This is a guest post from noted FCPA expert Tom Fox. You can find Tom on Twitter @tfoxlaw and on his blog, the FCPA Compliance and Ethics Blog. If you missed Part One of this series, you can find it here.
II. Doing Less with Less
The current economic downturn in the energy space seems to follow a pattern, with businesses exhibiting predictable Pavlovian responses. When oil prices drop precipitously, companies who are overstocked, over-leveraged or generally over-panicked may over-react and cut head count and spending dramatically, to some level that is not based on rational economic analysis. Then they get a handle on where the numbers might be heading and the cuts begin to flatten out and they reach an equilibrium.
Right now, the energy space is in the first phase, which translates into loss of personnel and resources, even if calculated last year based on a summer or fall 2014 economic projection. This means that you will have to figure out a way to accomplish more with fewer people. While I often advocate that the compliance function can and should draw on other disciplines such as human resources, IT, internal audit and marketing for support, those functions have most probably been ‘right-sized’ as well, so they may not be able to assist the compliance function as much as they could have previously.
Now would be a very good time to put into practice what Dresser-Rand CCO Jan Farley often says, “Don’t sweat the small (compliance) stuff.” Farley often speaks about the need not to waste your scarce compliance resources on areas or matters that are low compliance risks. But doing this requires understanding what your highest compliance risks are. Since you will not have additional resources to perform such an analysis, I would suggest now is a very good time for you to assess your compliance program and your business model to see where your highest risks lie. You can then prioritize them so you’re able to assign your ever-scarcer compliance resources to your highest risk areas.
While I do not believe the DOJ or SEC will be sympathetic to some unsubstantiated claim along the lines of “I did my best with what I had,” they also made clear in the FCPA Guidance that, “An effective compliance program promotes an organizational culture that encourages ethical conduct and a commitment to compliance with the law. Such a program protects a company’s reputation, ensures investor value and confidence, reduces uncertainty in business transactions, and secures a company’s assets. A well-constructed, thoughtfully implemented, and consistently enforced compliance and ethics program helps prevent, detect, remediate, and report misconduct, including FCPA violations.” (Emphasis added)
So while the DOJ and SEC will not accept bold-faced claims such as “our company simply did not have the money to spend on compliance,” they will most probably consider a compliance program where a company can demonstrate that it looked at its risks, in the context of an economic downturn, and strategically allocated its compliance resources among its risks. But remember: Document, Document, and Document your decision-making calculus and your implementation.
In her On work column in the Financial Times (FT), Lucy Kellaway wrote about the concept of doing less with less for the corporate executive personally, in an article entitled, “No need to ‘lean in’ when laziness can be just as effective.” She cited the Prussian General Helmuth von Moltke for “devising one of the world’s first management matrices” when he assessed his officers on two scales: “clever v. dim and lazy v. energetic.” From this he came up with four permutations:
- Dim and lazy – Good at executing orders.
- Dim and energetic – Very dangerous, as they make the wrong decisions.
- Clever and energetic – Excellent staff officers.
- Clever and lazy – Top field commanders as they get results.
The point of Kellaway’s article has direct implications for the CCO or compliance practitioner currently facing an economic downturn: “It is only by being lazy that we become truly efficient, and come to see what is important and what is not.” Kellaway cautioned, “The sort of laziness to encourage is not the slobbish variety that means you do bad work. That is not laziness: it is stupidity. Instead, we need the clever version that comes from knowing there is an opportunity cost to every minute we spend working, so we must use our time wisely.”
From the compliance perspective, this translates directly into using your compliance resources wisely. So whether you want to cite FT columnist Lucy Kellaway or Dresser-Rand CCO Farley or this article’s theme of doing less with less, I would suggest to you there is a way to maintain “a well-constructed, thoughtfully implemented, and consistently enforced compliance and ethics program [that] helps prevent, detect, remediate, and report misconduct, including FCPA violations” even in an economic downturn.
