I. Reflections on Being Prepared
We recently had a 1000-year storm and flood in South Texas. Even with this cataclysmic event, I think there are lessons to be garnered by the compliance professional which hopefully you can use during less eventful times.
The first is to be prepared for the true emergency. Early on at my tenure with Halliburton, when the long-forgotten Hurricane Rita was barreling towards Houston I received a call at home at 6 AM from the then EVP of Legal Services telling me he wanted the Law Department’s Emergency Response Plan ready in the next hour and he would call me at my office number to hear what I came up with. About all I could come up with in the next hour was to stop at every open gas station on the way to the office to purchase maps so all the lawyers would know the routes out of Houston. When he called me at 7 AM, I duly reported these purchases and that I would get everyone’s primary and secondary emergency contact numbers. I then went around to everyone’s office to get the information as the Law Department had somehow never thought to obtain this information previously.
I garnered three important lessons from this exercise were to have this information kept on file and kept up to date. Equally important was the information I had to impart to everyone, which was your secondary emergency contact information was not your spouse but someone you would call to let know if you were safe (or not). Since your spouse and immediate family would be with you, they would be of little use as an emergency contact in a situation such as an evacuation.
But the over-riding lesson was to be prepared for such an eventuality. While you may not have put plans in place for the 500-year or 1000-year floods; if you live on the Gulf Coast, you can certainly prepare for the eventuality of a hurricane and an evacuation. For the compliance practitioner, the emergency you can predict you will face is a potential unknown claim of a Foreign Corrupt Practices Act (FCPA) violation which suddenly becomes public, as when the New York Times (NYT) broke the story of Wal-Mart’s alleged bribery and corruption in Mexico in April 2012. An equally plausible event could be an internal whistleblower report of similar conduct. Equally hair-raising for the General Counsel (GC), could be the situation where the Department of Justice (DOJ), with FBI agents in tow, show up at your company offices, bright and early one morning, search warrant in hand.
It is easy to see that you can anticipate such an eventuality. It means that you should have a detailed written procedure for handling any complaint or allegation of bribery or corruption, regardless of the means through which it is brought to your attention. One of the best investigation protocols is derived from a presentation I saw by Jay Martin, Vice President (VP), Chief Compliance Officer (CCO) and Senior Deputy Counsel for Baker Hughes, a GE company, and Jacki Trevino, Senior Consultant, Advisory Services at SAI Global, which was entitled "FCPA Compliance Best Practices: Success Stories of Robust and Effective Anti-Corruption Compliance Programs in High Risk Markets."
The five steps were: (1) Opening and Categorizing the Case; (2) Planning the Investigation; (3) Executing the Investigation Plan; (4) Determining Appropriate Follow-Up; and (5) Closing the Case. If you follow this basic protocol, you should be able to work through most investigations, in a clear, concise and cost effective manner. Furthermore, you should have a report at the end of the day which should stand up to later scrutiny if a regulator comes looking. Finally, you will be able to document, document, and document, not only the steps you took but why and the outcome obtained.
Step 1: Opening and Categorizing the Case. This first step is the triage step, to categorize a compliance violation. You should notify the relevant individuals, including those on your investigation team and any senior management members under your notification protocols. After notification, you should assemble your investigation team for preliminary meetings and assessments. This Step 1 should be accomplished in one to three days after the allegation comes into compliance, either through your reporting structure or other means.
Step 2: Planning the Investigation. After assembling your investigation team, determine the required investigation tasks. These would include document review and interviews. These tasks should be integrated into a written investigation or work plan so that the entire process going forward is documented. If there is a variation from the written investigation plan, such variation should be documented and an explanation provided as to why there was such a variation. Lastly, if international travel is involved this should also be considered and planned for at this step. Step 2 should be accomplished with another one to three days.
Step 3: Executing the Investigation Plan. Under this step, the investigation should be completed. I would urge that the interviews not be effected until all documents are reviewed and ready for use in any interviews. Care should be taken to ensure that an appropriate Upjohn warning is issued and that the interviewee clearly understands that whoever is performing the interview represents the company and not the person being interviewed, whether they are the target of the investigation or not. The appropriate steps should also be taken to preserve the attorney-client privilege and attorney work product assertions. This Step 3 should be accomplished in one to two weeks.
