Lear's FoolI conclude my week honoring the 400th anniversary of the death of Shakespeare by using my favorite character in all his work to introduce today’s post. He is The Fool from King Lear. Of Shakespeare’s many theatrical innovations, his transformation of The Fool from the Renaissance Court Jester of songs, music, storytelling, medieval satire and physical comedy to commentator is right up there for me. The Fool became closer to the Greek Chorus. Shakespeare brought the Chorus commentary function back. As noted in Wikipedia, “Where the jester often regaled his audience with various skills aimed to amuse, Shakespeare’s fool, consistent with Shakespeare’s revolutionary ideas about theater, became a complex character who could highlight more important issues. Like Shakespeare’s other characters, the fool began to speak outside of the narrow confines of exemplary morality. Shakespeare’s fools address themes of love, psychic turmoil, personal identity, and many other innumerable themes that arise in Shakespeare”.

While Lear’s Fool was actually a font of wisdom and commentary, the same cannot always be said for the corporate fools who put evidence of bribery and corruption in emails, excel spreadsheets and PowerPoint slide deck presentations. In Foreign Corrupt Practices Act (FCPA) training I always remind attendees that if you put your bribery scheme in emails, it will be uncovered. Further, if you put together an excel spreadsheet tying your nefarious acts, such as hiring the family member of a foreign official or state owned enterprise employee to the award of a contract, it will be uncovered. Now I find I must supplement my training to add the following admonition: do not put your fraudulent scheme in a PowerPoint slide deck for presentation to senior management.

The issue previously arose with our friends at GlaxoSmithKline PLC (GSK) who put together such a presentation in 2013 for targeted bribery campaign code named “Vasily” borrowing its name from Vasily Zaytsev, a noted Russian sniper during World War II. According to Wall Street Journal (WSJ) reporter Laurie Burkitt the campaign “targeted 48 doctors and planned to reward them with either a percentage of the cash value of the prescription or educational credits, based on the number of prescriptions the doctors made.” While Burkitt did note “A Glaxo spokesman has said the company probed the ‘Vasily’ program and [the] investigation has found that while the proposal didn’t contain anything untoward, the program was never implemented.” But, from my experience, if you have a bribery scheme that has its own code name enshrined in a PowerPoint slide deck presentation, even if you never implemented that scheme, it probably means that the propensity for such is pervasive throughout the system.

Yet now we have more and greater evidence of corporate tomfoolery from the Volkswagen (VW) emissions-testing scandal. In an article in the New York Times (NYT), entitled “VW Presentation in ’06 Showed How to Foil Emissions Tests”, Jack Ewing reported that a top technology executive at VW prepared a PowerPoint presentation for management in 2006, laying out in detail how the automaker could cheat on emissions tests in the United States. Ewing wrote, “It provides the most direct link yet to the genesis of the deception at Volkswagen, which admitted late last year that 11 million vehicles worldwide were equipped with software to cheat on tests that measured pollution in emissions.”

The article noted, “It is not known how widely the presentation was distributed at Volkswagen. But its existence, and the proposal it made to install the software, highlight a series of flawed decisions at the embattled carmaker surrounding the emissions problem.” Moreover, “As the PowerPoint underscored, people inside Volkswagen were aware that its diesel engines were polluting significantly more than allowed. Yet company executives repeatedly rejected proposals to improve the emissions equipment, according to two Volkswagen employees present at meetings where the proposals were discussed.”

As more and more of the internal investigation dribbles out, VW’s claim that its emission-testing defeat device was the creation of a small group of ‘rogue engineers’ is rightly dying a death of 1000 cuts. The company began to understand that “The pattern of those [regulatory] tests, the presentation said, was entirely predictable. And a piece of code embedded in the software that controlled the engine could recognize that pattern, activating equipment to reduce emissions just for testing purposes.” This language demonstrates not only the reason behind the defeat device but the requisite mens rea to prove intent to deceive.

But VW did not stop at this aha moment of realization. The company made the defeat device better over the years. The article reported that the defeat device had been enhanced over the years. The software that allowed VW cars to appreciate when the car was being tested, differentiated from when the car was in use on the road. It measured such criteria as determining whether the steering wheel was in use and “During regulators’ tests, the engine software would turn up the pollution controls. When it was on the road, equipment designed to neutralize harmful nitrogen oxides would turned down, resulting in emissions that were up to 40 times the legal limit.” In tech terms, the software was upgraded from defeat device 1.0 to 2.0 and beyond to “detect other telltale signs of a regulatory test.”

