Incorporating the “Fraud Triangle” into Compliance Risk Assessments

In my Corporate Compliance Insights column, I have run a series of articles discussing how Compliance and Ethics Professionals might incorporate the Fraud Triangle into their Annual Compliance Risk Assessment(s).  Though I cannot re-print the articles here, below are summaries of each with a link to each respective piece in the series.

This is a fascinating subject for mixed compliance and fraud professionals like myself. Incorporating the factors of the Fraud Triangle into compliance related areas has been very effective for me in the compliance and Independent Corporate Monitor work that I do.  Feedback has been very positive on this series and I hope that the articles may provide you with some practical ideas that will help you improve the effectiveness of your own Compliance & Ethics Programs.

The first in the series is an Overview of the Fraud Triangle, which introduces the theory and sets the stage for the articles to follow.  It also defines and distinguishes “Occupational Fraud” from “Predatory Fraud.”  Though the Fraud Triangle was developed by a criminologist and concerned criminal acts associated with fraud, I have found that the concepts also apply to less than fraud-related criminal actions, such as violating a compliance policy or acting unethically in the course of an occupation.

The next article in the series explores the “Opportunity” factor of the Fraud Triangle, which relates to one’s ability to commit fraud, violate a compliance policy or act unethically, and is affected by such things as, among others, internal controls, knowledge & training, authority, and experience.

Part 3 of the series examines the “Rationalization” factor of the Fraud Triangle, which relates to a person’s ability to internally justify/rationalize their unethical, wrongful or criminal actions.  This is often affected not only by a person’s individual moral standards, but also by the ethical tone within an organization and the person’s perception(s) about the fairness and equality of rewards and punishments for actions and behavior.

The next in the series looks at the “Motivation” factor of the Fraud Triangle, which generally relates to an “unshareable need” that arises within a person’s life.  This is the one factor of the Fraud Triangle that an organization has the least control over, as well as the most difficult one to be assessed.  This “unshareable need” is a personal need that can arise from a broad range of things, ranging from common and ordinary life issues (e.g. a divorce) to those that are more nefarious (e.g. drug addiction).  As this need increases within a person’s life, so too does the risk of that person taking actions contrary to an organization’s Code of Ethics and/or Compliance Policies.  To help illustrate this, I included in this article some very interesting and real-life examples that I have encountered over the course of my 20 plus years of fraud investigations experience, including many from my service as an FBI Agent.

The final in the series examines the “Perception Factor”.  This is technically not a part of the Fraud Triangle and concerns the perception by an individual regarding whether or not they will get caught if they violate a compliance policy, act unethically or commit a fraud.  I have found that this can be an overriding factor in a person’s decision whether or not to violate a compliance policy, act unethically or commit a fraud, even when the three factors of the Fraud Triangle are at a high risk.

FCPA Settlement Agreements, Monitors and Self-Monitoring

There has been a slightly less frequent requirement by the DOJ for Independent Corporate Monitors (“Monitors”) in FCPA-based settlement agreements during 2011.  Counts may vary a little due to timing, but there have been about seven (7) such settlement agreements during the first half of 2011, of which two (2) required Monitors and three (3) required some form of “self-reporting.”  Previously, Monitors had been required, on average, in a little more than forty percent (40%) of FCPA-based settlement agreements, a fair amount more than the twenty-eight percent (28%) average for the first half of 2011.

What is behind this apparent trend and does it have anything to do with concerns that have been raised over the last few years about the costs and scope of Monitors?  Does it signal a broader “policy” shift within DOJ and/or outside of just FCPA matters?

What should be considered by government agencies when contemplating whether or not to allow an organization to self-monitor their compliance with the terms of a settlement agreement?

If one looks at DOJ’s written policies on the topic and public statements by DOJ officials, such a change is clearly not “official policy” in general, nor is it just for FCPA matters.  Also, while costs of a Monitor are certainly among the many factors considered by all parties, there is nothing to indicate costs are a key consideration by DOJ in determining whether or not to require a Monitor at all, much less a factor in this trend.

As a Monitor and one who tracks the use of Monitors intensely and very broadly, I am absolutely confident in saying that the use of Monitors is universally (FCPA being an exception thus far in 2011) increasing, not decreasing.  Not only among more regulatory and enforcement agencies at all levels of government within the United States, but abroad.  Without articulating and referencing all the support behind this assertion (just look at previous issues of “The Monitor” to see the broad use and requirement of Monitors), I think we can dispel any notion that this apparent trend in FCPA-based matters has any broader implications, both in and outside of DOJ. Accordingly, I would like to explore why this trend may be happening within DOJ FCPA-based settlement agreements.

From my reviews of the underlying settlement agreements in the older and more recent FCPA matters, both where a Monitor was and was not required, there seem to be three key things that have happened and are continuing to happen that I believe explain this trend.  The cost of a Monitor is definitely not one of them and never should be.