Step 4: Determining Appropriate Follow-Up. At this step, the preliminary investigation should be completed and you are ready to move into the final phases. In some investigations, it is relatively easy to determine when the work is essentially complete. For example, if the allegation is both specific and narrow, and the investigation reveals a compelling and benign explanation for the conduct alleged, then the investigation typically is complete and you are ready to convene the investigation team and the relevant business unit representatives. This group would decide on the appropriate disciplinary steps or other actions to take. This Step 4 should be completed in one day to one week.
Step 5: Closing the Case. Under this final step, communicate the investigation results to the stakeholders and complete the case report. Everything done in the above steps should be documented and stored, either electronically or in hard copy form together. The case report should be completed. This Step 5 should be completed in one day to one week.
Through the use of such a detailed written procedure, you can work to ensure there is complete transparency on the rights and obligations of all parties once an allegation is made. This allows the Compliance Department to have not only the flexibility but also the responsibility to deal with such matters, from which it can best assess and then decide on how to manage the matter.
Equally important is the government requirements for an effective investigation. The Securities and Exchange Commission (SEC) considers a variety of factors around giving credit to corporate investigations including: Did management, the Board or committees consisting solely of outside directors oversee the review? Did company employees or outside persons perform the review? If outside persons, have they done other work for the company? If the review was conducted by outside counsel, had management previously engaged such counsel? How long ago was the firm’s last representation of the company? How often has the law firm represented the company? How much in legal fees has the company paid the firm?
But simply having written up an investigation protocol is not enough. You need to be ready to implement it. Even if you cannot perform drills similar to those for hurricane preparedness, you can walk through the steps you have laid out in your investigative protocol, listing who should be notified with multiple contact points to make sure you can get through to them. My hope is that you will never have to face a true emergency but it is certainly plausible you might so having prepared will certainly help you going forward.
II. How Weather Can Bring Analytical Clarity to Compliance
Next, I want to focus on the decision-making process that General Dwight Eisenhower used around the one factor he could not control around the D-Day invasion - the weather. The story has been well told many times. According to This Day in History, in early June, 1944, some 156,000 allied troops, were marshalled on the southern coast of England, “poised to travel by ship or plane over the English Channel to attack the German army dug in at Normandy, France, on June 5. Eisenhower had a window of only four days of decent weather in which an invasion would be possible. When bad weather hit the channel on June 4, Eisenhower wrestled with the idea of postponing Operation Overlord. Weather conditions were predicted to worsen over the next two weeks and he had thousands of personnel and thousands of tons of supplies that were in his words, hanging on the end of a limb. After a promising but cautious report from his meteorologist.” After a few minutes of reflection, Eisenhower told his staff, “I am quite positive that the order must be given.” June 6, 1944 became forever known as D-Day.
Yet it was Eisenhower’s lengthy decision making process which allowed him to synthesize the facts and move to a correct decision quickly and decisively. Eisenhower himself has been quoted as saying “Make big decisions in the calm”. In a recent book by Raymond M. Kethledge and Michael S. Erwin, entitled Lead Yourself First, they call this process “analytical clarity”. It is this process which I believe can be useful for any CCO or business leader faced with a decision which allows “the breaking down of complexity to a single point of clarity.” It requires a CCO or business leader to “identify as clearly and precisely as he can, the goal he seeks to achieve or problem he seeks to solve.” This type of process is particularly well suited to today’s information overload business world where there may literally be thousands of inputs and data points.
Analytical clarity allows a CCO or business leader “to focus clearly and specifically, on the key variable that will determine whether a decision brings success or failure.” It is through identification of this key variable which can lead to analytical clarity. Once you have focused on the key variable, you are in the best position to determine in which direction the variable will go.
