The city of Houston has seen a multi-year economic downturn from the drop in the price of oil. Every company in the energy space has been required to dramatically cut its work force, including unfortunately, it compliance function. Yet the response by compliance functions in the energy space provides an excellent roadmap for any company which goes through a similar experience.
Many Chief Compliance Officers (CCOs) and compliance practitioners struggle with metrics to demonstrate revenue generation. Most of the time, such functions are simply viewed as non-revenue generating cost drags on business. This may lead to compliance functions being severely reduced in this downturn. However I believe such cuts would be far from short-sighted; they would actually cost energy companies far more in the short and long term.
Almost any energy company of any size has gone through a Foreign Corrupt Practices Act (FCPA) investigation, whether internal or formal by the Department of Justice (DOJ) or Securities and Exchange Commission (SEC). Many had gone through enforcement actions. The risk profiles of these companies did not change because of the drop in oil prices. Extractive resources are still located largely in countries with a high perception of corruption. In others, the inherent compliance risks that currently exist for energy companies will certainly not lessen. Unfortunately, they usually increase in an economic downturn, for a couple of reasons.
The first is that companies will attempt to reduce their costs by cutting their compliance personnel. A tangential but equally important component of this is that companies that do not invest the monies needed to beef up their oversight through monitoring or other mechanisms are setting themselves up for serious compliance failures.
Moreover, what is the pressure on the business folks of such companies to ‘get the deal done’ with this slashing of oil prices? When there is a 10% to 30% overall employee reduction, what additional pressures is on those employees remaining to make their numbers or face the same consequences as their former co-workers?
I think both of these scenarios are fraught with increased compliance risks. For companies to engage in behaviors as I have outlined above would certainly bring them into conflict with the Ten Hallmarks of an effective compliance program as set out in the FCPA Guidance. For instance on resources, the FCPA Guidance does not say in a time of less income, when your compliance risk remains the same or increases, you should cut your compliance function. Indeed it intones the opposite, when stating, “Those individuals must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively.” Moreover, the FCPA Guidance adds, “Moreover, the amount of resources devoted to compliance will depend on the company’s size, complexity, industry, geographical reach, and risks associated with the business. In assessing whether a company has reasonable internal controls, DOJ and SEC typically consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.” So the resource issues is stated in reference to the risk profile of the business and not the current or fleeting economic issues of the day.
Also note that the FCPA Guidance speaks to an analysis from the DOJ side, which would presumably be a criminal side review. For instance, when a company cuts its compliance staff while its risk profile has not decreased, does this provide the required intent to commit a criminal act under the FCPA? Moreover, who would be the guilty party under such an analysis? Would it be the Chief Executive Officer (CEO) who ultimately decides we need a fixed percentage cut of employees or simply a raw number to be laid off? How about the department head (as in the CCO) who is told to cut your staff 10% or we will make the cuts for you? Or is it a company’s Human Resources (HR) department who delivers the dreaded knock on a compliance practitioner’s door (I’m from HR and could you come with me). What if a company’s decision-making authority is so decentralized that there is no one person who can be held accountable?
You should also note the SEC role in FCPA enforcement, as alluded to in the quote from the FCPA Guidance. There will be an assessment of internal controls. Now that the COSO 2013 Framework has become effective, will companies delay plans to implement the new Framework and to begin to audit against it? If so, would that be a per se FCPA violation?
The second reason risk profiles increase in this industry-specific downturn. Unfortunately it will come from those employees who survive the lay offs. They are under increased pressure to do the jobs of the laid-off folks so there is a greater chance that something could slip through the cracks. When you are already working full time at one job and one, two or three other employees in your department are laid-off, which job is going to get priority? Are you only be able to put out fires or will you be able to accomplish what most business folks think is an administrative task?
But more than the extra work the survivors will have laid upon them is the implicit message that some companies senior management may well lay down, that being Get the Deal Done. When economic times are tough, senior management is looking even more closely at the sales numbers of employees. The sales incentives could very well move from a question of what will my bonus be when I close this transaction to one of will I be fired when I do not close this transaction. When senior management makes clear that it is bring in more business or the highway, employees will get that message.
