Great Structures Week III – The Roman Arch and Resourcing Your Compliance Program

I continue my Great Structures Week with focus on structural engineering innovations from ancient Rome. I am drawing these posts from The Teaching Company course, “Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, taught by Professor Stephen Ressler who said “When I think of Rome, the first image that comes to mind is an arch.” It is present in aqueducts, in the triumphal arches that adorn the city of Rome, in the city gates and even in the Coliseum.

The arch was a major engineering advancement because the prior method for traversing horizontal distance was the beam, which was limited in its use. Ressler notes “because the arch carries its load entirely in compression, its span isn’t limited by the tensile strength of the material, the size of its stones, and it can span greater distances which might be conceived of with stone beams”. The arch itself has two essential characteristics. First it carries an entire load in compression, that is it counter-balances against itself, which allows for construction using the most basic building materials known in the ancient world: stone, brick and concrete.

Yet the second characteristic of the arch is equally significant. An arch requires “both vertical and horizontal reactions to carry a load. The downward load of the arch is balanced by an upward reaction from the base”. Both the Arch of Titus and Pont du Gard aqueduct are still standing and can be seen today as magnificent examples of this Roman innovation.

I wanted to use the dual load system whereby an arch supports not only great weight but also esthetic engineering designs to discuss how a Chief Compliance Officer (CCO) or compliance practitioner might develop resources to implement a best practice anti-corruption compliance program under the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-bribery law. Funding of a compliance program is always one of the biggest challenges. Short of being in the middle of a worldwide FCPA, UK Bribery Act or other anti-corruption investigation, you are never going to receive all the funding you want or even think that you are going to need.

However, this corporate reality is not going to save you if the government comes knocking. The FCPA Resource Guide 2nd edition provides the following: “Moreover, the amount of resources devoted to compliance will depend on the company’s size, complexity, industry, geographical reach, and risks associated with the business. In assessing whether a company has reasonable internal controls, DOJ and SEC typically consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”

Stephen Martin, CCO at Skillsoft, often says that an inquiry a prosecutor might make runs along the following lines. The first question is what the company’s annual compliance budget was for the past year. If the answer started with something like, “We did all we could with what we had” ($100K, $200K, name the figure), the next inquiry would be, “How much was the corporate budget for Post-It Notes last year?” The answer was always in the 7-figure range. Then the KO punch question would be, “Which is more business critical for your company: complying with the FCPA or Post-It Notes?” Unfortunately, most companies spent far more on Post-It Notes than they were willing to invest in their compliance program.

However, this corporate reality will allow you to look to other areas to assist the compliance function. An obvious starting place is Human Resources (HR). There are several areas in which HR can bring expertise and, in my experience, enthusiasm to the compliance function. Some of the reasons include the fact that HR is physically located at or touches every site in the company, globally. HR is generally seen as more approachable than many other departments in a company, unfortunately including compliance. A person’s first touch point with a company is often HR in the interview process. If not in the interview process, it is certainly true after a hire is made. Use this approachability.

HR has several key areas of expertise, such as in discrimination and harassment. But beyond this expertise, HR also has direct accountability for these areas. It does not take a very long or large step to expand this expertise into assistance for compliance. HR often is on the front line for hotline intake and responses. These initial responses may include triage of the complaint and investigations. With some additional training, you can create a supplemental investigation team for the compliance department.

Clearly HR puts on training. By ‘training the trainers’ on compliance you may well create an additional training force for your compliance department. HR can also give compliance advice on the style and tone of training. Things that might work, and even be legally mandated, in Texas may not work in other areas of the globe; this is where such advice can be of great assistance. But more than just putting on the training, HR often maintains employee records of training certifications, certifications to your company’s Code of Conduct and compliance requirements. This can be the document repository for the Document, Document, and Document portion of your compliance program.

Internal Audit is another function that you may want to look at for assistance. Obviously, Internal Audit should have access to your company’s accounting systems. This can enable them to pull data for ongoing monitoring. This may allow you to move towards continuous controls monitoring, on an internal basis. Similarly, one of the areas of core competency of Internal Audit should also be internal controls. You can have Internal Audit assist in a gap analysis to understand what internal controls your company might be missing.

