Archive | Programmatic Issues

Counting to 10, Internet Fact-Checkers, and Integrating Acquisitions

6 Aug

My saintly mother used to tell me that when I get upset, I should count to 10 before I open my mouth. It saves you, she would tell me, from saying something that you don’t mean, or that will make you look stupid. This wisdom applies doubly for a writer. Just like you shouldn’t shop when you’re hungry, you shouldn’t write when you’re riled up. I ignored that advice. But thanks to the wonder that is the Internet, I always have people fact-checking my work.

To this particular fact-checker—and you know who you are—thank you for pointing out what I should have caught the first time.

On Friday, I wrote about the Nordam Group non-prosecution agreement, and how Dan Kahn and Stephen Spiegelhalter at DOJ, along with their boss Chuck Duross, plus Nordam’s counsel Carlos Ortiz all had a brain freeze and included a requirement that Nordam train all their third parties.

Turns out, it was me who had the brain freeze, not them.

I wasn’t wrong: requiring a company to train all their third parties is stupid and unrealistic. Totally unworkable.

And if that’s what the Nordam Group agreed to, that would be ridiculous. This is an example of why it’s so important that you actually read all of the NPA, not just the single paragraph that generated so much ire. If I had bothered to actually research rather than just react, I would have written something entirely different, and much more complimentary.

As it turns out, both DOJ and Nordam’s counsel were actually pretty reasonable about training. More than that…very reasonable, incredibly reasonable, perfectly reasonable. Let’s look at what the Nordam Group NPA actually requires Nordam to do vis-a-vis training.

In paragraph 8, Nordam agrees that its compliance program needs to be communicated effectively both internally and “where necessary and appropriate” to agents and business partners. This requirement comprises training employees and, “where necessary and appropriate,” training third parties. It also requires annual certifications of compliance with the training requirements signed by its internal employees and by its third parties, but again, only “where necessary and appropriate.”

In fact, I’d find it difficult to find another place where Dan, Stephen, and Chuck could have included “where necessary and appropriate” without it looking like subliminal advertising. “The company agrees to implement financial [cough…where necessary and appropriate…cough] controls that [cough…where necessary and appropriate…cough] ensure transactions will accurately [cough…where necessary and appropriate…cough] reflect….” You get the idea.

What the DOJ required of Nordam makes perfect sense, and allows for exactly the kind of flexibility I accused the Department of neglecting. I would also argue that it’s a loophole that you can drive a truck through, and I would suggest using the biggest 18-wheeler you can find, but that’s another post.

Upon reflection, and upon doing the work I should have done last Friday, I now think this was just the DOJ suggesting that training third parties is a good practice, but recognizing that third parties present their own challenges.

If I were in Chuck’s seat (or Dan’s or Stephen’s) I would likely take a different approach. I would probably require companies ensure that third parties have their own program; I wouldn’t make Nordam export their training to anyone. But the difference isn’t nearly the chasm that I thought it was on my reading of just the one paragraph—which I’ll get to in a second—that I wrote about in the last post.

We’re much closer together than I thought we were, as it turns out. Just a short hop, as it were. I can’t argue with an approach that doesn’t make it too prescriptive. The DOJ seems to recognize that each company in each market is different, and each company’s risk profile is something that can change over time. And the DOJ seems to be indicating that this is something companies should be thinking about based on what’s practical, the market risk, business risk, transaction risk, and other red flags. The DOJ is trying to thread the needle here, and does a damn fine job of it, IMHO (more H, now that I’ve actually read the thing).

As it turns out, the requirement as it’s actually written seems to prove a different one of my central contentions: that the DOJ is extremely reasonable and measured in how it prosecutes corporations.

So where does the offending paragraph from my last post come from?

In paragraph 13 of the NPA, the DOJ talks about how Nordam should integrate new acquisitions. The NPA requires Nordam to do appropriate due diligence [n.b. is “appropriate due diligence” redundant?]

It also requires that Nordam apply its policies to the new acquisition “as quickly as practicable.” Including requiring Nordam to “train directors, officers, employees, agents….” Even here, it only requires this training “promptly.”

Plus, the DOJ includes a separate qualifier: it only requires training of employees of a new acquisition “who present corruption risk to the Company.” I would suggest that this qualifier has exactly the same effect as “where necessary and appropriate” that we saw above.

