Archive | Tone From the Top RSS feed for this section

Schedule C, Point #2: Tone at the Top

6 Feb

Belatedly, the second in my series explaining the elements in the DOJ’s famed “Schedule C,” comes point #2, the tone at the top element.  As always (but since this is my second entry in the Schedule C Series, “always” should more accurately be “again”), I will start out with the actual language of the Schedule C point.  As I did before, I’m using the Alcatel settlement documents for my examplar.

Alcatel-Lucent will ensure that its senior management provide strong, explicit, and visible support and commitment to its corporate policy against violations of the anti-corruption laws and its compliance code.

Such a short requirement to occupy so much time and attention from consultants, compliance people, outside counsel, the press, and the commentariat.

Here’s a secret—probably the secret—of tone at the top: the more effort you expend on tone at the top, the more likely you’re doing it wrong.  Tone at the top should be effortless.  It should be part of the everyday fabric of how senior management interacts with their employees.  If senior management would worry less about whether there’s a video on the intranet and worry more about metrics and getting employees engaged with the brand, we’d all be better off.

But that’s more of an “ought to” than an “is.”

Let’s start from the beginning.  What is “tone at the top” exactly?  Forget everything you’ve heard or read.  It’s all wrong.  Think about it instead as your response to a question from the DOJ: “What did your top executives do to make this workplace one where bribery wouldn’t take place?”  Really, is your answer to that going to be “we videotaped him saying that bribery was bad and we put that video on our intranet?”  Or that we included it in the Code of Conduct introduction?

The DOJ always talks about the difference between a program that is operationalized and one which is paper only.  Tone needs to be analyzed in the same way.  How have you integrated executive buy-in to anti-corruption compliance into the fabric of the company’s relationship with its employees?  You need two or three really good answers to that question.  Think in terms of bullet points.  When you’re presenting your program to the DOJ, what are some bullet points that will really impress them?

I’ll give you several.  You can pick and choose from this list: I would suggest at least three for your presentation to the DOJ.

1.  Ask the Question.  Make it the company culture for managers—from the CEO down to first-level people leaders—to ask one simple question.  Of anything you do, asking this one question will have more of a long-term impact on the culture of the company than any other single thing you can do.

The question is “what does Compliance think about that?”  Such a simple question.  But if the CEO, when hearing about ideas for a new market or a new product asks that question every time, his or her subordinates will quickly learn that they need to have an answer to that question before they go in to see the CEO.  Which means that their direct reports will have to answer the question.  All of a sudden, Compliance is seen as necessary in a business process.  Maybe a necessary evil, but necessary.  And if you hire the right people, Compliance will be seen as a creative solutions vendor to the business and not the “business prevention department.”  But let’s keep that last bit for point number 4.  I always say that 80% of compliance is being “in the room.”  Having your senior execs ask that question gets you in the room.

2.  Openness about the good and the bad: More important than the CEO video, or any other messaging, is a culture of openness emanating from the top.  This isn’t just a compliance mandate, it has business consequences too.  In the Harvard Business Review this month, Keith Ferrazzi talked about this issue in his article “Candor, Criticism, Teamwork“.

We found that the teams that scored lowest on candor saw the poorest financial returns….  In contrast, groups that communicated candidly about risky securities, lending practices, and other potential problems were able to preserve shareholder value.  Indeed, in our research…we identified “observable candor” as the behavior that best predicts high-performing teams.

This good business practice extends its benefits into the Compliance space.  When senior management is open about bribery risks and candid about their successes and their failures, it creates an atmosphere of openness that blunts potential miscommunications.  Employees who have never discussed bribery with their bosses would feel more comfortable doing so if the team is open about risks generally.  Senior management giving rewards for good compliance performance is more important than the on-the-intranet video.  Senior management talking about a miss is also hugely influential.  And what a great point to make with the DOJ!  “We spent 20 minutes last week on an all-employee call talking about a decision we wish we could undo.”  And since you document, you can provide the Department with a tape, or at least the senior leader’s talking point.

3.  Metrics: This is where I get adamant.  All the bromides in the world from senior managements about the importance of ethics don’t mean anything if the only thing anyone is measured on is results.  I always say that the profession of Compliance is self-selecting for cynics.  I’m a cynic by nature, training, and experience.  So forgive my cynicism when I say that given a choice between just about anything—short of unjustifiable law-breaking—and their paycheck, people will choose their paycheck.  By “unjustifiable” I mean crimes that a person has a harder time rationalizing: violence, open theft, crimes with an identifiable victim, and others.

