Categories
Blog

What is a Root Cause Analysis?

One of the biggest changes in the 2020 FCPA Resource Guide, 2nd edition, is the addition of a new Hallmark, entitled, Investigation, Analysis, and Remediation of Misconduct, which reads in full:

The truest measure of an effective compliance program is how it responds to misconduct. Accordingly, for a compliance program to be truly effective, it should have a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents. An effective investigations structure will also have an established means of documenting the company’s response, including any disciplinary or remediation measures taken.

In addition to having a mechanism for responding to the specific incident of misconduct, the company’s compliance program should also integrate lessons learned from any misconduct into the company’s policies, training, and controls on a go-forward basis. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches.

There are many interesting aspects to this Hallmark, not the least that it begins with “The truest measure of an effective compliance program is how it responds to misconduct.” This builds upon the language found in the “Confidential Reporting and Internal Investigations Hallmark, which stated, “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response,”. Now beyond being properly funded, you must have a “well-functioning mechanism” for the “timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents.”

This clearly mandates that once an allegation or even suspicion comes to the attention of compliance, it must be properly triaged, your investigation protocol should kick in with a detailed and effective investigation that is completed in a reasonable time and provide a response to the investigative findings. Moreover, an investigation is not the ending point and should be followed with a robust root cause analysis. This builds upon several sources.

The 2023 ECCP also raised the following questions under “Root Cause Analysis—What is the company’s root cause analysis of the misconduct at issue? Were any systemic issues identified? Who in the company was involved in making the analysis?”

Well known fraud investigator Jonathan Marks, partner at BDO, defined a root cause analysis as “research based approach to identifying the bottom line reason of a problem or an issue; with the root cause, not the proximate cause the root cause representing the source of the problem.” He contrasted this definition with that of a risk assessment which he said “is something performed on a proactive basis based on various facts. A root cause analysis analyzes a problem that (hopefully) was previously identified through a risk assessment.” He went on to note, “Root cause analysis is a tool to help identify not only what and how an event occurred, but also why it happened. When we are able to determine why an event or failure occurred, we can then recommend workable corrective measures that deter future events of the type observed.”

However, there is no one formula for performing a root cause analysis. One protocol, articulated by Health COMPass, advocates a four-step process which includes:

Step 1: Identify possible causal factors. Using the incident(s) to identify causal factors—things that cause or contribute to the compliance failure. It includes asking such questions as:

• What sequence of events leads to the problem?

• What conditions allow the problem to occur? [e.g., traditional values and practices]

• What problems co-exist with the central problem and might contribute to it? [e.g., lack of health facilities]

• Identify as many causal factors as possible. Start with the problem and brainstorm causal factors for that problem by asking “Why?” The root cause analysis team can also ask themselves (based on their own experience) and stakeholders “why” or “so what” questions to identify causal factors.

Step 2: Identify the root cause. To find root causes—the primary sources of the compliance violation—start with the causal factors and ask why. Root causes are seldom found in the most obvious causes. It is important to dig deeper and continue to ask “Why?” until nearly all responses have been exhausted or roots that seem important to address are reached. There are several useful methods for identifying root causes. One is to construct a root cause tree. Start with the problem and brainstorm causal factors for that problem by asking why. Connect them in a logical cause and effect order until arriving at the root of the problem.

Step 3: Identify communication challenges. Now ask which root causes are challenges that compliance can and should address and which are not. Share findings about other root causes with local authorities and leaders or organizations that might be able to address them.

Step 4: Prioritize compliance challenges. If root cause analysis identifies more than one compliance failure, decide which failure to address first. Rank root causes in order, starting with the main cause. To determine rank, consider:

• The potential impact of addressing the compliance failure. The greater the potential impact, the more important it is to address.

• How difficult it will be to reach the audience associated with the compliance failure.

• The mandate attached to the funding.

• If more than one causal factor is linked to the root cause. When a root cause is the source of multiple causal factors, it indicates that addressing the root cause can have far-reaching effects.

Another approach articulated by Marks is the Five Why’s approach. As he explained “Early questions are usually superficial, obvious; the later ones more substantive.” Borrowing from Six Sigma, the folks at iSixSigma.com believe this approach contemplates that “By repeatedly asking the question “Why” (five is a good rule of thumb), you can peel away the layers of symptoms which can lead to the root cause of a problem. Very often the ostensible reason for a problem will lead you to another question. Although this technique is called “Five Whys,” you may find that you will need to ask the question fewer or more times than five before you find the issue related to a problem.”

