Fraud: Department of Justice (DOJ) Announces Procurement Collusion Strike Force

Background

Some studies have highlighted that procurement fraud is the second most frequently reported form of economic crime, behind asset misappropriation.

Procurement fraud is the act of gaining a dishonest advantage by abusing a position of decisive power in the procurement process; either by the individual responsible for this position in his or her own action, or by those seeking to win the opinion of that individual, resulting in a decision of benefit to themselves. Procurement fraud may be committed by procurement officers, vendors, or subcontractors, but always involves the act of collusion in order to obtain the unmerited advantage.  Fraudsters use the procurement process as part of their scheme to further their own interests in lieu of serving the interests of the procuring company.

Consider the internal risk of this type of fraud: ill-gotten financial gains come in the form of kickbacks to the fraudster, who in this example is the buyer, for selecting a supplier’s bid that is often not in the best interest of the company. Procurement fraud is also an external risk. Vendors may work together to create the illusion of competition, thus fooling the procurement officers into accepting a bid above fair market value. The scope of procurement fraud is widespread, global and not limited to certain categories, companies, or geographies.

Deeper Dive

Some report that approximately 30% of organizations have experienced procurement fraud, and that it was most common during the solicitation phase. During this time, vendors may collude with each other or with procurement officers in various ways that compromise the fairness of the bidding process and potentially result in improperly awarded contracts and/or higher contract costs. Those “holding all the cards” during the solicitation phase make the process extremely susceptible to unethical behavior.

It is important to remember that even after the contract has been awarded, the potential for fraud is ever-present. For example, a vendor could:

  • Charge more than the contractually agreed price and hope the overcharge goes unnoticed.
  • Submit duplicate invoices in the hopes that both invoices are processed.
  • Deliver non-conforming goods or services of lower value, quantity or quality than specified in the contract.
  • Exploit the change order process to perform services not specified in the contract or to artificially inflate the contract value over time.
  • Work in collusion with an insider to submit bogus invoices for goods not delivered or services not provided by the vendor.

According to a Global Economic Crime survey, the sectors reporting the most procurement fraud were state-owned enterprises (SOEs), followed by the energy, utilities and mining; engineering and construction; and transport and logistics industries.

More likely than not, factors driving the increase in procurement fraud schemes include an increase in public tender processes, companies changing and expanding their global supply chains, and a rise in outsourcing.

On November 5th, the Department of Justice announced the formation of the new Procurement Collusion Strike Force (PCSF) “focusing on deterring, detecting, investigating and prosecuting antitrust crimes, such as bid-rigging conspiracies and related fraudulent schemes, which undermine competition in government procurement, grant and program funding”.

The Strike Force is an inter-agency partnership comprised of prosecutors from the Antitrust Division and prosecutors from thirteen (13) U.S. Attorneys’ Offices. Aiding in the prosecutors’ efforts are investigation partners such as the Offices of Inspector General from the Department of Justice, Department of Defense, U.S. Postal Service, and General Services Administration Office. The Department of Justice’s announcement proclaimed that those who “cheat, collude and seek to undermine the integrity of government procurement” will have more to concern themselves with when executing their crimes. Prosecutors and investigators alike expressed enthusiasm to be working as a part of this new team.

Bribery and Antitrust

An effective method to detect bribery schemes is to analyze contract awards for unusual patterns or anomalies. For example: correlating contract awards to financial transactions may identify instances where fraudsters attempt to conceal their behavior.  You may not see a check cut from the organization directly to the person they’re bribing, but a closer look may uncover patterns like excessive meetings, gifts, meals, and entertainment during the time period of awards.  Data analytics can also be used to detect instances of price-fixing, bid-rigging, and/or market division or allocation fraud schemes.

In simple terms, bid rigging is a fraud scheme which involves intentional manipulation of the bidding process. It often involves an agreement among competitors as to who will be awarded the contract.  The bidders may agree in advance who will submit the winning bid. The purchaser is then provided with a bid amount higher than what the competitive market generally produces, which results in an overpayment for goods or services. There are four basic schemes involved in most bid-rigging conspiracies:

  • Bid Suppression:  In this type of scheme, one or more competitors agree not to bid, or withdraw a previously submitted bid, so that a designated bidder will win. In return, the non-bidder may receive a subcontract or payoff.
  • Complementary Bidding: In this scheme, co-conspirators submit token bids which are intentionally high or which intentionally fail to meet all of the bid requirements in order to lose a contract. “Comp bids” are designed to give the appearance of competition.
  • Bid Rotation: In bid rotation, all co-conspirators submit bids, but by agreement, take turns being the low bidder on a series of contracts.
  • Customer or Market Allocation: In this scheme, co-conspirators agree to divide up customers or geographic areas. The result is that the co-conspirators will not bid or will submit only complementary bids when a solicitation for bids is made by a customer or in an area not assigned to them. This scheme is most commonly found in the service sector and may involve quoted prices for services as opposed to bids.

Note: Subcontracting arrangements are often part of a bid-rigging scheme. Competitors who agree not to bid or to submit a losing bid frequently receive subcontracts or supply contracts in exchange from the successful low bidder. In some schemes, a low bidder will agree to withdraw its bid in favor of the next low bidder, in exchange for a lucrative subcontract that divides the illegally obtained higher profits between them. 

Almost all forms of bid-rigging schemes have one thing in common: an agreement among some or all of the bidders which predetermines the winning bidder and limits or eliminates competition among the conspiring vendors.  Indicators of collusive bid-rigging schemes include:

  • Be aware of bids for goods or services for which the pool of qualified prospective bidders is small but maintains a large control of the market share.  These bids are at higher risk for vendor collusion.
  • Also be mindful of bids for standardized goods or services.  If there are no differentiating factors among the various proposals aside from price, there is a much greater risk of collusion.
  • When vendors collude with one another, similarities may exist in the bids submitted to the procuring company.  For example, pay attention to similarities in the mailing addresses, email address domains, or courier account numbers.  Take a look at the properties of an electronic document to see if similar authors appear.
  • Observe the behavior of vendors when undergoing the procurement process.  The communication or action of the bidding vendors can be very telling.  Remember social engineering is a tool available to both sides!
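The shared-attribute indicator above (mailing addresses, email domains, courier account numbers, document authors) can be screened with a short script. This is an added example, not part of the original post; the field names, the sample bids, and the lists of public mail domains and generic author names are constructed assumptions.

```python
import re
from collections import defaultdict
from itertools import combinations

# Assumption: webmail domains are shared by unrelated vendors, so they are not a signal.
PUBLIC_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
# Assumption: default document-author values that many unrelated files carry.
GENERIC_AUTHORS = {"administrator", "admin", "user", "owner"}
# Small abbreviation map so "Rd." and "Road" compare equal.
ABBREV = {"rd": "road", "st": "street", "ste": "suite", "ln": "lane", "ave": "avenue"}

# Constructed sample bids; every name and value here is hypothetical.
SAMPLE_BIDS = [
    {"solicitation": "S-001", "vendor": "Alpha Paving", "address": "12 Harbor Rd., Suite 4",
     "email": "bids@alphapaving.example", "courier_account": "CA-7781", "doc_author": "J. Doe"},
    {"solicitation": "S-001", "vendor": "Beta Roadworks", "address": "12 harbor road suite 4",
     "email": "sales@betaroadworks.example", "courier_account": "ca-7781", "doc_author": "j. doe"},
    {"solicitation": "S-001", "vendor": "Gamma Civil", "address": "900 Mill St",
     "email": "gamma.civil@gmail.com", "courier_account": "CA-1020", "doc_author": "Administrator"},
    {"solicitation": "S-001", "vendor": "Delta Grading", "address": "41 Quarry Ln",
     "email": "delta.grading@gmail.com", "courier_account": "CA-3344", "doc_author": "administrator"},
    {"solicitation": "S-002", "vendor": "Alpha Paving", "address": "12 Harbor Rd., Suite 4",
     "email": "bids@alphapaving.example", "courier_account": "CA-7781", "doc_author": "J. Doe"},
    {"solicitation": "S-002", "vendor": "Epsilon Asphalt", "address": "77 Canal St",
     "email": "tenders@alphapaving.example", "courier_account": "CA-9001", "doc_author": "mlee"},
]


def _norm_text(value):
    """Lower-case and collapse whitespace; empty values become None."""
    value = re.sub(r"\s+", " ", (value or "").strip().lower())
    return value or None


def _norm_address(value):
    """Drop punctuation and expand common abbreviations before comparing."""
    tokens = re.sub(r"[^a-z0-9]+", " ", (value or "").lower()).split()
    return " ".join(ABBREV.get(t, t) for t in tokens) or None


def _norm_domain(value):
    """Return the email domain, or None for malformed or public webmail addresses."""
    email = (value or "").strip().lower()
    if "@" not in email:
        return None
    domain = email.rsplit("@", 1)[1]
    return None if not domain or domain in PUBLIC_MAIL_DOMAINS else domain


def _norm_author(value):
    """Return the document author, ignoring generic defaults."""
    author = _norm_text(value)
    return None if author in GENERIC_AUTHORS else author


EXTRACTORS = {
    "address": lambda b: _norm_address(b.get("address")),
    "email_domain": lambda b: _norm_domain(b.get("email")),
    "courier_account": lambda b: _norm_text(b.get("courier_account")),
    "doc_author": lambda b: _norm_author(b.get("doc_author")),
}


def shared_indicators(bids):
    """Map (solicitation, vendor_a, vendor_b) to the attributes the two bids share."""
    index = defaultdict(set)  # (solicitation, indicator, value) -> vendors using it
    for bid in bids:
        for name, extract in EXTRACTORS.items():
            value = extract(bid)
            if value:
                index[(bid["solicitation"], name, value)].add(bid["vendor"])
    findings = defaultdict(set)
    for (solicitation, name, _value), vendors in index.items():
        for a, b in combinations(sorted(vendors), 2):
            findings[(solicitation, a, b)].add(name)
    return {pair: sorted(names) for pair, names in findings.items()}


def review_queue(bids, min_indicators=1):
    """Vendor pairs ordered by number of shared attributes, most first."""
    ranked = sorted(shared_indicators(bids).items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(pair, names) for pair, names in ranked if len(names) >= min_indicators]


if __name__ == "__main__":
    for (solicitation, a, b), names in review_queue(SAMPLE_BIDS):
        print(f"{solicitation}: {a} / {b} share {', '.join(names)}")
```

A match is a reason to look closer at the pair, not proof of collusion; shared office buildings and common bid-preparation consultants produce the same overlaps.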

Price Fixing schemes often impact the procurement process when business is conducted through purchase orders or direct purchases. Price fixing occurs when competitors agree to raise or fix their prices for their goods or services, set a minimum price that they will not sell below, or reduce or eliminate discounts.  Indicators of these types of schemes include:

  • Look for situations where competitors always announce their price increases at the same time for the same amount, or staggered price increases with an established pattern or frequency, oftentimes creating the appearance of who is going to be first to increase prices.
  • Look for competitors reducing or eliminating discounts at about the same time.
  • Generally, be alert to situations in which all prices seem to be uniform and all suppliers refuse to negotiate those prices.

Methods to Deter & Detect Procurement Fraud

An effective way to deter and detect fraud is to develop a thorough understanding of the business environment, the risks impacting the achievement of the business’ strategic goals, and the implementation of a holistic fraud risk management program. Once the risks are identified, I would also strongly encourage the use of data analytics, combined with proper training, internal audits, and compliance reviews to support and supplement the fraud risk management program.

Other practices that could help detect fraud include, but are not limited to:

  • Ensuring transparency from everyone and applying the right amount of skepticism, always!
  • Maintaining, restricting access to, and auditing a valid master vendor list.
  • Performing proper due diligence during supplier onboarding.
  • Referring to debarment sources of blacklisted suppliers.
  • Performing peer grouping to determine if a supplier fits an appropriate profile for a contract.

At Baker Tilly we can assist any organization with your fraud risk management and anti-fraud programs and controls.  This includes services to detect, deter, respond, and remediate instances of fraud. Our team of experts is well positioned to investigate and remediate suspected instances of procurement fraud, which includes the ability to conduct a root cause analysis to determine the cause of the misconduct.  The DOJ has deemed a company’s efforts to properly remediate and identify root cause as a best practice and often provides credit to those companies who engage in such activities in the event of a criminal prosecution resulting from procurement fraud.  The DOJ also looks highly upon companies with robust third party risk management programs, which can also be used to mitigate the risk of procurement fraud.

Our team of highly-skilled professionals use advanced analytics, such as predictive modeling, to help identify attributes or patterns that are highly correlated with known fraud, even complex and emerging patterns of fraud. Moreover, we use text mining as an effective tool to identify red flags of procurement fraud or antitrust violations.

I often say, “Analytics can answer questions that manual or ad hoc methods would generally miss – it’s the ‘silent whistleblower!’”

Closing

Many organizations miss the mark when it comes to managing the procurement process. Some are quite good!

It starts with a well-written code of conduct, and includes strong policies, proper internal controls (note: segregation of duties is a pervasive issue), a robust third-party risk management program, training, and monitoring.

I’m not surprised by the DOJ’s initiative and commend them in the fight against public procurement crimes.  We recommend organizations review their compliance program, supply chain, and procurement process for risks and opportunities for enhancements.

We welcome your thoughts and comments.

Now, for tomorrow!

Best,

Jonathan T. Marks, CPA, CFE | Firm Leader

Paul Zikmund

Melissa Dardini

Members of Baker Tilly’s Global Fraud and Forensic Investigations, Compliance, & Security Services

Our team focuses on the intersection of where strategy meets execution, so that we can enhance and protect our clients’ value.

Copyright 2019
Jonathan T. Marks, Baker Tilly Partner, is Speaking Today at the First Chair Event in Chicago on Triaging Whistleblower Allegations

As the use of whistleblower programs continues to grow, many organizations find themselves struggling to manage burgeoning caseloads. As a result, serious fraud investigations can be delayed (with mounting losses) while less consequential complaints are being investigated. The lack of a timely, systematic and repeatable process for evaluating and prioritizing whistleblower tips that contain allegations of ethical breaches can also expose an organization to increased regulatory risk. While there is no single, “right” method for following up on whistleblower complaints, the most effective approaches often resemble the medical triage programs that hospitals and first responders use to allocate limited resources during emergencies, or a crisis situation. Here are some useful guidelines for designing and implementing a fraud triage system.

The Growing Use of Whistleblower Programs

Despite extensive fraud detection measures, closer management scrutiny, and increasingly sophisticated technology, the most common fraud detection method is still the simplest: somebody notices something suspicious and decides to speak up. According to the Association of Certified Fraud Examiners’ (ACFE) 2018 Report to the Nations on Occupational Fraud and Abuse, 40.0% of the cases reported in their study were uncovered as the result of tips (usually from an employee, supplier, or customer), more than internal audit (15%) and management review (13%) combined. The ACFE study also demonstrates that dedicated reporting hotlines are particularly effective. In organizations where such hotlines were in place, 46.0% of the cases reported were uncovered through tips, compared with only 30.0% of the cases in organizations without hotlines. These results are consistent with patterns that have been recorded in the ACFE’s biennial survey since its inception 20 years ago. On a broader scale, as a matter of best practice, the COSO Internal Control–Integrated Framework, along with various other enterprise risk management (ERM) frameworks and guidance from the Institute of Internal Auditors (IIA), also emphasizes the importance of establishing and maintaining effective whistleblower programs.

In addition to their demonstrated effectiveness, whistleblower programs have also been promoted through recent regulatory actions. For example, one section of the Dodd-Frank Wall Street Reform and Consumer Protection Act directs the Securities and Exchange Commission to make monetary awards to individuals who voluntarily provide information leading to successful enforcement actions that result in monetary sanctions over $1 million. A few years earlier, the Sarbanes-Oxley Act of 2002 required the audit committees of publicly traded companies to establish procedures to enable employees to submit confidential, anonymous information regarding fraudulent financial reporting activities. Dodd-Frank and Sarbanes-Oxley are only two examples out of a broad range of laws that encourage – and often mandate – whistleblower programs. A 2013 study by the Congressional Research Service found no fewer than 40 federal whistleblower and anti-retaliation laws, designed to protect employees who report misconduct. Eleven of those 40 laws were enacted after 1999. On February 21, 2018, the U.S. Supreme Court issued an opinion in Digital Realty Trust, Inc. v. Somers, a long-anticipated case that clarifies who is protected as a “whistleblower” under the Dodd-Frank Act’s anti-retaliation provisions. It states that to qualify as a “whistleblower” under Dodd-Frank, individuals now have a clear incentive to report all sorts of observations to the SEC before reporting those observations through their company’s internal reporting infrastructure. Now under Dodd-Frank an individual is only protected from retaliation if he or she has reported a potential violation to the SEC before he or she separates from the company. Such laws not only make whistleblower programs more common, they also make the timely resolution of tips even more critical, as we are about to explain.

There is momentum today to correct Dodd-Frank.

On July 9, 2019, the U.S. House of Representatives passed H.R. 2515, also known as the Whistleblower Protection Reform Act of 2019 (“WPRA”). The WPRA is designed to address a gap in the whistleblower protections afforded under the Dodd-Frank Consumer Protection and Wall Street Reform Act of 2010 (“Dodd-Frank”), as interpreted by the Supreme Court in Digital Realty Tr., Inc. v. Somers, 138 S. Ct. 767 (2018). Specifically, the Supreme Court in Digital Realty Trust ruled that the anti-retaliation provision of Dodd-Frank does not extend to protect employees who only make reports concerning violations of securities laws internally, as opposed to individuals who made a report to the U.S. Securities and Exchange Commission (“SEC”). The WPRA is designed to amend Dodd-Frank to ensure the statute’s protections extend to individuals who make internal reports of securities violations.

Responding to Tips – Why Timeliness Matters

Dodd-Frank, Sarbanes-Oxley, and the various regulatory structures that were established to implement them are helping to mold a corporate environment where undervalued and underappreciated compliance professionals and in-house counsel are incentivized to “blow the whistle.” Such incentives can be helpful in creating a self-regulating environment, but they also make it essential that corporations establish a timely and effective process for remediating complaints. For example, to carry out its mandate under Dodd-Frank, the SEC established a separate Office of the Whistleblower, which has paid out more than $160 million to 46 whistleblowers in connection with 37 covered actions, as well as in connection with several related actions since it was founded in 2011. Three of the ten largest whistleblower awards were made by the SEC during FY 2017.

Under this program, there are exceptions if at least 120 days have passed either since the auditor (excluding external auditors who obtained the information during the audit of an issuer) or accountant properly disclosed the information internally (to their supervisor or to another person in the organization who is responsible for remedying the violation, i.e., the audit committee, chief legal officer, chief compliance officer, or their equivalents), or since they obtained the information under circumstances indicating that the entity’s officers already knew of the information. Then they can report the lapse directly to the SEC and be eligible for a sizable whistleblower award – from 10 percent to 30 percent of any fines or sanctions that are collected. The program’s website prominently features headlines such as “SEC Issues $17 Million Whistleblower Award” and “SEC Awards More Than $5 Million to Whistleblower,” to cite only two of many recent examples.

Since the program’s inception, the SEC has ordered wrongdoers in enforcement matters involving whistleblower information to pay over $975 million in total monetary sanctions, including more than $671 million in disgorgement of ill-gotten gains and interest, the majority of which has been, or is scheduled to be, returned to harmed investors. With incentives like that, it should be no surprise that whistleblower complaints are on the rise. Yet in most cases, such awards would not have been available if the companies involved had resolved the initial fraud complaints within 120 days.

Unfortunately, our experience indicates that, while many companies invest in tips hotlines and similar whistleblower programs, a large portion of them fail to invest adequately in an allegation review process for promptly evaluating, prioritizing, and responding to the whistleblowers’ tips in a systematic, repeatable, and defensible manner. As the number of tips grows and investigators’ caseloads expand, complaints end up sitting in a queue waiting to be investigated, while the company remains vulnerable to the risks the tipsters were warning about, and the SEC timeline is running.

A 2018 study of customers of the compliance software company NAVEX Global found that case closure times had blipped to 44 days, and they have dropped to 40 days according to their 2019 study. This metric is important given that, under certain agency whistleblower provisions, an organization will have limited time to complete an internal investigation.

Moreover, when the various categories of fraud are compared, cases involving suspected accounting, auditing, and financial reporting fraud took the longest to resolve by far – 55 days! In other words, the average case closure time for cases of suspected financial fraud was almost halfway to the 120-day deadline – the point at which employees are incentivized to report the case directly to the SEC and expose the company to additional, sizable sanctions.

Hidden and Direct Costs of Delayed Response

Even setting aside potential SEC sanctions, delays in investigating whistleblower tips are costly in other ways. Delayed responses to tips can cause employees and other potential sources to lose confidence in the hotline or other whistleblower program, undermining the effectiveness of the compliance and ethics program and adding further complexity to the risk management effort. Most companies expend considerable time, effort, and resources in creating compliance and ethics programs. Failing to establish a system for dealing with allegations or tips in a timely manner can mean those expenditures are probably wasted. There are also direct costs associated with delays in handling tips. The losses resulting from a fraud scheme are directly related to how long the scheme goes on. The ACFE’s 2018 Report to the Nations found that the median loss for frauds that were uncovered in six months or less was $30,000. But at the other end of the scale, schemes lasting more than five years caused a median loss of $715,000. Simply put, the longer perpetrators are able to continue, the more financial harm they are able to cause. Clearly, the absence of an effective program for handling whistleblower complaints promptly and effectively can have a significant and direct financial impact – in addition to the regulatory, employee relations, and reputational risks such a shortcoming entails.

A Triage Approach

While there is no single, one-size-fits-all method for following up on whistleblower complaints, the most effective approaches are similar in many ways to medical triage programs, such as those implemented by hospitals and first responders during emergencies to help medical professionals prioritize the treatment of patients. In medical triage, those with serious, life-threatening injuries are treated ahead of those whose conditions are less severe. In the same way, a fraud triage program helps risk, audit, and fraud professionals prioritize the investigation of tips and whistleblower complaints. Those that indicate serious, material risks are addressed differently and more aggressively than those that reflect mere misunderstandings, minor errors, personal grievances, or false tips, all of which could tie up investigators unnecessarily. Under a fraud triage program, the same principles apply. Hotline tips or complaints that do not indicate fraudulent behavior can be delegated to human resources, IT, or other line or support functions that are capable of handling them more efficiently. Meanwhile, complaints that involve suspected fraud, but which are less significant in terms of financial losses, control failures or other risks, may be set aside temporarily while larger, more material cases receive immediate attention.

Proper Staging of the Allegation – the Critical First Step

A swift and thorough triage process leads directly to a more appropriate and timely response. The specifics of that response will vary, of course, depending on the nature and severity of the case, but the fundamental elements of the treatment include forming the right team to investigate, understanding root causes, and providing timely disclosure to all constituencies. Before such a response can be planned and executed, however, the tip or allegation must be evaluated or “staged” based on a consistent set of criteria. Navigant’s fraud governance framework identifies five such stages:

Stage 1

Stage 1 allegations have a low threat level and do not suggest a breakdown of internal controls. Tips that get grouped into this stage do not have a financial or reputational impact. These may include employee-to-employee disputes, isolated cases of small-scale employee theft, and the normal policy complaints, misunderstandings, and personal disagreements that are often raised through a whistleblower program. In most cases, these complaints are best handled by human resources or management personnel.

Note: Human Resources and management should be trained on proper investigation protocols, including the escalation process. A basic level of review should be performed and documented to corroborate that no further investigation is warranted. This review and documentation could be performed by a branch or office manager. For an employee who is the target of such a complaint, management should consider placing such employee on a temporary legal hold which triggers the retention of email and other documents until the risk of retaliatory litigation has passed.

Stage 2

These allegations are more serious in nature, and often indicate some deficiency in the design of internal controls. Examples include business rule violations such as recurring employee theft or patterns of falsifying expense reports. If the allegation is substantiated, then the result of the remediation process is a change to a business process or business rule, followed by an enhancement of the company’s preventive or detective internal controls. Because they indicate a deficiency in internal controls, such allegations are escalated to the internal audit function in order to obtain a deeper understanding of the control environment. Internal audit should evaluate what controls are currently in place, and determine where the breakdown in internal controls occurred. It is also important to assess if the allegations are signs of a bigger problem or if they could have an impact on financial reporting. If financial reporting is affected, sensitivity testing must be performed to calculate the low case, medium case, and worst case financial impact. Internal audit’s review also might identify multiple violations. Again, the employees affected should be put into a legal hold which triggers the retention of email and other documents until the risk of litigation passes. In some cases, employee termination may be warranted.

Stage 3

These allegations are serious in nature, generally involve an override of internal controls, and thus are at a minimum a serious deficiency. But they have only a minimal impact on the financial statements or the company’s reputation. More serious allegations in this category include fraud, embezzlement, and bribery involving employees or mid-level management. Such cases require the same level of investigation as Stage 2 cases, along with an internal investigation that usually is conducted under the direction of the general counsel, involving compliance and internal audit as well. In some instances, the investigation might need to be performed independently by a function or person who is not directly involved in the control environment.

Stage 4

These are serious allegations that could have an impact on the completeness and accuracy of the audited financial statements, and that could indicate a material weakness in internal controls. They do not, however, appear to involve any member of the senior management team. Such cases are generally addressed through an internal investigation, usually under the direction of outside counsel operating under privilege. The investigation often involves the use of independent, outside experts as well.

Stage 5

These are serious allegations that involve one or more members of the senior management team, or are serious enough to damage the company’s reputation. The receipt of allegations in this stage usually places the company into crisis management mode, and could result in the restatement of audited financial statements or added regulatory scrutiny. In such instances, the board generally should engage outside counsel and forensic investigation experts to initiate a privileged and confidential fact-based investigation. The external auditors may also be involved and a disclosure to the SEC may be required.

It’s important to note that, in both Stage 4 and Stage 5, engaging outside experts is generally necessary. Other critical elements of the Stage 4 and Stage 5 responses include having a qualified and experienced investigation team, along with a time-phased work plan that minimizes disruptions to the organization’s day-to-day business as much as possible. The investigators will begin with fact-finding interviews to help them evaluate who else to interview and when. The investigators will also help the company identify a list of custodians who will be interviewed to understand where their data was being saved (for example, on email servers, mobile phones or other devices, flash drives, cloud servers, and network folders). Generally, a large-scale data collection effort will then ensue in order to search and preserve all potentially relevant information. The goal is to determine who knew what and when, and how high up the chain the knowledge went. The investigation will also assess if the audited financial statements can be relied upon, so that counsel and board members can determine what disclosure requirements might apply. In addition, where internal control issues are noted, outside counsel can also recommend and assist in recommending new or enhanced policies, procedures, and controls.

Ownership, Responsibility and Follow-Up

Obviously, the triage staging system described here is not the only plausible methodology an organization can use for evaluating allegations of wrongdoing and planning appropriate responses. Other thought leaders in the field have proposed evaluating tips according to various other criteria such as the severity of the allegation, the specificity of the information it contains, and similar factors. Ultimately, whatever triage process and framework is chosen, it will need to be customized to reflect the company’s particular situation and its particular industry. In many instances, boards may choose to combine elements from several approaches.

Regardless of the specific criteria upon which the system is based, the importance of maintaining written policies and procedures cannot be overstated. Moreover, in all cases it is important that the responsibility for developing, implementing, and maintaining the triage response system be clearly defined. The assignment of this responsibility will vary as well, depending on the size and nature of the organization, its governance structure, the volume of whistleblower complaints and other factors. It could fall to internal audit, the corporate general counsel, a board committee, a designee of the CFO, or some other person or group – but in all cases it’s essential to have a designated individual or business function that is responsible for initially capturing complaints and performing the triage of the allegation(s).

Once the framework is set and data is being collected, it’s also important to step back and periodically assess what the data is saying. For example, if the complaint hotline is bombarded with a high frequency of inconsequential complaints related to minor personnel disputes, uniform violations, or employees complaining about having to work a holiday, then it may be time to provide additional training on how the complaint hotline is to be used. An increase in sexual harassment complaints or complaints related to substandard working conditions could provide an early warning, a potential leading indicator of a class action lawsuit. Similarly, an increasing number of reports of low-dollar employee theft are usually signs of a larger cultural problem. Evaluating the data and trends captured in your complaint system can help you make decisions that could prevent the next “big event.” In that sense, an effective, well-designed, and consistently executed fraud triage effort can pay even bigger dividends that go beyond the direct benefit of helping you evaluate and prioritize tips and complaints more efficiently.

Lastly, as facts come to light, there might be a need to escalate the allegation. If an investigation starts with human resources or internal audit, they should be trained on what to do if the matter intensifies!

Matters that generally require escalation include, but are not limited to:

  • Violation of law – antitrust and competition, anti-bribery and corruption, employment discrimination and harassment, fraud against third parties by employees
  • Accounting, books and records – public financial reporting, internal financial reporting and disclosure, insider trading, SOx, Dodd-Frank
  • Environmental, health, safety
  • Any employee theft, misappropriation, or fraud against the organization in excess of $$$$$$$ 
  • Code of Conduct Violations of the Executive Leadership team
  • Misconduct by Legal, Ethics and Compliance employees – failing to investigate or stopping an investigation
  • Third party frauds against, or thefts from, the organization

Care should be taken, and consultation with legal counsel and compliance is a wise move, unless they are or appear to be involved; then go directly to the Board of Directors.

Board members, I would seek to understand the escalation process and I would review the allegation log to ensure investigations are being done timely, you are being briefed on all serious matters, proper discipline has been applied, and  internal controls are installed or enhanced to try to prevent and detect possible future bad or “carryover” behavior! 

I welcome your comments and suggestions.

Jonathan T. Marks

Attribution:

  • Buckley
  • NAVEX
  • ACFE
  • SEC

 

This material is protected by Copyright Laws and may not be reproduced in any form without my express written permission.

Posted on

Caremark, Compliance, and Caution!

Background

A significant June 2019 decision by the Delaware Supreme Court interpreting the Caremark doctrine that limits director liability for an oversight failure to “utter failure to attempt to assure a reasonable information and reporting system exists” prompts this update.

The Court said that in order to “satisfy their duty of loyalty,” “directors must make a good faith effort to implement an oversight system and then monitor it” themselves, because the existence of management-level compliance programs alone is not enough for the directors to avoid Caremark exposure.

The Delaware Supreme Court reversed the Delaware Court of Chancery’s dismissal of a Caremark claim that arose out of the Blue Bell Creameries’ (“Blue Bell”) ice cream listeria outbreak where there was an alleged pattern of disregarded food-safety warnings.  The Delaware Supreme Court’s opinion in this closely watched case provides useful guidance to directors about the proper role of the board in overseeing risk management and compliance programs.

Breach of Duty

Caremark defines a director’s duty of care in the oversight context and is at the very least a label attached to what all now agree is a necessary and proper subject of attention for every board of directors: corporate compliance as a function within the broader task of enterprise risk management. Caremark defined duty of care as “the care an ordinarily prudent person in a like position would exercise under similar circumstances”.

The Caremark decision built a high wall for plaintiffs to scale in asserting a board’s failure to comply with duty of care and loyalty standards. A landmark case before the Delaware courts in 1996, the decision written by the Court of Chancery of Delaware for In re Caremark International Inc. clarifies the board’s duties in relation to its oversight activities. The court outlined what plaintiffs must prove when claiming that directors breached their duties, notably that:

  1. Either the directors knew or should have known that violations of the law were occurring; and, in either event,
  2. The directors took no steps in good faith to prevent or remedy that situation; and
  3. Such failure resulted in the losses alleged in the complaint.

Recently, the Delaware Supreme Court overturned and remanded a decision by the Chancery Court, ruling that a Plaintiff had indeed scaled the Caremark standard in their complaint. The case, Marchand v. Barnhill, No. 533, 2018 (Del. June 18, 2019), involved the directors and officers of Blue Bell Creameries (“Blue Bell”). Founded in 1907, the creamery produces a product lineup that includes Blue Bell Ice Cream, Light Ice Cream, No Sugar Added Ice Cream, Sherbet and frozen snacks that are manufactured and distributed to supermarkets and food stores through Blue Bell’s direct store delivery program.

On April 20, 2015, Blue Bell voluntarily recalled all of their products from the supermarket and food store shelves and shut down all production operations after the Centers for Disease Control and Prevention (“CDC”) and the U.S. Food and Drug Administration (“FDA”) and several state health agencies found evidence that linked listeriosis (“listeria”) to Blue Bell Creameries products.  Listeria is a life-threatening infection caused by eating food contaminated with the bacterium (germ) Listeria monocytogenes.  The germ infected ten (10) people with several strains of Listeria and resulted in the reported deaths of three (3) people. As the organization’s revenues dropped precipitously, it terminated more than half of its workforce and ceased paying distributions to its limited partners. Ultimately, Blue Bell was fined by government authorities for poor safety policies and practices.

Blue Bell suffered losses because, after the operational shutdown, it suffered a liquidity crisis that forced it to accept a dilutive private equity investment. The plaintiffs in this case brought a complaint that two key executives (President & CEO and the Vice President of Operations) and the board breached their fiduciary duties.

The complaint alleges the President and CEO and the Vice President of Operations breached their duties of care and loyalty by knowingly disregarding contamination risks and failing to oversee the safety of Blue Bell’s food-making operations, and that the directors breached their duty of loyalty under Caremark.

The court was compelled to decide in the plaintiff’s favor due to evidence of the simplicity of the organization’s business model; the industry-specific risk of food safety; the lack of board oversight of food safety issues; and the absence of protocols by which the board expected to be advised of developments in this risk area.

It was concerning to the court that when “yellow and red flags about food safety were presented to management, there was no equivalent reporting to the board and the board was not presented with any material information about food safety” during the critical period leading up to the three deaths. In the court’s view, these facts created “a reasonable inference that the directors consciously failed to attempt to assure a reasonable information and reporting system exist[ed].”

The Caremark standard is burdensome for the plaintiffs’ bar to overcome. Indeed, it was stated in a footnote of the Marchand v. Barnhill ruling that “[under Delaware] law, director liability based on the duty of oversight is possibly the most difficult theory… upon which a plaintiff might hope to win a judgment.”

Key Determinations

The key Delaware Supreme Court determinations, both fact-driven, were:

  • Independence. The Supreme Court held that one director, viewed by the Court of Chancery as independent, was not independent based on the allegations in the complaint. As a result, the court found that a majority of the board was not independent and disinterested for purposes of the board’s consideration of a stockholder demand to file a lawsuit against directors and officers.
  • Oversight. For purposes of denying a motion to dismiss by the organization, the facts alleged by the plaintiffs were sufficient to satisfy the high Caremark standard for establishing that a board breached its duty of loyalty by failing to make a good faith effort to oversee a material risk area, thus demonstrating bad faith.

Some Guidance for Directors

Marchand is a noteworthy decision, both because it illustrates the outer bounds of directors’ oversight duties and because it represents a rare instance of prospective Caremark liability.

The specific deficiencies at Blue Bell listed by the Court serve as a helpful guide to the minimum best practices under Delaware law: a board should consider

  • Dedicating a committee to its main compliance risks;
  • Establishing protocols requiring management to keep it apprised of compliance practices, risks, and reports;
  • Setting a schedule to assess its main compliance risks on a regular basis;
  • Formulating procedures for the communication of red or yellow flags to the board and memorializing the associated discussions in board minutes; and,
  • Arranging for and documenting regular discussions of compliance risks at board meetings.

Review Your Public Filings

Given that the risk factors listed in Form 10-K generally represent the organization’s core areas of concern, directors should review their organization’s recent public filings and evaluate whether the organization has an adequate board-level oversight process in place to address relevant risk factors.

Monitoring and reporting systems

A board-level compliance monitoring system directed at and overseeing the organization’s central compliance risks must be in place. The Court made clear that, where appropriate board-level oversight systems exist, Caremark claims generally fail. The compliance system must be implemented in good faith, must be governed by appropriate procedures, and must be tailored to the organization’s business and its core compliance risks.

Compliance risk is the threat posed to an organization’s financial, organizational or reputational standing resulting from violations of laws, regulations, codes of conduct, or organizational standards of practice. To understand risk exposure, many organizations should review and improve upon or implement a comprehensive risk assessment process to fully incorporate compliance risk exposure. The assessment should be performed by subject matter experts along with appropriate business and functional personnel in order to achieve successful results.

Never truncate the oversight process by merely listing risks. 

Align the board’s oversight and risk mitigation efforts with the organization’s most significant risks, given its strategy and business model. Listing the organization’s risks or documenting them in a heat map from time to time but failing to identify key risk indicators, assign ownership and implement mitigation efforts falls short of effective oversight. A well conducted risk assessment will identify and prioritize the most critical risks and enable the assignment of resources to effectively and efficiently mitigate these top risks.

Allow time on the board agenda for risk oversight, and set risk escalation and monitoring protocols. 

Executives responsible for managing risk should be positioned to succeed with policies, processes, reporting, and systems appropriate to the industry. Risk management issues should be discussed regularly. In understanding who is responsible for the key risks, the broad strokes of the risk responses in place, and the nature of arising issues, the board should ask questions to satisfy itself that mission-critical matters are escalated to its attention in a timely manner, especially those related to compliance.

Pay attention to culture. 

Organizational culture and performance incentives were highlighted as areas of concern in the case against Blue Bell because it was inexplicable to stakeholders that management did not inform the board of the matters in question. The board must have confidence that management will act promptly to inform it when mission-critical issues of any nature arise. Setting specific and clear expectations of management and risk owners who are tied to mission-critical risks, and including relevant topics at regularly scheduled meetings, will help the board attain that confidence and nurture a culture of trust, openness, transparency and timely communications about emerging problems. Companies are encouraged to conduct cultural assessments to help identify risk culture, levels of transparency for reporting concerns and ability to promptly respond to complaints or concerns.

Delineate full board and standing committee roles. 

The complaint against Blue Bell Creameries alleges that, despite the importance of food safety, the board had no committee overseeing it, no full board-level process to address it, and no protocol by which the board expected to be advised of developments relating to it. When delegating responsibilities to its committees, the full board should ensure the appropriate committee covers the key risks—whether it currently exists or has to be created and newly chartered—and that information flows are sufficient to apprise the full board of critical matters.

Maintain minutes concerning critical risk matters. 

According to the court, “minutes from the board’s […] meetings are bereft of reports on the listeria issues […] [and] revealed no evidence that these were disclosed to the board.” The court’s findings suggest an expectation that management will escalate mission-critical matters to the board on a timely basis, that the board will set protocols for such escalation, and that there will be evidence in the minutes that such matters were discussed by the board. It was troubling to the court that the board left the organization’s response to the listeria outbreak to management instead of holding more frequent emergency board meetings to provide ongoing updates to board members.

The Blue Bell Creameries case is based on unique facts related to food safety and compliance matters. Nonetheless, the court’s decision might be more than a metaphorical “shot across the bow” and a real warning for boards to ensure their risk oversight processes meet or exceed fiduciary standards and take into account the unique regulatory demands of the industry.

 

Closing

The Delaware Chancery Court’s decision in In re Caremark has greatly influenced the growing field of compliance as a legal subject and field of practice over the past 20 years. That being said, having active and engaged board oversight in the areas of risk and compliance is a must!

While the Delaware case sends a cautionary message to directors, the DOJ memorandum on the Evaluation of Corporate Compliance Programs provides guidance for directors as they work to fulfill their oversight responsibilities.

I welcome your thoughts and comments.

Best,

Jonathan T. Marks, CPA, CFE

Note

About 48 million people in the U.S. (1 in 6) get sick, 128,000 are hospitalized, and 3,000 die each year from foodborne diseases, according to recent data from the Centers for Disease Control and Prevention. This is a significant public health burden that is largely preventable.

The Food Safety & Modernization Act (FSMA) is aimed at preventing intentional adulteration from acts intended to cause wide-scale harm to public health, including acts of terrorism targeting the food supply. Such acts, while not likely to occur, could cause illness, death, and economic disruption of the food supply absent mitigation strategies. Rather than targeting specific foods or hazards, this rule requires mitigation (risk-reducing) strategies for processes in certain registered food facilities.

This rule applies to both domestic and foreign companies that are required to register with the FDA as food facilities under the Federal Food, Drug, and Cosmetic (FD&C) Act.

This rule is designed to primarily cover large companies whose products reach many people, exempting smaller companies. There are 3,400 covered firms that operate 9,800 food facilities.

Contributing Author: Paul Zikmund

Attribution:

DOJ, Harvard Law School, NACD