Innovation 5

I have been exploring innovation in the compliance function this week. For my final piece I want to consider the innovation process itself. In an article in the MIT Sloan Management Review, entitled “Finding a Lower-Risk Path to High-Impact Innovations”, authors Joseph V. Sinfield and Freddy Solis came up with a different method to view the innovation process. They posited something called the ‘Lily Pad’ approach, which they believe can be a lower risk stratagem to innovation. I found that this approach had some interesting applications for the compliance discipline.

The authors begin with the premise, which is found in the traditional risk-reward theory, when they noted, “Innovation initiatives and the funding programs that support them are generally viewed as “investments,” with an expectation that taking higher risks should be rewarded with higher returns. At the low-risk, low-return end of the spectrum, we tend to see investments that drive incremental innovation or development of innovations that are already proven. At the opposite extreme are corporate “skunk works” that seek to drive innovation in technology and business models to develop whole new product or service categories.” Compliance initiatives can fall anywhere along this spectrum for the reason that if they fail, it can create the conditions for a more systemic failure, which could bring the catastrophic consequences of a Foreign Corrupt Practices Act (FCPA) or other legal violation.

The authors believe that an incremental approach, which they designate as the ‘Lily Pad’ approach, “are developed and introduced opportunistically in application spaces that are ready for adoption. Progress in one lily pad garners resources/cash flow earlier in the development process and can create a pathway for subsequent lily pads in other application spaces.” This allows innovations to break out from their initial breakthrough at an organization, through the period where “decisions about which capabilities to develop and which application contexts to pursue” are made by the development team. All this leads to a progressive cascade of innovation moving forward, as visualized by the authors, as leaping from one lily pad to the next.

The authors list some characteristics of innovations, which they believe leaders should consider for investment. I have adapted them for the compliance function. Does the innovation “offer multiple pathways from first principles to impact” and how relevant is the innovation to multiple business lines or units? Will the innovation change the perspective of employees and even move towards reconfiguring the compliance ecosystem? Finally, is there potential for both growth and improvement in the innovation going forward?

After you have gone through and answered these questions, you should be ready to move forward with what the authors called ‘enabling actions’ and implement one or more of the innovations. By using their approach, the authors write that “Lily pad applications for an enabling innovation provide opportunities to match capability, purpose, and context in a manner that advances select performance dimensions of the innovation, aligns elements of ecosystems, and/or begins to shift” employee views across your organization. But more than simply the singular innovation, the lily pad approach allows your company to reduce the time and cost to jump to the next iteration of development.

Finally, the authors believe that you must “understand and proactively shape the ecosystem”, which for the Chief Compliance Officer (CCO) or compliance practitioner means working with the business teams so that they understand how and why the innovation will help them achieve their corporate goals. Simply put, employees can get stuck in the same rut of doing the same thing the same way. Yet it is a maxim that your compliance program must evolve to meet new risks and new demands. The authors’ lily pad approach allows for incremental change in ways that can demonstrate effectiveness and allow not only feedback but also acceptance from the employee base.

An example of such an approach could be the use of data-driven analysis, from the compliance perspective, of all dramatic growth in sales. Recall that there is no materiality level under the FCPA, so the business unit that experiences a dramatic growth in sales, even if non-material within the entire organization, could be the basis of an FCPA enforcement action. By focusing your innovation on one business unit that has experienced a dramatic growth, even if it is in a province of one country or a relatively small country in one larger geographic region, you can use this approach to demonstrate the usefulness of such data monitoring.

The lily pad approach would inform the presentation going forward as every business would want to know and understand how a dramatic growth occurred. Was it product driven? Was it personnel driven? Was a new sales campaign employed? Did a new or different product come to market? Of course, if the sales spike was due to nefarious activity such as bribery, corruption, financial fraud, accounting fraud or other egregious behavior then it can be reviewed and remediated as appropriate. For corporate management the initial results obtained by such a review could be the start of an entire innovation process around any portion of the sales cycle that might have been impacted by such stunning sales growth. It could certainly lead to better and more robust business forecasting going forward.