Expertise of Counsel
First, outside counsel for the firms involved in FCPA matters have gotten really good.  Not only have they gained an abundance of experience in such matters because of the sheer volume of DOJ FCPA investigations that have taken and are taking place, but they now have a plethora of settlement agreements available that tell them explicitly what the DOJ expects with regard to compliance programs and what other companies have done in those instances where a Monitor was not required, or vice-versa.

Accordingly, even as these seasoned defense attorneys begin to plan an internal investigation, they are looking for compliance and control failures and providing immediate advice about remedial measures aimed specifically at addressing the issues they know DOJ will have and in a fashion similar to that which they have seen other companies do to avoid a Monitor.  The cost savings of this as compared to the cost of a Monitor could be argued to not be as large as perceived, given that the “additional” services by such law firms do not come free, or inexpensively, nor do they always necessarily entail the use of very experienced compliance professionals, though that is changing too.  Nonetheless, many of these attorneys are exceptionally experienced in these matters and this strategy and process has been very effective to date in helping companies avoid the imposition of a Monitor in resolving FCPA matters.

Along those same lines, the DOJ (and the SEC) have not sat quietly regarding their expectations of compliance programs and internal controls within companies subject to the FCPA.  To the contrary, they have been very vocal in sharing their views about the topic, as well as about Monitors and some of the factors involved in considering whether or not to require them.  With such an abundance of information (e.g. settlement agreements, public statements by DOJ/SEC officials, articles, white papers, etc.), it is no longer “rocket science” to “reverse engineer” what needs to be done in order to minimize the likelihood of a Monitor being required in DOJ FCPA matters.

The Corporate Compliance Industry
Second, among the key considerations in resolving FCPA matters (and corporate misconduct in general), is the state and effectiveness of an organization’s “pre-existing” corporate compliance and ethics program and internal controls.  Corporate compliance, as an industry, is still relatively new and has grown tremendously over the last few years.  Its impact on organizations’ pre-existing compliance programs has been positive, deep and broad.

There are several large and highly reputable organizations that now cater specifically to the compliance industry, some of whom even offer certifications for compliance professionals.  These organizations host large national and international conferences, as well as a myriad of local and regional seminars that cover all aspects of compliance within just about every industry. They have created and aggressively communicated standards and best practices as well, which comport with, among other things, the United States Sentencing Guidelines as they relate to corporate compliance & ethics programs.  As the compliance profession has grown and made more training and information accessible about best practices in compliance and ethics programs, corporate compliance professionals within organizations with pre-existing compliance programs have become better trained and equipped to improve their organization’s compliance programs, which results in less remediation and oversight if/when a problem occurs.

In addition to those organizations focused on the industry of corporate compliance and ethics, FCPA compliance has been a major topic of coverage by industry organizations (e.g. American Bar Association, Association of Certified Fraud Examiners, American Institute of Certified Public Accountants) and the professional training companies that serve the constituents of those organizations (e.g. American Conference Institute, Practising Law Institute, etc.).  It is also the topic of a huge amount of “viral” coverage, with law firm websites, newsletters, tweets, LinkedIn groups and blogs that track everything going on related to FCPA matters and, in some cases, provide instant access to libraries of relevant documents and resource materials.

Want to keep up with FCPA issues/happenings?  Set a “Google Alert” on “FCPA” with instant updates and watch your email inbox explode.

Proactive FCPA Services
Finally, the universe of companies with exposure to the FCPA is tremendous and the risk(s) high.  For many years now, attorneys, consultants and compliance professionals have been using the DOJ’s aggressive prosecution of violators, which entails individual criminal prosecutions and monstrous organizational fines and restitution, to make companies (and their Board Members, where applicable) abundantly aware of their FCPA risks, personally and organizationally.  While organizations have traditionally avoided the costs of such proactive services in general, the seemingly huge personal and organizational risk(s) in FCPA has caused many organizations to shift their cost/benefit considerations in favor of action.  As a result, many companies have obtained professional compliance related services to proactively assess and improve the FCPA compliance components of their corporate compliance programs.  Proactive FCPA compliance has been among the hottest professional service areas of all proactive risk-based services for several years now.

As a result, there are many more companies, particularly within the industries “targeted” by the DOJ for FCPA, with viable “pre-existing” compliance programs today, who previously had little or no compliance program at all, much less one that addressed FCPA specific risks.

Self-Monitoring is Not Monitoring
The need for a Monitor must be evaluated in light of each matter’s particular circumstances.  A Monitor is not always necessary or appropriate to assuring the timely and effective compliance of an organization with their settlement agreement obligations.  However, the DOJ (and any other government agency) should cautiously contemplate their reliance on self-reporting by an organization on that organization’s compliance with the terms of a settlement agreement.  While the DOJ might hope that most companies, their counsel and the company’s employees would do so with the effectiveness, transparency and integrity expected of an Independent Corporate Monitor, there is no “independent” in self-reporting.

As just one example from my own experiences as a Monitor, I have had within the scope of my Monitorships the responsibility of verifying that organizations have met their settlement agreement obligations regarding reports/complaints of employee misconduct.  These have included complaints raised through a Hotline, directly or indirectly with the Chief Compliance Officer, through a direct supervisor, and/or any other means.  For those raised through a Hotline, for example, I routinely review the Hotline log (often done through a third-party and may include both telephonic and electronic communications) and assess how all such complaints were responded to, resolved and reported.   I then report to the relevant government agency on my findings.

