Bribery Enforcement Action in the Insurance Business……Again

December 22, 2011

 

The insurance industry looks to be a target. This would not be a surprise if you read my recent blog, Bribery and the Board in the Insurance Broker Business, here. With only days left in 2011, I won’t go so far as to use the (2011 word of the year, at least as per my list) contagion, but I have a feeling I will be using the term “systemic” industry risk a lot in 2012.

This time it is Costa Rica. The funds were intended as education and training for INS officials (see how difficult it is to avoid doing business with public officials in the international space), but some of it went to travel to “tourist destinations” or other purposes not provided within the broker’s “books and records.” In this case, and unlike the previous Willis UK Bribery Act case, the NPA (non-prosecution agreement) made note of invoice and other records that made it obvious “that the expenses were clearly not related to a legitimate business purpose.”

The NPA included “failure to devise and maintain an adequate system of internal accounting controls with respect to foreign sales activities sufficient to ensure compliance with the FCPA.”

The price tag you ask?………….$25 million ($1.76 million penalty, which was a substantial reduction thanks to “extraordinary cooperation”, “timely and complete disclosure of improper payments”, and the 5.25 million pound payment to the UK’s FSA (Financial Services Authority); plus $14.5 million in disgorgement and prejudgment interest in a related SEC settlement) not to mention their legal, investigation and communication costs.

The ultimate cost will be difficult to determine, but is potentially much greater than the above, due to potential reputational damage, the new costs to “adhere to rigorous compliance”, and the costs of possible follow-on civil liability claims.

Who you ask…………….? Sorry,………………………………………………….. AON. Here, here, here.

The bigger question……….did they buy investigation coverage under the Marsh exclusive program, or negotiate it themselves with Chartis (to save the commission)? And, will they jump on the bandwagon to market this case as the perfect “loss example” to their clients?

At the risk of defending a competitor, it is very likely that the SFO, SEC, DOJ, etc, have a great scapegoat in the insurance brokerage industry: 1) we are the best direct link to business of every size and in every sector, 2) going after international accounting/auditing/consulting firms is difficult because they have a longer history of successfully defending themselves from liability; 3) many of the clients of audit/consulting firms don’t retain them for risk management advice, 4) “do as I say, not as I do” doesn’t just apply to child raising.

The loss control opportunity (the investment in time and resources should reflect the risk, which means the risk needs to be identified to determine the applicability of the following):

  1. Get the “rigorous compliance, bookkeeping and internal controls standards” in place now, not after the enforcement action,
  2. Follow the DOJ “minimum best practices compliance program” as per their common Deferred Prosecution Agreement (the research is a good start, but here is a hint) aka Plea Agreement,
  3. Establish Legal and Compliance Committee of the Board (3 members, no execs),
  4. Appoint one or more senior executives to implement or oversee anti-corruption policies, procedures and standards, and provide adequate resources and an adequate level of autonomy from management (note that US Sentencing Guidelines suggest that a compliance officer reporting to the General Counsel who reports to the board may not qualify, see here for NY Times article, “MF Global’s Risk Officer Said to Lack Authority”),
  5. Appoint a Compliance Consultant to aid in those activities and the reporting obligations.

The insurance spin – There are two insurance vehicles that come to mind for the transfer of direct “bribery enforcement” based loss:

  1. Standalone Investigation Costs Coverage – this is a new, rarely purchased and largely unknown product, but no matter what the purchase decision, the due diligence alone is worth your (and your broker’s) effort,
  2. Investigation Costs Coverage as built into a D&O or D&O/Professional Liability policy – there is no rhyme or reason to the contract language so tread carefully. Make sure your broker identifies “Entity” coverage vs “Personal” coverage, and if this analysis covers less than a dozen areas of the policy, ask them to try again,
  3. Request details on “formal” vs “informal” investigations, but recognize that the “broader” the policy the more onerous the “reporting” obligations, and the greater the risk of erosion or exhaustion of limits.

For indirect loss you might only be able to look to your D&O or D&O/Professional Liability policy. The key for D&O coverage is:

  1. Don’t assume it is a D&O policy as almost every policy provides coverage to the corporate Entity,
  2. Know how your policy or program (layers of policies) is exposed to erosion or exhaustion,
  3. Follow-on or Downstream loss can come from many directions, so request information on how your policy responds to “derivative” demands, “securities claims”, and regulatory enforcement not included in the initial bribery/corruption enforcement,
  4. Since some “bribery enforcement” loss does not name individuals, then you may have skipped the “direct loss” comments above, and therefore I will repeat – the “broader” the policy the more onerous the “reporting” obligations, and the greater the risk of erosion or exhaustion of limits.

