Categories
Compliance Into the Weeds

Stericycle FCPA Enforcement Action


Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. This week, Matt and Tom take a deep dive into the recently released Stericycle FCPA enforcement action. Highlights include:

  • What is a business strategy based upon corruption?
  • Over-expansion and under due diligence in M&A.
  • Document, Document, Document.
  • The Monaco Doctrine at work.
  • Lessons learned going forward.

Resources
DPA
SEC Order
Matt in Radical Compliance
Tom in FCPA Compliance and Ethics Blog


Cookies, Chocolates and IP: The Stericycle FCPA Enforcement Action – Part IV

Last week, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) announced a Foreign Corrupt Practices Act (FCPA) enforcement action, involving the waste management company, Stericycle, Inc. (Stericycle). According to the Information and Deferred Prosecution Agreement (DPA), Stericycle entered into a three-year DPA. The company was charged with two counts of conspiracy to violate (1) the anti-bribery provision of the FCPA, and (2) the FCPA’s books and records provision. Under the DPA, Stericycle agreed to a criminal penalty of $52.5 million of which the DOJ agreed to credit up to one-third of the criminal penalty against fines the company pays to authorities in Brazil in related proceedings. According to the SEC Cease and Desist Order (Order), Stericycle violated the anti-bribery, books and records, and internal accounting controls provisions of the FCPA and agreed to pay approximately $28.2 million in disgorgement and prejudgment interest. The SEC Order also provided for an offset of up to approximately $4.2 million of any disgorgement paid to Brazilian authorities. Today we consider the lessons learned.
Rapid Expansion
Similar to what we saw in the WPP enforcement action, Stericycle engaged in rapid expansion in a series of foreign jurisdictions. In this case it was Latin America. Stericycle does not seem to have made the same mistakes as WPP in holding back part of the overall acquisition payout to the owners in the locales where they purchased entities and thereby incentivizing corruption to meet sales goals. With Stericycle, there was nothing about the same type of incentive plan used by WPP. However, Stericycle did appear to keep the former owners on as the executives in these new foreign subsidiaries without taking into account how those former owners may have done business or the risk model it entailed.
Which brings us to pre-acquisition due diligence, which is not simply looking at the financial issues involved but also considering the potential purchase from the compliance perspective. How did the companies which were purchased to form the foreign subsidiaries in Latin America do business before they were purchased? Did Stericycle review those companies from the compliance standpoint?
Moreover, and as Candice Tal, founder of Infortal, continually reminds us, due diligence is more than simply a site investigation or a couple of interviews. It should include “an in-depth background check of key executives or principal players. These are not routine employment-type background checks, which are simply designed to confirm existing information; but rather executive due diligence checks designed to investigate hidden, secret or undisclosed information about that individual.” Tal believes that such “Reputational information, involvement in other businesses, direct or indirect involvement in other lawsuits, history of litigious and other lifestyle behaviors which can adversely affect your business, and public perceptions of impropriety, should they be disclosed publicly.” Clearly, Stericycle did not engage in this level of due diligence in either the acquisitions of the entities which became Stericycle subsidiaries in Latin America or in their key personnel. Employees up and down the chain of an organization do not simply wake up one day and decide to engage in bribery and corruption and create a full set of records so the effectiveness of your bribery-based business process can be evaluated.
Impact of the FCPA Corporate Enforcement Policy
The Stericycle enforcement action once again demonstrates how the FCPA Corporate Enforcement Policy can benefit even the most corrupt organization and allow a significant reduction of the overall fine and penalty under the US Sentencing Guidelines. According to the DPA, Stericycle received a 25% discount off the bottom of the applicable Sentencing Guidelines fine range for its cooperation during the pendency of the investigation and the extensive remediation.
I have previously estimated Stericycle saved between $25 million and $30 million from their final criminal fine. That is certainly a significant amount and one every Chief Compliance Officer (CCO) needs to have ready to submit to your CEO to demonstrate the power of committing time and resources to both internal investigations and remediation during the pendency of the investigation.
Impact from the Lisa Monaco Doctrine
a. The Monitor
This is the first FCPA enforcement action to show the full impact of the change in DOJ enforcement priorities after the Lisa Monaco speech of October 2021, in a variety of ways. The first is the imposition of a monitor. It was required under both the DPA and the Order. Interestingly, even though the company was long aware of its compliance and ethical failures and even though it had been investigating this matter since at least 2016, the company could not seem to get its collective act together enough to fully implement and test the new compliance regime set out in the DPA. The DPA stated, “despite its extensive remedial measures described above, the Company to date has not fully implemented or tested its enhanced compliance program, and thus the imposition of an independent compliance monitor for a term of two years, as described more fully below and in Attachment D, is necessary to prevent the recurrence of misconduct.” [Emphasis supplied] Clearly the DOJ (and SEC) did not trust that the company would follow through with its obligations under the resolution documents, and concluded that a monitor was “necessary to prevent the recurrence of misconduct.”
b. Culture
One part of the Monaco speech which drew much criticism from the white-collar defense bar and others was her remarks around culture and that the DOJ would start assessing corporate culture in the context of other fines, penalties and regulatory enforcement actions from outside the FCPA context. Many articulated fears that conduct completely unrelated to an FCPA enforcement action could form the basis of an FCPA enforcement action. Those fears were alleviated in the Stericycle DPA which stated, “the Company has some history of prior civil and regulatory settlements, but no prior criminal history”. At least at this point, no unrelated civil or regulatory actions were assessed in the context of an FCPA enforcement action.
There was and continues to be much to consider and learn from the Stericycle FCPA enforcement action. I am sure we will be revisiting it in the future.