In my Monitorships, regardless of whether a complaint was made through a Hotline or otherwise, the organizations knew that I was watching, reducing the risk that any complaints could be ignored, mishandled or not appropriately reported in accordance with the settlement agreement obligations and/or applicable laws and regulations.  While not all complaints and/or resulting investigations required that they be reported, either to me as the Monitor or the government, the ability of the company to subjectively and solely make such a decision was impacted by my presence.  This helps assure that complaints are not only appropriately and effectively addressed, but that what needed to be reported to the government was so reported.  In fact, the companies that I have served as the Monitor of have tended to “over-report,” meaning they reported to the government about complaints that did not require reporting, either by law or the settlement agreement.  For example, in one of my Monitorships a Hotline call was received regarding an employee’s request for their own personal tax information and had no implications or relationship to misconduct; however, it was reported by the organization to me and the government merely because it came through the organization’s Hotline.

Though I am not involved in it and have no personal knowledge about the particulars, a company presently under a Monitor has very recently and publicly come under scrutiny as a result of a complaint (they note it as a “tip” in their public filings).  While it is unclear at this point whether the tip that led to that internal investigation came into the Hotline or not, it and the results of their internal investigation were reported to their Monitor and the government and have called into question whether or not they “knowingly and willfully breached material provisions” of their settlement agreement.  The company further acknowledged that this was a “significant liability” for them and could lead to government and civil liabilities and possible exclusion from certain government contracting which would have a “material adverse effect” on their financial condition.

Would this have come to light at all without a Monitor present, if they were left to self-reporting?  We may never know.

In addition to the utter lack of independence, an organization’s capability/ability should also be carefully and closely weighed by government agencies that contemplate permitting an organization to self-report on their compliance with a settlement agreement.  Among the chief responsibilities of a Monitor is to verify not only that the company complies with their settlement agreement obligations, but that they do so timely and effectively.  As it relates to effective compliance, many companies may not have the requisite resources and compliance experience to adequately make such a determination, while Monitors do, frequently having more experience in making such assessments than a company’s management, in-house counsel and/or compliance personnel.

One example of evaluating effective compliance from my own Monitorship experience involved an organization’s obligations in their settlement agreement regarding specific accounting and internal control requirements.  The complexity of these requirements exceeded the ability of the accounting and compliance professionals within the organization.  They intended to comply with their settlement agreement requirements in these areas and genuinely thought they had done so, but in reality they had not.  As the Monitor, I brought their failure to their immediate attention and provided guidance about how they might remedy their errors, which they were able to do, improving their own systems and procedures while effectively fulfilling their settlement agreement requirements at the same time.  Had this been left to self-reporting, neither the company nor the government would have known that the actions taken by the company were not effective.

Similarly, but much more frequently, I have experienced this same issue in evaluating the effectiveness of compliance training(s) required by settlement agreements.  Because such trainings are a key means of communicating a company’s compliance policies and the primary means of assuring that their employees understand and can apply them in their roles, they have been and continue to be a recurring requirement in settlement agreements.  There have been instances in my own Monitorships where, with the best intentions in mind, such compliance training has been conducted, in accordance with the requirements of a settlement agreement, that was wholly ineffective.  My testing found that those who received the training did not adequately understand the compliance policies or how they were applicable in their roles.  This lack of effectiveness was immediately raised with the organizations, allowing them to refine and improve their compliance training, as well as learn techniques to assess the effectiveness of that training within their own on-going compliance program monitoring, while effectively meeting their compliance training obligations as per their settlement agreements.  Once again, without the presence of a Monitor to recognize such a deficiency, neither the organizations involved nor the government agencies to whom they would have self-reported would have ever known.

Perhaps most concerning of all as it relates to self-reporting are those instances where companies view their compliance with a settlement agreement as a “check the box” exercise, with no regard to the spirit and goals of the settlement agreement.  In such instances, the government (and possibly the company itself) would not know whether or not a company is effectively complying with their settlement agreement obligations.  To the contrary, they would think everything was proceeding along smoothly.  At least until the next crisis arises.

Yes, Monitors come with a price.  While there are many misperceptions about how high that price may be (perhaps another good topic to explore), such a price is outweighed by the many benefits for the organization, the government agency, the industry and the public-at-large, among others.  Not only do I think that costs are not a factor in the recent decline in the use of Monitors in FCPA-based settlement agreements, I think they should never be a significant consideration at all in any matters where a Monitor is considered.  If the costs of a Monitor are a concern to a company, perhaps the attorneys who help companies negotiate the settlement agreements with the government should push harder to have the government offset any associated fines with the costs of the Monitorship, as was recently done in the Sirchie Acquisition Company (FCPA) and XE Services (Export Controls) settlement agreements.

The price of non-compliance, intentional or not, is too high to pay.