Thanks to the FCPA Blog for pointing this out. I think we covered Nordam on This Week, but I glossed over the piece that Dick Cassin wrote about today. Buried in Nordam’s non-prosecution agreement is a requirement that the company train its third parties. The company is required to:
train directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof, who present corruption risk to the Company, on the anti-corruption laws and the Company’s policies and procedures regarding anti-corruption laws.
I’m hoping that the DOJ prosecutors assigned to the case, Dan Kahn (who I know) and Stephen Spiegelhalter (who I don’t), just overlooked this. Or more likely—since I know for sure that Dan is a really smart, reasonable guy, and since they both report to Chuck Duross, who is another really smart, very reasonable guy—this was something that Nordam proposed.
It’s possible that Nordam doesn’t have a whole lot of third parties. I’m willing to buy into that for two reasons. First, like I said, Dan and Chuck are reasonable people: they don’t want to put a company in a position of adopting an impossible requirement. Second, Nordam was represented by LeClair Ryan’s Carlos Ortiz. Ortiz is the real deal, from what I can tell (I’ve never met the guy…we’re not even connected on LinkedIn), and LeClair Ryan had the incredible intelligence to hire Mike Volkov, so it’s a firm that has its head on straight.
But what Nordam agreed to? Training everyone?
This is such a misguided requirement. I sincerely hope it doesn’t become a part of DPAs and NPAs going forward.
Let’s take a step back from training third parties for a moment. Let’s talk about audit rights. Because I see in the training requirement the same drawbacks that I see in audit rights.
Audit rights come in two forms: when-something-goes-wrong audit rights and once-a-year audit rights. The former I’m fine with; the latter, not so much.
Don’t get me wrong, it’s a great story, if you can pull it off. But it’s a classic example of “be careful what you wish for.” Take a moment and think about what it takes to do periodic audits of your third parties. This might actually be easier for smaller companies to pull off than larger ones. Because for larger ones, it’s a nightmare, bordering on impossible. Actually, I’m temporizing. It’s not bordering on impossible, it is impossible.
Some larger companies have literally a hundred thousand third parties. Or more. Putting aside the actual work of sending people to 100,000 companies around the globe, how about just the administrative burden of arranging the audits, collating the results, analyzing the results, deciding on action plans? Just collecting the list takes time, a lot of time. It took Tyco more than 6 months just to pull together a preliminary list that was 1/8 of the final list. Plus the follow-up on any management action plans that result from the audits. Consequence management for companies that fail to implement or successfully implement action plans. Or for companies that fail to allow audits. Following up to make sure that issues aren’t recurring. Just think about all the electronic detritus that would be generated from auditing 100,000 companies every year.
Ah…I hear you. If done right, it wouldn’t be 100,000. You’d risk-rate the third parties. No reason to audit the people from whom you buy copier paper, right? First, that assumes you get competent advice from outside counsel on how to properly risk-rate anything. Asking a risk-averse industry how to risk-rate will only lead to agita. Sorry, I’ll end this foray into that particular frustration of mine.
So assuming you get good advice, you’ll actively be auditing maybe 5% of your total number of third parties (Tyco’s program had 5.6% rated high risk). So…5,000 third parties, every year. All of them the highest of the high risk. Or maybe I’m being overly risk averse myself. Let’s say 1%. So…1,000 independent companies to audit, every year. That’s 2 1/2 companies a day, every day, every year (if you go with business days, and national holidays, it’s 4 companies a day).
Oh yes, one other thing: do you have 4-5 people who are competent to even do these types of audits? Do you have even one?
All of this, by the way, for a totally non-profit-generating activity, which will have the gratuitous side effect of pissing off your suppliers, distributors, and agents.
Now let’s transition the topic back to training. You have 1,000 companies to train. Who do you train in those companies? Everyone? “Directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof”? How do you even figure out who the “relevant” employees are? How do you ensure that your high-risk partner is training the right people? Who pays? How do you monitor? What’s the consequence management program? What do you do if the third party says no?
That’s a serious consideration, by the way. Sure, sometimes, it’s a huge corporation whose business is so important to the third party that the huge company can pretty much force the smaller company to do anything they want. Including training.
But sometimes it’s a huge company contracting with another huge party. How do you enforce your training requirement on, say, Hewlett-Packard? Or Siemens, for that matter? Do you require HP to train all of its 300,000 employees? Do you accept their training program? How do you evaluate their training program to see if it meets your standards? Do you require American Express to put their board members through your training? Ursula Burns, the CEO and Chairman of Xerox, is on there. What about Microsoft? Are you going to require Microsoft to go through training? Their Board?
The ability to get anyone to train is heavily dependent on your bargaining position. Nordam is a big company in its space, so perhaps it has negotiating power. But what about smaller companies? How are they supposed to get their larger distributors to agree to training?
By the way, the companies you’re required to train are the same companies you’re going to audit. Control fatigue, anyone?
It’s an impossibly complicated task, just that one little paragraph. The company has overpromised, in my opinion.
Let’s hope this doesn’t become SOP for the DOJ, like the FCPA Blog thinks it’s going to.