Over the past few blog posts, I have been considering the recent settlement by the Department of Justice (DOJ) with The Boeing Company (Boeing) around its fraud in the certification of its 737 MAX aircraft. The resolution was via a Deferred Prosecution Agreement (DPA). Under the DPA, Boeing agreed to pay a total amount of $2.5 billion. According to a DOJ Press Release, this total amount consisted of “a criminal monetary penalty of $243.6 million, compensation payments to Boeing’s 737 MAX airline customers of $1.77 billion, and the establishment of a $500 million crash-victim beneficiaries fund to compensate the heirs, relatives, and legal beneficiaries of the 346 passengers who died in the Boeing 737 MAX crashes of Lion Air Flight 610 and Ethiopian Airlines Flight 302.” This enforcement involved a fraud by Boeing on the US government.

Although the matter was based upon fraud against the US government, largely around Boeing employees misrepresenting facts to the Federal Aviation Administration (FAA), there are some valuable lessons for every compliance professional. First, about fraud risk management. Never forget that corruption is a subset of fraud. Indeed, the ACFE 2020 Report to the Nations reported that corruption was the most common fraud scheme in every region across the globe. Having a strong fraud risk management program is not simply a “nice to have” but is a must in today’s world.

Snežana Gebauer, Executive Managing Director and head of Investigations and Risk Advisory for the Americas, K2 Integrity, has noted that fraud around COVID relief is the investigation and prosecution priorities for the DOJ in 2021. You should also remember that there will be many willing whistleblowers for False Claims Act litigation in the hospital and medical care space concerning government distributions from the Pandemic and related issues. Finally, Gebauer  also believes that there will an increased focus on financial and corporate fraud by the Securities and Exchange Commission (SEC) as a by-product of the economic downturn caused by the pandemic.

Another key lesson learned is about the structures within your organization. For Boeing it was having engineers report to the business unit they worked in. At Boeing this had the effect of putting product safety far down the list below generating profits. Boeing centralized product safety by pulling it from the business units and centralizing it into a separate corporate function. This is also a best practice for a corporate compliance function. It must be independent from reporting to or even being influenced by the business unit in performing its job. Simply put, if the business unit has authority over compliance, compliance will not be able to do its job. This same reorganization was made for Boeing’s engineering function.

Once again Boeing reminds all compliance practitioners about the need for the critical risks of the company to have Board of Director oversight and participation in that risk management function. For the compliance function, this means having a Board of Director’s committee, dedicated to compliance. Just as Blue Bell ice cream learned, you have to actually manage risk at the Board level. The days of compliance being shunted to some small part of the Audit Committee’s remit are far behind us. Companies must commit to managing their compliance risk and that means at the Board level.

Another lesson learned was, once again, no matter how egregious the conduct which led to the violation, either fraud or corruption, if a company turns it around, cooperates and extensively remediates it will (not can) receive a reduction in the overall fine and penalty under the DOJ Corporate Enforcement Policy. Recall that the then Chief Executive Officer (CEO) of Boeing personally called President Trump and asked him to intercede with the FAA to prevent the federal agency from grounding the 737 MAX planes. This was after EU regulators had grounded the planes and well after the CEO had known about the failures in the 737 MAX and the system failures which led to the two airplane crashes. As the DPA somewhat dryly noted, “Boeing also made significant changes to its top leadership since the offense occurred.”

For almost one year after the two airline crashes, Boeing continued a non-cooperation stance with the FAA. However sometime in late 2019 or early 2020 Boeing finally saw the light and began to cooperate with the FAA and the DOJ. Boeing also moved towards a very robust remediation from an obviously broken culture and non-existent fraud risk management system. The changes made by Boeing in its fraud risk management system are worth reiterating; they included:

• creating a permanent aerospace safety committee of the Board of Directors to oversee Boeing’sgoverning safety and its interactions with the FAA;
• creating a Product and Services Safety organization to strengthen and centralize the safety-related functions;
• reorganizing Boeing’s engineering function to have all Boeing engineers report through Boeing’s chief engineer rather than to the business units;
• structural changes to Boeing’s Flight Technical Team, including moving Boeing’s Flight Technical Team under the same organizational umbrella as Boeing’s Flight Test Team;
• adopting new policies and procedures and conducting training to clarify expectations; and
• requirements governing communications between Boeing’s Flight Technical Pilots and regulatory authorities.

Finally, Boeing agreed to “ensure that its compliance program does not become stale”. It will do so by conducting periodic reviews and testing of its compliance code, policies, and procedures to evaluate and improve the effectiveness in “preventing and detecting violations of U.S. fraud laws and the Company’s code, policies, and procedures regarding U.S. fraud laws, taking into account relevant developments in the field and evolving industry standards.” This final point demonstrates the importance of continuous monitoring and continuous improvement in any compliance program; whether it be fraud management or anti-corruption.

[View source.]