D&O, Professional Liability and Crime insurance underwriters are tightening their underwriting standards. They are raising the RED FLAG on the departure of a Chief Risk Officer, Chief Compliance Officer, or General Counsel, and may no longer settle for “resigned to pursue other opportunities”.

Greg Shields is a D&O, Professional Liability and Crime insurance specialist and a Partner at the University and Dundas (Toronto) branch of Mitchell Sandham Insurance Services. He can be reached at gshields@mitchellsandham.com,  416 862-5626, or Skype at risk.first. And more details of risk and loss control can be found on the Mitchell Sandham blog at http://mitchellsandham.wordpress.com/

CAUTION: This article does not constitute a legal opinion or insurance advice and must not be construed as such. It is important to always consult a registered and truly independent insurance broker and a lawyer who is a member of the Bar or Law Society of the relevant jurisdiction with regard to this material before making any insurance or legal decisions. All material is copyrighted by Mitchell Sandham Inc. and may not be reproduced in any form for commercial purposes without the express written consent of Mitchell Sandham Inc. Anyone seeking to link this document from any external website must receive the consent of Mitchell Sandham Inc. by sending an e-mail to gshields@mitchellsandham.com.


Bribery and Anti-Corruption Enforcement Insurance in Canada

December 15, 2011

 

I speculate that the Governance, Compliance and Risk Management issue of Bribery and Anti-Corruption will go from a dusty item entered into board minutes, to a material agenda item. This is not necessarily a good thing because none of the other agenda items can be easily de-weighted.

As mentioned in previous blogs, CFPOA, Corruption of Foreign Public Officials Act, only recently started receiving press based on the enforcement action against Niko Resources, here, here, here and here.

A March 2011 OECD report, here, suggested the RCMP had 20 active CFPOA enforcement investigations. Based on the CFPOA being sleepy legislation for most of its 13 year history, and considering that only two cases, Hydro Kleen and Niko, have seen the light of day, it can be extrapolated that there have been any new investigations launched in the last ten months.

With the inconsistent Canadian legal precedent on disclosure obligations for public issuers, and with few to no announcements by such public issuers disclosing any RCMP investigations, it can also be assumed that many of the 20+ companies have no idea they are being investigated.

With there being such little press and such small financial consequences (until Niko), it would also be a fair statement to suggest that Anti-Bribery, Anti-Corruption compliance programs within individual Canadian companies might not be receiving substantial resources or significant board/executive attention.

My strong recommendation is that this needs to change and change quickly. The best defence (to an investigation or enforcement action) is a good offence. This offence needs to be well worded, aggressively communicated, strongly enforced and meticulously documented.

The FCPA, the US counterpart, has seen very active enforcement. This enforcement has resulted in many follow-on claims including class action securities claims. Since we only have one enforcement action in Canada that has been brought after the inception of Bill 198 (secondary market liability legislation), and it is too early to determine the risk of follow-on litigation, the only thing Canadian directors and executives can do is assume the financial, market and reputational risk of a CFPOA Enforcement Action will be material to the organization.

There is no doubt that more enforcement actions will soon become public. This means there will be a lot of Directors, Creditors and Shareholders receiving an unpleasant surprise in the new year. When the issue becomes public every company decision, announcement, prospectus and even individual discussions and emails will become the subject of scrutiny and conjecture.

It is usually at this point of crisis that risk management and insurance are raised. Insurance coverage will become a critical question. Directors and officers will want to know if their D&O insurance policy will respond. But they may not recognize that there is no such thing as a “standard” D&O insurance policy. They also might not realize that early response of the D&O policy to a CFPOA enforcement action or investigation may put these directors at a considerable personal risk.

The issues of policy limit adequacy, limit erosion or exhaustion, “notice” obligations, exclusions and continuity are too detailed for this blog post. These issues are also too specific to the actual insurance program in place and the unique investigative order and potential litigation.

There are dedicated Investigation Costs insurance products available and in the works. These policies are designed specifically for investigation costs, and in most cases they provide limits of liability that will not erode the limits available under the D&O program.

The only way to extract value from the risk management activity of “risk transfer to insurance” is to identify risk, develop loss control tools, determine coverage priorities and negotiate and buy insurance prior to “smelling smoke.”


 


Risk Management During Occupy Toronto

October 14, 2011

 

Ryan Mitchell, Vice President of Mitchell Sandham Insurance Brokers has been quoted in today’s Toronto Star, providing insight into the Occupy Toronto Protest happening this weekend.  He comments on risk management strategies for businesses in the downtown core to consider implementing.  Please click here to access the article.