Categories
This Week in FCPA

Episode 291 – The Rams Win It All Edition


Super Sunday has passed with a game that was fun but poorly played, poorly officiated, and poorly coached. Tom and Jay are back to look at some of the week’s top compliance and ethics stories in the Rams Win It All Edition.
Stories

  1. Ericsson is in more FCPA trouble. Mengqi Sun in the WSJ Risk and Compliance Journal. Aaron Nicodemus in Compliance Week (sub req’d).
  2. DD impeding compliance in developing markets? Katya Lysova explores in the FCPA Blog.
  3. ESG: no longer a nice to have. Karen Alonardo in Risk and Compliance Matters.
  4. State AGs are waiting. Ashley Taylor and Chris Carlson in CCI.  
  5. The latest case on CCO liability. Matt Kelly in Radical Compliance
  6. Broken windows and compliance enforcement. Anthony O’Reilly in Compliance and Enforcement
  7. Companies yet again ask the EU for rules around ESG. Lawrence Heim in practicalESG.
  8. White-collar enforcement trends in 2021. Jamie Rosenberg in Grand Jury Target.  
  9. HP-Autonomy from the auditors’ perspective. Francine McKenna in The Dig
  10. South African courts deny Zuma’s attempt to remove the SA corruption prosecutor. Rick Messick in GAB.  

Podcasts and More

  1. In February on The Compliance Life, I visited Ellen Smith, a former Director of Trade Compliance who recently started her consulting firm. In Part 1, she discussed her academic background and early professional career. In Part 2, Ellen discussed her move in-house. In Part 3, Ellen discusses being a part of the Compliance Dream Team at Weatherford.
  2. Tom and Richard Lummis are in the middle of their annual review of Best Picture-winning movies on 12 O’Clock High, a podcast on business leadership. Part 1 reviews Schindler’s List for leadership and ethical lessons. In Part 2, they look at Gladiator.
  3. CCI releases a new e-book from Mike Volkov, “Compliance Culture Revolution.” Available free from CCI.
  4. Tom looks at some innovation in compliance with a 3-part blog post series in the FCPA Compliance and Ethics Blog. Topics include Compliance Ecosystem Governance, Compliance Branding, Building Culture & Compliance Coaching.
  5. Are you a Star Wars fan? How about an uber-Geek? You will love the 5-part series appearing next week on the Greeting and Felicitations podcast series on the Compliance Podcast Network if you are either or both. In this series, Tom visits astrophysicist Dr. Ben Locwin on the following topics: Traveling in Hyperspace, Fighting with a Light Saber, Mechanical Prosthetics, Cyborgs and Robots, and the Death Star. It is a ton of fun, and you will love it. Each episode will post at 10 each day next week. Check it out daily. 

