Categories
Greetings and Felicitations

Great Structures Week II: Structures from Ancient Egypt and Greece and Written Standards

Welcome to Greetings and Felicitations, a podcast where I explore topics which might not seem to be directly related to compliance but clearly influence our profession. In this special series, I consider how many structural engineering concepts are apt descriptors for an anti-corruption compliance program. In episode 2, I consider the great structures of ancient Egypt and Greece and how they inform the building blocks of a compliance program: Code of Conduct, Policies and Procedures. Highlights include:

  • Greek Column and Egyptian pyramid.
  • What should go into your Code of Conduct.
  • How should your policies be structured.
  • How to implement policies through procedures.
  • Training and communications of Code of Conduct/policies and procedures are mandatory yet complementary strategies.

Resources

 “Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, taught by Professor Stephen Ressler from The Teaching Company.

Categories
Blog

Great Structures Week II – Structures from Ancient Egypt and Greece and Written Standards

I continue my Great Structures Week with a focus on great structures from the earliest times, ancient Egypt and Greece. I am drawing these posts from The Teaching Company course, entitled “Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, taught by Professor Stephen Ressler. From Egypt there are of course the Pyramids, of which Ressler says, “They’re important, not just because they’re great structures, but also because they represent some of the earliest human achievements that can legitimately be called engineering. The Great Pyramid of Giza stands today as a testament to the strength and durability of Egyptian structural engineering skills.”

From Greece we derive what Vitruvius called the “Empirical Rules for Temple Design” which define a “single dimensional module equal to the radius of a column in the temple portico, then specify all other dimensions of the building in terms of that module.” These rules are best seen in Greek temples, largely consisting of columns, which are defined as “a structural element that carries load primarily in compression” and beams, which are “structural elements subject to transverse loading and carry load in bending.” My favorite example of the use of columns is seen in the Parthenon, the most famous of all Greek temples still standing.

In many ways these two very different structures stand as the basis of all structural engineering and Great Structures that come later throughout history. For any anti-corruption compliance regime based on the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-bribery statutes, the same is true for a Code of Conduct and written policies and procedures. They are both the building blocks of everything that comes thereafter.

In an article, Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz stated that a company’s Code of Conduct “should demonstrate a complete ethical attitude and your organization’s ‘system-wide’ emphasis on compliance and ethics with all applicable laws and regulations.” Your Code of Conduct must be aimed at all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.” This would also include all “management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.”

There are several purposes identified by the authors that should be communicated in your Code of Conduct. Of course the overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating what is required of them, to provide a process for proper decision-making and then to require that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. To that end, I suggest that your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of discipline, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

The written policies and procedures required for a best practices compliance program are well known and long established. As stated in the FCPA Resource Guide 2nd edition, “Among the risks that a company may need to address include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.” Policies help form the basis of expectation and conduct in your company and Procedures are the documents that implement these standards of conduct.

Another way to think of policies, procedures and controls was stated by Aaron Murphy, in his book “Foreign Corrupt Practices Act”, when he said that you should think of all three as “an interrelated set of compliance mechanisms.” Murphy went on to say that, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.”

Borrowing from an article in the Houston Business Journal, entitled “Company policies are source and structure of stability”, I found some interesting and important insights into the role of policies in any anti-corruption compliance program. Allen says that the role of policies is “to protect companies, their employees and consumers, and despite an occasional opposite outcome, that is typically what they do. A company’s policies provide a basic set of guidelines for their employees to follow. They can include general dos and don’ts or more specific safety procedures, work process flows, communication guidelines or dress codes. By establishing what is and isn’t acceptable workplace behavior, a company helps mitigate the risks posed by employees who, if left unchecked, might behave badly or make foolhardy decisions.”

Allen notes that policies “are not a surefire guarantee that things won’t go wrong, they are the first line of defense if things do.” The effective implementation and enforcement of policies demonstrate to regulators and the government that a “company is operating professionally and proactively for the benefit of its stakeholders, its employees and the community it serves.” If it is a company subject to the FCPA, by definition it is an international company so that can be quite a wide community.

Allen believes that there are five key elements to any “well-constructed policy”. They are:

  • identify to whom the policy applies;
  • establish the objective of the policy;
  • explain why the policy is necessary;
  • outline examples of acceptable and unacceptable behavior under the policy; and
  • warn of the consequences if an employee fails to comply with the policy.

