Innovation 5I have been exploring innovation in the compliance function this week. For my final piece I want to consider the innovation process itself. In an article in the MIT Sloan Management Review, entitled “Finding a Lower-Risk Path to High-Impact Innovations”, authors Joseph V. Sinfield and Freddy Solis came up with a different method to view the innovation process. They posited something called the ‘Lily Pad’ approach, which they believe can be a lower risk stratagem to innovation. I found that this approach had some interesting applications for the compliance discipline.

The authors begin with the premise, which is found in the traditional risk-reward theory, when they noted, “Innovation initiatives and the funding programs that support them are generally viewed as “investments,” with an expectation that taking higher risks should be rewarded with higher returns. At the low-risk, low-return end of the spectrum, we tend to see investments that drive incremental innovation or development of innovations that are already proven. At the opposite extreme are corporate “skunk works” that seek to drive innovation in technology and business models to develop whole new product or service categories.” Compliance initiatives can fall anywhere along this spectrum for the reason that if they fail, it can create the conditions for a more systemic failure, which could bring the catastrophic consequences of a Foreign Corrupt Practices Act (FCPA) or other legal violation.

The authors believe that an incremental approach, which they designate as the ‘Lily Pad’ approach, “are developed and introduced opportunistically in application spaces that are ready for adoption. Progress in one lily pad garners resources/cash flow earlier in the development process and can create a pathway for subsequent lily pads in other application spaces.” This allows innovations to break out from their initial breakthrough at an organization, through the period where “decisions about which capabilities to develop and which application contexts to pursue” are made by the development team. All this leads to a progressive cascade of innovation moving forward, as visualized by the authors, as leaping from one lily pad to the next.

The authors list some characteristics of innovations, which they believe leaders should consider for investment. I have adapted them for the compliance function. Does the innovation “offer multiple pathways from first principles to impact” and how relevant is the innovation to multiple business lines or units? Will the innovation change the perspective of employees and even move towards reconfiguring the compliance ecosystem? Finally, is there potential for both growth and improvement in the innovation going forward?

After you have gone through and answered these questions, you should be ready to move forward with what the authors called ‘enabling actions’ and implement one or more of the innovations. By using their approach, the authors write that “Lily pad applications for an enabling innovation provide opportunities to match capability, purpose, and context in a manner that advances select performance dimensions of the innovation, aligns elements of ecosystems, and/or begins to shift” employee views across your organization. But more than simply the singular innovation, the lily pad approach allows your company to reduce the time and cost to jump to the next iteration of development.

Finally, the authors believe that you must “understand and proactively shape the ecosystem”, which for the Chief Compliance Officer (CCO) or compliance practitioner, means working with the business teams so that they understand how and why the innovation will help them achieve their corporate goals. Simply put employees can get stuck in the same rut of doing the same thing the same way. Yet it is a maxim that your compliance program must evolve to meet new risks and new demands. The authors’ lily pad approach allows for an incremental growth of change in ways that can demonstrate effectiveness and allow not only feedback but also acceptance from the employee base.

An example of such an approach could be around the use of data driven analysis from the compliance perspective of all dramatic growth in sales. Recall that there is no materiality level under the FCPA, so the business unit that experiences a dramatic growth in sales, even if non-material within the entire organization, could be the basis of a FCPA enforcement action. By focusing your innovation on one business unit that has experienced a dramatic growth, even if it is in a province of one country or a relatively small country in one larger geographic region, you can use this approach to demonstrate the usefulness of such data monitoring.

The lily pad approach would inform the presentation going forward as every business would want to know and understand how a dramatic growth occurred. Was it product driven? Was it personnel driven? Was a new sales campaign employed? Did a new or different product come to market? Of course, if the sales spike was due to nefarious activity such as bribery, corruption, financial fraud, accounting fraud or other egregious behavior then it can be reviewed and remediated as appropriate. For corporate management the initial results obtained by such a review could be the start of an entire innovation process around any portion of the sales cycle that might have been impacted by such stunning sales growth. It could certainly lead to better and more robust business forecasting going forward.