I’m actually blown away at how reasonable the DOJ is being in this thing, yes? [One assumption I’m making is that this wasn’t something that the DOJ didn’t want in there, but outside counsel did. It’s possible, but I would think, unlikely]. I hear outside counsel say all the time “train everyone.” Even the DOJ isn’t saying that. The DOJ is saying that companies need first and foremost to think. Where’s the risk? How does that risk impact my operations? What’s the most reasonable way to respond to that risk?

In this context, the requirement to train all employees who present corruption risk makes perfect sense. I would suggest the DOJ could have reasonably gone further and required training every employee in a new acquisition.

This requirement isn’t about training everyone in a third party, it’s training everyone in a new acquisition. One problem that we see over and over is companies not integrating new acquisitions. Watts Water comes to mind. If that new acquisition has or initiates problematic transactions, the DOJ has little pity (and rightfully so). Requiring Nordam to integrate “as quickly as practicable” and “promptly” seems eminently fair and reasonable.

I would love to blame Dick Cassin. After all, he made the same mistake. But what’s written on my site isn’t Dick’s responsibility, it’s mine. As soon as I hit “publish,” it became my error.

So, let’s just get past this little SNAFU, shall we, and back to our regularly scheduled ranting and raving? Just better informed.

“The Limit Should Be Zero Dollars”

16 Jul

If you don’t read Mark Herrmann’s column on Above the Law, you should.

Today’s column was on one of my favorite topics: the UK Bribery Act, and the semi-ridiculous advice that companies are getting from “experts.”  By the way, if you want an expert, go talk to Barry Vitou at Pinsent Masons.  There’s an expert.  Let’s remember that there hasn’t been a case brought under the UK Bribery Act yet.  (Yes, I know.  But no, there hasn’t been).  So most of the so-called experts are people who have just read the statute, and attended some conferences where other people who have no idea what they’re talking about talk about the UK Bribery Act.

Herrmann talks in today’s column about advice he got about complying with the UKBA.  His approach was that the firm who gave him the advice violated that advice about thirty seconds later.  He said “I could rant at this point about law firms giving utterly impractical advice, but I won’t.”

I will.

What was the advice that Herrmann got?  He attended a law firm presentation on the UKBA, and there was a question asked about what the right entertainment limits were.  The answer he got back exemplifies the problem I have with some outside counsel:

The limit should be zero dollars.  That will keep you safe.

Really?  Zero?

Leave out for a moment that the rest of Herrmann’s column is about how that same law firm sponsored a dinner for some in-house folk.  Let’s just talk about how advice like this harms not just the giver, but the receiver too.  First, the giver.  The person who gives this advice will give it to one of two types of people: people who know what they’re talking about, or people who don’t.  I don’t know which comes out on the bottom.  If the lawyer is giving this advice to a knowledgeable person, that person will likely politely smile, nod, and then put the lawyer in the “idiot” box in his head, and not listen to another thing that lawyer says.  Which is a problem, because maybe in the future—even a stopped clock is right, twice a day—that lawyer will give some advice the client should listen to.  But getting out of the “idiot” box is a rare feat.

Or the recipient won’t know what they’re talking about.  In which case, like a wide-eyed doe, they’ll just accept what the lawyer says as a best practice.  Heaven forbid they go back to their own company and repeat that advice out loud.  (We’re back to the “Idiot” box).  Or even worse, that they’re in a position of authority, and could implement that advice.

Like I said, I don’t know who comes out worse.  Either way you go, someone’s in the Idiot box.

When it comes to hospitality—and here’s my opinion on this—everyone needs to calm down.

Zero is not the answer.  Herrmann’s concern about “killing the business” is probably also a little overblown, if someone wants to go that way.  It’s uncompetitive, certainly.  But you’d be amazed what the market will adjust to.  It’s not something I would recommend.

The number you come up with is entirely less important than the process by which you determine it.  The number can’t be outrageous, but here’s the thing: the DOJ has never brought a case against a company that came up with a reasonable number, and enforced it.  There are few cases where gifts play any role, none where they play a truly primary role, and absolutely none where the DOJ overruled a business decision.  That’s not something the DOJ does, as a rule.  They don’t take a reasoned decision and say “you made the wrong choice.”  Almost all of the time, the company failed to consider the problem, or considered it but said, “who cares,” or the equivalent.

So pick a number.  I’ve heard companies pick one number globally—say, $150 per person—or use different numbers for each region, or each market.  I’ve seen people use their own internal numbers—that is, whatever they’ll reimburse an employee for, that employee can spend on others.  That’s not a bad idea.