Allen notes that for policies to be effective there must be communication. He believes that training is only one type of communication. I think that this is a key element for compliance practitioners because if you have a 30,000+ worldwide work force, the logistics alone of such training can appear daunting. Consider gathering small groups of employees, where detailed questions about policies can be raised and discussed, as a powerful teaching tool. Allen even suggests posting Frequently Asked Questions (FAQs) in common areas as another technique.

The FCPA Resource Guide 2nd edition ends its section on policies with the following, “Regardless of the specific policies and procedures implemented, these standards should apply to personnel at all levels of the company.” Allen puts it a bit differently in that “it is important that policies are applied fairly and consistently across the organization.” He notes that the issue can be that “If policies are applied inconsistently, there is a greater chance that an employee dismissed for breaching a policy could successfully claim he or she was unfairly terminated.” This last point cannot be over-emphasized. If an employee is going to be terminated for fudging their expense accounts in Brazil, you had best make sure that same conduct lands your top producer in the US with the same quality of discipline.

Join us tomorrow where we look at the Roman Arch and resourcing your compliance program.

Categories
Blog

Use Your Eyes in Compliance

One thing compliance professionals are rarely trained to do is trust their eyes. This may be because it seems too obvious. After all, the well-known Howard Sklar maxim of “Water is Wet” is largely based on the fact that if something is so obvious you may not need to train on it. Yet two recent events make clear we all need to ‘trust our eyes’ in a variety of settings. The first is in the National Football League (NFL) and it involves Miami Dolphins quarterback Tua Tagovailoa. Three weeks ago, he was tackled, thrown to the ground and his head snapped against the turf. This is clearly a sign a concussion may be coming. After Tua got up, he stumbled and fell and then had to be helped up by a teammate and off the field.

I say all of this with absolute certainty as I was watching the game, Dolphins v. Bills, and saw it along with some 70,000 in the stadium and millions on television. Unfortunately, those who did not see these actions of Tua after the hit were the Dolphins medical staff who, rather amazingly (or perhaps not), cleared him under the NFL Concussion Protocol and sent him back to play in the second half of the game. Again, finding he was fine under the concussion protocol, he was allowed to play. The Dolphins claimed that he had sustained a “back injury” and that was why he stumbled and fell, not motor impairment. The next week, Tua took another shot to his head and this time he did not get up, stumble and fall. He did not get up at all. According to the New York Times (NYT), he left the field on a stretcher and was taken immediately to a local hospital.

It was clear to anyone who saw the first concussion that it was just that, a concussion. However, “because of the incident, the league and union said they were considering changing the protocols, which currently allow a player with ‘gross motor instability’ to return to the game if doctors decide there is an orthopedic reason for his unsteadiness.” Some doctor said the instability was due to Tua’s bad back and that was good enough. The NYT went on to further note, “The expected change will be to instead establish ataxia, a term describing impaired balance or coordination caused by damage to the brain or nerves, as a sign that automatically disqualifies a player from returning to the game.”

All of this informs compliance programs and compliance professionals, as sometimes actions simply do not pass the eye test. I thought of this in the context of the recent Oracle Corporation Foreign Corrupt Practices Act (FCPA) enforcement action. In this Oracle matter, the bribery schemes involved distributors, which were used not only as conduits to pay bribes, but as the mechanism to create a pot of money to pay bribes. The Oracle compliance program allowed sales employees at the subsidiaries to request monies meant to reimburse distributors for certain marketing expenses associated with selling Oracle products. There was a multi-pronged approval process in place. For marketing reimbursements “under $5,000, first-level supervisors at the Subsidiaries could approve the purchase order requests without any corroborating documentation indicating that the marketing activity actually took place.” Above this $5,000 threshold, additional approvals were required with additional requirements for business justification and documentation.

You can no doubt see where this is going, as this internal control gap allowed for abuse. Indeed, the Order stated, “Oracle Turkey sales employees opened purchase orders totaling approximately $115,200 to [distributors] in 2018 that were ostensibly for marketing purposes and were individually under this $5,000 threshold.” That is at least 23 different expense requests to reimburse for marketing made under the threshold. Of course, there were no marketing efforts by the distributors and no follow-up audits, inspections or even questions to confirm that the marketing expenses had actually occurred. The entire business unit was in on the fraud, and it stole money from the corporate office to fund its slush fund to pay bribes.

Clearly compliance was not using its eyes, for if it had, it would have seen that there was a large number of marketing reimbursement requests at or below the threshold which required additional oversight and approval. Using your eyes does not mean that it is simply your eyes which catch nefarious conduct; it means that you use your eyes and if something unusual occurs then additional investigation is warranted.