Just as this corporate function’s name implies, Internal Audit routinely performs internal audits of a company. You can use this routine job duty to assist compliance. There will be an existing audit schedule and you can provide some standard compliance issues to be on each audit. Further, compliance risks can also be evaluated in this process. Similar to the audit function are investigations. With some additional training, Internal Audit should be able to assist the compliance function to carry out or participate in internal compliance investigations. Lastly, Internal Audit should be able to assist the compliance function to improve controls following investigations.

A corporate IT department has several functions that can assist compliance. First and foremost, IT controls IT equipment and access to data. This can help you to facilitate investigations by giving you (1) access to email and (2) access to databases within the company. Similar to the above functions, IT will be a policy owner as the subject matter expert (SME) so you can turn to them for any of your compliance program requirements, which may need a policy that touches on these areas. The final consideration for IT assistance is in the area of internal corporate communication. IT enables communications within a company. You can use IT to aid in your internal company intranet, online training, newsletters or the often mentioned ‘compliance reminders’ discussed in the Morgan Stanley Declination.

Finally, do not forget your business teams. You can embed a compliance champion in all divisions and functions around the company. You can take this a step further by placing a Facility Compliance Officer at every site or location where you might have a large facility or corporate presence. Such local assets can provide feedback for new policies to let you know if they do not make sense. In some new environments, a policy may not work. If your company uses SAP and you make an acquisition of an entity which does not use this ERP system, your internal policy may need to be modified or amended. A business unit asset can also help to provide a push for training and communications to others similarly situated. One thing that local compliance champions can assist with is helping to set up and coordinate personnel for interviews of employees. This is an often overlooked function but it facilitates local coordination, which is always easier than from the corporate office.

All of these other corporate functions can greatly assist you in the actual doing of compliance. Moreover, in a resource-constrained environment, these other corporate disciplines can be used to strengthen your compliance program, in a manner similar to vertical and transverse integration of structural integrity presented in an arch. Finally, just as the arch utilized some of the most basic construction elements in existence, by using the other corporate disciplines, engaging in precisely their corporate functions, you can create a strong foundation in your compliance program going forward.

Join us tomorrow where we look at the intersection of Gothic Cathedrals and compliance incentives.

Categories
The Compliance Life

Bridget Abraham-Into the CCO Chair

The Compliance Life details the journey to and in the role of a Chief Compliance Officer. How does one come to sit in the CCO chair? What skills does a CCO need to navigate the compliance waters in any company successfully? What are some of the top challenges CCOs have faced, and how did they meet them? These questions and many others will be explored in this new podcast series. Over four episodes each month on The Compliance Life, I visit with one current or former CCO to explore their journey to the CCO chair. This month, my guest is Bridget Abraham, CCO at Remitly, who had a decidedly non-traditional path to the CCO Chair.

From Western Union, Bridget moved to the CCO Chair at Remitly, a remittance payment company. She discussed the mission-driven approach of Remitly to do the right thing. She talked about some of her early challenges and how she could leverage her economics background into a full compliance program. Some of her challenges included scaling up the compliance program and moving into new markets.

Resources

Bridget Abraham LinkedIn Profile

Great Structures Week II – Structures from Ancient Egypt and Greece and Written Standards

I continue my Great Structures Week with a focus on great structures from the earliest times, ancient Egypt and Greece. I am drawing these posts from The Teaching Company course, entitled “Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, taught by Professor Stephen Ressler. From Egypt there are of course the Pyramids, of which Ressler says, “They’re important, not just because they’re great structures, but also because they represent some of the earliest human achievements that can legitimately be called engineering. The Great Pyramid of Giza stands today as a testament to the strength and durability of Egyptian structural engineering skills.”

