I conclude my five-part series on the soft skills a Chief Compliance Officer (CCO) needs to employ when working through the remediation component of a potential Foreign Corrupt Practices Act (FCPA) compliance violation. I have been joined this week by Dan Chapman, well-known in the compliance community for his in-house compliance roles at Baker Hughes Inc. and his CCO roles at Parker Drilling and Cameron International. Today I will consider step five: post resolution.
If you have successfully navigated the four prongs of the Department of Justice’s (DOJ’s) 2016 FCPA Pilot Program of (1) self-disclosure; (2) extensive cooperation; (3) thorough remediation; and (4) profit disgorgement; you should have been able to make a resolution with the government. While you would certainly hope to achieve a declination with disgorgement, it may be there was a penalty assessed as well.
Whatever your result your company will, in all likelihood, be required to have ongoing reporting obligations to the government. This can be in the form of an independent monitor, retained to ensure adherence to the obligations set forth in the resolution documents, such as Deferred Prosecution Agreement (DPA), Non-Prosecution Agreement (NPA) or other forms of settlement. It can also be the company reporting to the government on its continuing remediation efforts after resolution. In this area, I want to focus on two aspects, transparency and feedback, as I believe they are inter-related and tie into the DOJ’s 2017 Evaluation of Corporate Compliance Programs (Evaluation).
In the area of transparency, this is something which should have overlaid your entire remediation effort and, indeed, your interactions with the government during the investigative phase. But this is not simply ‘opening the kimono’ to be open and honest with the government. In the post settlement phase this means having clear reporting lines for compliance. This is important so there is both accountability and action-ability. The accountability comes from know who to go to in an organization to implement and then enforce a compliance issue. In my final corporate position, that was one of the clearest requirements from our corporate monitor, demanding know who was responsible.
The corporate monitor wanted to know how compliance initiatives, monitoring and assessment were done on an ongoing basis, and he worked to assess that transparency. He made clear there should be not be any inconsistency between our company’s organizational charts, what supervisory lines would infer and what happened in practice. If there was an issue regarding the hiring of a third party, whether on the sales side or through the Supply Chain (SC), the monitor wanted to be able to go directly to the responsible person and determine if the compliance requirements had been fulfilled. He would do so via the written record and then follow up with an in-person interview. If the person interviewed had not done the appropriate compliance steps, it was immediately apparent.
This ties into the final topic noted by Chapman, feedback. When you consider the Evaluation’s emphasis on feedback through the questions it poses and the few public remarks of former DOJ Compliance Counsel Hui Chen; it is clear that not only must you ask substantive questions and obtain data, but you must use that data as well. Two of the topics found under Prong 9 of the Evaluation (Continuous Improvement, Periodic Testing and Review) are as follows:
Control Testing – Has the company reviewed and audited its compliance program in the area relating to the misconduct, including testing of relevant controls, collection and analysis of compliance data, and interviews of employees and third-parties? How are the results reported and action items tracked? What control testing has the company generally undertaken?
Evolving Updates – How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries?
It is clear how important the DOJ considers this for any compliance program. For one just coming out of a FCPA enforcement action, it is even more critical.
Chapman emphasized this criticality in the post-settlement phase, noting, “you have to show that the feedback loop works by obtaining data through solid testing and taking corrective action based upon that data.” It is also critical that you actually “test your testing methods” to demonstrate that the validity of the data going into this feedback loop. Chapman noted that unfortunately “not a lot of people think about this,” but that it is critical. Chapman provided an example around the area of compliance training, stating “if you are using a questionnaire to assess the strength of training, you need to be able to show and demonstrate that your sample for gathering this data is sufficient. You simply did not ask five people about training when you’ve trained 2,000, that you did sample testing of at least, a reasonably appropriate percentage of trainees, and you need to be able to explain how you selected these trainees for their feedback and your survey methods used in developing and deploying the questionnaire.”
This type of information is clearly important when you begin your initial discussions with the government. Yet this requirement extends through the life of the enforcement action and into the post-settlement phase. Chapman concluded by saying, “You do have to show that your input into that feedback loop has been sufficiently tested and that your data is solid.” It is not limited to training but in all areas of your compliance program, as expressed in the Evaluation.
As Chen stated, in an interview with Matt Kelly on his podcast Radical Compliance, “We wanted people to see that we put a lot of emphasis on evidence and data. Don’t just tell us that you have a hotline. Show us how you know it’s working and how you’re using the information that you gain from these hotlines. When you say you have a great compliance portal, don’t just show us screenshots of it. Show us the hit rates and how you use that data to help you refine how you communicate with your audience.” The same is true for the requirement of strong leadership by senior management and tone from the top. Chen related, “If you tell us you have a strong, talented top, show us what concrete actions your leaders have taken personally to demonstrate that. It’s not just some words that they say” but show the evidence. That is the essence of a feedback loop.
I hope that you have enjoyed this week-long exploration of some of the key soft skills needed in any compliance program remediation. There are many offerings on the technical aspects of performing an extensive remediation during a FCPA investigation, but I think this series demonstrates that the soft skills not taught in law school or business school are equally important. This is yet another reason it is critical for any company which is facing such a challenge to have top notch compliance talent in the CCO seat and compliance function. My other suggestion would be for you to get in contact with Dan Chapman.
[View source.]