All of this brings us to the second lesson from the NFL’s sordid tale involving Tua Tagovailoa, which is: if the protocol does not work, change the protocol. Renee Miller, writing in The Athletic, said the purpose of the onsite concussion “exam is to determine if any symptoms are apparent in a neurological exam (looking at reflexes, cranial nerve function and limited cognitive skills), and if so, whether they arise from a neurological origin.” It does not take into account what we all saw with our eyes: the stumbling, Tua grabbing his helmet and inability to focus. The NFL will now make a change to consider the other factors Tua exhibited. In other words, they changed the protocol to require and allow for additional information about the injured player in making a determination of that player’s returning to the game.

In the case of Oracle, there was a high risk of business unit employees using the marketing reimbursement requests to create a pot of money to pay bribes. We know this because this same bribery scheme was used by Oracle India to pay bribes and do business corruptly, all of which was the subject of a prior FCPA enforcement action. Pretty clearly, allowing business unit employees to obtain marketing reimbursements was something that would lead to disaster, which it did, just as the Dolphins allowing Tua to come back into the second half of the Bills game where he sustained his first concussion was disastrous for Tua, as he was much more seriously injured just the next week.

In compliance never forget to ‘use your eyes’ in testing your compliance program. If something does not look right, do additional investigation. If you do not do so, you may end up like Oracle, now one of 15 FCPA recidivists, a list no company wants to be on.

Categories
Compliance Into the Weeds

The Oracle FCPA Enforcement Action

Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. In this episode, we look at the recently announced SEC Foreign Corrupt Practices Act enforcement action involving Oracle. Highlights include:

  1. Recidivist behavior in some countries with similar schemes.
  2. Policy, procedure, and internal controls failures.
  3. Why no monitor.
  4. Compliance programs lessons learned.
  5. What about the DOJ?

 Resources

Matt in Radical Compliance

Tom in the FCPA Compliance and Ethics Blog

  1. Background
  2. The Schemes in Action
  3. Parking in India
  4. The Comeback and DOJ
  5. What it all means
Categories
Compliance Into the Weeds

Compliance Lessons from the Army

Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. In this episode, we take a deep dive into the recently released GAO report on failures in the US Army SHARP program, largely around policies and procedures, with a dash of culture thrown in. Highlights include:

  • Why has SHARP failed?
  • What is the role of policies and procedures in compliance? What about culture?
  • How can you assess your own internal training and communications?
  • What are the 3 questions every compliance professional should ask?
  • What are the lessons for the civilian compliance world?
  • Where does the Army go from here?