Once again, where would the DOJ look for to find intent? Would it be the person out in the field who believed he was told that he or she either brought in twice as much work since there were half as many employees left after lay-offs? Would it be the middle manager who is more closely reviewing the sales numbers and sending out email reminders that when sales do not increase, there may well have to be more cuts? What about the CEO who simply raises one eyebrow and says we need to hunker down and get the job done?
What might be the DOJ or SEC reaction to the downsizing of compliance in the face of such increased compliance risk? The energy industry has not gone through this type of economic downsizing in the new age of FCPA prosecutions, largely since 2004, so there is no relevant time frame of FCPA enforcement to draw upon. However, the financial industry did go through such a contraction in the 2007-2010 time frame. We have seen the DOJ and other financial industry regulators draw huge penalties for a series of anti-money laundering (AML) and LIBOR scandals. My guess is that the DOJ and SEC will not allow companies to use economic arguments in the face of known and recognized increase in compliance risks. Indeed they may focus on some of these points as reasons for increased compliance vigilance in an energy company’s compliance function going forward.
I - Mapping of Your Internal Compliance Controls
As they made clear with several FCPA enforcement actions from last fall, the SEC has placed a renewed interest in the accounting provisions of the FCPA, specifically the internal controls provisions. The BHP enforcement continued this trend, where there was no evidence that bribes were paid or offered in violation of the FCPA, the the poor internal compliance controls at BHP led to a $25MM fine. Indeed Kara Brockmeyer, the Chief, FCPA Unit; Division of Enforcement of the SEC, who spoke at the recently concluded Compliance Week 2015, in a session entitled “A New Look at FCPA Enforcement”, reiterated that the SEC was committed to protecting investors in US public companies and those which list other securities in the US, through enforcement of the accounting provisions, including internal controls provisions of the FCPA. It would seem that the reason is straightforward; a company with rigorous internal compliance controls is better able to prevent, detect and remedy any FCPA violations that may occur.
So, in the midst of an economic downturn, what can you do around the FCPA’s requirements for internal controls and current SEC emphasis? I would suggest that you begin with an exercise where you map the internal controls your company has in place to the indicia of the Ten Hallmarks of an Effective Compliance Program, as set out in the FCPA Guidance. While most compliance practitioners are familiar with the Ten Hallmarks, you may not be as familiar with standards for internal controls. I would suggest that you begin with the COSO 2013 Framework as your starting point.
As a lawyer or compliance practitioner you may not be familiar with all the internal controls that you have in place. This exercise would give you a good opportunity to meet with the heads of Internal Audit, Finance and Accounting (F&A), Treasury or any other function in your company that deals with financial controls. Talk with them about the financial controls you may already have in place. An easy example is employee expense reports. Every company I have ever worked at or even heard about requires expenses for reimbursement to be presented, in documented form on some type of expense reimbursement form. This is mandatory for IRS reporting; so all entities perform this action. See how many controls are in place. Is the employee who submits the expense reimbursement required to sign it? Does his/her immediate supervisor review, approve and sign it? Does any party in the employee’s direct reporting chain review, approve and sign? Does anyone from accounts payable review and approve, both for accuracy and to make sure that all referenced expenses are properly receipted? Is there any other review in accounts payable? Is there any aggregate review of expense reports? Is there a monetary limit over which additional reviews and approvals occur?
Now if an employee has submitted expenses for activities that occurred outside the US are there are any foreign government officials involved? Were those employees identified on the expense reimbursement form? Was the business purpose of the meal, gift or other hospitality recorded? Can you aggregate the monies spent on any one foreign official or by a single employee in your expense reporting system? All of these are internal controls that can be mapped to the appropriate prong of the Ten Hallmarks or other indicia of your compliance program.
You can take this exercise through each of the five objectives under the COSO 2013 Framework and its attendant 17 Principles. From this mapping you can then perform a gap analysis to determine where you might need to implement internal compliance controls into your anti-corruption compliance program. This can lead to remedial steps that you can take. For example you can recommend procedures be written for all key compliance areas in which there are currently no procedures and your existing procedures can be updated to include compliance issues and clear definition how controls are to be evidenced. Through this you can move from having detect controls in place, to having prevent controls, whenever possible.