Tom Fox is the Voice of Compliance and can be reached at tfox@tfoxlaw.com. Jay Rosen is Mr. Monitor and can be reached at jrosen@affiliatedmonitors.com.  


Due Diligence Lessons from Elizabeth Holmes and Theranos

Elizabeth Holmes was found guilty this week on 4 of 11 charges against her. The jury was unable to reach agreement on the remaining seven charges against her. Multiple media outlets have reported on the verdict. They include the verdict itself in the Wall Street Journal (WSJ); what the verdict means for Silicon Valley, in the New York Times (NYT); questions on the victims of the Theranos fraud in Bloomberg; and, of course, the lingering questions of how, or even whether, Holmes will serve any time, as reported in Fortune. Others have questioned whether the guilty verdict is an indictment of the entire Silicon Valley “fake it ‘til you make it” culture, as reported in The Verge.
I had two recent podcasts on the trial, Holmes and Theranos. The first, with white collar defense lawyer Kevin O’Brien, looked at the trial itself, the prosecution and defense cases as well as whether Holmes’ testimony hurt or helped her defense. The second, with Exiger President Brandon Daniels, considered the types of due diligence which you should engage in when considering a major investment. Both episodes were well received, pointing to the ongoing fascination with this major fraudster and how to parse out some lessons learned for the compliance professional.
From the testimony it was clear that Holmes knew exactly what she was doing all along. As reported by The Verge, “When it came to the investors, prosecutors had Holmes dead to rights. Unlike with the patients, she was in the room. There were emails and recordings. Holmes’ ties were clearer, and what she knew was clearer, too. The easiest part of this case to prove was about money, and that was where the prosecution spent the bulk of its time. Did Holmes lie to investors? The jury thought so on three counts”. In other words, the Theranos blood testing scam never did work.
But what are the lessons for the compliance professional? Daniels made clear in his podcast there were several lessons not only for companies looking to invest but in multiple business relationships such as potential joint venture partners, funded development partners and other types of business partnerships and ventures. He pointed out one thing to look at is your potential partner’s supply chain purchases; check it and challenge it. With Theranos, if someone saw the supply chain relationships with traditional blood testing equipment, it would lead him/her to ask, “Why is that occurring?” So why would Theranos be purchasing a competitor’s equipment?
If the answer came back the equipment is for testing and development comparison, why were those purchases at scale? Why did Theranos need so much of its competitor’s testing equipment? We now know it was because Theranos was testing blood samples on the Siemens blood testing equipment and claiming it was done on Theranos equipment. If it was for comparison purposes, you would not have expected Siemens’s equipment to have been purchased in such large numbers.
Another area for due diligence is whether the potential partner has the production capacity to build the units that they intend to achieve. This is critical when you are moving from prototype to a commercial enterprise, as Theranos did with Walgreens. Of course, Walgreens not only failed to do the basic due diligence required on the Theranos blood testing machine but actually removed experts from its pre-acquisition due diligence team who raised such questions.
Another difficult area in investment due diligence is how to evaluate the founder(s) of a startup as potential post-acquisition or post-merger leadership candidates. Many startups have a leader who has a vision. Holmes did have a vision. I am firmly convinced that Holmes had a vision of a bloodless draw for testing. But often visionaries are not really execution people. They may not even be operational people, but they are visionaries.
Daniels noted, “maverick leaders, who have a unique vision, a unique idea, and then tap into a fundamental, almost primal need in a market are always going to get a lot of attention. Especially ones that are cult to personality which Elizabeth Holmes rightly has in place.” But even here, you need to ask some direct questions. Does the company really have the expertise at the very top to understand that what they are attempting to do is possible? Moreover, do they have the capacity, the expertise, the fundamental understanding of the component of the device, or the innovation that would be necessary to know if full scale production is even possible?
A key step in the production process is a prototype. Is there a minimum viable product (MVP) that can be built and tested? This would help inform if key management personnel have “a fundamental understanding of how the core parts of the process work? Do they have an understanding how they lived the market need? Finally, have they prototyped the product to the point where you could actually demonstrate that it will work, even if you’re eons away from it being productized and scaling?” From there you should move on to having a “seasoned medical professional, a seasoned medical device expert either in-house or as a company partner and the right management team to assess whether or not what they were doing is viable is so important.”
Theranos also serves as an excellent example of the mandates from the Department of Justice (DOJ) in Mergers and Acquisitions (M&A) in a best practices compliance program. You must start with pre-acquisition due diligence but that is only the starting point. The data you glean in pre-acquisition due diligence should serve as your baseline for ongoing monitoring of any company you acquire in the post-acquisition phase. It is this coupling of pre-acquisition due diligence with the post-acquisition phase in a best practices compliance program which is another key lesson from Theranos.
In investment due diligence, due diligence tends to be a point-in-time which looks at the dynamics of the business, but you need to couple due diligence on an ongoing basis because the risks you assess today may well change tomorrow. Daniels noted, “you have to continuously monitor the issues to make sure that your investments decisions in terms of production, your decisions in terms of your capabilities are sound and there is continuous monitoring.”
The Holmes verdict will be studied as a part of the overall story of Theranos. There are many lessons to be learned from Theranos for the compliance professional. But perhaps we should start with one of the most basic forms of due diligence. If it sounds too good to be true, it probably isn’t true. Or if you want to channel your inner Ronnie Reagan, “Trust but verify” even in due diligence.