The authors end their article with four key questions, which I found to be an appropriate manner to end this series on innovation in compliance. First, do you understand the role of innovation in your compliance strategy? Second can you spot the innovations as this may well require you to think differently, particularly if you come from the legal department or have legal training, which certainly does not favor or foster innovation. Next, do you have the ability to adapt to innovations in your compliance function to the company as a whole? Put another way, can you demonstrate how an innovation in compliance will help the company do business more efficiently and in compliance with applicable laws. Of course it all begins with the willingness to engage in innovation and that starts with the top of your organization.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Harry PotterOne of the things I have enjoyed for years is listening to some of America’s top professors and academics that teach in their subject area of expertise through lectures from the Teaching Company. I just completed the 24 episode series entitled “Heroes and Legends: The Most Influential Characters of Literature” by Professor Thomas A. Shippey. I was interested in his episode on Harry Potter, whom he identified as a ‘whistleblower’. I have to admit I had never thought of Potter in this manner.

In his show notes, Professor Shippey articulates that Harry’s role is largely to prepare the magic world for the return of the Dark Lord, whose name , Lord Voldemort, is not to be mentioned. If Voldemort returns he will not only take over the world of magic but also lead its rule over the rest of us, the world of muggles.

Shippey believes this war is being fought on several fronts, which is a contemporary situation. Shippey writes, “Just like Harry, we face serious threats to our security: terrorism, financial instability, climate change, and more. We have to trust the state to protect us from those threats, but do we trust the institutions of the state? Skepticism about politicians, lobbyists, and bureaucrats is very much a part of the modern mindset. For this reason, ever since Watergate, we’ve had a word for another new kind of hero: the whistle-blower. As a whistle-blower, Harry tries to alert his community to one threat, but he also faces the other threat of the forces that are trying to hush him up.”

I thought about the struggles of Potter as a whistleblower when I read a piece by Michael Skapinker, in the Business and society column in the Financial Times (FT) entitled “The Libor trial and how to deal with a bullying dishonest boss”. One of the defendants, who was convicted this week in a trial in London, is Jonathan Mathew. According to Skapinker, “He told the court that he had no idea he was behaving dishonestly and only did what Peter Johnson, his manager, told him to do. Mr Mathew said he dealt mainly with Canadian dollar Libor matters and other currencies and only set US dollar rates when Mr Johnson was out of the office or on holiday.”

But more than following his boss’s dictate (I should note that Johnson has pled guilty to the Libor rate-fixing charges and is awaiting sentencing) Mathew was mercilessly bullied by Johnson. Skapinker wrote, “Early on, when another banker asked him to set a particular US dollar rate, he ignored the email, which earned him a rebuke from Mr Johnson when he returned. In future, Mr Johnson told him, he should take a “firm-first approach” and “help these guys out”. He also told the court that Mr Johnson used to hit him on the back of the head with a miniature baseball bat. This was to humiliate, not hurt him. Mr Johnson also made him stand on a chair on the trading floor when he could not name the capital of the Philippines.”

Not surprisingly the bullying was not only physical but verbal as well. In testimony it came out that Johnson had called Mathew, “a “deaf git” (Mr Mathew has hearing difficulties) and once sent him an email headed “brick dain” because the bank’s compliance department would have picked up an email headed “dick brain”.” If this was not evidence of a completely toxic workplace, I have not seen a much greater example.

However it is more than simply a failure of corporate culture, it is a failure of compliance. Roy Snell has been one of the most forceful in articulating the proposition that a Chief Compliance Officer (CCO) and compliance practitioner has to stand up for employees like Mathew and against corporate bullies like Johnson. One of the things every compliance function has to create is a safe place for such bullying conduct to be reported. Skapinker noted that he has “interviewed several whistleblowers over the years. Most have been driven half-crazy by the persecution, law suits and vituperation that followed their act of public service.” He further noted that while “You could call the ethics hotline. This is clearly the right thing to do, but it will almost certainly spell the end of your career and you and your family’s happiness.”

Every compliance department must make it clear that any such employee who comes forward with such tales will not face retaliation. Moreover, such a whistleblower should be actively rewarded for bringing such antithetical conduct to the attention of someone at the company who can do something about it. For if such a culture is allowed to not only exist but to flourish there will always be legal repercussions, in the form of some legal violations.