The point is, there is no “right answer” here.  It’s what’s right for you.

Just remember, as my friend and colleague Tom Fox always says, “document, document, document.”  Be prepared to tell the DOJ what your number is, why you chose it, who was involved in the decision, and how you’re enforcing it.  Remember, this is a company decision on how it wants to act.  People should know the number.

This applies not just to meals, but to gifts as well.  Same idea applies.  Whatever you decide, just decide.  Pick a number and stick with it.  Enforce it.

By the way, that “zero dollars” idea doesn’t keep you safe.  The business will ignore it, sidestep it, and will do that for just about any advice you give from now on.  You lose credibility with the business, and that’s the ball game!

I have to admit, though, I was always a softy when it came to gifts.  Absent some totally inappropriate gesture, most gifts are harmless, in my opinion.  Tickets to a ball game (or the Olympics) are not, absent something more, really a problem.  Where you need to be a little more careful is when you’re inviting someone where you have an open tender and that person is the decision-maker.  I’ve seen rules which say “here are the rules for everyone except people from whom we’re awaiting a decision, and for those people, they get gornisht.”  That’s a damn fine rule.  Sometimes, zero might be the answer.

But not usually.  And telling people that in a public setting, in my opinion, puts you in the idiot box.

Schedule C, Element #5

9 Jul

At this rate, I know, it’ll take quite a while to get through all 13 steps.  But one small step at a time.

Today’s step is all about reviewing your program on a regular basis.

I want to lay out the importance of this element first, then go into the specifics.

Not too long ago, Morgan Stanley got a bye—a total pass—because of their pre-existing compliance program.  The DOJ issued a press release on the case, and listed three things in it about Morgan Stanley’s compliance program that influenced the decision.

The first one:

“…Morgan Stanley maintained a system of internal controls meant to ensure accountability….  Morgan Stanley’s internal policies, which were updated regularly to reflect regulatory developments and specific risks, prohibited bribery….”

Now let’s turn to the language of the DPA itself, and element #5:

Alcatel-Lucent shall review its anti-corruption compliance standards and procedures, including internal controls, ethics, and compliance programs, no less than annually, and update them as appropriate, taking into account relevant developments in the field and evolving international and industry standards, and update and adapt them as necessary to ensure their continued effectiveness.

What does this mean, and how do you implement this in a real way?

Some might take a look at this and see a requirement to pull their policies off the shelf once a year, dust them off, and put a new coat of polish on them.  Then, after their “annual review” they can put their program on the shelf for another year, and check that box.

And don’t think that this description doesn’t apply to you.  I know I stated it a little more bleakly than usual, but if you’re really paying attention to this series, you are probably open-minded about the state of your program.  Think realistically about how you approach your policies and processes.  Because the annual review—and yes, you need to do an annual review—is not what this element is all about.

“Update them as appropriate” is important, and even more important is “taking into account relevant developments.”  Because this is the crucial piece of the program: the ability to be nimble.

This is something that Tom and I talk about all the time.  It’s crucial, but don’t get the impression that it’s easy.  Like all things worthwhile, this is difficult, and it’s going to take effort, willpower, and resources to get it right.  Let’s talk about the most cost-effective way to make this happen.  Because as Morgan Stanley found out, getting it right generates some huge benefits.

So what does it mean for a program to be “nimble?”

It means a few things:

  1. You need lines of sight into your program so you can find information quickly.  For example, when you read new enforcement actions, and see a corrupt third party identified, you should be able to ping your program to see whether you’ve ever had dealings with that third party.  If you do find something, you need to be able to adjust to that fact.  In the case of a third party, you need to adjust your transaction monitoring of that individual, the risk ranking, and potentially start an audit.  (n.b. a lot of attorneys would tell you “terminate the relationship.”  Terminate, terminate, terminate.  That’s their answer to bad news.  I don’t think that’s always—or even usually—the right call.)  Whatever you decide, it should be a decision, not a default.
  2. You need to review your policies and procedures when they fail.  This is also not so easy.  The main reaction to a failure is usually “move on.”  No one wants to dwell on—and certainly not to take ownership of—a compliance failure.  But the failures are where you learn.  And learning from failure is exactly what we’re supposed to do.  Revel in it.  Own it.  And make sure that you figure out what went wrong.  A side note: my practice is to figure out what went wrong, but I rarely dig too deeply into who went wrong.  That is, why the old process—the one that failed—was like it was.  You must find out—and potentially discipline—the employee who did something wrong.  But figuring out why the old policy was like it was is usually a wasted effort.
  3. You need a line of sight into the business. If you’re doing compliance right, you are a partner to the business. I often say that 80% of compliance is “being in the room.” That is, knowing what the business is doing at any particular time. In this case, it’s knowing what the business is going to be doing. Is the business entering a new market? Developing a new product? Is there a new push toward opening new stores? (Not to think of any company in particular). If you know what the business is up to, you can anticipate new risk.

