By: Rebekah J. Poston/Squire Sanders & Lamar Casparis/Fitts Roberts & Co. PC
Nov/Dec 2011
You are operating in emerging markets and have read our first two articles about the Foreign Corrupt Practices Act (FCPA). You are convinced that compliance is a good thing and you want to make sure you are “doing the right thing” and can demonstrate that to others. Now what?
The following will provide you with a general road map toward building a compliance model within your organization and then demonstrating that your compliance model is effective and working as prescribed. Having an effective compliance model will serve you well should the Department of Justice (DOJ) ever come calling. Compliance work is initially expensive, but well worth the effort in the long run. It can be tedious and detailed so don’t let the simplicity of the discussion lead you to believe that it’s not. This discussion is meant to be an introduction to the process, so consider it a high level discussion that focuses on the following five goals: (1) Risk recognition and assessment; (2) Risk measurement and mitigation; (3) Avoidance of civil and criminal penalties; (4) Cost savings; and (5) Seamless approach to compliance.
Risk recognition and assessment
The first step is determining your current level of compliance with a general assessment and development of a risk profile. This effort involves discussions with C-Suite officers, key stakeholders, corporate counsel and product line officers. You want people involved who understand the potential for risk and who understand the actual activity in the field. The goal is to discover the potential for violations of any compliance code you want to test. It can be as broad or as focused as you like, but should be broad enough to expose the full range of the business model (everything you do) to the alignment objective (the code to which you want to adhere). This is where the team learns your business model and compares it to the requirements of the particular code(s) that it may touch. It’s only by this discovery and recognition activity that you can assess whether your business model conforms to the applicable code(s).
Understand the assessment can involve business activities not usually considered international. For example, giving a citizen from a country banned by the Trading with the Enemy Act (TWTEA) access to certain software applications can be considered a “deemed export” of that software and in violation of the TWTEA. So it’s important for the team to understand the full range of your business model even though it doesn’t appear to be international. Don’t hold anything back. One key to a successful engagement is for your assessment team to be fully versed with the business model you want to assess for compliance. It’s only with that grounding that they will be able to provide you the most accurate results.
This part of the compliance process can also be referenced as the design phase of your compliance model so it’s important to get the design right! This is also where the possibility of the risk is determined. Some risk can be eliminated in this phase by a small change in the business model, but other risks cannot. By comparing the current business model elements to expected elements, the team can determine whether there are gaps in your existing compliance model and determine if your corporate policies, chain of command, communication methods and corporate training are effective in addressing risk. If found lacking, the compliance team can help you draft, amend and implement policies and procedures to close discovered gaps. They can also assist in communicating and implementing geographically and culturally appropriate compliance procedures and behavior.
Risk measurement and mitigation
Measuring your risk is closely related to the recognition and assessment activities except that in this phase you have determined that you can’t eliminate the activity causing exposure to a compliance failure. So the focus changes to measuring the extent of the identified risks by classifying them according to the product of their occurrence probability using a numerical scale and the effect that a failure would have on the business (also a numerical scale). The resulting matrix is a blended result of the two subjective measures that enables a triage of the identified at risk business activities. Many refer to the presentation as a heat map because the items having the highest product are generally shown in red (hottest) while those having the lowest product are shown in green (cooler) and the results are used as a tool (map) for moving forward with solutions in the most critical areas. See Figure 1.
This process also helps better define the level and type of risk identified, a side benefit. Often properly defining the problem leads to an obvious solution, so the goal here is to quantify the at-risk behavior, triage the findings and address them in order of urgency.
Figure 1.
Avoidance of civil and criminal penalties
Of course you want to avoid civil and criminal penalties, but have you been acting like you want to avoid them? You may not realize that civil and criminal penalties are often decided by examining the underlying compliance profile of the business before and after the event and whether the response was appropriate once it was discovered. If the business was lax about its compliance efforts and had little more than window dressing as a compliance model, one can bet the penalties will be significant. If the business had a robust compliance model with a strong tone at the top, an effective audit committee and compliance officer, a good compliance communication infrastructure, effective coaching, guidance, training, and an employee hotline coupled with a speedy and effective response to the event, one might expect lower penalties or possibly none. The key to avoiding civil and criminal penalties is simple: build a strong and effective compliance program that monitors and quickly and effectively responds to any notice, or suspicion, of compliance failure. That effort starts with proper legal guidance, compliance assessment, program development and monitoring.