Short of those, however, if you don’t metric compliance, and your only marker of success is the sale itself, people will “bend the law” to get the sale.  And when it’s acceptable to bend the law, it’s inevitable—believe me, inevitable—that someone will break it.

I completely believe this axiom: what gets measured gets done.  If you want to show real tone at the top, have senior management visibly care about something other than the sale. Have them show through metrics that they care about ethics. A key value add of your compliance people is to create hard metrics for compliance. Senior management should (1) demand that of their compliance officers and (2) implement those metrics.

Imagine again the story for the DOJ: we have compliance metrics that affect the compensation of the sales team. A leader cannot get a bonus if it’s credibly determined that any of his or her reports obtained favorable treatment through a bribe. That’s commitment from the top.

4.  HR: Get Human Resources involved.  You need good anti-corruption compliance people.  You have to tie a lot of your employee-related objectives to HR-related consequences.  HR must be a partner to the anti-corruption compliance program.  Does your head of HR serve on a risk committee?  Is there a consequence management structure in place for (1) violations of the FCPA, (2) violations of policy, (3) failure to take training, or (4) repeated quarters where anti-corruption requirements are late?  You need process around all four of those things, and you’re living in an HR world for all of them.  How would you show that senior management has recognized the important role HR plays in anti-corruption compliance?  [ed. note: this applies to all of compliance, not just anti-corruption].

5.  Budget & Resources: Put your money where your mouth is.  I’ve heard that one question the DOJ sometimes asks is “how much do you spend on Compliance?  OK, now how much do you spend on office supplies?”  You’d be amazed at how many companies come out on the wrong side of that question.  I’m reminded of that age-old axiom, actions speak louder than words.  Don’t get me wrong, I’m not saying that you have to spend oodles on Compliance.

I would suggest that just as important as absolute spend—if not more important—is year-over-year spend.  YOY spend is an indicator of priority.  Even today, two years after the worst of the financial crisis, a lot of companies are cutting back or staying even with last year’s spend.  The Department is not deaf to such arguments nor blind to the reality of the new normal.

It’s therefore a powerful statement to say that, despite cutbacks, Compliance had YOY spend up 2%.  In my old company, one thing the business leader did to show his commitment was during the budget discussions: anything compliance proposed was automatically approved.  No trade-offs, no arguments.  It made me careful to only propose that which I thought necessary (and wary of lots of others who suddenly needed their projects approved because of “compliance,” but that’s another story).  But how much would you love to have a bullet point in your presentation to the DOJ: “Compliance spend doesn’t go through the normal approval process, it’s automatically approved.”

Resources is a special form of budget, and I almost listed it separately. Welcome to the world of in-house practice: more people equals more importance. Don’t blame me, I didn’t invent the rules. And the fact is, the more people you have, the more you can get done. In fact, one of the key functions of a Compliance Officer is to identify for the business what activities can be done with what incremental additional resources.

What’s probably more important than everything is to have a budget and resources plan that’s already in existence (meaning, before you have to justify everything to the DOJ). If you get into trouble, you need to be able to trot out a document showing that you’ve recognized the issues, and that senior management has (1) seen it, (2) approved it, and (3) care about it. This last can be shown by senior management demanding periodic updates—say, once a month—on how the program is coming along, and addressing any roadblocks to the plan’s success.

6.  Air Cover: Similar to the metrics discussion, senior management needs to put their actions where their mouth is.  When a salesperson misses a target and credibly claims that their problem was a refusal to bribe, that should be taken into account.  Visibly taken into account, and by senior management.

And if you can’t do that on an individual basis, you should include in market goals an adjustment for bribery.  That way, you can show the DOJ that senior management recognizes how hard it is to avoid bribery in certain markets, and a willingness to support the sales efforts in those markets in a way that makes bribery less to avoid bribery.

The worry—and I don’t discount the worry—is that salespeople will use bribery as an excuse for why they missed their targets.  Really, though, I’m not suggesting that someone get a commission for a sale that’s not made, but there needs to be an adjustment, and the business community has ignored this point for so long, a little pendulum swing too much the other way probably isn’t a bad thing.  Even if the adjustment isn’t that large.  The bullet point comes in, really, as soon as you make any adjustment.

The imperative is the same outside of sales. When your Real Estate people miss a target date because they wouldn’t bribe the zoning board, one of two things needs to be true: you either adjust the date or you can show you took the bribery issue into account when you set up the original date. This falls into what my This Week in FCPA co-host Tom Fox always says: document, document, document. If you can show that, when setting up the target date for action, you took the risk of bribery into account, that’s tone from the top.