The rogue employee defense was never going to work. To have software in place for over 10 years designed to defraud a regulatory scheme, requires a wide swath of knowledge in any organization. But not only within the organization, those vendors in the supply chain, which supplied component parts or products had to be in on the entire scheme as well. Moreover, the very top of the company has been shown to have been aware of these issues. Ewing said, “The management board led by Martin Winterkorn, the chief executive who resigned in September after the admission of cheating, repeatedly rebuffed lower-ranking employees who submitted technical proposals for upgrading the emissions controls, according to the two people who attended meetings where the proposals were discussed. The management board rejected the proposals because of cost”.

You might think only idiots would put into emails, spreadsheets and PowerPoint presentations not only intent to violate laws but also their plans. As bad as all of this is, it points to an even greater insight relevant to FCPA enforcement, that being the Myth of the Rogue Employee. Davide Torsello and Alison Taylor, in a post in the FCPA Blog, detailed some of the major reasons why the myth is just that, a myth. The VW PowerPoint adds yet another spike in its coffin. If your corporate culture is such that you not only communicate internally about illegal conduct but also record those communications, it speaks to a culture that supports and embraces skirting the rules. Commentators who claim that companies should not be punished by the actions of a small group of employees miss this greater truth; these employees would not engage in illegal conduct if their company, either through compensation, succession or other remuneration, did not reward them for engaging in such conduct.

That is the greater truth that Lear’s Fool would impart to corporate management.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Big Data 3Today I continue my exploration of big data in a best practices Foreign Corrupt Practices Act (FCPA) compliance program. Yesterday, I considered how you might use big data in a best practices compliance program. Today I want to explore how visualization of data can assist you in a wide variety of ways in both the detect and prevent prongs of your compliance program. The topic of this series of blogs is based upon an eBook, entitled “Planning for Big Data – A CIO’s Handbook to the Changing Data Landscape, by the O’Reilly Radar Team, with a series of authors each contributing a chapter. Today I will focus on a chapter by Julie Steele, entitled “A Picture is Worth a 1000 Rows”.

 Joe Oringel, co-founder of Visual Risk IQ, is often heard saying, there is a reason his company is named Visual Risk IQ. It is because his company specializes in visualizing the results of the transactions they monitor or analyze. Steele asks “How are you going to make sense of all that information efficiently so you can make a good decision?” She believes “Data Visualization is an important answer to that question.” Put another way, visualization allows you to see the data.

Recognizing that not all visualizations are helpful, Steele writes, “The best data visualizations are ones that expose something new about the underlying patterns and relationships contained within the data. Understanding those relationships – and so being able to observe them – is key to good decision-making. The Periodic Table is a classic testament to the potential of visualization to reveal hidden relationships in even small data sets. One look at the table, and chemists and middle school students alike grasp the way atoms arrange themselves in groups: alkali metals, noble gasses, halogens.” All of this means “If visualization done right can reveal so much in even a small data set like this, imagine what it can reveal within terabytes or petabytes of information.”

Steele says there an “important distinction lies between visualization for exploring and visualization for explaining.” She explains that while visualization for exploring can be imprecise, it is “useful when you’re not exactly sure what the data has to tell you, and you’re trying to get a sense of the relationships and patterns contained within it for the first time. It may take a while to figure out how to approach or clean the data, and which dimensions to include. Therefore, visualization for exploring is best done in such a way that it can be iterated quickly and experimented upon, so that you can find the signal within the noise.” She concludes by noting, “Software and automation are your friends here.”

Steele believes that “Visualization for explaining is best when it is clean.” This is because paring down information to its simplest form, by removing as much noise as is as possible, will allow the “efficiency with which a decision maker can understand” the data. She notes this is the preferred approach “to take once you understand what the data is telling you, and you want to communicate that to someone else.” Moreover, “Visualization for explaining also includes infographics and other categories of hand-drawn or custom made images.”