Categories
FCPA Compliance Report

John Katsos – Due Diligence in Conflict Zones


In this episode of the FCPA Compliance Report, I visit with John Katsos, Assistant Professor and Scholar at American University of Sharjah. John has researched and performed due diligence in conflict zones in the Middle East and Africa. He was part of a research team that published a series in the Big Idea section of the Harvard Business Review entitled Preparing for the Era of Uncertainty, which is a must read for every compliance professional. He brings a unique perspective to a variety of compliance topics. Highlights of this podcast include:

  1. Academic and professional background.
  2. Why is due diligence in conflict zones so difficult?
  3. What are some of the important differences in performing DD in conflict zones?
  4. What are some keys to successfully performing DD in conflict zones?
  5. Key lessons you observed on DD in Cyprus?
  6. Where did you come up with the idea for this series of articles, Preparing for the Era of Uncertainty?
  7. A discussion of each article in the series.
  8. What is it like teaching anti-corruption and other forms of compliance outside the US?
  9. How do you see your work tying into a broader ESG discussion?
  10. How do climate change and migration across borders influence your thinking?

Resources
Preparing for the Era of Uncertainty-Harvard Business Review
John Katsos website, including some great research and papers
John Katsos LinkedIn profile


On the Naughty List – Urban Meyer

We conclude our pre-Christmas Naughty List review and today we have one person who is on the Very Naughty List. That person is now former Jacksonville Jaguars head coach Urban Meyer. The missteps, inanity and downright irresponsible actions taken by Meyer during his abortive less than one season with the Jags are not only ones for the annals of National Football League (NFL) history but provide multiple lessons learned for the compliance professional.
Meyer was a very successful college coach winning national titles at two schools, Florida and Ohio State. But he was clearly out of his depth in the NFL, which of course is professional football and not college football. But the red flags were all there for any who cared enough to look. Clearly, they were ignored by the Jags owner, now to his shame and humiliation. It began almost immediately after Meyer’s hiring when he tried to retain a strength and conditioning coach who had been fired at Iowa for allegations of racial abuse.
Michael DiRocco reported, “In February, Meyer hired former Iowa strength coach Chris Doyle, who was accused of making racist remarks and belittling and bullying players while with the Hawkeyes. Doyle resigned a day later after the Jaguars were criticized for the hire by the Fritz Pollard Alliance.” Before the resignation, Meyer had claimed he had done his due diligence on Doyle with Meyer adding, he “did not consider the implications of hiring him.” Later in the summer, the NFL “fined the Jaguars $200,000 and Meyer $100,000 for excessive contact during a June 1 organized team activity. The team also must forfeit two OTAs during the first week of the 2022 offseason, meaning they will have only eight.”
Please note the season had not even started yet.
The Jags got off to an ignominious start losing to the pathetic Houston Texans and began the season 0-4. It was at this point that missteps turned into inanity. After losing to the Cincinnati Bengals to reach 0-4, Meyer did not travel back to Jacksonville with the team but went to Columbus, OH to unwind, relax with friends and visit with his grandchildren. Almost immediately, “a video began circulating on social media on Oct. 1 that showed a woman who was not Meyer’s wife dancing close to his lap at his Columbus restaurant. Meyer apologized in positional group meetings early in the week, then at a news conference and again in a team meeting later in the week. Khan also issued a public rebuke.”
As the losing wore on, Meyer’s true personality came out. Andrew Gastelum reported that in November Meyer “was involved in multiple disputes with players and coaches over the last two weeks, including a heated argument with receiver Marvin Jones and that Jones was reportedly so angry with Meyer’s criticism of Jaguars receivers that he left the team facility. According to Pelissero, staff convinced the receiver to return only for him to get into a heated argument with Meyer at practice.” Moreover, “Meyer reportedly challenged assistants to defend their résumés individually during a staff meeting where he told his coaching staff that he was a winner and that they were losers.” Of added significance to this reporting was, according to Tom Pelissero, that the sources for this story came from the NFL office, not simply Jag players. Predictably, in an incredibly inane move, as reported by Jordan Dajani, Meyer denied both events ever happened.
