When it comes to building a best-in-class compliance program, prudent compliance officers may want to take pointers from those who have learned the hard way, through a Foreign Corrupt Practices Act enforcement action.
Germany-based engineering group Bilfinger is one such example. In December 2013, Bilfinger agreed to a $32 million criminal penalty with the Department of Justice to resolve FCPA charges that, from late 2003 through June 2005, the company conspired with pipeline construction company Willbros and others to pay more than $6 million in bribes to government officials in Nigeria to obtain and retain contracts related to a pipeline project.
As part of the settlement, Bilfinger signed a three-year deferred prosecution agreement, in which it agreed to adopt new—or modify existing—internal controls, a compliance code, and policies and procedures designed, in part, to detect and deter FCPA violations. Bilfinger further agreed to an external compliance monitor, appointing Mark Livschitz, for a minimum term of 18 months. The monitor’s primary responsibility was to regularly review the efficacy of Bilfinger’s compliance program and report the results back to U.S. authorities.
In 2015, Livschitz concluded that Bilfinger’s compliance program was not up to par. At that time, Bilfinger was in the process of replacing most of its senior management team, with the appointment of CEO Tom Blades; CFO Klaus Patzak; General Counsel, Chief Compliance Officer, and Corporate Secretary Olaf Schneider; and Chief Human Resources Officer Michael Bernhardt.
Compliance Week caught up with Schneider and Bernhardt on Dec. 7, immediately following their most recent meeting with U.S. authorities in Washington, D.C. Schneider says that, since joining the company in 2015, Bilfinger continues to have regular exchanges with the Department of Justice.
“We meet on a quarterly basis here in Washington,” Schneider says. In attendance at those meetings are not just members of the executive board, but also those who are directly responsible for executing Bilfinger’s compliance program. At those meetings, which can run several hours, the Justice Department receives updates on the progress of the compliance program, challenges Bilfinger faces, and what further compliance processes are in the works, he says.
With the help of external experts, including former FBI director Louis Freeh, Bilfinger implemented a compliance remediation plan that focused on three familiar compliance pillars: prevention, detection, and response. “We started off by developing a new code of conduct,” Schneider says. Bilfinger’s former code of conduct, formulated in 2012, has been revised to include specific group policies to more clearly lay the groundwork for business practices based on integrity.
For example, core elements of the code of conduct for suppliers, subcontractors, and service providers “relate to counter-acting corruption, bid rigging and illegal employment practices, as well as respecting the fundamental rights of employees and environmental protection requirements,” according to Bilfinger’s 2016 annual report. “We also unequivocally demand that our suppliers require their own suppliers to adhere to these principles.”
These policies are further supported by the compliance team in the form of local road shows and a broad range of communication and training measures—such as on-site training and e-learning—that are targeted toward all Bilfinger employees and available in 13 languages.
“Different from many other companies is our rigorous process around allegations.”
Olaf Schneider, Chief Compliance Officer, Corporate Secretary, Bilfinger
Additionally, Bilfinger’s compliance training program, which has been in place since 2011, has been expanded to include broader offerings related to bribery and corruption training. Case studies are used to increase participants’ awareness of compliance topics in a way that corresponds to their tasks and positions.
Underlying the prevention of bribery and corruption is a company-wide focus on integrity that starts with regular and consistent communication from the highest echelons of the company. As Blades stated during Bilfinger’s annual general meeting in May 2017: “I want to be very clear: We place a very high value on integrity. There is no room for non-compliant conduct at Bilfinger. Laws and internal rules apply to every single employee throughout the world.”
To ensure that managers are also held to account, Bilfinger included a new “integrity factor” into management bonuses, which was calculated for the first time in 2017. This metric is defined by the executive board, under the lead of Chief Human Resources Officer Michael Bernhardt, for each organizational unit separately and used to measure the degree to which compliance requirements are fulfilled.
“That, in effect, means that if you misbehave or don’t behave according to our rules, your bonus is completely gone or heavily reduced,” Bernhardt says. Such a measure also helps to ensure that employees perceive integrity as a part of the corporate culture and can emulate the correct and responsible behavior of supervisors.
Detection and response. With integrity as a backbone, the company is also working to enhance its detection and response mechanisms. First implemented in July 2016, Bilfinger’s “Compliance Help Desk” serves as the main point of contact for any employee with a compliance query. “We thus achieve uniformity and security in the handling of compliance issues and can provide our compliance expertise globally to all employees by means of a structured approach,” stated Bilfinger’s 2016 annual report. “At the same time, approaches for further improvement of our Bilfinger compliance program can result from the questions and feedback.”
From July 2016 through Dec. 31, 2016, Bilfinger received a total of 131 inquiries, the majority of which related to questions about its guidelines and internal regulations (38.2 percent), and gifts and invitations (34.4 percent), according to data from its 2016 annual report.
Early recognition of potential misconduct and the quick and consistent response to any unlawful conduct or conduct that violates the company’s code of conduct is a key component of Bilfinger’s compliance program. Employees and external parties can, on a confidential basis or anonymously, report potential misconduct by telephone, the Web, or e-mail, if they prefer not to go to their supervisor.
“Different from many other companies is our rigorous process around allegations,” Schneider says. Just this year, Bilfinger established an “Allegation Management Office,” strictly tasked with investigating allegations of compliance breaches.
