My kids are reading Harry Potter, which is where the title comes from. Given Harry’s UK origins, I thought it appropriate. I’m also a little worried because I’m coming to the UK next week. I’ve been, ahem, somewhat critical of the UK government recently, and I’d like to be admitted to that wonderful country. So for this last case study, let me say that I’ve never read a more cogent and convincing risk mitigation plan.
*cough cough* I can’t do it. I’ll risk getting turned around at Heathrow.
It’s bad. It’s also typical of the lot: it is so shallow that if a company were to follow all of the requirements, it still wouldn’t have adequate procedures to cover the risk it has incurred.
Let me digress for just a moment for my first caveat. I started this case study series because Tom Fox was writing about the Guidance and started at the beginning. I figured I’d start at the end. I’ve had a fun time writing some scathing criticism of the eleven case studies. And it’s not that they didn’t deserve it. But let me say one thing. I’ve been there. I’ve had to write guidance for compliance with policy. It’s not easy. What’s easy is my sitting in the background criticizing the people who are in there doing the work. The MOJ employees who wrote the Guidance did a tremendous job putting it together while under an incredible amount of pressure. My hat is off to the authors.
That said, I’m sticking to my assessment of this case study. It’s just bad. I have respect for the authors, but I don’t know what they were thinking. Let’s go point by point, shall we? For one last time?
We have a small export company operating through agents in a number of foreign countries. It recognizes that its reliance on agents increases its bribery risk and wants procedures proportionate to the risk. Let’s walk through what the Guidance suggests:
- Using trade fairs and trade publications to communicate to the market that it is strongly against corruption
- Oral or written communication of its bribery prevention procedures to its agents
- Controls on its associated persons, including
  - questionnaires and internet background searches
  - checking references
  - representations in the contract
- Using informal training opportunities to raise awareness of red flags (including evasive answers to straightforward questions, overly elaborate payment arrangements, and unusual expense reimbursement requests)
- Using external sources to “inform” relationships with the agents
- Having a confidential reporting channel
This is a small company, and the UK government has made clear that it doesn’t want small companies too affected by the need to implement intrusive procedures. Let me give you a quote from Kenneth Clarke, from just before the Guidance was issued. He said the guidance to be issued would allay
fears sometimes aroused by the compliance industry, the consultants, the lawyers who will of course try to persuade companies that millions of pounds must be expended on new systems which in my opinion no honest firm will require to comply with the act.
Pretty strong words. Remember also the rush, right before the Guidance was issued, to “review” the law’s effects on business interests. It has been felt that those business interests influenced what has since been perceived as a watering down of the act through enforcement pronouncements.
So the purpose of the Guidance is to calm the worries of smaller UK companies. (It’s worth it, by the way, to watch Ken Clarke talk about this, pre-Guidance.)
Here’s the basic problem, and you should take this to heart: risk is a function of transaction, geography, and agent; it is not a function of company size. The fact that the smaller company is engaging in risky transactions doesn’t self-mitigate because the company is small. In fact, I think a good argument can be made that larger companies have more sophisticated financial controls, so the risk is actually greater in smaller companies. [There’s another argument, of course, that smaller companies have more immediate control over employees. Even if that’s a wash, it’s still true that company size is not a major factor in risk assessment.]
The Principle behind the case study recognizes this.
“Some small organizations can face quite significant risks, and will need more extensive procedures than their counterparts facing limited risks. However, small organizations are unlikely to need procedures that are as extensive as those of a large multi-national organization.”
I understand the challenge. Or, in consultant-speak, I admire the problem. Controls in smaller companies do not have to be as robust as in larger ones. There are two ways to approach that, however. The first is to put controls in a list: A, B, C, D, E, and F. Larger companies have to do A through F, medium-sized companies A through D, and smaller companies just A and B. That’s this chart, via Tom Fox:
But there’s another way.
