There is a portion of the DOJ’s Evaluation of Corporate Compliance Programs that has received surprisingly little play in FCPA compliance circles. Under the heading “Risk-Based Training,” the DOJ poses a series of questions companies will need to answer.
What training have employees in relevant control functions received? Has the company provided tailored training for high-risk and control employees, including training that addresses risks in the area where the misconduct occurred? Have supervisory employees received different or supplementary training? What analysis has the company undertaken to determine who should be trained and on what subjects?
The guiding concept is fairly straightforward and isn’t new. The idea is that the frontline sales employee will require a different sort of training than the Accounts Payable clerk, the CEO, or the local HR manager. Each of them faces a different type, level, and quality of FCPA risk – and this presupposes that the business organization has performed a proper (and well-documented, re-performable) corruption risk assessment.
In an ideal world, each employee would be provided the FCPA training content that educates them best about their particular role in the FCPA compliance universe. While some companies have evolved FCPA training along those lines, most still seem to have a one-size-fits-all training approach with a single online anti-corruption training course offered to all personnel during orientation, with possibly an annual refresher course.
The preferable path is to develop a risk-tailored approach from a risk management perspective – to train employees exposed to FCPA risk according to their job function, industry sector, and geography. For example, HR personnel (see my paean to them in a previous post) probably ought to be made aware of the “princelings” scandals and the risk of using an offer of employment as a “thing of value” under the FCPA.
Accounting personnel, however, should be educated about the use of third-party intermediaries as conduits for improper payments. Thus, the Accounts Payable clerk should know to scrutinize invoices beyond whether they’re approved for payment, but also whether there is proof of delivery of the goods and services, whether the third-party intermediary is a legitimate, reputable business that has been subjected to appropriate due diligence, etc. The logistics leader should be made aware of potentially risky touchpoints with Customs personnel, and so on.
Special mention, however, is deserved by a few groups dear to our hearts – the Board of Directors, Legal, Compliance, Internal Audit, and the afore-mentioned third parties (both intermediaries and non-intermediaries).
Each of these categories of personnel plays specific roles in the ABC Compliance Program risk management framework and needs tailored training to properly discharge their duties. As an example, if Internal Audit has a compliance auditing role, audit personnel should clearly receive in-depth training on corruption risks relevant to their organization and procedures for testing anti-corruption compliance controls.
It is highly unlikely that a generic one-hour corporate training session will be sufficient to train an Internal Audit team, particularly if they work for a U.S. issuer with Books and Records and Internal Controls obligations. Vendors and suppliers also need targeted training to identify and mitigate corruption risks associated with third-party intermediaries.
Confronted with a clear imperative to develop FCPA training targeted to specific functions, industry sectors, and geographies, how should a company proceed?
Focus on risk, as identified through your corruption risk assessment, and develop targeted training for the most critical control areas first. Does your Finance team have the requisite knowledge to detect and deter bribery through third-party intermediaries? Knowing that Internal Audit will need to test your entire FCPA program, does audit staff have sufficient knowledge of FCPA program controls to evaluate program effectiveness?
In the end, you will need to make sure you can answer the question: From a risk-based perspective, are the right people being trained, and is their training sufficient?