To use this approach, iSixSigma.com suggests the following protocol. Begin by writing down the specific problem, which assists you to formulate the issue or problem. Then begin asking, “Why?” Ask why the compliance failure occurred write the answer down below the problem. But do not stop there if this first response does not “identify the root cause of the problem that you wrote down in Step 1, ask why again and write that answer down. Loop back to step 3 until the team is in agreement that the problem’s root cause is identified. Again, this may take fewer or more times than five whys.”

Ultimately, performing a root cause analysis is not simply a matter of sitting down and asking a multitude of questions. You need to have an operational understanding of how a business operates and how they have developed their customer base. Overlay the need to understand what makes an effective compliance program, with the skepticism an auditor should bring so that you do not simply accept an answer that is provided to you, as you might in an internal investigation. As Marks noted, “a root cause analysis is not something where you can just go ask the five whys. You need these trained professionals who really understand what they’re doing.”

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program – Day 27 – Compliance Function in an Organization

The role of the compliance professional and the compliance function in a corporation has steadily grown in stature and prestige over the years. When it came to the corporate compliance function, 2020 FCPA Resource Guide, 2nd edition, under the Hallmarks of an Effective Compliance Program, simply noted the government would “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”

This Hallmark was significantly expanded in both the original FCPA Corporate Enforcement Policy and 2023 ECCP. In the FCPA Corporate Enforcement Policy, the DOJ listed the following as factors relating to a corporate compliance function, that it would consider as indicia of an effective compliance and ethics program: 1) the resources the company has dedicated to compliance; 2) the quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk; 3) the authority and independence of the compliance function and the availability of compliance expertise to the board; 4) the compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors; and 5) the reporting structure of any compliance personnel employed or contracted by the company.

The 2023 ECCP and 2023 Update to the FCPA Corporate Enforcement Policy both demonstrate the continued evolution in the thinking of the DOJ around the corporate compliance function. Their articulated inquiries can only strengthen a corporate compliance function specifically; and the compliance profession more generally. The more the DOJ talks about the independence of the compliance function, coupled with resources being made available and authority concomitant with the corporate compliance function, the more corporations will see it is directly in their interest to provide the resources, authority and gravitas to compliance position in their organizations.

 Three key takeaways:

1. How is compliance treated in the budget process?

2. Has your compliance function had any decisions over-ridden by senior management?

3. Beware outsourcing of compliance as any such contractor must have access to company documents and personnel.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 20 – The Third Party Risk Management Process

The DOJ expects an integrated approach that is operationalized throughout the company. This means you must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party risk management that will fulfill the DOJ requirements as laid out in the 2023 FCPA Resource Guide, 2nd edition, and in the Hallmarks of an Effective Compliance Program. The five steps in the lifecycle of third-party management are:

1. Business Justification by the Business Sponsor.

2. Questionnaire to Third-party.

3. Due Diligence on the Third Party.

4. Compliance Terms and Conditions, including payment terms.

5. Management and Oversight of Third Parties After Contract Signing.

Three key takeaways:

1. Use the full 5-step process for third-party management.

2. Make sure you have business development involvement and buy-in.

3. Operationalize all steps going forward by including business unit representatives.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Blog

How to Evaluate a Risk Assessment

After you complete your risk assessment, you must then translate it into a risk profile. If your estimate of where your bribery risk is greatest is wrong, it will be an effort to address it. As Ben Locwin explained in his BioProcess International article, entitled, Quality Risk Assessment and Management Strategies for Biopharmaceutical Companies:

Once we have assessed risks and determined a process that includes options to resolve and manage those risks whenever appropriate, then we can decide the level of resources with which to prioritize them. There always will be latent risks: those that we understand are there but that we cannot chase forever. But we need to make sure we have classified them correctly. With a good understanding of each of these, we are in a better position to speak about the quality of our businesses.

William C. Athanas, a partner in Holland and Knight, in an article in Industry Week entitled, Rethinking FCPA Compliance Strategies in a New Era of Enforcement, posited that companies assume that FCPA violations follow a bell curve in which most employees are responsible for most of the violations. However, Athanas believed that the distribution pattern more closely follows a hockey-stick distribution, where virtually all violations are committed by just a few people. Athanas concluded by noting that is this limited group of employees, or what he terms the “shaft of the hockey-stick,” to which a company should devote the majority of its compliance resources. With a proper risk assessment, a company can then focus its compliance efforts such as intensive training sessions or detailed analysis of key financial transactions involving those employees with the greatest means and motive to commit a violation.

