FCPA – coming to a mid-sized company near you! Thanks for the interview, Mike Volkov!


Having read blogs for close to 5 years now, I always look forward to this time of year when predictions are made. I tend to select my reading based on subject matter expertise and style, focusing on people I like and respect. I have also learned to leave the predictions to the experts rather than making my own!

Last week at Catelas we interviewed Mike Volkov to gain his insights into FCPA Compliance and try to get a sneak peak into 2012. If you have not already read his blog (here) I highly recommend that you do. We thought we would share a 3 minute audio clip of our interview with Mike,which covers many of the same topics, but reinforces the message through our auditory senses. I hope we played a small part in helping Mike compile his thoughts.

One key prediction that resonated with me was “FCPA coming to a mid-size company near you”. Okay, this is a play on words, but the gist was that FCPA enforcement will expand beyond large multi-national companies and into mid-size or smaller public companies. These companies, who for the large part I assume do not have the people or money resources to handle these types of inquiries, will need some help. Both in the form of advice from people like Mike Volkov but also in the form of “audits or assessments” of where to start and what to prioritize from companies like Catelas.

For example: Mid Size company  – 20% of their business (and growing) comes from China. Step 1 and Priority 1 is to understand how the company does business in China, in particular understanding the relationships it has with its Partners and 3rd Parties in China.

Our interview goes on to discuss how resource-sensitive companies can use Catelas in a very targeted and cost-effective way – ie pinpointing the relationships they have in high-risk FCPA countries where they do business that is of importance to them.

I hope you enjoy the audio clip. Feel free to contact me if you want to listen to the full webcast or discuss the topic in more detail.

Rob (robert.levey@catelas.com)

Advertisements

Annual Performance Reviews – love or hate ’em ?


The time between Thanksgiving and the Holiday Season break is most typically when companies review their employees performance. Most everyone has their views on Annual Performance Reviews since we are all involved either as a reviewer or reviewee. I created the following poll on LinkedIn to gauge what people thought about the annual review process – take a look here. I was very surprised by the results.

The post today is not a lesson in Human Resource Management, but I do often think about how people in Compliance, Legal and Information Security are really reviewed in terms of their job performance. In sales its easy – how much did you sell?

The conversation for a Compliance Officer or a Chief Security Officer is more complicated – how many FCPA infractions did you investigate or how many security breaches did you uncover? These roles are about protection and prevention and for the most part the teams operate in stealth mode and are seen to be doing their best work when nothing bad is happening. So a good performance review is about “nothing bad happened or nothing bad was uncovered”. Right? Wrong!

The best Compliance or Security Officers are actually “looking for bad stuff”, they are not sitting back complacently believing that their fort is secure. The very fact that “bad stuff has not happened” is the very reason to look harder. They are pre-emptive or pro-active and their mantra is to “find bad stuff before it happens”. Lofty aspirations, perhaps?

So shouldn’t performance be [at least partly] measured on vigilance and awareness rather than simply policies, processes and how well a team reacts to bad stuff as and when it happens?

Believe it or not we come across the “don’t tell me what I don’t want to know” attitude everyday. Catelas has an ability to look inside the business and monitor, yes monitor, how business gets done. Or more accurately we visualize the communications patterns of a company to understand “who knows who” and “how well”. For compliance and security groups we are used as a monitoring solution to better understand company relationships – who in my company has relationships with X, where you can fill in the blank X to be competitor, press, government official, etc.

But my point is that for many companies we often have to water down the “monitoring” term because our audience (the Compliance or Security Officer) does not want to look deeper than the job dictates. They are not interested in pro-actively seeking out potentially bad stuff for fear of finding something. Sure I understand that these teams are max’ed out or are operating within the Risk Profile of their company, etc, but in this age of Whistle-blowers and Self-Reporting, I honestly believe that the CCO in particular needs to step out of his or her comfort zone and start being more proactive. Blind ignorance is no longer an excuse.

What do you think?

Dinner [and Pearls of Wisdom] with Tom Fox


It is not often that you can get time with someone like Tom Fox and pick his brain on FCPA and compliance issues. Eddie Cogan, the CEO and Founder of Catelas, was fortunate enough to sit down with Tom for dinner this week in Chicago at a World Compliance FCPA event. We  thought we would share some of Tom’s Pearls of Wisdom.