Resources

Matt in Radical Compliance

Categories
Blog

ESG and Compliance: Policies and Procedures

This week I will be considering the role compliance and a Chief Compliance Officer (CCO) should play in a corporate Environmental, Sustainable and Governance (ESG) program. Over this series, I will explore how the StoneTurn Group, LLP (StoneTurn) ESG Framework provides a structure through which any compliance professional can create an organization necessary for an ESG program. Today we take up ESG policies and procedures.
There are numerous reasons to put some serious work into your ESG policies and procedures. They are certainly a first line of defense when stakeholders come knocking. Having ESG policies and procedures that outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies are critical for public companies under ESG regulatory scrutiny. The Securities and Exchange Commission (SEC) and other regulators will take a strong view against a company that does not have well thought out and articulated ESG policies and procedures; all of which are systematically reviewed and updated. Moreover, having policies written out and signed by employees provides what some consider the most vital layer of communication and acts as an internal control. Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the “Document, Document, and Document” mantra applies just as strongly to this area of anti-corruption compliance.
Additionally, a company’s ESG policies provide a basic set of guidelines for employees and others to follow. ESG policies should give general prescriptions and should be supplemented by more specific procedures. By establishing what is and what is not acceptable behavior, a company helps mitigate the risks posed by employees who might not always make the right ESG choices.
Bryan J. Sillaman and Alexandra Poe, Hughes Hubbard & Reed LLP, in an article entitled “Five Steps to Establishing a Corporate ESG Policy for the Present Moment”, suggested that an organization should focus on ESG policies and procedures that are “applicable generally with respect to your industry and then with greater specificity to the conditions, operations and geographic footprint of your particular company.” In the area of Environmental, that could mean your organization’s “contribution to climate change, including energy use (such as its carbon footprint and use of clean energy), waste management, pollution, resource conservation, impact to habitats and environmental remediation.” From there you could consider if your organization has opportunities to promote positive change, in reducing “energy loads, expanding organic food production, or adopting technologies that repair environmental damage.” Moreover, with the passage of the Germany Supply Chain Act and other legislation such as the UK Anti-Slavery Act, both regulators and investors “want to see companies consider their own operations and impacts arising from your supply chain.”
In the prong of Sustainability, what are your policies and procedures around conduct that affects your organization’s relationship with human communities, from employees to customers and local communities where the company operates? Obviously, social justice is a key component, but it quickly expands out to working conditions, whether a state will provide basic social and healthcare services and employee health and safety. From there it can include such disparate topics as “childcare, education, equal opportunity, pay equity, financial inclusion, job creation and social justice. Companies that make products that have the potential to harm people, like guns, toxic materials, alcohol and other addictive substances, have special considerations in this regard.” But all companies must justify having physical operations in geographic locations which will not protect employees from mass shootings or even pandemic related threats such as Covid-19 to the Delta Variant.
In the area of Governance, compliance continues to play a key role. Here consider your organization’s policies and procedures “relating to regulatory compliance and the conduct of officers and directors and the expectations of integrity set at the top of the organization.” The concerns are as varied as ranging from “accurate and transparent financial reporting, to executive compensation practices, diversity and inclusion, and avoidance of conflicts of interest, sexual harassment and corrupt practices.” Governance policies and procedures should also evaluate the “composition of a board of directors or executive teams, to assess whether representatives to those bodies are well suited to address concerns of all stakeholders and potential ESG risks.”
Cowen Inc. incorporated all of these concepts into its corporate ESG Statement. In the area of Environmental, Cowen states:
Cowen recognizes that the world faces environmental challenges and is committed to promoting a healthy environment. As an organization that engages in the global financial markets, we believe that our business can and should do things to promote a positive influence in matters that improve the world.
In the area of Sustainability, Cowen states:
At Cowen, we pride ourselves in the long-standing culture of respect and empathy for our employees and the community at-large. 
We employ a fair pay practice which ensures that Cowen’s pay practice is competitive with the market for the same or similar jobs, qualifications and experience. 
We believe that diversity and inclusion strategies are the catalyst for success and innovation in the workplace. We believe that differing opinions and lived experiences are valuable and serve to support our business overall. 
Wellness, both physical and financial, is the cornerstone of our employee benefit programs. Our… programs, such as emergency back-up elder/child care, subsidized health club membership and flexible work arrangements, help employees balance work, life and family matters more effectively. 
We also work to create partnerships with vendors that share a commitment to sustainability. Vendors engaged in providing products and services to Cowen are expected to act in a manner that is consistent with our Code of Business Conduct and Ethics. During vendor evaluations, Cowen takes the appropriate steps to ensure ethical business practices, labor and human rights, vendor diversification and inclusion, environmental stewardship, management systems and governance are considered. 
We intend to further improve our social impact across our organization and within the greater community. 
In the area of Governance, Cowen states:
Strong governance, ethical business practices and prudent risk management are critical ingredients to Cowen’s achievement of its goal for long-term value creation for shareholders and driving sustainability.
 Corporate governance guidelines assist the Board in the exercise of its responsibilities and to promote the effective functioning of the Board and its committees. The Board’s goal is to oversee and direct management in building long-term value for the Company’s stockholders. In addition, the Board’s goal is to assure the strength, integrity and vitality of the Company for its customers, clients, employees and the communities in which it operates. 
Cowen’s Code of Business Conduct and Ethics, which applies to all officers, employees and members of the Board, serves as the foundation for high standards of integrity and ethics, the deterrence of wrongdoing and the promotion of compliance with applicable regulations.
The Board and executive management are ultimately responsible for the review and oversight of risk at Cowen. They are supported by a risk management framework which includes committees, departments and systems which monitor, manage and report on market, liquidity and operational risk.
 As we expand our ESG initiative, we will seek ways to further optimize our governance process.
Clearly a compliance function has a large role in filling out the policies and procedures to implement these statements.