The 2023 ECCP provided the following:

Risk Management Process—What methodology has the company used to identify, analyze, and address the particular risks it faces? What information or metrics has the company collected and used to help detect the type of misconduct in question? How have the information or metrics informed the company’s compliance program?

Updates and Revisions—Is the risk assessment current and subject to periodic review? Is the periodic review limited to a “snapshot” in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures, and controls? Do these updates account for risks discovered through misconduct or other problems with the compliance program?

In the Treasury Department’s 2019 Framework for OFAC Compliance Commitments (OFAC Framework), the provided greater clarity by stating in the section entitled, Risk Assessments, the following:

II. The organization has developed a methodology to identify, analyze, and address the particular risks it identifies. As appropriate, the risk assessment will be updated to account for the conduct and root causes of any apparent violations or systemic deficiencies identified by the organization during the routine course of business, for example, through a testing or audit function.

A way to evaluate risks as determined by the company’s risk assessment is through a risk matrix. Once risks are identified, they are then rated according to their significance and likelihood of occurring, and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of your remedial efforts or for continuous auditing. A variety of solutions and tools can be used to manage these risks going forward, but the key step is to evaluate and rate these risks. All your actions should flow from the risk ranking.

There are several ways to look at ‘Likelihood’ factors. An Event can be highly likely if it is expected to occur. An Event can be likely with a strong possibility than an event will occur Event may occur at some point, even if there is no history to support it. It can be possible and there is sufficient historical incidence to support it. Finally, an Event can be unlikely and not expected, with only a slight possibility that it may occur. Responses to likelihood factors to consider include the existence of controls, written policies and procedures designed to mitigate risk capable of leadership to recognize and prevent a compliance breakdown; compliance failures or near misses; and training and awareness programs.

The priority rating is the likelihood rating and ratings that reflect the significance of particular risk universe. It is not a measure of compliance effectiveness or to compare efforts, controls or programs against peer groups.

The most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These become the focus of your most significant risk management efforts, couple with audit and monitoring going forward. A variety of tools can be used to continuously monitoring risk going forward. Consider providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. It is important to create a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it. Finally, let this risk assessment and evaluation inform your compliance program, rather than letting the compliance program inform the risk assessment.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program – Day 18 – Risk Assessments

One cannot really say enough about risk assessments in the context of anti-corruption programs. This is because every corporate compliance program should be based on a risk assessment, on an understanding of your organization’s business from a commercial perspective, on how your organization has identified, assessed, and defined its risk profile, and, finally, on the degree to which the program devotes appropriate scrutiny and resources to this range of risks. The 2023 ECCP added a new emphasis on the cadence of Risk Assessments, mandating that risk assessments should be done not less than annually, but in reality, they should be done each time your risk changes. Over the past couple of years, every company’s risks have changed from going to Work From Home to Return to the Office to the Hybrid Work environments of 2024. What about geopolitical issues, the supply chain, or even potential compliance risks in the 2024 election cycle? Have you assessed each of these new paradigms for risks from a compliance perspective?

There are a number of ways you can slice and dice your basic inquiry. As with almost all FCPA compliance, it is important that your protocol be well thought out. If you use one, some, or all of the above as your basic inquiries for your risk analysis, it should be acceptable as your starting point.

Three key takeaways:

1. Since at least 1999, the DOJ has pointed to the risk assessment as the start of an effective compliance program.

2. The DOJ will now consider both your risk assessment methodology for identifying risks and the gathered evidence.

3. You should base your compliance program on your risk assessment.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Blog

Risk Assessments

One cannot really say enough about risk assessments in the context of anti-corruption programs. This is because every corporate compliance program should be based on a risk assessment, on an understanding of your organization’s business from the commercial perspective, on how your organization has identified, assessed, and defined its risk profile and, finally, on the degree to which the program devotes appropriate scrutiny and resources to this range of risks. The 2023 ECCP added a new emphasis on the cadence of Risk Assessments, mandating that risk assessments should be done not less than annually, but in reality it should be done each time your risk changes. Over the past couple of years, every company’s risks changed in going to Work From Home to Return to the Office to the Hybrid Work environments of 2024. What about geopolitical issues, supply chain or even potential compliance risks in the 2024 election cycle. Have you assessed each of these new paradigms for risks from the compliance perspective?