From Greece we derive what Vitruvius called the “Empirical Rules for Temple Design” which define a “single dimensional module equal to the radius of a column in the temple portico, then specify all other dimensions of the building in terms of that module.” These rules are best seen in Greek temples, largely consisting of columns, which are defined as “a structural element that carries load primarily in compression” and beams, which are “structural elements subject to transverse loading and carry load in bending.” My favorite example of the use of columns is seen in the Parthenon; the most famous of all Greek temples still standing.

In many ways these two very different structures stand as the basis of all structural engineering and Great Structures that come later throughout history. For any anti-corruption compliance regime based on the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-bribery statutes, the same is true for a Code of Conduct and written policies and procedures. They are both the building blocks of everything that comes thereafter.

In an article, Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz stated that a company’s Code of Conduct “should demonstrate a complete ethical attitude and your organization’s ‘system-wide’ emphasis on compliance and ethics with all applicable laws and regulations.” Your Code of Conduct must be aimed at all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.” This would also include all “management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.”

There are several purposes identified by the authors that should be communicated in your Code of Conduct. Of course the overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating what is required of them, to provide a process for proper decision-making and then to require that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. To that end, I suggest that your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of discipline, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

The written policies and procedures required for a best practices compliance program are well known and long established. As stated in the FCPA Resource Guide 2nd edition, “Among the risks that a company may need to address include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.” Policies help form the basis of expectation and conduct in your company and Procedures are the documents that implement these standards of conduct.

Another way to think of policies, procedures and controls was stated by Aaron Murphy, in his book “Foreign Corrupt Practices Act”, when he said that you should think of all three as “an interrelated set of compliance mechanisms.” Murphy went on to say that, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.”

Borrowing from an article in the Houston Business Journal, entitled “Company policies are source and structure of stability”, I found some interesting and important insights into the role of policies in any anti-corruption compliance program. Allen says that the role of policies is “to protect companies, their employees and consumers, and despite an occasional opposite outcome, that is typically what they do. A company’s policies provide a basic set of guidelines for their employees to follow. They can include general dos and don’ts or more specific safety procedures, work process flows, communication guidelines or dress codes. By establishing what is and isn’t acceptable workplace behavior, a company helps mitigate the risks posed by employees who, if left unchecked, might behave badly or make foolhardy decisions.”

Allen notes that policies “are not a surefire guarantee that things won’t go wrong, they are the first line of defense if things do.” The effective implementation and enforcement of policies demonstrate to regulators and the government that a “company is operating professionally and proactively for the benefit of its stakeholders, its employees and the community it serves.” If it is a company subject to the FCPA, by definition it is an international company so that can be quite a wide community.

Allen believes that there are five key elements to any “well-constructed policy”. They are:

  • identify to whom the policy applies;
  • establish the objective of the policy;
  • explain why the policy is necessary;
  • outline examples of acceptable and unacceptable behavior under the policy; and
  • warn of the consequences if an employee fails to comply with the policy.

Allen notes that for policies to be effective there must be communication. He believes that training is only one type of communication. I think that this is a key element for compliance practitioners because if you have a 30,000+ worldwide work force, the logistics alone of such training can appear daunting. Consider gathering small groups of employees, where detailed questions about policies can be raised and discussed, as a powerful teaching tool. Allen even suggests posting Frequently Asked Questions (FAQs) in common areas as another technique.

The FCPA Resource Guide 2nd edition ends its section on policies with the following, “Regardless of the specific policies and procedures implemented, these standards should apply to personnel at all levels of the company.” Allen puts it a bit differently in that “it is important that policies are applied fairly and consistently across the organization.” He notes that the issue can be that “If policies are applied inconsistently, there is a greater chance that an employee dismissed for breaching a policy could successfully claim he or she was unfairly terminated.” This last point cannot be over-emphasized. If an employee is going to be terminated for fudging their expense accounts in Brazil, you had best make sure that same conduct lands your top producer in the US with the same quality of discipline.

Join us tomorrow where we look at the Roman Arch and resourcing your compliance program.

