On August 8, 2010, the chairman of China North East Petroleum’s audit committee, Robert Bruce, tendered his “noisy resignation” from the company’s board of directors. Mr. Bruce resigned because the board’s chairman, Edward Rule, had days earlier declined Mr. Bruce’s request that the company investigate potential violations of the Foreign Corrupt Practices Act (“FCPA”). In denying Mr. Bruce’s request, Mr. Rule reasoned that, among other things, such an investigation “could last as long as a full year and cost the Company as much as several millions of dollars” and could even lead to the delisting of the company from the stock exchanges. Mr. Rule ended his letter by noting that “the course of action you recommend that the Board pursue seems at odds with the prudent discharge of duties to the shareholders.”1 Chairman Rule’s refusal to investigate possible FCPA violations, whether or not warranted under the circumstances, squarely raises the issue of an independent director’s role in FCPA compliance.
There is no doubt that a board has a role to play—in fact, a duty under law and critical government policies to discharge—with respect to FCPA compliance. The Federal Sentencing Guidelines, for example, state that a board must be knowledgeable about the content and operation of the company’s compliance program and must “exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.”2 Likewise, the Department of Justice’s prosecution guidelines consider whether the board exercises independent review of the compliance program and whether the board is provided with information sufficient to enable the exercise of independent judgment.3 Directors have similar oversight “Caremark” duties arising under case law, 4 and various other sources, such as stock exchange rules, Sarbanes- Oxley, and audit committee charters.5
To be sure, although not in the context of the FCPA, the SEC has recently sued an independent director for failing to adequately discharge oversight responsibilities.6 And directors of companies with FCPA problems frequently find themselves named as defendants in shareholder derivative actions.7 Finally, if the worst happens, the FCPA prohibits companies from indemnifying directors for fines assessed for violations of the FCPA,8 and insurance will not usually be available to cover such fines. In short, there is no doubt that directors are well-advised to closely oversee FCPA compliance. To that end, what follows below are 10 key questions that every director should ask about FCPA compliance.
1. Do We Set and Communicate the Right “Tone at the Top ”?
The Guidelines provide that, as part of an effective compliance program, an organization “shall … otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”9 Indeed, “[t] he effectiveness of internal controls cannot rise above the integrity and ethical values of the people who create, administer and monitor them.”10 Consequently, at a minimum, the health of a company’s compliance culture is judged by (a) whether the organization explicitly encourages ethical conduct and compliance with the law; (b) whether management “buys in” to the requirement of ethical conduct, thus creating an appropriate “corporate culture”; and (c) whether management reinforces the company’s proper corporate culture by enforcing compliance with appropriate standards of behavior.11
Minimally, directors should not tolerate upper management who fail to themselves act ethically—whether in the context of the FCPA or otherwise. Directors should thoroughly understand senior management’s efforts to frequently discuss company values and ethics; discuss, guide, and empower middle management to resolve ethical dilemmas; and make clear to all levels of management that ethical performance is being watched as closely as financial performance.
2. Do We Effectively Assess Our FCPA Risk?
A primary component of any effective compliance program is risk assessment. Generally, an appropriate risk assessment consists of setting objectives, identifying risks, and analyzing those risks and the performance of related controls.12 FCPA risk assessment in particular requires that a company, at a minimum, give thought to several specific questions.
First, the company must consider where it does business. A company that is pursuing business in Nigeria or Afghanistan, for example, must view compliance through a different lens than a company pursuing business in a country with a lower corruption risk. Second, the company must consider with whom it does business. A company that seeks business from a foreign government, or an entity in which a foreign government has some interest, triggers increased FCPA concerns. Third, a company must consider how it does business. A company that uses sales agents or other third parties, for example, introduces an additional level of risk that it must be prepared to address. Directors should understand how the company adequately addresses and documents these issues as part of its FCPA compliance program.