Interestingly one of the techniques Eisenhower used to help crystalize his thinking was to write himself Memoranda. His son John Eisenhower was quoted that “throughout his life, my father put many of this thoughts on paper, partly for the information of others but even more to clarify thoughts in his own mind.” Eisenhower took the time and energy to use this creative practice for distilling his thinking throughout his military career. The historian Stephen Ambrose has said, “one of Eisenhower’s characteristics was his desire to simplify. Faced with a complex situation, he usually tried to separate it into its essentials, extract a principal point, then make that point his guiding star for decisions.” For the final decision on when to go, Eisenhower had distilled the issue down to “we must go unless there is a real and very serious deterioration in the weather.”
The meteorologist Group Captain James Martin Stagg had initially predicted clear skies for June 5. However, on the morning of June 4, he reported an incoming storm over the Irish Sea which had the “lowest barometric pressures ever recorded that century around the British Isles in June.” In other words, June 5 was going to be one very bad weather day. However, at their 9:30 p.m. meeting, Stagg had indicated he saw a break in the weather later that evening and through the day of June 6th. Further, this window would only be open for 36 hours or so, as Stagg believed stormy weather would reappear over the channel on June 7. On the morning of June 5, after a 4 AM staff meeting, Eisenhower considered his decision one more time and gave his final order Let’s go.
This process for analytical clarity can be a powerful tool for any CCO or business leader. It requires discipline and structure in your decision-making process. Indeed, it is the rigor in the process which makes it so powerful. However, Kethledge and Erwin note there is one other requirement which may be particularly prescient for the 2017 CCO or business leader, “because of its difficulty, and its glacial pace—it is best done, and perhaps only done, in solitude.
Consider the decision by a CCO about resources for a compliance initiative, particularly involving a technological change. You will begin with a large amount of often disparate information. The first step is to logically sort the information by considering such questions as the changes it will require to your current compliance infrastructure, how it will impact related systems such as IT and data governance issues, then what will be the use by or preferences of your compliance customer base; i.e. your employees. Your next step is to put together “a series of logical premises” which begins “with certain facts that are known or likely to exist.” You then proceed to “certain rules or principles” such as the initiative must be come in at a certain cost, be a date certain or under certain legal or corporate compliance standards. This process should lead to a distillation of information “which at first may seemed important, is in fact immaterial” as it does not impact the decision in either way. This allows you to focus on the key variable which will determine whether the decision “brings failure or success.”
Any CCO or business leader is going to make multiple, crucial decisions. Fortunately, they will not be as critical as the decision made by Eisenhower to go on June 6th. Yet the same skills and techniques he brought to bear can be used by you if you are faced with a decision with multiple source inputs and data. Eisenhower’s technique of memo writing and reflection are techniques you can use going forward which, at the end of the day, will make your compliance program and company stronger.
III. How the Storms of “The Scottish Play” Inform Your Compliance Program
Next, I consider the use of weather in Macbeth “the Scottish play” where Shakespeare uses utilizes the weather to create an ominous dark mood throughout much of the play. One commentator has noted, as with other Shakespearean tragedies, “Macbeth’s grotesque murder spree is accompanied by a number of unnatural occurrences in the natural realm. From the thunder and lightning that accompany the witches’ appearances to the terrible storms that rage on the night of Duncan’s murder, these violations of the natural order reflect corruption in the moral and political orders.” Yenised Ramirez-Ajete, writing for Prezi, has noted several weather themes in Macbeth. Using fog, Shakespeare “creates a sense of mystery and suspense and shows that things are going to turn around. The fog first starts off in the play when King Duncan says he’s going to kill the Thane of Cawdor.” Shakespeare makes abundant use of rain throughout the tragedy. At the beginning of the play, “the sky is sunny, and then when something bad starts to happen the rain starts to pour. Or another thing that occurs, is the sun will be out yet it will be raining. All the storms at beginning of the play will foreshadow all the bad things that will happen in the future.”
Yet for me it is the storms that form the central motif in Macbeth. When the witches (or three sisters) appear both thunder and lightning appear to foreshadow that something bad is going to happen or that something unnatural is going to occur. In Act 1 the first witch asks Macbeth when they will meet again, noting whenever they meet up, there is always thunder, lighting, or rain or all three at the same time. She makes this clear when they all meet in Act I when she says, When shall we three meet again? In thunder, lightning, or in rain? Of course, the murder of Duncan is in the midst of a terrible storm as well.
