Robert Sallee died last week. A smoke jumper, he was the last survivor of the Mann Gulch Fire, one of the worst disasters in the history of the US Forest Service. Sallee’s story and that of the Mann Gulch Fire were detailed in Norman Maclean’s posthumously published book, Young Men and Fire. There are only a handful of books I have ever read that drove me to tears and this was one of them. It was that powerful to me.
As reported in Sallee’s obituary in the New York Times (NYT), “In 1978, both Mr. Rumsey [one of two other survivors out of 15 men] and Mr. Sallee went back to Mann Gulch with Mr. Maclean, whose detailed account of their recollections and their court testimony fails to unravel precisely what happened; rather, it succeeds in illustrating the terror of being caught in such a monstrous natural maelstrom. Mr. Maclean wrote: “Sallee talks so often about everything happening in a matter of seconds after he and Rumsey left Dodge’s fire that at first it seems just a manner of speaking. But if you combine the known facts with your imagination and are a mountain climber and try to accompany Rumsey and Sallee to the top, you will know that to have lived you had to be young and tough and lucky.””
Sallee was only 17, and not yet a high school graduate, at the time of the Mann Gulch Fire; he had only just finished his fire service training course. The Mann Gulch jump was his first as a smoke jumper. The Forest Service was “accused of insufficiently preparing the smoke jumpers and sending them into Mann Gulch recklessly.” One of the Forest Service’s responses was to increase its research into fire behavior and also “to develop new training techniques and better safety measures for its firefighters.” As you might be able to ascertain from my lengthy discussion of Maclean’s book and the event itself, I am still moved by the story of the Mann Gulch Fire. When I was growing up I thought smoke jumpers were about the bravest men I had ever heard of, parachuting into the wilderness to fight wildfires.
What are the lessons for the compliance practitioner? As with many such events, it is to evaluate factors from the risk perspective. One of the questions I am often asked is how far down the chain a company must go in managing its third party relationships. While a black book legal answer is that you are responsible for all your third parties down the chain under the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act, the practical reality is that a company cannot manage all of its direct relationships and those direct relationships’ sub-relationships. They are too far down the chain and too remote to effectively control.
Jan Farley, the Chief Compliance Officer (CCO) at Dresser-Rand, has said that it is important for compliance officers not to stretch the compliance program so thin, in trying to cover everything, that they miss the larger FCPA or UK Bribery Act risks that the company faces. I believe Jan’s comments also echo something that I believe is clear from the Guidance: Don’t focus on the small stuff. Indeed the Guidance states, “Thus, it is difficult to envision any scenario in which the provision of cups of coffee, taxi fare, or company promotional items of nominal value would ever evidence corrupt intent, and neither DOJ nor SEC has ever pursued an investigation on the basis of such conduct.” In other words, do not waste your compliance time, resources or energy on these small issues. However, if these small issues are a part of a larger systemic or long-standing course of conduct that violates the FCPA, then the Department of Justice (DOJ) may well look into these issues. You will want to show the DOJ you are focusing on the “big stuff”.
The Guidance also makes clear that each company should assess and manage its risks. The Guidance specifically notes that small and medium-size enterprises likely will have different risk profiles and therefore different attendant compliance programs than large multi-national corporations. Moreover, this is something that the DOJ and Securities and Exchange Commission (SEC) take into account when evaluating a company’s compliance program in any FCPA investigation. This is why a “Check-the-Box” approach is not only disfavored by the DOJ, but, at the end of the day, it is also ineffectual. It is because each compliance program should be tailored to the enterprise’s own specific needs, risks, and challenges.
One of the approaches which I thought made a lot of sense in this area comes from a presentation made by Randy Corley, Executive Vice President (EVP), Global Compliance Officer at Edelmen Inc., where he describes a five-step process for his evaluation of third parties. I found his questions to be very relevant when considering how far down the chain a company must go.
Step 1: How Much is Enough? Here your goal is to have a realistic process so that it can be effectively managed and still be of sufficient value for the business unit decision makers, who have the ultimate responsibility over the company’s third parties.
Step 2: How Deep Do We Dig? Here I think the question you should consider is how many tiers down you must go in managing your third parties. Clearly you should manage all direct counter-parties in the sales chain and those considered high-risk in the supply chain. Further, in the sales chain, I think you need to know directly if your business representatives are sub-contracting down your business representation, at least through one tier. On the supply chain, if a high-risk party truly is a high risk for bribery and corruption under your internal evaluation system, you should also consider digging down one tier.
Step 3: What Do You Need To Know? While with your first tier relationships you may scope your review depending on your internal risk assessment and attendant risk ranking, your data collection down the chain may not need to be as robust. For counter-parties further down the chain than tier 2, a list of actual and beneficial owners, coupled with commitments to follow relevant anti-corruption legislation is needed. Such commitments should be secured through each tier’s contract with its counter-parties.
Step 4: What Did We Learn? If there is any information from which Red Flags appear, they must be cleared. If additional information is needed or points clarified, now is the time to do it and not wait until later in the process. Here I would rely on Jan Farley’s proscription not to stretch your compliance program too thin. Focus your training, communication and management on your direct counter-parties and communicate to them that your company expects them to manage their relationships with their direct counter-parties, which would include the clearing of any Red Flags that may have appeared.
Step 5: Then What? After you have made your decision you still need to manage the relationship. This will entail continuing compliance communications with your direct counter-parties on an ongoing basis. Preferably your business unit sponsor will do this but as the compliance practitioner, you should also be mindful of checking in from time-to-time with your third parties. As your compliance program matures, you also reach the point where you will need to consider auditing of your third parties from the compliance perspective. Finally, do not forget the three most important things about your FCPA compliance program: “Document, Document and Document” the entire process.
Fortunately, we in compliance do not deal with life or death situations like those the smoke jumpers faced. But that does not diminish the lessons we can derive from experiences from the practice of safety and evaluation of risk. In the area of third parties, consider what risks you face in both your sales and supply chain. If there is a key player several tiers down the line who creates or builds a key component or delivers a critical service, you may want to put more management around that relationship from the compliance perspective. For anything below a tier 2, you may be able to manage your risks through having your direct tier 1 counter-party take the lead in managing such compliance risks. But make sure that the expectation is communicated to your direct counter-party so that if the government comes knocking you can show that not only did you contractually obligate your direct counter-party to do so but that you provided them the tools and training to do so. Finally, you will need to be able to show that your direct counter-party did so.