I guess Matt Kelly cannot leave his journalist roots for it was he who broke the story within the greater compliance community that the Department of Justice (DOJ) very quietly released a document, entitled “Evaluation of Corporate Compliance Programs” (Evaluation), on the Fraud Section website late last week. Kelly gave kudos to the law firm of White and Case for the initial notice but as they are FCPA Inc., Kelly gets the call for being the first to announce it to the compliance community. The document is an 11-part list of questions which encapsulates the DOJ’s most current thinking on what constitutes a best practices compliance program. Within the list are some 46 different questions that a Chief Compliance Officer (CCO) or compliance practitioner can use to benchmark a compliance program. In short, it is an incredibly valuable and most significantly useful resource for every compliance practitioner. Over the next couple of blog posts, I will be taking a look at the Evaluation.

The Evaluation, most generally, follows the DOJ and Securities and Exchange Commission’s (SEC) seminal Ten Hallmarks of an Effective Compliance Program, released in the 2012 FCPA Guidance. If there is one over-riding theme in the Evaluation, it is the DOJ’s emphasis on doing compliance as the questions posed are designed to test how far down your compliance program is incorporated into the fabric of your organization. The Evaluation is not simply a restatement of the Ten Hallmarks, as it clearly incorporates the DOJ’s evolution in what constitutes a best practices compliance program, and it certainly builds upon the information put forward in the DOJ’s FCPA Pilot Program regarding effective compliance programs, most particularly found in Prong 3 Remediation. Once again, I detect the hand of DOJ Compliance Counsel Hui Chen in not only helping the DOJ to understand what constitutes an effective compliance program but also providing solid information to the greater compliance community on this score.

As there are 11 areas of inquiry and 10 Hallmarks, one of the interesting considerations is Evaluation No. 1 – the analysis and remediation of underlying conduct. In this area, you need to understand the root cause of any incident: is it systemic, and who made the analysis? You will also need to evaluate your detection or, if the conduct was missed, why it was missed. Finally, you need to explain the remediation.

Next is the area of senior and middle management where you will need to evaluate the specific conduct of senior management in not only discouraging Foreign Corrupt Practices Act (FCPA) violative conduct but also the role of senior management in remedial actions. How do senior leaders and other stakeholders model appropriate behavior and share information on compliance throughout the organization and how is that conduct monitored on an ongoing basis?

Finally, the Board’s role is re-emphasized as the Evaluation asks the following questions, “What compliance expertise has been available on the board of directors? Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions? What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred?” If you are following my month long series of One Month to a Better Board, you will recognize these as significant issues that many Boards have yet to adequately deal with going forward. The Evaluation also looks at the CCO and compliance function’s upward communications with the Board by looking at reporting lines, CCO access to the Board and independence of the compliance function within the organization.

Next is the area of autonomy and resources for the CCO and the compliance function. This section follows the FCPA Pilot Program Prong Three on remediation by inquiring into the professionalism and expertise of both the CCO and the compliance function. It also asks about the stature of the CCO and compliance function within the organization, including specifically “compensation levels, rank/title, reporting line, resources, and access to key decision-makers”. It also asks about turnover and promotion opportunities. You need to evaluate the role of compliance in strategic planning and whether the compliance function is truly “empowered” within an organization. This final point will entail documenting any “specific transactions or deals that were stopped, modified, or more closely examined as a result of compliance concerns”. Also echoing the Pilot Program Remediation Prong was an inquiry into funding and dollar resources available to the compliance function.

In a new area of review, the Evaluation considers “outsourced compliance functions” for the first time. It asks the following questions, “Has the company outsourced all or parts of its compliance functions to an external firm or consultant? What has been the rationale for doing so? Who has been involved in the decision to outsource? How has that process been managed (including who oversaw and/or liaised with the external firm/consultant)? What access level does the external firm or consultant have to company information? How has the effectiveness of the outsourced process been assessed?”

In the area of “Policies and Procedures” we see a clear operationalization inquiry as you are required to evaluate who had input into the design of your compliance policies and procedures and the process for drafting, all coupled with consultation with the business units. You also need to look at the specific policies and procedures which may have failed and determine how and why they failed. There are some inquiries into “gatekeepers, e.g. the persons who issue payments or review approvals” regarding their training and ongoing monitoring.

Next, and once again following on the operationalization of your compliance program, is a section entitled “Operational Integration” which includes who is responsible for integrating your policies and procedures throughout your organization, what internal controls are in place and specific inquiries into the role of the company payment system in any FCPA violation. This last inquiry is coupled with a review of your vendor management program going forward.

