Ryan McConnell
We’ve all done it—forward an email on Foreign Corrupt Practices Act statistics to colleagues. I may be one of the worst offenders. The emails typically list the number of cases, whether the cases involved individuals or entities, settlement amounts, number of settlements, or countries involved.
Companies that take a risk-based approach to compliance collect internal and external metrics to track both the risk of a compliance failure and the risk of enforcement. FCPA statistics can show which industries are government enforcement priorities, the types of violations (e.g., whether they involve third parties), the economic consequences of violations, and a preview of future enforcement efforts. And with dedicated FCPA resources at both the Securities and Exchange Commission and the U.S. Department of Justice, it’s a good bet there will be plenty of FCPA cases in the immediate future—which means lots of new statistics.
But what about the countries involved in the cases? If there is a big corruption investigation involving a particular country or if a country is implicated in 10 percent of the cases in 2012, does that mean there is a greater risk of enforcement in that country in the future?
No. The problem with using FCPA enforcement statistics to evaluate compliance risk assessments is that just because violations occur in one country this year, it does not mean the same will be true next year. There is a uniform set of prosecution guidelines, but where a case arises and whether it will be prosecuted are extremely difficult to predict. Just because there were 12 FCPA enforcement cases in 2012 and two involved Mexico, that does not mean Mexico is a higher enforcement risk in 2013 than a country without any enforcement cases in 2012. There may be zero cases involving Mexico this year. Or there may be twice as many.
There are several metrics available to track enforcement risk in a country—ranging from internal data points, such as a company’s geographic footprint in the country and type of business activity, to surveys from operations that are designed to identify risks posed to the organization. Companies can also use external data points, such as whether countries enforce their own laws and survey information from organizations like Transparency International. The Organisation for Economic Cooperation and Development tracks country-specific anticorruption enforcement efforts in addition to data privacy cases and a wide variety of other information. External enforcement is particularly useful to evaluate data privacy risk, as many countries have robust data privacy laws but either do not enforce the laws or levy fines that are insignificant in comparison to the cost of some recommended data privacy protection measures. Trade control prosecution statistics revealing countries involved in U.S. prosecutions can show which countries are a nexus for sanctioned countries. But DOJ enforcement statistics are not nearly as helpful for evaluating the risk of enforcement in a given country.
Dr. Philip Tetlock, a professor at the University of Pennsylvania, wrote an influential book on political forecasting. In his book, Expert Political Judgment: How Good Is It? How Can We Know? (Princeton University Press, 2006), Tetlock notes that political observers stumble when they look for patterns in random events. According to Tetlock, “[f]orecasting accuracy suffers when intuitive causal reasoning trumps extensional probabilistic reasoning.” Because we are trained to look for patterns, when we see enforcement in a particular country or area we intuitively believe that this is relevant to future enforcement risk. Tetlock says the most accurate forecasters aggregate different types of information together to come up with a prediction. The least accurate fixate on a particular model and are dismissive of new information that undercuts their theory.
Tetlock’s analysis helps with risk prediction in the corporate compliance arena. Applying Tetlock’s theory, external surveys such as the Transparency International Corruption Perception Index would be more relevant than country-specific FCPA enforcement data. This is because Transparency International has revised its statistical modeling formula for 2012 and now includes data from 13 sources, each covering 16 to 175 countries with each country evaluated by at least three sources (and most using seven or eight). Pooling data from multiple sources increases the accuracy of the final result. A properly designed internal survey would also be similarly instructive.
Tetlock focuses on thinking about probability in the right way and improving predictions by remaining open to new data. Compliance professionals should too. The government tracks enforcement cases to show enforcement wins and successful prosecutions. We track enforcement cases because, as Tetlock points out, “[o]ur reluctance to acknowledge unpredictability keeps us looking for predictive cues.”
Recognize that a pattern—even when packaged as a data set—may be just a random event, like the likelihood of prosecution in one country as opposed to another or the chance that the power would go out in the Superdome during the Super Bowl. This year, ensure that your company focuses on data points that are indicative of both the risk of compliance failure and the risk of future enforcement.
Ryan McConnell is a partner at Morgan Lewis and former Assistant United States Attorney in Houston. Dr. Tetlock is a featured speaker at the University of Houston’s Ethics and Compliance Conference this summer. If you have something you’d like discussed in this column or have a data point for a risk assessment that you have found particularly instructive, email rmcconnell@morganlewis.com.
