The first thing I do in the morning, via my Google Reader, is read a few FCPA-related blogs. One of these is the FCPA Professor. An excellent source of information. Today, he brings word of a quiet settlement by the Ball Corporation. Reading it, Prof. Koehler quotes from the SEC’s cease-and-desist proceeding (the least stringent of the SEC’s enforcement channel options):
For example, key personnel responsible for dealing with customs officials remained at Formametal [ed. note: Ball's subsidiary in Argentina], even though external due diligence performed on Formametal suggested that Formametal officials may have previously authorized questionable payments.”
I found this interesting: it highlights a disconnect between the enforcement agency’s belief in the reality of in-house life, and the reality of in-house life. Compliance officers in-house are not unlike politicians. Compliance sometimes is the art of the possible. You need political capital, just like in politics. A compliance officer’s ability to earn political capital is crucial to his ability to succeed in his role. As are his decisions on where to spend that capital.
The first thing enforcement agencies should remember is that compliance is a cost center. For those government employees who have never been in the private sector (and I’m not being pejorative: before I moved in house, I was an enforcement agent who had never been in the private sector), a “cost center” is a department within a corporation that does not add revenue. Legal, compliance, HR, marketing, public relations, investor relations, are all cost centers. The opposite of a cost center (at least, at successful corporations) is a “profit center.” Profit centers are those operational areas within the corporation that actually sell what the corporation makes.
Corporations—at least, those with decent management—structure their expenditures to support their profit centers. T. Boone Pickens had it right, the purpose of a corporation is to make money. So when a company has money to spend, most times, the profit centers of that company get to spend it. In other words, it is more likely that if a company has an extra $100,000 to spend, they’ll spend it on one year’s salary for a sales manager versus one year’s salary for a compliance manager. Every dollar that’s spent on a cost center is one more dollar with an ROI of zero. Yes, we can have a fascinating conversation about the ROI of ethics, but whatever it is, that ROI is awfully hard to monetize. [And for those no-private-sector-experience government folks, an ROI is "return on investment." It's the idea that if you are going to spend a dollar, figure out a way to spend it that you get $1.50 back. That's a 50% ROI. A salesperson will bring in more in sales than the corporation spends on his salary. Thus, dollars spent on salespeople have a positive ROI.] Cost centers, traditionally, have zero ROI. There are exceptions, like when the legal department at American Express brought the antitrust suit against Visa and Mastercard, and the settlement was worth more than all the operating profit of the “profit centers” that year. By a lot. But I digress.
The point is, for a cost center to disrupt a profit center, that’s a big deal. And the source of disruption is irrelevant, whether it’s outlandish budget requests or new policies that restrict the ability of salespeople to make money. Each of those requires an expenditure of political capital, as well as significant “internal marketing” to get it done. Sometimes, like right after a major issue, it gets easier. But that effect, in my experience, lasts 6-9 months. After that, it’s back to cost-center-ness. Remember also that there are internal-to-compliance issues. I know it’ll come as a shock, but compliance programs are just as, if not more so, subject to the silo issues as the business. In a typical financial services compliance program, for example, you have sanctions people who need a new sanctions-monitoring tool, you have FCPA people who want increased spend on due diligence, you have anti-money laundering people—the 800 lb. gorilla of financial services compliance programs—who need more AML people, plus you have country-level compliance people. Your people in Asia, probably, are operating with older technology, and need money for upgrades. So if an FCPA needs money for new diligence programs, first they need to justify it in their own budget, then they need to get the CCO on board to prioritize the FCPA request over various AML requests, sanctions requests etc. After they get the CCO on board, depending on the amount, then it needs to go to corporate planning, which is where it bumps up against new Sales requests etc. And remember, the inherent bias is to give the operational divisions what they need first.