Yet even Meyer was capable of achieving another low, moving to complete irresponsibility.
Enraged and wrongfully believing that the source of this latest escapade came from inside the Jags, he announced anyone that blew the whistle on him would be unceremoniously shown the door, as in immediately. Then last week, Ryan Glasspiegel reported that former Jags kicker Josh Lambo accused Meyer of kicking him at practice in August. Lambo said, “It certainly wasn’t as hard as he could’ve done it, but it certainly wasn’t a love tap. Truthfully, I’d register it as a five (out of 10). Which in the workplace, I don’t care if it’s football or not, the boss can’t strike an employee. And for a second, I couldn’t believe it actually happened. Pardon my vulgarity, I said, ‘Don’t you ever f–king kick me again!’ And his response was, ‘I’m the head ball coach, I’ll kick you whenever the f–k I want.’”
Unsurprisingly, Meyer also denied this ever happened. Yet this is where complete irresponsibility turns to the surreal. While Meyer was denying the event ever took place, he had his lawyers threatening the reporter who broke the story. But here is the surrealness, as the lawyers did not dispute that Meyer kicked Lambo, only how hard. So, Meyer’s lawyers admit there was an assault, it just was not serious.
Finally, even the Jags owner had enough and when the assault allegations broke, he fired Meyer that night. The owner, Shad Khan, claimed that he had intended to fire Meyer after the latest loss on Sunday, but it took him several days to get his ducks in a row. Of course, while the owner was doing so, Meyer was still coaching the Jags. Methinks something is rotten with that story.
What are the lessons for the compliance professional in all of this?
Let’s start with due diligence. Meyer was penalized in Columbus for his less-than-ethical behavior around an assistant coach accused of assaulting his wife. He somehow managed to lose or delete multiple text messages on the topic. He was suspended for three games by Ohio State for his conduct. All of this was in the public record and there for all to see. Think executive due diligence is not important? Think again (and while you are thinking about it call Candice Tal.)
Internal Controls. Yes, there are internal controls in football. One such control deals with player safety based upon the amount of physical contact which can occur during offseason training camp (OTA). Meyer and the Jags were fined for having players engage in contact drills. In typical Meyer fashion, he had the Jags deny the team had done anything wrong as it was the players who simply could not contain themselves.
Discipline. Pro football has a Neanderthal governance structure (with the noted exception of the Green Bay Packers, who exist in a parallel socialist world). There is no public company, no Board overseeing the company. There is an owner and every significant employee reports directly to the owner. Clearly the owner, who did not do due diligence on Meyer’s character, was not going to discipline him. Although he belatedly claimed he was going to do so after the most recent loss, that seems like “Monday Morning Quarterbacking” to me. Do you really think that if any other Jag employee engaged in any of this behavior they would not have been sacked? Discipline must be delivered uniformly and fairly. That is called Institutional Fairness and is the responsibility of the Chief Compliance Officer (CCO). It is also a requirement of a compliance program. As was noted in the original FCPA Resource Guide, compliance has to apply from the “Board room to the shop floor.” Even in the recent Securities and Exchange Commission (SEC) enforcement action involving JPMorgan, the SEC required “an evaluation of who violated policies and why, what penalties were imposed, and whether penalties were handed out consistently across business lines and seniority levels.”
Perhaps now you might understand why Urban Meyer is on the Very Naughty List. But you can use the lessons learned to help keep your organization off the Naughty List in 2022 and beyond.