Recognizing the business priorities and the concomitant risk, and working the new issues into your risk assessment and plan, is what “nimble” is all about.

Notice, by the way, that this is an entirely different effort from the yearly review.

These three things aren’t easy. Developing a relationship with the business takes time and effort. It takes not saying “no” so much. It takes not being the “business prevention department.” Saying “yes” requires more work, on our part. You need to get creative. I used to call myself a creative solutions vendor to the business. You also need the right “ask.” Make sure you’re in the room. Get yourself invited to meetings. Don’t say anything in the meetings. Just listen. Add value where you can. Offer to help. Get one-on-one time with senior leaders. Listen to them.

Getting a line of sight into your program is technology. You need the ability to interrogate the data you already have. This means payment data, contract data, salesforce.com data (or whatever CRM system you use). Plus, if you want to get advanced, you can use your eDiscovery technology to search your actual data. I love this convergence, because you already own the technology. Why not get the most out of it? That’s the essence of compliance convergence: using technology you already own in a different silo. I’m sure you have eDiscovery people: get to know them. For payments, talk to your finance people. You need to understand your finance controls to know where, and how, to interrogate your payments data. Plus, remember there are different kinds of payments: wires, ACH, checks, refunds, credits, loyalty point grants, and more.

Being willing to face your program head on takes investment of an entirely different type. Emotional investment. Or emotional humility. Either one. Both, more likely.

I heard Charles Cain at a conference. He was asked what factors in a company’s compliance program he considers important to a decision to decline prosecution. The first answer he gave was the ability of a program to be nimble.

And because I’m a fan of multi-channel return on investment, I’m happy to say that being nimble presents benefits beyond the immediate—and immense—positives for the program. There are controls that look good and there are controls that actually prevent bribery. You need both, but I’d rather have the latter. What you gain from being nimble—a partnership with the business, technology use efficiencies, and an ability to look dispassionately at your own program—actually prevents bribery. When you add value to the business, when the business knows that all you want is their success, you get something valuable: credibility.

We always talk about credibility in terms of your relationship with the DOJ. And we’re right to. It’s among the most important things.

Credibility with the business is more important.

Being nimble, going through what you need to go through to be nimble, leads to credibility, which leads to sticky advice. And that’s the endgame.

A nimble program has its priorities in order, a nimble program learns from itself, a nimble program can adapt, change, and actually works to decrease bribery across the business.

Defending Wal-Mart

23 Apr

I’m thinking that if I wanted to cement my standing as the reigning anti-corruption iconoclast, a headline like this one would do it.  In the face of the indefensible, let me offer a defense.  Or, at least, some mitigating facts which you should take into account.

The overriding thing I thought of when I read the New York Times article was a quote from the New Testament:

When they kept on questioning him, he straightened up and said to them, “Let any one of you who is without sin be the first to throw a stone at her.”

I remember the first thing I thought of when I heard about the Madoff case, and how it was a closed investigation that came back to bite someone.  I thought, “please Lord, let it not be one of my closed cases.”  Because I knew that it could have been me, easy peasey.

For all the trashing of Wal-Mart that’s going on right now, let he who is without sin cast the first stone.

Because while I don’t agree with the FCPA Professor—shocking, I know—that there was barely a violation, I do believe that Wal-Mart’s actions weren’t as uncommon as you’d think.  Parts of them, anyway.  Let me explain.

I would guess that about 95% of corporate internal investigations remain undisclosed to the regulators.  That number may be a bit low.  And while the allegations that the Mexican subsidiary—it’s not really a subsidiary, I suspect, as it’s all just Wal-Mart—changed the reports, and then got assigned, and quickly scuttled, the investigation seem pretty bad, it’s not something that doesn’t happen, and more frequently than you’d think.

