M*A*S*H and Triage in Your FCPA Investigation Protocol

by Thomas Fox

One of the things that I learned from the television series M*A*S*H was the need for triage. In the hospital setting, triage is the process of determining the priority of patients’ treatments based on the severity of their condition. At the Dow Jones Global Compliance Symposium, there were a couple of panels which discussed the need for triage in your compliance program around issues that are reported through a company’s internal reporting mechanism.

Given the number of ways that information about violations or potential violations of the Foreign Corrupt Practices Act (FCPA) can be communicated to the Department of Justice (DOJ), having a robust triage system is an important way that a company can separate the wheat from the chaff and bring the right number of resources to bear on a FCPA problem. Kevin O’Connor, Vice President (VP) for Global Compliance, United Technologies Corp, said that this is important in making an initial determination of whether to bring in outside counsel to head up an investigation. It is also important in a determination of the resources that you may want or need to commit to a problem. Ty Cobb, a partner at Hogan Lovells, put it this way: “How much information do you need to know before you go to outside counsel? Quite a bit.” Another panelist, Jamie Gorelick, partner at WilmerHale, put it in a different manner when she said “you have to kick the tires” so that you know the circumstances in front of you before you make the decision to go to outside counsel.

But even if you kick the tires and determine that you do need to involve outside counsel, there are still ways in which a corporation can work to control the costs of a FCPA investigation. O’Connor said that United Technologies is able to keep the costs down by having a very robust team of investigators embedded in many departments across the company, outside of the compliance function. O’Connor said that these employees come from employment and professional backgrounds which trained them in the basics of investigations. Many of these United Technologies employees come from law enforcement, but there are other professions such as national security, foreign service, the intelligence community, human resources and others.

O’Connor said that the key is to hire people with a background and prior training in investigations. These investigators receive FCPA and other compliance training while at United Technologies so that if a major incident arises they can be used to supplement outside counsel personnel who may lead an investigation. In this way, United Technologies is able to keep outside counsel from sending lawyers all over the world and thereby running up the costs of a FCPA investigation. This concept was put another way by another panelist, David Yawman, Senior Vice President & Chief Compliance and Ethics Officer, PepsiCo Inc., who said that he “wants to be building sprinkler systems and not fighting fires”. He explained this meant that he wants to have trained personnel available to him, who can have their primary function outside the compliance group but can be called upon as needed in such a FCPA investigation.

On another panel, Paul McNulty, partner at Baker & McKenzie LLP, explained that he believed it would be important for a company’s regular outside counsel to partner more with the entity as a way to help hold down costs. McNulty explained that a law firm could work to help put on the additional FCPA and compliance focused training that O’Connor discussed on a more regular and ongoing basis. This partnership relationship would allow the law firm to have confidence that the company’s investigators could handle a large or wide-ranging FCPA investigation. This confidence would help outside counsel in any discussions they might have with the DOJ during the pendency of a FCPA investigation.

McNulty was asked how to help keep costs from reaching the ‘ridiculous’ level. He also mentioned that a company needs to initially scope any FCPA allegation which may arise through a company’s internal reporting mechanism or other manner. But he said another step is to develop a reasonable investigation plan. This can be particularly important if you self-disclose to the DOJ. You will need to go into the DOJ and present your investigation plan, so McNulty suggested that an early discussion with the government on the scope of the investigation is critical.

Panelist Gorelick stressed that you should engage the DOJ to show not only the scope of your investigation but that it can be limited so that you do not face the dreaded ‘where else’ question. You should develop a logical plan with the nexus to the facts. However, she emphasized that you must have credibility with the government that not only will your investigation be robust but that the facts you have determined in your initial triage are a reasonable interpretation.

I found it very useful that there was a discussion relating to costs of a FCPA investigation that extended over two panels at the conference. Both in-house and outside counsel presented concrete and achievable solutions that can be implemented to help contain costs. But the key is to be prepared, not only in terms of having your investigation and notification protocols in place before the FCPA allegation comes in but also doing the proper triage so that you have an initial understanding of what you may be facing.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Thomas Fox, Compliance Evangelist | Attorney Advertising