Great Structures Week I: Vitruvius, the Brooklyn Bridge and Compliance

In “Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, Professor Stephen Ressler explores some of the world’s greatest structures and the development of structural engineering throughout history. Many structural engineering concepts are apt descriptors for an anti-corruption compliance program. So today, I will begin the ‘Great Structures Week’ as an entrée into an appropriate topic for an anti-corruption compliance program. Each day I will discuss a structural engineering concept together with one of my favorite examples from Professor Ressler’s course.

To open the series I will consider what makes a structure great. Marcus Vitruvius Pollio (Vitruvius) was a Roman author, architect, and civil engineer during the 1st century BC, known for his work entitled De Architectura. Vitruvius is famous for proclaiming that a structure must exhibit the three qualities of firmitas, utilitas and venustas, meaning that it must be solid, useful and beautiful. These are sometimes termed the Vitruvian Triad and today these are loosely translated that great constructions must have form, function or structure. Form is the arrangement of space and harmony. Function is the measure of usefulness. Structure contains innovative techniques in its creation.

My favorite example of a structure that incorporates all three of these concepts is the Brooklyn Bridge. The beauty of the form follows the functions of the scientific principles that underlie the bridge’s structure. As Ressler noted “Each element of the form of the Brooklyn Bridge serves a structural purpose based on mathematical principles.” First the form itself is one of great beauty. The function remains the same, even if the modes of transport have evolved; the Bridge was designed to carry people from Brooklyn to Manhattan. Yet as Ressler notes, “beyond the aesthetic, these features are a direct reflection of the scientific principles underlying the bridge’s design. They are, in a word, structure – a system of load carrying elements that cause the bridge to stand up.” We have a graceful and elegant design, which operates to safely conduct people over the Hudson River, through an engineering design that allows the structure to act as intended.

This convergence of Vitruvius’ tripartite view of what makes a great structure is an appropriate analogy for a best practices anti-corruption compliance program to facilitate compliance with the FCPA, UK Bribery Act or similar regime. Over the years both the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear that each company should have a compliance program that fits its needs. Indeed, in the FCPA Guidance, it could not have been made clearer when it stated, “Individual companies may have different compliance needs depending on their size and the particular risks associated with their businesses, among other factors. When it comes to compliance, there is no one-size-fits-all program.” The Guidance goes on to state the obvious when it notes, “companies may consider a variety of factors when making their own determination of what is appropriate for their specific business needs. Indeed, small- and medium-size enterprises likely will have different compliance programs from large multi-national corporations”.

The Guidance goes on to note, “Compliance programs that employ a “check-the-box” approach may be inefficient and, more importantly, ineffective. Because each compliance program should be tailored to an organization’s specific needs, risks, and challenges, the information provided below should not be considered a substitute for a company’s own assessment of the corporate compliance program most appropriate for that particular business organization. In the end, if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company generally to prevent violations, detect those that do occur, and remediate them promptly and appropriately.”

Yet when viewed through Vitruvius’ prism, it is clear that an anti-corruption compliance program is much more holistic, with form, function and structure. A good compliance program is really about good financial controls. I think this is one outlook of FCPA compliance which is not discussed enough. Stanley Sporkin, in many ways the progenitor of the law, recognized that if a company was going to engage in corruption it would have to hide such activity through falsified books and records. Hence, he articulated the basis for having the accounting provisions included when the Act was originally written and enacted into law. These provisions include both the books and records provision and the internal controls provision. The Guidance says, “the accounting provisions ensure that all public companies account for all of their assets and liabilities accurately and in reasonable detail”. So the form of a compliance program should be largely in financial controls that are baked into a company.

The formula of a compliance program can follow several forms. It can be based on the Hallmarks of an Effective Compliance Program from the FCPA Guidance, the Six Principles of Adequate Procedures as contemplated by the UK Bribery Act; the OECD 13 Good Practices or other formulations. The form of any of these articulations meets the Vitruvius definition.

Next is the function. Here I think it is appropriate to consider what the FCPA Resource Guide 2nd edition says regarding internal controls, that being “Internal controls over financial reporting are the processes used by companies to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements. They include various components, such as: a control environment that covers the tone set by the organization regarding integrity and ethics; risk assessments; control activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitoring.” Moreover, “the design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.” This language points to the function of any best practices compliance program: to make the company a better-run company.

