Check the Box Compliance Isn’t Enough

Lessons from the BHP Billiton FCPA violation and SEC charge

“A ‘check the box’ compliance approach of forms over substance is not enough to comply with the FCPA,” said Antonia Chion, Associate Director of the SEC’s Division of Enforcement. “Although BHP Billiton put some internal controls in place around its Olympic hospitality program, the company failed to provide adequate training to its employees and did not implement procedures to ensure meaningful preparation, review, and approval of the invitations.”

That is a quote from a recent press release by the U.S. Securities and Exchange Commission detailing charges against BHP Billiton. While you’ve likely heard about the charges stemming from inappropriate hospitality for foreign officials and state-owned enterprise employees at the 2008 Summer Olympics, it’s that statement from SEC Associate Director Antonia Chion that should have compliance teams and oversight boards really paying attention. On paper, BHP Billiton had a process in place to prevent FCPA violations stemming from inviting people to the Olympics. In practice, the company fell woefully short. It comes down to three key words in Ms. Chion’s statement:

  • Training
  • Procedures
  • Internal Controls

When crafted, implemented and monitored properly, these three elements can help organizations institute a strong program. When they’re used to build the straw man version of a compliance initiative, it can lead to disastrous, and costly, results. Let’s take a look at what happened in the BHP Billiton case (as closely as we can using only the facts released in the official statement) and what could—and should—be done to stand up a proper program.

Training

Training is the workhorse of your program. You can create as many policies, procedures and standards as you want, but unless you actually train employees on those initiatives it’s all for nothing. Relying on employees to read your policies isn’t enough either; you need to implement an engaging, interactive training course that helps them understand the policy and how it applies to their daily job functions. The lack of training is a major red flag in Chion’s statement and is reiterated as a weak point throughout the press release.

“BHP Billiton failed to provide employees with any specific training on how to complete forms or evaluate bribery risks of the invitations,” the SEC reported.

In a situation like this, where employees were actively inviting people outside of the company to attend a lavish event on the company’s dime, training for all employees responsible for or able to issue invitations should have expanded beyond the basic workings of this particular project. This holds true for any company in a similar situation. A refresher course or targeted training on FCPA regulations, with a specific emphasis on how they relate to this particular situation, should be considered a critical component of effective training in cases like these. This is particularly important if the people you’re reaching out to are in a foreign country, especially one with a history of a strong bribery culture like in the BHP Billiton instance.

Putting the policies in context is an important component of effective training. Don’t just explain your company’s FCPA policy; explain why it exists, how it pertains to these employees and their current job function and how it affects both the individuals and the company. Explaining the reasoning behind the policy shifts it from an inconsequential rule that employees have to abide by to a community effort to build a strong, ethical company culture. People are more likely to participate in a team effort than they are to follow a rule handed down from upper management that they don’t really understand.

Set aside time and a means for employees to seek clarification during training and make sure they can ask these questions in an open, non-judgmental environment. You remember how awkward it felt in school when you had a question but thought it was dumb—you didn’t want to ask it out loud, in front of everyone. You don’t want that scenario to play out during training. If an employee doesn’t ask a question it could ultimately lead to a costly violation. If employees don’t feel comfortable asking their question during the training, or if they think of a question or come up against a tricky situation later, make sure they understand how to contact the compliance department for clarification.

Procedures

Beyond the lack of proper training for the BHP Billiton employees completing the invitation forms, the overall process was deeply flawed.

“BHP Billiton required business managers to complete a hospitality application form for any individuals they sought to invite to the Olympics, including government officials.  However, the company did not clearly communicate to employees that no one outside the business unit submitting the application would review and approve each invitation,” according to the press release.

This is the definition of checking the box. A process (fill out a hospitality application) was put in place but no thorough procedure for review and approval was implemented. In a world of checks and balances, that second level of review is crucial. Review and approval by a compliance team member is especially important when dealing with gifts, entertainment or travel issues since they can so easily run afoul of the FCPA. A government official may seem clear-cut enough, but it can be harder to distinguish forbidden parties as you move further down the decision-making chain. Things can get even murkier for employees who don’t specialize in compliance when it comes to employees of a state-owned enterprise—particularly if the employee is working with people in a country or region they are unfamiliar with.

