Counting to 10, Internet Fact-Checkers, and Integrating Acquisitions

6 Aug

My saintly mother used to tell me that when I get upset, I should count to 10 before I opened my mouth. It saves you, she would tell me, from saying something that you don’t mean, or that will make you look stupid. This wisdom applies doubly for a writer. Just like you shouldn’t shop when you’re hungry, you shouldn’t write when you’re riled up. I ignored that advice. But thanks to the wonder that is the Internet, I always have people fact-checking my work.

To this particular fact-checker—and you know who you are—thank you for pointing out what I should have caught the first time.

On Friday, I wrote about the Nordam Group non-prosecution agreement, and how Dan Kahn and Stephen Spiegelhalter at DOJ, along with their boss Chuck Duross, plus Nordam’s counsel Carlos Ortiz all had a brain freeze and included a requirement that Nordam train all their third parties.

Turns out, it was me who had the brain freeze, not them.

I wasn’t wrong: requiring a company to train all their third parties is stupid and unrealistic. Totally unworkable.

And if that’s what the Nordam Group agreed to, that would be ridiculous. This is an example of why it’s so important that you actually read all of the NPA, not just the single paragraph that generated so much ire. If I had bothered to actually research rather than just react, I would have written something entirely different, and much more complimentary.

As it turns out, both DOJ and Nordam’s counsel were actually pretty reasonable about training. More than that…very reasonable, incredibly reasonable, perfectly reasonable. Let’s look at what the Nordam Group NPA actually requires Nordam to do vis-a-vis training.

In paragraph 8, Nordam agrees that its compliance program needs to be communicated effectively both internally and “where necessary and appropriate” to agents and business partners. This requirement comprises training employees and, “where necessary and appropriate,” training third parties. It also requires annual certifications of compliance with the training requirements signed by its internal employees and by its third parties, but again, only “where necessary and appropriate.”

In fact, I’d find it difficult to find another place where Dan, Stephen, and Chuck could have included “where necessary and appropriate” without it looking like subliminal advertising. “The company agrees to implement financial [cough…where necessary and appropriate…cough] controls that [cough…where necessary and appropriate…cough] ensure transactions will accurately [cough…where necessary and appropriate…cough] reflect….” You get the idea.

What the DOJ required of Nordam makes perfect sense, and allows for exactly the kind of flexibility I accused the Department of neglecting. I would also argue that it’s a loophole that you can drive a truck through, and I would suggest using the biggest 18-wheeler you can find, but that’s another post.

Upon reflection, and upon doing the work I should have done last Friday, I now think this was just the DOJ suggesting that training third parties is a good practice, but recognizing that third parties present their own challenges.

If I were in Chuck’s seat (or Dan’s or Stephen’s) I would likely take a different approach. I would probably require companies ensure that third parties have their own program; I wouldn’t make Nordam export their training to anyone. But the difference isn’t nearly the chasm that I thought it was on my reading of just the one paragraph—which I’ll get to in a second—that I wrote about in the last post.

We’re much closer together than I thought we were, as it turns out. Just a short hop, as it were. I can’t argue with an approach that doesn’t make it too prescriptive. The DOJ seems to recognize that each company in each market is different, and each company’s risk profile is something that can change over time. And the DOJ seems to be indicating that this is something companies should be thinking about based on what’s practical, the market risk, business risk, transaction risk, and other red flags. The DOJ is trying to thread the needle here, and does a damn fine job of it, IMHO (more H, now that I’ve actually read the thing).

As it turns out, the requirement as it’s actually written seems to prove a different one of my central contentions: that the DOJ is extremely reasonable and measured in how it prosecutes corporations.

So where does the offending paragraph from my last post come from?

In paragraph 13 of the NPA, the DOJ talks about how Nordam should integrate new acquisitions. The NPA requires Nordam to do appropriate due diligence [n.b. is “appropriate due diligence” redundant?]

It also requires that Nordam apply its policies to the new acquisition “as quickly as practicable.” Including requiring Nordam to “train directors, officers, employees, agents….” Even here, it only requires this training “promptly.”

Plus, the DOJ includes a separate qualifier: it only requires training of employees of a new acquisition “who present corruption risk to the Company.” I would suggest that this qualifier has exactly the same effect as “where necessary and appropriate” that we saw above.

I’m actually blown away at how reasonable the DOJ is being in this thing, yes? [One assumption I’m making is that this wasn’t something that the DOJ didn’t want in there, but outside counsel did. It’s possible, but I would think, unlikely]. I hear outside counsel say all the time “train everyone.” Even the DOJ isn’t saying that. The DOJ is saying that companies need first and foremost to think. Where’s the risk? How does that risk impact my operations? What’s the most reasonable way to respond to that risk?

In this context, the requirement to train all employees who present corruption risk makes perfect sense. I would suggest the DOJ could have reasonably gone further and required training every employee in a new acquisition.

This requirement isn’t about training everyone in a third party, it’s training everyone in a new acquisition. One problem that we see over and over is companies not integrating new acquisitions. Watts Water comes to mind. If that new acquisition has or initiates problematic transactions, the DOJ has little pity (and rightfully so). Requiring Nordam to integrate “as quickly as practicable” and “promptly” seems eminently fair and reasonable.

I would love to blame Dick Cassin. After all, he made the same mistake. But what’s written on my site isn’t Dick’s responsibility, it’s mine. As soon as I hit “publish,” it became my error.

