Henry VIIII am on assignment in Oxford on a two-week study course, focusing on the Tudors. For the first week we focused on Richard III to the end of Henry VIII’s reign. Although Richard III was not a Tudor, we began with him to study the ‘bad rap’ of negative publicity he received from the Tudor court, specifically Sir Thomas Moore and most particularly Shakespeare’s play, Richard III.

In the career of Henry VIII, we discussed the role of Thomas Cromwell and the series of steps leading up to the split from Rome to obtain his divorce from Catherine of Aragon and his dissolution of the Catholic Church in England to create the Church of England. One of the questions initially posed by our tutor, Janet Dickinson, was whether there was an overarching plan to take these steps or if they were made more on an ad hoc basis in response to events on the ground.

The consensus of our group was the steps taken were in response to the changing and evolving circumstances not only in England but also on the Continent, both in Rome and in the wider sphere of European politics. Initially it appeared the Pope was inclined to grant Henry his annulment but that solution was foreclosed when greater European politics intervened. This intervention was the invasion of Italy by the Spanish King Charles V, who was the nephew of Catherine of Aragon. Charles was disinclined to allow the Pope to grant Henry an annulment of the marriage of his aunt to Henry.

Making Henry the head of the Church of England was only one part of the break from Rome. The second part was the dissolution of the Catholic monasteries and passing of Catholic Church land to the English crown, as head of the Church of England. We may never know who initially came up with these ideas, whether it was Cromwell, another advisor or even if Henry himself came up with some or all of the plans. It does seem relatively clear that Cromwell developed the legal arguments supporting the legal claim for Henry to head up the church in England.

Yet, even at this point there was no clear plan to dissolve the Catholic Church’s property in England to the English crown. This move appears to have come in response to an attempt to clarify religious doctrine after the break with Rome. These widespread popular and clerical uprisings found support among the gentry and even the nobility; all culminating in the Pilgrimage of Grace.

If you are a loyal reader of this blog, you know that I am in the midst of a two-week series on the Ten Hallmarks of an Effective Compliance Program, as it was first laid out in the 2012 FCPA Guidance. I find the series of events I outlined above, from our first week of study of the Tudor period of English history, illustrate a key theme of compliance programs. It is that compliance programs must be flexible and have the ability to evolve. Simply put, it is not in the business interest of US companies (or others subject to the Foreign Corrupt Practices Act (FCPA)) to have a static compliance program. Compliance programs must have the flexibility to respond to a wide variety of factors, including changing market conditions both inside a corporation and on the ground.

Moreover, companies need to have the flexibility to design, create and implement a compliance program that manages the risks they face. As companies mature in their compliance function, they can begin to manage more, additional and further sophisticated risks. For instance, audits of third parties should not begin when your compliance program is made operational. It should wait an appropriate period of time so that you have enough information to review and study.

Additionally chronological developments drive more and greater compliance. Transaction monitoring is one clear area that has achieved significant growth in the past few years alone. If a static approach to compliance had been advocated by the Department of Justice (DOJ) this development might have never occurred.

Finally, the times of Henry VIII informs us that companies need to be ready to respond to events on the ground. Not only must companies have a compliance response to new products or service and entry into new markets; they must respond to new and more sophisticated ways to fund bribery and corruption. The sad fact is that the funding of bribery and corruption occurs from internal funds from a company; whether it is mis-labeling marketing expenses or charitable donations, burying commission payments in unauthorized discounts or making subsidiary financial statements so complicated that home office auditors cannot read them; businesses need to respond to the ever changing landscape. The monies to fund bribes come from the company itself, thus there is always a fraud upon the company by its own employees.

The goal of any best practices compliance program is to prevent, detect and remediate. To achieve this the DOJ and Securities and Exchange Commission (SEC) give companies a wide latitude to achieve these goals. The FCPA Guidance says “each compliance program should be tailored to an organization’s specific needs, risks, and challenges, the information provided below should not be considered a substitute for a company’s own assessment of the corporate compliance program most appropriate for that particular business organization. In the end, if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company generally to prevent violations, detect those that do occur, and remediate them promptly and appropriately.”

I have long been drawn to the lessons of history and what they teach us in the present day in the field of compliance. The reason the events of the 1520s and 1530s can and do resonate today are that they are based on the actions of people. I find these lessons build into how companies should think about compliance in the 21st century.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Roman Numbers 1-10.2I.     Training

The communication of your anti-corruption compliance program is something that must be done on a regular basis to ensure its effectiveness. The FCPA Guidance explains, “Compliance policies cannot work unless effectively communicated throughout a company. Accordingly, DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been com­municated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.”