As a CCO or compliance practitioner, this is an exercise that you can engage in at no cost. You simply investigate and note what internal controls you have in place and how they may be a part of your anti-corruption efforts going forward. As I said last week, compliance is a straightforward exercise. This does not mean that it is easy; you do have to work at it so that you will simply not have a paper, “check the box”, program. But using the excuse that you have limited resources is simply an excuse and a rather poor one at that. While the clear lesson from the BHP enforcement action is that you are required to have effective internal controls in place, by engaging in this mapping exercise you can then figure out what you have and, more importantly, what internal compliance controls that you do not have and need to institute.
II. Of Layoffs and Whistleblowers-Employment Separation Issues
In Houston, energy companies have experienced laying off upwards of 30% of their workforce, both in the US and abroad. Employment separations can be one of the trickiest maneuvers to manage in the spectrum of the employment relationship. Even when an employee is aware layoffs are coming it can still be quite a shock when HR shows up at their door and says, “Come with me.” However, layoffs, massive or otherwise, can present some unique challenges for the FCPA compliance practitioner. Employees can use layoffs to claim that they were retaliated against for a wide variety of complaints, including those for concerns that impact the compliance practitioner. Yet there are several actions you can take to protect your company as much as possible.
Before you begin your actual layoffs, the compliance practitioner should work with your legal department and HR function to make certain your employment separation documents are in compliance with the SEC v. KBR Cease and Desist Order regarding Confidentiality Agreement language which purports to prevent employees from bringing potential violations to appropriate law or regulatory enforcement officials. If your company requires employees to be presented with some type of CA to receive company approved employment severance package, it must not have language preventing an employee taking such action. But this means more than having appropriate or even approved language in your CA, as you must counsel those who will be talking to the employee being laid off, not to even hint at retaliation if they go to authorities with a good faith belief of illegal conduct. You might even suggest, adding the SEC/KBR language to your script so the person leading the conversation at the layoff can get it right and you have a documented record of what was communicated to the employee being separated.
When it comes to interacting with employees first thing any company needs to do, is to treat employees with as much respect and dignity as is possible in the situation. While every company says they care (usually the same companies which say they are very ethical), the reality is that many simply want terminated employees out the door and off the premises as quickly as possibly. At times this will include an ‘escort’ off the premises and the clear message is that not only do we not trust you but do not let the door hit you on the way out. This attitude can go a long way to starting an employee down the road of filing a claim for retaliation or, in the case of FCPA enforcement, becoming a whistleblower to the SEC, identifying bribery and corruption.
Treating employees with respect means listening to them and not showing them the door as quickly as possible with an escort. From the FCPA compliance perspective this could also mean some type of conversation to ask the soon-to-be parting employee if they are aware of any FCPA violations, violations of your Code of Conduct or any other conduct which might raise ethical or conflict of interest concerns. You might even get them to sign some type of document that attests they are not aware of any such conduct. I recognize that this may not protect your company in all instances but at least it is some evidence that you can use later if the SEC (or DOJ) comes calling after that ex-employee has blown the whistle on your organization.
I would suggest that you work with your HR department to have an understanding of any high-risk employees who might be subject to layoffs. While you could consider having HR conduct this portion of the exit interview, it might be better if a compliance practitioner was involved. Obviously a compliance practitioner would be better able to ask detailed questions if some issue arose but it would also emphasize just how important the issue of FCPA compliance, Code of Conduct compliance or simply ethical conduct compliance was and remains to your business.
Finally are issues around hotlines, whistleblower and retaliation claims. The starting point for layoffs should be whatever your company plan is going forward. The retaliation cases turn on whether actions taken by the company were in retaliation for the hotline or whistleblower report. This means you will need to mine your hotline more closely for those employees who are scheduled or in line to be laid off. If there are such persons who have reported a FCPA, Code of Conduct or other ethical violation, you should move to triage and investigate, if appropriate, the allegation sooner rather than later. This may mean you move up research of an allegation to come to a faster resolution ahead of other claims. It may also mean you put some additional short-term resources on your hotline triage and investigations if you know layoffs are coming.
The reason for these actions are to allow you to demonstrate that any laid off employee was not separated because of a hotline or whistleblower allegation but due to your overall layoff scheme. However it could be that you may need this person to provide your compliance department additional information, to be a resource to you going forward, or even a witness that you can reasonably anticipate the government may want to interview. If any of these situations exist, if you do not plan for their eventuality before you layoff the employee, said (now) ex-employee may not be inclined to cooperate with you going forward. Also if you do demonstrate that you are sincerely interested in a meritorious hotline complaint, it may keep this person from becoming a SEC whistleblower.