 


Director and Officer Liability without Culpability

September 30, 2011

 

There has always been risk of personal loss to directors, even in absence of intent to harm. Such loss is usually financial loss and not criminal incarceration. However, even though this financial loss may be limited to legal fees incurred to achieve dismissal  or settlement (at least in the situation of absence of intent), such fees can be staggering to individuals and their personal loss will also include physical and emotional stress, damage to reputation and lost opportunities.

Today, corporate directors and officers are subject to criminal prosecution (and potentially a criminal record) based on the “responsible corporate officer doctrine” and their responsibility for the corporation, not for their own conduct.

In this blog I usually stick with Canadian experiences. But due to the level of US exposure for many Canadian companies (and their executives and directors), this blog posting, here, of Kevin LaCroix in his The D&O Diary blog is worth sharing.

The Canadian perspective on risk management of criminal or quasi-criminal proceedings is threefold. First, indemnification provisions under the Canadian Business Corporations Act, here, one of the provincial Acts, or an industry based Act, should be reviewed for its trigger of indemnification or denial of indemnification. Under many such provisions the term “may” indemnify, or “may” advance moneys, is used, but some contain the word “shall”. These provisions also require the subjective test of “honesty” and “good faith”, and in a criminal or administrative action an additional test of “reasonable grounds for believing the individual’s conduct was lawful”, must be met before indemnification is provided.

Second is the individual contractual indemnity. By-laws may be unique to individual corporations, and they may or may not improve on statute language. Comfort will depend on the wording, but blanket bylaw indemnification can be modified and restricted with no notice to current and (more importantly) former directors and officers, as long as a proceeding has not started. Therefore, individual contractual indemnities should be considered. I will leave this language between you and your lawyer, but they are being used more often in Canada and should be considered by every director and officer.

Third, insurance is referenced in some indemnification provisions. The wording of the provision could be “may purchase and maintain insurance for the benefit of an individual” but it is very important to remember that this is the full extent of the Government’s involvement in your D&O insurance policy. There is no vetting of that policy, there is no standard or even common policy wording in the Canadian D&O marketplace, and there is no control over who (individual or corporate entity) has access to that policy. The coverage of the policy is the responsibility of each and every director and officer. And though many directors will look to the “due diligence defence” and “reliance on officers and other experts” for protection from liability, the failure of an officer to properly procure a D&O policy for the director will mean that the director will have to cover their defence costs in the underlying suit, while they take on the cost of bringing a claim against the officer for negligence. When it comes to financial statement preparation, “reliance” might provide comfort, but not when it comes to the D&O insurance policy.

The due diligence on the D&O insurance policy purchase cannot be done in this short blog posting, but, when considering criminal and quasi-criminal actions, here are a few things to look for:

  1. Is coverage limited to “civil” action?
  2. Is the reference to “criminal” action or proceeding or “penal defence” only given under a “sublimit of liability”?
  3. Do the intertwined definitions of “Claim”, “Loss” and “Wrongful Act” explicitly cover, exclude, limit or remain silent on “criminal” action or proceeding?
  4. Is there any reference to “Bill C-45”?
  5. Is the “Bodily Injury / Property Damage” exclusion limited (“for” preamble) or broad (“based upon, arising from, ….” preamble)?
  6. Does the “benefits” or “statutory” exclusion extend to a health or safety act?

This is not an exhaustive list of issues under the D&O policy, but, regarding criminal actions, it is a good start. It is important to know that no D&O policy will cover the actual fine or penalty related to a criminal or quasi-criminal act.

If you would like help navigating the risk of being a director or officer, or you would like more information on insurance and D&O claim examples, please don’t hesitate to contact me directly.

Greg Shields is a D&O, Professional Liability, Employment Practices Liability, Fiduciary Liability and Crime insurance specialist and a Partner at the University and Dundas (Toronto) branch of Mitchell Sandham Insurance Services. He can be reached at gshields@mitchellsandham.com, 416-862-5626, or Skype at risk.first. And more details of risk and loss control can be found on the Mitchell Sandham blog at http://mitchellsandham.wordpress.com/



Employment Risk in Canada

September 23, 2011

Mitchell Sandham is again excited to have an article featured in Canadian Insurance Top Broker Magazine, called “Employment Risk in Canada” by Greg Shields.  Please click here to access the article featured in CI Top Broker.  http://www.citopbroker.com/news/employment-risk-in-canada-2699

Greg Shields is a D&O, Professional Liability, Employment Practices and Crime insurance specialist and a Partner at the University and Dundas (Toronto) branch of Mitchell Sandham Insurance Services. He can be reached at gshields@mitchellsandham.com, 416 862-5626, or Skype at risk.first. And more details of risk and loss control can be found on the Mitchell Sandham blog at http://mitchellsandham.wordpress.com/


 


Injury Risk

August 12, 2011

 

Physical injury is an extremely important risk to organizations. Most high risk industries, like construction, have very strong employee safety policies and procedures. Some organizations, like amateur sport leagues, may not have the resources necessary to educate and respond to safety concerns.

