Business is complex:

Operating a successful business has become extremely complicated, especially operating a decentralized business that moves people and products (or services) on a cross-national basis.  The CEO is technically called upon to have a finger on the pulse of the business, the share price (if a public entity), the applicable regulatory regimes (local, provincial or state, national, and regional with regard to its principal jurisdiction, then the same again for every nation in which it operates), cybersecurity and privacy laws and protections, contingency planning, HR practices (both for the main entity and for any subcontractors in each and every jurisdiction where such subcontracting has gone), marketing and branding efforts both online and offline, and so forth.

CEOs are overworked:

At the same time, and as a result of this requirement for all-seeing and all-knowing CEO qualities (ready at a moment’s notice or with minimal briefing to respond to an unscripted journalistic query or a legislative summons/subpoena and investigation), a constant stream of material demands to be immediately addressed.  That stream used to be paper that you could see, pile, and file, and watch decrease in amount; it is now “all electronic”, in voicemails (both on the portable smartphone and the office line), emails, texts, and attached spreadsheets, letters, and memos.  Is it any wonder then, despite the occasional intentional fraud coming to the light of day, that a few things will be missed every now and then?

Help is available:

Most if not all CEOs have assistants, and VPs or Directors to assist them in running the company, with a handful of senior officers who may even add the “Chief” designation in their titles.  But, is it now time to go a little further, and broaden the pool of C-Suite membership?  I would say, yes, and propose an expansion to 10 (“ten”) such members, including the CEO, as divided into 4 working groups – in a “10/4 Formula”.

Ten Executive Officers:

As listed in acronym alphabetical order, the expanded “10/4” C-Suite would include the following members.

1. Chief Administrative Officer (CAO);

2. Chief Contingency policies, plans, and practices Officer (CCO);

3. Chief Executive Officer/Executive Director (CEO);

4. Chief Financial Officer/Comptroller (CFO);

5. Chief Information Communications Technology Officer (CIO);

6. Chief Legal Officer/General Counsel (CLO);

7. Chief Marketing Officer (CMO);

8. Chief Operating Officer/President/Managing Director (COO);

9. Chief Plans, Projects and Partnerships Officer/Chief Development Officer (CPO);

10. Cross-national Coordinating Officer (XCO).

(i) CAO (Chief Administrative Officer): Responsible for overall management of residual line and staff functions and their budgets, the CAO arguably has more authority than all of the other executive officers apart from the CEO.  Residual line functions include security, supplies and procurement, and transportation (with IT already carved out and assigned to the CIO).  Residual staff functions include personnel and recruitment, work/life balance and morale, and plant and maintenance (with finance and legal already carved out and assigned to the CFO and CLO respectively).

(ii) CCO (Chief Contingency policies, plans, and practices Officer): Working primarily with the CLO and the CPO, this executive officer will focus exclusively on forming contingency policies (both staff- and customer-facing), devising and implementing contingency plans, and instituting contingency best practices, with entity-wide knowledge, training and testing, and modification as advised or required.  This executive officer would be supported by a team of technical and scientific experts, professionals with deep experience in that particular business or group of business lines, hedging strategy specialists and advisors (coordinated through or embedded with the CFO), and a host of disaster management practitioners well-versed in the mix of political, environmental, and societal hazards that the company might find itself facing.  We all see how complex emergencies can be created by the interplay of:

(a) Combined environmental hazards (earthquake followed by a tsunami in Fukushima, Japan, that led to loss of life and food resources, radiation leakage, and mass evacuations that impacted both production capacity there and elsewhere, and consumption levels in Japan and other countries);

(b) Combined human failing and product defect (excessive speed and bad watch practices in avoiding icebergs that led to the Titanic sinking with significant loss of life, with added contribution from bulkheads that did not rise all the way to the ceiling, allowing them to be over-topped by the incoming water);

(c) Combined technical and human failings (allegedly bad directions and reputedly absent leadership that led to the grounding of the Costa Concordia, and to its captain being neither the last to leave the listing and helpless vessel, nor the first to lead a safe and orderly evacuation);

(d) Combined technical and human failings (faulty production processes, sanitary practices, and management or regulator laxity) leading to recalls of raw foods (lettuce, peanuts, eggs), processed foods (packaged foods and processed or sold-raw meats), and other consumables in painkillers, pet food, and vitamins;

(e) Single environmental hazard (volcanic eruptions on Iceland’s Eyjafjallajoekull glacier and on Chile’s Puyehue-Cordon Caulle volcanic chain, respectively) that shut down air traffic over vast areas, disrupting business and personal travel for a significant period of time and causing many billions in losses to be incurred;

(f) Combined environmental hazards (hurricane and wind, with flooding) that destroy crops and inventories of goods, soak and damage transportation and infrastructure with salt water, and displace large numbers of people due to the lack of power, destruction of local food sources, and absence of safe and mould-free shelter; especially critical during colder weather that could also generate snow and ice, or during a storm season or tornado season – generating additional casualties from the perils of pollution and exposure to the elements;

(g) Possible product defects (A.D. 2012 parking garage collapses in Elliot Lake, Ontario, in Woodbridge, New Jersey, and in Dorval, Florida) that are exacerbated or tested to destruction by heavy or concentrated loading (other building and structural cave-ins/collapses), harsh winds (Tacoma Narrows bridge collapse), and tremors (earthquakes and nearby blasting) or severe rains and flooding (sinkholes, bridge washouts, shore and hill erosion, and subterranean tunnel and sewer flooding), leading to loss of life, trapped and injured survivors who require complex and costly water rescue, aerial evacuation, and high-angle rescue (with or without enclosed space shoring, rescue dogs, and specialized robots or probes), significant infrastructural damage, and additional losses of homes, vehicles, and other property;

(h) War or sustained insurrection and its knock-on effects in unregulated munitions flow, refugee movements, compounding food and medical deficiencies with resultant disease outbreaks, violence against refugees, and creeping destabilization of neighbouring and hitherto peaceful states;

(i) Human maintenance and management failings coupled with an ultra-hazardous activity (massive oil discharge in the Gulf of Mexico, with ecosystem damage and sundry knock-on effects impacting businesses in the food, transportation, hospitality, and tourism sectors);

(j) A constant stream of technical security failings opening access to corporate networks, special programs, critical infrastructure, and personal information.

The risks of something bad becoming “very” bad are significantly heightened in an interconnected, co-dependent, and wired world.  Climate Change threatens to put entire chains of unprepared suppliers, manufacturers, and growers out of business; whether due to direct disruptions or disruptions of their own third-party suppliers, manufacturers, and growers.  This can go on far down the line, and everyone could be stuck.[1]  Complex emergencies and preparations such as these require a lot of thought and planning, and likely now, verified certifications from counterparties that they have taken certain precautions to guard against being caught without a backup plan to the detriment of others.  This is the unenviable task of the CCO – to ensure full recovery from all disasters … in the long-term!  *The short term is a different story.*

(iii) CEO (Chief Executive Officer/Executive Director): Responsible for the strategic directions and strategic outcomes of the company, the CEO is the head coach.  Assistant coaches are the other C-Suite members, and a “conductor” analogy will not work here because an orchestra cannot function when multiple conductors and sub-conductors are calling their teams of workers (in silos/fiefdoms) to play divergent, discordant tunes.  Inevitable results of the latter are committed cacophony, complete confusion, and a corporate collapse.

(iv) CFO (Chief Financial Officer/Comptroller): This officer is responsible for all fiscal affairs, including Budgeting and Forecasting (projections, allocations, and analytics), Treasury (expenses and receipts, and credit and investment management), Financial Statements (reporting and internal audit), and all policies, protocols, personnel, and computer programs and platforms (tools) that are involved in this complex mix.

(v) CIO/CTO (Chief Information Communications Technology Officer): The CIO is responsible for Network Architecture (designing, building, and configuring a network that meets specifications and serves desired functions), Enterprise Resource Planning (allocation of, and budgeting for, I.T. resources, including distinct subsystems for e-commerce, sales and billing, CRM and data governance, CAD/CAM, SCADA, and internal communications – voice, data, intranets, mobile applications), and Network Administration (access protocols, physical and electronic security, data integrity and backup, business continuity planning in the I.T. domain), and all policies, protocols, personnel, and computer programs (tools) that are involved in this complex mix.  An additional function of Privacy and Data Protection (PDP) may reside herein, with the office and functions of the XCO, or with the office and functions of the CAO.

(vi) CLO/GC (Chief Legal Officer/General Counsel): The GC protects the organization against known and developing risk factors; represents the organization to third parties and defends its interests (whether in contractual protections and advance due diligence, litigation and alternate dispute resolution, or to regulators and through regulatory processes including GRC (governance, risk, and compliance) functions, and IP registration and licensing); and advises the organization on overall legal strategy, or legal aspects/repercussions of specific or proposed strategies and actions.  The CLO will be assisted by subordinates and may have relationships with specialized outside law firms in desired fields (or practice area group environments),[2] to which he or she will assign work as needed to support in-house legal functions.

(vii) CMO (Chief Marketing Officer): Marketing takes many forms, whether in the product or service itself, traditional print and radio advertising, or word of mouth (which includes word of web and word of viral video whether good or bad, and word of both product placement and recall).  Product recalls, though starting as negatives, may actually garner fans from the way in which the manufacturer or producer responds to the adverse event.  This role needs a nimble operator who has a good command of the technical marketing side (web and graphic design, wordplay, and psychology), and a social media team with dedicated monitoring functions, previously archived quick-response webpages for a variety of scenarios, and an outside media analytics and PR firm on standby.  Special care must be taken where an employee comes aboard with his or her own social media following, or develops one while working on the company’s time and dime.  It can be a two-edged sword.