In the area of risk assessments, you need to consider the methodology the company used to identify, analyze, and address the particular risks it faced, coupled with the metrics your company has collected and used to help detect the type of misconduct in question and, most interestingly, how this information has “informed the company’s compliance program”? In a section entitled “Manifested Risks” the Evaluation poses the following question, “How has the company’s risk assessment process accounted for manifested risks?”

Tomorrow I will consider the remainder of the Evaluation and how best to use it going forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017

The indictments last week of executives from Takata and Volkswagen roiled many in the business world and ethics and compliance arena. Coming on the heels of the Wells Fargo scandal, one might wonder how corporations can stop the clear ethical lapses which led to these corporate disasters. Let us assume that these corporations were not headed by the type of crooks which led Houston based Enron or WorldCom or any of the other corporations laid low by the accounting scandals of the early 00’s.

Interestingly, there was an article in a recent Harvard Business Journal (HBJ) online publication by Christopher McLaverty and Annie McKee, entitled “What You Can Do to Improve Ethics at Your Company”, which I recommend to every compliance practitioner. The authors surveyed C-suite executives and noted, “More often the dilemmas were the result of competing interests, misaligned incentives, clashing cultures.” Based on this study and their prior work, the authors noted three major obstacles to ethical behavior.

Initially was the issue of corporate change. The authors stated, “Companies can warp their own ethical climate by pushing too much change from the top, too quickly and too frequently. Leaders in the study reported having to implement staff reduction targets, dispose of big businesses in major markets, and lead mergers and acquisitions. Some of these activities included inherent conflicts of interest; others simply caused leaders to have to act counter to their values (loyalty, for example). Many leaders felt poorly prepared for the dilemmas they faced and felt compelled to take decisions they later regretted.”

The second was the age old dilemma of compensation where incentives tended to drive certain behaviors or, as the authors stated, “People do what they are rewarded to do, and most leaders are rewarded for hitting targets.” Of course the most recent example is Wells Fargo where employee compensation was based solely on the number of accounts they opened. Yet such incentive based behavior was not limited to front line employees as the authors stated, “The lure of incentives are a problem in boardrooms too: Bonus payments and executive share schemes are often based on short-term business metrics, which can be counter to long-term success.”

Finally, there was an area which may require a Chief Compliance Officer (CCO) or compliance practitioner to think through several different calculi: cross-cultural differences. Obviously some countries have gift giving cultures, but this is more than simply the value of a gift to give at Christmas; it involves cultures where gift giving may be a part of the overall business relationship. The authors cited examples such as “closing a sales office in Japan, breaking a verbal promise made during after-work drinks in China, or ignoring “sleeping” business partners in a Saudi Arabian deal, all of which have cultural and ethical components.”

An interesting insight was teaching employees how to understand what matters in an organization. This is not simply the written Codes but how things really work. The authors posited three questions: (1) How are employees paid? Obviously a compensation plan is a critical benchmark. If it is solely based on ‘eat what you kill’, focusing on the short term, it may presage problems down the road. (2) Who gets promoted and why? This is not simply whether the high producer gets promoted but how about those who speak up and raise ethical issues. Are they subtly (or not so subtly) discriminated against or held back from promotion? (3) How do employees feel about their organization? Although it seems straight-forward, if your employees are disengaged or worse yet, ashamed about your company, you might be an ethical time bomb waiting to happen.

The authors then turned to initiatives that the interviewees had successfully used in their own organizations to improve the ethical climate. While noting that there is some importance in the corporate governance documents, such as a Code of Conduct and policies and procedures, the authors averred “Companies become ethical one person at a time, one decision at a time.” This means employees need to understand their organization’s underlying culture. They stated, “Self-awareness enables you to build and strengthen that inner compass. Organizational awareness enables you to identify the forces in your company’s culture and processes that could drive you and others to do the wrong thing. You also need emotional self-control: it takes courage to step away from the crowd and do the right thing.”

To have such courage, the authors noted many employees who did speak up had a personal network which operates as “an informal sounding board and can highlight options and choices that the leader may not have considered. When making ethical decisions, it’s important to recognize that your way isn’t the only way, and that even mandated choices will have consequences that you must deal with.” This is yet another reason for the breaking down of silos in a corporate organization because “The challenge is that most leaders have networks full of people who think and act like them and many fail to seek out diverse opinions, especially in highly charged situations. Instead, they hunker down with people who have similar beliefs and values. This can lead to particularly dire consequences in cross-cultural environments.”