Finally, in the area of structure it is incumbent to recall that any best practices anti-corruption compliance program continues to evolve. It evolves with technological innovations such as transaction or continuous controls monitoring. But a compliance program must evolve as your company evolves. Changing commercial realities and conditions can create new or increased FCPA compliance risks. Your compliance program needs to be able to detect, assess and manage new risk as your business creates new products, moves into new territories or develops new sales channels. The FCPA Resource Guide 2nd edition states, “They are dynamic and evolve as the business and the markets change.” To do so, “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry.”

Categories
FCPA Compliance Report

Erica Salmon Byrne on Ethisphere Partnership with Alpine Investors

In this episode, I visit with Erica Salmon Byrne, now CEO at Ethisphere. We review the firm’s recent acquisition by Alpine Investors, a B-Corp. Key areas we discuss on this podcast are:

  • What does this new partnership mean for Ethisphere?
  • Who is Alpine Investors, and what is a B Corp?
  • What is People Focused Private Equity, and why was this a good fit for Ethisphere?
  • What will be Erica’s role going forward?
  • How this move will refocus Ethisphere’s efforts in ESG.

Resources

Ethisphere Press Release

Ethisphere

Alpine Investors

Categories
Popcorn and Compliance

Leadership Lessons from The Wolfman

I have always loved the classic Universal monster movies from the 1930s. This month, I am exploring one movie each week to mine it for leadership and compliance lessons. For this first entry in this short series on Popcorn and Compliance, I look at the original 1941 version of The Wolfman, which starred Lon Chaney Jr as the Wolfman. Chaney imbued the Monster with great pathos, and in this podcast, I explore some of the dichotomies found in the movie, which I believe move beyond simply good v. evil. The supporting roles include Claude Rains as Lawrence Talbot’s father, Bela Lugosi as the werewolf who attacks Chaney, and Maria Ouspenskaya as Maleva, the mother of the original werewolf, who is an empathic and wise character that provides guidance, comprehension, and comfort to the others. The movie is very atmospheric and is a ton of fun.

Categories
Great Women in Compliance

GWIC x The Ethics Experts-Mary’s Episode

Welcome to the Great Women in Compliance Podcast, co-hosted by Lisa Fine and Mary Shirley.

For the next two weeks, the GWIC team are presenting a collab with ComplianceLine: GWIC X The Ethics Experts! Mary and Lisa start their throwback Wednesday sessions by harking all the way back to the early days of COVID19, where Mary’s episode was recorded while she was in the New Zealand coronavirus lockdown.

Gio Gallo interviewed Mary about her leadership style – especially focused on giving (junior) staff substantive, meaningful work and wings to fly while setting out a safety net, how not to slip into complacency in your Compliance program by being reassured of historical achievements, and understanding that there is no lowest common denominator. Learn how you can use surveys to tap into your most vulnerable areas you don’t even know you have.

Check out Lisa’s interview on the Ethics Experts here on the Great Women in Compliance Podcast on 19 October!

On 26 October, Mary and Lisa will return to their regular programming with a joint episode on learnings, insights, and observations from the Society of Corporate Compliance and Ethics Compliance and Ethics Institute. Want to be a part of the fun? Introduce yourself to Lisa and Mary at the conference – you’ll be able to spot them by their GWIC tote bags that Lisa kindly procured for the duo.

The Great Women in Compliance podcast is excited to look at topics like this one, and we are always open to suggestions for guests.

The Great Women in Compliance Podcast is on the Compliance Podcast Network with a selection of other Compliance related offerings. If you are enjoying this episode, please rate it on your preferred podcast player to help other likeminded Ethics and Compliance professionals find it. If you have a moment to leave a review at the same time, Mary and Lisa would be so grateful.

