Corporate Compliance & Ethics Week at The Home Depot


Crystal M. Consonery, PhD, CCEP shared the experiences of Home Depot during the 2008 Corporate Compliance & Ethics Week. The goal was increasing awareness of the Corporate Compliance department. So they decided to use Corporate Compliance & Ethics Week to launch their departmental awareness and branding.

One of Home Depot’s eight core values is “Doing the Right Thing.” Corporate Compliance is the embodiment of the value: Doing the “right” thing was at the forefront when they were tailoring their message to meet the needs of the company’s diverse population and in the selection of events and topics of discussion that would appeal to associates at different levels in the organization.

Their schedule of events was announced through various communication channels, including elevator posters, lobby easels, the company’s weekly communication newsletter, and a company-wide communication from the CEO. They also invited external corporate compliance colleagues to the week’s events.

Swine Flu, Disaster Recovery, and Compliance


One aspect of a compliance program is disaster recovery. Investors want to know that your operations can be up and running if something goes wrong. Although first thoughts go to an extraordinary event like the World Trade Center attacks, the problem is more likely to be something less dramatic.

From today’s headlines, it may be time to look at your disaster recovery plans in case of a pandemic. If Swine Flu keeps most of your workforce at home, what do you do?

But first you should decide whether you need to worry about the Swine Flu. The culprit is an unusual new virus known as A/H1N1, which is a form of swine flu that has made its way from pigs into humans. This is an entirely new hybrid strain composed of pig, bird and human viruses. As to whether it risks becoming a pandemic, that depends on the severity of the effects and how easily it is transmitted.

Over 1,500 Mexicans have been afflicted with symptoms that may be the result of this new virus. But it is not yet confirmed whether the cause of most of these cases was A/H1N1 or commonplace strains of influenza. Five American states—California, Texas, Kansas, Ohio and New York—have confirmed mild cases of A/H1N1. So too have Canada, Britain, Israel and New Zealand. One theory is that college students have been bringing the virus back to the U.S. after college spring break in Mexico.

On the very good side of things, reports indicate that the Mexican swine flu virus is susceptible to the most widely stockpiled flu antiviral drugs, Tamiflu and its relatives. If the effects are severe and it is very contagious, tools are available to fight it.

You can judge whether you should be alarmed at the Swine Flu outbreak. (I am not.) But you should take this as an opportunity to test your disaster recovery plan and make sure you can still be up and running if your workforce is not in the office.

And just to be safe, don’t kiss pigs.

Image is from Cute Overload: Mmmmm, snoutlicioussss. Thanks to Niki Black for pointing it out: Swine Flu Transmission solved, from Twitter.

Moral Hazard and Structural Compliance


I have been tossing around the concept of structural compliance in my head. The idea is to focus on the alignment of employee incentives with the long term goals of the organization. Jeff Kaplan forwarded me an article he wrote for the April 2009 issue of CCH’s Federal Ethics Report: Boards of Directors, Moral Hazard and Corporate Compliance Programs.

“Moral hazard” is the phenomenon that reducing the effect of risk by providing insurance results in the encouragement of riskier behavior. A party insulated from risk may behave differently from the way it would behave if it were fully exposed to the risk.

Jeff points out the moral hazard in the economic crisis, where the individuals creating the risk did not have their interests aligned with those of the organization. I touched on these in my post about Countrywide: Did Compliance Programs Fail During the Financial Industry Meltdown? In that story, we saw that loan officers were compensated more for origination of sub-prime loans than standard loans. They were actually paid more to originate riskier loans. The loan officers were not compensated based on the repayment of the loan. They were isolated from the risk of non-repayment.

One of the problems with the securitization of loans is that the originators do not retain the risk. They originate, sell the loans, and transfer the risk. This continues as the loans are repackaged and tranched up into the collateralized debt food chain. There was a structural compliance failure. The risk was separate from the reward.