How does this relate to the compliance practitioner and more importantly, a best practices compliance program? If weather is a risk that you face, it needs to be put through your risk management process. Even in the Foreign Corrupt Practices Act (FCPA) arena weather can be a factor you need to reflect in your risk management process. Consider if your company is an agriculture based business where your suppliers require rain or even allocated irrigation waters to grow the plants which go into your products, such as grain for ethanol products. If your supplier-farmers must rely on a governmental water district for their irrigation water allocations, what could be the risk they might pay bribes to increase their allocations? What happens if there are bribes paid by suppliers in your supply chain to produce any part of your final product?
Now consider building permits and other government licenses which are necessary in a large construction project, such as a major hotel and gaming complex at or near a seashore with a gorgeous vista. What if your company directly makes what it believes are facilitation payments to obtain permits to build in low-lying areas which are prone to flooding? Now consider if these facilitation payments were actually bribes to get around local zoning or other flood control ordinances? Does any of this sound far-fetched? Perhaps but the point is these are clearly risks which must be assessed and then managed through your risk management protocol.
The DOJ clearly expects such risks to be evaluation, properly assessed and then managed. In its Evaluation of Corporate Compliance Programs (Evaluation) under Prong 9, Risk Assessment, the DOJ posed the following questions: Risk Management Process – What methodology has the company used to identify, analyze, and address the particular risks it faced? Information Gathering and Analysis – What information or metrics has the company collected and used to help detect the type of misconduct in question? How has the information or metrics informed the company’s compliance program? Manifested Risks – How has the company’s risk assessment process accounted for manifested risks?
Working backward from that list, consider manifested risks. Any reading of Shakespeare will inform you of the manifested risk of bad events during harsh weather conditions. The same can be said for weather related events which are known to occur. In Houston, we are now in the middle of the 1000-year flood event, having exceeded the 500-year flood event that happened way back two days ago. Is this a manifested risk? Is it a known risk? Right now many Houstonians are finding out that several commentators had predicted this type of flooding in Houston could occur.
These types of questions also point out how integrated compliance should be in your overall business processes. These are the types of questions you should be considered in your business operations for a variety of reasons. Just as clearly, if there is a risk of a compliance perspective, it needs to be assessed and managed. Continuing to reverse up the question chain, the DOJ wants to know how you have used the information. If your suppliers are farmers, have you provided them any training your company’s expectations that no bribes be paid? Is that training in their local language? Was it documented? For the facilitation payment example, when was the most recent full review and assessment of all facilitation payments, including the documentation of to whom, the amount and method of payment.
Finally, at the first two questions under Risk Management Process, what is your entire process? Does your organization even have a fully document process to do so and integrate it into your ongoing business process? What was your methodology, as did you even assess events such as the weather, geographical consideration or geopolitical events?
We are reminded that Shakespeare is our greatest playwright and greatest author of the English word. Although he wrote in fiction, most of his plays were based on prior stories built around historical events. The use of weather may have been a motif but as most fellow Texas can attest, it is real and the effects can be catastrophic. I hope you can use the lessons from Macbeth to consider your compliance program going forward.
IV. Holmes, the Fog of London and Root Cause Analysis
How does fog and its purported use as a literally symbol inform your compliance regime? Quite a bit it seems. If one were to think of one scene involving the city of London up to about 1950, it would most probably involve fog. More particularly, it would be what is generally known as ‘pea-soup’ fog. In almost any movie ever made, featuring Victorian to mid-20th century London, the overwhelming motif was all-encompassing fog. The same holds true for literature.
In fiction, one of the characters most closely associated with fog is Sherlock Holmes. However, there is very little use of fog in Doyle tales, almost all of which are set under clear skies. I could find three references to fog in the work of Holmes. In A Study in Scarlet there was “a dun-coloured veil hung over the house-tops.” In The Sign of Four, Holmes rapses; “What else is there to live for? Stand at the window here. Was ever such a dreary, dismal, unprofitable world? See how the yellow fog swirls down the street and drifts across the dun-coloured houses”, and, later “...the day had been a dreary one, and a dense drizzly fog lay low upon the great city. Mud-coloured clouds hung over the muddy streets.”