As far back as 1999, in the Metcalf & Eddy enforcement action, the DOJ has said that risk assessments that measure the likelihood and severity of possible FCPA violations should direct your resources to manage these risks. The 2012 FCPA Guidance stated it succinctly when it said, “Assessment of risk is fundamental to developing a strong compliance program and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.

Having made clear what was risks needed to be assessed, the 2023 ECCP was focused on the methodology used in the risk assess process. It stated:

Risk Management Process—What methodology has the company used to identify, analyze, and address the particular risks it faces? What information or metrics has the company collected and used to help detect the type of misconduct in question? How have the information or metrics informed the company’s compliance program?

Risk-Tailored Resource Allocation—Does the company devote a disproportionate amount of time to policing low-risk areas instead of high-risk areas, such as questionable payments to third-party consultants, suspicious trading activity, or excessive discounts to resellers and distributors? Does the company give greater scrutiny, as warranted, to high-risk transactions (for instance, a large-dollar contract with a government agency in a high-risk country) than more modest and routine hospitality and entertainment?

Updates and Revisions—Is the risk assessment current and subject to periodic review? Is the periodic review limited to a “snapshot” in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures, and controls? Do these updates account for risks discovered through misconduct or other problems with the compliance program?

Rick Messick, in his article, entitled, Corruption Risk Assessments: Am I Missing Something?, laid out the four steps of a risk assessment as follows:

First, all conceivable forms of corruption to which the organization, the activity, the sector, or the project might be exposed is catalogued. Second, an estimate of how likely it is that each of the possible forms of corruption will occur is prepared and third an estimate of the harm that will result if each occurrence is developed. The fourth step combines the chances of occurrence with the probability of its impact to produce a list of risks by priority.

What should you assess? In 2011, the DOJ concluded three FCPA enforcement actions which specified factors that a company should review when making a risk assessment. The three enforcement actions, involving Alcatel-Lucent S.A., Maxwell Technologies Inc. and Tyson Foods Inc., all had common areas that the DOJ indicated were compliance risk areas which should be evaluated for a minimum best practices compliance program. The Alcatel-Lucent and Maxwell Technologies Deferred Prosecution Agreements (DPAs) listed seven areas of risk to be assessed, which are still relevant today:

1. Where your company does business;

2. Geography-where does your Company do business;

3. Interaction with types and levels of governments;

4. Industrial sector of operations;

5. Involvement with joint ventures;

6. Licenses and permits in operations; and

7. Degree of government oversight.

The 2020 FCPA Resource Guide, 2nd edition, laid out the following approach, “Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs. When assessing a company’s compliance program, DOJ and SEC take into account whether and to what degree a company analyzes and addresses the particular risks it faces.”

Another approach, as detailed by David Lawler in his book Frequently Asked Questions in Anti-Bribery and Corruption, is to break the risk areas into the following categories: 1) company risk, 2) country risk, 3) sector risk, 4) transaction risk, and 5) business partnership risk. He further detailed these categories as follows:

Company risk. Lawler believes this is “only to be likely to be relevant when assessing a number of different companies—either when managing a portfolio of companies from the perspective of a head office of a conglomerate or private equity house.” High risk companies involve some of the following characteristics:

• Private companies with a close shareholder group;

• Large, diverse and complex groups with a decentralized management structure;

• An autocratic top management;

• A previous history of compliance issues; and/or

• Poor marketplace perception

Country risk. This area involves countries which have a high reported level or perception of corruption, have failed to enact effective anti-corruption legislation and have a failure to be transparent in procurement and investment policies. The Transparency International Corruption Perceptions Index (TI-CPI) can be a good starting point. Other indices you might consider are the Worldwide Governance Indicators and the Global Integrity index.