III. Technological Solutions as a Response to the Economic Downturn
As with economic cycles, corporate response to them is cyclical. Here in Houston we are in the panic phase of ‘we have to cut employees and expenditures now’ but (hopefully) within the next couple of quarters, companies will stop their collective over-reaction and budgets will loosen up and rise to some sort of equilibrium. For the CCO or compliance practitioner who has gone through the doing less with less phase, that may become the time that you have additional resources and some money to spend.
This might be the time that you consider a technological solution to help manage your FCPA anti-corruption compliance program going forward. It may be that if you can spend between $50-100K on such a solution, you can come out running a more effective program, yet ultimately spending less because you don’t have to replace the employees who were laid off during your company’s initial response to the downturn. What are some of the areas where a technological solution will work most efficiently for you?
A. Third Party Management
Ranked as the highest FCPA risk, at least on the sales side, is general third party management. This is a process that can be automated through the onboarding process, due diligence, contracting and management of the relationship after the contract is signed. While nothing will ever take the place of a well-trained compliance practitioner reviewing and evaluating due diligence, if you can automate the document obtaining and retention process coupled with the back end relationship management you can significantly cut your costs going forward. Moreover, this process will help you in the Document, Document, and Document function of any best practices compliance program.
B. Internal Controls
There have been several high-profile cases of companies with FCPA problems specifically around lack of internal controls. There are many technology solutions available that can help in this area. Policy management solutions can ensure employees all attest to an anti-bribery policy; other solutions can require a second set of eyes on expenses to detect fraudulent charges or bribes.
Additionally, it would be reasonable to expect that internal controls over gifts would be designed to ensure that all gifts satisfy the required criteria, as defined and interpreted in company policies. It should fall to a compliance officer, by putting a second set of eyes on any such requests, to finalize (read: prevent) and approve a definition of permissible and non-permissible gifts, travel and entertainment; internal controls will follow on from such definition or criteria set by the company. Further, by automating this process, you also have a fallback protection on the detect prong.
C. Ongoing Monitoring
Saving the best and most important for last, a final technological solution compliance officers should consider is around monitoring, which allows companies to review and detect compliance risks in real time and then react quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis.
Here I want to focus on two technological solutions of ongoing monitoring which can help you to manage your FCPA compliance risks more effectively. The first is relationship monitoring. Relationship software imports and analyzes communications data, like email, IM, telephony and SMTP log files and leverages social network analysis and behavioral science algorithms to analyze this communications data. These interactions are used to uncover and display the networks that exist within companies and between the employees of companies. Additionally, relationships between employees and external parties such as private webmail users, competitors and other parties can be uncovered.
The second type is transaction monitoring. Generally speaking, transaction monitoring involves review of large amounts of data. For example, companies with large sales forces that have company credit cards might use transaction monitoring software to run analyses each month, looking for red flag transactions that are outside an established norm so the company can investigate.
How might the DOJ or SEC react to the contraction of compliance in the face of such increased compliance risk? The energy industry has not gone through this type of economic downsizing in the new age of FCPA prosecutions, largely since 2004, so there is no relevant time frame of FCPA enforcement to compare. However, the financial industry did go through a similar contraction in the 2007-2010 time frame. We have seen the DOJ and other financial industry regulators draw huge penalties for a series of anti-money laundering (AML) and LIBOR scandals. My guess is that the DOJ and SEC will not allow companies to use economic arguments in the face of a known and recognized increase in compliance risks. Indeed they may focus on some of these points as reasons for increased compliance vigilance in an energy company’s compliance function.
Yet every crisis brings learning opportunities, even economic contractions. Yes, you may have to learn to do less with less, but after this initial radical downsizing, you may be able to demonstrate greater efficiency and longer-term cost effectiveness using a technological solution in your compliance program. Perhaps that is exactly the message that your senior management wants to hear and that will open the purse strings and provide you some funding. But, regardless of the crisis or timeframe, you will always have to do your homework and be able to demonstrate value going forward.