Now we come back to the SEC’s cease-and-desist action against Ball, and what they cited Ball for. Ball’s due diligence suggested that employees of a subsidiary authorized bribes. So why didn’t Ball just fire those people? Well, first, firing someone, especially in a worker-friendly place like Argentina, isn’t such an easy process. Have you ever tried to fire someone in Germany? Next to impossible. Even in the UK, you have “consultation periods,” etc. There’s an image in government that corporate workers can get fired for anything. In reality, especially in larger corporations, it’s a process. Plus, and here’s where tone at the top becomes important, what if those people were big revenue generators? It’s a rare corporation that will fire top performers for a compliance-related issue. Discipline? Maybe. Fire? Hardly ever. So those employees who Ball left in place? Not so unusual.
This also brings up another question: when you have due diligence on third parties, what do you do with that information? The government has said, over and over, that if a JV partner does some bad stuff, that you have to react, even to the extent of pulling out. Oh, please. Given the foreign-ownership rules in China, pulling out of a JV could mean pulling out of the market. Even if you don’t exit the market entirely, the Chinese are not above making you suffer for embarrassing a Chinese company by ending the relationship. And when I say “not above,” I mean that culturally, it won’t even be questionable. There will be payback. Plus, who’s to say that you can pull out? Some of these JVs date back a while, and who knows what termination language there is. Plus, even if you can, there could be litigation for breach of contract if you terminate. You’ll then be litigating against a local company in their courts.
Even less drastic, what if the supplier about whom you have negative information is a crucial supplier? Do you have to cut them off? Just because they are important to you doens’t mean you’re important to them. If you try to tell them that they need to reform themselves or else you won’t do business with them, what if they answer “tough noogies?” They’re a crucial supplier. Do you just stop? What if the closest competitor is 14% more expensive? There goes 14% of your profit margin right there? What if that makes you uncompetitive? Do you have to cease operations entirely? Plus, sometimes there just aren’t that many choices. Halliburton got jobs in Iraq because, frankly, it was the only company with the capabilities to do what needed to get done. Political connections are nice, but if you’re the only game in town, you’re going to get the business.
And isn’t that hypocritical of the government to get all righteous when the US government is a huge purchaser from Siemens (over $1 billion a year). In fact, it’s been argued that the structure of the Siemens settlement (pleading to internal controls violations) was for the express purpose of it not being debarred from government sales. And talk about bad information about a company! Siemens engaged in a decade-long global bribery pattern of activity. But if Ball corp. gets some information that a couple of employees may have bribed a couple of customs officials, they’re supposed to divest? Just to twist the knife, by the way, Siemens income from continuing operations in the period after its massive settlement, was up 21%. No one stopped buying from Siemens, not just the US government. What does that tell us? (This was actually the subject of another FCPA Professor post from a while back.)
How is the business to react when its compliance officers are saying, “hey guys, we have issues here?” The first question the business often asks—and I find it hard to argue with this line of logic—is “are we required by regulation to stop doing business with this third party?” The answer is “no.” Virtually never will a company fight if its compliance officers say, “according to Reg so-and-so, we can’t do this.” So, the business says, “short of not doing business, what can we do to protect ourselves?” Well, there’s regular auditing (which requires will, skill, and money: none of which you’re likely to have), there’s increased monitoring of KPIs, regular invoice review, etc. But you’re still in business with the risky third party. We’d love it if the business got righteous and said, “you’re dead to me,” to the offending third party. But in all but the most extreme circumstances, that’s unlikely.
I guess my point is, despite what the SEC says, it’s not always so easy for a company to fire people, stop doing business with third parties, or even affect how a third party does business. I’m not justifying bad acts. I’m really not. Companies need to bite the bullet and increase spending on FCPA compliance. Even more important than spending, however, is the need to allow compliance to define criteria for the business to onboard third parties.
In fact, I would say that latter piece is so important that you can judge a company’s tone at the top based only on two criteria, that being one. The other is whether compliance is in the metrics of the sales teams. If you have those two things, I don’t care if the CEO puts a video on the intranet. But it’s difficult, because of internal politics, to just say “don’t do business with them.” The SEC and DOJ, in my opinion, need to be more okay with the concept, like in privacy, of “compensating controls.” Meaning, you can still do business with risky third parties as long as you have specialized controls in place to protect yourself. What should these controls look like? Well, I have to leave something for another post.