Star Wars and Compliance - Lessons from the Movies for Compliance Officers

Thomas Fox - Compliance Evangelist

Part I – A New Hope Informs How to Evaluate a Risk Assessment?

This white paper reviews the Star Wars oeuvre to celebrate the upcoming release of the next entry in the Star Wars franchise, Episode VIII - The Last Jedi. Please note that I will only use the first three movies, now known as Episodes IV-VI. So if you are a millennial and the prequels are your Star Wars sorry but you can write about them yourself as the first three are my Star Wars movies. 

It all began with Episode IV - A New Hope. One of the plotlines is that the Galactic Empire has created a Death Star with enough firepower to destroy a planet. The Rebel Alliance is determined to destroy the Death Star and steals a computer program detailing the defensive posture of the Death Star. A computer analysis identifies a weakness in the Death Star’s defensive shield. At one point, the Death Star’s commander, Grand Moff Tarkin, played by Peter Cushing, is told there is a ‘risk’ in the Rebels’ plan of attack. Tarkin dismisses this risk as insignificant. Of course, Luke Skywalker then proceeds to exploit this risk and destroy the Death Star. 

Tarkin’s incorrect assessment of this risk was lethal. Today I want to use this part of the story to introduce the subject of how you evaluate anti-corruption compliance risk under the Foreign Corrupt Practices Act (FCPA) or another anti-corruption regime. Mike Volkov has advised that you should prepare a risk matrix detailing the specific risks you have identified and the relevant mitigating controls. From this you can create a new control or prepare an enhanced control to remediate the gap between a specific risk and its control. One way to do so was explored by Tammy Whitehouse, in an article entitled “Improving Risk Assessments and Audit Operations”, in which she looked at the risk evaluation process used by Timken Company (Timken). 

Once risks are identified, they are then rated according to their significance and likelihood of occurring, and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the audit/monitoring plan, she said. A variety of solutions and tools can be used to manage these risks going forward but the key step is to evaluate and rate these risks. 

LIKELIHOOD

Likelihood Rating | Assessment | Evaluation Criteria
1 | Almost Certain | Highly likely; this event is expected to occur
2 | Likely | Strong possibility that an event will occur and there is sufficient historical incidence to support it
3 | Possible | Event may occur at some point; typically there is a history to support it
4 | Unlikely | Not expected, but there is a slight possibility that it may occur
5 | Rare | Highly unlikely, but may occur in unique circumstances

‘Likelihood’ factors to consider: the existence of controls, written policies and procedures designed to mitigate risk, and the capability of leadership to recognize and prevent a compliance breakdown; compliance failures or near misses; and training and awareness programs.

PRIORITY

Priority Rating | Assessment | Evaluation Criteria
1-2 | Severe | Immediate action is required to address the risk, in addition to inclusion in training and education and audit and monitoring plans
3-4 | High | Should be proactively monitored and mitigated through inclusion in training and education and audit and monitoring plans
5-7 | Significant |
8-14 | Moderate |
15-19 / 20-25 | Low / Trivial | Risks at this level should be monitored but do not necessarily pose any serious threat to the organization at the present time.

Priority Rating: the product of the ‘likelihood’ and significance ratings reflects the significance of a particular risk within the risk universe. It is not a measure of compliance effectiveness, nor a way to compare efforts, controls or programs against peer groups. 

The most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These “Severe” risks become the focus of the audit and monitoring plan going forward. One of the methods used by the compliance group to manage such risk is to provide employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. The company also produces a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it.

A second approach to reviewing the results of a risk assessment was detailed in a Harvard Business Review (HBR) article, entitled “Managing Risks: A New Framework”, by Robert Kaplan and Annette Mikes. The authors separate business risk into three categories: (1) Preventable Risks; (2) Strategy Risks; and (3) External Risks. Companies should tailor their risk management strategies to each category, because what may be an adequate risk management strategy for preventable risks is “wholly inadequate” for the management of strategy or external risks.