Finally, and perhaps most intuitively, is speaking up. Here business leaders must encourage not only a speak up culture but also one of no retaliation. But it is more than this; as Vanessa Rossi, FCPA Due Diligence Counsel at Baker Hughes Inc., noted in a panel discussion to the Greater Houston Business and Ethics Roundtable, it is more tones at the tops, as for many employees senior leadership resides in the form of their direct manager. The authors phrase it as “If you find you need to speak up, there will be a number of choices to be made. Do you talk to the boss? Consult with peers? Work with advisory functions such as legal, compliance or human resources? You can draw on your personal network for support and guidance on the right way forward within the context of your unique situation.”

Ethics and compliance blend together in the corporate world. It is not just the responsibility of CCOs and compliance practitioners but of senior managers to support those employees who want to do the right thing. While written protocols are significant in both detection and prevention, one should never lose sight of a corporate culture as a way to positively impact your workforce and company going forward.


© Thomas R. Fox, 2017

Welcome to Day 4 of 30 Days to a Better Compliance Program. Today we tackle risk assessments. One cannot really say enough about risk assessments in the context of anti-corruption programs. The FCPA Guidance stated it succinctly when it said, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” The simple reason is straightforward; one cannot define, plan for, or design an effective compliance program to prevent bribery and corruption unless you can measure the risks you face.

What Should You Assess?

What risks should you assess? There are a number of ways you can slice and dice your basic inquiry. The FCPA Guidance states, “Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.” Another way is to break the risk areas to evaluate down into the following categories: (1) Company Risk, (2) Country Risk, (3) Industry-Sector Risk, (4) Transaction Risk and (5) Third-Party Risk.

How Should You Assess Your Risks?

Risk assessments can be performed in a variety of ways. You can use some basic tools such as personal or telephone interviews of key employees; surveys and questionnaires of employees; and review of historical compliance information such as due diligence files for third parties and mergers and acquisitions, as well as internal audits of key offices. Another level might be a deeper dive into high risk countries, high risk business areas and a more detailed review of your third party representatives.

How do You Evaluate a Risk Assessment?

Once risks are identified, they are then rated according to their significance and likelihood of occurring, and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the audit/monitoring plan. You should prepare a risk matrix detailing the specific risks identified, the relative remediation requirements and the relevant mitigating controls.

 Three Key Takeaways

  1. Assess the risks relevant to your company.
  2. Document your risk assessment protocol and results.
  3. The evaluation of your risks and remediation therefrom. 

For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program.

Ed. Note: today I have a joint posting by myself and Jay Martin, Chief Compliance Officer at Baker Hughes Incorporated.

Two of the most common compliance focused committees for public companies are those at the Board level and those which sit between the Chief Compliance Officer (“CCO”) and the Board, usually consisting of very senior executives such as members of a company’s executive leadership team. It is noteworthy, however, that Houston-based Baker Hughes Incorporated (“BHI” or “Company”), which has been highly recognized for its effective global compliance program, has adopted additional compliance committees, with strong support from the senior operations leaders in the organization. These new committees will help the Company’s corporate compliance function to more effectively ensure employee and business partner compliance with the Company’s Code of Conduct (“COC”) throughout its global organization by integrating compliance into every aspect of the Company’s functions and generating the necessary information to continuously improve the Company’s Compliance Program. These additional committees also operate on multiple planes to fully operationalize compliance in the Company, augment the Company’s internal controls and make the Company a more efficient and profitable entity. BHI has named these additional compliance committees “GeoMarket Ethics and Compliance Committees” (hereinafter “Committees”).

Purpose

As noted above, most companies have a Board Committee dedicated to ethics and compliance or something like a Board Audit Committee which the CCO will report into. Once again, there are many companies with senior executives populating another level of oversight with a compliance committee between the CCO and the Board. However, the BHI initiative, which involves the formation of numerous additional compliance committees (“Committees”) at the regional GeoMarket level, helps to create more direct ownership, accountability, and valuable transparency. This moves compliance down into all levels of the Company’s operations. This approach also significantly improves consistency of compliance execution, and helps to ensure that all of the Company’s business objectives are achieved in a legally compliant fashion. According to the Company’s Committee Charter, these Committees are designed to “periodically advise and provide information and insights to the CCO (as well as receive compliance information from the CCO and the Ethics and Compliance Director for the relevant GeoMarket) regarding applicable legal and regulatory requirements, industry standards, and the Company’s COC, as well as the Company’s Compliance Program as it relates to the GeoMarket.” The Committee does not have primary responsibility for internal investigations but is charged with reporting any known compliance issues to the CCO should the Committee or a Committee member be made aware of “any matter potentially constituting misconduct or related to legal, financial or HS&E compliance.”