Chartis has launched their “aHEAD of the GAME” program, here, to help organizations, coaches and families identify and reduce the risk of brain injury. It offers some very good statistics, resources, tips and loss control information.  We encourage every organization, ref, coach, parent and teammate to take advantage of this information and help reduce the risk of concussions and other brain injuries.

 


Bribery and the Board in the Insurance Broker Business

August 1, 2011

 

Between the FCPA, UK Bribery Act and the CFPOA there are many new cases in the bribery landscape. However, there is a very recent case involving a multinational insurance brokerage. This case is not categorized as a direct bribery issue, but rather a failure to prevent bribery. The Financial Services Authority (FSA) announced last week, here, that it fined Willis Limited 6.9 million pounds for “failings in its anti-bribery and corruption systems and controls” which “created an unacceptable risk that payments by Willis Limited to overseas third parties could be used for corrupt purposes.”

This case changes the game before most people have even started to learn the rules. It is still very common for corporate leaders to respond to news of bribery enforcement by saying “everyone is doing it” and “that is just how we do business in (insert industry)(insert city).” Most internal and third party professionals will be quick to point out that such realities are not an acceptable defence to regulatory enforcement. However, those defences are still being attempted, and the result is industry based systemic risk as regulators then say “ok, where else and who else” and start flipping over rocks in other regions or at industry competitors. Therefore, don’t be surprised to see similar settlements in the insurance brokerage industry.

The rules of the game are that directors and senior management need to turn their minds to controls and procedures to prevent this (recently) unacceptable behaviour. In the Willis case, it seems that the organization, unlike many other organizations, did in fact create and implement “appropriate anti-bribery and corruption systems and controls”, but the FSA has suggested with this fine that the existence of controls is not enough and they are required to “ensure that those systems and controls are adequately implemented and monitored”, at the grassroots level.

The time period of the payments in question was January 2005 to December 2009, which means that there is a long tail of liability involved with FSA bribery enforcement actions and therefore organizations and their governing minds had better respond quickly to create and/or increase their controls and control enforcement and monitoring.

The Willis case, and the recent Canadian CFPOA case against Niko Resources, here, might suggest that international bribery enforcement is not a game, because the value of the fines is many multiples of the alleged inappropriate payments in question (at least those values that were disclosed.) In the Niko case the payments in question were less than C$200,000, but the fine was C$9.6 million (the actual value of Niko’s business dealings in “high risk jurisdictions” was not disclosed.) In the Willis case, the total value of transactions over the five year period was 27 million pounds, with the suspicious payments totalling $227,000, and the fine being 6.895 million pounds (after a 30% discount for cooperation and early settlement.)

Here is the loss control opportunity presented by this case to directors, officers, management and employees of corporations doing business overseas (I know this is easier said than done, this is just a blog):

  • Identify all payments to foreign third parties (especially in “high risk jurisdictions” – if it helps to narrow things down (kidding) the Niko case involved Bangladesh, the Willis case involved Egypt and Russia),
  • Establish and record the commercial rationale for all payments to foreign third parties – this needs to be done to the minute degree of demonstrating “in each case why it was necessary… to use an Overseas Third Party (OTP) to win business and what services (the company) would receive from that OTP in return for a share of its commission”
  • Understand that foreign official is a much broader group than you might think (other bribery cases have set the precedent that doctors and other medical staff in most countries are considered foreign officials, World Bank and IMF staff are foreign officials), 
  • Realize other enforcement examples are not just a learning opportunity but an obligation; the acting director of enforcement and financial crime in the Willis case specifically said this case was “particularly disappointing as we have repeatedly communicated with the industry on this issue”, 
  • Provide formal training to staff to recognize an affected payment and to record in detail (more than a brief description) the reasons and resulting services surrounding the payment. This is the only way to demonstrate adequate monitoring and effectiveness of anti-bribery systems and controls, 
  • Ensure adequate due diligence on OTP to assess how the OTP is connected to the organization’s client, the foreign official and any other involved third party, 
  • Recognize that you are responsible for indirect bribery or alleged bribery of a foreign official, not just for direct bribery. This means you are responsible for the actions of any Third Party that could be in a position of making improper payments to help your organization win or retain business from overseas clients or prospective clients, 
  • Ensure that this due diligence is applied each and every time a payment is made to a Third Party, not just at the inception of business with that Third Party.