Category I: Preventable Risks. These are internal risks, arising from within an organization. The authors believe that “companies should seek to eliminate these risks since they get no strategic benefits for taking them on.” The authors specifically mention anti-corruption and anti-bribery risks as falling in this category. This risk category is best managed through active prevention, both through operational processes and by training employees’ behaviors and decisions towards a stated goal. The control model to manage preventable risks is to develop an integrated culture and compliance model. Such a system would typically consist of a Code of Conduct or Business Ethics, standard operating procedures, internal controls to spell out the requirements and internal audit to test effectiveness. The role of the Compliance Department in managing Category I risks is to coordinate and oversee the compliance program and then revise the program’s controls as needed on an ongoing basis, all the while acting as independent overseers of the risk management function for the business units. 

Category II: Strategy Risks. These are risks that a company may accept in some form because they are “not inherently undesirable.” In other words, a company may be willing to accept some types of risk in this category so that it may increase profits. This category of risk cannot be managed through the rules-based system used for preventable risks; instead, the authors believe that “you need a risk management system designed to reduce the probability that the assumed risks actually materialize and to improve the company’s ability to manage or contain the risk events should they occur.”

The authors listed several specific techniques to use as the control model for strategic risks. These include “interactive discussions about risks to strategic objectives drawing on tools” such as heat maps and key risk indicator scorecards. The Compliance Department’s role here is to run risk management workshops and risk review meetings, usually acting as the “devil’s advocate” to the business units involved. Another key role of the Compliance Department is the marshaling and the delivery of resources allocated to mitigate the strategic risk events identified in this process. Finally, the authors believe that the relationship of the Compliance Department to the business units in managing a Category II strategic risk is to act as “independent facilitators, independent experts or embedded experts.”  

Category III: External Risks. These are risks that arise outside the company’s control and may even be beyond its influence. An example of this type of risk would be a natural disaster or an economic system shutdown, such as a recession or depression. The authors note that as companies cannot prevent such risks, their risk management strategy must focus on identifying the risk beforehand so that the company can mitigate it as much as possible. Recognizing the maxim that ‘you don’t know what you don’t know’, the authors see the control model for Category III risks as “envisioning risks through: tail-risk assessments and stress testing; scenario planning; and war-gaming” with the management team. For Category III risks, the authors believe that the relationship of the Compliance Department to the business units is to either complement the strategy team or to “serve as independent facilitators of envisioning exercises.” 

The authors conclude with a discussion of the leadership challenge in managing risks, which they believe is quite different from managing strategy. The reason is that managers “find it antithetical to their culture to champion processes that identify the risks to strategies they helped to formulate.” Nevertheless, without such preparation, the authors believe that companies will not be able to weather risks that turn into serious storms under the right conditions. They believe that the key element is that the risk management team must have a direct reporting line to senior management because “a company’s ability to weather [risk] storms depends very much on how seriously executives take their risk-management function when the sun is shining and there are no clouds on the horizon.” I could not have said it better myself. 

Whether you utilize one of these approaches or another approach, analyzing the results of your risk assessment is as important as doing the risk assessment. With the recent DOJ remarks around how they will review the effectiveness of compliance programs during an enforcement action to determine potential credit or even granting a declination, the stakes have never been higher. Of course, for Grand Moff Tarkin, his refusal to analyze the risk assessment presented to him was fatal. 

Part II - The Empire Strikes Back and Levels of Due Diligence

Next, we honor Episode V - The Empire Strikes Back, which is my personal favorite of the original three movies. The film begins with a cool battle on the ice planet of Hoth; has some great HR lessons as Darth Vader executes officers for workplace errors; demonstrates some dangers involving ineffective training for Luke Skywalker on the tropical planet of Dagobah, where he travels to learn under the Jedi master Yoda, who utters the immortal line “Try not! Do, or do not. There is no try”; and ends in Cloud City, a floating gas mining colony in the skies of the planet Bespin run by Han Solo’s old buddy, Lando Calrissian. It also has one of the greatest movie lines of all time, thundered by Darth Vader to Luke Skywalker, “I AM YOUR FATHER”, at the end of the film. 

