Case Study #2: Proportionate Procedures
Continuing my series on the UK Bribery Act Guidance, what follows are my comments on the second case study in that document.
As I further consider the Guidance, I waver between “it met my incredibly low expectations,” and “it didn’t move the bar at all.” I think the truth lies between those extremes.
So here we go:
Before I even get into the hypothetical, can I just point out that by saying “proportionate,” that already injects uncertainty into the document? Because it does. The FCPA Professor, Mike Koehler (pronounced KAY-lur), said on a panel today that if anyone expected the guidance to be prescriptive, they were unrealistic in their expectations. He also pointed out that the UK has at least put out guidance. Both true. But still.
So here, a small to medium sized company is operating only within the UK. It relies on independent consultants in its overseas sales process. The consultants work on a cost-plus-fee basis. They are chosen because of their extensive business contacts. This setup registered as a medium-to-high risk on the company’s risk assessment.
Mitigation, according to the Guidance, could include all or some of the following:
–Communicate a zero-tolerance policy statement internally and externally, including “sectoral bodies and local chambers of commerce.” [You just have to know that if I put something in quotes like that, I’m going to criticize it later, right?]
–Due diligence on the consultants including a) making inquiries through local business contacts, chambers of commerce, business associations, b) internet searches, and c) following up on references and financial statements.
–Including stricter language in contract provisions with the consultants. The terms should a) reflect a commitment to zero tolerance, b) set clear criteria if the consultants want to provide hospitality, c) define specifically how the consultant is to be paid.
–Make the consultants’ contracts subject to periodic review and renewal.
–Draft a guide for salespeople.
–Mentioning the commitment against corruption in business meetings, even to include anti-corruption as a topic regularly.
–Running an anonymous hotline.
Let’s talk about each of these points in turn.
Zero tolerance is ridiculous. Here’s the problem with zero tolerance. Let’s say you have a critical supplier. That supplier does something you’re not comfortable with. The rational businessperson says, “let’s express our displeasure, figure out some reasonable mitigating controls, and move forward.” That’s the right call. Zero tolerance gives you two choices: abandon your critical supplier, or violate your own policies. That’s a terrible option. Violating your own policies is never a good option. It turns your whole program into a farce. So if you say “zero tolerance” you’re out of options. It’s never the function of a compliance officer to eliminate options. The job is to open up options. To be a creative solutions vendor for the business.
Again, I’m not apologizing for bribery, or suggesting that remedial actions can never include termination or severing a long-standing or even critical relationship. It’s just that, in my opinion, that “nuclear option” will almost never be used.
Also, they want companies to convey this zero tolerance policy to the community at large? Get real.
Remember also that this is a small to medium sized company. I’ve worked for two huge companies, and it was always, always a challenge to get language in contracts or alter the behavior of third parties. I don’t know that truly altering third-party behavior can’t be done, but it takes more skill than I possess to do it.
Next: diligence. The Guidance suggests inquiries through business contacts and chambers of commerce, etc., internet searches, and following up business references. Wow…that’s it? I mean, no OFAC/sanctions list checks? No questionnaires? No identification of beneficial ownership? No site visits? Don’t get me wrong, all they suggest is good stuff. I especially like the follow-up-on-references thing. A must-do. I once prosecuted a woman who almost bankrupted the company she worked for through her embezzlement. Turns out, she had done the exact same thing before with the last company she worked for. The first company fully cooperated with the prosecution, and she went to jail. When she got out, she applied to the second company. When she applied, she put the first company—the one that prosecuted her for theft—as a reference! The second company she worked for never checked the references. So yes, please always check references.
All in all, none of the actions suggested by the guidance are useful in determining future conduct. Any prosecutor will tell you that the best indicator of future conduct is past conduct. So the best of all options is the internet search, which I presume includes a negative news search.
After diligence comes contract language, again with the zero tolerance. Setting criteria for hospitality sounds good, but what should the criteria be? Reasonable, non-lavish expenses? Thanks so much. If you can’t tell me what the criteria should be, how can I tell my third parties? Defining the basis of remuneration…thanks so much. Is there a contract that doesn’t do that? And “consider” making the contracts subject to periodic review. To me, that’s mandatory. If you’re not going to do real diligence, you need to more closely monitor performance.
The key to third parties lies in three things. First, make sure you’re paying market value for whatever you’re buying. Second, make sure that you’re only paying that amount. Third, make sure you’re actually getting what you’re paying for. If you’re doing those three things, you’re mitigating most—if not all—of your risk. Where companies get into trouble is not knowing a) that there’s money left on the table, or b) where that money is going.
Point five is drawing up key points for sales staff. Okay. Do it. In fact, I’d say that with this little diligence, you better do a lot of training.
Point six, emphasizing these policies and procedures at meetings. Okay, do this too. I would think you’d do it anyway, and for compliance generally, not just FCPA. But if you don’t, FCPA is a great place to begin.
Finally: have a hotline. Yep, another blinding glimpse of the obvious. Thanks.
It amazes me that the preface to this list is that companies might consider “any or a combination” of the points. I would think that all seven are mandatory. More than mandatory: they’re the absolute minimum.
Once again, with this hypothetical, the UK government commits to nothing and guides no one. It lays out a list of optional points that, if a US company did all of them, would still be considered inadequate.
Yeah, I’m back with “didn’t move the bar at all.”
Tomorrow for Case Study #3.