“The Limit Should Be Zero Dollars”

If you don’t read Mark Herrmann’s column on Above the Law, you should.

Today’s column was on one of my favorite topics: the UK Bribery Act, and the semi-ridiculous advice that companies are getting from “experts.”  By the way, if you want an expert, go talk to Barry Vitou at Pinsent Masons.  There’s an expert.  Let’s remember that there hasn’t been a case brought under the UK Bribery Act yet.  (Yes, I know.  But no, there’s hasn’t been).  So most of the so-called experts are people who have just read the statute, and attended some conferences where other people who have no idea what they’re talking about talk about the UK Bribery Act.

Herrmann talks in today’s column about advice he got about complying with the UKBA.  His approach was that the firm who gave him the advice violated that advice about thirty seconds later.  He said “I could rant at this point about law firms giving utterly impractical advice, but I won’t.”

I will.

What was the advice that Herrmann got?  He attended a law firm presentation on the UKBA, and there was a question asked about what the right entertainment limits were.  The answer he got back exemplifies the problem I have with some outside counsel:

The limit should be zero dollars.  That will keep you safe.

Really?  Zero?

Leave out for a moment that the rest of Herrmann’s column is about how that same law firm sponsored a dinner for some in-house folk.  Let’s just talk about how advice likes this harms not just the giver, but the receiver too.  First, the giver.  The person who gives this advice will give it to one of two types of people: people who know what they’re talking about, or people who don’t.  I don’t know which comes out on the bottom.  If the lawyer is giving this advice to a knowledgeable person, that person will likely politely smile, nod, and then put the lawyer in the “idiot” box in his head, and not listen to another thing that lawyer says.  Which is a problem, because maybe in the future—even a stopped clock is right, twice a day—that lawyer will give some advice the client should listen to.  But getting out of the “idiot” box is a rare feat.

Or the recipient won’t know what they’re talking about.  In which case, like a wide-eyed doe, they’ll just accept what the lawyer says as a best practice.  Heaven forbid they go back to their own company and repeat that advice out loud.  (We’re back to the “Idiot” box).  Or even worse, that they’re in a position of authority, and could implement that advice.

Like I said, I don’t know who comes out worse.  Either way you go, someone’s in the Idiot box.

When it comes to hospitality—and here’s my opinion on this—everyone needs to calm down.

Zero is not the answer.  Herrmann’s concern about “killing the business” is probably also a little overblown, if someone wants to go that way.  It’s uncompetitive, certainly.  But you’d be amazed what the market will adjust to.  It’s not something I would recommend.

The number you come up with is entirely less important than the process by which you determine it.  The number can’t be outrageous, but here’s the thing: the DOJ has never brought a case against a company that came up with a reasonable number, and enforced it.  There are few cases where gifts play any role, none where they play a truly primary role, and absolutely none where the DOJ overruled a business decision.  That’s not something the DOJ does, as a rule.  They don’t take a reasoned decision and say “you made the wrong choice.”  Almost all of the time, the company failed to consider the problem, or considered it but said, “who cares,” or the equivalent.

So pick a number.  I’ve heard companies pick one number globally—say, $150 per person—or use different numbers for each region, or each market.  I’ve seen people use their own internal numbers—that is, whatever they’ll reimburse an employee for, that employee can spend on others.  That’s not a bad idea.

The point is, there is no “right answer” here.  It’s what’s right for you.

Just remember, as my friend and colleague Tom Fox always says, “document, document, document.”  Be prepared to tell the DOJ what your number is, why you chose it, who was involved in the decision, and how you’re enforcing it.  Remember, this is a company decision on how it wants to act.  People should know the number.

This applies not just to meals, but to gifts as well.  Same idea applies.  Whatever you decide, just decide.  Pick a number and stick with it.  Enforce it.

By the way, that “zero dollars” idea doesn’t keep you safe.  The business will ignore it, sidestep it, and will do that for just about any advice you give from now on.  You lose credibility with the business, and that’s the ball game!

I have to admit, though, I was always a softy when it came to gifts.  Absent some totally inappropriate gesture, most gifts are harmless, in my opinion.  Tickets to a ball game (or the Olympics) are not, absent something more, really a problem.  Where you need to be a little more careful is when you’re inviting someone where you have an open tender and that person is the decision-maker.  I’ve seen rules which say “here are the rules for everyone except people from whom we’re awaiting a decision, and for those people, they get gornisht.”  That’s a damn fine rule.  Sometimes, zero might be the answer.

But not usually.  And telling people that in a public setting, in my opinion, puts you in the idiot box.

“Luncheon Law” and a Lesson from the Professor

Let me start by saying that I disagree with Prof. Mike Koehler about 95% of the time. That’s not to say he’s wrong; he rarely is. It’s just that he and I have widely disparate views on enforcement, and we read the same facts in different ways. Because of that, we almost invariably come to different conclusions. But reasonable people can disagree, and the Professor is always reasonable.

This is not that. We’re squarely in the 5% here. I found myself nodding in agreement throughout my reading of his post on “Addressing the ‘Luncheon Law’ Nature of the FCPA.” Even within the post, however, I disagree with some of Prof. Koehler’s conclusions. But his thesis is dead on.

To briefly recap his post, he feels that the current practice of DOJ and SEC officials speaking at sometimes pricey conferences is, if not an outright conflict of interest, somehow anti-democratic. Certainly it’s not praiseworthy. It leaves practitioners with too little guidance publicly, and freely, available. And we can all get behind the idea that it’s not how we want law, policy, or even best practices to develop, on the lecture circuit.

I agree with one part of this: while I don’t agree that it’s a conflict or otherwise even remotely improper, I do agree that it’s not how we want the Department to inform us of trends.

I feel for the single practitioners and small-firm lawyers out there. These things are expensive. One of the reasons I started speaking at conferences, frankly, was that they waive the entry fees for speakers. And I’ve either been a regulator or worked for huge corporations that have budgets for this kind of thing. Budgets that I wasn’t responsible for. When I was in-house, I never was told, “it’s too expensive.” But even I choked a little bit seeing the price tag for this year’s ACI conference. I’m still trying to figure out a way to bribe Matt Kelly to get me into Compliance Week this year at a discount.

I used to go to these conferences with the expressed purpose of “reading the DOJ tea leaves for this season.” The “used to” in that sentence is important, but we’ll get to that in a minute. Because “reading the tea leaves” was a crucial part of my risk assessment process. That’s a pitiful state of affairs, but there you are. During that period, several years ago, there really wasn’t anywhere else to go. I would reach out to fellow in-house practitioners and benchmark all the time, and I’d follow Mark Mendelsohn around like a puppy looking for scraps. It was a little sad, really. I know I’m a bit of a geek, and I know Mark Mendelsohn ain’t the Grateful Dead. But there I was, an FCPA Mendelhead. Back then, there was no SEC vertical unit for FCPA prosecution, and Cheryl Scarboro wasn’t nearly as well known as she is today, except to those illuminati like Martin Weinstein and Dan Newcomb, who were doing multiple self-disclosures. She was the unofficial head at SEC, but not as visible.