Q1: looking across the entire spectrum of FCPA violations what things stick out:

A:

  1. the continued increase in FCPA enforcement actions. It is not going away anytime soon.
  2. the DOJ is focusing industry by industry and we can definitely see their current focus on Pharma/medical devices and Private Equity; on top of the usual suspects. Now the DOJ seems to looking at aerospace and defense industries.
  3. finally I think we are seeing a greater focus on individual executive responsibility – a recently the President of Terra Telecom received  a sentence of 15 years

Q2: So what should a compliance officer do in the face of this scrutiny? Especially when such officers are sitting in offices very far removed  from the action:

A: well for starters not knowing is not a defense.  The DOJ have advised on what is a minimum best practice for compliance and most recently indicated “Enhanced Compliance Obligations”.  You need to incorporate these into your program.  If I were to focus on 3 things it would be 1) know your third parties, 2) training and 3) documentation, documentation, documentation.  The latter I repeat because its so important to be able to show the regulator when they come calling that your do have systems in place and that you do have a systematic reasonable approach to the task.

Q3: One of the things I am seeing more of recently is the concept of due diligence and ongoing audit programs.  That seems to be much more substantial than policy and training.

A: yes it is.  In the recent J&J case, we saw mention of obligations like “J&J will conduct due diligence reviews of sales intermediaries, including agents, consultants, representatives, distributors, and join venture partners” .  There is also a recognition that risk changes over time and that you need an ongoing program of review & audit in place.

Q4: What advice do you have for Compliance Officers trying to tackle this problem {of knowing your Partners} ?

  1. You need to fully assess, in writing, your overall risk parameters in a Risk Assessment. That is your starting point.
  2. Your due diligence should be based on the risk you assess for the third party.
  3. You should continue to perform and update your due diligence at greater than one year intervals, particularly if the risk profile has changed.
  4. Follow the DOJ enforcement actions and Opinion Releases for your best sources of information on the DOJ’s latest thinking on best practices.

The over-riding theme to the discussion was “know your partners” which is all well and good, but it is no trivial exercise. Large multi-nationals could typically have hundreds if not thousands of partners around the world; distributors who partner with 3rd party resellers or partners who sub-contract with local businesses. This can quickly and easily become a complex web of business relationships which is constantly evolving and changing. As Tom intimates, the only way to stay on top of it is to leverage technology, systems and documented processes so that company’s can more confidently say, “yes we know who our partners are” and “yes we know how business is being conducted”.

For more information about Catelas 360 degree Partner Assessments, look here.

Pharma’s in the cross-hairs – turning up the heat!


There seems to be a lot of heat in the Pharma compliance kitchens right now with a series of federal investigations and settlements. Stephanie Rabiner’s blog post summarizes the recent activity –  “Glaxo pays $3B fine, Pfizer paid $2.3 billion in 2009, while Eli paid $1.4 billion the same year. And Abbott Laboratories agreed to a $1.3 billion settlement in recent weeks.”

These cases center around fraud, off-label promotions and/or kickbacks and many go back over the last 10 years. Viewed holistically and considering the consumer suits that accompany these federal one’s, it is a very big deal. The Pharma Industry is certainly in the cross-hairs right now. And the heat is being turned up.

Another blogger, Richard Cassin, last month wrote about “a flock of Pharmas”, asking the question, was the Pharma industry simply prone to these types of investigations, given the business they are in?

The allegations being investigated are certainly broad – the illegal marketing of a number of drugs, de-frauding the Medicaid program, FCPA violations, to name a few. Is this the culmination of the big investigations or is this the tip of the ice-berg?

I also looked a little closer into the Pfizer case, started by a whistle-blower lawsuit. Turns out that the list of 10 whistle-blowers includes two former employees who had spent 24 years and 16 years respectively with Pfizer.  Long careers certainly, long memories, perhaps? This is not to say that the industry is inherently corrupt, but like the financial services industry, which was placed under massive scrutiny following Madoff, these types of investigations force every company in the industry to look in the mirror.