(viii) COO (Chief Operating Officer/Managing Director/President): Keeping the day-to-day operations on an even keel, with proper and well-documented sales practices (Sales), timely and accurate order fulfillment (Manufacturing/Service Delivery), and above-board collection and revenue-recognition practices (Finance), is a critical chain to maintain in good working order, as it is the very lifeblood of the company.  A failing on any one of these three links could throw the ship off course or even sink it.  Ideally, the COO will select either Sales or Manufacturing/Service Delivery as his or her primary focal point, and be assisted by 2 subordinates (for Finance and the option not selected).  Strict segregation of duties (SOD) will prevent those deputies from dominating said functions, which must be the primary responsibilities of the CFO (Finance) and the CMO (Sales) respectively.  However, they must work to ensure that these three Executive Officers and their functions are all very well coordinated.

(ix) CPO/CDO (Chief Plans, Projects and Partnerships Officer; also sometimes termed the Chief Development Officer): Long-range planning, including succession planning and insurance strategy (except hedging, which lies with the CFO), is the responsibility of this executive officer.  In addition, he or she will take the oversight lead on any critical projects (plant upgrades, significant new products), or partnerships that would otherwise and unduly distract one of the other executive officers.

(x) XCO (Cross-national Coordinating Officer): Many businesses have an international profile, even those with only occasional foreign sales.  This can include employees of many nationalities, cultural or religious preferences and practices, far-flung operations or contract manufacturing plants and raw material sources, or exports to jurisdictions with myriad regulatory regimes.  It is the XCO’s job to ensure that everyone is as close to being “on the same page” as possible, that company ethical and compliance practices are adhered to across the board – despite cultural differences – and that consistency is maintained in operations, administration, and responses to any crisis.

Four Working Groups:

(1) Working Group 1 – Ongoing Operations (OO):

Led by the CEO, this working group would focus on oversight and control of day to day operations.  The CEO would be joined in this effort by the COO and the CMO.

(2) Working Group 2 – Internal Controls (IC):

Led by the CFO, this working group would focus on compliance and internal controls in creating, implementing, monitoring, and updating a comprehensive GRC program.  In addition to “compliance”, this working group would also be tasked with leading in “cooperation” with regulators, due to the need from time to time for certain companies and industries to respond to requests for cooperation with regulators over investigations, boycotts and sanctions, recalls, security measures, and other joint action that needs high levels of coordination.  The CFO would be joined in this effort by the CAO and the CIO.

From time to time, and for better organizational coordination overall, OO and IC might hold unified meetings (virtual, in-person, or a combination of these), and they would be joined there by the CLO.  Of course, the CLO could also sit in on IC and OO meetings when held separately, time and workload permitting and as the needs of the working groups and the business so require.

(3) Working Group 3 – Contingencies, Policies, and Projects (CPP):

Led by the CLO, this working group would focus on contingency planning, company policies, and the oversight of critical or large projects.  The CLO would be joined in this effort by the CCO and the CPO.

(4) Working Group 4 – Global Oversight (GO):

Led by the XCO, this working group would focus on keeping an eye on the global pulse and wellness of a decentralized entity.  Of course, this working group would only be added as and when warranted.  Drawing on other executive officers to fulfill its mission and mandate, GO’s two component sub-groups would be:

*PACE (Privacy, Administration, Cybersecurity, and Environment), and

*COG (Contingencies, Operations, and GRC).

PACE: XCO as the standing lead, and joined by the CAO, CFO, CIO, and CPO.

COG: XCO as the interim lead, and joined by the CCO, CLO, CMO, and COO.  The CEO would be the standing lead for COG, as well as the unified meeting sit-in member for the GO and CPP working groups (as is the CLO for the OO and IC working groups).

Challenges:

Some might say that these functions replicate those of the Board and of the Committees of the Board, to an extent.  I agree in part because this group of 10 top company executives could essentially be said to constitute an Executive Board (supervising day to day functions).  The Supervisory Board (Board of Directors) would still be responsible for oversight, as 10/4 is merely designed to ensure that adequate attention is given at the day-to-day level of governance, to those items and points that have most often tended to cause slip-ups in recent memory (such as governance gaps; lax compliance or internal controls; financial misstatements; and inattention to plugging risks of faulty internal audit, insufficient segregation of duties, lax supervision, or failure to timely act on employee grievances including but not limited to harassment claims), and engage the Board’s attention to find, fix, and further prevent them from recurring, with other appreciable (and avoidable) regulatory and legal costs and repercussions.

Coordination of these now distributed executive-level functions would likely also be a challenge, at least initially.  However, once 10/4 is firmly in place and with the proper implementation of the proposed meeting and joint meeting structures, along with open lines of communication, this should diminish over time.

The need to pay perhaps exorbitant salaries to even more senior officers might also seem like a challenge.  However, there is plenty of un-utilized (read: “unemployed”) and otherwise under-deployed (“unhappily” under-employed) talent available in the current economic climate that would welcome the opportunity to apply themselves to these sometimes new and always interesting roles; not exactly for a pittance as professionals should be given their due respect, but with every intention of earning their way and growing with the company.

Opportunities:

Added specialization of function and better core focus are obvious benefits.  Clearly, each of these ten functions demands a full-time focus.  C-Suite members will be better able to drill down within their assigned roles with a lot less distracting “noise” and far fewer demands for assistance or advice on matters outside their scope that cause a frantic scurrying for the right answer, sometimes outside the company and at a cost commensurate with the urgency of the request from … “higher up”.  More skills and abilities can therefore be retained in-house, and appropriate additional expertise sourced as needed, or retained on call, outside the company.

Growth Map:

Many companies will tend to “really” start with a core of 3 principals, the CEO, CMO, and CIO (if technology focused); or the CEO, CMO, and COO (if in services or a widget-maker).  Of course, all will wear multiple hats from the start, and be drawn to move in many directions at once.  While still small or a start-up, this can often be managed, albeit with a little effort and significantly less sleep.

After a time, they will generally add the CLO and CFO, as compliance and cooperation, and the need to create, monitor, and keep up proper records and accounts in-house (as opposed to having an on-call book-keeper), all become more important over time.  Other motivators for this expansion at the top might be the need to seek financing from Angel Investors or VCs, or preparation for an IPO – or even at that early stage, an acquisition of more capacity or talent that resides in another business.

Eventually, a CAO will be added to free up CEO or CMO time spent on day-to-day administrative duties for other functions, and the CCO and CPO will be brought on as the needs of the entity or best practices dictate; this may even precede the addition of a CLO or a CFO, or both.  Similarly, the presence or onset of major cross-national operations may bring in the XCO earlier, or later, in the growth process.

Summary:

10/4 is quite doable, and the first movers, as always, will be able to iron out the kinks early, and share or not share their tips with competitors in their industries as they strive to maintain their own competitive leads.  The four corner offices can thenceforth be reserved as boardrooms for meetings of the four working groups or other teams within the work environment that need the separation, while executives sit closer to the middle of the floor and the action, creating a more involved and collaborative decision-making model, and a smoother workflow with face-time and an all-ranks accountability that self-regulates against water-cooler lounging, social media misuse, and other forms of slacking off, without the need for certain increasingly used (and sometimes highly intrusive) technical tools to protect and promote productivity.  Let’s see who, if anyone, will go for it first … 10/4?!

******************************************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, Cloud applications, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling in both Canada and the United States).  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.).  See: http://www.ogalaws.com

He is an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams.  See: http://www.simprime-ca.com

Backed by courses in management, organizational behaviour, and micro-organizational behaviour, Mr. George is also a writer, tweeter and blogger (as time permits), and a published author in Environmental Law and Policy (National Security aspects).

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[1] See e.g. Ekundayo George.  Cybersecurity (the Big Picture): Avoiding “Destabilizing Data Disaster” (D3).  Published September 1, 2011, on ogalaws.wordpress.com.  Online: https://ogalaws.wordpress.com/2011/09/01/cybersecurity-avoiding-destabilizing-data-disaster-d3/

[2] See e.g. Ekundayo George.  Practice Area Group Environment – PAGE: (a version of) BigLaw’s Future?  Published November 2, 2012, on ogalaws.wordpress.com.  Online: https://ogalaws.wordpress.com/2012/11/02/practice-area-group-environment-page-a-version-of-biglaws-future/


GRC: Compliance (Part 4).

November 12, 2012

This is the fourth and final installment in a series on devising a structure to address that ever-expanding and increasingly complex (and crowded) intersection of Governance, Risk, and Compliance (GRC).  This is the new paradigm for compliance programs in modern business, but one should always bear in mind that any Compliance Program should be structured with due consideration for the Scope (range of products and/or services offered), Size (number of employees), and Span (geographic spread, and number and range of legal regimes to which it is subject) regarding the entity; including any and all subsidiaries and any cross-national requirements.

Progress so far: What have we covered?

The corporate compliance function can be defined as “those persons, processes, and protocols whether active or automated, that are employed and deployed by the subject entity to ensure on a continuing basis that governing laws are adhered to, governance is responsible and responsive, risks are contained within acceptable parameters, and that failings on any or all of these priorities, are speedily and sufficiently addressed in accordance with applicable laws, whether general, or case- or situation-specific”.

