Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Compliance for Business – Pre-acquisition Due Diligence in Mergers and Acquisitions

A company that does not perform adequate due diligence before a merger or acquisition may face legal and business risks. Perhaps most commonly, inadequate due diligence can allow a course of bribery to continue – with all the attendant harms to a business’s profitability and reputation and potential civil and criminal liability. While most compliance practitioners have been long aware of the requirement in the post-acquisition context, the FCPA Resource Guide, 2nd edition, focused many compliance practitioners on the need to engage in robust pre-acquisition due diligence.

The 2020 Update made the need for a robust compliance presence in the pre-acquisition phase even more apparent. It stated, “A well-designed compliance program should include comprehensive due diligence of any acquisition targets, as well as a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls. Pre-M&A due diligence, where possible, enables the acquiring company to evaluate each target’s value and negotiate for the costs of any corruption or misconduct to be borne by the target. Flawed or incomplete pre- or post-acquisition due diligence and integration can allow misconduct to continue at the target company, causing harm to a business’s profitability and reputation and risking civil and criminal liability.”

Multiple red flags could be raised in this process, which might warrant further investigation. They include a target with ineffective compliance program elements or frequent breaches of policies and procedures. A target that is in financial difficulty would bear closer scrutiny. Structurally, issues could arise if the company did not have a formal ethics and compliance committee at the senior management or Board of Directors’ level. From the CCO perspective, if the position did not have Board or CEO access or had no regular reports, it could present an issue for compliance. Likewise, if there were frequent requests to waive policies, management override of compliance controls, or no consistent consequence management for violations, it could present clear red flags for further investigation.

Three key takeaways: 

  1. Your pre-acquisition due diligence results will inform your post-acquisition integration and remediation going forward.
  2. Periodically review your M&A due diligence protocol.
  3. If red flags appear in pre-acquisition due diligence, they should be cleared.
Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Compliance for Business Ventures – Pre-acquisition Risk Assessment

One of the clearest themes from the original 2012 FCPA Resource Guide was the importance of your pre-acquisition work in any M&A on a target company. In the section on Declinations, the 2012 FCPA Resource Guide provided an example of a company that had received a declination in large part because of its pre-acquisition work, which then served as a basis for its post-acquisition remediation. I find it appropriate to think of the process as a straight line, directly from the pre-acquisition phase to closing and then to remediation, integration, and self-reporting in the post-acquisition phase. These same concepts were brought forward in the 2020 FCPA Resource Guide, 2nd edition.

It should all begin with a preliminary pre-acquisition assessment of risk. Such an early assessment will inform the transaction research and evaluation phases. This could include an objective view of the risks faced and the level of risk exposure, such as best/worst-case scenarios. A pre-acquisition risk assessment could also be used as a mechanism through which to view the feasibility of the business strategy and help to value the potential target.

The pre-acquisition risk assessment can be critical in any M&A work for compliance. Use this opportunity to see where the target might stand on compliance. Your risk assessment can evolve as you obtain greater information. Finally, use this pre-acquisition risk assessment as a base document to plan, resource, and budget for your post-acquisition remediation, integration, and reporting.

Three key takeaways: 

  1. You never have enough time to engage in all the pre-acquisition reviews you might want to do, so optimize your time and resources.
  2. Consider what you can review to put together a preliminary risk assessment on the target.
  3. As with most compliance initiatives, you are only limited by your imagination, so if you are limited in time and scope, try something new and different.
Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Compliance for Business Ventures – Auditing Joint Ventures

JVs provide many FCPA risks that other types of business relationships do not bring. For instance, the JV may interact with foreign government officials or employees of a state-owned enterprise, then leverage those relationships for an improper benefit relating to contracts, regulatory licenses, permits or customs approvals. It is difficult to regulate a JV’s interaction with foreign government officials when your partner is a state-owned enterprise, or where your company is relying on the local company for its local contacts and expertise for business development and/or regulatory knowledge and experience.

