Lessons Learned from the Walmart FCPA Enforcement Action (Part III of III)
This is a tough posting – frankly, there are so many lessons learned from the Walmart case that they could fill a book, or an e-book at least. I will focus on some of the big issues.
Walmart should breathe a sigh of relief. The compliance cloud hanging over its heard for so long is now gone, except with one big caveat – Walmart has a monitor for two years.
When the Walmart controversy developed, everyone (including me) expected Walmart to suffer a significant penalty, exceeding $1 billion. However, Walmart escaped this mess with only a $282 million settlement. Walmart did well.
At the same time, however, Walmart spent approximately $900 million on remediation, lawyers, consultants and billions in its own time and resources. That is not chump change.
Business Growth without Compliance: Walmart is a textbook example of how a limited focus on business growth without consideration of compliance needs and controls will result in disaster. It should be cited by every compliance officer who needs to argue that an aggressive business strategy has to be coupled with appropriate compliance support. A failure to recognize this connection is certain to lead to compliance problems. When the business gets out ahead of compliance, the business is unlikely to focus adequately on compliance risks.
Gatekeepers: Compliance and Audit Authority: The Walmart factual statements is replete with instances when legal, compliance and most especially internal audit findings, recommendations or other concerns were ignored, brushed aside, manipulated or allowed to die by delay. If gatekeepers do not have adequate authority to raise concerns, stop a deal and require remediation, a company will suffer real and significant compliance damage. When issues are raised, there is a written record of such concerns. If they are not fixed or addressed in some credible manner, each instance of failure to follow up can be used as evidence of criminal intent. A company that authorizes internal audit to identify weaknesses in compliance controls has to back up internal audit by requiring company actors to fix the identified problems by a specific data. Someone has to be designated as the responsible official and held accountable for a failure to address the issue. Compliance and legal problems have to be accorded the same considerations.
Third-Party Risks: We have heard so much on third-party risk management. Walmart is yet another example of third parties who were regularly used to funnel bribery payments. The absence of adequate controls is striking because it is a basic list of requirements that stand as a bare minimum required under today’s standards: (1) a business justification; (2) a specific review of the third party’s qualifications and government associations; (3) documentation of services provided; (4) review of invoices for appropriate and reasonable fees; (5) certifications of compliance; (6) written contractual anti-corruption warranties; (7) audit rights; (8) monitoring of third party activities.
Walmart’s use of third parties subcontractors and subagents demonstrated the risks associated with use of these intermediaries for illicit purposes. If a company encounters a situation where the business or an existing third party proposes to engage a subcontractor or subagent, such arrangements should be scrutinized closely. It is critical that a business justification exists for use of such subcontractors and subagents.
Independent Investigations: It seems almost implausible by today’s standards but somehow Walmart executives and officials manipulated Walmart’s initial internal investigation to ensure that it never substantiated allegations of bribery in Mexico. The ringleader at the executive level in Walmart Mexico eventually was assigned to investigate allegations against himself. Talk about improper – is it so implausible that we will never see such a blatant failure to adhere to independence again?
Don’t Trust Local Lawyers/Professionals: Unfortunately, the Walmart case is likely to add to the library of lawyer jokes and disparaging comments. After all, the primary culprits in Mexico were local lawyers who were more than happy to pay bribes, collect fees and then engage in a coding system for bribery payments in the invoices sent to Walmart. What else can you say?
The lesson learned is that professionals in foreign countries who interact on behalf of your company have to be subjected to the same due diligence standards as any other high-risk vendor or supplier interacting with government officials. This lesson extends to other professionals, including accountants, tax professionals (especially in China), lobbyists, consultants and others who interact with the government on your company’s behalf.