3. Do We Have Effective Standards, Policies, and Processes to Address Those Risks?
It is crucial to have written standards, policies, and procedures to guide employees and agents. In the context of the FCPA, this usually means, at a minimum, that a company have a written code of conduct that reinforces the core ethical values of the company. Most companies also benefit from having a specific FCPA policy that is clearly written, regularly updated, and tailored to actual operating risks. A sound FCPA policy explains the law (including applicable local laws) and generally provides guidance on permissible behavior. Such a policy will also provide guidelines for other sensitive FCPA areas, such as facilitating payments, gift giving, travel and entertainment, and charitable and political contributions. Furthermore, although receiving less publicity than the
anti-bribery provisions, the FCPA also contains accounting provisions that require companies to maintain accurate books and records and implement internal controls. A company must implement specific anti-corruption controls and cannot merely rely on its existing Sarbanes-Oxley § 404 controls because, unlike § 404, the FCPA does not have a materiality threshold. A focus only on material dollar amounts can easily overlook potential FCPA issues. Even small bribes can result in the award of large amounts of business and potentially huge penalties.13 Furthermore, typical Sarbanes-Oxley § 404 controls simply may not catch many types of even material corrupt payments. For example, a corrupt charitable contribution or political donation may be duly processed through accounts payable with the required documentation and authorizations. Companies need specific anti-corruption controls.
4. Do We Adequately Communicate and Train on FCPA Standards, Policies, and Processes?
The Principles of Federal Prosecution of Business Organizations expressly contemplate that prosecutors should “attempt to determine whether a corporation’s compliance program is merely a ‘paper program’ or whether it was designed and implemented in an effective manner.”14 To illustrate that principle, one need only to look to the Siemens case where, even though Siemens had FCPA and other anti-corruption policies, the government charged it with having only a “paper program” that it failed to implement. Siemens has, as a result, paid $1.6 billion in FCPA penalties to various authorities.15
Accordingly, directors should inquire as to which persons receive training with an eye toward the risk assessment. A sound compliance training program will inevitably recognize that many areas of the company besides just the sales force have a role in FCPA compliance; for example, employees involved in the accounts payable function. The risk assessment may likewise compel that the company train some third parties, agents, or consultants. It is also important that the “trainers” are qualified, and that the content of the training is appropriately tailored to the job function and the risks specific to the particular audience being trained. One size may not fit all. The goal of any FCPA training program is not to create an army of FCPA experts, but to ensure that each employee has sufficient background to be able to identify and report “red flags” within their areas of responsibility.
5. How Do We Know that Our Training Is Effective?
Part and parcel of adequately communicating and training on company policies and processes is assessing the effectiveness of the training. At a minimum, a meaningful training assessment includes a “quiz” during or at the end of the training that is “graded” to ensure that the employee has learned at the least the required concepts. The results of such grades also provide important feedback regarding the content of the training materials and where the training needs to be clarified or improved. Many vendors are available to assist in FCPA training and assessment.
6. What Incentives Do We Provide for Compliance and Disincentives for Noncompliance ?
To create a proper corporate culture, management must take appropriate remedial action in response to departures from approved policies and procedures.16 Likewise, employees should be given incentives to perform in accordance with the compliance and ethics program. In short, good enforcement of compliance requires both the “carrot” and the “stick.”
Companies should create explicit links between good behavior and compensation. Compliance with corporate policies and ethical behavior should, at a minimum, factor into employee performance evaluations. Although it raises tricky questions of corporate culture, companies may consider offering incentives to employees who report unethical behavior— especially now that new “whistleblower” provisions in the Dodd–Frank Wall Street Reform and Consumer Protection Act incentivize employees to report compliance issues externally to the government.
On the other side of the coin, the Federal Sentencing Guidelines reinforce that “[a]dequate discipline of individuals responsible for an offense is a necessary component of enforcement.”17 More to the point, however the message gets delivered, employees must believe that if caught violating behavioral standards, they will suffer consequences.
7. How Do We Monitor and Audit to Detect Improper Conduct?
The Guidelines state that a company shall take reasonable steps “to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct.”18 Monitoring and auditing is also critical to the Board’s discharge of its duties under Delaware law to oversee the implementation of an effective compliance program.19
It is helpful to appreciate the difference between “monitoring” and “auditing.” Monitoring is a different type of control process than auditing. Monitoring is an ongoing activity frequently embedded directly into controls or systems. Monitoring can include regular management and supervisory activities such as worksite and document inspections, and supervisor and employee interviews. Audit-style testing can be included in monitoring. Auditing in general, however, is much less frequent and more focused on back-testing of compliance with requirements remote in time from the actual operation of the underlying control process.20 Both are key aspects of an effective compliance program.