Harry Potter was willing to be a whistleblower and suffer the consequences. Not all of us have the wherewithal to do so. That is where compliance has to make a stand for what is right. Business is not the Marine Corp, where actions can literally be life and death. These are white-collar businesses and there is no place for the type of bullying that Johnson engaged in with Mathew Skapinker ended his piece with “There have been many villains in the financial crises of the past few years. Mr Mathew does not strike me as the worst.” I would add that every compliance practitioner needs to commit to preventing such conduct at his or her company. There should be some type of detection system in place to pick up such conduct if it does occur. Finally, there should be a remedy immediately brought to bear if such conduct does appear.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Battle of the Somme II have not written much in honor of the centennial of the First World War (WWI). However this week I will to remedy this oversight by focusing on the Battle of the Somme, leading up to the first day of the long battle, which began on July 1, 1916. I cannot say precisely why this one battle has long held such fascination for me. Perhaps because I first read a detailed account of it in John Keegan’s seminal work The Face of Battle back in 1976. I subsequently read other, more detailed works on the battle.

In many ways the Battle of the Somme was a defining moment in British history. Perhaps only Waterloo (defeat of Napoleon) was as important and certainly only Hastings (1066 and all that) was more important. In raw numbers, no other battle in British history comes close to the horrific slaughter of British manhood, with 20,000 killed and another 40,000 wounded on the opening day of the campaign. The campaign lasted five months and cost the British nearly 420,000 casualties. Many authors have struggled to explain the battle and its costs. As a reader, I have struggled to understand the same issues as a reader. Yet there are lessons to be learned from the battle and its aftermath, which I will use as an introduction to my blog posts this week.

Last week the Securities and Exchange Commission (SEC) announced a resolution of an outstanding Foreign Corrupt Practices Act (FCPA) action involving the company Analogic Corporation (Analogic) and Lars Frost (Frost), a former Chief Financial Officer (CFO) of its wholly-owned Danish subsidiary BK Medical ApS (BK Medical). Separately BK Medical settled its outstanding FCPA enforcement action with the Department Of Justice (DOJ) via a Non-Prosecution Agreement (NPA). BK Medical agreed to pay a fine of $3,402,000. In a settlement with the SEC, Analogic agreed to pay $7.7 million in disgorgement and $3.8 million in prejudgment interest. Frost agreed to a fine of $20,000.

Analogic is a medical device manufacturer headquartered in Massachusetts, primarily manufacturing ultrasound equipment. Its sales method into Russia, as well as other countries, was through its Danish subsidiary BK Medical and then through distributors. It was through this mechanism that the bribery and corruption was facilitated. And what a bribery scheme it was.

As stated in the SEC Order, “From at least 2001 through early 2011, BK Medical participated in hundreds of highly suspicious transactions at its distributors’ direction which posed a significant risk of bribery or other improper conduct. The suspicious transactions involved BK Medical’s distributor in Russia, as well as, to a lesser extent, its distributors in Ghana, Israel, Kazakhstan, Ukraine, and Vietnam. The transactions routinely involved fictitious invoices issued by BK Medical at inflated prices, overpayments to BK Medical from the distributors against the inflated invoices, and subsequent payments by BK Medical out of the distributors’ excess funds to unknown third parties all over the world for unknown reasons. In short, for at least nine years, BK Medical acted as a conduit for its distributors to funnel money to parties, and for reasons, unknown to BK Medical. Approximately $20 million flowed through BK Medical from these distributors, with over $16 million from BK Medical’s Russian distributor.”

Down in his CFO office at BK Medical, Frost “personally authorized approximately 150 conduit payments to unknown third parties during his tenure at BK Medical despite knowing that the payments violated BK Medical’s internal accounting controls. Frost also submitted numerous false quarterly sub-certifications to Analogic.”

False Contracts and Bogus Invoices

The SEC Order gave exacting detail on how the illegal payments were created and funded. “The first step involved the creation of one or more fictitious documents reflecting an inflated purchase price for the product or products BK Medical was selling to the Russian distributor.” From there, “the Russian distributor would request that BK Medical create a fictitious, second invoice at an inflated price. The Russian distributor would send BK Medical a template invoice with the inflated price, which was regularly well in excess of 100% of the original, agreed-upon price. BK Medical’s distributor sales staff understood the inflated price to reflect the price the ultimate end user would pay to the distributor.”

BK Medical would then “cut and paste BK Medical’s logo onto the template invoice and complete other pertinent fields, such as an invoice number. These steps were taken outside BK Medical’s standard invoice-generation system, in violation of BK Medical’s internal accounting controls. The fictitious, second invoice would subsequently accompany the ultrasound products when they were shipped to Russia. An invoice prepared by BK Medical’s standard invoice generation system reflecting the agreed-upon, actual price would also be sent to the Russian distributor”.