Only in The Adventure of the Bruce-Partington Plans, did Holmes make use of fog as a plot device, using it to conceal the criminal as he hides the body of his victim on the roof of an underground train. Holmes describes the scene “a dense yellow fog” that has settled down over London, and later notes “a greasy, heavy brown swirl still drifting past us and condensing in oily drops on the windowpane”. Holmes never even used the phrase ‘pea-soup’ fog.
Today’s compliance connection is the root cause analysis. From a through root cause analysis of Doyle’s writings, it is clear fog is a not a major player in the tales or even a mood or scene motif in the Sherlock Holmes stories. This revelation ties directly into the concept of a root cause analysis that was set out in the DOJ’s Evaluation. Under Prong 1, entitled “Analysis and Remediation of Underlying Misconduct”, it states Root Cause Analysis – What is the company’s root cause analysis of the misconduct at issue? What systemic issues were identified? Who in the company was involved in making the analysis?
A root cause analysis is a method to learn more about your business process and what occurred so that the controls, systems and process can be remediated. A root cause analysis allows you to determine the true cause of an incident, not one that simply hypothesizes a bad actor within a company going rogue. If you just fire someone, without changing the process, you are going to keep getting similar or the same results. Assessing blame does not help, as you want to get deeper into those root causes. The reason the entire process is named ‘root cause analysis’, is to emphasize the need to drill down below the superficial pieces of the framework to fix, and into the things that are driving the outcomes and the behaviors.
As Mike Volkov has noted, “Companies often face situations where they discover misconduct, impose discipline and remediate the problems discovered and then move on. This happens more often than misconduct resulting in a government disclosure or a government investigation. In either case, the questions are certainly relevant. The questions appear to be fairly basic but depending on the circumstances can be deadly accurate in pointing out compliance deficiencies. A root cause can implicate not only employee misconduct or failure to exercise proper oversight, but can extend to such issues as a company’s culture, tone-at-the-top and other issues with significant implications for the company’s operations.”
When root cause analysis is done correctly and utilized as a part of your remediation strategy going forward, it principally is there in order to develop preventive actions. A preventive action is something to prevent recurrence of the problem. You can correct with a corrective action, but the ultimate goal is to engineer out or fix the system and processes so you do not have the opportunity for that flaw to occur again.
Ben Locwin put it another way, stating “We have a problem. Let’s not run away from it. Let’s embrace it.” What you are really doing is looking at your program from the inside out. Locwin advocates beginning with such questions as “What can we do better? What can we do next?” He went on to explain “you’re looking for examination from an external and not an internal prospective. Internal perspectives tend to follow along the quotas. If you always do what you always did, then you’ll always get what you always got.” He went on to say, “continuous improvement approaches benefit most from” its “frequent exposures to radical change.”
It is the willingness of a company to look at itself that is the key to continuous improvement. Locwin said that while “typically these things come from external pressures and not from internal, incremental changes. If you take a step back, or maybe several steps back to say, what are we actually trying to do, and are we reaping the value that we’re intending to get out of what we have. If we’re not, then we should look for this really systemic overhaul of things, and not just try to tweak a little thing here and a little thing there.”
A root cause analysis can be used to strengthen the prevention prong of your best practices compliance program. Thinking of the proper manner to use a root cause analysis, to find facts and not assess blame will take your compliance program to an entirely higher level of proficiency. If the DOJ ever comes knocking you can demonstrate your adherence to the suggestions put forth in the Evaluation in a documented manner.
I find the confusion of Sherlock Holmes and the use of fog as a mood setter an excellent way to think about a root cause analysis. By using a root cause analysis, one can see that the popular perception of Doyle using fog as a story tool is simply not correct. Doyle has many motifs and symbols in his Holmes stories but fog is simply not one he used but a mere handful of times. Even then, in The Adventure of the Bruce-Partington Plans, fog was used only in one scene, to shroud the murderer.