Sector risk. These involve areas that require a significant amount of government licensing or permitting to do business in a country. It includes the usual suspects of:

• Extractive industries;

• Oil and gas services;

• Large scale infrastructure areas;

• Telecoms;

• Pharmaceutical, medical device and healthcare; and/or

• Financial services

Transaction risk. Lawler says this risk “first and foremost identifies and analyses the financial aspects of a payment or deal. This means that it is necessary to think about where your money is ending up.” Indicia of transaction risk include:

• High reward projects;

• Involves many contractor or other third-party intermediaries; and/or

• Do not appear to have a clear legitimate object

Business partnership risk. This prong recognizes that certain manners of doing business present more corruption risk than others and may include:

• Use of third-party representatives in transactions with foreign government officials;

• A number of consortium partners or joint ventures partners; and/or

• Relationships with politically exposed persons (PEPs)

There are a number of ways you can slice and dice your basic risk assessment inquiry. As with almost all FCPA compliance, it is important that your protocol be well thought out. If you use one, some or all of the above as your basic inquiries for your risk analysis, it should be acceptable for your starting point.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 10 – Leadership’s Conduct at The Top

The 2022 Monaco Memo emphasized the basic point that the key to every company is culture. The bottom line is that corporate culture matters, and corporate culture that fails to hold individuals accountable or fails to invest in compliance—or worse, that thumbs its nose at compliance—leads to bad results.

To assist companies in understanding this requirement, the 2023 ECCP sets out inquiries demonstrating that DOJ requirements are more than simply the ubiquitous “tone-at-the-top,” as they focus on the conduct of senior management. The DOJ wants to see a company’s senior leadership actually doing compliance. The DOJ asks if company leadership has, through their words and concrete actions, brought the right message of doing business ethically and in compliance to the organization. How does senior management model its behavior based on a company’s values and finally, how is such conduct monitored in an organization?

Three key takeaways:

1. Senior management must actually do compliance—not simply talk the talk of compliance but also walk the walk.

2. The DOJ is now actively assessing corporate culture during investigations.

3. Your CEO is a Compliance Ambassador.

 

Categories
Blog

DAG Monaco on Cooperation and Compliance Incentives for M&A

Early in October at the 2023 SCCE Compliance and Ethics Institute, Deputy Attorney General Lisa Monaco delivered a long-anticipated speech expanding and formalizing the Department of Justice’s (DOJ’s) new Safe Harbor for mergers and acquisitions in the Foreign Corrupt Practice Act (FCPA) context. The latest M&A Safe Harbor expanded on an old and frankly cumbersome Opinion Release from 2008 and some old FCPA enforcement actions from the last decade to create a clear, concise, and most welcomed announcement.

The Halliburton Opinion Release (08-02) gave some very tight deadlines for engaging in due diligence post-acquisition and reporting to the DOJ. The deadlines were 90 days to identify and report high-risk agents, 120 days to identify and report medium-risk agents, and 180 days to identify and report low-risk agents. For those scoring at home, that is three, six, and nine months, which for most corporations is the blink of an eye.

Moreover, while the 2012 FCPA Resource Guide did provide some guidance on what may constitute a safe harbor, the word “may” was a sticking point for corporate management when deciding whether and how to proceed with a potential merger or acquisition. There is a big difference between a theoretical outcome and one that is concrete and presumptively available. Finally, a series of FCPA enforcement actions involved mergers and acquisitions. It was unclear when remediation of any issues must be completed, from 18 months to “as soon as is practicable.”

This new DOJ policy is then aimed at encouraging cooperation and compliance in the corporate world, particularly during acquisitions. This policy allows companies to avoid charges for compliance violations discovered during the acquisition process as long as specific deadlines are met. Compliance officers are crucial in this process, conducting due diligence before and after the acquisition.

Monaco stated, “We are announcing a Department-wide Safe Harbor Policy for voluntary self-disclosures in the mergers and acquisition process context. In the future, acquiring companies that promptly and voluntarily disclose criminal misconduct within the Safe Harbor period, cooperate with the ensuing investigation, and engage in requisite, timely, and appropriate remediation, restitution, and disgorgement will receive the presumption of declination.”

Under this new policy, acquiring companies will not be held accountable for aggravating factors at the acquisition target. This means that the acquiring company will not be responsible if there are compliance issues at the target company. However, there are concerns about how this policy will be executed and its potential impact on different enforcement actions.

A key element is the clear and concise timelines articulated by DAG Monaco. She stated, “To ensure consistency, I am instructing this Safe Harbor policy to be applied Department-wide. Each part of the Department will tailor its application of this policy to fit its specific enforcement regime and consider how it will be implemented.

To ensure predictability, we are setting clear timelines. As a baseline matter, to qualify for the Safe Harbor, companies must disclose misconduct discovered at the acquired entity within six months from the date of closing. That applies whether the misconduct was found pre- or post-acquisition.”

