Today’s post is from David Simon (Foley & Lardner).
Professor Koehler (my former colleague at Foley & Lardner) has been critical of “FCPA Inc.” and, in particular, the astronomical costs associated with certain FCPA investigations and compliance measures. My friends in the C-Suite of FCPA Inc. have responded defensively – reacting at least in part to a perception that these criticisms suggest a corner-cutting approach to important work that must be done properly.
As an FCPA lawyer with a foot in both camps, let me try to find some common ground.
I share Mike’s concerns. While I understand that each case is different and that it is often necessary for investigating counsel to respond to outside forces that drive up costs, some of the eye-popping numbers can’t help but make one question the FCPA investigation/compliance value proposition.
This dynamic is especially troubling because, I fear, it drives the perception among many smaller and mid-sized companies that anti-bribery compliance is simply out of reach financially. A recent survey of global corruption compliance in the middle market conducted by McGladrey confirms that this segment of the market is underserved. That is dangerous and bad for all the interested parties – including the DOJ and SEC. It simply isn’t good public policy for sound FCPA compliance advice and investigative resources to be available only to the Exxon Mobils of the world.
That said, the quality of the work should not be compromised by maintaining some focus on the value proposition. Corner-cutting is not appropriate (and is almost never in the company’s long-term interests). But aren’t there ways to manage costs and still produce quality work? The answer is clearly yes. And while the options for delivering more for less are myriad, let me propose three fairly modest concepts, which, if implemented, would help bring quality FCPA representation to many more companies that really need it:
1. Give Strong but Practical Compliance Advice
We can start by heeding the counsel of the SEC and DOJ in last year’s Resource Guide:
- “DOJ and SEC have no formulaic requirements regarding compliance programs. Rather, they employ a common-sense and pragmatic approach to evaluating compliance programs.”
- “[T]here is no one-size-fits all program. . . . Indeed, small-and medium-sized enterprises likely will have different compliance programs from large multi-national corporations, a fact DOJ and SEC take into account when evaluating companies’ compliance programs.”
In other words, take it seriously, but be practical. And take a risk-based approach to FCPA compliance.
In a world where FCPA compliance was the company’s number one focus (above and beyond making and selling stuff), a company would conduct “Full Monty” due diligence on all of its distributors (maybe even its customers). It would employ a rigorous system for reviewing all gifts, meals and entertainment expenses in excess of $25. (After all, $25 is a lot of money to a customs official in Borneo . . .) It would conduct annual compliance audits of the books and records of all of its third-party intermediaries.
But really, does that approach make sense for most of our clients? While there may be companies that have a risk profile that justifies these procedures, for many – indeed, the vast majority – such an approach is simply impractical. Let’s not make the perfect the enemy of the good.
To lawyers and compliance professionals: Be practical. Be willing to sign-off on compliance procedures that are effective but tailored to the actual risk posed. Don’t be afraid to divert from “best practices” when best practices are not risk justified. Take a stand. But be prepared to defend your decisions.
And to the enforcement agencies. Be true to your word. “[D]o not hold companies to a standard of perfection.” Accept common sense compliance judgments, even when things ultimately go wrong.
2. Appropriately Scope FCPA and Bribery Investigations
When a company discovers conduct that may violate the FCPA or company policies, an investigation is necessary. It never makes sense for a company to ignore such a discovery. You are simply not serious about compliance if you do not take steps to understand what happened, why, how, and to respond appropriately. The enforcement agencies are entirely justified in requiring this and in taking companies to account for failing to investigate and respond to indications of wrongdoing.
The problem for many companies is that they hear the words “FCPA investigation” and think millions of dollars – or tens of millions, or hundreds of millions – in costs and fees. Too often, this leads companies to make the bad decision to forgo an investigation altogether.
But just as there is no “one-size-fits-all” FCPA compliance program, there is no “one-size-fits-all” FCPA investigation. Proportionality and reasonableness are key.
The main driver of investigation cost is scope. FCPA investigations that spin out of control usually do so because the scope is never clearly defined at the outset or because of significant scope-creep during the investigation. Think about our country’s history with Independent Counsel investigations. Without a clear, narrowly defined mandate, investigations can go on interminably. Investigators investigate. There is always some new lead to pursue, another witness to interview, another document to request and review.
The investigation scope needs to be reasonable and appropriately calibrated to the issues under investigation. Scope must be clearly defined, and the investigator must keep the scope front of mind. Discipline is key.
This is not to say that the scope should never change once defined. Often, new significant facts are discovered and new issues identified. Many times, these developments warrant a modification to the scope. But those decisions should be approached thoughtfully and intentionally. Scope modification is not the same thing as scope-creep.
Appropriately scoped investigations cost less. Companies with limited legal and compliance resources can access quality investigative services and can fulfill the agencies’ directive that “companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response.”
To the SEC and DOJ: To make this work, you need to apply these same common-sense principles to your assessment of company investigations. Be reasonable. To outside auditors assessing the company’s response: Ditto.
3. Disaggregation of Services in FCPA and Bribery Investigations
One final modest idea to manage the cost of FCPA investigations: Consider disaggregating services.
It is not necessary to have high-priced lawyers conduct every aspect of every investigation. In the health care industry, they refer to “working at the top of your license.” In other words, to enhance the efficiency of the provision of care, each professional should be put to his or her highest and best use. Move the work down the chain of training and expertise where appropriate. Application of the same concept in FCPA investigations can have the same pro-efficiency effect.
As a preliminary matter, it isn’t necessary for a company to hire outside counsel to conduct every FCPA investigation. There are certainly some situations where the exclusive deployment of inside investigative resources is appropriate.
Even when outside counsel properly leads the investigation, the lead investigator should consider non-traditional deployment of resources so that everyone on the team is being put to his or her highest and best use. A couple of examples:
Consider enlisting internal company resources to accomplish some investigative tasks. Under the right circumstances, company IT personnel can help gather and process data for the investigation; internal audit or finance resources can help with the analysis of the books and records; and in-house counsel can perform certain investigative tasks. Independence and perceptions of independence must be taken into consideration in every case, of course. In some investigations, it won’t be appropriate to involve company personnel. But in some, it will be entirely reasonable and appropriate. And where it is, there will be substantial cost savings.
In addition, investigative counsel should consider outsourcing or alternative-sourcing aspects of the investigation. Document review is an obvious example. Consider using data review software to cull the relevant documents that warrant review. (It is noteworthy that DOJ recently approved the use of this approach in the AB InBev/Grupo Modelo merger review. If it works in antitrust, why not FCPA investigations?) This can save hundreds of hours of lawyer and staff time. It also often makes sense to outsource document review. There are a number of firms that conduct quality document review at a much lower cost than using attorneys (even contract attorneys.) I personally have used Novus Law, a document-related discovery firm, to handle all of the document review, management and analysis on a couple of document-heavy FCPA investigations. They do an outstanding job (no quality compromises) at a fraction of the cost.
These are just a few ideas for changing the way we provide compliance and investigative services to give better access to these critical services to more companies. How we do this is less important than that we do it.