The risks are compounded when the U.S. company does not exercise control of the JV. This is further compounded by the fact that there is no minimum threshold for an FCPA enforcement action against a U.S. company for the actions of a JV in which it holds an interest. If a company holds something less than majority rights, it must urge, beg and plead for the majority partner to adhere to anti-corruption compliance standards and controls. Often, these requirements are established in the JV agreement, but the success in securing such contract protections depends on the importance of the global company to the JV itself.

Another set of issues comes from the JV when it seeks to retain third-party agents and/or distributors. Depending on the amount of control, the U.S. company usually can impose its set of standards for conducting due diligence of third-party agents and distributors. These risks become more difficult when the JV partner brings a proposed third-party agent or distributor and vouches for the agent or distributor. If the JV partner is a state-owned enterprise, the issues become even more complicated as such a referral creates an obvious red flag for a government-sponsored referral.

Three key takeaways: 

  1. JVs present unique FCPA risks and must be managed accordingly.
  2. Your final report needs to consider the final viewer of the document, potentially the DOJ or SEC.
  3. Be sure to follow up on any red flags raised but not cleared and action items for remediation or additional scrutiny.
Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Compliance for Business Ventures – Compliance Terms and Conditions for Joint Ventures

Numerous U.S. companies have come to FCPA grief for their overseas JVs, which continues to be a bane for many companies under the FCPA. Some basic compliance terms and conditions should be considered for any foreign JV agreement to help U.S. companies manage these compliance risks.

As a starting point, it is important to have compliance terms and conditions, for reasons that can include some of the following: 1) to set expectations between the parties; 2) to demonstrate the seriousness of the issue to the non-U.S. party; and 3) to provide a financial incentive to do business in a compliant manner.

This all must be spelled out for them, so you should have language regarding the following:

  • Prohibition of all forms of bribery and corruption. 
  • Right to cancel and recoupment rights.
  • Duties in JV Governance.
  • Audit rights.
  • Prohibited Parties.
  • Certifications.

After the contract is signed, your company will have to work just as hard to keep the compliance program for any JV robust and meaningful. However, with these terms and conditions in place, you can maintain your FCPA obligations and manage the risk involved when working jointly with non-U.S. companies.

Three key takeaways: 

  1. Failure to secure appropriate compliance terms and conditions in a JV agreement can cause great FCPA risk for a U.S. company.
  2. Certifications are important requirements to obtain.
  3. Audit rights must be secured and, equally importantly, exercised.
Categories
31 Days to More Effective Compliance Programs

Day 30 – What is a Root Cause Analysis?

One of the most significant changes in the 2020 FCPA Resource Guide, 2nd edition, was the addition of a new Hallmark entitled “Investigation, Analysis, and Remediation of Misconduct,” which reads in full:

The truest measure of an effective compliance program is how it responds to misconduct. Accordingly, for a compliance program to be truly effective, it should have a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents. An effective investigations structure will also have an established means of documenting the company’s response, including any disciplinary or remediation measures taken.

In addition to having a mechanism for responding to the specific incident of misconduct, the company’s program should also integrate lessons learned from any misconduct into the company’s policies, training, and controls. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches.

Ultimately, performing a root cause analysis is not simply sitting down and asking many questions. You need an operational understanding of how a business operates and how it has developed its customer base. Overlay the need to understand what makes an effective compliance program with the skepticism an auditor should bring so that you do not simply accept an answer provided to you, as you might in an internal investigation. Marks noted that “a root cause analysis is not something where you can ask the five whys. You need these trained professionals who understand what they’re doing.”

Three key takeaways:

  1. A root cause analysis is required if you have a reportable compliance failure.
  2. There is no one process for performing a root cause analysis. You should select the one which works for you and follow it.
  3. To properly perform a root cause analysis, you need trained professionals who understand what they’re doing.
Categories
Blog

Incentives in Compliance: Part 1 – Financial Incentives

One of the areas that many companies have not paid as much attention to in their compliance programs is compensation and incentives. However, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have long made clear that they view monetary structure for compensation, rewarding those employees who do business in compliance with their employer’s compliance program, as one of the ways to reinforce the compliance program and the message of compliance.