With the failure of Lehman Brothers, the term “moral hazard” was a hot topic in the news. If we rescued them, others would expect the financial safety net. (It seems like the government made the wrong decision in deciding to let Lehman fail.) We let people build in flood plains based on government flood insurance and subsidized insurance.

Another case in point is my snowboard helmet, streaked with the brown marks of tree limbs from my runs through trees. I feel safer and take some risks that I would not take without my helmet. My head is safer, but I am more likely to take damage somewhere else or dislocate my elbow (again!).

Part of the compliance program has to focus on making sure that the reporting, governance, and compensation of the people in your organization are tied to the long term goals of the organization.

If you are rewarding people based on short-term goals, then you are going to end up with short-term results. If you are rewarding them for gains and not penalizing them for losses, then they are insulated from the risk. They are likely to make riskier decisions.

Merely running a compliance program to make sure people are following the rules is nice. But it is better to have compliance program that also focuses on removing incentives to break the rules. I think that is what I mean by structural compliance.

Image is a Polish road sign: Znak A-27.svg

SEC Enforcement Update: A Wounded Animal is a Dangerous Animal

Securities Docket presented this webcast with Michael MacPhail of Holland & Hart LLP and Patrick Hunnius of White & Case LLP. “In a sharp detour from the era of Chairman Christopher Cox, the SEC under new Chairman Mary Schapiro’s leadership has obtained big budget increases that will be used to increase the number of enforcement lawyers. It has also empowered its staff by streamlining procedures relating to the issuance of formal orders of investigation and negotiating civil penalties with corporations. The staff has responded enthusiastically to the change in regime by bringing an unprecedented number of emergency civil actions, cases involving Foreign Corrupt Practices Act violations, and cases targeting lawyers.” The materials are available on Securities Docket. These are my notes.

Michael MacPhail of Holland & Hart LLP started off by pointing out the beating the enforcement division has taken over the last year. The new administration has brought in some strong new leadership. (And it’s pissed off and wants some victories.) The SEC is touting its litigation victories and enforcement actions. It wants to be tough and is taking a “Get Tough” approach.

The SEC is also seeking lots of Temporary Restraining Orders. The TRO is ex parte so the company has no chance to present its case at the TRO hearing. The TRO also usually includes an asset freeze. These are “draconian” measures. Since the SEC is limiting funds, they are also limiting the defendants’ access to cash for legal fees. That makes it hard to keep lawyers in place. One example is the Stanford case where his lawyers quit and Stanford now has to defend himself.

How do you avoid a TRO? Talk with the SEC staff and let them know that you have removed the risk factors. Show proof that the bad acts have stopped. Convince the SEC that assets and funds are not moving. Try using escrow accounts and transparent accounts. You will also need to prove that you are actually taking those steps. The Wells Process has started changing from office to office and case to case on the defendants’ access to information about the case against them.

Patrick took over to focus on enforcement priorities that are likely here to stay and some likely new trends. He pointed out that FCPA enforcement has been on the increase. They are also looking at attorneys and other professionals. These are attractive scalps. One of the likely areas of enforcement is the FCPA in the era of Sovereign Wealth Funds and the use of government bailout funds. Many Sovereign Wealth Funds can fall under the definition of foreign controlled enterprise under the FCPA.

There is no clear line of what amount of foreign ownership makes an entity an instrumentality of a foreign government. Majority ownership is probably enough. But minority interests may still be enough. Increased Sovereign Wealth Fund investment activity could transform ordinary business partners into a foreign government instrumentality. For example, 10% of Daimler is owned by a Sovereign Wealth Fund. Another example is the City Center project in Las Vegas, which is a joint venture of MGM and Dubai World. The owner of that project may be subject to the FCPA. There are very few compliance programs in place to deal with that scenario. You have to be cautious about the foreign government ownership of banks and financial companies. Icelandic banks are probably instrumentalities of a foreign government. Looking inward, Citibank, AIG, and Bank of America could be thought of as instrumentalities of the United States.