The nice thing was that Mark and others would throw scraps out. I remember this gem, “people have to realize that the FCPA isn’t fun and games, it’s a federal crime and people have to go to jail.” Don’t think that quote didn’t end up in every presentation I gave. I heard about the idea of industry sweeps at a conference, the push into the tech sector, the push into individual prosecutions, the evolving ideas of when to self-disclose, and current expectations around due diligence, all at conferences.

As I said before, that’s no way to run a railroad. A practitioner’s ability to learn the current state of the law for FCPA compliance shouldn’t cost that attorney the entry fees that conference organizers charge. Not to mention the travel, lodging, food, and other expenses that accrue on a three to four-day trip.

But all this was years ago. I don’t think the same argument could be made today. Well, the conference fee and expense argument can still be made: they’re still really, really expensive. But I don’t think anyone can argue with a straight face that they can’t learn—from free, publicly-available resources—the current state of FCPA law and compliance. Let’s just go through a few of those, shall we?

First, there’s the DOJ Web site, including the Layperson’s Guide. Every opinion release is available for download. When I was first starting out in this space, I took an afternoon and read every single Opinion Release. You’d be absolutely amazed how much is in there.

The TRACE compendium is free—every FCPA case ever is available to read and analyze. TRACE’s publicly available resources are staggeringly useful.

Several law firms have been incredibly generous—Shearman & Sterling is at the top of that list—in making serious pieces of research available to the public, for free: The FCPA Digest is a must-download. I don’t care how many pages it’s up to now, it’s worth the paper and ink. If you don’t think I have a copy, you’re crazy. Many FCPA-savvy firms have similar client briefs available to the public: Gibson Dunn and Miller Chevalier are two good ones. But there are so many others I hesitate to even begin to list them here.

My This Week in FCPA colleague, Tom Fox, reminded me on this week’s episode that compliance advice goes back as far as Opinion Release 04-02. That’s 2004. I think it goes back farther, to the Metcalf & Eddy documents, but I have to check that, I might be mis-remembering.

Plus, we have an expanding group of writers—I call us the “commentariat”—that write almost exclusively on the FCPA. For straight-up compliance advice, I don’t think there’s anything that beats Tom Fox and Mike Volkov. Delve into their archives and you’ll have everything you need. For the UK Bribery Act, bookmark Barry Vitou’s and Richard Kovalevky’s “The Bribery Act.” You can also look at Chadbourne’s site on that—truth be told, however, no matter how much I love those guys (and Heidi) at Chadbourne, their site comes in second to Barry and Richard’s.

Even as I disagree with Prof. Koehler, I acknowledge that he’s probably the most knowledgeable guy in the world on the history of FCPA law and enforcement. Maybe if you put Mark Mendelsohn, Chuck Duross, and Peter Clark in a room, they’d be his equal. Maybe. For current information, there’s the Godfather of FCPA blogs: Dick Cassin and his FCPA Blog. He’s literally the Godfather: we all pay him protection money. Kidding. Sir, really, I was kidding.

Plus, there are a number of books about FCPA compliance. I have a few on my bookshelf, and I reference them all the time. [ed note: I’m on the Amtrak to DC now, but when I get back home I’ll update this post with the titles]. I just bought Mike Volkov’s book: if you’re interested in FCPA compliance, it’s a must-buy.

Not to pile on, but DOJ lawyers aren’t silent when they’re not at conferences. They are constantly communicating with the public through their language in DPAs, NPAs, and prosecutions. Schedule C—the compliance program explanation that I’m reviewing in a series on this very blog—is an invaluable guide to compliance. It’s a damn checklist, not to put too fine a point on it.

I agree some changes could be made. I once suggested to the DOJ that they publish on their website a schedule of speaking engagements where DOJ representatives would be speaking. But perhaps the DOJ should go further: they should absolutely prepare formal statements based on the conference presentations and publish them on their Web site. I would also get behind a DOJ mandate to conference organizers that if they want DOJ speakers, those sessions must be open to the public. [To all those conference organizers who read this and might consider having me as a speaker…I was just kidding about that].

To close, while I agree that “Luncheon Law” isn’t the state of affairs we want, I don’t think it’s the state of affairs we’ve got.

By the way, if you want to know what Charles Cain said about declinations, read the rest of the post Prof. Koehler links to.

If I Were a Law Firm Managing Partner

I’ve never worked at a law firm.  Never.  It’s an unusual path to take as a lawyer, I admit.  I worked as a research assistant for professors during my summers, and interned at the DOJ.  I became a prosecutor, then a regulator, then went in-house.  So of course I’m the perfect person to give advice to law firms about how to structure their FCPA practice.  Free advice is worth what you pay for it.

All that said, here are three reasons why firms should establish separate FCPA practice areas.  I’ve seen several different structures.  The worst is no segmentation: lawyers in the “white collar” (or even worse, “litigation”) practice list FCPA in their personal bios.  Next are firms who list FCPA as a practice, but combine it with other areas, like internal investigations, still under “litigation” or “white collar” type umbrellas.  If you’re going to combine it, I think “corporate compliance” is a good mix.  I wouldn’t suggest internal investigations as a combination, because I usually gave internal investigations to firms who were already involved in my program.  The best are firms that have distinct practice areas for FCPA.

Why is it more important than ever for firms who want—and have a realistic shot at—FCPA-related business to distinguish themselves?  Simple: FCPA work is already huge, but it’s going to get bigger.

What’s the driver of the upcoming significant increase in FCPA practice work?  Three reasons, in my opinion.

1.  Dodd Frank’s whistleblower provisions. 

I don’t know whether there will be a lot of whistleblowers.  The latest numbers I’ve heard are 1-2 whistleblower reports are coming in per day to the SEC.  On initial view, that doesn’t seem like a lot.  But think about it for a minute.  That’s about 400-700 new investigations per year.  The SEC cannot afford to not investigate one of these.  Besides the fact that whistleblowers are coming into the agency with significant packages of documents (two inches thick, according to one very knowledgeable FCPA lawyer), the SEC cannot afford to blow off another whistleblower like they did in the Madoff case.  There’s no judgment there, by the way.  I blew off my share of crazy people when I was a regulator.  The SEC found out—the hard way—that just because someone is foaming at the mouth doesn’t mean they aren’t speaking the truth.  So the number of investigations will go up.