7.  Optics: When I say “optics” in conversation, I’m reminded of something that used to happen when I was a kid: I would say something, and my mother would say “don’t take that tone with me.”  I never knew that I had used a tone.  When I say optics, I can hear the tone I take (no pun intended).  Usually, frankly, I use “optics” as a pejorative.  But let’s not discount the importance of optical controls.  You need the CEO video, not because it’s effective to deter bribery, but because it would be conspicuous in its absence.  You need company-wide Code of Conduct training annually, even if by video.

Tone at the top is not a one-and-done affair.  That said, it also should seem effortless.  If senior management is truly committed to the success of their anti-corruption compliance program, this element will take care of itself.


Intro to Schedule C: What’s All the Fuss?

23 Oct

This is not going to be easy. Or short. What I’m going to attempt is only to elucidate the parameters of an effective compliance program, using the DOJ’s list of elements found in recent deferred prosecution agreements as my guide. I will take the thirteen (or twelve, or fourteen, or however many it ends up being depending on how you read the DPAs and which DPAs you use as exemplars) specific compliance areas and expand on them with my own experience and the experience that others have shared with me. I hope it proves useful, and I hope to spark a discussion on which elements people feel enhance their programs and which are, frankly, overkill and only agreed to because the DOJ is holding a hammer over their heads.

Which makes it sound like I’m not in favor of DPAs. Nothing could be further from the truth. I’m a fan. And more than DPAs, I’m a tremendous fan of the Schedule Cs that the Department has included in DPAs as far back as Metcalf & Eddy. The Department has never played hide-the-ball with FCPA enforcement. It’s ironic, if that’s the right word, that companies complain that they don’t understand enforcement and what the DOJ expects. The DOJ has essentially given us a color-by-numbers guide to compliance. The problem is more a lack of will and skill than a lack of information. This is a theme I’m going to come back to again and again. There’s a lack of will on behalf of companies, and a lack of skill on behalf of people giving them advice. By “skill,” I also mean ability to implement, which oftentimes puts the blame right back on the business. But one of the things we need to face is the abominable advice companies sometimes get from their counsel. We’ll talk about theoretical risk and training on policy versus on the law. We’ll talk about what my colleague Alexandra Wrage describes as “lawyers describing themselves as FCPA lawyers because they know how to spell it.” There is a difference—something a lot of people outside of corporations don’t understand—between legal advice and compliance advice.

So what is the dysfunction that prevents companies from following the rules? Why, given that the DOJ has been so incredibly descriptive, do we still have companies so incredibly non-compliant? This is one of the things we’ll discuss over the next 12 or 13 essays on compliance. We’ll engage in that favorite of compliance pastimes: the root cause analysis.

So why don’t we jump right in?

The intro to the DPA, before element #1, talks about the obligations the company has. I’m going to use the Lucent case as my exemplar.

After agreeing to conduct periodic reviews of its controls, the DPA obliges Alcatel-Lucent in an overall sense:

Where necessary and appropriate, Alcatel-Lucent agrees to adopt new or to modify existing internal controls, policies, and procedures in order to ensure that it maintains: (a) a system of internal accounting controls designed to ensure that Alcatel-Lucent makes and keeps fair and accurate books, records, and accounts; and (b) a rigorous anti-corruption compliance code, standards, and procedures designed to detect and deter violations of the FCPA and other applicable anti-corruption laws. At a minimum, this should include, but not be limited to, the following elements to the extent they are not already part of the company’s existing internal controls, policies, and procedures.

We spend a lot of time on anti-bribery controls, but as this introductory paragraph should make clear, companies need to spend some time on their financial controls. As much as I say that outside counsel needs work on their advice, boy do compliance officers need work on this one. I love quoting Manny Alas who always asks about your chart of accounts. Most compliance officers wouldn’t know a chart of accounts if it came up and bit them. But getting a good handle on finances goes a long way—a long way indeed—to mitigating bribery risk.

Even if your internal controls aren’t, shall we say, state of the art, you should still “link and label” them with your anti-corruption program. For companies just starting to implement programs, they should concentrate on how they ensure large dollars don’t go unnoticed. Where is money left on the table? The nice thing about this kind of analysis is that companies have people in sales and operations who know this stuff, who can answer the questions you’re asking. Find them, talk with them, learn from them. Because nothing breeds success—in any compliance venture—like knowing the business. When you understand how deals are structured, you know where bribes could come from, and where you need to start enhancing your program.

The first piece of advice for companies, and the best piece of advice I’ll give, is this: start. Just start somewhere. Pick some area, and enhance something. And if you don’t know where to start, read on. Over the next couple of months, we’ll discuss 12 or 13 different areas where you can jump right in and create a program that will actually “detect and deter” violations.

Next up: number 1, policies.