Given the revelations coming out of Penn State University this week, I would say that every Compliance Officer should be looking a little harder into their company’s Ethics programs to be sure that their company is not the next big Wall Street head-line.

How well do you know your Partners and 3rd Parties?


Reading through the Mike Volkov and Tom Fox blogs certainly provides food-for-thought around FCPA violations and infringements. Mike is holding a webinar next week to talk about FCPA with respect to Private Equity and Hedge Funds, in particular when such companies are considering international mergers or acquisitions; Tom talks about whether FCPA scrutiny revolves around the oil and gas company because of the places where they operate or the ‘cowboy tradition’ of the industry.

These articles got me thinking about the partners and 3rd parties that such companies contract with to conduct business in countries like Russia, China and Mexico. My question for companies with significant international operations is simply “How well do you really know your Partners and 3rd Parties?” I posed a similar question in my blog last month, but the point is worth repeating.

Most companies it seems, who are expanding their international businesses or looking at potential M&A activity, do a pretty good job at the front end – ie the due diligence stage. Vetting partners, 3rd party relationships, etc. The problem is that business relationships are not static – they change and evolve. Personnel changes, from sales to research and development teams to supply chain partners. With these changes, so does ‘who we do business with’ and more importantly ‘how business is conducted’.

At Catelas we are not advocating that companies need to monitor every business relationship every minute of the day, but we certainly recommend regular check-ups (or assessments). For example, a company might be have expanded its business operations into South America. Well it would not hurt to conduct a business partner / 3rd party assessment after 1 year to examine what those business relationships look like. Or a major pharma company conducting clinical trials in Indonesia may find it makes sound business sense to identify the key relationships that exist between the company, partners, 3rd parties and hospitals, six month into those trials.

As this picture shows, these 360 degree assessment need not be a massive, expensive investigation in-country. Nor is it a major audit of the company’s financials and partnership contracts. Rather they are designed to be a non-obtrusive examination of how  business is really being done on a day-to-day basis – ‘who is talking to who’, and ‘what are the key business relationships in place’. It provides first and foremost ‘peace of mind’ that the company is conducting business ethically. But if red flags are raised as a result of the assessment, then it provides a process for undertaking a more detailed examination.

And hence the MRI analogy we have used before – the Catelas 360 degree assessment provides an MRI into your foreign business operations – answering the question “How well do you know your 3rd parties?”. To learn more take a look here or give us a call. I would love to hear your views.

Internal Investigations continue to rise


The latest Fulbright & Jaworski Litigation Trends Survey is out – slightly less litigation in 2011 compared to 2010, yet the cost of litigation per company rose. However, regulatory actions and internal investigations are climbing.

The report also reveals that whistle-blowers remain a concern in the coming year stating that one-quarter of respondents anticipate an increase in the number of claims or lawsuits brought by whistle-blowers next year. This year, 22% of respondents said their organizations were subjected to whistle-blower allegations. I suspect that this percentage has been increasing steadily over the last few years, but 25% !!! That certainly registers on the “take-notice” meter.

I also listened to a TechLaw10 podcast #42 this week, where Jonathan Armstrong was talking about the many challenges of internal investigations… more regulations, businesses being more global, more value on corporate data, more employee turnover. This last one certainly resonated – the work force of today statistically averages 2.2 years per company, a far cry from our Dads’ generation when jobs were for life. Whether people today are stealing corporate secrets more than they were before is not the issue; but the chance of this happening is significantly higher simply because people move around more and it is much easier to ‘take’ secret data with you.

All put together, I sense the perfect storm brewing to corroborate this trend of increasing investigations.

So to the people who actually have to do the work and respond to this trend, my question is how are you coping? In this economy it is not simply a case of asking General Counsel for a bigger budget – more people and more technology. It’s more complicated than that. It requires putting together a well thought out “mini-business plan” – what are the key areas of focus, how do you prioritize investigations, when and how do you deploy resources (locally and internationally), what policies and processes do you have to train and educate employees, etc. And of course if additional resources are required they need to be justified via an ROI calculation. This last piece is absolutely key – coming from the sales side, believe me, sales commission are directly proportional to a customer’s ROI.