BILFINGER COMPLIANCE PROGRAM OVERVIEW
Below is an excerpt of a letter included in Bilfinger's 2016 Annual Report from CEO Tom Blades, providing an overview of the new compliance program.
I would like to mention another topic which I feel is particularly important: compliance. The compliance program currently being developed by our in-house experts in a number of different disciplines in tandem with external consultants comprises 12 work packages. These will enable Bilfinger to continue to develop its systems and raise awareness of compliance topics among our employees. This is also a proactive approach to countering compliance risks.
Bilfinger’s Code of Conduct was rewritten in 2016, and its internal guidelines were revised. New training modules were also developed. Internal controls relating to sensitive business processes were strengthened. Compliance experts in the divisions will provide effective support for the business units.
In addition, there is a new Compliance Help Desk. This will be available to any employee who has a compliance query and will provide a swift expert response. The legal and compliance departments have been merged. The aim is to bring all their expertise under one roof and to optimize corporate governance processes.
Bilfinger sees the requirements of the [Department of Justice] as an opportunity to make further improvements to the quality of its compliance processes. All our stakeholders should be able to rely on the fact that Bilfinger employees are aware of the importance of proper behavior and that any misconduct will be detected by the systems in place and appropriately dealt with.
There is no room at Bilfinger for bribery or any other form of non-compliant behavior. Integrity is vital. We impress our customers with the quality of our services and inspire customer confidence through fair competition.
Source: Bilfinger Annual Report
From there, an independent allegation management committee—chaired by one of Schneider’s direct reports and made up of experts from legal and compliance, internal audit, tax, and human resources—evaluates each reported incident. Allegations are put into two buckets: severe or non-severe. Examples of severe allegations are those that concern corruption, money laundering, data privacy, or allegations involving senior management, Schneider says. In 2016, this committee convened a total of 56 times.
Where allegations warrant an internal investigation, those are initiated by the independent allegation management committee, and any possible sanctions are then handled by a separate disciplinary committee, chaired by Bernhardt. Examples of actions that may be taken include remedial actions—like process improvements—legal proceedings, or disclosing the case to authorities, Schneider says. From Jan. 1, 2016 to Dec. 31, 2016, 113 investigations were initiated out of 129 potential compliance violations, and approximately 20 disciplinary measures were taken.
To streamline processes further, Bilfinger’s legal and compliance departments were merged in the summer of 2016 into a new Corporate Legal & Compliance department, with a direct reporting line to the chairman of the executive board. “With the new structure, we are combining our strengths in legal and compliance and, thereby, optimizing our corporate governance processes,” Blades said in an internal memo to employees.
Furthermore, the responsibilities of this department were expanded as of Jan. 1, 2017, to include investigations and Allegation Management as a separate office within the department. At the same time, cooperation between compliance and internal audit was intensified and formalized. “We have thus ensured that the three areas that are fundamental to our compliance program—prevention of compliance violations, early recognition of misconduct, as well as quick and consistent reactions to such misconduct—are comprehensively managed by and within the area of responsibility of these gatekeeper functions.”
Other efforts. Bilfinger is also making progress in the further development of its compliance management system. “When I arrived at Bilfinger, there were 70 different HR systems throughout the world and the same number of payroll systems,” Bernhardt says. “This made it extremely difficult to centrally detect issues.” To resolve that issue, the company is putting in place a centralized HR system.
Bilfinger also has an objective to reduce the number of legal entities it has and continues to make strides in this effort. Schneider says when he first started working at Bilfinger, the company had more than 600 legal entities throughout the group. That number has since been reduced to 200 legal entities, helped to reduce costs and compliance risk.
That’s achieved by performing a risk assessment on each legal entity to understand their risk profile. Based on the outcome of the risk assessment, we agree on certain activities that need to be implemented and accomplished to mitigate the risk posed by that business partner. To date, Schneider says, “we have done compliance risk assessment on our 200 legal entities.”
Establishing a world-class compliance system, however, comes at a high cost. “From the beginning of 2015, we have invested roughly €100 million into our compliance program,” Schneider says.
Bilfinger also has in place a rigorous third-party management process as part of its compliance program. “We have developed a tailor-made due diligence process for our third parties,” Schneider says. “Only customers and employees are excluded. Otherwise, we vet all third parties, which includes our suppliers.” Since that process began in April 2017, Bilfinger has approved more than 25,000 third parties and further expects to have roughly 60,000 approved third parties by March 2018, he says.
“It’s not just lip service,” Schneider adds. Bilfinger also has rejected eight percent of high-risk third parties, “which means we do not work with them any longer.” Reasons for rejecting a third party can, for example, be due to information received during the due diligence process or due to information obtained during investigations or by internal audit, he says.
As with all companies, compliance risks are not static, and compliance efforts require ongoing attention and improvements. Bilfinger acknowledges it’s not perfect, and compliance risks remain high, it stated in the company’s annual report: “We are currently investigating suspicious cases in various countries, including Brazil and Vietnam, and are cooperating with the authorities.”
Practices makes progress. “Once you have an effective compliance system, it gives you a competitive advantage,” Schneider says. Customers view Bilfinger as a reliable partner, interested only in fair and clean business. But more than that, he says, it makes employees proud to work for Bilfinger knowing the company does business in an ethical and responsible way.