I’m in the middle of a long piece on risk assessments that is surely going to be the death of me.
A couple of random thoughts:
- Since I wrote the “Getting Advice” entry, I’ve spoken with Tom Fox several times, and we’ve corresponded on a number of issues. Add him to the “advice” list. If you’re looking for someone with practical knowledge of how to implement a program, he’s got it, in spades. And I’m not just saying that because he linked to the piece.
- I’m a fan of an SHTF policy. If you don’t know what SHTF is, the last three letters stand for “hits the fan.” This is a policy that lays out what happens when the government unexpectedly comes calling, or there’s a dawn raid in your offices in Frankfurt, or the Wall Street Journal calls and asks for comment on a story about how you’ve been bribing officials in Freedonia since 1982. The point of an SHTF policy is to avoid the confusion that comes in the initial stages of an incident. Everything gets laid out beforehand. You name crisis team members and their responsibilities, you identify all the key stakeholders, and you have pre-laid action plans. The policy should be specific enough to be easily implemented, but loose enough that you can remain nimble. As Mike Tyson once said, “everyone has a plan until I hit them.” Not everything in the policy will work in every situation, but having a plan is always better than not having one.
- I see a lot of programs sliding into inertia because they want a holistic program. I was at a dinner the other night where someone raised a question about data remediation: “where do I start?” My advice was, “start anywhere.” Same with FCPA compliance. You’re going to have a much better story to tell if you pick a place and dig in. I know that you’re changing the tires on a car traveling at 60mph, but if you just stare at the tires and the speedometer, nothing will get done. Someone at a consulting firm once said—and I love the quote—“you have to stop admiring the problem.” “Admiring the problem” will get you into trouble. Pick something. Training is a good place to start. Do some. Get your Board together and have your Chief Compliance Officer, or your FCPA person, train them on FCPA. Then schedule business unit leadership team meetings and give your FCPA person 90 minutes. Yes, it’s a lot of time, but take it; it’ll look great. 50 minutes of training, 15 minutes role-playing, 25 minutes Q&A. In person. Then pick your 10 riskiest countries (this isn’t rocket science: get the Corruption Perceptions Index and start from the bottom; wherever you have 10 or more people on the ground, add it to the list). Train the sales, finance, marketing, and leadership teams in those countries, in person. I don’t care if you have tests or not: it’s better to conduct training without tests than it is to not conduct training because you’re evaluating how to administer testing. Or, if you want, pick policies. Get a professional compliance person to write a new policy. Get one sales, one marketing, one operations, and one compliance person together, lock them in a room, and come out with a policy that isn’t written by lawyers for lawyers. Have it translated into the languages of your 10 riskiest countries, and then make the country leader make a big deal out of it. Mention it in town halls, send messages to front-line supervisors with a copy and a message from the in-country leader saying how important it is. Or, pick due diligence. Talk to business leaders about red flags, and ask them to identify the 10 riskiest vendors, contractors, or agents. Do some diligence on all 10. Present the findings to your risk committee. You have a risk committee for something, right? Operational risk? AML? Something? If yes, use it. I don’t care that they don’t know FCPA (they’re ripe for some training, though, right?) because you’re not asking untrained people to opine on FCPA; you’re “integrating your FCPA compliance into pre-existing risk mitigation functions.” Or, pick monitoring. Have your CFO pull the last 50 payments into the 30 lowest countries on the CPI. Arrange them in order of amount. Start at the top and justify each by talking to the person who signed off on it. Ensure that actual goods or valuable services were received by your company. Repeat this exercise once a month. None of these are sufficient in and of themselves, but it’ll show that you’ve acknowledged the problem and are beginning to enhance your controls. Action is always better than inaction.
- I find it ironic that Renault is in trouble because of how they reacted to a whistleblower. Take that, France.
- I had dinner with Tom Fox last night. Can I say that again? I had dinner WITH TOM FOX last night! He’s really a great guy. And he knows his stuff.
- I said above that you should have your FCPA person conduct training. What if you don’t have an FCPA person? My advice is not to hire outside counsel to conduct training. There are lots of outside counsel I like, lots of great lawyers. But what you need is a teacher, and that’s not necessarily in a lawyer’s wheelhouse. You’re probably better off with someone from a consulting firm: PwC, Deloitte, that kind of thing. Or a total outsider. I know a few. Send me an email if you want more information on that.
- Once again the Global Ethics Summit has turned into an FCPA conference, or so I’m told. What happened to privacy, the ethical obligations of cloud storage, antitrust, health care law, etc.? Did they just disappear? Or AML? Sanctions? Is there nothing GCs are concerned about other than FCPA? Is it a legitimate excuse that your sanctions compliance program isn’t up to snuff because you’ve been diverting limited resources to your FCPA compliance program? I wonder what Adam Szubin would say about that.