Faced with an increase in internal investigations, the key is to use technology to your advantage – at Catelas, we are all about upfront intelligence – arming you with the facts about a case as early as possible, so that you can prioritize your investigations, spending time on the important, not the trivial, one’s, collecting only the relevant data specific to that investigation and thereby saving time and cost per investigation.

If you are interested in learning more, look here.

Voluntary Disclosure of FCPA violations


To disclose or not to disclose… that is the question. Definitely a thorny issue which Compliance Officers have to deal with. From my standpoint, I am seeing more voluntary disclosures hitting the press – here Maxwell and here Analogic, which is a good thing. Right?

Personal Disclosure – I have never been inside a Compliance Officer’s shoes when he or she is being chewed out by the CEO, so my opinion may not count for much. But what I have observed over the last few years being around corporate FCPA investigations is the following:-

1. We will investigate, prioritize and disclose potential violations that are brought to the Compliance Team’s attention:  what this means is that most companies have an investigation process in place and when they find something wrong and potentially serious, for the most part they will voluntarily disclose. Clearly, this begs the question what is “serious”, but most companies I would hope will not deliberately try to hide blatant stuff.

2. I don’t want to know what I don’t need to know: this is really about proactive monitoring or going out and finding potential violations. We work with a few companies in highly regulated industries where this is a must, but for most companies it is a step too far – ie I don’t want to uncover stuff that I don’t need to know about. This does not mean that these companies have blinders on, simply that they are doing what is necessary from a compliance and enterprise risk perspective. They feel they no not need to go the extra 9 yards.

3. Cover my backside principle:  this is about policies, processes, employee training, ‘walking the walk’, ‘top down approach’, etc. It’s what all good Compliance Teams do: they enforce and remind employees, partners, etc about good business practices. Often this is driven by past experiences – has the company been investigated by the authorities before, have they had whistle-blower incidents, etc?

4. Who is the target?  The company or the Executive: this is probably the one dynamic that has changed the most in the last 2 years. The charges are becoming personal, in that CEO’s (SEC charges CEO $20M in fraud case) or Compliance Officers are being charged for violations, resulting in possible jail time. No longer is it simply the company that stands to be charged.

Of course each company is different, but the underlying theme is reputation risk – enterprise and personal. Voluntary disclosure provides an avenue for ‘coming clean’, for putting some level of  ‘positive spin’ out of a bad situation and hopefully ultimately saving the company money in fines, etc. To all Compliance Officers – are you feeling the disclosure heat? Or is it still business as usual? I would love to hear your views.

How corrupt are your foreign business operations?


Welcome to the first of the Catelas blog posts. We have been working with companies on FCPA compliance for the past 3 years and continue to be astounded at just ‘how in the dark’ most Compliance Officers are with respect to their overseas business operations.

While the lure of doing business in countries like China, Russia and Indonesia is certainly great, the risks that come with it are equally so. Our experience is that most companies do a pretty good job at vetting potential partners, 3rd parties and individuals when they first enter a new country (through fairly rigorous background checks), but apart from re-inforcing policies and codes of conduct, that is pretty much where it ends.

The full-time, round the clock monitoring of these partners (or individuals) to uncover potential bribery or corruption is clearly cost-prohibitive and not usually practical. And most of the monitoring is focused on the financials, ie expense reports to try to uncover unreasonable or unwarranted spending.

That is why Catelas has approached the problem from a totally different perspective. If we could analyze the daily communications of a company (both inside and outside the company) and focus on those high-risk countries, partners and individuals, then we could uncover potential risks to the company, before potential FCPA infractions occur.

Tall order? Sure. And costly too? Perhaps. So we have developed a fast, effective and non-disruptive way to audit and report high-risk relationships, typically at 6 monthly intervals. Like an MRI, Catelas is able to provide Compliance Officers peace-of-mind with respect to potential FCPA violations. We identify ‘who is doing business with whom’, providing 360° profiles for companies to help them understand which countries, partners or individuals pose the highest risk based on the day-to-day communication patterns inside and outside the company.