Be prepared to identify your C-Suite Leadership regardless of your business size. Organizations are led by the “tone at the top” so that becomes critical. Work with counsel to develop an effective compliance policy that both states and demonstrates your commitment to organizational compliance. Move the policies forward by communicating them to all the stakeholders in the business, particularly those managers with the ability to recognize and stop behavior leading to compliance failure. Support those front line managers with sufficient tools to deliver the required results. Make sure they are regularly trained, empowered and rewarded for delivering compliance results. Make sure your compliance model is sensitive to the geography and culture within which you want it to operate. Some cultures are comfortable with business models that are contrary to the laws under which you operate. You will need to be effective, yet patient, with your training, implementation and monitoring.
Prepare to be responsive to any knowledge of compliance failure by having an investigation plan of action. You will have 120 days to fully investigate any prospective failure so have your team in place.
Cost savings and a seamless approach to compliance
These topics usually work together since an engagement designed to be a good steward of corporate funds will also look for compliance solutions within your existing business model. Remember that compliance work can be costly, so a knowledgeable team leader should focus on the elements of the engagement that bring the highest value first. That raises your return on invested engagement dollars. That also includes finding and using data already captured by your current business system and using it to address compliance matters. The capturing of more data outside your current system adds complexity and may not be necessary unless it’s required to monitor specific behavior you want to control. A team leader with systems experience will add value.
Scoping the measurement and mitigation phase to build upon and complement the recognition and assessment phase findings will provide clarity and direction that should lower overall engagement costs by narrowing the focus of the subsequent activities. If those activities are increasing in scope you may be looking at higher costs and scope creep.
Keep an eye out for scope creep. A good leader will keep the team focused within the scope of the engagement while alerting management of findings that may be outside the original scope. You are the ultimate decision maker on whether to pursue these other findings or wait until another time. This is your compliance model and your engagement. Ultimately, you pay the bill and will answer for the consequences of a well designed and effective compliance model. What you get should be able to scan the legislative horizon for additional compliance risks and provide a way to easily incorporate solutions to the current structure, disseminate that information to your stakeholders, and provide a way to monitor your business for compliance.
ABOUT THE AUTHORS: Rebekah J. Poston is a partner in the Miami office of Squire Sanders who, after serving as an Assistant U.S. Attorney with the U.S. Attorney’s Office in Miami, Florida and as a Special Attorney with the Department of Justice’s Organized Crime and Racketeering Section in Cleveland, Ohio, now focuses her practice on defending complex U.S. and non-U.S. white collar criminal cases and corporate compliance. Rebekah has counseled and defended on matters involving a wide range of charges and issues including the Sarbanes-Oxley Act, the USA PATRIOT Act, the FCPA, money laundering, environmental crime, Internet fraud and identity theft, tax evasion, bank and securities and tax fraud, customs and embargo violations, asset seizures, forfeitures and health care fraud and abuse. She has written corporate compliance programs and conducted FCPA trainings, audits and investigations for Fortune 500 companies and conducted numerous corporate internal investigations around the globe. She can be emailed at rebekah.poston@ssd.com.
Lamar Casparis is a shareholder with Fitts Roberts & Co., PC in charge of delivering forensic, litigation and valuation services. He has 20 years’ experience as a controller and corporate controller for businesses in the construction, manufacturing and consolidated industries sectors developing compliance models and compliance monitoring systems. His consulting practice continues to serve construction, real estate development, manufacturing, energy and energy service providers in matters of internal investigations, litigation, damages and valuation. His anti-fraud practice currently provides confidential and client-focused domestic support for international investigations and leverages his behavioral modeling experience in the field of international compliance. He holds dual accreditations in valuation and forensics and is a Certified Information Technology Professional and the Chairman of the American Board of Forensic Accountants. He can be emailed at alc@fittsroberts.com.