Next the Russian distributor would send BK Medical a bogus contract at this higher price that the Danish-subsidiary would approve it. The Russian distributor would then pay against the bogus contract and invoice. BK Medical would book the true or original contract price and credit the excess amount to the Russian distributor.

As set out in the NPA’s, in addition to these fake contracts, with their attendant payments, the Russian distributor “would send BK Medical an invoice that purported to be from the third-party entity that was to receive a payment from BK Medical. These invoices referred to services being rendered to BK Medical as, among other things, “marketing,” “logistic service,” and “commission.” BK Medical employees have confirmed that none of these entities actually rendered any services to BK Medical and that they understood this fact at the time these invoices were received by BK Medical.”

Payments Based on False Documents

 Of course this excess amount had to be sent somewhere for a bribe to be paid and sent somewhere the payments were. The SEC Order stated, “Then, at some point weeks or months later, the Russian distributor would direct BK Medical to make a wire payment out of the excess funds to a third party that was otherwise unknown to BK Medical. BK Medical complied with the directives, despite not knowing the purpose of the payments or the nature of the payees.” The payees were largely shell companies located in the usual locations for suspicious payments: Belize, the British Virgin Islands, Cyprus and the Seychelles and made payable “to specific individuals in Russia.”

All of these payments were made outside of and in violation of Analogic’s internal controls. Over a 10-year period, these payments totaled approximately $16.1 million and BK Medical recorded over $21.6 in profits from these transactions. There were other countries where this or a similar distributor-based bribery funding mechanism was used. These countries were “Ghana, Israel, Kazakhstan, Ukraine, and Vietnam” to the tune of some $3.8 million.

As blatant as all of the above was in terms of an overt bribery program, it did not pass unnoticed. As early as 2004, BK Medical’s Vice President (VP) of Sales asked the purpose of the payments. He was told “Russian market conditions.” Moreover, in 2008, Analogic recognized the potential for FCPA violations by BK Medical. The parent corporation provided training to BK Medical but it stopped there and did not inquire further into the Russian agent. So red flags were identified and raised yet there was no follow up action by the corporate parent.

Tomorrow, I will consider more lessons from the Battle of the Somme and how a company, which engages in such a blatant bribery program, can achieve the rather stunning result that Analogic sustained.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Compliance Training IIIThis week, I am exploring issues related to compliance and ethics training, inspired by an article in the online publication, Slate, entitled “Ethics Trainings Are Even Dumber Than You Think, by author L.V. Anderson. Today I tackle the issues of effectiveness and evaluation of your compliance training.

While most people tend to overlook the issue of attendance at training, it is an issue that should also be considered. You should determine that all senior management and company Board members have attended Foreign Corrupt Practices Act (FCPA) compliance training. You should review the documentation of attendance and confirm this attendance. Make your department, or group leaders, accountable for the attendance of their direct reports and so on down the chain. Evidence of training is important to create an audit trail for any internal or external assessment or audit of your training program.

 One of the key goals of any FCPA compliance program is to train company employees in awareness and understanding of the law; your specific company compliance program; and to create and foster a culture of compliance. The testing and evaluation of your FCPA compliance training program is an important aspect not to overlook. In their book, entitled “Foreign Corrupt Practices Act Compliance Guidebook: Protecting Your Organization from Bribery and Corruption”, Martin T. Biegelman and Daniel R. Biegelman provide some techniques which can be used to evaluate ethics and compliance training.

The authors encourage post-training measurement of employees who participated. A general assessment of those trained on the FCPA and your company’s compliance program is a starting point. They list five possible questions as a starting point for the assessment of the effectiveness of your FCPA compliance training:

  1. What does the FCPA stand for?
  2. What is a facilitation payment and does the company allow such payments?
  3. How do you report compliance violations?
  4. What types of improper compliance conduct would require reporting?
  5. What is the name of your company’s Chief Compliance Officer?

The authors set out other metrics, which can be used in the post-training evaluation phase. They point to any increase in hotline use; are there more calls into the compliance department requesting assistance or even asking questions about compliance. Is there any decrease in compliance violations or other acts of non-compliance?

What if you want to take you post-training analysis to a higher level and begin to consider the effectiveness through your return on investment (ROI)? Leona Lewis explored this issue recently on her podcast Masters of Disaster, where she interviewed Joel Smith, the founder of Inhouse Owl, a training services provider. He advocates performing an assessment to determine ethics and compliance training ROI to demonstrate that by putting money and resources into training, a compliance professional can not only show the benefits of ethics and compliance training but also understand more about what employees are getting out of training (effectiveness). The goal is to create a measurable system that will identify the benefits of training, such as avoiding a non-compliance event such as a violation of the FCPA. Smith admits that calculating legal ROI is very difficult as ethical and compliance behavior is an end-goal and of itself – not necessarily one that everyone feels should be subject to a ROI calculation.