There is a very strong argument that the Willis case is not a bribery case, it is a books and records case, but the FSA does not seem to care about the distinction. The case has been lumped in with the recent UK Bribery Act / FCPA / CFPOA bribery enforcement actions, so it is getting media attention that it may or may not deserve.

Is this a good example of directors’ and officers’ liability? No, not directly. There was no mention of negligence by an individually named director or officer. But many bribery enforcement actions have spawned downstream criminal, civil and securities liability lawsuits, so if directors and officers do not learn and react to the public pain suffered by other entities, they have a good chance of facing personal liability.

My advice, be careful about extending your D&O insurance policy to FCPA / UK Bribery / CFPOA enforcement action if you don’t fully understand how your policy is exposed to Entity Coverage or other risk of erosion or exhaustion of its limits of liability. There is no regulation or oversight of D&O policy wordings or pricing in Canada, so your assumption of the level of “personal loss” coverage in your D&O policy might be incorrect. Without early investigation you might not find that out until it is too late.



CFPOA (Bribery) Enforcement Action on the Rise

July 8, 2011

 

Risk Management will be a particular challenge based on the “ground level” exposures and the difficulty identifying and controlling risk that is created by a vast number of activities conducted by a large number of people with significant geographic and supervisory separation.

Therefore, based on single aggregate limits, and the considerable number of parties and matters insured under a typical D&O insurance policy, a full understanding of how and where limits are shared should be a top priority for D&O buyers.

In past blog posts I have been critical of Canadian regulation and enforcement of Bribery. But, I can now suggest there has been an extraordinary increase in Canadian corporate bribery enforcement. I am not suggesting the alarm bells should be raised, as the number of cases has gone from one to two (two to three if you include individuals), and I am sure that 99.something % of Canadians (and nearing that number of politicians) could not tell you what CFPOA stands for. This is not as easily said of FCPA. The Foreign Corrupt Practices Act, here, in the US has seen significant press over the last year. This should be no surprise, the US government provides a website listing enforcement actions in chronological order (there are 14 actions under ‘A’ alone), a dedicated email address for reporting violations, and transparency on settlements/judgments (which have been in the hundreds of millions of dollars.)

I wouldn’t be worried about wiretaps and agents posing as foreign government officials……, if your organization does absolutely no business (purchasing or selling, travel or expenses) outside of Canada. We are not known for aggressively fighting white collar (I prefer the term “financial”) crime. However, if you do any business outside of Canada, perhaps some risk identification and loss control is a good idea.

CFPOA stands for The Corruption of Foreign Public Officials Act. It can be found on a Canadian government site, here, but there is no “enforcement” section, or any obvious “report bribery or corruption” contact information. I don’t even recommend a search of Canadian government information regarding corruption or bribery, as it is a time wasting and frustrating exercise in ineffective links and extraordinarily outdated reports. Prior to this very recent case, I could find reference to only two criminal prosecutions in Canada since the 1999 inception of the act and the only one with a dollar figure was for $25,000.

In June, enforcement of bribery in Canada actually made publication. I would like to say that it made headlines, but the only page-one Google hits for “bribery enforcement in Canada” were law firm briefs and low profile blogs.

The recent case is Niko Resources Ltd., here, which is based on bribery of a junior energy minister in Bangladesh. As per the Reuters report by Scott Haggett, “the charges stemmed from providing a car worth $191,000 and a $5,000 trip”, but the fine is $8,260,000 plus a victim surcharge of 15% for a total $9.5 million fine. This does not include legal costs and it does not contemplate the reputational damage to Niko, or their 3.2% fall in market cap of their shares (which equates to more than $120 million.) Class action securities claims have been started for less.

A CFPOA settlement in this range is material to even the biggest Canadian corporations and it is obvious that the intent is to send a warning signal to all Canadian companies, directors and senior management (and to try to get the Government out of the news for being completely ineffective on bribery and corruption.)

Here is the corporate governance, risk management and insurance spin. For this we will have to look outside of Canada because, in the article here at Canadian Lawyer Magazine by Andi Balla, it has been expressed by the head of the RCMP unit in charge of investigating corruption of foreign officials that “Canadian legislation is very short and hard to interpret.”

Based on the US experience with FCPA, and the very recent UK Bribery Act, the issue of Bribery will receive increased focus as a material Corporate Governance, Risk Management and Compliance responsibility. Risk Management will be a particular challenge based on the “ground level” exposures and the difficulty identifying and controlling risk that is created by a vast number of activities conducted by a large number of people with significant geographic and supervisory separation.

Like most other corporate risks, good loss control will come from establishing, communicating, enforcing and monitoring policies and procedures. But identifying, qualifying and quantifying risk in order to develop specific risk based policies and procedures is much easier (not to mention quicker) to say than do.