V. Practicing Compliance
I used Hurricane Harvey and the attendant weather-related disasters as a starting point for the lessons to be garnered by the compliance practitioner. I want to end at a place that I began, with a consideration of preparedness. But I want to expand beyond simply having a plan in place to discuss another aspect of preparedness; that is practice. For the compliance professional, one of the lessons from Hurricane Harvey is beyond simply being prepared but also to practice your preparations. While it may seem difficult to prepare for and practice these steps for a 1000-year flood; there some basics you can do like having emergency equipment and preparedness items ready, check they are working, line out your evacuation routes and other basic plans.
This same practice requirement holds true for the compliance professional. You must do more than prepare for a compliance emergency by preparing beforehand but you must also practice that preparedness. Secretary of Defense James Mattis made this clear in his Memo, entitled “Ethical Standards for All Hands”, which was released in August. One of the key lines was “To ensure each of us is ready to do what is right, without hesitation, when ethical dilemmas arise, we must train and prepare ourselves and our subordinates.”
In this sentence Mattis seemed to almost echo the DOJ’s Evaluation around training. In Prong 6 Training and Communication it asks the following question, Form/Content/Effectiveness of Training – Has the training been offered in the form and language appropriate for the intended audience? How has the company measured the effectiveness of the training? Here it seems Mattis is spot on that training must be real world based. In other words, you must practice the components of your compliance program so that when faced with the emergency or even the moment of truth, you will be ready to proceed with the right response.
As to practicing for an emergency, let me point to the Texas owned and based grocer H-E-B which unleashed their emergency response program for the first areas hit by Hurricane Harvey, Aransas Pass and Victoria. According to FreightWays.com, literally less than 24 hours after the eye of the hurricane passed these coastal towns, the company had fully mobilized its Disaster Relief Units (DRUs), “which are fully equipped with an H-E-B Pharmacies and mobile Business Services unit, which allows displaced residents to fill prescriptions, cash checks and pay bills, as well as provide access to an ATM. The H-E-B Mobile Kitchens, two 45‑foot‑long food preparation facilities that are each designed to serve up to 2,500 meals per hour, will set up and serve hot meals to first responders and storm victims. In addition, H-E-B dispatched a team of 100 employees to help assist in helping folks that have been impacted by the storm. H-E-B will be providing dry-ice, bottled water, dry-goods, and medicine.”
H-E-B could marshal and then muster this relief with such a quick turnaround because (1) they had a disaster relief plan in place and (2) they practiced executing it. Is it good business? You bet it is because the consuming public will remember who answered the call for help far before anyone else did or before even state or federal relief began to arrive in the ravaged portions of Texas. In words, it was a business response to an emergency where a business was able to deliver more direct and timely services.
The H-E-B example is but one of many such examples which are playing out in Houston and its surrounding environs now and will for the foreseeable future. Yet the compliance professional can learn from the H-E-B example. As set out by Secretary of Defense Mattis, practice your compliance program, your cultural values and ethics. Give your employees specific training on how to resist the call for a bribe. Provide them with the resources to call upon when they are faced with such an ethical and compliance dilemma. Make sure your organization’s hotline works literally from anywhere in the world by testing it periodically.
For your compliance organization practice taking an emergency call from oversees of major compliance violation. Go through your investigation and notification protocols. When was the last time you updated your contact list for the compliance department; both primary and secondary? How about the same question for senior management, the Compliance or Audit committee and full Board of Directors? How about your key third party sales agents and suppliers? Now do the same for your primary outside counsel investigative firm and make sure they are ready to respond.
This month I begin a new series in my monthly podcast series of one month to a more effective compliance program. In September, I am focusing on innovation in compliance. Sometimes innovation can be the simplest concept; such as practice. So, if you have not practiced using any of your emergency protocols for compliance in some time, I hope you will draw on the experiences of Secretary of Defense and HEB and practice emergency preparedness.
Finally, sit down and take some time to consider the compliance emergencies which could befall your company. Do not wait until your organization appears on the front page of the New York Times (NYT), Wall Street Journal (WSJ) or as in the case of Uber Technologies, you appear in a blog post and are caught unaware of your nefarious corporate actions.