Next is what Jan Farley, the CCO at Dresser-Rand, calls the Desktop Risk Assessment. Both the DOJ and SEC have made clear the need for a risk assessment to inform your compliance program. I believe that most, if not all CCOs and compliance practitioners understand this well articulated need. The FCPA Guidance could not have been clearer when it stated, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” While many compliance practitioners have difficulty getting their collective arms about what is required for a risk assessment and then how precisely to use it; the FCPA Guidance makes clear there is no ‘one size fits all’ for about anything in an effective compliance program.
One type of risk assessment can consist of a full-blown, worldwide exercise, where teams of lawyers and fiscal consultants travel around the globe, interviewing and auditing. Of course this can be a notoriously expense exercise and if you are in Houston, the energy industry or any sector in the economic doldrums about now, this may be something you can even seek funding for at this time. Moreover, you may also be constrained by reduced compliance personnel so that you can not even perform a full-blown risk assessment with internal resources.
However, if there is one thing that I have learned as a compliance profession, it is that you are only limited by your imagination. So using the FCPA Guidance’s no ‘one size fits all’ proscription, I would submit that is also true for risk assessments. You might try assessing other areas annually, through a more limited focused risk assessment, literally while staying at your desk and not traveling away from your corporate headquarters.
Some of the areas that such a Desktop Risk Assessment could inquire into might be the following:
Are resources adequate to sustain a culture of compliance?
How are the risks in the C-Suite and the Boardroom being addressed?
What are the FCPA risks related to the supply chain?
How is risk being examined and due diligence performed at the vendor/agent level? How is such risk being managed?
Is the documentation adequate to support the program for regulatory purposes?
Is culture, attitude (tone from the top), and knowledge measured? If yes, can we use the information enhance the program?
Disciplinary guidelines – Do they exist and has anyone been terminated or disciplined for a violating policy?
Communication of information and findings - Are escalation protocols appropriate?
What are the opportunities to improve compliance?
There are a variety of materials that you can review from or at a company that can facilitate such a Desktop Risk Assessment. You can review your company’s policies and written guidelines by reviewing anti-corruption compliance policies, guidelines, and procedures to ensure that compliance programs are tailored to address specific risks such as gifts, hospitality and entertainment, travel, political and charitable donations, and promotional activities.
You could assess your company’s senior management support for your compliance efforts through interviews of high-level personnel such as the CFO, General Counsel, Head of Sales, CEO and all Board, Audit or Compliance Subcommittee members to assess “tone from the top” and their actual knowledge about the FCPA and your compliance program. You can examine resources dedicated to compliance and also seek to understand the compliance expectations that top management is communicating to its employee base. Finally, you can gauge operational responsibilities for compliance.
Such a review would lead to the next level of assessment, which would be generally labeled as communications within an organization regarding compliance. You can do this by assessing compliance policy communications to company personnel but even more so by reviewing such materials as compliance training and certifications that employees might have in their files. If you did not yet do so, you should also take a look at statements by senior management regarding compliance, such as actions relating to terminating employees who do business in compliance but do not make their quarterly, semi-annual or annual numbers set in budget projections.
A key element of any best practices compliance program is internal and anonymous reporting. This means that you need to review mechanisms on the reporting of suspected compliance violations and the actions taken on any internal reports, including follow-ups to the reporting employees. You should also assess whether those employees who are seeking guidance on compliance for their day-to-day business dealings are receiving not only adequate but timely responses.
There is no dispute that third parties represent the highest risk to most companies under the FCPA, so a review of your due diligence program is certainly something that should be a part of any risk assessment. But more than simply a review of procedures for due diligence on third party intermediaries, you should also consider the compliance procedures in place for your company’s mergers and acquisitions (M&A) team; focusing on the pre-acquisition phase.
One area that I do not think gets enough play, is reviewing what might be characterized as employees’ commitment to your company’s compliance regime. So here you may want to review your compliance policies regarding employee incentives for compliance. But just as you look at the carrots to achieve compliance with your program, you should also look at the stick, in the form of disciplinary procedures for violations. This means you should see if there have been any disciplinary actions for employee compliance violations and then determine if such discipline has been applied uniformly. If you discipline top sales people in Brazil, you have to discipline your top sales folks in the US for the same or similar violations.