Solo and Calrissian go way back and Solo trusts him. Of course, Solo won his starship, the Millennium Falcon, from him but they are still good friends and this friendship is sorely tested when Vader and his Imperial Troops arrive to entice Luke to come to save his friends and battle Vader, which is where the reveal of fatherhood occurs. 

I thought about these last two points in the context of knowing who you are doing business with under the FCPA or UK Bribery Act. I once heard a company President say he did not need to perform due diligence because he looked a man in the eyes and that was enough to know if he was honest. (I should add, this President also evaluated the strength of a handshake as an additional level of due diligence.) Hopefully we have moved past this level of sophistication for due diligence and the evaluation thereof. 

One of the areas I still receive questions about is the different levels of due diligence. Based upon the information provided by the DOJ over the years, from Deferred Prosecution Agreements (DPAs) to Opinion Releases and enforcement actions, I break due diligence down into three stages: Level I, Level II and Level III. Candice Tal, Founder and Chief Executive Officer (CEO) of Infortal Worldwide, in an article entitled “Deep Level Due Diligence: What You Need to Know”, laid out some of these concepts. 

Level I

First level due diligence typically consists of checking individual names and company names through several hundred Global Watch lists, comprising anti-money laundering (AML), anti-bribery and sanctions lists, coupled with other financial corruption and criminal databases. These global lists create a useful first-level screening tool to detect potential red flags for corrupt activities. It is also a very inexpensive first step in compliance from an investigative viewpoint. This basic Level I due diligence is extremely important for companies to complement their compliance policies and procedures, demonstrating a broad intent to actively comply with international regulatory requirements.

Level II

Level II due diligence supplements Level I due diligence with a deeper screening of international media, typically the major newspapers and periodicals from all countries, plus detailed Internet searches. Such inquiries will often reveal other forms of corruption-related information and may expose undisclosed or hidden information about the company, the third party’s key executives and associated parties. I believe that Level II should also include an in-country database search regarding the third party. Other types of information that you should consider obtaining are: country of domicile and international government records; assessments of the third party from in-country sources; and international derogatory electronic and physical media searches, performed in both English and foreign-language repositories on the third party in its country of domicile. If you are in a specific industry, you should also use technical specialists to obtain information from sector-specific sources.

Level III

This level is the deep dive. It will require an in-country ‘boots-on-the-ground’ investigation and is designed to supply your company “with a comprehensive analysis of all available public records data supplemented with detailed field intelligence to identify known and more importantly unknown conditions. Seasoned investigators who know the local language and are familiar with local politics bring an extra layer of depth assessment to an in-country investigation.” Further, the “Direction of the work and analyzing the resulting data is often critical to a successful outcome; and key to understanding the results both from a technical perspective and understanding what the results mean in plain English. Investigative reports should include actionable recommendations based on clearly defined assumptions or preferably well-developed factual data points.”

But more than simply an investigation of the company, critically including a site visit coupled with onsite interviews, Tal says that some other things you investigate include “an in-depth background check of key executives or principal players. These are not routine employment-type background checks, which are simply designed to confirm existing information; but rather executive due diligence checks designed to investigate hidden, secret or undisclosed information about that individual.” Tal believes that such checks should surface “Reputational information, involvement in other businesses, direct or indirect involvement in other law suits, history of litigious and other lifestyle behaviors which can adversely affect your business, and public perceptions of impropriety, should they be disclosed publicly.”  

