruption laws such as the FCPA from the top down, throughout your organization.

For more information on this Hallmark, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available through Compliance Week by clicking here.

You can listen to a podcast on this Hallmark No. 1 by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Show notes for week ending August 19, 2016

  1. Tom Fox posts on Key Energy FCPA enforcement action: Part I, Part II and Part III.
  2. More Och-Ziff FCPA news as its “Fixer” is arrested for FCPA violations. See this FCPA Blog report.
  3. EU’s to Olympic committee arrested and charged with ticket scalping in Rio. See BBC story.
  4. SEC has second enforcement action against company attempting to prevent employees from going to the SEC with complaints of illegal conduct. This time in a post-employment separation agreement. See Dan Marshall story in the FCPA Blog.
  5. Keppel executives alleged to have known about their agent’s bribery to obtain Petrobras business. See Petro Global News story.
  6. Compliance is a business. See blog post.

7K0A0246Compliance is a business. That statement should not come as a shock or even a surprise to anyone who has worked in the corporate world. Every part of a business should work towards doing business. Yet many compliance practitioners and unfortunately some business types see compliance as the Land of No, led by the corporate equivalent of Dr. No.

The Department of Justice (DOJ), in the form of its Compliance Counsel, Hui Chen, has phrased it somewhat differently. In November 2015, at the New York University Program on Corporate Compliance and Enforcement, Chen provided her initial public comments about how she would consider the effectiveness of a compliance program. One of her points was that you should operationalize your compliance program by tying it to functional disciplines within your company. This means that Human Resources (HR), Payment, Audit, Vendor Management and similar corporate disciplines should be involved in the operation of your compliance program in their respective areas of influence. Then in April 2016 with the initiation of the DOJ Pilot Program around FCPA enforcement, under the remediation prong, the DOJ once again emphasized the operationalization of a company’s compliance program as a key metric in determining benefits under the program.

All of this leads me to conclude the DOJ (as well as the Securities and Exchange Commission (SEC)) want to see compliance moved out into the business. This means that Chief Compliance Officers (CCO’s) will need to move past the thinking that simply having a compliance program will be enough to make compliance effective. You must actually be doing compliance going forward. So what are some of the indicia of doing compliance as a business?

Compliance is a service within your organization. You could actually be a part of the profit generator for your company. Just as law departments generate business by doing transactions, compliance can be viewed as delivering services not only to the business unit but also third parties with whom the company does business. This means not only traditional transaction partners such as sales agents, representatives and distributors but also joint venture (JV) partners, teaming partners and others. Compliance can deliver compliance related services to these third parties as a profit center.

Doing compliance means doing business. There are multiple types of risks in a business; operational, regulatory and reputational, just to name a few. The effort to measure and then manage each of these risks can be led by the compliance function. The more efficiently these risks are measured (i.e. assessed) the more easily and efficiently these risks can be managed. This means that the business is not faced with a binary 1/0 or Go/No Go decision on risk but if compliance moved into measuring and the managing risk through the operationalization of compliance into the business unit; the process would help you to do business more efficiently and with greater profitability.

Compliance is a platform to make your company not only a better run organization but can also demonstrate the thoughtfulness and effectiveness of your compliance program should a regulator ever come knocking. Compliance as a business even satisfies the Tom Fox mantra of Document, Document and Document. This is because if you operationalize compliance into the fabric of your organization, compliance internal controls will touch every aspect of the employment experience in a way that is not obtrusive and will not slow down what you are trying to achieve.

Take compliance as a platform in HR. At every point in talent management, HR can insert compliance into the cycle. Those points include the pre-employment interview and screening, the interview process with progressively higher senior management, the initial on-boarding process, the quarterly; semi-annually; annual performance review, annual bonus review, assessment and award, promotions and even exiting of an entity. The platform of compliance can record each of these touch points and you now have an internal control burned into HR which is a compliance internal control. Further, if there is any attempt to circumvent or over-ride one of these HR internal controls involving the hiring of a son or daughter of a foreign governmental official, a red flag can be raised and sent to the compliance function for further review.

Compliance is a marketing platform. Some attention has been paid to the use of compliance as a recruiting and hiring tool for millennials. One of the facts of their generation is they want to work at companies which are seen to be doing business ethically, all the while making money. Moreover, as Ethisphere demonstrates annually with its World’s Most Ethical Company awards, businesses which win those awards, on average, exceed the New York Stock Exchange blue chip average for profitability.

Compliance embraces public advocacy. The Volkswagen (VW) emissions-testing scandal is one of the largest corporate scandals of the past few years. One thing that makes the VW scandal so unique is that it is one of the few scandals where a company’s actions were so transgressive they damaged the reputations of its competitors. As a response to the VW scandal, Ulrich Grillo, President of the German industry association BDI, recognized that compliance is the answer. He urged companies to check their management processes, including compliance and control systems. He suggested one of the key questions to ask should be “Are we doing everything right?” When you have the President of a national industrial association saying compliance is the answer, you need to sit up and take notice.

As we move from the legal based model of compliance to the more mature understandings that compliance may best well be thought of as a business process, we begin to see how compliance can fit seamlessly into a business. This integration will allow a business to move more nimbly and with greater acumen. Compliance has been driven largely by legal requirements. The enactment of the Foreign Corrupt Practices Act in 1977, the implementation of the 1992 US Sentencing Guidelines, the passage of Sarbanes-Oxley in 2002 and Dodd-Frank in 2010 have all led to development and innovation in compliance. Now the DOJ is moving the bar again by talking about the operationalization of compliance and this development will continue to advance the corporate compliance function.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016