We started in Part 1 (GRC: An Overview),[1] with a quick review of the essential requirements of an effective corporate compliance and ethics program as devised for the Canadian and U.S. federal jurisdictions, respectively.  We also looked at some of the similarities and differences between these two regimes, and some of the factors and related laws that impact upon ethics in general and corporate compliance functions.

Next, in Part 2 (GRC: Governance),[2] we set framework parameters in a chart or matrix.  There were 3 category columns on the X-axis, arranged horizontally; 7 category rows on the Y-axis (with 2 additional but reserved rows), arranged vertically; and as a third or “depth” dimension, containing 5 more categories.  We also ran through a much abbreviated presentation and analysis, using only the first category column (Governance), as we addressed some of its intersection points with the 7 category-rows, as well as with selected elements of the third simultaneous analytical element, the depth dimension (Function, Industry, X-national, Employee class, and Division).

Recently, in Part 3 (GRC: Risk),[3] we presented an analysis using only the second category column (Risk), and addressed some of that column’s intersection points with the 7 category-rows, as well as with elements of the depth dimension (F-I-X-E-D).

Compliance.

Now, we address some compliance or control options and arrangements (involving persons, processes, and protocols) as they intersect with category-rows and the depth dimension.  What additional compliance and control arrangements as encompassed by a compliance program, might be available to address the challenges of governance, government regulation, and the risks that have been identified in the preceding installments of this series?

Regulatory:

In the U.S. financial services industry, for example, passage of Gramm-Leach-Bliley in 1999 ushered in a Financial Privacy Rule (mandating the entity’s provision, prior to commencing the business relationship, of a privacy notice to customers, and also restricting the entity’s collection, use, and disclosure of customer personal information without consent, along with instructions and the opportunity for customers to opt out); a Safeguards Rule (mandating the creation by entities, if not already existing, of a comprehensive, written plan and procedures to secure and protect customer information, along with assigned oversight, risk analysis, testing, and modification as needed); and Pretexting protections (primarily through ongoing training of financial industry employees in countering social engineering, to better detect, deflect, and report unauthorized attempts to access protected, nonpublic customer personal information).[4]

An effective compliance program with regard to Gramm-Leach-Bliley, for example, would therefore involve entity leadership at the highest levels, recruitment and retention of competent advisors, access to industry best practices through associations, and a painstaking exercise of “checking all the boxes”.  Fraud Risk Assessments (FRA) should also be periodically conducted, with regard to the potential for collusion, whether between insiders, or between insiders and outsiders, combined.  Entities involved in ultra-hazardous activities, national security, or work with the vulnerable sector (children and youth, the elderly, and healthcare or social services), should also be especially mindful of their often enhanced regulatory compliance requirements – and not just with respect to financial disclosures.

Environmental:

Compliance with environmental law is an increasingly complicated task.  Pre-construction Environmental Risk Assessments (ERA) are common, as are assessments of cultural and community impacts in some jurisdictions.  Issues raised must be addressed to the satisfaction of regulators and even host communities, in order to proceed with confidence and, at times, in peace.  Starting with a government agency’s own specific or omnibus roadmap for its own compliance[5] is one option, and if it is somewhat dated (unlike the referenced resource at the time of posting this blog) there is no harm in asking a contact person at that agency for guidance on how to access updates or addenda, if any.  In addition, special attention should be paid to legal and regulatory requirements on engineering and efficiency; measurement, disclosure, and mitigation; and ongoing training on tools, threats, and a company-wide mandate for high ethical standards and corporate transparency when dealing with investors, employees, and regulators.

Accounting/Audit:

A study (released in 2005) on Revenue Recognition Practices in the wake of SOX[6] found that, in a survey of 162 public companies, contract management, revenue recognition, and tax provisions and related accounting were among the top 5 contributors of GRC challenges.[7]  As to the direct impact of SOX, both public (162) and private (238) companies were found to be closely aligned in the major factors impacting their revenue recognition policies, being: business model changes (approximately 25% and 30% respectively); new audit requirements (approximately 7% and 5% respectively); and SOX itself (approximately 25% and 30% respectively).[8]  Being nevertheless well aware of the challenges they faced, the respondents at all 400 companies, both public and private, identified 10 areas where they were exploring and evaluating automation and compliance tools.  Amongst these ten were: workflow and approval process, contract management, revenue recognition, tax, credit management, and expense reimbursement.[9]

The current fiscal landscape is no different, as fiscal challenges continue and accrue.  It is therefore critically important to first gain a better grasp on the fiscal landscape, in order to fashion a credible and comprehensive fiscal policy matrix, including revenue recognition (Framework).  The fiscal matrix comprises 9 (“nine”) main elements, termed “frapsra” (F, P3, S, R3, A); being:

(i) Framework;

(ii) Procurement (set price range, source or order, receive and verify, pay);

(iii) Projects (budget, issue requirements, evaluate options, start-manage-complete project, evaluate and commission, pay);

(iv) Personnel (establish requirement, interview and verify credentials and fit, hire and train, assign and promote, and otherwise manage);

(v) Sales (set price or range, fix essential terms, take order, ship and fulfill, invoice);

(vi) Receivables (management);

(vii) Revenue (recognition);

(viii) Receipts (apportionment); and

(ix) Audit (internal):

  1. Of Internal Controls ~ to prevent, detect, and timely correct and clarify mistakes and ambiguities before they are released and potentially impact upon the entity as either material misstatements or being materially misleading;
  2. Of Disclosure Controls ~ to give senior officers the confidence to present and defend credible MD&A and forward-looking statements, and certify statements of earnings and financial condition in accordance with law;
  3. Of the GRC Regime ~ to ensure that the 5 (“five”) questions ending this installment and this series, can be asked and answered appropriately.

The fiscal policy “Framework” comprises 6 (“six”) main elements, being in no particular order:

(a) Oversight and offshoring:

  1. Transfer costs,
  2. Customs duties,
  3. Country of origin rules,
  4. Tax treatment;

(b) Business model:

  1. Description and rationale,
  2. Reporting lines and functions,
  3. Transaction example standards,
  4. Sample bottlenecks/sticking points with decision-tree tables;

(c) Listed procedures for data capture, data control, data typing, and data verification, with backup, secure offsite replication, and recovery; including an identification of approved software tools;

(d) Improper and prohibited practices identified;

(e) GAAP and related accounting policies (the options to be applied, as these choices impact the rest of the Framework).  Once selected, these should only be changed on approval at the highest levels, but reviewed with (and preferably prior to) the introduction of any new product or service, or the addition of any sub-entity;

(f) Effectiveness considerations:

  1. Segregation of duties,
  2. Contracts management with standardized forms and formats,
  3. Standardized sales and procurement forms and formats,
  4. Training and internal + external communications policies,
  5. Credit management for the entity, vendors, and customers,
  6. F-I-X-E-D (depth dimension) application, to share the Framework entity-wide, considering local or regional variations in line with overall GRC policy.

Lessons Learned:

The days of racing to the bottom (lax regulatory regimes of primary organization) and bottom-feeding (seeking out the most lax regulatory jurisdictions in which to operate) should be long gone in light of recent Alien Tort Statute court victories involving Ecuadorians[10] and Nigerians,[11] amongst others likely still to be filed, and the increasing push to recognize international environmental crimes as crimes against humanity and genocide.[12]  Other inroads are also being made in securing redress for colonial wrongs,[13] and so both memories and the retroactive reach of the law can be extensive.

Additional lessons learned in compliance efforts should focus on industry-specific and geo-specific GRC efforts (labor relations, climate change).  In addition, scandals over the past decade should have proven beyond a doubt that only a combination of manual and automated controls can cover for gaps and human deficiencies, and that there must also be senior officer commitment with active project, process, and contracts management to ensure the proper creation, implementation, enforcement, and ongoing testing and improvement of an effective GRC and ethics program.  Special attention should also be paid to compliance with laws and regulations on Proxy Filings and voting, Stock Options, and Insider Trading disclosures.

Internal/Institutional:

As with compliance in the environmental field, touched upon above, other industries also have their own compliance challenges, which can often be considered in light of specific guidance documents issued, for example in the United States, for the steel industry,[14] regarding patent and trademark law compliance for small businesses,[15] and in the realm of trade compliance.[16]

Achieving compliance can be a significant distraction in some jurisdictions where new and sometimes highly complex laws are issued[17] and updated[18] on a regular basis; whether in response to an emergency or other critical event, or to address an ongoing issue or series of issues.  In the case of the latter, the Dodd-Frank Wall Street Reform and Consumer Protection Act,[19] for example, ushered in a sea change to the resource industry landscape with regard to public issuers.  Significant due diligence and disclosure requirements (claimed as onerous in some cases) are now mandatory in order to detect, prevent, and curtail the trade in conflict minerals,[20] which trade has had significant community and cultural impacts.  For instance, wherever “conflict minerals are necessary to the functionality or production of a product manufactured by such person”, annual reports must be filed containing: (i) “a description of the measures taken by the person to exercise due diligence on the source and chain of custody of such minerals”; and (ii) “a description of the products manufactured or contracted to be manufactured that are not DRC conflict free”.[21]

In terms of enforcement, recent caselaw in the United States has expanded the definition of who can constitute a whistleblower under Dodd-Frank.  We see from Kramer that such a person can be almost anyone who discloses information about a possible violation (a lower standard than under SOX, which requires disclosure to the SEC of information concerning a securities law violation, backed by a reasonable belief that a possible violation occurred).  We also see from Ott that a person asserting a retaliation claim under Dodd-Frank need not necessarily be a person who would (or could) also have qualified for the whistleblower bounty by making a disclosure in apparent accordance with law in the first place.[22]

As a result of these laws (SOX and Dodd-Frank), and other laws requiring in-depth and ongoing compliance, appropriate ethics and regulatory compliance training should be developed and broadly instituted across the company.  This is especially critical in entities with depth, i.e. decentralized with multiple divisions or business segments, whether domestic, continental, or more transnational.  Additionally, internal investigations should be properly structured[23] and intermediaries closely monitored to avoid any third-party or vicarious liability, or conspiracy.