On Contracts

18 Jul

You never get very far disagreeing with Michael Volkov. It’s a low statistical probability that you’ll be right and he’ll be wrong. I’ve just read his article on FCPA contract provisions.

Now, Michael (or, as I like to call him, Mr. Volkov) and I come at this from two different directions.  Two different points of view.  Because of that, I read his work with the eye of someone who with the best of intentions will try to implement what he says I need.

The problem isn’t that I disagree with him, the problem is that from a compliance perspective what he wants is, in my opinion and in my experience, next to impossible to implement in practice.

You see, I live in a messy world.  A world where the lawyers in a company generally think—and their pay backs this up—that they’re better than their fellow compliance officers.  A world where Procurement often plays a huge role in contracting.  Procurement, in turn, either sidesteps the lawyers, or is sidestepped themselves by the businesspeople they service.  A world where the first time a lawyer sees a consultant’s contract is often after the consultant is on site, working.  A world where the company you work for might not have the leverage to force a contract provision, and yet can’t afford to walk away.  A world of horsetrading for contract provisions.

In my world, saying that we need to have the following in all contracts is a bit more than I can chew:

  • Indemnification
  • Cooperation
  • Material Breach
  • No Sub-vendors without approval
  • Audit rights
  • Acknowledgement
  • On-going training
  • Annual certification
  • Re-qualification

To be fair, Michael does call these a “wish list.”

Here’s where I have my problems.  First, from a compliance perspective, the key to a strong program is consistency.  I can live with just about any policy as long is it is implemented in a consistent way.  You want an audit right?  That’s fine, but it has to be in every single contract without fail.  What are you willing to give up to make that happen?  Because believe you me, there’s no such thing as somethin’ for nothin’.

Here’s my point-by-point reaction to Michael’s points:

  • Indemnification: good luck.  I wish you the best.  Because there’s no chance—none, zip, zero, zilch—that you’ll be able to get this in every contract.  Especially for the costs of the underlying investigation.  Really?  That cost often far outstrips the cost of the fine or penalty.  I would never approve this in a contract someone asked me to look over.
  • Cooperation: sounds good, but in my experience almost never happens when the sh*t hits the fan.  But at least it should be easy to get in the contract.  At the front end, when everything is happy, happy, joy, joy, people will say “sure, of course I’ll cooperate.”  At the back end, it’ll be all, “talk to my lawyer.”
  • Material Breach.  The right to terminate is tricky.  You have to specifically say what the standard is.  If it’s a criminal conviction, that’s easier.  It’s tough to argue in a negotiation that a criminal conviction for bribery isn’t solid grounds for termination.  But that’s not what you want.  You want “suspicion,” or “in the company’s sole discretion.”  Or some similarly loose standard.  That’s going to be a sticking point in the negotiation, and one which you might have to relent on.
  • No sub-vendors.  Sounds good.  How do you monitor it?  If you’re not going to monitor it, don’t ask for it.
  • Audit rights.  Don’t get me started.  It’s great, but it’s going to cost you a ton of money.  If you’re not willing to actually conduct the audits in a consistent manner, it’s worse to have them than not to have them.
  • Acknowledgment.  Okay.  Go for it.  Feel better?  As an optical control, maybe it would look good from the bottom of a fifth of scotch.
  • On-going training.  Again, great.  But how are you going to monitor it?
  • Annual certification.  I’ve never met someone willing to bribe but not willing to lie about it in a certification.  ‘Nuff said.  Plus, it can be seen as insulting.
  • Re-qualification.  Sounds good, but who does the requalification?  As it stands, you have to update your diligence on vendors every once in a while.  What’s the difference?

Again, my main issue is summed up in the old adage, “be careful what you wish for, you just might get it.”

Here’s the essence of contracts and the FCPA: Anything you demand in a contract has to be included  in every contract, and everything that’s in a contract you have to (a) enforce and (b) monitor for.

If you can live with those things, hey, go to town, ask for everything.

Here’s what I think:

Divide up your universe into two buckets: (a) contracts with people who are really risky, and (b) everyone else.  The latter should represent at least 80-85% of your third-party universe.

For (b), have a one-paragraph addition saying something along the lines of “the third party recognizes that the Company has to live with and comply with the FCPA.  We promise we won’t do anything to cause the Company to violate it.”  That’s it.  No one should have a problem with that.

For third parties that are “high risk,” have senior management tell all interested parties—GC, Compliance, Procurement, and the business—that (a) all contracts MUST have termination rights if we have a non-frivolous belief that the third party has violated the FCPA, annual certifications, and audit rights; and (b) senior management will receive quarterly reports from Infernal Internal Audit on the metrics of compliance with (a).  If they really hammer that message home, you can also check the box for “tone at the top.”