But it’s not just that; the new investigations will have two collateral effects that will impact the use of outside counsel.

a.  Too many investigations: notice that Congress hasn’t opened up the piggy bank for the SEC.  This means that investigative attorneys will have additional investigations handed to them, with no support relief.  I think this will translate into an investigative slowdown.  And when things drag out, it’s not like the lawyers will stop working.

b.  The self-disclosure calculus: perhaps the only math that attorney’s know, the calculus of the self-disclosure decision has dramatically changed.  In-house counsel who ignore this are just asking for trouble.  The vast majority of internal investigations are never disclosed to the DOJ or the SEC.  Cases are closed with “insufficient evidence” all the time.  Or there are employees who are internally disciplined, minor process changes adopted, additional training given, and case closed.  I would suggest that these kinds of internal closures represent 90%, if not higher, of all internal investigations.  The math here is that these cases will never be public.  Everyone moves on.  And normally they’re right: these kinds of cases never come to the public’s attention.  Frankly, I don’t even think the DOJ wants to know about these internal investigations (see “a” above).  Maybe these investigations would bear public scrunity, but probably not (the lights are a lot brighter and hotter when you’re in the squared circle).  There’s a certain safety, however, when you’re the needle in the haystack.  Plus, there’s no immediate downside to not disclosing.  It’s a risk, sure.  As one person said, “not disclosing is like having a gun with a thousand chambers, putting in one bullet, pointing it at your head, and then pulling the trigger; self-disclosing is like putting six bullets in a six-shooter, pointing it at your leg, and pulling the trigger.”  I have yet to find a more succinct statement encapsulating the self-disclose-or-not decision.  Thousand-to-one odds against a particular investigation coming back to haunt you.  When it does, it’s devastating (see Madoff, above), but it’s so rare.

Those odds have changed.

The funny thing is, we don’t really know how much those odds have changed.  After all, one to two whistleblower reports a day isn’t that much.  But the confidence level that investigations will remain internal only?  Way down.  Perception trumps reality.  The effect of this perception gap will be that more investigations will be outsourced to outside counsel as companies want more comfort that their investigations will be seen as independent and thorough.

2. Lauren Stevens.  Ah, the Lauren Stevens case.  Probably my second favorite after the Alcatel/ICE matter.  On the one hand, she was acquitted, so what effect can it have?  In fact, it’s beyond an acquittal: the Judge threw out the case.  But it’s still an important case.  Why?  Because she was indicted in the first place.  Even more important?  The reason that Judge Titus gave for granting the motion to dismiss.  The Judge including in his reasoning that Stevens had been in constant contact with outside counsel, and had worked with outside counsel on the response to the FDA that got her in trouble.  Because her use of outside counsel showed her reasonableness and good-faith, the Judge threw out the case.  I can’t imagine any in-house counsel ever responding to a regulatory without input from counsel, but I think that now that same reflexive, of-course-we’ll-use-outside-counsel mindset will seep into the investigations space.  I know that if I were a compliance officer tasked with a major internal investigation, especially one where there might possibly be a disclosure (see “b” above), my first call would be to outside counsel.  It saved Lauren Stevens, and that’s good enough for me.

3. Internationalization.  Sometimes, you don’t need complicated, external reasons for there to be more investigations.  Sometimes, there are just simply more people doing the investigating.  The UK Bribery Act will lead to some.  Not just because there’ll be more investigations to deal with (though there will be), but also because companies will need outside counsel to help structure revamped compliance programs.  If they’re smart, they’ll use outside counsel who have in-house experience—and those are few and far between.  If they’re really smart, they’ll hire compliance consultants who have worked in-house before.  People like Tom Fox.  So the initial remediation work will generate more outside counsel work.  And by “initial” I’m talking at least three years.  This will go in stages.  First, companies will hire outside counsel who advertise their expertise in the UK Bribery Act even though they’ve had exactly zero UKBA cases.  But an Associate wrote up a comparison with the FCPA, and knows how to spell FCPA, so the Partner who reads it suddenly becomes a UK Bribery Act specialist.  Phase one ends when companies realize that the lawyers who they’re working with have no idea how to set up a compliance program.  The company then goes looking for a new lawyer to help fix what the first lawyer broke.  The lawyers they look at to hire all have the same experience, from Phase 1.  So all that actually happens in Phase two is the lawyers from phase 1 all shuffle around.  Then comes phase 3, when the SFO starts bringing cases, and companies that haven’t started phase 1 start now.  Lather, rinse, repeat.  Am I coming off a little cynical?  Smart companies will just hire Barry Vitou and be done with it.

The effect of these three circumstances will be increased work for outside counsel.  Outside counsel would do well to heed my advice and revamp how they advertise their FCPA expertise.  It’s big enough now to be its own category under litigation or white collar or even better, compliance.  If I were a law firm managing partner, I’d back up a Brinks truck and hire away Raja Chatterjee from Morgan Stanley, or Noreen Fierro from Prudential, or Sarah DiLorenzo from McDonald’s, or someone like that.  Someone who’s spent significant time in-house doing this stuff day to day.  As much as two years in a firm followed by six years in a US Attorney’s Office (even the Sovereign Southern District of NY) followed by another four years in a firm makes you a good lawyer, it makes for a sucky compliance officer.  Someone like that has no idea how to get things done inside a company.  Raja, Noreen, Sarah, and others like them know what pressures are in-house, to take employees off the line for training, to balance tech spend versus benefit, to think like a businessperson.

With the upcoming increase in work, it’d be good to get someone inside your firm who knows how to get things done.  Just my opinion.

Who is Hughes Hubbard?

That’s not a serious question; everyone knows it’s a good firm.  It’s been around for a while (the latter part of the 1800s).  The White Collar & Compliance team isn’t that big: about 30 lawyers come up when you search under that practice group firm-wide.  And I don’t think it’s particularly well-known in the FCPA space.  That is, I’ve never heard of any of their FCPA lawyers (take that as you will).  Their head of FCPA is a guy named Kevin Abikoff, who, from his bio, seems like a serious guy, and is one of the few outside counsel I’ve seen that actually has real in-house experience.  It’s smart that HH puts videos he’s done in his bio page (although in that American Lawyer interview, I’m not sure if I would have gone with a silver tie to go with the white shirt and light grey suit, but that’s just me).  I’m not convinced that combining FCPA with Internal Investigations practice puts them in the right position.  At least it’s under a corporate compliance rubric.  So it seems like they’re serious, if not subject-area heavy hitters.

But wow, can they put out work product.  In a publication rivaling the Shearson Year-End report, HH put out a Spring Alert 2011.  Weighing in at 349 pages—yes, 349 pages—it includes an overview of the UK Bribery Act, and a writeup of all criminal settlements, DPAs, and even related civil cases.  It includes an analysis of recent trends and even goes through efforts to reform the FCPA.

It also begins with an overview of where FCPA prosecutions have been going, and what’s up next.  I can’t pretend that their analysis contains particularly penetrating insights, but it certainly covers the basics, and does so very well.  The material also includes some foreign jurisdiction investigations of which frankly I was unaware, so good on them.

Any associate out there who wants to get into this very hot area—hot, and looking like it’s only getting hotter—would be well-advised to download the report.  By the way, everyone should send a letter to HH, via Mr. Abikoff, thanking them for keeping this publicly available, and for free.  Very generous.  In fact, as soon as I’m done with this, I’m going to do just that.

 

UPDATE: The universe likes to show me how dumb I am sometimes: the day after I wrote this post, Hughes Hubbard & Reed took the #1 spot on American Lawyer’s A-List of firms.  Congratulations to HH&R!  I’ll be home wiping off the egg on my face.  Anyone want omelets?