“Conducting effective training programs” is listed in the 2011 US Sentencing Guidelines as one of the factors the DOJ will take into account when a company accused of a FCPA violation is being evaluated for a sentence reduction. The US Sentencing Guidelines mandate, “(4) (A) The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subdivision (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.”

While most people tend to overlook the issue of attendance at training, it is an issue that should also be considered. You should determine that all senior management and company Board members have attended FCPA compliance training. You should review the documentation of attendance and confirm this attendance. Make your department, or group leaders, accountable for the attendance of their direct reports and so on down the chain. Evidence of training is important to create an audit trail for any internal or external assessment or audit of your training program.

One of the key goals of any FCPA compliance program is to train company employees in awareness and understanding of the FCPA; your specific company compliance program; and to create and foster a culture of compliance. Up until recently, we had not heard anything from the DOJ around the testing the effectiveness of compliance training, however, beginning in the fall of 2015 through the announcement of the FCPA enforcement Pilot Program, they to talk about whether you have determined the effectiveness of your training.

You can begin with a baseline measurement of employees who participated in your compliance training through a general assessment of those trained on the FCPA and your company’s compliance program is a starting point. Some questions to use for the assessment of the effectiveness of your FCPA compliance training could include the following:

  1. What does the FCPA prevent?
  2. Does your company allow facilitation payments?
  3. How do you report compliance violations at your company?
  4. What types of improper compliance conduct should you report?
  5. What is the name of your company’s Chief Compliance Officer?

For high-risk employees, you can have a more focused evaluation. You can give some circumstances an employee might face when traveling or doing business abroad. As always, you need to document the training, attendance at the training and then the post-training testing. 

II.     Communication

Ethical leadership is absolutely mandatory to have a successful compliance program, whether it is based upon the FCPA or the UK Bribery Act. Senior management must not only be committed to doing business in compliance with these laws but they must communicate these commitments down to the organization. But leadership is not limited only to senior management within an organization. Tone at the Top begets Tone in the Middle; which begets Tone at the Bottom. At each rung there is the need for compliance leadership. Yet these communications can come in many forms. Consider the Morgan Stanley declination that specifically mentioned the ongoing compliance reminders as one of the reasons the company received a declination.

All of this leads me to consider the message of compliance inside of a corporation and how it is distributed. In a compliance program, a large portion of your consumers/customers are your employees. Social media presents some excellent mechanisms to communicate the message of compliance going forward. Many of the applications that we use in our personal communication are free or available at very low cost. So why not take advantage of them and use those same communication tools in your internal compliance marketing efforts going forward.

Another key issue seems to be that problem that companies do not write the way they speak, and do not speak the language of their employee base. In many ways, compliance is a brand and that compliance brand needs to make sure that the message of compliance will resonate with your audience, whether that be your employee base, third parties working for your company, even senior management or the Board. This is where social media can help you and the compliance function to hone your message through social media. Part of this is based on experimenting on what message to send and how to send it throughout your organization.

This means that you will need to work to groom your message but also continue to plug away to send that message out. I think the Morgan Stanley declination will always be instructional as one of the stated reasons the DOJ did not prosecute the company as they sent out 35 compliance reminders to its workforce, over 7 years. Social media can be used in the same cost effective way, to not only get the message of compliance out but also to receive information and communications back from your customer base, the company employees.

The key to training and communication is that they be done effectively. Whether you utilize one of the myriad of compliance training professionals, online training companies or another mechanism, the bottom line is that you need to risk rank your training attendees and follow up by measuring training effectiveness. If you can neither think of anything else nor have the budget for professional consultants, you can always start with the FCPA Guidance and use the hypotheticals as your training materials. I still maintain that in communications you are only limited by your own imagination. By keeping the communications fun, fresh and relevant, you can help keep the eye on compliance in your organization.

For more information on this Hallmark, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available through Compliance Week by clicking here.

To listen to my podcast on this Hallmark, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

 

 

 

 

 

 

 

 

 

 

Roman Numbers 1-10.2One cannot really say enough about risk assessments in the context of anti-corruption programs. Since at least 1999 the DOJ has said that risk assessments that measure the likelihood and severity of possible Foreign Corrupt Practices Act (FCPA) violations identifies how you should direct your resources to manage these risks. The FCPA Guidance stated it succinctly when it said, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” The simple reason is straightforward; one cannot define, plan for, or design an effective compliance program to prevent bribery and corruption unless you can measure the risks you face.