A Great Comment

4 May

Via LinkedIn, I got the following comment on my Tone at the Top post, below (until I get permission from the person who wrote the comment, I won’t post his name.):

Howard, I have to say that I agree with your comments.  The one thing I think should also be considered is that middle management must have bonus or compensation dependant targets that drive them to achieve or reward them for compliance rather than it being a sidebar to their key compensation drivers of sales targets.

If the tone from the top ( I hate that term because it only implies messaging not actual activity) hits a middle manager whose performance targets are driven by deals or sales or units produced will they listen to the tone or see it as extraneous?  If they have to achieve 80% or more on compliance audits before performance rewards kick in it is a far stronger message.

keep up the good work


Great point, and one which I often make, but overlooked here, obviously.

Part of an effective compliance program, and one which also implicates tone from the top, is how sales people are compensated.  In 99.999%, the answer is “according to how much they sell.”  One of the important training pieces is being consistent in your messaging. That means you can’t tell people: it’s okay if you lose business if you refuse a bribe, and at the same time, tell people that they’ll only get paid if they make the sale.

It’s a great point, and one worth remembering.

UPDATE: I spoke with the commenter, and he gave his blessing.  If you want to check out an interesting and insightful person, go here to David Harley’s LinkedIn page.  He’s at PriceWaterhouseCoopers.

Case Study #10: Tone Deaf

3 May

I had thought that with the amount of bile I’ve spewed on these case studies, my supply must be low. I’ve found, reading case study #10, that I actually have plenty left.

The case study purports to discuss what we call in the US “tone at the top,” but which in the UK they call “Top-level commitment.” Here, we have a similar buzz phrase that’s recently come into fashion, “Commitment from the Top,” which is more similar. I’m not personally a fan of either phrase, nor of the concept.

Let’s digress for a moment into what I call “optical controls.” Optical controls look good, but don’t do much. Most contract provisions are optical. Any written certification (maybe there’s one certification that’s not; Tom identified it on our videocast: a Sarbanes-Oxley-type certification to be signed by senior management). There’s a place for optical controls. At times, they are actually important, so don’t neglect them.

But I think tone from the top is optical. That’s not to say it’s optional. You need visible tone from the top. You need senior management to talk about anti-corruption, ethics, honesty, integrity, etc.

First, we need to define tone at the top. Once, back in 2009, I was on a panel about tone at the top. I wrote a definition that got the highest praise possible: it was quoted by Alexandra Wrage. If you’ve read more than two articles on mine, you know I’m a huge fan of Alexandra, and of TRACE. Every company I’ve worked in, I’ve either gotten us to join, or convinced us to renew membership. Anyway, what I said was

Tone at the top is a visible willingness by senior management to let values drive decisions, to prioritize those values above other factors—including financial results—and to expect all others in the organization to do the same.

If you’re going to do tone at the top right, you need more than just words, you need senior management to act. There’s a hierarchy of actions. At the top is publicly praising someone who lost a deal because he refused to pay a bribe. Less, but just as key, would be to change a unit’s sales targets. In fact, I would probably advocate the latter as a first measure because it directly impacts the line staff.

In general, in fact, I’m much more a fan of tone from the bottom, but we’ll get to that in a minute.

As always, the Guidance lays out a series of optional controls for our small to medium size manufacturer:

  • Making of a clear statement disseminated to its staff and key business partners of its commitment to carry out business fairly, honestly and openly, referencing its key bribery prevention procedures and involvement in a sectoral anti-corruption initiative.
  • Establishing a code of conduct that includes anti-bribery provisions and making it accessible to staff and third parties on its web site.
  • Considering an internal launch of a code of conduct, with a message of commitment from senior leaders.
  • Senior management emphasizing among its workforce and other associated persons the importance of understanding and applying the code of conduct and the consequences of breaching policy
  • Identifying someone at a senior level to be the point-person for queries and bribery-related issues

Of all the lists of all 10 case studies I’ve reviewed, this list might be the worst.

Seriously, spending three of five bullets to discuss three aspects of the same control—and an incredibly weak control, at that—is worse than useless. It’s counterproductive. And even worse than counterproductive, it gives a false sense of security. Let me be clear, and you should take this to heart: no code of conduct ever actually changed someone’s behavior. Sorry, all you Code writers out there. This is not to say that you shouldn’t have a code. You should. And I’m not suggesting that you don’t train on it, or that you don’t have an internal launch, or even that senior management shouldn’t emphasize…or whatever it says to do. But a code of conduct isn’t a control, it’s window dressing. Important window dressing, but that’s it.