Categories
Innovation in Compliance

Right Question to the Right Person at the Right Time with Ishan Girdhar


 
Ishan Girdhar is Tom Fox’s guest in this week’s show. He is the CEO and founder of Privva, a cloud-based platform that streamlines data security to enable law firms to easily implement their own risk assessment. Tom and Ishan explore risk management in the new hybrid work era and what compliance professionals need to be thinking about in the coming years in that regard.  
 

 
The New Normal
The new hybrid work environment is here to stay. More companies are going back to the office but with fewer employees on site. This means that company leaders and compliance officers need to find a way to manage risk around virtual collaboration and communication technologies in a remote work environment. They will need to make sure that all employees are connected in a secure way. “When you have people working from home and working remotely, access to sensitive information grew exponentially… Many people have devices like Alexa or Google Home; those are devices that are recording every conversation that’s happening in your home,” Ishan cautions. Implementing policies that ensure employees aren’t working in the vicinity of these devices and making sure that companies lock-on set intervals, will go a long way in mitigating the risk that is posed from working in this environment.
 
Keep Communications Focus
Employees have to act as stewards and maintain and adhere to company policies surrounding risk and compliance. Tom asks Ishan how he keeps a communications focus in his organization, in a way that doesn’t lead to compliance fatigue. Compliance officers need to ensure that they’re actively capturing communication across their organizations, and that they have the tools to do so. “Make sure that your tech stack has the right capabilities to capture information and communication across your network,” Ishan remarks. Communicating the right ways to work with your clients and employees is also something that companies need to be thinking about. Use the right tools and the right steps to make sure your actions are in line with your internal corporate policies; the compliance departments can have access to that information if it’s required.  Make sure that the data is integrated and that all of that dialogue is time-stamped so it can be captured together. 
 
Creating Effective Cybersecurity
“Every product that technology brings to make your lives easier, better, faster, and cheaper for your clients comes with cybersecurity risk,” Ishan tells Tom. In order to mitigate cybersecurity risk, consistent training of your employees is necessary. Cybersecurity needs to be built into the culture of your organization and is a way for you to do your jobs in a timely and efficient way. Compliance professionals should be on top of what’s happening in the market with regard to new threats and risks. Have detailed policy monitoring and reporting requirements, and ensure you’re adapting your policies to the new norm. 
 
Third-Party Risk
Tom posits that third-party risk is beyond company to company, and that it’s actually the entire scope of your communication. Third-party risk is your suppliers, your partners, and your customers. Companies need to think about where their data is hidden, and where it’s going. “How is it leaving your environment? Where is it going? What’s the sensitivity of that data?” These are the questions Ishan implores leaders to think about. The biggest challenge with third-party risk management is that you have a say, but you don’t have full authority in enforcing change. It is also a two-way street in that as a company, you are also a custodian of information and you have to understand your minimum baselines, the security controls that are nonstarters for you, and what risks you’re willing to accept. If you are sending sensitive data to a third party, you have to include management and leadership as part of that conversation and process. 
 