You may need to engage a foreign law firm to investigate the third party in its home country to determine the third party’s compliance with its home country’s laws, licensing requirements and regulations. Lastly, and perhaps most importantly, you should use a Level III to look the proposed third party in the eye and get a firm idea of his or her cooperation and attitude towards compliance, as one of the most important inquiries is not legal but based upon the response and cooperation of the third party. Beyond simply determining whether the third party objected to any portion of the due diligence process, or to the scope, coverage or purpose of the FCPA, you can use a Level III to determine whether the third party is willing to stand up under the FCPA and whether you are willing to partner with the third party. 

The Risk Advisory Group created a handy chart of its Level I, II and III approaches to integrity and due diligence. I have found it useful in explaining the different scopes and focuses of the various levels of due diligence.

Level I

Issues Addressed:

  • That the company exists
  • Identities of directors and shareholders
  • Whether such persons are on regulators’ watch lists
  • Signs that such persons are government officials
  • Obvious signs of financial difficulty
  • Signs of involvement in litigation
  • Media reports linking the company to corruption

Scope of Investigation:

  • Company registration and status
  • Registered address
  • Regulators’ watch lists
  • Credit checks
  • Bankruptcy/liquidation proceedings
  • Review accounts and auditors’ comments
  • Litigation search
  • Negative media search

Level II

Issues Addressed (as above with the following additions):

  • Public profile integrity checks
  • Signs of official investigations and/or sanctions from regulatory authorities
  • Other anti-corruption red flags

Scope of Investigation (as above with the following additions):

  • Review and summary of all media and internet references
  • Review and summary of relevant corporate records and litigation filings, including local archives
  • Analysis and cross-referencing of all findings

Level III

Issues Addressed (as above with the following additions):

  • Seeking fuller answers to any questions raised by drawing on a wider range of intelligence sources and/or addressing specific issues of potential concern already identified

Scope of Investigation (as above with the following additions):

  • Enquiries via local sources
  • Enquiries via industry experts
  • Enquiries via western agencies such as embassies or trade promotion bodies
  • Enquiries via sources close to local regulatory agencies

If Han Solo had done a deep dive into his friend Lando Calrissian, he might well have determined that the Empire had arrived at Cloud City before he and his team did. Then again, we might not have heard that seminal line “I AM YOUR FATHER”. 

May the force be with you. 

Part III – Return of the Jedi and Growth in Compliance

Next, we consider Episode VI - Return of the Jedi. In this final movie from the original three, the good guys win in the end after overcoming incredible odds. Many fans and critics panned it for including the incredibly cute and furry Ewoks on the moon named Endor as a part of the storyline. Many thought one very tall Wookiee was enough cuteness for the series. Yet the Ewoks did provide the setup to one of the movie’s best lines. The Ewoks thought one of Luke’s robots, C3PO, was a god. Solo asked him to demonstrate some ‘god-like’ powers, to which C3PO replied, “It is against my programming to impersonate a deity.” 

This movie’s big reveal was that Luke and Princess Leia were twins and that she was now free to unabashedly pursue bad boy Han Solo. While Episode VI was the lowest grossing film of the original three, coming in at only $572MM worldwide, it was still a great ride and visually stunning. George Lucas’ in-house organ, Industrial Light & Magic (IL&M), certainly earned its title for the special effects in the movie. The Sarlacc battle sequence was great, the speeder bike chase on the Endor moon was way cool and the space battle between Rebel and Imperial pilots was a great ride. At the Academy Awards ceremony for movies of that year, Richard Edlund, Dennis Muren, Ken Ralston and Phil Tippett, all from IL&M, received the Oscar for Special Achievement in Visual Effects. 

I thought that the growth in special effects and how IL&M grew was a good introduction to growth in the compliance profession, which I experienced first-hand at the SCCE 2017 Compliance and Ethics Institute (CEI). On the preconference Sunday, I participated in two events, Speed-Networking and Speed-Mentoring, where I met with some compliance professionals who were either new to the field or were one-person compliance shops in their organizations. They were struggling with where to go for resources and support. In speaking with both groups of folks, I tried to drive home a couple of key components of the SCCE 2017 CEI and beyond, which I believe are central to the experience of compliance professionals literally across the world. 