Structural/Systemic:

Securities laws in the United States,[24] across Canada,[25] and in the European Union,[26] for example, specify the types and extent of information that issuers must disclose, both for registration and as an ongoing requirement.  Securities laws in India[27] and Australia,[28] and such United States amending laws as the Sarbanes-Oxley Act (SOX)[29] and the Gramm-Leach-Bliley Act,[30] further address transparency, detailed compliance and reporting requirements, and mandatory aspects of corporate governance and ethics.  Except as otherwise specifically stated,[31] SOX compliance is mandatory,[32] and three noteworthy compliance provisions are Sections 404, 302, and 307.

SOX Section 404:

Section 404 specifies annual disclosure by corporate issuers regarding the existence of, management responsibility for, and evaluation of their own internal controls; as further “attested to and reported on” (double-checked and verified as accurate) by the issuing entity’s auditors.[33]  Retaliation against whistleblowers,[34] failure to certify financial statements as required,[35] and evidence tampering that hampers or clouds an investigation[36] all now constitute criminal offences under SOX, with significant penalties.

SOX Section 302:

Section 302 further mandates that principal officers of issuers certify by signing that they have: (i) reviewed the subject quarterly or annual financial report; (ii) found the same to be accurate (it “does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading”); (iii) found the same to be complete (in that the information therein does “fairly present in all material respects the financial condition and results of operations of the issuer as of, and for, the periods presented in the report”); (iv) appropriately established, maintained, and evaluated internal controls; with (v) disclosure to the issuer’s auditors and the audit committee of all “significant deficiencies” and “material weaknesses” of internal controls, as well as “any fraud whether or not material that involves management or other employees who have a significant role in the issuer’s internal controls”; as well as any corrective actions.[37]

SOX Section 307:

Finally, Section 307 provides for a heightened duty of legal counsel to report up the line when finding evidence of any “material violation of securities law or breach of fiduciary duty or similar violation by the company or any agent thereof”.[38]  Counsel has an additional duty to report further up the management chain, to the Audit Committee or another appropriate Committee of the Board of Directors, if the first person hearing the complaint and report “does not appropriately respond to the evidence”.[39]

Technical/Tactical:

Segregation of duties should be rigorously enforced in accordance with industry best practices, or in excess of industry best practices, where warranted.  Spot audits of social media usage policy compliance should be ingrained, as should be disciplinary procedures for infractions and industry (or above-industry) best practices in IT management policies and procedures; some of which practices I earlier identified in part 3 of this series.

Further technical and tactical compliance efforts should focus on industry-specific and geo-specific risks (earthquake, hurricane or tornado, fire and flood).  Sometimes, however, even the best-laid plans and safety precautions[40] can be overwhelmed under the onslaught of concurrent multiple perils, such as the earthquake and tsunami in Fukushima, Japan of Monday April 11, 2011.  In any case, there should be interim testing and updates of the written, shared, and practiced compliance guidelines; especially in the rapidly developing e-Commerce and social media realms with regard to Cybersecurity and privacy rights (PIPEDA and provincial privacy laws in Canada, and state privacy laws in the United States); online spam protections in the American CAN-SPAM Act,[41] along with Canada’s equivalent in the Canada Anti-Spam Law;[42] and online copyright infringement protection for ISPs in the American Digital Millennium Copyright Act (DMCA) and Canada’s equivalent Copyright Modernization Act.[43]  All of these are added areas of concern for entities involved in that space, requiring inclusion in their compliance plans.

Two Additional (reserved) Categories:

The first reserved category is Implementation (covering investigations and improvements; staff inclusion as stakeholders; and inspired giving as a corporate social responsibility).[44]  The second reserved category is Climate (covering conflicts of law; conflicts of culture – whether business or natural; and contingencies – environmental, political, technical, man-made, and popular (with “popular” including riot, insurrection, sit-in/occupation, and pre- or post-sporting event mayhem tantamount to riot or insurrection)).[45]  Some of these were touched upon in the above analysis or earlier installments.  However, being essential to the overall success of any GRC program, they should be checked and re-checked, often and at length, against the F-I-X-E-D (depth dimension).

Summary:

Essentially, a company needs to be able to ask all of its officers, employees, and directors the following 5 questions.  A perfect score includes 4 x yes answers (questions 1, 2, 4, and 5) and 1 x no answer (question 3).  If question 5 yields any or many “no” answers, then the company needs to realize and accept that there is a problem, because over time its business will evolve, the applicable regulations will change, and the market is dynamic; so a functioning and responsive GRC program, if left static and unchanging, cannot be so perfect for all cases and over all time!

Question 1: Would you take issues and complaints to a responsible officer or director? (are there internal complaints procedures in place, and do all within the company know how to avail themselves of same?);

Question 2: Are you confident that the issues or complaints raised will be adequately and timely addressed?  (do the responsible officers and the set procedures inspire credibility, by a demonstrated commitment of senior management to both GRC and the established complaint procedures?);

Question 3: Do you fear retaliation or punishment for raising issues or complaints in accordance with the established complaint procedures?  (is there a compliance culture, and are there adequate whistleblower protections?);

Question 4: Are these reporting behaviours championed within your organization?  (is there a clear commitment by all management levels to establishing, enunciating, and upholding the entity’s values and mission, and ethical behaviours; and are internal controls established, communicated, and enforced on a uniform and consistent basis?);

Question 5: Is there anything that you can think of and suggest to improve the GRC processes at your place of work? (this includes both the overall employing entity or head office, and suggested local variations for legal jurisdiction; business or actual culture; changing times, climes, and circumstances; and deficiencies or lessons learned).

*****************************************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, Cloud applications, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling in both Canada and the United States).  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.).  See: http://www.ogalaws.com

Backed by courses in management, organizational behaviour, and micro-organizational behaviour, Mr. George is a writer, tweeter and blogger (as time permits), and a published author in Environmental Law and Policy (National Security aspects).

Mr. George is an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams.  See: http://www.simprime-ca.com

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[1] Ekundayo George.  GRC: An Overview (Part 1).  Published on ogalaws.wordpress.com.  October 21, 2012.  Online:>https://ogalaws.wordpress.com/2012/10/21/grc-an-overview-part-1/<

[2] Ekundayo George.  GRC: Governance (Part 2).  Published on ogalaws.wordpress.com.  October 29, 2012.  Online: >https://ogalaws.wordpress.com/2012/10/29/grc-governance-part-2/<

[3] Ekundayo George.  GRC: Risk (Part 3).  Published on ogalaws.wordpress.com.  November 6, 2012.  Online: >https://ogalaws.wordpress.com/2012/11/06/grc-risk-part-3/<

[4] See infra, note 30.

[5] United States Department of Commerce.  Energy and Environmental Management Manual.  Released in September, 2012.  Online: >http://www.osec.doc.gov/oas/Documents/OSEEP/Docs%20&%20Newsltrs/Documents/EEMM_FINAL_%2826_Sept._2012%29.pdf<

[6] RevenueRecognition.com.  Sarbanes-Oxley and Revenue Recognition Practices: Financial Executive Benchmarking Survey, Revenue Recognition Edition.  2005.  Online: >http://www.complianceweek.com/s/documents/RevRecandIDC-RevenueRecognitionPractices.pdf<

[7] Id. at page 5, figure 6.

[8] Supra. note 6 at page 4, figures 3 and 4.

[9] Supra. note 6 at page 6, figure 7.

[10] See e.g. Karen Gullo and Mark Chediak.  Chevron Bid to Dismiss $18 Billion Award Rejected in Ecuador.  Bloomberg.com, January 4, 2012.  Online: >http://www.bloomberg.com/news/2012-01-04/chevron-loses-bid-to-throw-out-18-billion-award-in-ecuador-pollution-case.html<  Post-judgement actions on the award are ongoing.