So what’s the normal path of an investigation?

Let me digress here for one minute to disclose my own bias.  My background is in prosecuting, and later in creating and managing compliance programs for, large multinational corporations.  My bias when I describe investigations—and compliance in general—is to describe life in large corporations.  Not just the ones I’ve worked at, but at others against whom I’ve benchmarked and with whose compliance officers I’ve spoken informally.  But even then, my extended experience is similarly with large corporations.  Keep that in mind.

The normal investigation path is this: something comes to the attention of legal or compliance.  This can be just about anything: a call from the Wall Street Journal, a formal whistleblower complaint, a “quick question” from someone in the field, or an email.

Assuming that the person receiving the initial information works in the general area of the complaint, he or she might do a little preliminary digging to see if there’s anything worth really looking into.  Just a couple of phone calls, or checking generally available company resources (like who reports to whom kind of stuff).  Then, thinking, “oh, crap!” the person goes to his or her boss and says, “here’s a new issue; I think we need to look into this.”

The case then gets sent to someone to investigate.  Some companies have dedicated investigation resources, some don’t.  Assuming not—I tend to think it’s rarer to have a dedicated investigation staff than not to have one—the person doing the investigation will be in legal or compliance for the affected business unit.  That person may or may not have real investigative experience.  Conducting an investigation isn’t something that comes naturally, even to lawyers.  It’s a skill, and like all skills, disuse causes atrophy.  This assumes, of course, that the person doing the investigating ever knew how to do it properly.  I’ve seen people conduct interviews, and it’s often a combination of NYPD Blue episodes, Matlock, and Columbo.  I learned from the best, starting with Bronx ADAs Linda Tacoma and Bill Zelenka and going through to some incredible people at the SEC.  I learned the art—yes, it’s an art—of the interview from a couple of first-grade detectives, and plenty of second-grade detectives (first and second grade are ranks within the detective bureau; first-grade detectives are the best of the best that the NYPD has to offer).

But since I don’t do it every day, I’m incredibly rusty.  If I were to start up again, my first 10-20 interviews would be awful.  This is my point: a lot of times the person doing the investigating isn’t an investigator.  Besides that, this kind of investigation is even more difficult: multi-national, different languages, specialized financial knowledge.  How many lawyers had even heard of the term “gestores” before the article?

Of course, Wal-Mart had internal investigators, but the unit was mired in political haggling.  I’m sorry, but that doesn’t particularly shock me either.  If you don’t think there are politics flying around during an investigation, especially an investigation of a high-performing person or unit, you’re out of your mind.  And remember the all-important distinction: investigators are a cost center.  Wal-Mex was a profit center, and an important one at that.  So those investigators had the chips stacked against them to begin with.

Even so, they found enough to generate some worry.  Here’s where there are some things we don’t know.  Were the results ever disclosed to the Chief Compliance Officer?  Did the CCO go to the Board?

In any event, they reassigned the investigation back to the Mexican subsidiary.  It’s hard to see the thought process behind that, now that we know how things turned out.  On the front end of that decision, who better to investigate the alleged misconduct within the Mexican subsidiary than the people who traditionally probably did investigations in Mexico?  One of the key questions, from a blame perspective, is what did the person who made that decision know before he or she made it.  Was that decision-maker aware of specific and credible information linking the illegal conduct with the person proposed as the new investigator?  If so, that’s a bigger problem.  I suspect, however, that it’ll be somewhat less black-and-white than that.

Once the investigation got turned over to the people allegedly involved in the wrongdoing, it’s clear to us that the investigation would be scrapped.  But that’s a certainty that comes again from hindsight.

And corporate headquarters took that conclusion and said, “fine, we’re closing this out.”  Again, in hindsight, that looks horribly bad.  But look at it from their perspective: they turned over the investigation to the proper in-country team, and heard back that there were no issues.  What was HQ supposed to do?  Yes, certain people within Wal-Mart knew that the watchers needed watching, and it’s an open question who knew what, and when.

Again, what doesn’t shock me is that an investigation—even one started with serious allegations—ended internally.

Because let’s face it, what if they had found illicit conduct?  Does that mean that there’d be an automatic self-disclosure to the regulators?  Not on your life.  Investigations that end with a finding of wrongdoing are hardly ever reported to the government.  I think the small subset of self-disclosed internal investigations generally get reported because there’s a calculus that they can’t keep it quiet.

