KISS And Compliance – Keep It Simple, Sunshine

Thomas Fox - Compliance Evangelist

One of the things that commentators incessantly complain about when it comes to the enforcement of the Foreign Corrupt Practices Act (FCPA) by the Department of Justice (DOJ) is that there are still companies which violate the law. They are simply shocked, shocked to find that bribery and corruption are still going on after all these years. Some complain that the DOJ uses Deferred Prosecution Agreements (DPAs) to run up its enforcement statistics in a facile manner rather than going after bad guys for real jail time. Others believe that if the DOJ stopped enforcing the FCPA against companies and went after individuals, then people would sit up and finally take notice and begin to follow the now 36-year-old law. Another group says that it is really the fault of the DOJ for not telling companies how to do business ethically and in compliance with the law. A final group holds that it is simply human nature to engage in bribery and corruption; it always has been and always will be, and we should not be trying to legislate or criminalize human nature.

However, I recently saw an article which suggested that there might be another reason: the complexity of compliance systems. In an article in the Financial Times (FT), entitled “The failures that lead to financial explosions”, John Kay looked to the discipline of engineering and the complexity of systems as a mechanism to review the failures of financial systems. His conclusion was that complexity will always lead to accidents. Put another way, Keep It Simple, Sunshine.

Kay began his story by reviewing the accident at Three Mile Island back in 1979. This accident was the worst nuclear plant failure in the US. The problem began with a “minor defect in the secondary cooling system” but several backup systems failed due to unrelated problems. This caused a hydrogen explosion which allowed radiation to leak, but the building itself, acting as a containment structure, prevented a catastrophic failure.

Charles Perrow studied the accident and its causes and opined that there will continue to be similar accidents which he termed “normal accidents” because of the complexity of the systems involved; both mechanical and human. Perrow said that “The fundamental problems lie in system design, not the components or the people who try to make these systems work. Two features render systems particularly prone to failure: interactive complexity, which means that everything depends on everything else; and tight coupling, which means that there is little slack to permit self-repair or recovery.”

In the context of a compliance program, it may mean that less is more. The lesson for the compliance practitioner is that the “attempt to design a system for zero failure is impractical. The crucial issues are those of system design. Shorter, simpler, linear chains of intermediation are needed, and loose coupling that gives every part of the system loss absorption capacity and resolution capability.”

Based on the foregoing, I would say that it all begins with clear lines of authority and reporting at the top. This means that the Chief Compliance Officer (CCO) needs to get in front of the governance authority of the company. Mike Volkov and Donna Boehme both continually talk about the authority and independence of the CCO. But Perrow’s perspective would appear to suggest that equally important is the clear line of reporting by the CCO to the relevant Board of Directors committee.

However, this clear linear chain traverses downward as well. Company employees need to know who to call when they have a question regarding compliance. This means clear lines of reporting up to the compliance function. This also means appropriate staffing for the compliance function. The Pfizer DPA specified that the company staff with sufficient resources and maintain an anti-corruption program office providing centralized assistance and guidance regarding the implementation, updating and revising of the FCPA Procedure, the establishment of systems to enhance compliance with the FCPA Procedure, and the administration of corporate-level training and annual anti-corruption certifications. While the FCPA Guidance focuses more on adequate staffing, I think what needs to be understood is the direct centralized assistance and guidance function of a company’s compliance group to company employees.

I believe that this concept of ‘less is more’ also goes to an overall compliance policy and attendant procedures. I have read some compliance policies and procedures that were clearly written by lawyers for lawyers. They have relevant citations and are heavily footnoted. But these have little to no use for the average employee who is trying to do the right thing by reading, understanding and trying to implement such a program. The FCPA Guidance spoke to that issue when it stated, “the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.” This also means that it should be comprehensible by your employee base, across the globe. The FCPA Guidance stated on this point, “it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it.”

Kay ends his piece by stating, “The lesson for financial services is that the attempt to design a system for zero failure is impractical. The crucial issues are those of system design. Shorter, simpler, linear chains of intermediation are needed, and loose coupling that gives every part of the system loss absorption capacity and resolution capability. The direction of travel in the past two decades has been the opposite – the multiplication of interactive complexity through the explosion of trading between financial institutions, and ever tighter coupling as timescales are shortened and capital is used “more efficiently”. Finance needs to learn from engineers with experience of complex systems in the face of “normal accidents”.”

I think that the compliance world could also learn from Perrow’s research and Kay’s article. Making compliance programs more direct, with clearer and simpler lines of communication and authority, could go a long way towards preventing violations of the FCPA. The same is true for the components of a compliance program designed to prevent or detect that well-worn ‘rogue employee’ who is determined to violate the law at all costs.

Of course, the simplest, most direct compliance program is the one stated by Greg Andres at the House Judiciary Committee in June 2011. He said if companies do not want to violate the FCPA, they can simply not engage in bribery. It doesn’t get much simpler than that.

Episode 24 of the FCPA Ethics and Compliance Report is now available. In this episode, I interview Maurice Gilbert, founder of Corporate Compliance Insights and President of Conselium on what goes into a compliance position posting and how you can prepare to be a candidate for such a job opening. You can check it out here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Thomas Fox - Compliance Evangelist