This list is not intended to be a complete list of items, you can pick and choose to form some type of Desktop Risk Assessment but hopefully you can see some of the areas you can assess. My suggestion is that you try identifying and focusing on core compliance components in your organization. Obviously there are probably a million things you could fix. However, you cannot fix everything, so you must make a decision about your primacies, and then act on them. A Desktop Risk Assessment may well help you to do so.
As with the other suggestions, if you perform an annual Desktop Risk Assessment with a full worldwide risk assessment every two years or so, you should be in a good position to keep abreast of compliance issues that may change and need more or greater risk management. Moreover, when funds and resources do become available to you and the compliance function, you will have a stronger program and one which move towards best-in-class. Finally, do not forget that the FCPA Guidance ends its section on risk with the following, “When assessing a company’s compliance program, DOJ and SEC take into account whether and to what degree a company analyzes and addresses the particular risks it faces.” By using the Desktop Risk Assessment during an economic downturn, you can answer any regulator who asks what have you done to manage the risks in your company, by using the resources and tools that were available to you.
IV. Compliance Development and Internal Resources
When faced with reduced monetary resources and lessened head count you might want to consider the teamwork of compliance. To that end you might use a strategy of developing compliance talent and relationships for the compliance function. You could initiate a compliance talent development group where you rotate high potential individuals in your company through the compliance function in some manner.
My suggestion would be to work with senior management and your HR function to identify some of the key talent within your company. They can come from any other area of the company; such as accounting, finance, internal audit, HR itself, sales or any other discipline. From there you can task them to lead a working group on a compliance related project. The project itself can be any project you would like to try and implement when funding becomes more available.
One company I worked at had such an organization called the President’s Team which was an annual group that developed projects for the company CEO. The concept is the same but the goal is having the high talent employees learn more about compliance. Equally important for you as the compliance practitioner is to develop relationships with such up and comers so you can access to them if they continue to progress up the corporate chain. Remember it is important to have relationships with those in power and those who are in power.
In addition to the talent development group, you should also revisit your interactions with your Board or Audit Committee. You need to re-emphasize to them their responsibility for compliance going forward and that it will not diminish simply because the price of oil has gone south or any other reason why you may be in an economic downturn. If there are emergency projects or others which you believe should take priority this would be a good time to inform and educate the Board on them so that you can continue to maintain as much funding as is possible. This could come into play if you have a number of whistleblower complaints to triage and review in short order due to employee layoffs. But if you did not establish those relationships ‘yesterday’, you probably cannot call on them ‘tomorrow’ so you need to make sure they are in place now.
Another idea that you can try is something along the lines of a client advisory committee or peer group review. You can put together a peer group to help advise your compliance function. After all, one of your constituent groups is your employee base. So why not turn to that group to find out what is working and perhaps their views on what is not, in their eyes, from the compliance function. If they can provide feedback to you on how to streamline a compliance process you might well be able to incorporate such suggestions going forward. They will be aware of the resource constraints the company is under so it could be an avenue which you have not previously used. Further, as with the talent development group concept, you would have the opportunity to develop relationships with other leaders in your organization. Finally, the group would have greater investment in the compliance function going forward.
Next is one of your highest risks, that of third parties, which most compliance practitioners recognize as their highest risk in any FCPA anti-corruption compliance program. This risk does not lessen simply because of a downturn. My suggestion is that you test and review all of the indicia around the lifecycle of your third party risk management program. This is not a forensic audit or even standards that an auditor might use. But you can test and you can test the documentation around your program at little to no cost.
The lifecycle of a third party is the following: (1) Business justification, (2) Questionnaire, (3) Due Diligence and Evaluation, (4) Contract negotiation, and (5) Managing the relationship thereafter. You can perform testing on all of these steps by reviewing the documentation in your third party database. For each third party you should confirm that there is documentation in each file, which supports each of the five prongs. In addition to the document, document, document aspect of this exercise, you can also use it as a cross-check on your internal control mapping for each validated prong so this can also be considered an internal compliance control.
I hope that you have found some of these ideas for improving your compliance function in an economic downturn useful. Perhaps they have stimulated ideas or discussions within your organizations going forward. If you have any other ideas which you would be willing to share, I hope that you will pass them along to me. We are all in this compliance ride together anything we all can do to move things forward is progress in my mind.