I think “we’ll be found out” is more of a self-disclosure motivator than “we did something wrong.”

Normally, investigations where wrongdoing was found end with some sort of discipline against the offending party, some remedial actions like additional training, maybe a change in controls, and likely an increased audit periodicity.  Maybe suspension or, less likely, termination for an employee.  A low-ranking employee.  Rarely, if ever, a high-ranking one.  And a high-performer?  Almost never.

Do I sound a bit cynical?  Maybe so.

So the investigation ends.  And the question is raised: do we self-disclose?

Ask any outside counsel and certainly any in-house counsel whether their default position is disclose or not to disclose, and you’re sure to hear “not to disclose.”  I don’t know whether, when push comes to shove, that opinion holds up, but it’s certainly the starting point.

A colleague of mine put it very well: not disclosing is like loading one bullet in a gun with 1,000 chambers and pointing it at your head; disclosing is like putting six bullets in a six-shooter, and pointing it at your leg.

You have a 1-in-1,000 chance of getting found out—like Wal-Mart just has been—and suffering a worse fate (like they will).  Those are betting odds.  But disclosing?  You’ll definitely get stung.

Most companies facing that decision will take the odds.

As did Wal-Mart, according to the article.

Some of what was reported seemed pretty bad.  I don’t think it spells the death knell for the reform-the-FCPA movement.  Nor do I think that it’s another example of the need to eliminate corporate subsidiary liability.

I think that it’s nothing out of the ordinary.  A company conducted an investigation, decided there was nothing to the charges, and didn’t disclose.

Happens every day.

Post Script: One personal story about Wal-Mart.  Several years ago, I reached out to one of their anti-corruption people—at the time, it was a guy named Martin Montes—to benchmark.  Incredibly generous.  So much so, in fact, that two of our people got invited to Bentonville to see it firsthand.  I forget why I couldn’t go, but there was some conflict that sent two others instead of me.  Our people went down there and saw how they worked.  They were open with their processes and policies, and it really helped in the development of our program.

The Nightmare Scenario

17 Apr

Please tell me where I go wrong here, because this is something I’ve been worried about for a long time.  So much so, in fact, that I call it my “nightmare scenario.”

It might be unlikely, but legally, am I wrong to worry about this?  And if legally correct, what’s the best argument about why I shouldn’t worry about it?

Here goes:

A business development executive—read, sales person—is traveling to…the location changes in my nightmare, sometimes Azerbaijan, sometimes Kazakhstan…and is stopped at Customs.  The Customs Official has his hand out, saying that there’s a new tax on entry, $5 US dollars.  The sales guy pays the $5 bucks, and sees the Customs Agent put the money into his pocket.  Having had his passport stamped, he doesn’t really care.  But he wants his $5 back, so when he fills out his expense reimbursement form, he says that he spent $5 on tips.  It’s not entirely inaccurate, he figures.

Now we’re off to the races.

Under Kazakh or Azeri law, Customs Agents have the theoretical power to turn people away at the border.  What that means, for those people who are always wondering exactly what a “facilitation payment” is, is that this isn’t a facilitation payment.  The best demarcation point for facilitation payments is discretion.  If what you’re looking for is discretionary action—getting someone to decide your way when the decision could go either way—and you pay for it, it’s a bribe.  So that $5 payment, it’s a bribe, not a facilitation payment.  So we have an FCPA violation, albeit a minor one.

But it’s the violation that matters.  Because let’s spend some time talking about what “material” means, in the context of financial misstatements.  Corporations must disclose material misstatements.

As a “rule of thumb,” corporations generally paint errors of less than 5% of income as immaterial.  That’s not the definition, however, and the SEC made it clear—read Staff Accounting Bulletin 99—that “materiality” is about more than just percentages.  The SEC laid out a non-exhaustive number of considerations for when a small misstatement is transformed into a material one:

  • whether the misstatement arises from an item capable of precise measurement or whether it arises from an estimate and, if so, the degree of imprecision inherent in the estimate
  • whether the misstatement masks a change in earnings or other trends
  • whether the misstatement hides a failure to meet analysts’ consensus expectations for the enterprise
  • whether the misstatement changes a loss into income or vice versa
  • whether the misstatement concerns a segment or other portion of the registrant’s business that has been identified as playing a significant role in the registrant’s operations or profitability
  • whether the misstatement affects the registrant’s compliance with regulatory requirements
  • whether the misstatement affects the registrant’s compliance with loan covenants or other contractual requirements
  • whether the misstatement has the effect of increasing management’s compensation – for example, by satisfying requirements for the award of bonuses or other forms of incentive compensation
  • whether the misstatement involves concealment of an unlawful transaction.