The last point is as obvious as it is optical. And often done badly. Seriously, if you’re going to implement an optical control, at least make it good optics. How many times have I seen a random officer, like the CIO, report to the CEO, but the Chief Compliance Officer report to the General Counsel? At least now in the US, with the recent revisions to the Sentencing Guidelines, we now know that the CCO has to independently report out to the Board of Directors. Most CCOs I’m aware of do that on a periodic basis, most frequently quarterly.

The first point is also optics. It’s also, in my opinion, almost impossible. Have you ever seen a clear statement by senior management on anything? And on ethics? Really? The statements I’ve heard all talk about ethics as if it were one factor to consider while making a deal. Make the deal, but remember to be ethical. That’s not how we talk about ethics outside of the business world. In every other context, ethical behavior is the underpinning of proper action. But when it comes to business, it’s one factor among many.

So how should companies show proper tone from the top?

Let me give you my suggestions:

  1. Concentrate on the bottom, not the top. Rather, let’s properly define “the top.” The job of a compliance officer is to change behaviour. When a line worker has a problem, he or she doesn’t go to the CEO. So having the CEO “have an open door to all employees to answer questions,” (this or something similar is on virtually all CEO videos I’ve seen) doesn’t help. Who do people go to? Their supervisor. If you can hit front-line supervisors, that’s how you change behavior.
  2. Connect with employees on their terms. That is, let them know that their bonus or other compensation won’t be affected by ethical behavior. An FCPA compliance officer has to run interference for the business. It might be his or her most important job, in fact. The best tone at the top would be for a leader to alter a sales target because a big loss from refusing to pay a bribe. In fact, you wouldn’t even need to advertise it; believe me, your employees will know.
  3. Observe the formalities. You need a Chief Compliance Officer. That person should report—or at least have access to—the Board of Directors. You need a code of conduct, you need a video from the CEO, you need publicized compliance successes, and if you want to get fancy, compliance failures. You need these things because optics matter.
  4. Treat tone like diligence, it’s not a one-time thing. Tone at the top is ethics over time. You can’t just have the CEO do a video and be done. You need to emphasize and reemphasize, with the message coming from all levels in many formats. Email, live, written, etc. Hit your riskiest employees from every direction. Have informal chats.
  5. Ask the question. There is one question that senior leaders can ask that’s the best question in the whole world. The best question. If you have one “ask” when you talk with senior leaders, this should be it. What’s the question? Here you go: “what does compliance think about that?” If senior leaders start asking it, then their direct reports will start soliciting compliance’s opinion before meeting with the senior leader. It gets compliance included in the process, any process, in a constructive way. It’s the perfect force multiplier. It’s the perfect question. Have your senior leaders ask it, often.
  6. Do your best to keep your messaging consistent. I’ve said this before, in the training case study critique, but consistent messaging is also a leadership function, and thus a tone from the top issue. The best indicator of ethical behavior is when employees feel free to report misconduct without fear of reprisal. You can’t afford to have one employee sending one message by their conduct and another employee sending another message.

So there you go. And only one more left. After that, I’ll write my own guidance, and publish it, chapter by chapter.

After the Bribe

28 Mar

The first thing I do in the morning, via my Google Reader, is read a few FCPA-related blogs.  One of these is the FCPA Professor.  An excellent source of information.  Today, he brings word of a quiet settlement by the Ball Corporation.  Reading it, Prof. Koehler quotes from the SEC’s cease-and-desist proceeding (the least stringent of the SEC’s enforcement channel options):

For example, key personnel responsible for dealing with customs officials remained at Formametal [ed. note: Ball’s subsidiary in Argentina], even though external due diligence performed on Formametal suggested that Formametal officials may have previously authorized questionable payments.”

I found this interesting: it highlights a disconnect between the enforcement agency’s belief in the reality of in-house life, and the reality of in-house life. Compliance officers in-house are not unlike politicians. Compliance sometimes is the art of the possible. You need political capital, just like in politics. A compliance officer’s ability to earn political capital is crucial to his ability to succeed in his role. As are his decisions on where to spend that capital.

The first thing enforcement agencies should remember is that compliance is a cost center. For those government employees who have never been in the private sector (and I’m not being pejorative: before I moved in house, I was an enforcement agent who had never been in the private sector), a “cost center” is a department within a corporation that does not add revenue. Legal, compliance, HR, marketing, public relations, investor relations, are all cost centers. The opposite of a cost center (at least, at successful corporations) is a “profit center.” Profit centers are those operational areas within the corporation that actually sell what the corporation makes.