This was made clear once again in the Monaco Memo which stated, “Corporations can help to deter criminal activity if they reward compliant behavior and penalize individuals who engage in misconduct. Compensation systems that clearly and effectively impose financial penalties for misconduct can incentivize compliant conduct, deter risky behavior, and instill a corporate culture in which employees follow the law and avoid legal ‘gray areas.’”

Moreover, the Monaco Memo tied compensation to a company’s culture of compliance. It stated, “Similarly, corporations can promote an ethical corporate culture by rewarding those executives and employees who promote compliance within the organization. Prosecutors should therefore also consider whether a corporation’s compensation systems provide affirmative incentives for compliance-promoting behavior. Affirmative incentives include, for example, the use of compliance metrics and benchmarks in compensation calculations and the use of performance reviews that measure and reward compliance-promoting behavior, both as to the employee and any subordinates whom they supervise. When effectively implemented, such provisions incentivize executives and employees to engage in and promote compliant behavior and emphasize the corporation’s commitment to its compliance programs and its culture.”

Yet compensation incentives have long been seen as a key element of any best practices compliance program. As far back as 2004, then SEC Director of Enforcement Stephen M. Cutler noted that integrity, ethics and compliance needed to be part of promotion, compensation and evaluation processes: “At the end of the day, the most effective way to communicate that ‘doing the right thing’ is a priority, is to reward it.”

The 2020 FCPA Guidance, 2nd edition, stated the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership.” The Monaco Memo takes it a step further by asking more broadly whether your company has “incentivized employee behavior as part of its efforts to create a culture of ethics and compliance within its organization.”

The 2020 Update, in the section entitled “Incentives and Disciplinary Measures”, provided some key questions for a company to ask about its incentive system:

Incentive System—Has the company considered the implications of its incentives and rewards on compliance? How does the company incentivize compliance and ethical behavior? Have there been specific examples of actions taken (e.g., promotions or awards denied) as a result of compliance and ethics considerations? Who determines the compensation, including bonuses, as well as discipline and promotion of compliance personnel?

The first question posed in the 2020 Update requires you to start with a basic question: what does your employee compensation consist of? Is it a straight salary? Is it variable? If so, what does the variable component consist of? Is it a discretionary bonus based upon the overall success of the entire business enterprise or some small subset, such as a business unit or geographic region? Is it solely personal? Or is it some combination of all of the above?

Under the second question, you need to demonstrate that you have thought through this issue. The DOJ does not mandate one solution or formula, only that it be well considered. And, of course, the approach you come up with must be documented. A good starting place is Marc Roberge’s 2015 Harvard Business Review (HBR) article, entitled “The Right Way to Use Compensation,” which discusses the design and redesign of an employee’s compensation system to help drive certain behaviors. The article’s subtitle, “To shift strategy, change how you pay your team”, echoed Cutler’s message from 2004. The article lays out a framework for a Chief Compliance Officer (CCO) or compliance practitioner to operationalize compensation as a mechanism in a best practices compliance program.

As your compliance program matures and your strategy shifts, “it’s critical that the employees who bring in the revenue—the sales force—understand and behave in ways that support the new strategy. The sales compensation system can help ventures achieve that compliance.” The prescription for you as the compliance practitioner is to revise the incentive system to focus employees on the goals of your compliance program. This may mean that you need to change the incentives as the compliance program matures, from installing the building blocks of compliance to integrating anti-corruption compliance within the DNA of your company.

There are three key questions you should ask yourself in modifying your compensation structure. First, is the change simple? Second, is the change aligned with your company values? Third, is the effect on behavior immediate due to the change?

Simplicity. Keep the compensation plan simple when designing your program. The simplest way to incentivize employees is to create metrics that they readily understand and are achievable in the context of the compliance program.