Guidance By Howard

After finishing the case study series, I now turn to keeping my word and writing my own Guidance. Rather than try to write the whole thing at one fell swoop, I will write it section by section, and publish as I write. I’ve tried to make it humorous, but readable. And while it is written half tongue-in-cheek, it’s only half. I actually mean every word; I wish this is the guidance that the UK would have written. It’s certainly more forthright: I’ve tried to say some things that I think the UK would have liked to have said, but couldn’t for fear of starting an international incident.

I will follow the general format of the Guidance as it was published, starting with the forward, general policy, principles, and then case studies. The first section, the Foreward, is the most unserious of the entire lot. But it sets the tone for what I want to accomplish, which is giving a realistic assessment of what a Bribery Act Compliance Program should look like, in my opinion.

[Disclaimer time: as I always say, “I’m a lawyer, but I’m not your lawyer.” This is commentary, not legal advice. If you want legal advice, hire outside counsel or a consultant. In case you haven’t noticed, there are one or two out there that would love to structure your program for you. If you want my advice on who, look below (well below) for my post entitled “Getting Advice.” I say plainly who I’d recommend. I’m not on that list. I’m not licensed to practice in the UK, and I wouldn’t know a barrister from a solicitor if both were sitting next to me.]

Begins the Guidance:

Foreword

The UK has come under criticism for being soft on foreign bribery. It is an embarrassment that the criticism is entirely justified. To be fair and just, however, we should point out that the UK government’s priorities stem from the colonialist era where foreign bribery was more than accepted, it was diplomatically necessary to maintain peace in an empire that exceeded Alexander’s.

In that vein, our allies should remember that those leveling the criticism—mainly in the US—also have only recently been enforcing their own anti-corruption laws. How many prosecutions were there in the first 10 years of the Foreign Corrupt Practices Act? In the first 20? Like a reformed addict, the US, after decades of paying hundreds of millions of dollars (probably billions of dollars) in bribes in every country around the globe now finds it expedient to find fault, and presumptuously believes in their right to express that feeling. Like a child who believes he knows better than his parent, the US would instruct us in an area of law that we were enforcing when the US was merely a glimmer in George Washington’s eye.

But if “the times” can be defined in such short duration as the last 5 years, then mea culpa, the UK has fallen behind them. One thing that is certainly true, we have been infected with the regulatory overreaction virus that originated and incubated in our wayward progeny, and has now found it’s way across “The Pond.” As Sarbanes-Oxley was a reaction to the new millennium’s corporate governance scandals, so to the UK Bribery Act is a reaction to our humiliating surrender in the investigation of BAE. I believe we would have made a different decision in that case, had we known we’d come to this.

Some criticism is obviously justified, but the judgmentalism must stop.

In publishing this Guidance, we seek to further two goals: first, to reassure UK companies that their world is not over and certain harmless activities may continue. Second, we wish to inform UK companies, as brightly and clearly as we can, where the new line is, so they should not step over it.

The challenge we face is providing companies—especially smaller companies with more limited resources—with enough guidance through which they can achieve comfort that they remain within the law, while maintaining prosecutorial discretion. We will not surrender our right to prosecute companies that cross the line, even if we’re not quite ready to tell them exactly where the line is. That is not the fault of the MOJ, however. It is the fault of the ingenious fraudsters and those who use corruption as a tool to bend the marketplace to their will. They are more creative in their construction of bribery schemes than we are imagining rules to stop them. We will therefore not bind ourselves in the face of the unknown to a strict set of prescriptive rules which we might in the future wish were different. Rather, this Guidance will provide minimum standards for smaller companies, and leave larger companies guessing whether we will find their procedures adequate. To be fair, however, that’s not really a change from where they stand now.

I say to our US colleagues who might be critical of such a stance, where’s your Guidance?

As with many things, the proof of the pudding is in the eating. The toughest law in the world means little without rigorous enforcement. The UK Bribery Act is the strictest law of its kind. For those who would use corruption as a tool of commerce, I put you on notice that the MOJ and the SFO (and the FSA and the FCA and whatever other agencies we create in the next year…we’ll see how the infighting goes) will use the tools the Bribery Act gives us. In fact, to make it clear that our stand on corruption is real and enduring, I am directing the SFO to bring their first case under the Act before the end of July. Don’t be surprised if it involves private-sector bribery, either.

And to all companies who do business in or through the UK, a warning: there’s a new Sheriff in town, and his name is Ken Clarke.

Signed,

The Ken that Exists in Howard’s Head
Secretary of State for Justice

****

Tom Fox and I have posted our second episode of This Week in FCPA. We hope you enjoy it.

Case Study #11: I Open at the Close

My kids are reading Harry Potter, which is where the title comes from. Given Harry’s UK origins, I thought it appropriate. I’m also a little worried because I’m coming to the UK next week. I’ve been, ahem, somewhat critical of the UK government recently, and I’d like to be admitted to that wonderful country. So for this last case study, let me say that I’ve never read a more cogent and convincing risk mitigation plan.

*cough cough* I can’t do it. I’ll risk getting turned around at Heathrow.

It’s bad. It’s also typical of the lot: it is so shallow that if a company were to follow all of the requirements, they wouldn’t have adequate procedures to cover the risk that they’ve incurred.

Let me digress for just a moment for my first caveat. I started this case study series because Tom Fox was writing about the Guidance and started at the beginning. I figured I’d start at the end. I’ve had a fun time writing some scathing criticism of the eleven case studies. And it’s not that they didn’t deserve it. But let me say one thing. I’ve been there. I’ve had to write guidance for compliance with policy. It’s not easy. What’s easy is my sitting in the background criticizing the people who are in there doing the work. The MOJ employees who wrote the Guidance did a tremendous job putting it together while under an incredible amount of pressure. My hat is off to the authors.

That said, I’m sticking to my assessment of this case study. It’s just bad. I have respect for the authors, but I don’t know what they were thinking. Let’s go point by point, shall we? For one last time?

We have a small export company operating through agents in a number of foreign countries. It recognizes that its reliance on agents increases its bribery risk and wants procedures proportionate to the risk. Let’s walk through what the Guidance suggests:

• Using trade fairs and trade publications to communicate to the market that it is strongly against corruption
• Oral or written communication of its bribery prevention procedures to its agents
• Controls on its associated persons including
• questionnaires and internet background searches
• Checking references
• Representations in the contract
• Using information training opportunities to raise awareness of red flags (including evasive answers to straightforward questions, overly elaborate payment arrangements, and unusual expense reimbursement requests)
• Using external sources to “inform” relationships with the agents
• Having a confidential reporting channel

This is a small company, and the UK government has made clear that it doesn’t want small companies too affected by the need to implement intrusive procedures. Let me give you a quote from Kenneth Clarke, from before when the Guidance was issued (just before). He said the guidance to be issued will allay

fears sometimes aroused by the compliance industry, the consultants, the lawyers who will of course try to persuade companies that millions of pounds must expended on new systems which in my opinion no honest firm will require to comply with the act.