[11] See e.g. the matter currently on Appeal to the United States Supreme Court of Kiobel v. Royal Dutch Shell.  Online: >http://www.supremecourt.gov/Search.aspx?FileName=/docketfiles/10-1491.htm<; on appeal from Kiobel v. Royal Dutch Pet. Co., 621 F.3d 111 (2d Cir. 2010), decided on September 17, 2010.  Online: >http://www.ca2.uscourts.gov/decisions/isysquery/3d9bbe68-742b-4422-9de6-1b3c3d48589b/7/doc/06-4800-cv_opn.pdf#xml=http://www.ca2.uscourts.gov/decisions/isysquery/3d9bbe68-742b-4422-9de6-1b3c3d48589b/7/hilite/<

[12] The 2 essential questions to be answered in Kiobel, are: (i) whether corporate civil tort liability under the Alien Tort Statute (“ATS” 28 U.S.C. §1350) goes to subject matter jurisdiction, or goes to merits and has thus already been decided below; and (ii) whether a corporation can be sued as can a private party, or is immune to liability for violating the law of nations regarding genocide, extrajudicial killing, or torture as the 11th Circuit already answered in the affirmative, below.  See United States Supreme Court.  10-1491 Kiobel v. Royal Dutch Petroleum, Decision Below: 621 F.3d 111. Lower Court Case Number: 06-4800, 06-4876.  Questions Presented.  Online: >http://www.supremecourt.gov/qp/10-01491qp.pdf<

[13] See e.g. the ongoing case in the United Kingdom of Mutua and others v. The Foreign and Commonwealth Office (“Mau Mau” case), [2012] EWHC 2678 (QB), judgement issued on October 5, 2012.  Online: >http://www.judiciary.gov.uk/Resources/JCO/Documents/Judgments/mutua-fco-judgment-05102012.pdf<

[14] United States Department of Commerce, International Trade Administration, Import Administration.  Steel Import Monitoring and Analysis System.  Online: >http://ia.ita.doc.gov/steel/license/index.html<

[15] United States Department of Commerce and United States Patent and Trademark Office (USPTO).  Small Entity Compliance Guide: Request for Supplemental Examination.  Released in September, 2012.  Online: >http://www.uspto.gov/aia_implementation/supp-exam-compliance-guide.pdf<

[16] United States Department of Commerce, Bureau of Industry and Security.  Compliance Guidelines: How to Develop an Effective Export Management and Compliance Program and Manual.  Released in June, 2011.  Online: >http://www.bis.doc.gov/complianceandenforcement/emcp_guidelines.pdf<

[17] See e.g. United States Congress.  The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 2001.  Pub. L. 107–56, Oct. 26, 2001; also sometimes referred to as Patriot I.  Online: >http://www.gpo.gov/fdsys/pkg/PLAW-107publ56/pdf/PLAW-107publ56.pdf<

[18] See United States Congress.  USA Patriot Improvement and Reauthorization Act of 2005.  Pub. L. 109–177, Mar. 9, 2006; also sometimes referred to as Patriot II.  Online: >http://www.intelligence.senate.gov/laws/pl109-177.pdf<; See also United States Congress.  PATRIOT Sunsets Extension Act of 2011.  Pub. L. 112–14, May 26, 2011; also sometimes referred to as Patriot III.  Online: >http://www.gpo.gov/fdsys/pkg/PLAW-112publ14/pdf/PLAW-112publ14.pdf<

[19] United States Congress.  The Dodd–Frank Wall Street Reform and Consumer Protection Act, Pub. L. 111-203, July 21, 2012.  Online: >http://www.gpo.gov/fdsys/pkg/PLAW-111publ203/pdf/PLAW-111publ203.pdf<

[20] Id. at Section 1502.

[21] Id.

[22] See Kramer v. Trans-Lux Corp., No. 3:11cv1424, 2012 U.S. Dist. (D. Conn. Sept. 25, 2012), at page 11 of the Order.  In partially denying the defendant’s Motion for Summary Judgement (seeking dismissal of the plaintiff’s Complaint for failure to state a claim for which relief can be granted, under FRCP 12 (b)(6)), the Honorable Stefan R. Underhill, U.S.D.J., held that “Sarbanes-Oxley protects persons who disclose information they reasonably believe constitutes a violation of SEC rules or regulations (…) by the language of the whistleblower provision, the whistleblower need only have reasonably believed that it was a violation (…) [t]herefore, Kramer has alleged sufficient facts to support a Dodd-Frank Act whistleblower claim based on his internal and external communications”.  Online: >http://courtweb.pamd.uscourts.gov/courtwebsearch/ctxc/11cv1424mtdrul.pdf<

See also Ott v. Fred Alger Management, Inc., No. 11 Civ. 4418, 2012 U.S. Dist. (SDNY Sept. 27, 2012), at page 9 of 20 in the Order.  In her Memorandum and Order denying the defendant’s Motion for Summary Judgement under FRCP 12(b)(6) and FRCP 23.1 (Derivative Actions by Shareholders, of which this was one such), the Honorable Loretta A. Preska, U.S.D.J., held that the “anti-retaliation protections apply whether or not you satisfy the requirements, procedures and conditions to qualify for an award.”  The American Law Institute, Continuing Legal Education.  The SEC’s Whistleblower Program: One Year Later.  Cosponsored by the ABA Business Law Section and the ABA Section of Public Utility, Communications and Transportation Law.  Telephone seminar/audio webcast as delivered on October 9, 2012.  Online: >http://files.ali-cle.org/files/coursebooks/pdf/TSUP04_chapter_02.pdf<

[23] Caselaw in the European Union has left in-house counsel somewhat exposed when rendering advice or conducting in-house investigations, as there is an absence of effective privilege.  See e.g. Akzo Nobel Chemicals & Akcros Chemicals v Commission (Competition) [2007] EUECJ T-125/03 (17 September 2007).  Online: >http://www.bailii.org/eu/cases/EUECJ/2007/T12503.html<  On the part of outside counsel, another risk that he or she may face is to be (or find oneself alleged to be) caught up in the misconduct of a client as more than an innocent advisor.  Joseph P. Collins has so far been able to secure a retrial since his earlier criminal conviction.  See US v. Joseph P. Collins, 10-1048-cr, NYLJ 1202537905466, at *1 (2d Cir., decided January 9, 2012).  Online: >http://www.law.com/jsp/decision.jsp?id=1202537905466<

[24] United States Congress.  The Securities Act of 1933 (Truth in Securities Act), 15 U.S.C. §77a et seq.  Online: >http://www.sec.gov/about/laws/sa33.pdf<; The Securities Act of 1934 (Securities Exchange Act), 15 U.S.C. §78a et seq.  Online: >http://www.sec.gov/about/laws/sea34.pdf<

[25] Each province creates, implements, and enforces its own securities laws, as there is no national regulator.  Indeed, this may remain the case for the foreseeable future, as a “Reference” question put to the Supreme Court of Canada approximately one year ago was returned with a decision that the federal power granted under the 1867 Constitution Act to regulate trade and commerce was insufficient to authorize creation of a national securities regulator over and above the existing provincial securities regulators.  See Reference Re Securities Act, 2011 SCC 66, [2011] 3 S.C.R. 837.  Online: >http://www.scc-csc.gc.ca/case-dossier/cms-sgd/dock-regi-eng.aspx?cas=33718<  However, the Province of Ontario passed An Act to implement Budget measures and other initiatives of the Government, S.O. 2002, ch. 22 (Bill 198, effective April 7, 2003), which at its Title XXVI amended the Ontario Securities Act with: (i) updated definitions for materiality, (ii) clarification of continuing disclosure provisions, (iii) encoding of privacy protections for issuers under the Freedom of Information and Protection of Privacy Act, R.S.O. 1990, Chapter F.31, (iv) raising the fine levels from $1 million to $5 million in certain cases, (v) barring fraud, market manipulation, and the making of misleading or untrue statements, and (vi) imposing liability on directors and officers or a “person who authorized, permitted or acquiesced in the non-compliance”.  Online: >http://www.ontla.on.ca/web/bills/bills_detail.do?locale=en&BillID=1067&isCurrent=false&ParlSessionID=37%3A3<  This laid the groundwork for Canada’s securities regulators to work together and issue what became National Instrument 52-109: Certification of Disclosure in Issuers’ Annual and Interim Filings; also sometimes termed SOX Canada.  Online: >http://www.bcsc.bc.ca/uploadedFiles/securitieslaw/policy5/52-109NI_Advance_Notice.pdf<  Subsequent amendments and collateral instruments have strengthened the disclosure regime for public issuers in Canada’s various provinces.

[26] European Commission.  Directive 2004/109/EC of the European Parliament and of the Council of 15 December 2004, on the harmonisation of transparency requirements in relation to information about issuers whose securities are admitted to trading on a regulated market and amending Directive 2001/34/EC.  Online: >http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2004:390:0038:0057:EN:PDF<

[27] National Stock Exchange of India Limited.  Listing Agreement, §49 at pages 77-91; also sometimes termed SOX India.  Online: >http://www.nse-india.com/getting_listed/content/listing_agreement.htm<

[28] Government of Australia.  Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004; also sometimes termed SOX Australia.  Online: >http://www.comlaw.gov.au/Details/C2004A01334/Download<

[29] United States Congress.  The Sarbanes-Oxley Act of 2002 (The Public Company Accounting Reform and Investor Protection Act), Pub. L. 107–204, July 30, 2002, 116 Stat. 745.  Online: >http://www.sec.gov/about/laws/soa2002.pdf<

[30] United States Congress.  The Gramm-Leach-Bliley Act (Financial Services Modernization Act of 1999), Pub. L. 106-102, November 12, 1999, 113 Stat. 1338.  Online: >http://www.gpo.gov/fdsys/pkg/PLAW-106publ102/pdf/PLAW-106publ102.pdf<

[31] For example, limited exemptions exist under Securities and Exchange Commission (SEC) Final Rule 33-9142: Internal Control over Financial Reporting in Exchange Act Periodic Reports of Non-Accelerated Filers. 17 CFR Parts 210, 229 and 249.  Effective September 21, 2012.  Online: >http://www.sec.gov/rules/final/2010/33-9142.pdf<

[32] Some additional SOX carve-outs and modifiers were created by the JOBS Act, which passed with the strong support of both parties (380:41 in the House with 10 more not voting, and 73:26 in the Senate); although not without some controversy from interest groups.  See e.g. Congress of the United States.  Jumpstart Our Business Startups Act (“JOBS Act”).  Pub. L. 112-106, Apr. 5, 2012.  Online: >http://www.gpo.gov/fdsys/pkg/PLAW-112publ106/pdf/PLAW-112publ106.pdf<  See also JOBS Act Critique: Consumer Federation of America.  Public Interest Groups Oppose Anti-Investor “Capital Formation” Bills.  March 5, 2012 Open Letter to the United States Senate, Committee on Banking, Housing and Urban Affairs.  Online: >http://www.consumerfed.org/news/467<

[33] Supra note 29, SOX at Section 404 (Management assessment of internal controls).  See also United States Securities and Exchange Commission (SEC) Final Rule 33-8238: Management’s Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports.  17 CFR Parts 210, 228, 229, 240, 249, 270 and 274.  Effective August 14, 2003.  Online: >http://www.sec.gov/rules/final/33-8238.htm<

[34] Supra note 29, SOX at Section 1107 (Corporate Fraud Accountability Act of 2002), within SOX Title XI.