Corporations—at least, those with decent management—structure their expenditures to support their profit centers.  T. Boone Pickens had it right, the purpose of a corporation is to make money.  So when a company has money to spend, most times, the profit centers of that company get to spend it.  In other words, it is more likely that if a company has an extra $100,000 to spend, they’ll spend it on one year’s salary for a sales manager versus one year’s salary for a compliance manager.  Every dollar that’s spent on a cost center is one more dollar with an ROI of zero.  Yes, we can have a fascinating conversation about the ROI of ethics, but whatever it is, that ROI is awfully hard to monetize.  [And for those no-private-sector-experience government folks, an ROI is “return on investment.”  It’s the idea that if you are going to spend a dollar, figure out a way to spend it that you get $1.50 back.  That’s a 50% ROI.  A salesperson will bring in more in sales than the corporation spends on his salary.  Thus, dollars spent on salespeople have a positive ROI.]  Cost centers, traditionally, have zero ROI.  There are exceptions, like when the legal department at American Express brought the antitrust suit against Visa and Mastercard, and the settlement was worth more than all the operating profit of the “profit centers” that year.  By a lot.  But I digress.

The point is, for a cost center to disrupt a profit center, that’s a big deal.  And the source of disruption is irrelevant, whether it’s outlandish budget requests or new policies that restrict the ability of salespeople to make money.  Each of those requires an expenditure of political capital, as well as significant “internal marketing” to get it done.  Sometimes, like right after a major issue, it gets easier.  But that effect, in my experience, lasts 6-9 months.  After that, it’s back to cost-center-ness.  Remember also that there are internal-to-compliance issues.  I know it’ll come as a shock, but compliance programs are just as, if not more so, subject to the silo issues as the business.  In a typical financial services compliance program, for example, you have sanctions people who need a new sanctions-monitoring tool, you have FCPA people who want increased spend on due diligence, you have anti-money laundering people—the 800 lb. gorilla of financial services compliance programs—who need more AML people, plus you have country-level compliance people.  Your people in Asia, probably, are operating with older technology, and need money for upgrades.  So if an FCPA needs money for new diligence programs, first they need to justify it in their own budget, then they need to get the CCO on board to prioritize the FCPA request over various AML requests, sanctions requests etc.  After they get the CCO on board, depending on the amount, then it needs to go to corporate planning, which is where it bumps up against new Sales requests etc.  And remember, the inherent bias is to give the operational divisions what they need first.

Now we come back to the SEC’s cease-and-desist action against Ball, and what they cited Ball for.  Ball’s due diligence suggested that employees of a subsidiary authorized bribes.  So why didn’t Ball just fire those people?  Well, first, firing someone, especially in a worker-friendly place like Argentina, isn’t such an easy process.  Have you ever tried to fire someone in Germany?  Next to impossible.  Even in the UK, you have “consultation periods,” etc.  There’s an image in government that corporate workers can get fired for anything.  In reality, especially in larger corporations, it’s a process.  Plus, and here’s where tone at the top becomes important, what if those people were big revenue generators?  It’s a rare corporation that will fire top performers for a compliance-related issue.  Discipline?  Maybe.  Fire?  Hardly ever.  So those employees who Ball left in place?  Not so unusual.

This also brings up another question: when you have due diligence on third parties, what do you do with that information?  The government has said, over and over, that if a JV partner does some bad stuff, that you have to react, even to the extent of pulling out.  Oh, please.  Given the foreign-ownership rules in China, pulling out of a JV could mean pulling out of the market.  Even if you don’t exit the market entirely, the Chinese are not above making you suffer for embarrassing a Chinese company by ending the relationship.  And when I say “not above,” I mean that culturally, it won’t even be questionable.  There will be payback.  Plus, who’s to say that you can pull out?  Some of these JVs date back a while, and who knows what termination language there is.  Plus, even if you can, there could be litigation for breach of contract if you terminate.  You’ll then be litigating against a local company in their courts.

Even less drastic, what if the supplier about whom you have negative information is a crucial supplier?  Do you have to cut them off?  Just because they are important to you doens’t mean you’re important to them.  If you try to tell them that they need to reform themselves or else you won’t do business with them, what if they answer “tough noogies?”  They’re a crucial supplier.  Do you just stop?  What if the closest competitor is 14% more expensive?  There goes 14% of your profit margin right there?  What if that makes you uncompetitive?  Do you have to cease operations entirely?  Plus, sometimes there just aren’t that many choices.  Halliburton got jobs in Iraq because, frankly, it was the only company with the capabilities to do what needed to get done.  Political connections are nice, but if you’re the only game in town, you’re going to get the business. 