8. Does the Compliance Officer Have Adequate “Clout,” Resources, and Independence?
The 2010 amendments to the Guidelines provide that the compliance officer must be given “direct access to the governing authority or an appropriate subgroup of the governing authority.”21 There is some debate surrounding whether this provision of the Guidelines requires the compliance officer to report directly to the board or whether the compliance officer must merely have access to the board. In all events, the compliance officer should meet with the board at least annually and also annually meet with the independent directors in executive sessions.
Less controversial, the compliance officer must be given “adequate resources” and “appropriate authority” to perform his compliance duties. This means that the compliance function must have personnel and financial resources commensurate with the company’s size and risk profile. If portions of the compliance function are delegated to other areas of the company (often Legal or Human Resources), the company should formally memorialize that delegation of authority in writing to avoid miscommunication about who is responsible for what. Likewise, it is beneficial for the compliance officer to have a written job description that expressly states the officer’s authority with respect to compliance at the company.
9. How Do We Review the Effectiveness of Our Compliance Program ?
What can be measured can be controlled. Regular evaluations of program effectiveness are essential to ensuring the completeness and success of a compliance program. Thus, the Sentencing Guidelines state that an “organization shall take reasonable steps … to evaluate periodically the effectiveness of the organization’s compliance and ethics program.”22 Corporate compliance evaluation mechanisms can take many forms, including monitoring, auditing, self‑assessments, independent assessments and other systems to periodically “measure results and understand what is happening in the organization.”23 The characteristics of an organization’s evaluation efforts should be linked to a company’s risk assessment, as well as the size and breadth of the organization.
Some of the relevant effectiveness indicators that can be tracked include: the number of policies promulgated or revised; the number of third parties that have passed or failed the FCPA vetting process; “tone at the top” information such as the number of “ town hall” meetings conducted on compliance issues; the tracking of implementation of audit recommendations; employee discipline statistics; employee complaints and questions related to compliance; or the amount of compliance-related training conducted. Directors should understand the effectiveness measures—not just “activity measures”—of the program.
10. When We Find a Problem, Do We Ensure that an Independent and Thorough Investigation Is Done ?
The amendments to the Federal Sentencing Guidelines provide that a meaningful compliance program requires, among other things, that when criminal conduct is detected, the company implement “reasonable steps to respond appropriately … to prevent further similar criminal conduct.”24 Further, Sarbanes-Oxley § 301 requires that the audit committee be notified of complaints related to accounting, internal accounting controls, or auditing matters.25 As such, when confronted with a potential FCPA problem, it is imperative that a company appropriately investigate the complaint and consider whether to report to the audit committee.
It remains to be seen whether China North East Petroleum will be able to convince the authorities that it acted properly in refusing to investigate potential FCPA violations. Certainly, Siemens and countless other companies have been burned by their failure to investigate red flags.26 Furthermore, the DOJ and the SEC have both recently put senior executives personally in the crosshairs for failing to investigate FCPA red flags.27 And, as mentioned above, the SEC has recently shown a willingness to target independent directors for failing to adequately discharge their duties as a board member. In short, directors should satisfy themselves that when potential FCPA issues surface, an independent and adequate investigation is conducted and problems are thoroughly addressed.
FCPA-related prosecutions, enforcement actions, and private lawsuits are increasingly in the headlines. By some projections, by the end of 2010, the SEC and DOJ will levy $3 billion in fines and penalties and prosecute dozens of individuals. Companies need to minimize the risk associated with the FCPA by implementing strong compliance programs, and the board of directors is a key player in that process. To minimize the risk to their companies and themselves, directors need to exercise reasonable oversight with respect to the implementation and effectiveness of their company’s FCPA compliance program, including asking the “right” questions.