The compliance profession is different from any other corporate profession that I have been a part of or have observed, in two ways. The first is that there are no trade secrets in compliance to protect. The principles of a best practices compliance program are well known. Whether you follow the Ten Hallmarks of an Effective Compliance Program, the Six Principles of Adequate Procedures, the US Sentencing Guidelines or some other recognized standard, every compliance practitioner has access to them. You can always adapt them to your organization. 

The second thing about the compliance profession is that you are never alone. Unlike other corporate functions, where lawyers from major energy companies all in one room might draw the attention of the Department of Justice (DOJ) Anti-Trust division, the compliance function is well known for its collaborativeness. A compliance professional can pick up the phone and call another compliance professional who has faced the same or a similar situation. Even if this first level of contact does not have the experience required, there will be someone in the concentric circles outward who has faced the same dilemma. 

For a new compliance professional, the most expeditious thing to do is join your local ethics and compliance organization. For Houston, that is the Greater Houston Business and Ethics Roundtable (GHBER). From the national perspective, the largest organization by far is the SCCE. Membership not only gives you access to a wide range of conferences, resources and tutorials but also membership in a diverse group of like-minded professionals. 

Jay Rosen and I were joined by Louis Sapirman, Chief Compliance Officer (CCO) at Dun & Bradstreet, Inc. (DNB), to record our first live podcast of This Week in FCPA. The recording can be found on my Facebook feed and I will post the audio portion as a podcast later this week. Both spoke expressively not only about what they saw at the event but also about how this conference allowed them both the opportunity to give back to the profession of which they have both been a part for several years. It was an eloquent testament to the character of those in the compliance profession.

My thought to the compliance professional out there is that you are not alone. All you have to do is reach out and there will be someone there to answer your question. I met a female compliance professional from the Midwest who was looking for a female compliance mentor in the Chicago area. I later saw one of my good friends who fits that bill to the letter. I asked her if she would be willing to mentor the woman and she immediately responded yes. 

Her response speaks directly to what makes the compliance profession so unique. Immediate outreach followed by immediate acceptance. Compliance professionals are always willing to help other compliance professionals. This is very different from the mental makeup of the corporate legal department which circles the wagons to fulfill its role to protect the corporation. 

The evening’s event was a tailgate held in the section of the conference where the vendors are located. People were encouraged to wear shirts from their favorite teams and many of us did. Presaging the Astros World Series championship, my Astros jersey was well received. But more than using sports favorites to break the ice, the event held more importance for the compliance profession. Unlike at many other conferences, at SCCE vendors are viewed as part of the solution to compliance. Many vendors now gear their marketing efforts around the CEI and will announce new products or service offerings at the conference. This makes it a quite exciting time, with many innovative practices appearing on the compliance scene. 

It does not matter what your length of time in the compliance profession might be. The SCCE has a place for you. If you are a newbie or will attend a Compliance and Ethics Institute for the first time next year, take advantage of the Speed-Mentoring. Not only will you meet some great new colleagues but you will most probably teach me something.

Part IV - Disruption Innovation in Compliance

Next, I return to the original Star Wars movie entry, Episode IV - A New Hope. I do not think I can say too much about the movie, which has not been already said or written, but it is still one of my all-time favorites. It still resonates with me and I still watch it more than occasionally. When it came out in 1977, my father remarked, with great prescience, that it would change the way movies are made and seen. In short, it would change everything about the Hollywood movie-making business model. I think he was referring to the use of special effects but his statement had more than a ring of Carnac the Magnificent. 

It is this disruptive nature of the Star Wars franchise that I will focus on today as it relates to FCPA compliance. One of the key things the DOJ has communicated over the past few months is the importance of doing compliance rather than having a paper compliance program in place. In her remarks while she was DOJ Compliance Counsel, and consistently thereafter, Hui Chen has emphasized that it is operationalizing compliance which demonstrates that a company has a best practices compliance program in place in the context of an FCPA enforcement action. 