The Committee is designed to “promote clear and frequent compliance-related communication on related matters throughout the GeoMarket and strengthen the Company’s compliance culture. The Committee therefore is very valuable to the overall performance of the Company’s Compliance Program” within the GeoMarket. This initiative has caused compliance topics to be more thoroughly discussed at regularly occurring Company operations meetings. Also note these Committees have communication structures designed to facilitate communication up the chain and down the chain. They also allow the CCO to have a more direct set of ‘eyes and ears’ closer to the ground. Finally, the Committees give the compliance function greater visibility within the organization because compliance has been moved further into the middle and lower levels of the organization on a daily basis.

Composition

One of the key elements of the Committees is their makeup, which is GeoMarket centric. The Committee members are: (a) the Vice President of the GeoMarket; (b) the Ethics and Compliance Director for the GeoMarket; (c) the Legal and Compliance Director for the GeoMarket; (d) the HR Director of the GeoMarket; (e) the Finance Director of the GeoMarket and/or audit personnel located in the GeoMarket; (f) the Trade Compliance Director of the GeoMarket; (g) the Supply Chain Director of the GeoMarket; (h) the Sales Director of the GeoMarket and (i) senior representatives of Operations in the GeoMarket. This composition of the Committees, coupled with their structures, allows compliance to be fully operationalized into the Company’s global organization.

Authority and Responsibility

There are multiple delineated responsibilities for each Committee. Some of these responsibilities include:

  • Assisting in identifying not only potential legal and compliance risks in the GeoMarket but also reputational risks to BHI.
  • Establishment of goals and metrics to measure against these legal and compliance goals in the GeoMarket.
  • Exercising oversight of the implementation and effectiveness of the Company’s global compliance program in the GeoMarket. Additionally, to make recommendations to the CCO and suggest improvements to the Company’s compliance practices in the GeoMarket.
  • Reviewing and monitoring implementation of BHI’s COC in the GeoMarket and assisting in the identification of best practices, alternative strategies and local initiatives to enhance the BHI Compliance Program.
  • Assuring to the CCO and the senior leaders of operations that compliance goals and requirements are both established and communicated across the Company.
  • Advising management of its assessment of the Compliance Program, ethics and compliance risks in the GeoMarket and steps taken to both manage and lessen such risks.
  • Reviewing the Company’s Business Helpline complaints and other information to assure the GeoMarket that “appropriate steps are taken to modify the Compliance Program to reduce identified ethics and compliance risks.”

The innovation represented by the formation of the Committees operationalizes compliance into the Company’s GeoMarket operations where the business operates. This sort of approach follows the Department of Justice mandate, articulated in the Department’s FCPA Pilot Program for companies to move the doing of compliance down into the business of the organization. The make-up of BHI’s Committees, while including legal and compliance representatives, is also populated by representatives from other disciplines within the global organization. This allows a fuller, richer and more holistic approach to not only compliance advice but reviews consistent with the Committee’s Charter.

It adds a dimension not often seen or even discussed in the compliance profession. The accountability and oversight down to the GeoMarket level and the compliance monitoring, reviewing, assessing and recommending that is deemed to be necessary will provide additional endorsements up through the organization that it is actually doing compliance. In compliance, it is execution where the rubber meets the road. BHI’s GeoMarket Committee provides a unique structure to perform these functions.

 


© Thomas R. Fox, 2016

Matt Stephenson, myself and others have engaged in a dialogue about where Foreign Corrupt Practices Act (FCPA) enforcement may be headed under the incoming administration. I have tried to focus on why compliance with anti-corruption laws, such as the FCPA, will not lessen. The discussions at ACI’s 33rd International Conference on the FOREIGN CORRUPT PRACTICES ACT (ACI-FCPA Conference) demonstrate why compliance will remain an important part of the business process of any US company doing business internationally.

The Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have worked quite diligently to increase professionalism around anti-corruption enforcement in jurisdictions outside the US. At the ACI-FCPA conference Kara Brockmeyer, Chief, FCPA Unit, Division of Enforcement at the SEC, and Daniel Kahn, Chief, FCPA Unit, Fraud Section, Criminal Division at the DOJ, articulated an additional reason, which was the increase in international cooperation and enforcement.