I’ve put into bold the two that most concern me.  Because the FCPA is a regulatory requirement, and the payment to the Kazakh/Azeri official is an unlawful transaction.

Does this mean that every FCPA violation, no matter how small, is a material event in the life of a company?

Because let’s bring in something else.  Right now, companies get credit for self-disclosure.  But the rules around self-disclosure aren’t without limits.  They’re cabined by factors which make the disclosure less-than-voluntary.  For example, if you get a call from the Wall Street Journal asking for comment on a bribery accusation to appear the next day, and you run to the DOJ, that’s not a “voluntary” disclosure.  Wouldn’t that also mean that if a company were required by regulation to disclose—say, if there were a requirement to disclose material misstatements in an SEC form—wouldn’t that mean that disclosures pursuant to that requirement wouldn’t be “voluntary” for purposes of the self-disclosure credit?  I would think so.

The form that companies use to disclose material events is an 8-K.  It’s an out-of-cycle disclosure form for events that won’t wait for the next 10-Q or 10-K.  They matter.  The market cares about 8-Ks.  So now we’re talking about a corporation having to file an 8-K disclosing a $5 payment in Kazakhstan.  That’s what I call a “stock price event.”

All because of a $5 payment.

That’s my nightmare.

Now, we haven’t seen cases based on this kind of thing.  But we contrive controls not based on the enforcement record, but on our perception of the risk.  I couldn’t in good faith recommend that you set up controls to cover this, but it’s something to think about.

Please, help me sleep: where am I wrong about all this?

Post Script: Mike Volkov and I are subconsciously on the same wavelength lately.  I write about the Compliance Defense, he writes about the compliance defense.  Now, I write this about a problem with customs, and he writes on the problems with customs.  Weird.

You’re Hired. Now What?

3 Apr

One of the pieces of advice I regularly give to compliance people wanting to know “where do I start?” is to pick a place and start.  The act of starting brings its own momentum.  And there’ll be enough to do that you can start anywhere.  As in military parlance, any action is better than none.

But that’s advice for the curious.  Advice for the serious is slightly different.  It’s not that my advice isn’t good, it’s just that, for serious people, more specifics are necessary.

So, let me pretend for a moment that I’m a new compliance officer at a new company, and tell you how I would approach things.  Here are my requests to the Chief Compliance Officer.

  1. Show me the Code of Conduct and the Anti-Corruption Policy (and let me know when they were last updated).
  2. Show me the most current risk assessment.
  3. Show me the training that we give to high-risk employees.
  4. Show me the due diligence process we use for third parties.

Those four things will tell you a lot about the compliance program.  The policy will tell you whether the program is designed and documented by lawyers, for lawyers.  Also, you can see if the company has made the hard choices: how do they want to handle facilitation payments, to use one example.  The current risk assessment will tell you about whether the company understands its risk.  The first question is whether there’s a separate risk assessment at all.  If so, you’re already one step ahead.  Same with the training to high-risk employees.  If the company has it, you know (a) that they understand their employee base well enough to understand risk, and you can see (b) whether the training is any good.  If you see training that’s all about the law, the company is doing it wrong.  If the answer is that the company has one training for all employees, they don’t recognize tiered controls.

Tiered controls are the way to maximize your return on compliance investment.  You want to spend the most money on those areas that address the highest risk.  Otherwise, you’re misallocating assets.  Compliance is hard enough without the business knowing that you don’t know how to spend money effectively.  Training everyone the same way is a waste of money on some, and an underinvestment for others.

Finally, I would want to see the due diligence process.  I’m looking for one thing: how does the risk rating—there’s sure to be a risk rating—change the going-forward relationship?  If you risk-rate, and then nothing, it’s a problem.  For a lot of companies, the risk rating affects the contract provisions, maybe the need for a certification, but doesn’t really affect things going forward.  There’s no transactional due diligence, no KPIs, no single-point-of-contact.  (In case you’re wondering, “KPI” stands for key performance indicators.  They’re how you measure the performance of your third party).

So that’s my preliminary analysis.