The U.K. Ministry of Justice, regarding the new U.K. Bribery Act (took effect July 1, 2011), here, has provided some Guidance, here, to their legislation. But enacting policies and procedures is further complicated by the vague language of the official guidance which uses phrases like “extremely unlikely to engage Section 1” (the section prohibiting Active and Passive bribery), and introduces the “reasonable person” test and “common sense approach”. One area that makes it difficult to define or identify risk is the “associated persons” language which is not easily defined and includes any person or entity who “performs services” for the company. Therefore, direct and even indirect contractors could create a risk of liability for the corporation.

Another concern with the U.K. guidance is that many terms are not defined. One such term is “close connection”, because this close connection to the U.K. could apply to the person committing the offence, or to the place of incorporation, or to the location of the consenting senior officers. Another important term is “carry on business”, because the parent company or even a subsidiary entity does not have to be incorporated in the U.K. in order to be responsible under the Act.

Directors of affected companies will have to look at the “relative ‘value’ of the spend” in every foreign business dealing and determine its ‘proximity’ to a pending business deal in order to identify activities that generate risk. They will then have to prioritize which activities could become the subject of scrutiny under the Act and direct resources accordingly.

The insurance response has yet to be determined. Some ideas presented by Anjali Das, a partner in the Chicago office of the Wilson Elser law firm, are published in The D&O Diary Blog, here.

Insurance underwriters will eventually be requesting copies of Anti-Bribery policies and procedures, but that has not started (in Canada) and we hope to provide warning of any such change.

Directors, if not already, will soon be asking their General Counsel, CFO, Corporate Secretary, or whoever else is their go-to-person on personal liability and directors’ and officers’ liability insurance (D&O), about the potential response of their D&O policy to a CFPOA investigation. Since there are many dozens of different D&O policy wordings and hundreds of endorsements in current use in Canada, there is no one-size-fits-all answer to this question. Your current in-force policy wording needs to be reviewed. I suggest asking for an electronic searchable version from your insurance broker and searching for the term “fine”. If you are attempting to find the answer in paper form I recommend starting from the last endorsement and working backward. It is common for large publicly-traded companies to have more than 20 endorsements on their D&O policy, changing a good portion of the base policy wording. You will likely see a “fines and penalties” exclusion (unfortunately not in the exclusion section,) hidden in the definition of Loss. However, there may be a ‘carve-back’ (an exception to the exclusion) for defence costs.

Before you do anything regarding affirmative insurance coverage for a CFPOA action, an examination of priorities is warranted. Meaning, what do all of the Insureds, or at least Classes of Insureds, want the policy to do? I have not seen a CFPOA exclusion used in Canada, and Canadian underwriters are not likely to take a knee-jerk reaction to the Niko CFPOA enforcement action. I have also not seen any specific CFPOA endorsements in the Canadian marketplace, but I am sure they are in the works. But, the “broadening” of coverage to include Loss based on CFPOA actions may not be in the best interest of all Insureds. There is usually only one limit of liability available and it is shared by every director, officer, employee and the corporate entity (including every subsidiary) for every individual allegation, investigation and lawsuit. Also, it is common that in the middle of a potentially large group of claims (or circumstances which could lead to a claim) policy limits are not renewed (refreshed) at the expiry of the policy and therefore the one limit of liability may be the only limit available for all of these parties and matters for many years.

Therefore, based on single aggregate limits, and the considerable number of parties and matters insured under a typical D&O insurance policy, a full understanding of how and where limits are shared should be a top priority for D&O buyers.

I try not to subject my readers to 2,000 words in a post, but this does not give the corporate governance, risk management and insurance spin the detail it deserves. Therefore, if you would like more details in these areas, or if you would like help understanding your D&O policy and its potential triggers (positive and negative) regarding CFPOA enforcement, notice obligations or risk of limit exhaustion, please don’t hesitate to call me directly.

Greg Shields is a D&O, Professional Liability and Crime insurance specialist and a Partner at the University and Dundas (Toronto) branch of Mitchell Sandham Insurance Services. He can be reached at gshields@mitchellsandham.com,  416 862-5626, or Skype at risk.first. And more details of risk and loss control can be found on the Mitchell Sandham blog at http://mitchellsandham.wordpress.com/

CAUTION: This article does not constitute a legal opinion or insurance advice and must not be construed as such. It is important to always consult a registered and truly independent insurance broker and a lawyer who is a member of the Bar or Law Society of the relevant jurisdiction with regard to this material before making any insurance or legal decisions. All material is copyrighted by Mitchell Sandham Inc. and may not be reproduced in any form for commercial purposes without the express written consent of Mitchell Sandham Inc. Anyone seeking to link this document from any external website must receive the consent of Mitchell Sandham Inc. by sending an e-mail to gshields@mitchellsandham.com.