Categories
31 Days to More Effective Compliance Programs

Day 7 | Policies and Procedures


There are numerous reasons to put some serious work into your compliance policies and procedures. They are certainly a first line of defense when the government comes knocking. The 2020 Update made clear that “Any well-designed compliance program entails policies and procedures that give both content and effect to ethical norms and that address and aim to reduce risks identified by the company as part of its risk assessment process.” This statement made clear that the regulators will take a strong view against a company that does not have well thought out and articulated policies and procedures against bribery and corruption; all of which are systematically reviewed and updated. Moreover, having policies written out and signed by employees provides what some consider the most vital layer of communication and acts as an internal control. Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the “Document, Document, and Document” mantra applies just as strongly to policies and procedures in anti-corruption compliance.
The specific written policies and procedures required for a best practices compliance program are well known and long established. According to the 2020 FCPA Resource Guide, some of the risks companies should keep in mind include the nature and extent of transactions with foreign governments (including payments to foreign officials); use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments. Policies help form the basis of expectations for standards of conduct in your company. Procedures are the documents that implement these standards of conduct.
The 2020 FCPA Resource Guide ends its section on policies with the following, “Regardless of the specific policies and procedures implemented, these standards should apply to personnel at all levels of the company.” It is important that compliance policies and procedures are applied fairly and consistently across the organization. Institutional fairness demands that if compliance policies and procedures are not applied consistently, there is a greater chance that an employee dismissed for breaching a policy could successfully claim he or she was unfairly terminated. Moreover, inconsistent application of your policies and procedures will destroy the credibility of your compliance program. This last point cannot be over-emphasized. If an employee is going to be terminated for fudging their expense accounts in Brazil, you had best make sure that same conduct lands your top producer in the U.S. with the same quality of discipline.
Three key takeaways:

  1. Written compliance policies and procedures, together with the Code of Conduct, form the backbone of your compliance program.
  2. The DOJ and SEC expect a well-thought out and articulated set of compliance policies and procedures and that they be adequately communicated throughout your organization.
  3. Institutional fairness for the application of policies and procedures demands consistent application across the globe.
Categories
31 Days to More Effective Compliance Programs

Policies and procedures


There are numerous reasons to put some serious work into your policies and procedures. They are certainly a first line of defense when the government comes knocking. The 2012 FCPA Guidance made clear that “Whether a company has policies and procedures that outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures will also be considered by DOJ and SEC.” And by using the word “considered” it is clear that this means the regulators will take a strong view against a company that does not have well thought out and articulated policies and procedures; all of which are systematically reviewed and updated. Moreover, having policies written out and signed by employees provides what some consider the most vital layer of communication and acts as an internal control. Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the “Document, Document, and Document” mantra applies just as strongly to this area of anti-corruption compliance.
The specific written policies and procedures required for a best practices compliance program are well known and long established. The 2012 FCPA Guidance stated, “Among the risks that a company may need to address include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.” Policies help form the basis of expectation and conduct in your company. Procedures are the documents that implement these standards of conduct.
Three key takeaways:

  1. The Code of Conduct, together with written compliance policies and procedures, forms the backbone of your compliance program.
  2. The DOJ and SEC expect a well-thought out and articulated set of compliance policies and procedures.
  3. The Fair Process Doctrine holds for the application of policies and procedures.
Categories
31 Days to More Effective Compliance Programs

Day 7 | Policies and Procedures

There are numerous reasons to put some serious work into your compliance policies and procedures. They are certainly a first line of defense when the government comes knocking. The Evaluation of Corporate Compliance Programs – Guidance Document (2019 Guidance) made clear that “Any well-designed compliance program entails policies and procedures that give both content and effect to ethical norms and that address and aim to reduce risks identified by the company as part of its risk assessment process.” This statement made clear that the regulators will take a strong view against a company that does not have well thought out and articulated policies and procedures against bribery and corruption; all of which are systematically reviewed and updated. Moreover, having policies written out and signed by employees provides what some consider the most vital layer of communication and acts as an internal control. Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the “Document, Document, and Document” mantra applies just as strongly to policies and procedures in anti-corruption compliance.

The specific written policies and procedures required for a best practices compliance program are well known and long established. According to the 2012 FCPA Guidance, some of the risks companies should keep in mind include the nature and extent of transactions with foreign governments (including payments to foreign officials); use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments. Policies help form the basis of expectations for standards of conduct in your company. Procedures are the documents that implement these standards of conduct.
Compliance policies do not guarantee employees will always make the right decision. However, the effective implementation and enforcement of compliance policies demonstrate to the government that a company is operating professionally and ethically for the benefit of its stakeholders, its employees and the community it serves.
Three key takeaways:

  1. Written compliance policies and procedures, together with the Code of Conduct, form the backbone of your compliance program.
  2. The DOJ and SEC expect a well-thought out and articulated set of compliance policies and procedures and that they be adequately communicated throughout your organization.
  3. Institutional fairness for the application of policies and procedures demands consistent application across the globe.