And isn’t that hypocritical of the government to get all righteous when the US government is a huge purchaser from Siemens (over $1 billion a year).  In fact, it’s been argued that the structure of the Siemens settlement (pleading to internal controls violations) was for the express purpose of it not being debarred from government sales.  And talk about bad information about a company!  Siemens engaged in a decade-long global bribery pattern of activity.   But if  Ball corp. gets some information that a couple of employees may have bribed a couple of customs officials, they’re supposed to divest?   Just to twist the knife, by the way, Siemens income from continuing operations in the period after its massive settlement, was up 21%.  No one stopped buying from Siemens, not just the US government.  What does that tell us?  (This was actually the subject of another FCPA Professor post from a while back.)

How is the business to react when its compliance officers are saying, “hey guys, we have issues here?”  The first question the business often asks—and I find it hard to argue with this line of logic—is “are we required by regulation to stop doing business with this third party?”  The answer is “no.”  Virtually never will a company fight if its compliance officers say, “according to Reg so-and-so, we can’t do this.”  So, the business says, “short of not doing business, what can we do to protect ourselves?”  Well, there’s regular auditing (which requires will, skill, and money: none of which you’re likely to have), there’s increased monitoring of KPIs, regular invoice review, etc.  But you’re still in business with the risky third party.  We’d love it if the business got righteous and said, “you’re dead to me,” to the offending third party.  But in all but the most extreme circumstances, that’s unlikely. 

I guess my point is, despite what the SEC says, it’s not always so easy for a company to fire people, stop doing business with third parties, or even affect how a third party does business.  I’m not justifying bad acts.  I’m really not.  Companies need to bite the bullet and increase spending on FCPA compliance.  Even more important than spending, however, is the need to allow compliance to define criteria for the business to onboard third parties. 

In fact, I would say that latter piece is so important that you can judge a company’s tone at the top based only on two criteria, that being one.  The other is whether compliance is in the metrics of the sales teams.  If you have those two things, I don’t care if the CEO puts a video on the intranet.  But it’s difficult, because of internal politics, to just say “don’t do business with them.”  The SEC and DOJ, in my opinion, need to be more okay with the concept, like in privacy, of “compensating controls.”  Meaning, you can still do business with risky third parties as long as you have specialized controls in place to protect yourself.   What should these controls look like?  Well, I have to leave something for another post.

Commitment From the Top

21 Mar

Commentators like me argue about the most important element of a compliance program.  Some say due diligence, some say policies, some training.  A common answer, however, is “tone from the top.” 

I once defined “tone from the top” as:

a visible willingness by senior management to let values drive decisions, to prioritize those values above other factors—including financial results—and to expect all others in the organization to do the same.

I’ve been told that “tone from the top” has been replaced by a meatier phrase, “commitment from the top.”  I would still define it in the same way.  Essentially the entire discussion around tone/commitment from the top revolves around the same thing: which comes first, revenue or ethics, when you can’t have both?  Compliance officers will tell you that their job is to be a creative solutions vendor for the business (at least, good compliance officers will tell you that).  To get to “yes.”  Sometimes, however, the answer is “no.”  Sometimes, it’s “not only no, but ‘hell no.'”  Ethics is what happens next.

Tom Fox, quoting the Harvard Business Review, calls this “overvaluing outcomes.”    Results trump compliance. 

A quick question here: how is your sales team measured?  For 90% of you, I bet the answer is “how much they sell.”  Is there a compliance component?  What happens if, at the end of a deal, the counterparty throws in the need to pay a “special administrative fee” to a government official?  If your salesperson is a tremendously ethical person and loses the deal because he or she refused to pay the bribe, what happens?  Does his leader quote from Glengary Glenross and yell, “get them to sign on the line that is dotted!”  Or does the CEO call out the employee on the next all-employee call for special recognition of his ethics? 

I once heard a definition of integrity as how you act when no one can see you.  The same applies in business.  The best gauge of a company’s ethic is how employees act when the compliance officer is looking the other way.  I once had a situation where an employee I knew, and who I had worked with in the past, came to me with an issue.  She told me that when she told her colleagues that she was going to bring the issue to my attention, one of them asked her why she would “show her dirty laundry to Compliance.”  It’s an example of a great compliance win, and a huge loss, at the same time.  I had a great ethical force multiplier in the woman I knew, but someone else in the organization just didn’t get it.  How does the company deal with employees when they are a top salesperson, but show unethical tendencies?  Is the only judge of a person’s worth to the organization found in their sales numbers?

These are questions that the company needs to answer before it can claim it has good “tone at the top.”  It’s not just about a CEO posting a video on the intranet anymore.