[35] Id. at SOX Section 906 (White Collar Crime Penalty Enhancement Act of 2002), within SOX Title IX.

[36] Supra note 29, SOX at Section 802 (Corporate and Criminal Fraud Accountability Act of 2002), within SOX Title VIII.

[37] This section applies to all U.S. issuers regardless of their place of incorporation or re-incorporation.  Supra note 29, SOX at Section 302 (Corporate responsibility for financial reports).  See also United States Securities and Exchange Commission.  Final Rule 33-8124: Certification of Disclosure in Companies’ Quarterly and Annual Reports.  17 CFR Parts 228, 229, 232, 240, 249, 270 and 274.  Effective August 29, 2002.  Online: >http://www.sec.gov/rules/final/33-8124.htm<

[38] United States Congress.  The Sarbanes-Oxley Act of 2002 (The Public Company Accounting Reform and Investor Protection Act), Pub. L. 107–204, July 30, 2002, at Section 307(1): Rules of Professional Responsibility for Attorneys.  Online: >http://www.sec.gov/about/laws/soa2002.pdf<

[39] Id. at Section 307(2).  Pursuant to that section, the Securities and Exchange Commission (SEC) has issued Final Rule 33-8185: Implementation of Standards of Professional Conduct for Attorneys, 17 CFR Part 205, effective August 5, 2003.  Online: >http://www.sec.gov/rules/final/33-8185.htm<

[40] In the lead-up to Hurricane Sandy of October, 2012, which wreaked havoc on Cuba, Jamaica, Haiti, and the Bahamas in the Caribbean, and had its heaviest U.S. impact on New York and New Jersey, some businesses, including AT&T in New Jersey, purchased entire fuel tanker trucks as part of their contingency planning, in order to avoid the line-ups at empty filling stations, the business interruptions caused by employees unable to get to work, and the inability to themselves operate due to lost power and gasless backup generators.  See Katie Eder.  Gas becomes hot commodity for N.J. businesses, post-Sandy.  Published on njbiz.com, November 5, 2012.  Online: >http://www.njbiz.com/article/20121105/NJBIZ01/121109942/-1/enews_dailyT1<  See also The Associated Press.  Hurricane Sandy Hits Bahamas After Sweeping Through Cuba and Haiti.  Published on nytimes.com, October 25, 2012.  Online: >http://www.nytimes.com/2012/10/26/world/americas/sandy-hits-bahamas-after-havoc-in-cuba-and-haiti.html<

[41] United States Congress.  Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003.  Pub. L. 108-187, Dec. 16, 2003 (CAN-SPAM Act).  Online: >http://www.gpo.gov/fdsys/pkg/PLAW-108publ187/pdf/PLAW-108publ187.pdf<

[42] Government of Canada.  An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act.  S.C. 2010, c. 23 (also termed the “Canada Anti-Spam Law”).  Online: >http://laws-lois.justice.gc.ca/PDF/E-1.6.pdf<

[43] Bill C-11, The Copyright Modernization Act, received Royal Assent on June 29, 2012.  Notification and counter-notification provisions for ISPs and certain other webhosts – akin to those of the DMCA – can be found in sections 41.25, 41.26, and 41.27 of the Act.  Admittedly, certain public interest entities are protected against harsh penalties in Bill C-11, with the delineation of an injunction as the appropriate penalty for their non-willful copyright infringement.  However, due to the threat (and very real legal option) for infringing websites to be blocked outright in certain jurisdictions, Canadian entities hosting content that might infringe the copyright of “someone, somewhere” (such as blogs and other social media sites) might include notification and counter-notification measures in their online usage policies and contact forms.  We have been approached, and advised, with regard to this option as a potential demonstrated due diligence compliance measure.  See Government of Canada.  Copyright Modernization Act, S.C. 2012, c. 20.  Online: >http://laws-lois.justice.gc.ca/eng/AnnualStatutes/2012_20/page-1.html<

[44] Undoubtedly, employees who see their employer taking a lead when the situation requires it, and who are encouraged to find ways to become personally involved – whether by selecting and presenting CSR opportunities, enjoying matching donations from the employer, volunteering, or otherwise, will be more likely to buy-in to the company’s values, mission, and longevity (by mutually enforcing amongst their peers, improving by individual or group and committee contributions, and themselves personally adhering, each and all, to its compliance and ethics program).  See generally Beth Fitzgerald.  N.J. business community pitches in for Sandy relief.  Published on NJBIZ.com, November 6, 2012.  Online: >http://www.njbiz.com/article/20121106/NJBIZ01/121109925/-1/enews_dailyT2<

[45] Those who have had the foresight and planning to secure appropriate insurance coverage for wind, fire, flooding, and business interruptions, are always happier than others when their paid-up policies are available for claims in times of great need after such “contingencies”.  See e.g. Joseph N. DiStefano.  Philly Deals: Sandy incites twice as many insurance claims as Irene.  Published on phillydeals.com, Tuesday, November 6, 2012.  Online: >http://www.philly.com/philly/business/20121106_PhillyDeals__Sandy_incites_twice_as_many_insurance_claims_as_Irene.html<

GRC: Risk (Part 3).

November 6, 2012

This is the third in a 4-part series on devising a structure to address that ever-expanding and increasingly complex (and crowded) intersection of Governance, Risk, and Compliance (GRC).  This is the new paradigm for compliance programs in modern business, but one should always bear in mind that any Compliance Program should be structured with due consideration for the Scope (range of products and/or services offered), Size (number of employees), and Span (geographic spread, and number and range of legal regimes to which it is subject) of the entity, including any and all subsidiaries and any cross-national requirements.

Progress so far: What have we covered?

The corporate compliance function can be defined as “those persons, processes, and protocols whether active or automated, that are employed and deployed by the subject entity to ensure on a continuing basis that governing laws are adhered to, governance is responsible and responsive, risks are contained within acceptable parameters, and that failings on any or all of these priorities, are speedily and sufficiently addressed in accordance with applicable laws, whether general, or case- or situation-specific”.

We started in Part 1 (GRC: An Overview)[1] with a quick review of the essential requirements of an effective corporate compliance and ethics program as devised for the Canadian and U.S. federal jurisdictions, respectively.  We also looked at some of the similarities and differences between these two regimes, and some of the factors and related laws that impact upon ethics in general and corporate compliance functions in particular.

Next, in Part 2 (GRC: Governance),[2] we set framework parameters in a chart or matrix.  There were 3 category columns on the X-axis, arranged horizontally; 7 category rows on the Y-axis (with 2 additional but reserved rows), arranged vertically; and a third or “depth” dimension, containing 5 more categories.  We also ran through a much abbreviated presentation and analysis using only the first category column (Governance), as we addressed some of that column’s intersection points with the 7 category-rows, as well as with elements of the depth dimension.

Risk.

Now, we address some risk factors as they intersect with category-rows and the depth dimension.

What are some of the risks that are identified or encompassed within laws and regulations, that otherwise challenge good governance, and that should be addressed with a compliance program?

Regulatory:

In this category, we can consider the risk of entity liability for any breach of law or regulation, generally, as well as the potential liability of officers and directors for the same infraction or series of infractions, whether willful or negligent.  Comprehensive General Liability (CGL) coverage is a base prerequisite for which proof will be required by many if not all business counterparties, and certainly by competent commercial landlords.  Securing appropriate coverage in Errors and Omissions (E&O) and Directors’ and Officers’ (D&O) insurance, as and where applicable, is also highly advisable.  Of course, the same is true for business interruption and receivables coverage, and increasingly now for employment practices coverage, in a challenging economic climate where every stage of the employment relationship (candidate sourcing, candidate background checks, hiring and retention, monitoring, investigations, discipline, and firing) is impacted by increasing employee and contractor use of social media; hiring and retention in particular raise issues of non-competes, work-product ownership and attribution, and compensation, including executive compensation for officers and directors generally.  Also rising quickly is demand for privacy breach insurance, due to the costly and onerous reporting, remediation, and credit monitoring (and sometimes restitution requirements, if funds or properties are actually lost) that can result from a large-scale privacy breach.