After that, “Companies will have a baseline of one year from the closing date to fully remediate the misconduct. These baselines are subject to a reasonableness analysis because we recognize deals differ and not every transaction is the same. So, depending on the specific facts, circumstances, and complexity of a particular transaction, Department prosecutors could extend those deadlines.”

One essential tradeoff in this policy is the balance between encouraging cooperation and holding companies accountable for their actions. On one hand, the policy incentivizes companies to disclose compliance violations and cooperate with the Justice Department voluntarily. This can lead to more effective enforcement and greater transparency in the corporate world. On the other hand, there is a risk that some companies may take advantage of this policy and try to cover up compliance violations.

Compliance officers also face challenges in this new policy. If they are not involved in pre-acquisition due diligence, it could be a red flag for their career security. There is a concern that unscrupulous management teams may try to close a deal without proper due diligence and then blame the compliance officer if issues arise later on. Compliance officers must proactively ensure their involvement in the acquisition process to protect themselves and their companies.

The enforcement of this policy, particularly in antitrust cases, is also a subject of curiosity and anticipation. It is unclear how the policy will apply to corporate misconduct beyond bribery and corruption or anti-competitive actions. There are questions about whether the default position of the DOJ antitrust division will be a declination or if they will still bring charges against companies involved in antitrust violations.

While this new policy is a step forward for compliance, there are still concerns about its effectiveness and potential abuse. The Justice Department is trying to balance providing incentives for cooperation and holding companies accountable for their actions. However, there is a need for further clarity and guidance on how this policy will be executed in practice.

Overall, the new policy on corporate compliance during acquisitions is an essential development in the corporate world. It highlights the importance of considering compliance issues when making decisions about acquisitions and encourages companies to take proactive steps to address compliance violations. Compliance officers play a crucial role in this process and must be vigilant in ensuring their involvement to protect themselves and their companies. The execution of this policy and its impact on different enforcement actions will be closely watched in the coming months.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Written Standards: Day 12 – Policies on Charitable Donations

What should your compliance policy and procedures on charitable donations look like? What should you prohibit or even caution against? The starting point is the 2012 FCPA Guidance regarding charitable donations. The information on the red flags from the Opinion Releases and the best practices, as set out in the 2020 FCPA Resource Guide, have been available for some time. From the Schering-Plough and Lilly enforcement actions, your policy should consider the timing of charitable donations to see if they are at or near the time of the awarding of new or continued business. Finally, in managing the relationship, you now need to look at overall increases in sales to determine if they are tied to a pattern of charitable donations. By looking at the timing and quantum of charitable donations, internal audit may be able to ascertain that a spike in sales is tied to corrupt conduct.

Three key takeaways:

1.What are the basic inquiries to make around charitable donations?

2.Use all of the communication tools the DOJ has provided; written guidance, enforcement actions and Opinion Releases to inform your charitable donation policy.

3. Document, Document, and Document the basis of your charitable donations risk assessment.

For more information, check out The Compliance Handbook, 4th edition, here.

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Written Standards: Day 10 – Policies and Procedures on Gifts and Business Entertainment

If one were to reflect upon the providing of gifts and business entertainment to foreign governmental officials, one might reasonably conclude that after 40 years of the FCPA, companies might follow its prescriptions regarding gifts and business entertainment. However, there have been some notable FCPA enforcement actions in this area.
The 2012 FCPA Guidance clearly stated the FCPA does not ban gifts and entertainment. Indeed, it specified, “A small gift or token of esteem or gratitude is often an appropriate way for business people to display respect for each other. Some hallmarks of appropriate gift-giving are when the gift is given openly and transparently, properly recorded in the giver’s books and records, provided only to reflect esteem or gratitude, and permitted under local law. Items of nominal value, such as cab fare, reasonable meals and entertainment expenses, or company promotional items, are unlikely to improperly influence an official, and, as a result, are not, without more, items that have resulted in enforcement action by DOJ or SEC.”
These guidelines must be coupled with active training of all personnel, not only on a company’s compliance policy, but also on the corporate and individual consequences that may arise if the FCPA is violated regarding gifts and business entertainment. Lastly, it is imperative that all such gifts and business entertainment be properly recorded, as required by the books and records component of the FCPA.
And, as always, do not forget the gut check test.

Three key takeaways:

  1. Gifts and business entertainment continue to plague companies for compliance violations.
  2. The key is not the amount but of having a policy and procedure and following it.
  3. Always remember to record gifts and business entertainment expenses correctly.

For more information, check out The Compliance Handbook, 4th edition, here.