Next, I would want to travel.  Go meet people.  Mainly, in my opinion, business people.  Talk to various levels of the organization in your riskiest markets first.  If you don’t have the budget to travel, the first people you need to talk to are your senior management.  Because talking to people—whether it be for training, or to enhance the risk assessment; which is what you’re doing—is something to spend money on.  And while you’re talking to your senior management, give them two messages: (1) anti-corruption compliance programs don’t come free and (2) they need to start asking one question, “what does compliance think about that?”  By asking that single question, you start driving compliance down into the business.  Because once people know that the question will be asked, they’ll start getting the answer through better engagement with compliance.  That’s your first ask.

Now you’re pretty deep into your program, but you’re still maybe 30 days in.

For the next 30 days, it’s all about learning the business.  Your mission is to dig into business processes.  You need to learn everything there is to know about how the business does business.  You need to learn their metrics, their language, their processes.  You need to engage with the business and let them get to know you.  Your travels should have introduced you to many of the key players.  Use those relationships—as new as they might be—to learn what their concerns are.  What keeps them up at night?  What are their pressures?  How are they measured?  Don’t make any suggestions at this point, no matter how tempted you are.  You’re just there to learn.

From day 60-90, you learn a new word, “tweak,” and you stay on message.  You’re not going to change processes, or institute new processes.  You’re going to tweak processes that already exist.  The first thing you add to is the process for the ongoing evaluation of third parties.  Then the controls around paying third parties.  What you’re trying to do is answer the question: “how do I know that I’m getting what I’m paying for?”  If you have controls to address that question, you’ve significantly addressed the real risk you face.

Also, some low-hanging fruit.  Get a hotline number (either internal or through a third party), and advertise it.  Improve your training by focusing on your policies, not the law.  Find out what your existing finance policies are and link and label them into your anti-corruption program description.  For that matter, create an anti-corruption compliance program description.  You probably don’t have one.  Third, from your business “listening tour,” you should have an idea of how better to segregate your employee base by risk.  Do that.  Give some additional training—short, sweet, to the point, easy—to the highest-risk employees.  Include, at the end, a printable page with your name, email, and phone number.  Tell them to print it out, and keep it.  Follow up with an email that has the PDF of the same information.  Use that email list on a monthly basis to send around information you might want them to have, describing new cases, and what other companies did wrong.

Finally, use everything you’ve learned to sit down with the business and discuss where you want to improve the program.  This should be at least a half-day, if not a full day, activity.  At the end of the day, you should have crystal clear goals, designated resources within the business, budget, and a timeline for implementation.

Now you’re 90 days in.  You have a plan, you’ve used all your learnings to update your risk assessment, and you should start reporting out every month on your progress.  Start trumpeting your successes.  Let senior leaders know when new training has been rolled out.  Tell them why it’s better.  If you start getting calls into your hotline, let leaders know that you’ve established information chains, and are starting to see results.  Make sure to praise those business leaders who are helping you.  Be sincere, and make the praise visible.  I don’t care how senior someone is, they like seeing that their boss got an email saying how wonderful they are.

Eventually, you’re going to have to tackle the harder things: really improving your due diligence process, getting your CCO to report out to the Board, getting business-wide involvement in your risk assessment process, instituting technology fixes to your payment monitoring deficiencies (and you have payment monitoring deficiencies, I promise), getting Internal Audit involved in testing your program, and getting sufficient resources and budget to operate long term.  But those problems are the subject of another post.

What Does the DOJ Expect From You: Schedule C Explained

6 Mar

This FREE 3-Part webinar series will provide a step by step guide to ‘Schedule C’ – a list of elements found in recent deferred prosecution agreements by the Department of Justice (DOJ).  Register HERE for times convenient to Asia. (It’s noon, Singapore time, over one day a week for three weeks.)

In this webinar series I argue that Schedule C provides a colour-by-numbers guide to compliance. I will cover each of the ‘Schedule C’ elements and describe what they mean and how to implement them in a robust yet cost-effective way.

This webinar series is NOT just for US companies. For those organisations outside of the US which are still subject to FCPA enforcement, it can be argued that following Schedule C, while taking into account local anti-bribery law’s specifics, will certainly lead to “adequate” procedures. Particularly in jurisdictions where authorities may have been less explicit about their expectations.

Dates and Times

Wednesday 21st March, 12pm SGT (4am GMT)

Wednesday 28th March, 12pm SGT (5am GMT)

Wednesday 4th April, 12pm SGT (5am GMT)