D&O Liability and Governance Discussion Points:

February 18, 2011

XBRL:

Many directors and officers know nothing about the SEC deadline, of June 15, 2011, for foreign private issuers (XBRL.ca, here, says there are 350 in Canada) to meet interactive data reporting requirements (explanation of XBRL, here). I have not been able to develop an opinion on the potential ramifications of XBRL on Canadian governance and compliance risk, or on directors and officers liability, but, change never comes without some costs.

IFRS:

IFRS is for many people a thing of the past. But the repercussions on governance, risk management and D&O insurance have not even started and may not be known for years. The concern of D&O underwriters is the significant increase in reliance on management assumptions and estimates in corporate financial statements. Some accountants are suggesting that the number of notes to the financial statements will jump from 30 to 300. Others have even said that had Nortel been reporting under IFRS the corporate problems would have gone on much longer, and loss to stakeholders would have been much larger. This over disclosure will do far more harm than good, especially to directors. Disclosure and transparency is a good thing. But when it becomes overwhelming for investors, and even for professional analysts, the result will be more confusing and unreliable financial statements than before our current level of disclosure was mandated. The difference is that the over disclosure will allow more protection for “allegedly” negligent executives, and their outside auditors, accountants, analysts, investment advisors and lawyers, because when a professional liability lawsuit is launched they will be able to point to the four words (out of 10,000) in two obscure notes as their get out of jail free card. That escape from liability has a good chance of driving an increase in “risky” behaviour, and it leaves the shareholders, creditors, employees, suppliers, and the directors, holding the bag.

If you would like to receive more information please contact me, Greg Shields, Partner, Mitchell Sandham Insurance Service, gshields@mitchellsandham.com, or at 416 862-5626.



Risk Management is in the Details

December 8, 2010

 

The following article was written by Greg Shields specifically for the Official Newsletter of the Canadian Society of Physician Executives (CSPE), who have given us permission to republish it on our blog.

 

Risk Management is in the Details

Creation of the Risk Wiki or Corporate Risk Wiki

By  Greg Shields

In the CSPE’s March 2010 Newsletter Dr. Tardif used a great sports analogy, “Teams whose forwards constantly criticize their defense never win the cup.” His comparison to physicians criticizing managers is equally applicable to executives who ignore their Risk Managers.

There is no better example than Lehman Brothers’ colossal failure. In January 2008, they had an implied market cap of over $30 billion and, by September of that same year, they had lost 95% of their value and sought Chapter 11 bankruptcy protection, making it “the largest bankruptcy ever filed.” (see the Examiner’s Report, here, pg. 1; the examiner was Anton R. Valukas of Jenner & Block LLP, here)

The greatest problem with the concept that “those who forget the past are doomed to repeat it” (largely attributed to George Santayana) is that, to learn from past failures, we are forced to read things like the 2,280 page, 8,000 footnote (not including appendices) Lehman Brothers Holdings Inc. Chapter 11 Proceedings Examiner’s Report. I doubt that CSPE members have that much free reading time available. Therefore, I will provide my – personal, with no reflection on my company, the CSPE, or this publication, slightly biased and very crude – summary:

Arrogant, egotistical, omnipotent and arguably unsupervised executive officers were allowed to completely disregard one of the largest risk management teams in the world.

When I say “allowed,” I mean that it happened and, therefore, a confluence of factors allowed it to happen. Whether it is allowed from the context of legal liability may take many years and hundreds of millions of dollars to decide. But, as the examiner’s report uses the phrase “the Examiner does not find Colorable Claims that Lehman’s Senior Officers Breached” no less than 19 times, I suggest that it could be allowed again in the future.

Risk Management, much like its sister fields, actuarial sciences, engineering, insurance, human resources, finance etc., is built on details. Some people in every organization find these details boring or unworthy of their time, but almost every major corporate financial loss, from major oil spills to million- (or billion-) dollar employee fraud schemes, can be traced back to overlooked or disregarded policies and procedures. Unfortunately, such people can be found within every rank of every organization, but the odds of their attitude becoming pervasive will increase if it is held by senior management.

Here is a small example. Do you remember the days when you could pull the entire stereo out of your car, and bring it with you to keep it from getting stolen? My younger sister started using my car because I could not afford to bring it to university. When she called to break the news that the window was smashed and the stereo stolen, I asked why the stereo was in it. She said that she had been taking it out for months and months and “there were never any problems”, so she stopped. The task became boring and inconvenient, but, more important, it became inconsequential.