Alignment. You need to state the most important compliance goal your entity needs to achieve. From there you should determine how your compensation program can be aligned with that goal. The beauty of this alignment is that it works with your sales force throughout the entire sales cycle, whether employee-based or through third parties such as agents, representatives, channel ops partners or distributors.

Immediacy. It is important that such structures be put in place “immediately” but in a way that incentivizes employees. As a part of immediacy, there must be sufficient communication with your employees. In the world of employee compensation incentives, there should be transparency as to the expectations.

Under the third question from the 2020 Update, you need to have documented examples where additional compensation or promotions were made to employees who did business ethically and in alignment with the corporate compliance program. The fourth question goes in a different direction by asking who in the organization is evaluating and then setting the compensation of the CCO and compliance personnel?

Obviously, the power of a compensation plan is to motivate employees to not only sell more but to act in ways that support your company’s business model and overall culture and values. For the compliance practitioner, one of the biggest reasons is to first change a company’s culture to make compliance more important, and then integrate it into the DNA of your organization. But you must be able to evolve in your thinking and professionalism to recognize the opportunities to change and then adapt your incentive program to make the doing of compliance part of your company’s everyday business process. The Monaco Memo makes it clear that the bottom line is the “use of financial incentives to align the interests of the C-suite with the interests of the compliance department can greatly amplify a corporation’s overall level of compliance.”

Categories
Greetings and Felicitations

Great Structures Week I: Vitruvius, the Brooklyn Bridge and Compliance

Welcome to Greetings and Felicitations, a podcast where I explore topics that might not seem directly related to compliance but influence our profession. In this special series, I consider how many structural engineering concepts are apt descriptors for an anti-corruption compliance program. In Episode 1, I consider the Roman architect Vitruvius and what makes a structure great. Highlights include:

  • The Vitruvius Triad.
  • Compliance Program formulations.
  • What are form, function, and structure?
  • Continuous risk and continuous risk management.
  • Risk assessments after Covid-19.

Resources

“Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity,” taught by Professor Stephen Ressler from The Teaching Company.

Categories
FCPA Compliance Report

Mike DeBernardis on 2020 Update to the Evaluation of Corporate Compliance Programs and FCPA Resource Guide, 2nd edition


In this episode, I am joined by Mike DeBernardis, Counsel at Hughes Hubbard, in the firm’s Washington office and a member of the firm’s Anti-Corruption and Internal Investigations and White Collar & Regulatory Defense practice groups. He represents corporate and individual clients in criminal, civil and administrative enforcement matters, including matters involving the Foreign Corrupt Practices Act and securities and accounting fraud. In this episode we take a deep dive into the DOJ’s 2020 Update to the Evaluation of Corporate Compliance Programs and DOJ and SEC FCPA Resource Guide, 2nd edition.

Some of the highlights include:

  1. What were the top changes DeBernardis observed in the 2020 Update to the Evaluation of Corporate Compliance Programs?
  2. What were the top changes for you in the FCPA Resource Guide, 2nd edition?
  3. How should one read the Resource Guide, 2nd edition, with the 2020 Update? In conjunction, separately or in some other way?
  4. Is there any significance to the two documents being released so close together in time?
  5. Should you advise clients to do anything different because of these documents?
Categories
Why a Duck

FCPA Resource Guide, 2nd Edition


From Vaudeville to the Silver Screen to the Small Screen, the Marx Brothers made an impact wherever people found them. Now Tom Fox and Mike Volkov have wedded their love of the Marx Brothers with their passion for compliance and bring them into the boardroom to help explain and explore the sometimes-chaotic world of governance, risk-management, ethics and compliance. In this episode Volkov and Fox consider the recently released FCPA Resource Guide, 2nd edition. Highlights from the podcast include:
  1. Is the 2nd edition an update or replacement?
  2. Why was it released now?
  3. What takes precedence: the 2nd Edition or the Evaluation of Corporate Compliance Programs?
  4. What is new in the 2nd Edition?
  5. What are the significant changes from the original FCPA Resource Guide?
  6. The FCPA Resource Guide is the best single volume on all things FCPA. It is a must-have for every compliance professional.
Resources
Mike Volkov
Part 1-Introduction
Part 2-New Case Updates
Part 3-Updated DOJ Policies
Part 4-Legal Issues and Clarifications
Part 5-Effective Compliance Programs and Internal Controls
Tom Fox
Part 1-The New Hallmark
Part 2-FCPA Corporate Enforcement Policy
Part 3-the Accounting Provisions
Part 4-DOJ Policy and Case Law Updates
Part 5-Final Thoughts