Pretty strong words. Remember also, right before the Guidance was issued, the rush to “review” the law’s effects on business interests. It has been felt that those business interests influenced what has been perceived since as a watering down of the act through enforcement pronouncements.

So the purpose of the Guidance is to calm the worries of smaller UK companies. (It’s worth it, by the way, to watch Ken Clarke talk about this, pre-Guidance.)

Here’s the basic problem, and you should take this to heart: risk is a function of transaction, geography, and agent; it is not a function of company size. The fact that the smaller company is engaging in risky transactions doesn’t self-mitigate because the company is small. In fact, I think a good argument can be made that larger companies have more sophisticated financial controls, so the risk is actually greater in smaller companies. [There’s another argument, of course, that smaller companies have more immediate control over employees. Even if that’s a wash, it’s still true that company size is not a major factor in risk assessment.]

The Principle behind the case study recognizes this.

“Some small organizations can face quite significant risks, and will need more extensive procedures than their counterparts facing limited risks. However, small organizations are unlikely to need procedures that are as extensive as those of a large multi-national organization.”

I understand the challenge. Or, in consultant-speak, I admire the problem. Controls in smaller companies do not have to be as robust as in larger ones. There’s two ways to approach that, however. The first is to put controls in a list, A,B,C,D,E, and F. Larger companies have to do A-F. Medium from A-D. Smaller just have to do A & B. That’s this chart, via Tom Fox:

But there’s another way.

When I have something to write, I use the “Madman, Architect, Carpenter, Judge” method. It’s a four-stage writing process designed to get all your thoughts down onto paper before you begin editing. I find it effective. Here’s the twist: no matter how little time you have, you always go through all four stages. Just because you have 30 minutes, you don’t skip a step. You just spend less time on each stage. If you have 30 minutes, you spend 10 on madman, 5 on architect, 10 on carpenter, 5 on judge. Or whatever split works for you. If I have weeks, I’ll spend 8 days on madman, etc.

I think the same method, suitably altered, should be used with risk mitigation. You use all the tools, just less of each one. Youhave a questionnaire, you just don’t have a lot on it. You have contract provisions, monitoring, etc. Just less of them. Reasonable people can disagree on this, I think. I come down the way I do because I can’t envision skipping a major control area simply because I’m a small company, if the risk is high.

Say what you will about the US Department of Justice, but they tell us what their expectations are. Adequate procedures in the US include the following:

• Clearly worded policies
• Tone at the top
• Standards and Procedures
• Risk Assessment
• Involvement of senior management
• Financial controls
• Effective communication
• System to provide advice
• Disciplinary measures
• Due diligence on 3rd parties
• Contract provisions
• Periodic testing and review

I would suggest that larger companies need to have lots of each of these. Smaller companies can have less of each of these, as long as they have something in every category. Can you look at that list and tell me which ones you can live without?

As I read Principle #1, I see that “Proportionate Procedures” is a way to say “your entire program.” Given that, I think that this case study’s list—even for smaller companies—is totally inadequate.

According to this case study, as long as you have internal and external communications, some diligence, some contract provisions, you’re good to go, Mr. Small Company. Nothing is mentioned about risk assessments, ongoing monitoring of third parties to detect risk (you could argue it’s shoe-horned into the red flags review, I guess), nothing about financial controls, nothing about auditing (internal, rather than of third parties, nothing about ongoing auditing of third parties (which I hate, but which my colleague Tom Fox sees benefits from).

What are adequate procedures for a small company, IMHO? (Remember my disclaimer, everyone. I’m a lawyer, but I’m not your lawyer. I offer commentary, not legal advice. If you do what I say, it’s at your own risk.  Besides, I’m not licensed to practice law in Great Britain.  If you want legal advice, call your barrister, or solicitor, or whatever they call outside counsel there. If I were in London, I’d call Gary DiBianco at Skadden or John Rupp at Covington. They’re in London, and they really know this stuff.)

Here are what I think should be sufficient for small companies operating in a risky environment:

• Have a policy that clearly says “we don’t bribe, ever.” That policy should be sent out by the CEO with a personal plea to avoid bribery as a business practice, and laying out a confidential reporting channel
• See above: have a confidential reporting channel
• Conduct a risk assessment yourself. Rate your geographic footprint into high and low risk. Risk determines procedures.

HIGH RISK:

• Contract provisions MUST include termination rights at the UK company’s sole discretion in the event there is suspicion of bribery
• Training to employees that includes how to handle requests for facilitation payments, travel, and hospitality (think “modest.”). If the company can afford it, live training. If not, conference calls plus informal training at team meetings, etc.
• Hiring of third parties must be approved by the COO or similar senior position (remember, this is a small company, so there will be supposedly less bureaucracy. Hiring will only be approved after the agent has filled out a basic questionnaire asking if any senior employees are related to government officials, whether the service to be provided touches government officials, and whether the company has ever been investigated for bribery-related offenses. Also, no hiring will happen until the agent has been run through an internet news check, a reference check, and a check with the local embassy. Every invoice submitted by the agent requires dual approval
• All expense reports require approval by someone outside the chain of command of the person submitting the report.

LOW RISK:

• Contracts must include either termination rights or a clear statement by the agent that it understands anti-corruption laws, and agrees not to pay bribes in the service of the company
• Computer-based training for all employees. Informal training opportunities will be used to discuss hospitality and facilitation payments
• Third parties must submit a questionnaire asking whether any senior managers are related to government officials, and whether the services to be provided touch government officials. Agents must undergo an internet check and a reference check. Every invoice submitted must get co-approved
• Every expense report must be approved by someone outside the chain of command of the submitter.

That list should be tailored to your company, but you get the idea, right?

Thus ends the case study series. As I said, though, the next thing I’m going to attempt is my own guidance document. That might take a while. Check back.

Also, make sure you check out Tom Fox and I in our new weekly videocast: This Week in FCPA. Sure to entertain and inform.

Case Study #10: Tone Deaf

I had thought that with the amount of bile I’ve spewed on these case studies, my supply must be low. I’ve found, reading case study #10, that I actually have plenty left.

The case study purports to discuss what we call in the US “tone at the top,” but which in the UK they call “Top-level commitment.” Here, we have a similar buzz phrase that’s recently come into fashion, “Commitment from the Top,” which is more similar. I’m not personally a fan of either phrase, nor of the concept.

Let’s digress for a moment into what I call “optical controls.” Optical controls look good, but don’t do much. Most contract provisions are optical. Any written certification (maybe there’s one certification that’s not; Tom identified it on our videocast: a Sarbanes-Oxley-type certification to be signed by senior management). There’s a place for optical controls. At times, they are actually important, so don’t neglect them.

But I think tone from the top is optical. That’s not to say it’s optional. You need visible tone from the top. You need senior management to talk about anti-corruption, ethics, honesty, integrity, etc.

