Billie Sol Estes died yesterday and when it comes to scam
artists from the great state of Texas, before there was Allen Stanford and his
magical Certificates of Deposits located in his private bank in Antigua, there
was Billie Sol Estes. Before Sir Allen came along, Billie Sol had a 50 year run
as the King of Texas Swindlers. He was most well-known for his scam involving
phony financial statements and non-existent fertilizer tanks to loot a federal
crop subsidy program. He went to jail for mail fraud over this scheme, although
his conviction was later over-turned. But his lasting legacy may be the
following quote by former Associated Press (AP) correspondent Mike Cochran, who
recalled writing how Estes made millions of dollars in phone fertilizer tanks
scam and noted "how many city slickers from New York or Chicago can make a
fortune selling phantom cow manure?"
Billie Sol's risk tolerance was quite high and his
implementation of a risk management plan may have seemed, well, rather 1950ish.
Hopefully your company is a tad more mature in this process. But after you have
identified a compliance risk, what should the next steps be for a company's
Chief Compliance Officer (CCO)? This question was explored in an article by C.
J. Rathbun, in the May/June issue of Compliance and Ethics Professional
Magazine, in an article entitled "You've identified a corporate risk-what next?".
Rathbun believes that any consideration of such an identified risk will be in
the context of three key questions:
The Compliance Report
Rathbun explained that a CCO needs to consider several
questions when shaping the report which will go to the management group or
Chief Executive Officer (CEO) to make any decision on whether a new risk should
be accepted. These questions include:
Weighing the Options
Once the report is considered and the options weighed,
what are some of the possible outcomes that a company may utilize? Rathbun
breaks the options down to four. The first is risk avoidance, where a company
decides that the risk is simply too great. The second option is risk
management, where the company implements procedures to manage the risk and then
monitors the risk closely. The third is risk shifting where some portion of the
risk is transferred through insurance or other mechanism. Fourth, and finally,
is that the company can simply accept the risk, so risk acceptance.
Rathbun believes that the risk management choice is the
one which may well take the most work, particularly for a CCO. You may be
required to create new policies and procedures to assist in the risk management
process. Any new policies and procedures will need to be implemented with attendant
training for the affected employees. There will need to be follow-up monitoring
to ensure engagement and accountability.
Confirming Changes in Behavior
Rathbun articulates that are two mechanisms by which a
"checkback" can be performed on policies, procedures, actions and employee
accountability. These two mechanisms are monitoring and auditing. Monitoring
is a commitment to reviewing and detecting compliance programs in real time and
then reacting quickly to remediate them. A primary goal of monitoring is to
identify and address gaps in your program on a regular and consistent basis. Auditing
is a more limited review that targets a specific business component, region or
market sector during a particular timeframe in order to uncover and/or evaluate
certain risks, particularly as seen in financial records. However, more
aggressive approaches may be required such as the addition of follow-up
assessments to confirm effective management of the new risk.
Rathbun cautions that the use of more standard tools to
"checkback" should also be utilized. These include compliance by third parties,
testing or otherwise gauging employee knowledge regarding the risk management
program and even hotline complaints. Rathbun also suggests that relatively new
tools such as transaction monitoring, relationship monitoring and real-time
party monitoring of third parties should be considered.
Rathbun believes that the end goal should be "to allow
the company to identify a growing concern before it becomes an issue-before
consumers are harmed or regulators become concerned." While a well-structured
program does require vigilance it also allows the opportunity for continuous
improvement for your company. Rathbun concludes by stating that your goal
should be to "help ensure that you and your company 'will get the first crack'
at addressing a problem, if one occurs."
I found the Rathbun article to provide a good method for
the compliance practitioner to think through, then design and implement a risk
management plan, within the context of your overall compliance program.
Although she never states it, a key component that she outlined is the
Document, Document, Document component of any compliance program. The
Department of Justice and Securities and Exchange Commission said in their FCPA
Guidance "In the end, if designed carefully, implemented earnestly, and
enforced fairly, a company's compliance program-no matter how large or small
the organization-will allow the company generally to prevent violations, detect
those that do occur, and remediate them promptly and appropriately." I believe
that you can achieve such a carefully designed and earnestly implemented risk
management program by using Rathbun's suggestions.
Finally, if a long, tall Texan comes to you wanting to
borrow money against some fertilizer tanker; do not just turn and walk, run in
the other direction.
Visit the FCPA Compliance and Ethics Blog,
hosted by Thomas Fox, for more commentary on FCPA compliance, indemnities and
other forms of risk management for a worldwide energy practice, tax issues
faced by multi-national US companies, insurance coverage issues and protection
of trade secrets.
This publication contains general information
only and is based on the experiences and research of the author. The author is
not, by means of this publication, rendering business, legal advice, or other
professional advice or services. This publication is not a substitute for such
legal advice or services, nor should it be used as a basis for any decision or
action that may affect your business. Before making any decision or taking any
action that may affect your business, you should consult a qualified legal
advisor. The author, his affiliates, and related entities shall not be
responsible for any loss sustained by any person or entity that relies on this
publication. The Author gives his permission to link, post, distribute, or
reference this article for any lawful purpose, provided attribution is made to
the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2013
For more information about LexisNexis
products and solutions connect with us through our corporate site.