What risks should you assess? The FCPA Guidance states, “Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.”

These factors provide guidance into some of the key areas that the DOJ apparently believes can put a company at higher FCPA risk. One approach to putting these amorphous guidelines into place was detailed by David Lawler, in his book “Frequently Asked Questions in Anti-Bribery and Corruption”. He broke the risk areas to evaluate down into the following categories: (1) Company Risk, (2) Country Risk, (3) Sector Risk, (4) Transaction Risk and (5) Business Partnership Risk.

  1. Company Risk – High risk companies involve some of the following characteristics:
  • Private companies with a close shareholder group;
  • Large, diverse and complex groups with a decentralized management structure;
  • An autocratic top management;
  • A previous history of compliance issues; and/or
  • Poor marketplace perception.
  1. Country Risk – this area involves countries, which have a high reported level or perception of corruption, have failed to enact effective anti-corruption legislation and have a failure to be transparent in procurement and investment policies. Obviously the most recent, Transparency International Corruption Perceptions Index can be a good starting point. Other indices you might consider are the Worldwide Governance Indicators and the Global Integrity index.
  1. Sector Risk – these involve areas that require a significant amount of government licensing or permitting to do business in a country. It includes the usual suspects of:
  • Extractive industries;
  • Oil and gas services;
  • Large scale infrastructure areas;
  • Telecoms;
  • Pharmaceutical, medical device and health care; and/or
  • Financial services.
  1. Transaction Risk – this risk takes a look at the financial aspects of a payment or deal. This means that it is necessary to think not only about where your money is ending up but what is the source of the funding. Indicia of transaction risk include:
  • High reward projects;
  • Involve many contractor or other third party intermediaries; and/or
  • Do not appear to have a clear legitimate object.
  1. Business Partnership Risk – this prong recognizes that certain manners of doing business present more corruption risk than others. It may include:
  • Use of third party representatives in transactions with foreign government officials;
  • A number of consortium partners or joint ventures partners; and/or
  • Relationships with politically exposed persons (PEPs).

There are a number of ways you can slice and dice your basic inquiry. As with almost all FCPA compliance, it is important that your protocol be well thought out. If you use one, some or all of the above as your basic inquiries into your risk analysis, it should be acceptable for your starting point.

How Should You Assess Your Risks? 

One of the questions that I hear most often is how does one actually perform a risk assessment? Mike Volkov has suggested a couple of different approaches in his article “Practical Suggestions for Conducting Risk Assessments.” Here Volkov differentiates between smaller companies which might use some basic tools such as “personal or telephone interviews of key employees; surveys and questionnaires of employees; and review of historical compliance information such as due diligence files for third parties and mergers and acquisitions, as well as internal audits of key offices” from larger companies. Such larger companies may use these basic techniques but may also include a deeper dive into high risk countries or high risk business areas. If your company’s sales model uses third party representatives, you may also wish to visit with those parties or persons to help evaluate their risks for bribery and corruption that might well be attributed to your company.

It is suggested that you combine the scores or analysis you obtain from the corruption markers you review; whether it is the DOJ list or those markers under the UK Bribery Act, and from there create a “rudimentary risk-scoring system that ranks the things to review using risk indicators of potential bribery.” This ensures that high-risk exposures are done first and/or given more time. As with all populations of this type, there is likely to be a normal or ‘bell curve’ distribution of risks around the mean. So 10-15% of exposure falls into the relative low-risk category; the vast majority (70-80%) into the moderate-risk category; and the final 10-15% would be high risk.

How do You Evaluate a Risk Assessment?

Volkov has advised that you should prepare a risk matrix detailing the specific risks you have identified and relevant mitigating controls. From this you can create a new control or prepare an enhanced control to remediate the gap between specific risk and control. Finally, through this risk matrix you should be able to assess relative remediation requirements. One way to do so was explored by Tammy Whitehouse, in an article entitled “Improving Risk Assessments and Audit Operations”, in which she looked at the risk evaluation process used by Timken Company (Timken).

Once risks are identified, they are then rated according to their significance and likelihood of occurring, and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the audit/monitoring plan. A variety of solutions and tools can be used to manage these risks going forward but the key step is to evaluate and rate these risks.

 The ‘Likelihood’ factors to consider include: the existence of internal controls, written policies and procedures designed to mitigate risk; leadership capable to recognize and prevent a compliance breakdown; compliance failures or near misses; and training and awareness programs. The Priority Rating factors are the product of ‘likelihood’ and significance ratings reflects the significance of particular risk universe. It is not a measure of compliance effectiveness or to compare efforts, controls or programs against peer groups.