Environmental:

Avoiding environmental liability is critical to those industries that I identified in Part 2 as amongst the most closely regulated (food processing, manufacturing, healthcare, energy, natural resources, refining or distilling, construction, chemical manufacturing, information technology, automotive, and transportation).  Emissions should be monitored, contained within acceptable limits, and promptly reported and remediated when they leak as gas or fumes, as required by law.  Effluent, whether leachate (as with an improperly lined landfill) or liquid waste and runoff from some manufacturing, distillation, or extraction process, should likewise be monitored, contained within acceptable limits, and promptly reported and remediated, as required by law.  Finally, the entity must have in-depth knowledge of its sludges and solids, if any: what they are, how toxic they are, and how it deals with them, whether they are bio-solids (municipal services), manufacturing and natural resources byproducts (pulp and paper mills, or mining), or packaging wastes from inventory and work in progress.  The practice of “Reduce, Reuse, and Recycle” has now added promising legal options (such as plasma gasification and more widespread deployment of renewable energy sources), but must still contend with persistent illegal options (ocean dumping, prohibited re-use of contaminated materials,[3] and undeclared transboundary movements to jurisdictions having “low-to-no regulation”[4]).  These have devastating effects on flora, fauna, and human life through increasingly toxic and bio-accumulative heavy metals, persistent organic pollutants, and endocrine disruptors, of all of which the locals are invariably unaware; and they can cause significant reputational damage, injury, death, and even entity termination through fines and regulatory sanctions,[5] as well as legal actions.[6]

Accounting/Audit:

Accounting and audit risks can impinge upon industry-specific standards, such as the new Basel III capital requirements for the financial services industry; or broadly applicable standards such as Generally Accepted Accounting Principles (GAAP), and the determination of safe harbours in GAAP equivalents, as applied in other jurisdictions.[7]  Procedures, competent personnel, up-to-date accounting and reconciliation tools, and appropriate policies must be in place to address the risks of improper revenue recognition, transfer pricing, tax remitting, budgeting, and collection practices.  Additional risks must be addressed in the realms of loss control, contract management, and now, various national and transnational Anti-Money Laundering (AML) regulations.

Lessons Learned:

Political risk (government changes, electoral malfeasance whether actual or alleged, and unfavourable policy somersaults), reputation risk (employee, operational, and business crises), counterparty risk (contractor malfeasance, insolvency, or non-performance), and business interruptions (human error, accident, utility failure, or natural disaster), including as a result of climate change and climatic events such as hurricanes and tornadoes, are always potential stressors that must be considered in the risk analysis.[8]  One lesson learned should be the regular commissioning and performance of Gap Analyses and SWOT (strengths, weaknesses, opportunities, and threats) analyses, or the like, in order to identify, assess, categorize, quantify, rank, and address existing, emergent, and fast-evolving risks in an increasingly competitive and hyper-dynamic business environment.

Furthermore, when a serious issue arises that could put many third parties at risk and result in significant reputational damage and litigation, such as the recent revelation of some alleged flaws in hotel security locks,[9] the ideal response should be strong and swift, with genuine attempts to work with regulators, counterparties, and the consuming public in addressing their concerns.  However, responses from both the main manufacturer and the hospitality industry, generally, have varied.[10]  A selection of recalls within recent memory shows a range of initial and subsequent responses by suppliers, regulators, and consumers to alleged, actual, and repeated consumer health and food or product safety issues, in Japan,[11] the United States,[12] and Canada.[13]

This underlines the importance of horizon scanning through ongoing hard media and social media monitoring (so as to be amongst the first to see and know of that posting or video that exposes some critical failing in governance, some hitherto unknown risk, or some compliance challenge that sorely needs to be addressed); of having a well thought-out contingency plan in place (adequate preparation); of proper proofing and stress-testing of all third parties and third-party tools (due diligence);[14] and of good communication lines with vendors (towards a unified message, or credible communications).  Possessing sufficient, paid-up privacy and other insurance coverages, along with accumulated goodwill and litigation reserves, can also prove most useful, if and as responsibly drawn down in increments.

Internal/Institutional:

The risks of poor earnings results, liquidity crises, and adverse leadership events that might lead to hostile takeovers and other changes of control (including margin calls, lenders realizing on collateral, and critical talent departure for greener or apparently more fiscally secure pastures), should be addressed with appropriate succession plans and takeover defences lawful in the jurisdiction of overall organization.  A lifecycle management approach and other measures might also be used to address risks associated with internal document flow and external data leakage, especially where the entity has valuable intellectual property, sensitive client data, or a mission-critical role in an ultrahazardous industry or a Law Enforcement and National Security (LENS) capacity.[15]  Costly litigation was long a greater risk in some, more litigious jurisdictions than in others.  However, the sheer volume of data currently kept and generated by businesses, including paper trails, electronic documents, email logs, voicemails, and mobile data, at the very least, can lead to crippling e-Discovery costs; not to mention their duplication in parallel regulatory proceedings, or regulatory proceedings combined with individual actions or one or more class actions.[16]  Complex Litigation brings dire realities!  At the risk of severe sanctions for not having, or being unable to find, some critical piece of evidence, great thought, expertise, and sometimes expense, must be put into planning the IT infrastructure, designing an appropriate IT architecture, and implementing a responsible document retention and management policy, along with off-site backup and a good disaster plan.

Structural/Systemic:

This category-row can include operational risk, credit risk, market risk, and a host of legal risks as ongoing concerns.  Occasional but increasingly real considerations are kidnap and terrorism risk (which is certainly no longer restricted to hitherto readily identifiable industries, businesses, and jurisdictions), and Climate Change risk, which is still both debatable (as to its reality) and unpredictable (as to its severity).  Whatever the real answers are, many people can likely agree that the glaciers are melting and/or retreating; that tree cover in the world’s rainforests, which protects habitats, provides for carbon absorption, and regulates the weather, is being depleted; and that weather patterns are changing.

Technical/Tactical:

The risks of unauthorized operations or operators, loss or unauthorized disclosure of Personally Identifiable Information (PII), and exceeded authority, should be addressed with physical (access and surveillance), electronic (encryption and audit trails), and procedural (segregation of duties and “need to know” or “business purpose” criteria) security and intrusion controls.  These must be further buttressed with ongoing vulnerability testing in Privacy Impact Assessment (PIA), Data Protection Audit (DPA), and Threat Risk Assessment (TRA), as appropriate.  Outsourcing and offshoring should always be preceded by due diligence, especially with regard to any Cloud Services Provider (data custody, integrity, and replicability; immediate jurisdiction and long-arm third-party jurisdiction; and service levels),[17] or any offshore manufacturer (labour or health and safety issues).[18]  Pre-employment background checks are highly advisable to guard against bringing on someone who you “knew or should have known” was a live liability; or, once known or suspected, “turning a blind eye” or “promoting or condoning the conduct”, all of which can cause reputational damage, significant depletion of a famous brand, and legal action or sanction.[19]

Summary.

Effective risk identification, assessment, categorization, quantification, ranking, and addressing (whether by containment, minimization, or elimination) is critical for a business, and like governance, it is no easy task.  However, with proper planning, advice, and application, it can be done.  In the next installment, we will consider “Compliance” category column items, as they intersect with the 7 category rows and some of the 5 depth elements.

**************************************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, Cloud applications, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling in both Canada and the United States).  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.).  See: http://www.ogalaws.com

Backed by courses in management, organizational behaviour, and micro-organizational behaviour, Mr. George is also a writer, tweeter and blogger (as time permits), and a published author in Environmental Law and Policy (National Security aspects).

Mr. George is an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams.  See: http://www.simprime-ca.com

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[1] Ekundayo George.  GRC: An Overview (Part 1).  Published on ogalaws.wordpress.com, October 21, 2012.  Online: https://ogalaws.wordpress.com/2012/10/21/grc-an-overview-part-1/

[2] Ekundayo George.  GRC: Governance (Part 2).  Published on ogalaws.wordpress.com, October 29, 2012.  Online: https://ogalaws.wordpress.com/2012/10/29/grc-governance-part-2/

[3] Jonathan Tirone and Subramaniam Sharma.  Radioactive Beer Kegs Menace Public, Boost Costs for Recyclers.  Published on Bloomberg.com, November 11, 2008.  Online: http://www.bloomberg.com/apps/news?pid=newsarchive&sid=aKNgo0CVJg9s

[4] Fiona Harvey.  Trafigura lessons have not been learned, report warns: Amnesty International and Greenpeace say too little has been done to strengthen regulations on toxic waste dumping.  Published on guardian.co.uk, September 25, 2012.  Online: http://www.guardian.co.uk/environment/2012/sep/25/trafigura-lessons-toxic-waste-dumping

[5] United States Sentencing Commission.  2011 Federal Sentencing Guidelines Manual, as effective November 1, 2011.  Chapter Eight – Sentencing of Organizations (Introductory Commentary).  Online: http://www.ussc.gov/Guidelines/Organizational_Guidelines/guidelines_chapter_8.htm  “Second, if the organization operated primarily for a criminal purpose or primarily by criminal means, the fine should be set sufficiently high to divest the organization of all its assets”.

[6] Edward Broughton.  The Bhopal disaster and its aftermath: a review.  Environmental Health: A Global Access Science Source.  Published on May 10, 2005.  Online: http://www.ehjournal.net/content/4/1/6

[7] See European Commission, Commission Regulation (EC) No 1569/2007 of 21 December 2007 establishing a mechanism for the determination of equivalence of accounting standards applied by third country issuers of securities pursuant to Directives 2003/71/EC and 2004/109/EC of the European Parliament and of the Council.  Online: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2007:340:0066:0068:EN:PDF

[8] Of course, these perils bring with them a whole host of other added risks and ills for businesses, consumers, and governments alike.  See e.g. Amy Lieberman of the Christian Science Monitor.  Hurricane Sandy’s darker side: Looting and other crime.  Published on news.yahoo.com, Saturday, November 3, 2012.  Online: http://news.yahoo.com/hurricane-sandys-darker-side-looting-other-crime-190000049.html

[9] Andy Greenberg, Forbes Staff.  Hotel Lock Firm’s Security Fix Requires Hardware Changes For Millions Of Keycard Locks.  Published on Forbes.com, August 17, 2012.  Online: http://www.forbes.com/sites/andygreenberg/2012/08/17/hotel-lock-firms-fix-for-security-flaw-requires-hardware-changes-for-millions-of-locks/print/

[10] Id.