First, we need to define tone at the top. Once, back in 2009, I was on a panel about tone at the top. I wrote a definition that got the highest praise possible: it was quoted by Alexandra Wrage. If you’ve read more than two articles on mine, you know I’m a huge fan of Alexandra, and of TRACE. Every company I’ve worked in, I’ve either gotten us to join, or convinced us to renew membership. Anyway, what I said was

Tone at the top is a visible willingness by senior management to let values drive decisions, to prioritize those values above other factors—including financial results—and to expect all others in the organization to do the same.

If you’re going to do tone at the top right, you need more than just words, you need senior management to act. There’s a hierarchy of actions. At the top is publicly praising someone who lost a deal because he refused to pay a bribe. Less, but just as key, would be to change a unit’s sales targets. In fact, I would probably advocate the latter as a first measure because it directly impacts the line staff.

In general, in fact, I’m much more a fan of tone from the bottom, but we’ll get to that in a minute.

As always, the Guidance lays out a series of optional controls for our small to medium size manufacturer:

• Making of a clear statement disseminated to its staff and key business partners of its commitment to carry out business fairly, honestly and openly, referencing its key bribery prevention procedures and involvement in a sectoral anti-corruption initiative.
• Establishing a code of conduct that includes anti-bribery provisions and making it accessible to staff and third parties on its web site.
• Considering an internal launch of a code of conduct, with a message of commitment from senior leaders.
• Senior management emphasizing among its workforce and other associated persons the importance of understanding and applying the code of conduct and the consequences of breaching policy
• Identifying someone at a senior level to be the point-person for queries and bribery-related issues

Of all the lists of all 10 case studies I’ve reviewed, this list might be the worst.

Seriously, spending three of five bullets to discuss three aspects of the same control—and an incredibly weak control, at that—is worse than useless. It’s counterproductive. And even worse than counterproductive, it gives a false sense of security. Let me be clear, and you should take this to heart: no code of conduct ever actually changed someone’s behavior. Sorry, all you Code writers out there. This is not to say that you shouldn’t have a code. You should. And I’m not suggesting that you don’t train on it, or that you don’t have an internal launch, or even that senior management shouldn’t emphasize…or whatever it says to do. But a code of conduct isn’t a control, it’s window dressing. Important window dressing, but that’s it.

The last point is as obvious as it is optical. And often done badly. Seriously, if you’re going to implement an optical control, at least make it good optics. How many times have I seen a random officer, like the CIO, report to the CEO, but the Chief Compliance Officer report to the General Counsel? At least now in the US, with the recent revisions to the Sentencing Guidelines, we now know that the CCO has to independently report out to the Board of Directors. Most CCOs I’m aware of do that on a periodic basis, most frequently quarterly.

The first point is also optics. It’s also, in my opinion, almost impossible. Have you ever seen a clear statement by senior management on anything? And on ethics? Really? The statements I’ve heard all talk about ethics as if it were one factor to consider while making a deal. Make the deal, but remember to be ethical. That’s not how we talk about ethics outside of the business world. In every other context, ethical behavior is the underpinning of proper action. But when it comes to business, it’s one factor among many.

So how should companies show proper tone from the top?

Let me give you my suggestions:

1. Concentrate on the bottom, not the top. Rather, let’s properly define “the top.” The job of a compliance officer is to change behaviour. When a line worker has a problem, he or she doesn’t go to the CEO. So having the CEO “have an open door to all employees to answer questions,” (this or something similar is on virtually all CEO videos I’ve seen) doesn’t help. Who do people go to? Their supervisor. If you can hit front-line supervisors, that’s how you change behavior.
2. Connect with employees on their terms. That is, let them know that their bonus or other compensation won’t be affected by ethical behavior. An FCPA compliance officer has to run interference for the business. It might be his or her most important job, in fact. The best tone at the top would be for a leader to alter a sales target because a big loss from refusing to pay a bribe. In fact, you wouldn’t even need to advertise it; believe me, your employees will know.
3. Observe the formalities. You need a Chief Compliance Officer. That person should report—or at least have access to—the Board of Directors. You need a code of conduct, you need a video from the CEO, you need publicized compliance successes, and if you want to get fancy, compliance failures. You need these things because optics matter.
4. Treat tone like diligence, it’s not a one-time thing. Tone at the top is ethics over time. You can’t just have the CEO do a video and be done. You need to emphasize and reemphasize, with the message coming from all levels in many formats. Email, live, written, etc. Hit your riskiest employees from every direction. Have informal chats.
5. Ask the question. There is one question that senior leaders can ask that’s the best question in the whole world. The best question. If you have one “ask” when you talk with senior leaders, this should be it. What’s the question? Here you go: “what does compliance think about that?” If senior leaders start asking it, then their direct reports will start soliciting compliance’s opinion before meeting with the senior leader. It gets compliance included in the process, any process, in a constructive way. It’s the perfect force multiplier. It’s the perfect question. Have your senior leaders ask it, often.
6. Do your best to keep your messaging consistent. I’ve said this before, in the training case study critique, but consistent messaging is also a leadership function, and thus a tone from the top issue. The best indicator of ethical behavior is when employees feel free to report misconduct without fear of reprisal. You can’t afford to have one employee sending one message by their conduct and another employee sending another message.

So there you go. And only one more left. After that, I’ll write my own guidance, and publish it, chapter by chapter.

Case Study #9: Everything Old is New Again

Case Study #9: Everything Old is New Again

I’m having a bad case of vu-ja-day.  Not deja-vu, Vuja-day.  It’s the feeling that you really didn’t want this to happen again.

Case study #9 is a return to due diligence of agents.  I’ll go through it point by point, but let me give away the ending: it’s really, really bad.  Bad in the sense that if you actually do what it says—everything it says—you’re going to get yourself in a ton of trouble.

This is going to be painful, so I’ll try to be quick.

Case Study #9 posits a small UK company which relies on agents in Bribe-istan from which it imports perishable produce and to which it exports finished goods.  The company is offered a new opportunity in Bribe-istan through a new agent, but it’s a rush deal.

The Guidance again provides a list of controls that the small UK company can consider, any or a combination.

• Conducting due diligence and background checks on the new agent that are proportionate to the risk before engaging the agent that can include (a) making inquiries through existing business contacts, local chambers of commerce, or business associations, and internet searches; and (b) seeking business references and a financial statement from the agent and reviewing the agent’s CV
• Considering how best to structure the relationship with the agent, including how the agent gets paid and how to ensure the agent’s compliance with relevant laws
• Making the contract with the agent renewable annually or periodically
• Traveling to bribe-istan every once in a while to review the agency situation

That’s it?

The best thing I can say about this list is the last one.  I completely agree that on-site visits are an essential part of effective due diligence.  But I’m getting ahead of myself.

Here’s the problem: risk isn’t determined by size.  Just because it’s a small company doesn’t mean the risk is small.  There’s an essential difference here: when I’m the compliance officer for the company, I don’t want an affirmative defense, I want to avoid the crime.  Avoiding the crime involves significant due diligence.