You can also find the GWIC podcast on Corporate Compliance Insights where Lisa and Mary have a landing page with additional information about them and the story of the podcast. Corporate Compliance Insights is a much-appreciated sponsor and supporter of GWIC, including affiliate organization CCI Press publishing the related book; “Sending the Elevator Back Down, What We’ve Learned from Great Women in Compliance” (CCI Press, 2020). If you enjoyed the book, the GWIC team would be very grateful if you would consider rating it on Goodreads and Amazon and leaving a short review.

You can subscribe to the Great Women in Compliance podcast on any podcast player by searching for it and we welcome new subscribers to our podcast.

Join the Great Women in Compliance community on LinkedIn here.

Ongoing Compliance Assessments: FCPA, UK Bribery Act and OECD Best Practices

One of the requirements consistent throughout the Principles of Federal Prosecution of Business Organization (US Sentencing Guidelines) and its section on corporate compliance programs; the Organization for Economic Co-operation and Development (OECD) Good Practice Guidance on Internal Controls, Ethics, and Compliance; and the UK Bribery Act’s Consultative Guidance is the need for continued assessment of an anti-corruption and anti-bribery compliance program. This posting will review the specifics of each of these documents and will provide to the compliance and ethics practitioner some ideas on how to implement what each of these protocols stress is a key component of any best practices compliance program.

US Sentencing Guidelines

The US Sentencing Guidelines state that there should be periodic reviews of a company’s compliance program, utilizing internal resources, such as a company’s Internal Audit function, and outside professional consultants. The OECD Good Practice states that a compliance program should be periodically re-assessed and re-evaluated to take into account any new developments. The UK Bribery Act Consultative Guidance, recently released by the UK Ministry of Justice, requires ongoing monitoring and review by noting that a compliance program and procedures should be reviewed regularly and a company should consider whether an “external verification [of the compliance program] would help.”

Speaking at the Compliance Week 2010 Annual Conference, Assistant Attorney General for the Criminal Division of the US Department of Justice, Lanny Breuer, indicated that such an external verification or assurance of the effectiveness of a compliance program is a key component to assist a company in maintaining a ‘best practices’ FCPA compliance program. He noted that it is through a mechanism such as an ongoing assessment that a company could continue to evaluate its own compliance program with reference to compliance standards which are evolving on a worldwide basis.

OECD

In this same speech, Breuer cited as a benchmark for a best practices compliance and ethics program the protocols set forth in the OECD Good Practice Guidance on Internal Controls, Ethics, and Compliance. In this protocol the OECD suggested “periodic reviews of the ethics and compliance programs or measures, designed to evaluate and improve their effectiveness in preventing and detecting foreign bribery, taking into account relevant developments in the field, and evolving international and industry standards.” Writing in the Society of Corporate Compliance and Ethics Magazine (SCCE) (Vol. 7 / No. 3), Russ Berland explained that this guidance meant that companies should regularly reassess their anti-bribery and anti-corruption compliance program to evaluate and improve its overall effectiveness. Although he did not give a time frame for this regular assessment, Berland noted that any such assessment “should take into account new developments in the area and evolving standards.”

UK Bribery Act 

Principle Six of the UK Bribery Act’s Consultation Guidance discusses the need for ongoing monitoring and review. The Principle states “The commercial organization institutes monitoring and review mechanisms to ensure compliance with relevant policies and procedures and identifies any issues as they arise. The organization implements improvements where appropriate.” The reason for this continued monitoring was to ensure that, if external events like government changes, corruption convictions, or negative press reports occur, an appropriate compliance response is triggered. The Guidance noted that it would be prudent for companies to consult the publications of relevant trade bodies or regulators that could highlight examples of good or bad practice. Organizations should also ensure that their procedures take account of external methods of issue identification and reporting as a result of the statutory requirements applying to their supporting institutions, for example money laundering regulations reporting by accountants and solicitors.