What’s Next
Buying technology that will be sustainable going forward is one of the best ways to respond to cybersecurity risks in the coming future. Privacy is also a big challenge that companies are going to face. “Build out your budget and make sure that you have the right investments in place as you continue to grow and continue to go into the future leading up to 2025,” Ishan advises Tom and the audience. 
 
Resources
Ishan Girdhar | LinkedIn | Twitter
Privva
 


Lessons Learned from L’Affair Gruden

The fallout from the Jon Gruden imbroglio has widened and deepened. Many have asked why the NFL sat on the Gruden emails, which were uncovered in the investigation of the toxic culture of the Washington football team and have been known to the NFL since the spring of this year, and why they are only now coming into the public eye. Additionally, if the first email, in which Gruden disparaged the head of the NFL’s players union with a racial slur, had not been brought to light by the Wall Street Journal (WSJ) on Sunday of this week, would it have been released by the NFL or Las Vegas Raiders at all? Finally, why did the NFL only send the first email to the Raiders when clearly there were many, many more that were unearthed? All good questions and they demonstrate several salient factors, not the least being how the fallout from one event and investigation can impact an entire industry. However, even without current answers to these and other questions there are several very important lessons for the compliance professional.
Don’t Put Stupid Stuff in Emails
Before we get to compliance, consider the most basic problem here. Not that Gruden is simply a racist, homophobe, sexist, misogynist and a person with little moral compass. We might have never known what was in his heart, if Gruden had not put those immoral values into emails over eight years. The reason he is now out of professional football, probably forever, is that he put his values into emails, in the crudest terms possible. Twenty years ago, I did corporate training on this very topic. That training is apparently still needed. Imagine how the civil litigation will look when all this gets to trial. All the plaintiff’s lawyer(s) will have to do is read the emails to demonstrate a wide variety of civil wrongs and regulatory breaches and the only question left will be damages.
Fallout from Unrelated Investigations
In the 21st century, nothing happens in a vacuum. The offending emails were uncovered in an unrelated investigation. These emails largely came from outside the entity being investigated (the Washington football team) and the investigative firm turned them over to the entity overseeing the investigation, here the NFL. As noted above, it is not clear what action the NFL might have taken against Gruden, his former employer ESPN or his current employer, the Las Vegas Raiders. Gruden’s resignation from the Raiders may well forestall an answer to those questions.
Now imagine the same scenario when the Securities and Exchange Commission (SEC) investigates Activision for its toxic work environment (or the Department of Justice (DOJ) for that matter) or when the SEC investigated Lordstown Motors for a variety of other fraud and accounting issues. What if a set of similar emails appeared, all coming from an outside 3rd party, such as Gruden’s did to the Washington football team President Bruce Allen? Would the company employing that same 3rd party receive an email from the SEC requesting all emails from the offending employee? Would the SEC want to look at all emails? How would your company respond? Is the EEOC going to get involved? Will they (or the SEC) be contacting ESPN, owned by the Walt Disney Company, a publicly traded organization, about the culture at ESPN which allowed Gruden to send those emails? Are you ready to respond to them?
What is Due Diligence?
No person wakes up in their mid-40s or 50s and thinks, today is the day I will start sending out racist, homophobic, sexist or misogynist emails and throw away my moral compass. No one. They were like that long before they started doing so. Gruden had thought and felt those things long before he put them into print. Put another way, a leopard does not change its spots overnight. They were there for a long time.
As our colleague Candice Tal, founder of Infortal, continually reminds us, due diligence is not a one-time event nor a cursory Google search. It is a sustained deep dive investigation. Gruden did not become a racist, homophobic, sexist and misogynist overnight. You can bet there are other pieces of evidence of his values and beliefs out there. The then Oakland Raiders signed Gruden to the richest professional football contract ever given to a coach, $100 million over 10 years. Yet they apparently did little to no background due diligence on him. Was there evidence of his racist, homophobic, sexist and misogynist views in the public record? Would it have mattered to the Raiders? Would the Raiders have hired him anyway? Perhaps so but at least they might have known about Gruden’s racist, homophobic, sexist and misogynist values and tried to manage that risk. Of course, they might have passed on hiring him altogether if they knew what the fallout could look like.
Culture, Culture and More Culture
What is the culture of your organization? Why did the NFL allow such a culture to flourish that would allow a Monday Night Football commentator on ESPN to hold the job and then become the highest paid professional coach? Is it because the MAGA-hat-wearing NFL owners are all Trump supporters? What about the other employees who make up those organizations? Professional football players are 70% African American. What do Gruden’s remarks, the NFL’s non-response and the Raiders’ hiring communicate to them about how management thinks of them? Raiders owner Mark Davis advised people to look to the NFL for answers.
Bill Rhoden, writing in The Undefeated, an ESPN publication, put it succinctly, “my concern is about the legion of enablers who supported Gruden all of these years. What about them? Who are they? The NFL has gotten rid of its Gruden problem. It has not gotten rid of Gruden-ism: regressive sensibilities that stand foursquare against diversity, inclusion and tolerance.” He went on to say, “The reality is that the NFL, for all of its attempts to move forward, has been revealed as a regressive organization populated by white men who hold views about race and power that are antithetical to progress and enlightenment. Trust me, Gruden is not the only person who holds these beliefs. He’s the only one stupid enough, or emboldened enough, to express them via email.”
In short, the NFL has a huge culture problem. But you cannot change unless you admit you have a problem. We have seen nothing from the NFL that indicates it believes the problem is beyond Jon Gruden.