The authors end their article with four key questions, which I found to be an appropriate manner to end this series on innovation in compliance. First, do you understand the role of innovation in your compliance strategy? Second, can you spot the innovations? This may well require you to think differently, particularly if you come from the legal department or have legal training, which certainly does not favor or foster innovation. Next, do you have the ability to adapt innovations in your compliance function to the company as a whole? Put another way, can you demonstrate how an innovation in compliance will help the company do business more efficiently and in compliance with applicable laws? Of course, it all begins with the willingness to engage in innovation, and that starts with the top of your organization.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Battle of the Somme I

I have not written much in honor of the centennial of the First World War (WWI). However, this week I will remedy this oversight by focusing on the Battle of the Somme, leading up to the first day of the long battle, which began on July 1, 1916. I cannot say precisely why this one battle has long held such fascination for me. Perhaps because I first read a detailed account of it in John Keegan’s seminal work The Face of Battle back in 1976. I subsequently read other, more detailed works on the battle.

In many ways the Battle of the Somme was a defining moment in British history. Perhaps only Waterloo (defeat of Napoleon) was as important and certainly only Hastings (1066 and all that) was more important. In raw numbers, no other battle in British history comes close to the horrific slaughter of British manhood, with 20,000 killed and another 40,000 wounded on the opening day of the campaign. The campaign lasted five months and cost the British nearly 420,000 casualties. Many authors have struggled to explain the battle and its costs. As a reader, I have struggled to understand the same issues. Yet there are lessons to be learned from the battle and its aftermath, which I will use as an introduction to my blog posts this week.

Last week the Securities and Exchange Commission (SEC) announced a resolution of an outstanding Foreign Corrupt Practices Act (FCPA) action involving the company Analogic Corporation (Analogic) and Lars Frost (Frost), a former Chief Financial Officer (CFO) of its wholly-owned Danish subsidiary BK Medical ApS (BK Medical). Separately, BK Medical settled its outstanding FCPA enforcement action with the Department of Justice (DOJ) via a Non-Prosecution Agreement (NPA). BK Medical agreed to pay a fine of $3,402,000. In a settlement with the SEC, Analogic agreed to pay $7.7 million in disgorgement and $3.8 million in prejudgment interest. Frost agreed to a fine of $20,000.

Analogic is a medical device manufacturer headquartered in Massachusetts, primarily manufacturing ultrasound equipment. Its sales method into Russia, as well as other countries, was through its Danish subsidiary BK Medical and then through distributors. It was through this mechanism that the bribery and corruption was facilitated. And what a bribery scheme it was.

As stated in the SEC Order, “From at least 2001 through early 2011, BK Medical participated in hundreds of highly suspicious transactions at its distributors’ direction which posed a significant risk of bribery or other improper conduct. The suspicious transactions involved BK Medical’s distributor in Russia, as well as, to a lesser extent, its distributors in Ghana, Israel, Kazakhstan, Ukraine, and Vietnam. The transactions routinely involved fictitious invoices issued by BK Medical at inflated prices, overpayments to BK Medical from the distributors against the inflated invoices, and subsequent payments by BK Medical out of the distributors’ excess funds to unknown third parties all over the world for unknown reasons. In short, for at least nine years, BK Medical acted as a conduit for its distributors to funnel money to parties, and for reasons, unknown to BK Medical. Approximately $20 million flowed through BK Medical from these distributors, with over $16 million from BK Medical’s Russian distributor.”

Down in his CFO office at BK Medical, Frost “personally authorized approximately 150 conduit payments to unknown third parties during his tenure at BK Medical despite knowing that the payments violated BK Medical’s internal accounting controls. Frost also submitted numerous false quarterly sub-certifications to Analogic.”

False Contracts and Bogus Invoices

The SEC Order gave exacting detail on how the illegal payments were created and funded. “The first step involved the creation of one or more fictitious documents reflecting an inflated purchase price for the product or products BK Medical was selling to the Russian distributor.” From there, “the Russian distributor would request that BK Medical create a fictitious, second invoice at an inflated price. The Russian distributor would send BK Medical a template invoice with the inflated price, which was regularly well in excess of 100% of the original, agreed-upon price. BK Medical’s distributor sales staff understood the inflated price to reflect the price the ultimate end user would pay to the distributor.”

BK Medical would then “cut and paste BK Medical’s logo onto the template invoice and complete other pertinent fields, such as an invoice number. These steps were taken outside BK Medical’s standard invoice-generation system, in violation of BK Medical’s internal accounting controls. The fictitious, second invoice would subsequently accompany the ultrasound products when they were shipped to Russia. An invoice prepared by BK Medical’s standard invoice generation system reflecting the agreed-upon, actual price would also be sent to the Russian distributor”.