Various levels of review aren’t solely for catching intentional wrongdoing; they can also uncover innocent mistakes before they become issues. FCPA standards can be hard to decipher—compliance professionals are still working through some of the details. On top of that, people tend to rationalize their behavior, particularly if it’s in a gray area.

“One shortcoming of compliance programs is that they assume misconduct comes from bad apples, rather than good people doing bad things. … We rationalize our bad behaviors to such an extent that we do not realize we are crossing ethical boundaries until it is too late,” a recent Harvard Business Review article explained.

In this context, an employee could issue an invitation (or send a gift or pay for a dinner) to a foreign official thinking it was perfectly OK because that particular official doesn’t overtly influence any business with your company. While your policies may expressly forbid these kinds of actions toward ANY government official, it’s easy to see how an employee could think this instance is OK. A consistently applied procedural review would catch this misstep, allowing you to stop the invitation before it goes out and have a discussion with the employee before the behavior continues or potentially escalates.

Internal Controls

Ms. Chion notes that BHP Billiton did have some internal controls in place, presumably because they had a process for filling out a hospitality application form before carte blanche issuing the invitation. However, true internal controls that stand up to FCPA standards are extremely robust. In fact, the presence of strong internal controls is one of the key elements of FCPA compliance outlined in the resource guide released by the DOJ and SEC.

The last line of defense in a sense, internal controls are intended to help organizations monitor actions and procedures to uncover wrongdoing and make sure processes are working correctly and being consistently followed. Regular audits and meticulously documented records can help companies spot transgressions, identify procedural inconsistencies or even flag processes and procedures that are too weak to begin with. While I have no insight into BHP Billiton’s internal controls or auditing process (and make no claim to what they do or don’t do), a third pair of eyes from the audit team or other internal control entities could easily have flagged the Olympic invitation process as prone to FCPA violations and spotted invitees whose attendance at the Olympics the company could not pay for.

While the DOJ and SEC expect some level of internal controls to be put in place, they leave the degree of scrutiny largely up to organizations.

“The Act does not specify a particular set of controls that companies are required to implement. Rather, the internal controls provision gives companies the flexibility to develop and maintain a system of controls that is appropriate to their particular needs and circumstances,” the resource guide reads.

However, the guide also notes that “the payment of bribes often occurs in companies that have weak internal control environments.” And as evidenced by the charges against BHP Billiton, the presence of internal controls alone is not enough to protect your company from wrongdoing or regulatory action. For that reason, companies should invest wisely in strong internal controls rather than setting up a ghost process, declaring it “good enough” and checking off the internal controls box on the requirements.

Compliance may not be an old field (it’s relatively young compared to HR and finance departments) but the requirements, regulations and expectations are strict. More and more companies are finding themselves in hot water for not giving compliance the due diligence and attention it demands. And as the field matures and business relationships grow more complicated, companies are going to have to stop relying on the basics and find funding, resources and solutions that allow them to build truly strong, robust programs—business reputations and bank accounts depend on it.

Update

A statement by BHP Billiton shed some more light on the issues surrounding the FCPA violation:

In its statement, BHP said the company didn’t have an independent compliance function at the time of its sponsorship of the Olympics. Instead, accountability for compliance with the company’s anti-corruption policies stood with the business units, the statement said. It since has created an independent compliance function that reports to the head of legal and to the risk & audit committee of the board, BHP said.

“Today, this function would be required to approve any offer of hospitality of this kind to a government official,” the company said in the statement.

This not only highlights the importance of compliance, but the need for an independent, autonomous compliance department within an organization. Business unit managers are not only not compliance experts, they are most likely focused on other goals. This naturally leads to some issues when it comes to compliance, noted Jeff Alberts, head of Pryor Cashman’s white collar practice, in the recent Wall Street Journal article.

“When a review role is played by someone with a business interest instead of a compliance interest, it tends to result in that employee’s focus not being on compliance issues. They tend to focus, naturally, on business aspects.”