Categories
This Week in FCPA

Episode 213 – the Second Edition edition


The DOJ/SEC dropped the 2nd edition of the FCPA Resource Guide at 5 PM on July 2. As Tom and Jay brave the surge in Covid cases to stay safe, they are back to look at top compliance articles and stories which caught their eye this week.

  1. FCPA Resource Guide, 2nd edition released. Tom takes a deep dive in a 5-part blog post series on the FCPA Compliance and Ethics Blog. Part 1-The New Hallmark, Part 2-FCPA Corporate Enforcement Policy, Part 3-the Accounting Provisions, Part 4-Policy and Case Law Updates, Part 5-What does it all mean? Jonathan Marks on Board and Fraud. Tom and Matt Kelly in Compliance into the Weeds.
  2. After its FCPA settlement, Novartis pays another $678MM for corruption inside the US. Mike Volkov in Corruption Crime and Compliance.
  3. A plan to restore trust in South Africa ABC enforcement. Larry Kirsch guest posts in GAB.
  4. A reassessment of due diligence in China? Jenny Liang opines in the FCPA Blog.
  5. Venezuela can’t get its gold out of England. Jon Rusch in Dipping Through Geometries.
  6. Amazon settles OFAC sanctions enforcement action. Mengqi Sun in the WSJ Risk and Compliance Journal.
  7. How can you make a risk management committee effective? Jim DeLoach shows the way in CCI.
  8. Is Deutsche Bank the world’s most corrupt? Matt Kelly digs in on Radical Compliance.
  9. Going from disaster recovery to business continuity? Carrie Penman in Ethics and Compliance Matters.
  10. On Compliance and Coronavirus, I was joined this week by Paul Mueller on how to reset, restart and accelerate your business in the era of Coronavirus; Ian Denis on employment and communication during Covid-19 and Breeda Miller on caregiving in the era of Covid-19.
  11. On the Compliance Podcast Network, Tom started the topic of 3rd party risk management this month. This week saw the following offerings: Monday-Questionnaire; Tuesday-Due Diligence; Wednesday-levels of DD; Thursday-evaluating DD and clearing red flags; and Friday-compliance terms and conditions. The month of July is being sponsored by Affiliated Monitors. Note 31 Days to a More Effective Compliance Program now has its own iTunes channel. If you want to binge out and listen to only these episodes, click here.
  12. Great Upcoming Webinars:

Navigating the Risks of Prescribing Opioids for Chronic Pain in the COVID-19 Era, Jul 22, 2020 12:00 PM in Eastern Time (US and Canada); with Jesse Caplan, Deb Waugh and Amy Fogelman, M.D. Registration and Information here.
Computer Say ‘No’: Mitigating Legal & Ethical Risks in Public Agency Use of Automated Decision-Making Tools, Jul 28, 2020 12:00 PM in Eastern Time (US and Canada); with David Shonka, Mikhail Reider-Gordon and Jonathan Redgrave. Registration and Information here.
ECI’s Best Practice Forum, a Q&A Session with Brian Rabbitt, Acting Assistant Attorney General for the Criminal Division on the FCPA Resource Guide, 2nd edition, Thursday, July 30 2:00 – 4:00 p.m. EDT. Registration and Information here.
Tom Fox is the Compliance Evangelist and can be reached at tfox@tfoxlaw.com. Jay Rosen is Mr. Monitor and can be reached at jrosen@affiliatedmonitors.com.