Next, the Russian distributor would send BK Medical a bogus contract at this higher price, which the Danish subsidiary would approve. The Russian distributor would then pay against the bogus contract and invoice. BK Medical would book the true or original contract price and credit the excess amount to the Russian distributor.

As set out in the NPA, in addition to these fake contracts, with their attendant payments, the Russian distributor “would send BK Medical an invoice that purported to be from the third-party entity that was to receive a payment from BK Medical. These invoices referred to services being rendered to BK Medical as, among other things, “marketing,” “logistic service,” and “commission.” BK Medical employees have confirmed that none of these entities actually rendered any services to BK Medical and that they understood this fact at the time these invoices were received by BK Medical.”

Payments Based on False Documents

Of course, this excess amount had to be sent somewhere for a bribe to be paid, and sent somewhere the payments were. The SEC Order stated, “Then, at some point weeks or months later, the Russian distributor would direct BK Medical to make a wire payment out of the excess funds to a third party that was otherwise unknown to BK Medical. BK Medical complied with the directives, despite not knowing the purpose of the payments or the nature of the payees.” The payees were largely shell companies located in the usual locations for suspicious payments: Belize, the British Virgin Islands, Cyprus and the Seychelles, and the payments were made payable “to specific individuals in Russia.”

All of these payments were made outside of and in violation of Analogic’s internal controls. Over a 10-year period, these payments totaled approximately $16.1 million and BK Medical recorded over $21.6 in profits from these transactions. There were other countries where this or a similar distributor-based bribery funding mechanism was used. These countries were “Ghana, Israel, Kazakhstan, Ukraine, and Vietnam” to the tune of some $3.8 million.

As blatant as all of the above was in terms of an overt bribery program, it did not pass unnoticed. As early as 2004, BK Medical’s Vice President (VP) of Sales asked the purpose of the payments. He was told “Russian market conditions.” Moreover, in 2008, Analogic recognized the potential for FCPA violations by BK Medical. The parent corporation provided training to BK Medical but it stopped there and did not inquire further into the Russian agent. So red flags were identified and raised yet there was no follow up action by the corporate parent.

Tomorrow, I will consider more lessons from the Battle of the Somme and how a company, which engages in such a blatant bribery program, can achieve the rather stunning result that Analogic sustained.

 


Compliance Training III

This week, I am exploring issues related to compliance and ethics training, inspired by an article in the online publication Slate, entitled “Ethics Trainings Are Even Dumber Than You Think”, by author L.V. Anderson. Today I tackle the issues of effectiveness and evaluation of your compliance training.

While most people tend to overlook the issue of attendance at training, it is an issue that should also be considered. You should determine that all senior management and company Board members have attended Foreign Corrupt Practices Act (FCPA) compliance training. You should review the documentation of attendance and confirm this attendance. Make your department, or group leaders, accountable for the attendance of their direct reports and so on down the chain. Evidence of training is important to create an audit trail for any internal or external assessment or audit of your training program.

 One of the key goals of any FCPA compliance program is to train company employees in awareness and understanding of the law; your specific company compliance program; and to create and foster a culture of compliance. The testing and evaluation of your FCPA compliance training program is an important aspect not to overlook. In their book, entitled “Foreign Corrupt Practices Act Compliance Guidebook: Protecting Your Organization from Bribery and Corruption”, Martin T. Biegelman and Daniel R. Biegelman provide some techniques which can be used to evaluate ethics and compliance training.

The authors encourage post-training measurement of employees who participated. A general assessment of those trained on the FCPA and your company’s compliance program is a starting point. They list five possible questions as a starting point for the assessment of the effectiveness of your FCPA compliance training:

  1. What does the FCPA stand for?
  2. What is a facilitation payment and does the company allow such payments?
  3. How do you report compliance violations?
  4. What types of improper compliance conduct would require reporting?
  5. What is the name of your company’s Chief Compliance Officer?

The authors set out other metrics, which can be used in the post-training evaluation phase. They point to any increase in hotline use; are there more calls into the compliance department requesting assistance or even asking questions about compliance. Is there any decrease in compliance violations or other acts of non-compliance?