[11] The Associated Press.  Massive worldwide Toyota recall affects 7.4 million vehicles.  Published on ctvnews.ca, October 10, 2012.  Online: http://www.ctvnews.ca/autos/massive-worldwide-toyota-recall-affects-7-4-million-vehicles-1.989540

[12] April Fulton.  Same Plant, New Month: Cargill Ground Turkey Recall, Take 2.  Published on npr.org, September 12, 2011.  Online: http://www.npr.org/blogs/health/2011/09/12/140398110/same-plant-new-month-cargill-ground-turkey-recall-take-2

[13] CBC News.  XL Foods takes ‘full responsibility’ for meat recalled for E. coli.  Published on cbc.ca, October 4, 2012.  Online: http://www.cbc.ca/news/business/story/2012/10/04/beef-recall-expansion-xl-foods.html

[14] Under the United States Health Insurance Portability and Accountability Act (HIPAA) as amended, third-party health data outsourcing contractors or “Business Associates” are now directly responsible in their own right for compliance with applicable state and federal privacy and privacy breach laws and regulations.  In the past, primary entities bore the brunt of liability.  Nevertheless, third-party stress testing and due diligence are still best practices.

[15] Whether or not involved in one of those closely regulated industries or activities listed in the “Environmental” category row, above, any person or entity involved in research, especially Dual Use Research of Concern (DURC, meaning research that can have peaceful uses as well as uses for terror and aggression), should take precautions and be particularly concerned about responsible publication (there are already plenty of mass disaster creation manuals on the internet), their access to funding (who really wants to be linked to a toxic source?), their continued freedom (terrorism, terrorist conspiracy, failure to warn or inform, or failure to properly register), and so forth.  See e.g. Office of Biotechnology Activities (OBA), Office of Science Policy, United States National Institutes of Health (NIH).  United States Government Policy for Oversight of Life Sciences Dual Use Research of Concern.  Released March 29, 2012.  Online: http://oba.od.nih.gov/biosecurity/bio_usg_activities.html

[16] With a major mis-step, government action for: (i) regulatory sanction, fine, and disgorgement against the company, may proceed with (ii) parallel criminal penalty actions against the company itself, and (iii) against culpable officers and directors (either or both of which the company may or may not pay to defend, and regarding either or both of which the company may or may not be forced to contend with an E&O insurer’s or a D&O insurer’s attempt to deny coverage).  These may also be joined by: (iv) direct individual or class proceedings against the company by third parties who have been harmed by the alleged unlawful acts, and simultaneously joined or closely followed by (v) a whistleblower Qui Tam action under the False Claims Act by the disclosing Relator (employee, contractor, or agent), perhaps with (vi) a wrongful dismissal/retaliation suit if already retaliated against in some prohibited fashion; along with (vii) one or more Shareholder Derivative Suits for diluting the value of public company stock through Board fiduciary duty breach.  Of course, (viii) other interests may always seek to intervene as actual parties, or seek leave to file Briefs; which will likely bring added heavy (and costly) motion practice.

[17] See e.g. Ekundayo George.  To Cloud or Not to Cloud: What are Some of the Current, Most Pertinent Pros and Cons?  Published on ogalaws.wordpress.com, December 28, 2011.  Online: https://ogalaws.wordpress.com/2011/12/28/to-cloud-or-not-to-cloud-what-are-some-of-the-current-most-pertinent-pros-and-cons/

[18] David Teather.  Gap admits to child labour violations in outsource factories.  Published on Guardian.co.uk, Thursday, May 13, 2004.  Online: http://www.guardian.co.uk/business/2004/may/13/7

[19] Neil Midgley.  Panorama: Jimmy Savile – What the BBC Knew, BBC One, review.  Published on Telegraph.co.uk, Wednesday, October 24, 2012.  Online: http://www.telegraph.co.uk/culture/tvandradio/9625956/Panorama-Jimmy-Savile-What-the-BBC-Knew-BBC-One-review.html

Technology is having an ever deepening impact on the practice of law and on the sustainability of traditional practice and law firm models, with mobile devices, DIY legal forms and software tools online, outsourcing and off-shoring of routine legal services, increasing practice complexity and specialization, and fewer true borders between regulatory regimes, all of which significantly increase the possibility of malpractice claims, unauthorized practice of law (UPL), and other liability exposures.

In light of the present and persistent economic malaise and recurrent trends in boom and bust legal hiring, a serious argument can be made for the grouping of related and complementary (including with counter-cyclical balancing) legal practice areas so as to better protect the long-term prospects of business/management side law firms; some of which – Coudert Brothers LLP (2006), Heller Ehrman (2008), Thelen LLP (2009), Howrey LLP (2011), and Dewey & LeBoeuf (2012) – are no longer with us.

As set in alphabetical order, a sampling of practice area group environments (PAGEs; forgive me if I missed yours) in a global corporate legal industry still valued at $100 billion/p.a.,[1] might include:

(1) Biotechnology, Intellectual Property, Technology, Entertainment, and Sports Laws (BITES);

(2) Corporate, Commercial, Advertising, Marketing, Publication, Promotion, and Sponsorship Laws (CAMPS);

(3) Crisis Counseling, and Document Disposition and e-Discovery Evidentiary Compliance (CCDE);

(4) Cybersecurity, Cloud, e-Commerce, and Outsourcing Practices (CCEO);

(5) Communications, Healthcare, Insurance, Privacy, and Data Protection Laws (CHIPDP);

(6) Complex Litigation on the Environment, Climate, Criminality and Torts (CLECT);

(7) Energy, Natural Resources, Emissions, Water, and Climate Change Law (ENREWC);

(8) Fashion, Fabric-ware, Immigration, Labor and Employment, and Benefits Laws (FILE-B);

(9) Government Lobbying and International Relations Law (GLIR);

(10) Indigenous Governance and Laws (IGL);

(11) International Organizations and Not-for-Profit Laws (IONP);

(12) Mergers, Acquisitions, Banking, Securities, and Securitization Laws (MABS);

(13) Manufacturing, Retail, and Consumer goods Laws (MARC);

(14) Municipal, Electoral, and Local Governance Laws (MELG);

(15) Medicine, Implantable Device, Drink, Agriculture, Food, and Supplements Laws (MIDAFS);

(16) Private Equity, Government Contracts, and Venture Capital Syndication and Counseling (PEGVC);

(17) Procurement; International Trade and Customs; Competition; and Constitutional Law, Civil Rights, and Human Rights Law (PITCH);

(18) Permitting, Real Estate, Leasing, and Franchising Practices (PRELF);

(19) Restructuring, Insolvency, Funding of Distressed Entities, and ADR (RIFDEA);

(20) Partnership, Venture, and Small Business Formation and Counseling (PVSBFC);

(21) Trusts and Estates, Education, Disability and Elder Laws (TEDE);

(22) Transportation, Regulatory, Utilities, National Security, and Construction Laws (TRUNC).

This represents one way to put some proper comparability and commonsense competition (not based on ever diminishing fees in cutthroat price competition) into legal service offerings, and also have partners and practitioners cluster for their mutual synergies and sustainability against the individually-experienced valleys of unpredictable business cycles, and the better service of their clients with tangible enhanced value in-PAGE depth.  Due to the strict fiscal discipline and focus on sustainability over growth[2] that this proposed system would impose, each PAGE might:

(a) Keep ¼ of what it brings in on its book of business as pure profit (that it will distribute amongst its own partners, associates, and dedicated staff as it sees fit);

(b) Apportion ¼ for its own PAGE “initial” overhead and business development pool;

(c) Send another ¼ off to account for the firm-wide “residual” overhead and recruiting pool (from which each PAGE will then be able to draw in some pre-set or floating formula);

(d) Have to then relegate the last ¼ to debt service, first; anything left over going into the residual overhead and recruiting pool, as the secondary option.  From this, the leaders of all PAGEs will jointly decide whether and to what extent they can free funds for reversion to PAGEs, whether by quantum of contribution, or lockstep in true equity.

These proportions are not set in stone, and firms will remain free to tweak them as they see best.  Each PAGE will also have to set budgets in advance and submit projections to the firm.  Of course, some contrarians and “elitists” will look to further distinguish themselves by avoiding a PAGE system or rearranging themes.  But, PAGE is already here, partly, as some global firms prefer “partnerships of partnerships” with significant business and budgetary autonomy.  However, time will always tell, and in the full light of day, whether or not the elitists were right!

******************************************************************************


[1] Jennifer Smith.  Survey Says Post-Recession Shifts Are Here to Stay.  Published on blogs.wsj.com, May 16, 2012.  Online: http://blogs.wsj.com/law/2012/05/16/brave-new-world-legal-edition-survey-says-post-recession-shifts-here-to-stay/?mod=WSJBlog

[2] Edward Tan, JD.  Why the BigLaw Business Model Should Be Put to Sleep.  Published on blogs.findlaw.com, June 21, 2012.  Online: http://blogs.findlaw.com/greedy_associates/2012/06/why-the-biglaw-business-model-should-be-put-to-sleep.html