Categories
Innovation in Compliance

Compliance, Diligence and M&A: Part 1-Core Investigative Diligence

Welcome to a special five-part podcast series sponsored by K2 Integrity. This month we consider the intersection of compliance, diligence and mergers & acquisitions (M&A). I am joined by Hannah Coleman, Managing Director in K2 Integrity’s Investigations and Risk Advisory practice. She specializes in fast-moving, complex, and specialized research assignments in a variety of areas including investigative due diligence, corporate contests, intellectual property investigations, media transparency assessments, and litigation support. Also joining this week’s series is Tom Pannell, Managing Director in K2 Integrity’s Investigations and Risk Advisory practice. With a focus on financial investigations, Tom leads multi-disciplinary teams working with corporate clients and their legal advisors responding to crisis events, including multi-jurisdictional white-collar crime, misconduct, financial statement fraud, anti-bribery and corruption incidents, and compliance risk advisory work. In this first episode, I visit with Hannah on issues relating to core due diligence issues.
Join us in our next episode where we consider concerns in today’s deal making scene.
For more on K2 Integrity, check out their website, here.

Categories
31 Days to More Effective Compliance Programs

Day 18 | Levels of due diligence


Due diligence is generally recognized in three levels: Level I, Level II and Level III. Each level is appropriate for a different level of corruption risk. The key is to develop a mechanism to determine the appropriate level of due diligence and then implement that going forward.
The 2020 Update stated, “A well-designed compliance program should apply risk-based due diligence to its third-party relationships. Although the need for, and degree of, appropriate due diligence may vary based on the size and nature of the company, transaction, and third party, prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions.”
The question becomes how you use the information you obtained in the business justification and the questionnaire to determine an appropriate level of due diligence for the next step in the five-step process of third-party management. A three-step approach of varying levels of due diligence is the appropriate analysis to take going forward.
There are many different approaches to the specifics of due diligence. By laying out some of the approaches, you can craft the relevant portions into your program. The Level I, II and III trichotomy appears to have the greatest favor and is one that you should be able to implement in a straightforward manner. But the key is that you must assess your company’s risk and then manage that risk. If you need to perform additional due diligence to answer questions or clear red flags, you should do so. And do not forget to “Document, Document, and Document” all your due diligence.
Three key takeaways:

  1. A Level I due diligence should only be used where there is a low risk of corruption.
  2. A Level II due diligence is sufficient in a high-risk jurisdiction if there are no red flags to be cleared.
  3. Level III due diligence is a deep-dive, boots-on-the-ground investigation.