So, let’s just get past this little SNAFU, shall we, and back to our regularly scheduled ranting and raving? Just better informed.

Unrealistic Expectations: Training Third Parties

3 Aug

Thanks to the FCPA Blog for pointing this out. I think we covered Nordam on This Week, but I glossed over the piece that Dick Cassin wrote about today.  Buried in Nordam’s non-prosecution agreement is a requirement that the company train its third parties. The company is required to:

train directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof, who present corruption risk to the Company, on the anti-corruption laws and the Company’s policies and procedures regarding anti-corruption laws.

Um…no.

I’m hoping that the DOJ prosecutors assigned to the case, Dan Kahn (who I know) and Stephen Spiegelhalter (who I don’t), just overlooked this. Or more likely—since I know for sure that Dan is a really smart, reasonable guy, and since they both report to Chuck Duross, who is another really smart, very reasonable guy—this was something that Nordam proposed.

It’s possible that Nordam doesn’t have a whole lot of third parties.  I’m willing to buy into that for two reasons.  First, like I said, Dan and Chuck are reasonable people: they don’t want to put a company in a position of adopting an impossible requirement.  Second, Nordam was represented by LeClair Ryan’s Carlos Ortiz.  Ortiz is the real deal, from what I can tell (I’ve never met the guy…we’re not even connected on LinkedIn), and LeClair Ryan had the incredible intelligence to hire Mike Volkov, so it’s a firm that has its head on straight.

But what Nordam agreed to?  Training everyone?

Um…no.

This is such a misguided requirement. I sincerely hope it doesn’t become a part of DPAs and NPAs going forward.

Let’s take a step back from training third parties for a moment. Let’s talk about audit rights. Because I see in the training requirement the same drawbacks that I see in audit rights.

Audit rights come in two forms, when-something-goes-wrong audit rights, and once-a-year audit rights. The former I’m fine with, the latter, not so much.

Don’t get me wrong, it’s a great story, if you can pull it off. But it’s a classic example of “be careful what you wish for.” Take a moment and think about what it takes to do periodic audits of your third parties. This might actually be easier for smaller companies to pull off than larger ones. Because for larger ones, it’s a nightmare, bordering on impossible. Actually, I’m temporizing. It’s not bordering on impossible, it is impossible.

Some larger companies have literally a hundred thousand third parties. Or more. Putting aside the actual work of sending people to 100,000 companies around the globe, how about just the administrative burden of arranging the audits, collating the results, analyzing the results, deciding on action plans. Just collecting the list takes time, a lot of time. It took Tyco more than 6 months just to pull together a preliminary list that was 1/8 of the final list. Plus the follow-up on any management action plans that result from the audits. Consequence management for companies that fail to implement or successfully implement action plans. Or for companies that fail to allow audits. Following up to make sure that issues aren’t recurring. Just think about all the electronic detritus that would be generated from auditing 100,000 companies every year.

Ah…I hear you. If done right, it wouldn’t be 100,000. You’d risk-rate the third parties. No reason to audit the people from whom you buy copier paper, right? First, that assumes you get competent advice from outside counsel on how to properly risk-rate anything. Asking a risk-averse industry how to risk-rate will only lead to agita. Sorry, I’ll end this foray into that particular frustration of mine.

So assuming you get good advice, you’ll actively be auditing maybe 5% of your total number of third parties (Tyco’s program had 5.6% rated high risk). So…5,000 third parties, every year. All of them the highest of the high risk. Or maybe I’m being overly risk averse myself. Let’s say 1%. So…1,000 independent companies to audit, every year. That’s 2 1/2 companies a day, every day, every year (if you go with business days, and national holidays, it’s 4 companies a day).

Oh yes, one other thing: do you have 4-5 people who are competent to even do these types of audits?  Do you have even one?

All of this, by the way, for a totally non-profit-generating activity, which will have the gratuitous side effect of pissing off your suppliers, distributors, and agents.

Now let’s transition the topic back to training. You have 1,000 companies to train. Who do you train in those companies? Everyone? “Directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof”?  How do you even figure out who the “relevant” employees are?  How do you ensure that your high-risk partner is training the right people?  Who pays?  How do you monitor? What’s the consequence management program? What do you do if the third party says no?

That’s a serious consideration, by the way. Sure, sometimes, it’s a huge corporation whose business is so important to the third party that the huge company can pretty much force the smaller company to do anything they want. Including training.

But sometimes it’s a huge company contracting with another huge party. How do you enforce your training requirement on, say, Hewlett-Packard? Or Siemens, for that matter? Do you require HP to train all of its 300,000 employees? Do you accept their training program? How do you evaluate their training program to see if it meets your standards? Do you require American Express to put their board members through your training? Ursula Burns, the CEO and Chairman of Xerox, is on there. What about Microsoft? Are you going to require Microsoft to go through training? Their Board?

The ability to get anyone to train is heavily dependent on your bargaining position. Nordam is a big company in its space, so perhaps it has negotiating power. But what about smaller companies? How are they supposed to get their larger distributors to agree to training?

By the way, the companies you’re required to train are the same companies you’re going to audit.  Control fatigue, anyone?

It’s an impossibly complicated task, just that one little paragraph. The company has overpromised, in my opinion.

Let’s hope this doesn’t become SOP for the DOJ, like the FCPA Blog thinks it’s going to.