Incumbent throughout these blogs posts on big data is embedded the concept that the customer base of any company’s compliance function is its employee base. So if you consider that “Many kinds of data visualization, from complex interactive or animated graphs to brightly-colored infographics, can help” to explain to your employee base many of the key issues around compliance. This can allow your employees to better understand your company’s values, the expectations under your Code of Conduct and compliance program and their obligations going forward. It can also be a useful teaching tool to help prevent inadvertent actions that may become more nefarious later. Steele believes that “As Big Data becomes bigger, and more companies deal with complex data sets with dozens of variables, data visualization will become even more important.”

Here is another area where the compliance function can draw upon other talents in a company as Steele suggests you should work with an in-house designer or better yet a team of designers to help you put together visualizations. This is because “Visualization for explaining works best when someone who understands not only the data itself, but also the principles of design and visual communication, tailors the graph or chart to the message.”

Such a designer can work as your translator “Since data visualization is like a foreign language, in the same way, hire an experienced designer for important jobs where precision matters. If you’re making the kinds of decisions in which your customer, product, or profit hangs in the balance, you can’t afford to base those decisions on incomplete or misleading representations of the knowledge your company holds.”

In the concluding chapter in the eBook, entitled “The Future of Big Data”, Edd Dumbill noted, “Visualization fulfills two purposes in a data workflow: explanation and exploration. While business people might think of a visualization as the end result, data scientists also use visualization as a way of looking for questions to ask and discovering new features of a dataset. If becoming a data-driven organization is about fostering a better feel for data among all employees, visualization plays a vital role in delivering data manipulation abilities to those without direct programming or statistical skills.”

The ability to put disparate pieces together in a way that company employees, from top management to the business development person in the AsiaPacific region, understand and see the connections is an important method that should be used by any Chief Compliance Officer (CCO) or compliance practitioner. Consider such analysis as buying patterns of foreign governments in the context of charitable donations. In both the Schering-Plough and Eli Lilly Securities and Exchange Commission (SEC) FCPA enforcement actions, the SEC simply put in a table showing the date of donation to the decision maker’s personal charity and the date of obtaining or retaining business by the company in question. Imagine if the CCO had had that data visually displayed, it might have detected an issue that could have then been prevented before it became a full-blown FCPA violation. It might have led to remediation. It might also lead to additional investigation to see if the charitable donation met the company’s internal requirements or if any exceptions were granted and if so were they properly vetted.

I hope that this series on big data has given you some ideas on what might be available to you, hiding in plain sight, in your own company data.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Big Data 2Today I continue my exploration of big data in a best practices Foreign Corrupt Practices Act (FCPA) compliance program. Yesterday, I considered what big data is and some ways to think about it. Today I want to move into some thoughts on how to use it going forward. The topic of this series of blogs is based upon an eBook, entitled “Planning for Big Data – A CIO’s Handbook to the Changing Data Landscape”, by the O’Reilly Radar Team, with a series of authors each contributing a chapter. Today I will focus on a chapter by Alistair Croll, entitled “The Feedback Economy”.

Croll believes that big data will allow continuous optimization through what he terms the “feedback economy”. This is a step beyond the information economy because you are using the information that you have generated and collected as a source of information to guide you going forward. Information itself is not the greatest advantage but using that information to prevent, detect and remediate in a compliance program is.

Croll draws on military theory to illustrate his concept of a feedback loop. It is the OODA loop, which stands for observe, orient, decide and act. This comes from military strategist John Boyd who realized that combat “consisted of observing your circumstances, orienting yourself to your enemy’s way of thinking and your environment, deciding on a course of action and then acting on it.” Croll believes that the success of OODA is in large part “the fact it’s a loop” so that the results of “earlier actions feedback into later, hopefully wiser, ones.” This should allow combatants to “get inside their opponent’s loop, outsmarting and outmaneuvering them” because the system itself learns. For the Chief Compliance Officer (CCO) or compliance practitioner this means that if your compliance program is able to collect and analyze information better and you can act on that information faster; you can then use it have a more efficient and more robust compliance program.

Croll believes one of the greatest impediments to using this OODA feedback loop is the surplus of noise in our data; that “We need to capture and analyze it well, separating the digital wheat from the digital chaff, identifying meaningful undercurrents while ignoring meaningless flotsam. To do this we need to move to more robust system to put the data into a more usable format.” Croll moves through each of the steps in how a company collects, analyzes and acts on data.