The SEC has raised the flag that they are going after gatekeepers, especially if it can be seen that the gatekeeper was heavily involved in the bad acts. Patrick pointed out how lawyers have gotten dragged into the back-dating of stock options scandal. Patrick looked at two cases. In US v. Collins, the attorney was found to have been involved in drafting loan documents to hide some of the REFCO losses. The attorney was also involved in drafting the SEC disclosure documents and did not disclose the bad things he saw or should have seen. In US v. Offill, the attorney worked with his client to get around the registration requirements in order to sell securities. He was accused of being part of “pump and dump” schemes.

Red Book 2.0 Released by OCEG with the GRC Capability Model


The Open Compliance and Ethics Group has released the second version of its Red Book about compliance models. OCEG’s Red Book 2.0 provides a guide for implementing and managing a GRC system or aspect of that system. That means Governance, Risk, and Compliance. Red Book 1, which came out in 2005, focused on “getting the compliance house in order.” This version takes a more holistic approach of incorporating the various elements as part of business processes.

It weighs in at 255 pages so I have lots of reading ahead.

Breaking Down Compliance Silos: The Cost-Effective Approach to Managing Compliance

Michael Rasmussen, President of Corporate Integrity, Julian Parkin, Group Privacy Programme Director at Barclays, and John Kelly, Director at OpenPages, spoke in a webinar on taking a strategic approach to managing compliance. The webinar was sponsored by Compliance Week. These are my notes.

Michael set the stage by asking: Does your organization walk its talk? He equated risk to an iceberg. You have a big chunk of risk awareness visible to many. But 90% of it is below the surface. He equated that 90% to “risk ignorance.” As you might expect with a graphic of an iceberg, he used a Titanic metaphor.

A siloed approach to GRC leads to a lack of visibility, wasted resources, unnecessary complexity, a lack of flexibility, and vulnerability. Compliance is NOT going away. It is a business process that is only increasing in volume and complexity.


Julian took over and started with a focus on data privacy and operational risk. Many companies come into compliance because they have an “incident.” As a financial institution, they are very concerned with customer data and how their employees treat it. They focused not only on the stored data, but their hardware as well.

Barclays used this great branding tool to reinforce the message. There were several instances where they took a laptop left alone or other data source, leaving just this postcard behind. It is important for them to show their customers that their information is safe with them, just as their money is safe with them.

John took over to display some of his company’s IT solutions for compliance. He pointed out that a spreadsheet fails as a compliance tool because it lacks the audit trail to show what information was known when.

Compliance Policies and Email


You should take a look at your computer use and email policies to see how they address three recent cases involving email in the workplace.

The first case involves unauthorized access (Van Alstyne v. Electronic Scriptorium, Inc.). The president of the company had broken into an employee’s personal AOL email account. The employee had occasionally used that email account for business communications. To top off the bad behavior, the president of the company had propositioned the employee before firing her and then accessing that email account.

In the second case (Stengart v. Loving Care [.pdf]), Ms. Stengart resigned from Loving Care and sued the company. Before leaving she e-mailed her lawyer through her personal web-based account from her company-issued computer using the company’s internet access. Loving Care recovered temporary files stored on that computer which contained copies of Stengart’s attorney-client communications. Stengart discovered that Loving Care’s lawyers planned to use her e-mail in the litigation. She asked the trial court to decide whether the e-mail, sent during work hours on a company computer, was protected by the attorney-client privilege. The court held that it was not.

In the third case (Noonan v. Staples), Staples fired sales director Alan S. Noonan for padding his expense report. Executive Vice President Jay Baitler sent an e-mail to approximately 1,500 employees explaining the reason for the firing. The e-mail contained no untruths, but Mr. Noonan sued for defamation anyhow. Unfortunately for Staples, truth is not a defense in Massachusetts if the challenged statement was communicated with actual malice.