When I have something to write, I use the “Madman, Architect, Carpenter, Judge” method. It’s a four-stage writing process designed to get all your thoughts down onto paper before you begin editing. I find it effective. Here’s the twist: no matter how little time you have, you always go through all four stages. Just because you have 30 minutes, you don’t skip a step. You just spend less time on each stage. If you have 30 minutes, you spend 10 on madman, 5 on architect, 10 on carpenter, 5 on judge. Or whatever split works for you. If I have weeks, I’ll spend 8 days on madman, etc.
I think the same method, suitably altered, should be used with risk mitigation. You use all the tools, just less of each one. You have a questionnaire; you just don’t have a lot on it. You have contract provisions, monitoring, etc., just less of them. Reasonable people can disagree on this, I think. I come down the way I do because I can’t envision skipping a major control area simply because I’m a small company, if the risk is high.
Say what you will about the US Department of Justice, but they tell us what their expectations are. Adequate procedures in the US include the following:
- Clearly worded policies
- Tone at the top
- Standards and Procedures
- Risk Assessment
- Involvement of senior management
- Financial controls
- Effective communication
- System to provide advice
- Disciplinary measures
- Due diligence on third parties
- Contract provisions
- Periodic testing and review
I would suggest that larger companies need to have lots of each of these. Smaller companies can have less of each of these, as long as they have something in every category. Can you look at that list and tell me which ones you can live without?
As I read Principle #1, I see that “Proportionate Procedures” is a way to say “your entire program.” Given that, I think that this case study’s list—even for smaller companies—is totally inadequate.
According to this case study, as long as you have internal and external communications, some diligence, and some contract provisions, you’re good to go, Mr. Small Company. Nothing is mentioned about risk assessments, nothing about ongoing monitoring of third parties to detect risk (you could argue it’s shoe-horned into the red flags review, I guess), nothing about financial controls, nothing about internal auditing (as opposed to auditing of third parties), and nothing about ongoing auditing of third parties (which I hate, but which my colleague Tom Fox sees benefits from).
What are adequate procedures for a small company, IMHO? (Remember my disclaimer, everyone. I’m a lawyer, but I’m not your lawyer. I offer commentary, not legal advice. If you do what I say, it’s at your own risk. Besides, I’m not licensed to practice law in Great Britain. If you want legal advice, call your barrister, or solicitor, or whatever they call outside counsel there. If I were in London, I’d call Gary DiBianco at Skadden or John Rupp at Covington. They’re in London, and they really know this stuff.)
Here is what I think should be sufficient for small companies operating in a risky environment:
- Have a policy that clearly says “we don’t bribe, ever.” That policy should be sent out by the CEO with a personal plea to avoid bribery as a business practice, and laying out a confidential reporting channel
- See above: have a confidential reporting channel
- Conduct a risk assessment yourself. Rate your geographic footprint into high and low risk. Risk determines procedures.
- Contract provisions MUST include termination rights at the UK company’s sole discretion in the event there is suspicion of bribery. Contracts should also include a clear statement by the agent that it understands anti-corruption laws and agrees not to pay bribes in the service of the company
- Training for all employees that includes how to handle requests for facilitation payments, travel, and hospitality (think “modest”). If the company can afford it, live training; if not, computer-based training or conference calls, plus informal training opportunities at team meetings, etc., used to discuss hospitality and facilitation payments
- Hiring of third parties must be approved by the COO or a similar senior position (remember, this is a small company, so there will supposedly be less bureaucracy). Hiring will only be approved after the agent has filled out a basic questionnaire asking whether any senior employees are related to government officials, whether the service to be provided touches government officials, and whether the company has ever been investigated for bribery-related offenses. Also, no hiring will happen until the agent has been run through an internet news check, a reference check, and a check with the local embassy. Every invoice submitted by the agent requires dual approval
- All expense reports require approval by someone outside the chain of command of the person submitting the report
That list should be tailored to your company, but you get the idea, right?
Thus ends the case study series. As I said, though, the next thing I’m going to attempt is my own guidance document. That might take a while. Check back.
Also, make sure you check out Tom Fox and me in our new weekly videocast: This Week in FCPA. Sure to entertain and inform.