The Consultative Guidance offered companies several specific suggestions. The senior management of higher risk and larger organizations may wish to consider whether to commission external verification or assurance of the effectiveness of anti-bribery and anti-corruption policies. An independent review can provide a company that is undergoing structural change or entering new markets with insight into the strengths and weaknesses of its anti-bribery policies and procedures and can help identify areas for improvement. Such an independent assessment would also enhance a company’s credibility with business partners, help restore market confidence following the discovery of a bribery incident, and help meet the requirements of both voluntary or industry initiatives and any future pre-qualification requirements.

Ongoing Assessment as ‘Best Practices’ 

All three cornerstones of guidance available to the Foreign Corrupt Practices Act (FCPA) compliance practitioner include ongoing assessments as a key component of any best practices program. The text of each document and the remarks by commentators make clear the reasons for such an ongoing assessment. Not only do best practices evolve, but companies and businesses evolve as well. An assessment is key to measuring where your program currently stands so that you know where it needs to be updated.

Attention should be paid to who conducts the assessment and how it is conducted. The entity, be it a law firm, professional consultant or other, which designed the FCPA compliance program for your company should not be the assessor. Such an assessment would obviously be a conflict of interest. Additionally, a drafter usually has blind spots when assessing his or her own work. An outside FCPA compliance professional should be engaged to assess your compliance policy, no less than every two years, to review and make recommendations to keep your program at the best practices standard.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

 

© Thomas R. Fox, 2010

Categories
Innovation in Compliance

Innovating Compliance in the Middle East and Africa with Tomell Ceasar

 

Tomell Ceasar is the Group Head of Ethics and Compliance at Careem (An Uber Company). He is one of the founders of the Middle East and Africa Compliance Association (MEACA). This organization strives to raise awareness on business ethics and provides tools to build stronger and more responsible businesses. Essentially, they promote global regulatory compliance and effective governance in the Middle East and Africa. In this week’s episode, he explains to Tom the intricacies of practicing compliance outside the US, specifically the EAME. 

 

 

Compliance Practice in the EAME

Tom asks Tomell to describe what it is like practicing compliance in EAME. Tomell responds that it’s difficult to make broad generalizations on compliance region-wide since the EAME is such a huge territory. Compliance is a “Western value in terms of the way one approaches international business”, Tomell remarks, so adoption would take some time. However, appreciation of compliance roles and professionals grew exponentially over the past decade. International companies are seeing compliance through the US lens, and “they identified values of compliance being important enough to them to adopt similar frameworks and ideological perspectives as it relates to commercial enterprise, to be equivalent to the United States,” Tomell remarks.

 

The Birth of the MEACA 

Tom wants to know how Tomell, a co-founder of the Middle East and Africa Compliance Association, came up with the idea for the MEACA. Tomell explains that “the values of compliance have traditionally not been a staple of commercial enterprises in these regions.” Compliance has had a real maturation process over the last 10 years, and Tomell and his team saw a major opportunity to support the development and growth towards that end. There was a need for an organization willing to serve the distinct purpose of “serving and supporting the compliance community and to give them an avenue to connect, to network, to broaden their skill set.” Thus, the MEACA was born. To this day, they help companies promote and catalyze the compliance movement toward fighting corruption in companies and society.

 

Resources 

Tomell Ceasar | LinkedIn

The Middle East and Africa Compliance Association

 

Use Your Eyes in Compliance

One thing compliance professionals are rarely trained to do is trust their eyes. This may be because it seems too obvious. After all, the well-known Howard Sklar maxim of “Water is Wet” is largely based on the fact that if something is so obvious you may not need to train on it. Yet two recent events make clear we all need to ‘trust our eyes’ in a variety of settings. The first is in the National Football League (NFL) and it involves Miami Dolphins quarterback Tua Tagovailoa. Three weeks ago, he was tackled and thrown to the ground, and his head snapped against the turf. This is clearly a sign a concussion may be coming. After Tua got up, he stumbled and fell and then had to be helped up by a teammate and off the field.