What is it about this situation that makes it risky?  The fact that it’s in Bribe-istan is a problem, obviously.  But what sets off the flashing red lights in this situation is the rush.  The worst situations always present as must-do-quickly deals.  You have salespeople screaming at you that you’re delaying the deal, everyone wants this done.  I’ve had situations where the deal had to get done in a weekend.  We did the deal, and then the costs starting rising.  We had remediation costs up the wazoo.  It’s the rush jobs that are going to bite you in the behind.

What also makes this riskier is that the small UK company makes perishable goods.  That gives customs officials and others in a position to delay shipments a considerable amount of leverage.  While computers sitting on a palette in port is bad, fruit sitting on the palette is a disaster.

If the small company wants “adequate procedures,” that’s one thing; if it wants to avoid the violation, that’s something different.  Telling small companies they have to do less makes sense on the one hand, but on the other, it’s going to get them into trouble.

Let’s go through the points though, shall we?

Conducting due diligence is important.  So the question is whether doing what the Guidance suggests is sufficient due diligence.  The one thing that’s right is that the Guidance says that the diligence needs to be “proportionate to the risk.”  Not to the size of company, the size of the risk.  Here, the risk is very high.  Should the procedures be reduced to match the size of the company?

The last due diligence case study (#6) has a medium to large company doing a questionnaire and lots of other things.  How does the smaller company justify doing less, when the risk is just as high, if not higher.  I know that adequate procedures for smaller companies should be less, but is this the place to cut?

The diligence here involves, according to the Guidance, making inquiries through business contacts and conducing Internet research, plus getting references and a CV.  These are good.  Do these.  But you have to do more.

Does a small company need a questionnaire?  Yes.  It does.  Maybe the back-end procedures can be reduced, but if you’re going into a high risk market in a high risk venture, running a Google search just ain’t gonna cut it.

Payment is an easier question.  I can tell you, given everything, if the agent gives me screwy payment instructions—payments into a third country, or via some other corporate identity—I’m putting the kibosh on the whole deal.  What I want to ensure here is that the agent is charging me a reasonable amount for what I’m getting.  If he tells me anything other than “send me the check when I invoice you,” I’m out.

I’m frankly not sure what considering how best to “seek to ensure the agent’s compliance with relevant laws and codes applying to foreign public officials” even means.  I’m not sold on the ability to affect how your agent does business.  You can find out, with effort, how they’re going to do business.  But I don’t think you can change it.  Certainly not with the blunt tools you have to work with, which are contract provisions, maybe a little training, maybe audit rights.  None of those, even reps and warranties, or undertakings, are going to get the job done.  All you can do is figure out what kind of situation you’re getting into.  Go in with open eyes and structure some rudimentary monitoring to protect yourself.

In fact, here’s my prescription for smaller companies:

1.  Have decent contract provisions.  I’m not a huge believer in the efficacy of contract provisions, but some are better than others.
a.  Most important?  Termination rights.  And make sure your partner knows that keeping your business means keeping clean.  Let them know that if you even think there’s an issue, you’re going to exercise your right to walk away.
b.  Next? A clear statement in the contract that you don’t want them to bribe.
c.  Rather than have them agree not to bribe, I would suggest having them agree to some monitoring requirements.  What you need to monitor is fact-specific, but can be things like monthly spend variations kept within a certain amount; double-checks on the value of what’s being delivered, regular discussions about how they’re achieving their results, specific itemization of invoices (the more specific the better), including no “miscellaneous” entries, and no expenditures that are outside of the specific needs of the SOW.
2.  Have the right to audit their books in the event you believe they’ve committed a violation
3.  Do a site visit, even if done by a third party
4.  Ask for and check references
5.  Do an internet search

The key thing here is not to overdo the up front diligence.  The key is to figure out the monitoring piece, and do that religiously.

6.  I would also suggest that your highest risk third parties be reviewed regularly by a risk committee formed for that purpose.

I agree with the last two points from the guidance: the contract should be renewable annually, not evergreen.  And do at least some of this in person.  In my experience, nothing beats looking a person in the eye and telling them what’s unacceptable to you.

What to Do About the UK Bribery Act

This past week, I was on a webinar with Mark Mendelsohn (the replay can be found here: http://bit.ly/gTAeKB).  One of the things we spoke about was what companies need to do now to comply.  I was a little more sanguine than Mark was; I thought that we should wait and see whether the UK actually enforces the Act before people spend a lot of money.

Mark made an excellent point right then.  Can a company have “adequate procedures” if their compliance program doesn’t include anything about preventing private-sector bribery?

It’s a fair point.  Let me think out loud for a minute about it.  My first thought is that no one ever got very far disagreeing with Mark Mendelsohn about the FCPA or the UK Bribery Act.  It might be a question of life not being fair, and companies just have to adjust to something that may turn out to be a theoretical risk.  The difficulty is that it’s going to be a significant change.

Let me be Devil’s Advocate here for a moment.  Can a company have adequate procedures without measures to prevent or detect private-sector bribery?  Let’s play it out.  A company has issues with a third party in Bribe-istan regarding a public-sector contract.  The UK government comes in.  Are they going to be looking at the private-sector pieces of your program?  Now, if you have an issue with private-sector bribery, that’ll be problematic.  The company, its officers and directors, and employees involved will all be in trouble.  The difficulty here is that while I don’t believe the UK government will be looking for private-sector bribery cases, it’s often the fact that cases come to the regulator.  This will become more true once the whistleblowing provsions of Dodd-Frank come into effect.  So maybe not so theoretical at that.

Let’s pause for a second and talk about the cost.  The cost of changing your program to include private-sector bribery.  First, your training costs go up.  It’s currently the case that programs spend time identifying who their public-sector-related employees are, and train them to a higher level.  That effort involves cost as well.  So those costs will go away, but training your entire sales force will cost you also.  More.  It’s time, and money.  And just because the UK government passes an Act doesn’t make your company any more willing to donate time and money to compliance.  One useful thing about the prescriptive rules the US puts into place is that you can go to your business and say “Reg C says we have to do x, y, or z.”  This principle-based paradigm is harder to sell.  Convincing your business to let you take every single sales and marketing employee out of commission for two or more hours is going to be tough.  It’s ridiculous that it’s tough, but that’s reality.  There’s also a monitoring aspect to it.  Here’s a truth that you need to internalize: if you have a rule, you must—absolutely must—monitor compliance and punish recalcitrant employees.  This is why I’m a fan of fewer rules, more stringently enforced.  If you don’t, you have what regulators call a “paper program.”  Disaster, if you’re ever challenged.

But training costs aren’t the biggest problem you have.  The biggest problem is your third-party due diligence program.  Unless you’ve spent considerable money on your DD program, you will likely have just a few employees involved, at minimal cost.  That’s gone.  Most programs were predicated on doing diligence on a small number of third parties.  Almost all programs lack scalability.  What might work for a 100 third parties won’t work for 1,000.  Most compliance programs are working on shoestring budgets as it is.  If you have to adjust to massively increased volumes, that Excel spreadsheet you have just won’t cut it.

You’re going to have to retool, not just readjust.