Smith noted, “it is extremely difficult to isolate the training effect to calculate what costs you avoided due solely to your ethics and compliance training. Although each organization will have a unique ROI measurement due to unique training objectives, it is possible to use a general formula to calculate ethics and compliance training ROI.”

Smith’s model uses four factors to help determine the ROI for your ethics and compliance training, which are: (1) Engagement, (2) Learning, (3) Application and Implementation, and (4) Business Impact. These four factors are answered through posing the following questions.

  1. Figure out what you want to measure (i.e. what’s the “benefit”?) Before you ever train an employee, you should have a goal in mind. What actions do you want employees to take? What risks do you want them to avoid? In the FCPA, you want them to avoid ethical and non-compliant actions that would lead to FCPA violations. So your goal is to train employees to follow your Code of Conduct and your compliance program policies and procedures rules so you avoid liability related to actions. Therefore the benefit to calculate for ROI purposes is the total amount saved by the company because employees now understand (due to the training) not to engage in unethical and non-compliant conduct around bribery and corruption.
  1. Were employees satisfied with the training? What is their engagement? The next step is to get a sense of whether employees feel that the training you provided is relevant and targeted to their job. If it’s not targeted, employees will likely not be committed to changing risky behavior. Smith believes you can get data on employee engagement through a quick post-training survey. Although this factor does not produce a quantitative number to use in the ROI calculation, it will help you isolate and qualify the training benefit.
  1. Did employees actually learn anything? Smith believes that a critical part of any employee training is the assessment. If you want to understand the “benefit” of training employees, you must know whether they actually learned anything during training. You can collect this data in a number of ways, but for compliance training, the best way is to measure pre and post training understanding over time. Basically, each time you train an employee, measure comprehension both before and after training.
  1. Are employees applying your training? Smith says that for this point you will need to conduct a survey to determine employee application and their implementation of the training topics. To do so, you must conduct employee surveys to understand whether they ceased engaging in certain risky behaviors or better yet understand how to conduct themselves in certain risky situations. These surveys can provide a good sense of whether the training has been effective.
  1. What’s the quantitative business impact of your training? At this point you are ready to determine the numerical business impact of your ethics and compliance training. Smith has an approach he calls the “Best Guess” approach. Smith believes there are two parts to the business impact calculation: (1) the benefit calculation and (2) the isolation calculation. Smith provided five questions he would pose.
    1. How often could a noncompliance event occur?
    2. How much revenue would be involved?
    3. What is the profit margin on the revenue?
    4. What are the other costs?
    5. What are the noncompliance hard costs?

The next step is to isolate the benefits of training so that you properly attribute the ROI to the ethics and compliance training. To make this determination, you need to know at a minimum (1) whether employees understood the training and (2) whether employees are applying the training. This information must be compared with other factors, namely: (1) the effects of any other company initiatives involving anti-corruption, (2) employee attitudes regarding the topic and training, and (3) any business factors such as decreasing/increasing international revenue, macro-economic trends, etc. that may contribute to avoidance of a noncompliance event. From these calculations, you should then apply a percentage of the benefit to the training. Here Smith suggests 25%.

  1. ROI: bringing it all together. Now it is time to calculate the ROI. Here I turn to the formula as laid out on Smith’s company website: “Total FCPA Noncompliance Costs Avoided – Total FCPA Training Program Costs  ÷Total FCPA Training Program Costs ($20,000) x 100=ROI”. Smith concludes by noting, “Even though calculating training benefits is often difficult and imprecise, it’s incredibly important to make an attempt to quantify training ROI” to demonstrate not only effectiveness but also “so you can show business people the incredible effect that engaging training can have on the bottom line.”

The importance of determining effectiveness and the evaluation of your ethics and compliance program is becoming something that is emphasized more by the Department of Justice (DOJ). Beginning last fall, we started to hear that the DOJ wants to see the effectiveness of your compliance program. This is something that many Chief Compliance Officers (CCOs) and compliance professionals struggle to determine. Both the simple guidelines suggested by the Biegelmans and the more robust assessment and calculation laid out by Smith provide you with formulae you can use going forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016