The first step is data collection where the challenge is both the sheer amount of data coming in and its size. Once the data comes in it must be ingested and cleaned. If it comes into your organization in an unstructured format, you will need to cut it up and put into the correct database format for use. Croll touches on the storage component of where you place the data, whether in servers or on the cloud.

A key insight from Croll is the issue of platforms, which are the frameworks used to crunch large amounts of data more quickly. His most important acumen is to break up the data “into chunks that can be analyzed in parallel” so the data can be considered and acted upon more quickly. Another technique he considers is “to build a pipeline of processing steps, each optimized for a particular task.”

Another important component is machine learning and its importance in the data supply chain. Croll observes, “we’re trying to find signal within the noise, to discern patterns. Humans can’t find signal well by themselves. Just as astronomers use algorithms to scan the night’s sky for signals, then verify any promising anomalies themselves, so too can data analysts use machines to find interesting dimensions, groupings or patterns within the data. Machines can work at a lower signal-to-noise ratio than people.”

Yet Croll correctly notes that as important as machine learning is in big data collection and analysis, there is “no substitute for human eyes and ears.” Yet for many CCOs or compliance practitioners, displaying the data is most difficult because it is not generally in a readable form. To say lawyers are not as proficient as other corporate types in excel or similar tools would be to state the obvious, yet that is about as sophisticated as many practitioners can get. It is important to portray the data in more visual style to help convey the “dozens of independent data sources” into navigable 3D environments. As Joe Oringel is want to say, there is a reason his company is named Visual Risk IQ.

Of course having all this data is of zero use unless you act on it. Croll believes that big data can be used in a wide variety of corporate decision making, from “hiring and firing decision, to strategic planning, to market positioning.” I would certainly add compliance programs as well. But it does take a shift in compliance thinking to use such data. Once again lawyers are particularly ill suited to consider such information for reasons as diverse as training and temperament. This is yet another reason why compliance has evolved to Compliance 2.0, Compliance 3.0 and beyond. Big data allows you to make a quicker assessment of the impact of measured risks. It advocates “fast, iterative learning.”

Croll ends his chapter by noting that the “big data supply chain is the organizational OODA loop.” But unlike the OODA loop, it is more than simply about the loop and plugging information as you move through it. He believes “big data is mostly about feedback”; that is, obtaining the impact of the risks you have accepted. For this to work in compliance, a company’s compliance discipline needs to both understand and “choose a course of action based upon the results, then observe what happens and use that information to collect new data or analyze things in a different way. It’s a process of continuous optimization”.

The three prongs of any best practices anti-corruption compliance program are prevent, detect and remedy. Whether you consider the OODA loop or the big data supply chain feedback, this process, coupled with the data that is available to you should facilitate a more agile and directed compliance program. The feedback components in both processes allow you to make adjustments literally on the fly. For the CCO or compliance practitioner reviewing and analyzing disparate pieces of information available to you, could help you to recognize troubling trends that are not yet full FCPA violations and deliver a solution before you have self-disclose in the new age of the Yates Memo and Department of Justice (DOJ) Pilot Program.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.
© Thomas R. Fox, 2016

DOJThis week I have been exploring the implications of the Department of Justice (DOJ) announcement last week of a new program Pilot Program around Foreign Corrupt Practices Act (FPCA) enforcement, together with the document, entitled “The Fraud Section’s Foreign Corrupt Practices Act Enforcement Plan and Guidance” (herein “The Guidance”), more fully laying out the specifics of this Pilot Program and providing more background and information for the compliance practitioner. I visited with Arnold & Porter LLP partner Stephen Martin on this exploration and today I conclude this series by looking at what is the impact for the compliance practitioner.

The FCPA commentariat has had several different views of this new Pilot Program. The FCPA Professor has said the Pilot Program is nothing new and renewed his call for a compliance defense, Billy Jacobsen, writing in the FCPA Blog, called the Pilot Program a “swing and a miss” and Mike Volkov said the Pilot Program is a “mixed bag”. My conclusion is different from all of these commentators. I find the Pilot Program to have provided solid, tangible benefits for the Chief Compliance Officer (CCO) or compliance practitioner around the issue of whether or not to self-disclose, coupled with more and additional information about the DOJ expectations for a best practices compliance program.