What if you want to take your post-training analysis to a higher level and begin to consider the effectiveness through your return on investment (ROI)? Leona Lewis explored this issue recently on her podcast Masters of Disaster, where she interviewed Joel Smith, the founder of Inhouse Owl, a training services provider. He advocates performing an assessment to determine ethics and compliance training ROI to demonstrate that by putting money and resources into training, a compliance professional can not only show the benefits of ethics and compliance training but also understand more about what employees are getting out of training (effectiveness). The goal is to create a measurable system that will identify the benefits of training, such as avoiding a non-compliance event such as a violation of the FCPA. Smith admits that calculating legal ROI is very difficult, as ethical and compliance behavior is an end-goal in and of itself – not necessarily one that everyone feels should be subject to a ROI calculation.

Smith noted, “it is extremely difficult to isolate the training effect to calculate what costs you avoided due solely to your ethics and compliance training. Although each organization will have a unique ROI measurement due to unique training objectives, it is possible to use a general formula to calculate ethics and compliance training ROI.”

Smith’s model uses four factors to help determine the ROI for your ethics and compliance training, which are: (1) Engagement, (2) Learning, (3) Application and Implementation, and (4) Business Impact. These four factors are answered through posing the following questions.

  1. Figure out what you want to measure (i.e. what’s the “benefit”?). Before you ever train an employee, you should have a goal in mind. What actions do you want employees to take? What risks do you want them to avoid? In the FCPA, you want them to avoid unethical and non-compliant actions that would lead to FCPA violations. So your goal is to train employees to follow your Code of Conduct and your compliance program policies, procedures and rules so you avoid liability related to actions. Therefore the benefit to calculate for ROI purposes is the total amount saved by the company because employees now understand (due to the training) not to engage in unethical and non-compliant conduct around bribery and corruption.
  2. Were employees satisfied with the training? What is their engagement? The next step is to get a sense of whether employees feel that the training you provided is relevant and targeted to their job. If it’s not targeted, employees will likely not be committed to changing risky behavior. Smith believes you can get data on employee engagement through a quick post-training survey. Although this factor does not produce a quantitative number to use in the ROI calculation, it will help you isolate and qualify the training benefit.
  3. Did employees actually learn anything? Smith believes that a critical part of any employee training is the assessment. If you want to understand the “benefit” of training employees, you must know whether they actually learned anything during training. You can collect this data in a number of ways, but for compliance training, the best way is to measure pre- and post-training understanding over time. Basically, each time you train an employee, measure comprehension both before and after training.
  4. Are employees applying your training? Smith says that for this point you will need to conduct a survey to determine employee application and their implementation of the training topics. To do so, you must conduct employee surveys to understand whether they ceased engaging in certain risky behaviors or, better yet, understand how to conduct themselves in certain risky situations. These surveys can provide a good sense of whether the training has been effective.
  5. What’s the quantitative business impact of your training? At this point you are ready to determine the numerical business impact of your ethics and compliance training. Smith has an approach he calls the “Best Guess” approach. Smith believes there are two parts to the business impact calculation: (1) the benefit calculation and (2) the isolation calculation. Smith provided five questions he would pose.
    1. How often could a noncompliance event occur?
    2. How much revenue would be involved?
    3. What is the profit margin on the revenue?
    4. What are the other costs?
    5. What are the noncompliance hard costs?

The next step is to isolate the benefits of training so that you properly attribute the ROI to the ethics and compliance training. To make this determination, you need to know at a minimum (1) whether employees understood the training and (2) whether employees are applying the training. This information must be compared with other factors, namely: (1) the effects of any other company initiatives involving anti-corruption, (2) employee attitudes regarding the topic and training, and (3) any business factors such as decreasing/increasing international revenue, macro-economic trends, etc. that may contribute to avoidance of a noncompliance event. From these calculations, you should then apply a percentage of the benefit to the training. Here Smith suggests 25%.

  6. ROI: bringing it all together. Now it is time to calculate the ROI. Here I turn to the formula as laid out on Smith’s company website: “Total FCPA Noncompliance Costs Avoided – Total FCPA Training Program Costs ÷ Total FCPA Training Program Costs ($20,000) x 100 = ROI”. Smith concludes by noting, “Even though calculating training benefits is often difficult and imprecise, it’s incredibly important to make an attempt to quantify training ROI” to demonstrate not only effectiveness but also “so you can show business people the incredible effect that engaging training can have on the bottom line.”

The importance of determining effectiveness and the evaluation of your ethics and compliance program is becoming something that is emphasized more by the Department of Justice (DOJ). Beginning last fall, we started to hear that the DOJ wants to see the effectiveness of your compliance program. This is something that many Chief Compliance Officers (CCOs) and compliance professionals struggle to determine. Both the simple guidelines suggested by the Biegelmans and the more robust assessment and calculation laid out by Smith provide you with formulae you can use going forward.