All of this was driven home in an article I read in the Harvard Business Review (HBR), entitled “Disruptive Innovation?”, by Clayton M. Christensen, Michael E. Raynor and Rory McDonald. The authors were concerned that much of the commentary around the phrase ‘disruptive innovation’ was “in danger of losing their usefulness because they’ve become misunderstood and misapplied.” To answer this critique, the authors revisited the central tenets of the theory and how it had developed over the past 20 years. In doing so they detailed three key elements of disruption theory, which I have adapted to the compliance context. 

The first is that compliance is a process. While this may seem about the most self-evident statement one can make, as late as last week I was contacted by someone who wanted an ‘off the shelf’ compliance package. They wanted me to do a couple of interviews of senior management, and then they would put in some canned software program so they could claim they had a compliance program. 

This attitude demonstrates the continuing battle the DOJ and Securities and Exchange Commission (SEC) face when communicating their expectations around compliance programs. Compliance programs should evolve as business risks change. Just as disruptive innovation tends to focus on process, your compliance program should focus on your overall business process to be successful. 

The second key point is that Compliance 3.0 is very different from the compliance programs of the past decade. As compliance programs have matured and absorbed the structural changes brought about by the Compliance 2.0 model, as articulated by Donna Boehme and others, we have now moved on to Compliance 3.0, where compliance is put into the fabric of an organization. The compliance function is moving from a solutions shop, where all compliance functions are centered in the legal or compliance department, to a process function, where the front-line business team can use technology and other tools to operationalize compliance. DOJ Compliance Counsel spoke to this concept in her recent remarks around how well a company would operationalize compliance by having the business functions provide input to compliance around appropriate internal controls. The authors point to new business models as disruptive, and I think this concept translates into how compliance can be burned into the DNA of an organization rather than simply sitting in the corporate office in the US. 

The third point is that not all disruptive innovations succeed. Here the authors write that disruption is only one step in both the creative and growth process. Throughout their article, they discuss Uber in the context of a disruptive business. However, Uber uses the smart phone platform, coupled with a superior rider experience as a part of its business model. For the compliance practitioner, I think the key concept is what SCCE President Roy Snell says are the three goals of any compliance program; to prevent, find and fix issues. You could also plug in here McNulty’s Maxims (What did you do to prevent it? What did you do to detect it? What did you do after you found out about it?).

This is why any successful compliance program should have multiple levels of oversight built into it. If something does slip through, a level of oversight should be in place to review it and hopefully prevent it. Consider BHP Billiton’s FCPA enforcement action. It involved gifts, travel and entertainment around the 2008 Beijing Olympics. The issue was not that foreign officials were feted at the event. The issue that got the company into trouble was that it did not perform proper oversight over its carefully crafted program. A similar issue was seen in the Lilly FCPA enforcement action, where charitable donations were approved by an oversight committee without any substantive review and distributor commission rates were approved outside the standard range without appropriate review. 

Disruptive innovation has come to the compliance arena. One of the best examples is Louis Sapirman, the Chief Compliance Officer at Dun & Bradstreet, who has incorporated not only social media tools but also the concepts of two-way communication into his company’s compliance program. As many compliance practitioners are lawyers, we are naturally hesitant to embrace such change; however, I think the pronouncements of the DOJ this year have made even clearer the need for continued evolution of anti-corruption compliance going forward. 

I hope you have had some fun reading about or listening to some of the compliance lessons that I have put forth using Star Wars as the focal point. With the upcoming release of Episode VIII - The Last Jedi, we come to a close in the first full cycle of entertainment which sprang from the head of George Lucas and has thrilled us for 40 years now. With the release of Episode VII - The Force Awakens the saga will continue. 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Thomas Fox - Compliance Evangelist