There are two new categories of credit that companies can receive. These categories are not new but they are identified in writing so that a CCO or compliance practitioner can point to them when having a conversation with a Board of Directors or senior management about the tangible benefits of self-disclosure. As stated in the Guidance, a company can receive up to a 25% reduction off the bottom guideline of the US Sentencing Guidelines fine range if it cooperates and engages in appropriate remediation. A company can receive up to a 50% reduction off the bottom end of the Sentencing Guidelines and will generally not have to sustain a corporate monitor if it self-discloses, cooperates and fully remediates. This means that self-disclosure can lead to a 25% discount greater than no self-disclosure.

As Stephen Martin said, “The question you always get from the general counsel, from the CEO, from the Board of Directors is how do we know we will get credit and what does that credit really look like?” He went on to say, “That was always a tough discussion with the senior manager and the Board of Directors because they look at publicly are these huge fines, huge investigation expenses and they don’t really understand or see the fact that a number of cases are declined for prosecution or really never really go forward. You only see the ones that the wealthy settlements that are out there in the fines. It had been a very tough discussion to have with the senior manager and Board of Directors.” Now you can point directly to this Guidance and tell them “you get a reduction fine up to fifty percent off of the bottom level from the Sentencing Guidelines and not require the appointment of a monitor. It’s a very clear statement from the Department of Justice as to what does it mean to self disclose,” cooperate and remediate.

Yet there is another reason why I think this potential discount is so powerful – you will get double discount credit for engaging in the same conduct. Recall that this Guidance supplements but does not supplant the Sentencing Guidelines. Under those Sentencing Guidelines, there is a reduction in the Culpability Score of up to -5 for self-disclosure, full cooperation and demonstration of responsibility. A company will receive an additional discount of 25% or 50% for engaging in the same activities, in addition to remediation.

Martin believes that these numbers will not only make it easier to speak to a Board and senior management but it will also make it easier for those bodies to grasp the tangible benefits they are receiving by engaging in such conduct. More importantly, he said that it speaks to that long sought metric of what is the return on investment for compliance. Martin stated, “The reality is if you are doing compliance the right way inside of a company and your working on strategic business initiatives and your working with the management and the business immediately. What you are really trying to do is help the company be pro-active, help it understand and reduce it’s risk profile and maximize profitability and if you are doing your job the compliance officers in that fashion you are not a cross netter you are actually a real benefit to the business. Sometimes that is hard to understand, executives when they are looking at budgets and costs. This then ultimately gives a very clear message if you invest in your compliance program, you have an effective compliance program it’s going to protect the business… Those are very clear signals about why this is a great return on investments”.

I also think the Guidance points out the growing importance of the compliance function in a company and the growing need for professionalism among compliance practitioners. This is first time I have heard the DOJ talk about the “quality and experience” of a company’s compliance personnel. Clearly this means that a corporate legal department cannot simply assign an Associate General Counsel to be a CCO. They must have real compliance skills, beyond simply learning the law. Compliance is a much different discipline than a corporate legal department and while a solid legal training and grounding in the law is a start, it is only a start.

The other trend I see at play is the direction of Leslie R. Caldwell and Andrew Weissmann. They have both called for greater clarity and greater transparency in the FCPA enforcement process. They have both worked assiduously to make this the DOJ policy, which I think the Pilot Program and Guidance are a part of going forward. Yet the incentives laid out in the Guidance also support the DOJ focus stated in the Yates Memo, that being to go after individuals who have violated the FCPA. I recognize the proof will be in the pudding but prosecutions move more slowly so it may be some time going forward before there is a dramatic uptick in individual prosecutions under the FCPA.

Yet the Yates Memo (focused on all white collar prosecutions, not simply FCPA) incentivizes corporations to turn over individuals and prosecutors to go after individuals. The now doubled sized of the DOJ’s FCPA unit and three new FBI investigative teams add some real resources and they will not be sitting around doing nothing. The Guidance reinforces the incentives companies have to investigate individuals and name names to the DOJ.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016