Lessons? What should you have in your company’s computer policy?

First, tell employees that they should not use personal e-mail accounts for purposes of conducting company business.

Second, the company should have a policy that any message sent from a company computer is subject to disclosure and the employees should not have an expectation of privacy.

Third, employees should not access another employee’s files or email accounts, whether they are the company’s or personal.

Fourth, employees should not use email or company computers to send malicious messages.

Finally, make sure you can prove that each employee knows these rules.

Stop Trading on Congressional Knowledge Act


How can you beat the stock market? Become a member of Congress and trade on legislative actions!

You might think that a member of Congress would be prohibited from trading on non-public information that they obtain through their official position. You might be wrong. Members of Congress and their staff do not owe any “duty of confidentiality” to Congress. So they can’t be held liable for insider trading based on congressional knowledge. Since they are not treated as insiders, members of Congress and their staff can share this non-public information with their friends.

Is this a problem? There is a 2004 paper that finds a portfolio that mimics the purchases of U.S. Senators beats the market by 85 basis points per month. Federal law does require Senators to disclose their common stock transfers annually in their Financial Disclosure Reports. But that filing is long after the time of the actual stock transactions.

I will not go into the details of the report other than to note that a few Senators are more active than others. You can reach your own conclusions based on the data.

In these days with a greater focus on transparency, risk and governance, you would think that Congress would close this loophole. In January, U.S. Reps. Louise Slaughter and Brian Baird (pictured) introduced the Stop Trading on Congressional Knowledge Act (the STOCK Act) (H.R. 582). Slaughter and Baird also introduced similar bills in 2006 and 2007, without success.

If this bothers you, maybe you should call, email, or tweet your Congressman or Senator.

Did Compliance Programs Fail During the Financial Industry Meltdown?


Most people would say yes to this question. I think the answer is more complex. A stand-alone compliance program could not prevent the over-exuberance, excessive risk taking, and ethical lapses that led to the meltdown.

The inspiration for this post came from an article by David Hechler, Risky Business: Did compliance programs fail the test during the financial industry meltdown? for the April edition of Corporate Counsel. Hechler focused on Countrywide Financial Corporation and Tim Mazur, who was an ethics officer at Countrywide. Hechler comes up with three lessons from

  1. Misaligned Compensation Mangles Companies
  2. You Don’t Build an Ethical Culture in a Day (or Year)
  3. Empowerment Is More than a Nice Word

The real problem was a failure of compliance at the structural level, not the program level.

Top-level executive compensation for public companies will be linked to stock performance. There are many people discussing the pros and cons of this approach and how it affects compliance. The more important place to look for misalignment of compensation is front-line employees and mid-level managers.

The examples in the story about Countrywide illustrate this well. Loan officers at Countrywide were paid higher commission for sub-prime loans than traditional loans. Wrong compensation. Those loans are riskier to the company, so they should be less valuable and be subject to a lower commission. (You should also question why commissions would change from one loan product to another.)

The compensation to the loan officer is tied to origination of the loan with no compensation tied to the repayment of the loan. So of course, underwriting standards are going to deteriorate as the pool of good borrowers shrinks and you need to find less qualified borrowers to take on loans.

The managers of these loan officers were also similarly compensated based on origination of the loans, so they were going to push for more and more loans regardless of the likelihood of repayment. There is a similarity between this structure and the structure at Enron. In The Smartest Guys in the Room: The Amazing Rise and Scandalous Fall of Enron, the authors paint a picture of Enron focused on origination of deals with little resources or focus on managing the deals.

You can’t build an ethical culture if the structure is not in place. Mazur contends that he did not have enough time to build an ethical culture at Countrywide. Unless he had been able to change that front-line employee compensation model, I do not think he could have prevented the problems at Countrywide.

You need to align the institutional incentives of your company for a compliant and ethical company. You also need to align the personal incentives for employees throughout the company to match those institutional incentives.

Update: fixed some typos