Risk Management is all about repetitive tasks and redundant functions. The problem is those terms are considered negative and have become synonyms of “unnecessary” and “extravagant.” That mindset may be difficult to overcome in non-life-threatening industries or with certain divisions like sales, customer service, administration and support, but, in an organization of physicians and leaders, there is at least the basis for understanding the importance of details, repetitive tasks and redundant functions.

Perhaps the only thing the Healthcare industry needs is regular reminders that consequential loss does not have to be human life to be important to the wellbeing of the organization and its people. Financial loss within an organization can still have catastrophic consequences. It may not be easy to quantify the downstream result of employee theft, loss of private information, or professional negligence lawsuits (not just medical but financial management, design, consulting, human resource, etc.) but they can ultimately lead to lost jobs, fewer nurses, fewer physicians, longer patient wait times and generally less money available for patient care and research.

It is human nature to protect our self-esteem by saying things like “it was an extremely sophisticated scheme” or a “very complicated product or technology” and “the resulting loss could not have been reasonably foreseen by anyone.” But often with a little digging, it is evident that standard procedures were not followed, bolts were not tightened, valves were not tested, background checks were not performed, management incentives were not aligned with desired results, complaints were not investigated, authority and reporting lines were not communicated, etc. etc. The systems or products may well have been complicated or technical and the loss significant, but many of the individual factors involved in the loss were neither technical nor significant.

Risk Management boils down to management attitude and enterprise-wide dedication to the function. Risk of loss can come from every department, division, product and service within a company. The tasks of identifying, assessing, prioritizing, controlling and monitoring risk must be split into many categories and actions. No one person or team can perform all risk management, and it cannot be performed in a vacuum.

But it is not an insurmountable task. Many organizations do not have the resources to have dedicated risk management staff, but that does not mean that the function should not be organized and communicated. Many risk-management functions are already being performed, and the primary function should be to collect, centralize, organize and communicate existing risk management activities.

So today, I am going to coin a new phrase – as a quick Google search suggests that I am the first to use it – and perhaps incubate a whole new corporate mentality, the Risk Wiki™ or Corporate Risk Wiki™ (please notice I have added the trademark symbol, so now everyone will need my permission to use the terms.) I know the term wiki is overused, but at least it might help get some “web play.”

If you believe Wikipedia, here, wiki is Hawaiian for “fast” and it is “a website that allows the easy creation and editing of any number of interlinked web pages via a web browser using simplified markup language.” But, I would like to stretch it to include all free sharing of information in a collaborative environment, where a large number of people can contribute relatively small amounts of content, based on their own unique knowledge, skills and experiences, without obvious ownership or immediate financial gain, to create a valuable tool. With specific reference to Enterprise Risk Management and the creation of a Corporate Risk Wiki™, a firm’s management can start to embrace the concept of enterprise-wide involvement in the management of risk. They could set up a central location, perhaps even a wiki or intranet site (behind a firewall, with appropriate security, authorization and review before posting), to define and communicate the risk management function, areas of concern and existing policies and procedures. From there, systems could be used to collect the policies and procedures, checklists, crisis management plans and other protocols that employees currently use in their day-to-day jobs and to allow them to comment on the use, value and areas of improvement for these policies. It could also be used to collect loss examples (preferably public ones and appropriately generic so as not to identify actual people or companies) from related operations so that employees can see the impact of losses and the cost of ignoring certain activities or cutting corners.

Like all references to risk management, it is much easier said than done. If I am invited back as a guest contributor to the CSPE newsletter, I would like to highlight specific risks, loss incidents and the loss control activities that could be considered. But for now, I have taken a more macro-view of risk management.

Risk within an organization can come in all shapes and sizes. The impact of financial loss can be immediately obvious and easy to quantify (e.g. a slip and fall in the lobby of your building) or can bankrupt an organization well before the loss was even known (e.g., theft by employees, faulty products, loss of employees.) If the loss is truly impossible to foresee, then that is a risk of doing business that most people are willing to accept. But if the loss is “there to be seen just for turning the page” (a reference to a precedent-setting employee fraud loss and a great example of insurance risk), the circumstances would be much more difficult for most good leaders to accept.

Greg Shields is a Partner with Mitchell Sandham Insurance brokers, an independent company providing commercial, private client and financial services insurance. He specializes in casualty products that address directors’ and officers’ risk, crime,  fiduciary liability,  professional errors and omissions and cyber / media risk. He provides insurance negotiation and risk consulting services, coverage and claims advice to small and medium-sized enterprises, multi-nationals and nongovernmental organizations. Greg can be reached at 416 862-5626 or gshields@mitchellsandham.com or follow his blog at http://mitchellsandham.wordpress.com



