May 28, 2010

Three Things I Know

There aren’t too many weeks in the year that I’m not out speaking somewhere on the importance of integrity in the workplace or sharing benchmark and other statistical data on the risks faced by organizations around the world. These past two weeks were no exception. On May 17th, I traveled to London to attend the Society of Corporate Compliance and Ethics’ (SCCE) conference on “Managing Third Party Anti-Corruption, Compliance and Ethics Risk.” And this past Monday, EthicsPoint hosted a breakfast on the recently passed UK Bribery Act in which we were extremely fortunate to have Vivian Robinson of England’s Serious Fraud Office and Neill Blundell, a partner with Eversheds, as additional speakers. The event had an incredible turnout of over 100 senior executives from the London area.

Lately, I have been beginning my speaking engagements with the “three things I know.” The first thing I know is that the level of regulations and regulatory pressure on organizations around the world is constantly increasing. The second is that this constant influx of new rules, laws and guidelines makes it very difficult for a multi-national firm because many of these requirements are in conflict. For example, Sarbanes-Oxley requires any company listed on a US stock exchange to have an anonymous whistleblowing mechanism for reporting misconduct. However, these types of systems are illegal in Spain and Portugal - this is just one example and unfortunately there are many, many more. The third thing I know is that every regulatory agency has shifted its focus from writing these guidelines to enforcing them with a vengeance - the monetary fines associated with regulatory non-compliance are often upwards of hundreds of millions and can even include jail time for culpable individuals.

This April, the United Kingdom passed the Bribery Act. While it is similar to the Foreign Corrupt Practices Act (FCPA) in the United States, it differs in its jurisdictional reach and in its view of facilitation payments, which are legal under the FCPA but are considered bribery under the Bribery Act. This presents a significant conflict between these two Acts.

While addressing the audience in London, I couldn’t help but think it was 2002 all over again, when we were just learning about the potential impact of SOX and the mountain of undefined work ahead of us. Based on the very broad jurisdictional reach of the Bribery Act, a UK company, as well as any non-UK company that conducts business in the country, will fall under the scrutiny of the Serious Fraud Office – this provision certainly provides for a great deal of anxiety for obvious reasons.

I had the opportunity to have lunch with Neill following the session and he told me that his multinational clients, especially those from the US, had no real fear of the Bribery Act. This lack of alarm may stem from the fact that companies have become desensitized by the onslaught of regulatory pressures and view the Bribery Act as just one more requirement. On the other hand, the Brits, who have never seen such enforcement, do indeed harbor serious fear, uncertainty and doubt (FUD). The FUD surrounding Sarbanes generated three years of “full employment and empowerment for all US legal and accounting firms” - no doubt it will have a similar effect in the UK.

In 2004, I had the privilege to work with some very bright and dedicated people while helping to craft the original Open Compliance and Ethics Group (OCEG) Red Book guidelines for Sarbanes compliance. I therefore feel I have a solid understanding of what needs to occur in the UK. I have tried to boil it down and I am in the process of completing a white paper on the “Ten Simple Steps to UK Bribery Act Compliance.”

These 10 simplified steps are as follows:

1. Assign an individual the authority and responsibility to understand and address the requirements of the Bribery Act and if/how they apply to your organization

2. Assess and prioritize your risks

a. Look for potential impact areas and stakeholders
b. Devise your organization’s “risk profile” and understand how to apply your organization’s unique sensitivities to risk

3. Create, gain approval and communicate your strategy for reacting to these risks

4. Review, revise or create a Code of Conduct that includes all salient requirements of the risk and regulatory requirements your organization faces

a. Build a separate code specifically for vendors, suppliers and agents
b. Don’t overlook the impact of reputational risk when crafting a Code of Conduct

5. Review, revise and train to the policies, procedures and guidelines that support the principles contained in your Code of Conduct

6. Ensure you have a proven and effective means for gaining stakeholder feedback

a. Track “open door policy” communication
b. Create an “alert criteria” for exit interviews
c. Have a publicized and visible “whistleblowing” system

7. Workflow Consistency is the key to the Serious Fraud Office’s satisfaction with your solution

a. Triage all reports according to the same check list
b. Investigate reports of misconduct following a standard workflow
c. Ensure resolution and adjudication is consistent across your geographies
d. Have a system to audit and monitor all the above

8. Create or extend your internal controls to ensure compliance with policies, procedures and guidelines that support the Act