Over the past few years, the DOJ and SEC have worked to create a network of international cooperation in the global war against bribery and corruption. In addition to forming liaisons, they have put on three conferences dedicated to the training of foreign prosecutors on investigations, best practices around anti-corruption compliance program and cooperation between countries in sharing of documents and other evidence. Both speakers remarked about the increased sophistication of foreign prosecutors in both investigations of bribery and corruption and in understanding compliance programs around anti-corruption laws.

While I had previously considered such training as a way for US authorities to garner relationships to assist US based FCPA investigations, both speakers talked about more joint and coordinated international investigations. This points not only to parallel investigations but also to coordinated resolutions. While the OECD is a large part of how the US makes such connections, it is these formal trainings that have allowed US regulators to also make inroads into increasing prosecutions of such conduct.

Yet, in addition to this increased cooperation with US authorities, many other countries’ anti-corruption regulators are now actively prosecuting bribery and corruption as well. Obviously Operation Car Wash in Brazil is a prime example but the speakers pointed not just to increased assistance with the US but also enforcement, in the words of Brockmeyer, “going global”. She pointed towards two 2016 enforcement actions as prime examples.

As set forth in the SEC Press Release in the VimpelCom enforcement action there was cooperation from the following regulatory and enforcement authorities outside the US: “Public Prosecution Service of the Netherlands (Openbaar Ministrie), National Authority for Investigation and Prosecution of Economic and Environmental Crime in Norway (ØKOKRIM), Swedish Prosecution Authority, Office of the Attorney General in Switzerland, and Corruption Prevention and Combating Bureau in Latvia.  Other valuable assistance was provided by the British Virgin Islands Financial Services Commission, Caymans Islands Monetary Authority, Bermuda Monetary Authority, and Central Bank of Ireland, Estonia Financial Supervisory Authority (Finantsinspektioon), Comisión Nacional del Mercado de Valores (Spain), Latvian Financial and Capital Market Commission, UAE Securities and Commodities Authority, Banking Commission of the Marshall Islands, and Gibraltar Financial Services Commission.” The final resolution required VimpelCom to pay $167.5 million to the SEC, $230.1 million to the DOJ, and $397.5 million to Dutch regulators.

As set forth in the SEC Press Release in the Embraer enforcement action, the following regulatory bodies and enforcement agencies were involved: “the Brazilian Federal Prosecution Service, the Brazilian Federal Police, Brazil’s Comissão de Valores Mobiliários, the South African Financial Services Board, the Swiss Financial Market Supervisory Authority (FINMA), the Banco Central del Uruguay, the Spanish Comisión Nacional del Mercado de Valores, and the French Autorité des Marchés Financiers. In this matter the total fines and penalties paid by Embraer were pay a $107 million penalty to the Justice Department as part of a deferred prosecution agreement, and more than $98 million in disgorgement and interest to the SEC. Embraer received a $20 million credit on the amount of disgorgement based upon its payment to Brazilian authorities in a parallel civil proceeding in Brazil.”

Another interesting concept the speakers put forth was the one pie concept. They explained that increasingly, enforcement authorities were moving towards one total cost to anti-corruption violators which would be equitably split up by authorities where the corruption occurred or by the countries which had jurisdiction. Kahn said that companies who self-disclosed to multiple regulators and extensively remediated, along the lines laid out in the FCPA Pilot Program, were more likely to garner credit with US regulators for fines paid to overseas authorities. A contra example was Alstom, which tried to settle piecemeal with a variety of countries and entities such as the World Bank. Under this approach, Alstom did not receive credit from US authorities for any of their other payments. For this, and other reasons, Alstom now stands at Number 2 on the Top Ten list of FCPA settlements, paying a whopping $772MM.

All of this means that the SEC and DOJ, together with the OECD, created an active and robust international anti-corruption enforcement regime, which is moving literally across the globe. Any US company doing business outside the US must have a compliance program in order to prevent, detect and remedy any corruption issues. Furthermore, if they want to receive the maximum credit from multiple regulatory bodies they will need such a best practices compliance program.

Indeed, in some jurisdictions such a compliance program can be a defense to a criminal charge against corporations if there are employees engaging in bribery and corruption. Yet even in the UK, where such a defense is available, a company must actually do compliance, not just have a paper program in place and call it a day’s work done.

All of this means doing compliance is even more important than ever and will be going forward. Even with a Trump administration.


© Thomas R. Fox, 2016