So you’re left with, on the one hand, a somewhat theoretical risk of having to justify your lack of a private-sector bribery program.  One quick digression: I’d hate to make the argument to the UK authorities that the reason you don’t have a private-sector bribery piece to your program is that your program is geared to FCPA compliance.  Somehow, I don’t think the SFO will be too receptive to that.  Anyway, it’s that cost, versus the certain cost of completely restructuring your due diligence and training programs.

I hate to disagree with Mark, but I’m going to.  I think you still don’t do anything too drastic to your FCPA compliance program (except enhance it…you know it needs it).  Wait and see what the UK does.  I said on the webinar that it would be bold of the UK if their first case was a private-sector case.  That would certainly change the playing field, and give the UK enforcement regime a much needed boost.

Anyway, just something to think about.

I sometimes give this disclaimer, which I think might be needed here: I’m a lawyer, but I’m not your lawyer.  This post is not legal advice, and you should not take it as directed at you.  If you do, frankly, you need your head examined.  This is a blog.  If you want legal advice, there are quite a few lawyers who’d just love to help you.  I’m offering informed commentary, not legal advice.

Case Study #7: Needed–Training…on how to write an effective case study.

Case Study #7: Communication and Training

I find it somewhat interesting that the case study calls it “Communication and Training” while the Principle (#5) calls it “Communication (including training)”. OK, I don’t find it particularly interesting, but it must mean something.

I find them to be two distinct issues. Training is training. Communication, however, should include the type of internal marketing effort that is so crucial to successfully implementing a compliance program. You could write a PhD thesis on internal marketing. In fact, I’m surprised there aren’t more books about it. Hmm…

So let’s jump right in. There’s no way this is going to be as long as the last one, so you can get a much smaller cup of coffee for this one.

Case study #7 gives us a small UK manufacturer who has engaged a local agent/advisor to help win contracts in Bribe-istan (as the Guidance puts it, “in a foreign country where the risk of bribery is assessed as high.”)

One of the guiding principles of the Guidance is that smaller companies don’t need to do as much as larger companies. I’m curious whether the author of this case study, when positing a small company, took that into account, and these are the absolute minimum that can be done if a company is to be found to have adequate procedures.

The optional list includes the following:

• Making employees of the UK company engaged in bidding for business fully aware of the company’s anti-bribery statement, code of conduct and, where appropriate, that details of its anti-bribery policy are included in its tender
• Including suitable contractual terms in its agreement with the local agent/advisor including a) requiring the local agent not to pay bribes, b) giving the UK company audit rights, c) requiring the local agent to report to the UK company any bribe requests, and d) in the event of “suspicion,” of bribery, a termination right.
• Making employees of the UK company fully aware of policies and procedures applying to hospitality and facilitation payments, and making its employees aware of financial controls, sanctions, and reporting channels
• supplementing the above with special training for UK company employees involved with activities in Bribe-istan.

There’s a lot here, and not much of it is good.

Here’s where “communication” and “training” should be separate: there’s a little too much going on here. I don’t like multi-tasking, you end up doing all tasks badly. You have a high-risk agent in a high-risk country. Of the four points above, fully none of them deal with communicating with the agent, or training the agent’s employees, or ensuring that the agent trains its own employees. One of them, the contract-rights point, deals with it a little, but it’s so bad, and so unrealistic, that I find it hard to even discuss it. But I will.

Let’s take each point as it comes, shall we?

Point #1: You have to make your employees aware of your anti-bribery policies. Said another way, water is wet. Thanks.

Point #2: Let me come back to this one.

Point #3: Making employees aware of rules around hospitality, facilitation, financial controls, disciplinary consequences, and reporting channels. I would have thought that this would be covered by point #1. But just in case you missed it the first time: water is wet. Yes, you need to make your employees aware.

Finally, point #4: supplement where appropriate with additional training to those employees who are involved with Bribe-istan. Do I need to say it again? OK, I will: water is wet.

Let’s talk about training. You need to have tiered and targeted training. The first piece to that is identifying who needs more training. Top tier are employees who sell to foreign governments. Finance people, marketing people are next tier. Third tier is all managers not included already. Finally, everyone else. In a small company, fourth tier get nothing, third tier get normal communications (some of which should include anti-corruption messages), second tier gets familiarization, first tier is where you spend your time. That’s for a small company. Larger companies should follow a stricter training regimen. Fourth tier get nothing special, third tier gets familiarization anti-corruption-specific training. Second tier gets specialized training to their function (e.g. Anti-corruption for Finance people), that should be specifically developed for that function. First tier should get regular, specifically designed, live training. Yes, live.

Let me digress for a second about training methods. Live is good. Everything else sucks. Yes, everything. Okay, maybe not the Cisco Telepresence stuff (full disclosure: Cisco is a client of my employer, Recommind. But I fell in love with Telepresence way back when I worked for Amex, so there’s no real conflict). Telepresence is very hi-def video conferencing. Fifty inch flat screen TVs. Very cool. It’s almost like begin there. No audio lag like on other video teleconferencing systems. None. It’s awesome. So that’s probably 90% of being there. Live works. Conference calls don’t work. Certainly e-learning doesn’t work. By “doesn’t work” I mean that it doesn’t stand a snowball’s chance in hell of actually changing behaviour. That doesn’t mean you don’t have conference calls, or web-based training. You certainly need it, because you won’t be able to do live training for everyone. But there’s just no substitute for live training.

So if you’re a large company, you need to give your highest risk employees live training.

You also need what I call “informal messaging.” This is keeping anti-corruption in front of your employee audience. You need more frequent informal messages for high-risk employees. These can be mentions in the CEO video or discussions in town halls about corruption issues, or other similar opportunities. As one of my old bosses used to call it, “teachable moments.”

Now let’s move over to point #2, contract provisions. The reason I really don’t like it very much is that it’s advice to small companies. But other than the first point, requiring the local agent not to bribe, they’re all not feasible for smaller companies. A small company won’t have the capacity to audit, neither in terms of resources, nor in terms of finances. And a small company won’t have leverage on its third party agent to force it to adopt these audit rights. Plus, in my experience, if there’s an issue, the odds of your third party agent in Bribe-istan letting you conduct a real audit are nill. So you’re in a situation where you’re asking for something that you can’t actually act on (and if you have the audit right and don’t exercise it, you are really in a pickle.)

Let’s go in order, though. I have yet to meet someone who would pay a bribe, but not sign something saying they won’t. A contract provision requiring a local agent not to pay bribes…hmmm…do you want to make him pinky swear? Same with making your agent swear to report bribe requests. If he lies, you can give him double-secret probation.

Let’s say a word about termination rights. First, if you have them and don’t use them when an issue happens, you look bad. Plus, having negotiated more of these things than I can count, they’re notoriously hard to get into contracts. And the people who negotiate these things have to know that it’s a deal-breaker, because otherwise, they’ll have termination rights in some contracts but not others. And you know how that looks to a regulator when the agent with whom you have an issue is one of the ones without.

And why are contract rights in a list of communication and training points?  I don’t think there was enough guidance her for smaller companies in their interaction with risky third parties.  What do you think?