Training

In a recent Slate article, entitled “Ethics Trainings Are Even Dumber Than You Think”, author L.V. Anderson railed against what she termed box-checking training, where companies put on training not to actually train employees but simply to check the box that training has occurred. She also spoke against the “dumbed-down nature of most compliance courses”.

Certainly recognizing that inane training is simply that – inane training, Anderson missed the larger picture of what constitutes a best practices compliance program. Training is one part of a larger component of how companies manage their compliance with laws, regulations and, most importantly, the ultimate barometer of their value – their corporate reputation through compliance. The role of compliance in corporations was born in 1992 with the enactment of the US Sentencing Guidelines, which laid out the initial standards for corporate compliance and ethics programs, of which training is one part. It was only after these Sentencing Guidelines were put into effect that corporations moved to create Codes of Conduct to publicly state their values.

These Sentencing Guidelines provide a very general outline of what would constitute an effective compliance program. In the latest amendments to the Sentencing Guidelines, in 2010, the stated purpose of training is to “(6) Training – Conduct effective training programs and otherwise disseminate information to ensure that the board of directors, high level personnel and other employees with substantial authority receive information about the standards, procedures, and other aspects of the compliance program”.

One of the most significant areas of the law, where the government has provided specific guidance on compliance programs including training, is the 2012 publication entitled “FCPA – A Resource Guide to the U.S. Foreign Corrupt Practices Act”, which was issued jointly by the Criminal Division of the Department of Justice (DOJ) and the Enforcement Division of the Securities and Exchange Commission (SEC). This FCPA Resource Guide provided the government’s views on what constituted an effective compliance program under the Foreign Corrupt Practices Act of 1977 (FCPA) in the form of the Ten Hallmarks of an Effective Compliance Program.

Hallmark No. 5, Training and Continuous Advice, says, in part, “DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.” This Hallmark goes on to state that training should be appropriate for the risk of the persons being trained and tailored to the situations they might find themselves at risk in for their company.

Whether you consider the language of the Sentencing Guidelines or the much more specific FCPA Resource Guide, the proper context to review ethics and compliance training is as a part of an overall holistic approach to compliance and ethics, in which compliance can be seen in its proper role as a communication tool. The reason a company puts on compliance training is not solely to stop unethical or non-compliant conduct. The role of training is to communicate the standard of values the company wants to set forth.

The training itself should be tailored to risks involved with those employees receiving the training. My wife works at a major oilfield service company in Houston, as an SAP integration specialist in the IT department. The risk that she could engage in non-compliant, unethical behavior, that could put her company at legal risk, is relatively low. So basic training for her on the company’s ethical values is an appropriate reminder.

However, in the same company there are thousands of employees who are in positions overseas which are at much higher risk for non-compliant behavior, particularly under the FCPA. For those employees, more focused, specific and in-person training is the preferred method. So more than simply asking whether something is illegal, such training would focus on the specific requirements under the law, what an employee should do if a foreign government official demands a bribe and how to seek help or report such conduct through the company hotline.

Training is not and never has been the all-encompassing way to stop illegal or even non-compliant, unethical conduct. It should be seen as a part of the overall corporate compliance program. Enron is the prime example that simply having one part, the Enron gold standard Code of Conduct and even training on that Code of Conduct, is not enough. It all starts at the top with the tone from the top. If your top management are crooks, in the case of all the former Enron senior managers who are now convicted felons, that speaks to the tone management creates. No rule, regulation, company policy or certainly compliance training should get in the way of the next deal.

Yet even after management sets an appropriate tone, that tone must be communicated to the employees. A corporate Code of Conduct sets out the general values, and the policies and procedures lay out the specifics of how employees can comply with laws, regulations and ethical concepts. After this communication, a company must set out appropriate incentives and discipline (carrots and sticks) to reinforce these behaviors. Finally, there should be internal controls baked into all of this, which not only reinforce these concepts but also allow a corporate compliance department to monitor compliance to hopefully prevent any incidents before they become violations and detect them if they occur.

Anderson does get one thing right. If a company is putting on training simply as “just a form of legal ass-covering” then it is probably the type of company which does not put a high value on doing business either (1) ethically or (2) in compliance with existing laws. That alone puts a company in the Enron zone for compliance. Next, I will take a look at her claims about the dumbing down of compliance training.

 