9. Report regularly on the status and impact of your compliance solution

a. Develop incident and trending reports
b. Foster Board of Director access and awareness
c. Publish sanitized reports of misconduct as training aids to your stakeholders

10. Review all of these processes at least once a year and refine any and all that can be improved or enhanced

These steps are merely the product of my experience and are an extrapolation of the Seven Essential Elements found in Chapter 8 of the US Federal Sentencing Guidelines and the OECD Guidelines for Multinational Enterprises. Since 1991, the US Sentencing Commission has worked to revise these guidelines and provide organizations an instruction manual to help mitigate the risk of prosecution. These guidelines were revised in 2003 and 2007 and are currently under review for revision once again in 2010. Our friends across the pond will do well to study these “essential elements” and learn from the mistakes we made formulating a strategy of compliance.

May 17, 2010

The UK Bribery Act

I’ve been on an airplane quite a bit these past few weeks and this last week was no exception. The Conference Board of Canada was kind enough to invite me to address their Corporate Ethics Membership Council in Vancouver and on my return flight I was able to catch up on some reading. We have a few analysts on our EthicsPoint team and one supports me by looking at hundreds of websites and blogs that address trends in our industry and passing on the most important or informative of these for my review.

In all honesty, it is a necessity. I couldn’t possibly do what I do without Bryan keeping me “in the know” with information from a variety of sources. I read hundreds of pages a week on new developments which means that he must read thousands. (Note to self: remember to say thank you more often.)

Looking through this week’s folder, I found a tremendous amount of detail surrounding the new UK Bribery Act. The Bribery Act is the companion regulation, if you will, to the United States’ 33-year-old Foreign Corrupt Practices Act (FCPA). The Bribery Act has not yet been fully promulgated by England’s Secretary of State, but the handwriting is clearly on the wall.

The Bribery Act extends its reach far beyond the FCPA and as it is currently written should send shivers down the spine of every multinational company with operations or sales in the United Kingdom. It does not just deal with corporations, it also empowers the Serious Fraud Office to set fines and demand jail time for individuals associated with answerable organizations, corporate managers & officers and even board directors. Like the FCPA, the Bribery Act also makes organizations responsible for the actions of their vendors, suppliers and agents.

However, the Bribery Act goes further than the FCPA in other areas as well, such as rejecting facilitation payments as acceptable behavior; it will be important to watch how this conflict of opinion plays out. Facilitation payments are payments for services or positioning to which you are entitled. For example, suppose your passport has expired and you need to travel immediately. You can fly to a passport office and stand in line to get an expedited passport, or you can overnight your information and pay $300 to a “facilitator” who will immediately furnish the passport you were entitled to receive. Under the FCPA, this type of payment is fine, but the Bribery Act deems it bribery.

The territorial reach of the Bribery Act is also broader than that of the FCPA. The US Department of Justice’s (DOJ) involvement is somewhat restricted and requires local cooperation. However, under the Bribery Act, even if a company “conducts business” in the UK, the Serious Fraud Office (SFO) has the jurisdiction to take a primary position in punishing organizations for misconduct.

As concerning as this jurisdictional reach may be, I began to realize that the typical fines imposed as a result of a bribery violation are ‘chump change’ when compared to the other related costs. For example, Daimler paid a combined $185 million fine for bribery and improper influence. A tidy sum, but they reportedly paid over $400 million in additional legal and accounting support. This realization was an inflection point for me. It isn’t just the fines but also the related costs and business distractions associated with these types of violations that organizations should be concerned about.

To make matters worse, just as we saw with Sections 404 and 302 within the Sarbanes-Oxley Act, the oppressive fines, fees and reprioritization of management time do not discriminate between small to mid-sized businesses and larger corporations. Therefore, the 3 to 4 times expense ratio for legal and accounting fees to support the actual fine amount is the norm. This total magnitude is far more impactful and injurious to a small organization when you consider it as a percentage of EBIT.

There is hope, however. The Bribery Act and FCPA are mandates that can be mitigated, but it takes an acute understanding of the risks associated with the individual organization, a demonstrated plan of action to minimize these risks and an audit trail that the organization is walking the talk. The Federal Sentencing Guidelines established a direct link between the ‘Seven Essential Elements’ contained within Chapter Eight of the Guidelines and mitigation. I have long been both a student and believer of these seven elements and the mitigation value they hold for organizations.

This is a big proactive bill to fill (pun intended), but when you consider the financial and reputational consequences and damages, it is the most cost effective and prudent position for an organization to take.

What do you think?

About Me

David Childers
of EthicsPoint