The most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These “Severe” risks become the focus of the audit-monitoring plan going forward. A variety of tools can be used, such as continuous controls monitoring with tools like those provided by the Red Flag Group (RFG), relationship-analysis based software or other analytical based tools. But you should not forget the human factor. This means not only training but ongoing communication with employees to guard against the most significant risks coming to pass and to keep the key messages fresh and on top of the mind. RFG also produces a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it.

The keys to this approach are the action steps prescribed by their analysis. This is another way of saying that the risk assessment informs the compliance program, not vice versa. This is the method set forth by the DOJ in its FCPA Guidance and in the UK Bribery Act’s Adequate Procedures. The DOJ has made clear that it wants to see a reasoned approach with regards to the actions a company takes in the compliance arena. The model described is a reasoned approach and can provide the articulation needed to explain which steps were taken.

For more information on this Hallmark, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available through Compliance Week by clicking here.

To listen to my podcast on this Hallmark, click here.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

 

 

 

 

 

Roman Numbers 1-10.2The cornerstone of a Foreign Corrupt Practices Act (FCPA) compliance program is its written protocols. This includes a Code of Conduct, policies and procedures. In the FCPA Guidance, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) state, “A company’s code of conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted in its charging documents, the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.” Indeed, it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it. When assessing a compliance program, DOJ and SEC will review whether the company chapter has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code.

FCPA compliance best practices now require companies to have additional standards and controls, including, for example, detailed due diligence protocols for screening third-party business partners for criminal backgrounds, financial stability and improper associations with government agencies. Ultimately, the purpose of establishing effective standards and controls is to demonstrate that your compliance program is more than just words on a piece of paper.

I.     Code of Conduct

In an article in the Society for Corporate Compliance and Ethics (SCCE) publication, The Complete Compliance and Ethics Manual, 2016 Ed., entitled “Essential Elements of an Effective Ethics and Compliance Program”, authors Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz, state that your company’s Code of Conduct “should demonstrate a complete ethical attitude and your organization’s “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” Your Code of Conduct must be aimed at all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.” This would also include all “management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.”

There are several purposes identified by the authors, which should be communicated in your Code of Conduct. Of course the overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating what is required of them, to provide a process for proper decision-making and then to require that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. To that end, I suggest that your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of disciplines, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

As I often say, the three most important things about your FCPA compliance program are ‘Document, Document and Document’. The same is true of communicating your company’s Code of Conduct. You need to do more than simply put it on your website and tell folks it is there, available and that they should read it. You need to document that all employees, or anyone else that your Code of Conduct is applicable to, has received, read, and understands the Code. For employees, it is important that a representative of the Compliance Department, or other qualified trainer, explains the standards set forth in your Code of Conduct and answers any questions that an employee may have. Your company’s employees need to attest in writing that they have received, read, and understood the Code of Conduct and this attestation must be retained and updated as appropriate.

The DOJ expects each company to begin its compliance program with a very public and very robust Code of Conduct. If your company does not have one, you need to implement one forthwith. If your company has not reviewed or assessed their Code of Conduct for five years, I would suggest that you do in short order as much has changed in the compliance world.

What is the value of having a Code of Conduct? I have heard many business folks ask that question over the years. In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven to “wave in a defense situation” by claiming that “see we have one”. But is such a legalistic code effective? Is a Code of Conduct more than simply, your company’s law? What is it that makes a Code of Conduct effective? What should be the goal in the creation of your company’s Code of Conduct?

II.     Policies, Procedures and Controls

The written policies and procedures required for a best practices compliance program are well known and long established. As stated in the FCPA Guidance, “Among the risks that a company may need to address include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.” Policies help form the basis of expectation and conduct in your company and Procedures are the documents that implement these standards of conduct.

Another way to think of policies, procedures and controls was stated by Aaron Murphy, in his book “Foreign Corrupt Practices Act”. Murphy wrote that you should think of all three as “an interrelated set of compliance mechanisms.” Murphy went on to say that, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.”

The FCPA Guidance ends its section on policies with the following, “Regardless of the specific policies and procedures implemented, these standards should apply to personnel at all levels of the company.” This cannot be over-emphasized. If an employee is going to be terminated for fudging their expense accounts in Brazil, you had best make sure that the same conduct lands your top producer in the US with the same quality of discipline.

For more information on this Hallmark, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available through Compliance Week by clicking here.

You can listen to a podcast on this Hallmark No. 2 by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016