I say all of this with absolute certainty as I was watching the Dolphins v. Bills game and saw it along with some 70,000 in the stadium and millions on television. Unfortunately, those who did not see these actions of Tua after the hit were the Dolphins medical staff who, rather amazingly (or perhaps not), cleared him under the NFL Concussion Protocol and sent him back to play in the second half of the game. Again, finding he was fine under the concussion protocol, he was allowed to play. The Dolphins claimed that he had sustained a “back injury” and that was why he stumbled and fell, not motor impairment. The next week, Tua took another shot to his head and this time he did not get up, stumble and fall. He did not get up at all. According to the New York Times (NYT), he left the field on a stretcher and was taken immediately to a local hospital.

It was clear to anyone who saw the first concussion that it was just that, a concussion. However, “because of the incident, the league and union said they were considering changing the protocols, which currently allow a player with “gross motor instability” to return to the game if doctors decide there is an orthopedic reason for his unsteadiness.” Some doctor said the instability was due to Tua’s bad back and that was good enough. The NYT went on to further note, “The expected change will be to instead establish ataxia, a term describing impaired balance or coordination caused by damage to the brain or nerves, as a sign that automatically disqualifies a player from returning to the game.”

All of this informs compliance programs and compliance professionals, as sometimes actions simply do not pass the eye test. I thought of this in the context of the recent Oracle Corporation Foreign Corrupt Practices Act (FCPA) enforcement action. In this Oracle matter, the bribery schemes involved distributors, which were used not only as conduits to pay bribes, but also as the mechanism to create a pot of money to pay bribes. The Oracle compliance program allowed sales employees at the subsidiaries to request monies meant to reimburse distributors for certain marketing expenses associated with selling Oracle products. There was a multi-pronged approval process in place. For marketing reimbursements “under $5,000, first-level supervisors at the Subsidiaries could approve the purchase order requests without any corroborating documentation indicating that the marketing activity actually took place.” Above this $5,000 threshold, additional approvals were required with additional requirements for business justification and documentation.

You can no doubt see where this is going, as this internal control gap allowed for abuse. Indeed, the Order stated, “Oracle Turkey sales employees opened purchase orders totaling approximately $115,200 to [distributors] in 2018 that were ostensibly for marketing purposes and were individually under this $5,000 threshold.” That is at least 23 different expense requests to reimburse for marketing made under the threshold. Of course, there were no marketing efforts by the distributors and no follow-up audits, inspections or even questions to confirm that the marketing expenses had actually occurred. The entire business unit was in on the fraud, and it stole money from the corporate office to fund its slush fund to pay bribes.

Clearly compliance was not using its eyes, for if it had, it would have seen that there was a large number of marketing reimbursement requests at or below the threshold which required additional oversight and approval. Using your eyes does not mean that it is simply your eyes which catch nefarious conduct; it means that you use your eyes and, if something unusual occurs, then additional investigation is warranted.

All of this brings us to the second lesson from the NFL’s sordid tale involving Tua Tagovailoa, which is: if the protocol does not work, change the protocol. Renee Miller, writing in The Athletic, said, “The purpose of the onsite concussion exam is to determine if any symptoms are apparent in a neurological exam (looking at reflexes, cranial nerve function and limited cognitive skills), and if so, whether they arise from a neurological origin.” It does not take into account what we all saw with our eyes: the stumbling, Tua grabbing his helmet and his inability to focus. The NFL will now make a change to consider the other factors Tua exhibited. In other words, they changed the protocol to require and allow for additional information about the injured player in making a determination of that player’s returning to the game.

In the case of Oracle, there was a high risk of business unit employees using the marketing reimbursement requests to create a pot of money to pay bribes. We know this because this same bribery scheme was used by Oracle India to pay bribes and do business corruptly, all of which was the subject of a prior FCPA enforcement action. Pretty clearly, allowing business unit employees to obtain marketing reimbursements was something that would lead to disaster, which it did, just as the Dolphins allowing Tua to come back into the second half of the Bills game where he sustained his first concussion was disastrous for Tua, as he was much more seriously injured just the next week.

In compliance never forget to ‘use your eyes’ in testing your compliance program. If something does not look right, do additional investigation. If you do not do so, you may end up like Oracle, now one of 15 FCPA recidivists, a list no company wants to be on.