Sunny: Hello everyone. My name is Sunny McCall and I am Momentum’s Vice President of Content and Experience and Program Director of Momentum’s Upcoming Oil and Gas Compliance Exchange. It is my great pleasure to be here today with Matt Queler. Matt, welcome.
Matt: Good morning Sunny and thanks for having me today.
Sunny: It’s our pleasure. For our listeners today and by way of background, Matt is a principal in Deloitte Financial Advisory Services LLP, where he assists law firms and companies with internal investigations and Foreign Corrupt Practices Act (FCPA), fraud, False Claims Act, and other white collar matters before the Department Of Justice, Securities and Exchange Commission and foreign authorities. Matt also helps clients improve compliance programs, conduct pre-M&A and third party due diligence, and tackle post-deal integration. Previously, Matt was an Assistant Chief in the DOJ’s FCPA Unit, where he oversaw some of its most complex FCPA investigations and routinely assessed companies’ internal investigations, compliance programs, and remediation.
So Matt, let’s go ahead and just jump right in there, as just shared a few moments ago, immediately prior to joining Deloitte, I understand that you held some very prominent positions there in the FCPA unit of the Fraud Section in the Criminal Division. Reflecting now on your current role, as an advisor to companies who are often interacting with the Department in the context of investigations, negotiations, etc., what experiences would you say you rely most on from your time at the Section when offering guidance to current clients?
Matt: I was pretty lucky and thanks Sunny for the question. I was lucky because I sat in on probably hundreds of meetings between the DOJ, the SEC and the companies that were under investigation, and there I really saw the spectrum of how companies handled dealing with the Department of Justice and the SEC in terms of giving investigation updates on their internal investigations, talking about how the company scoped and carried out the investigation and also on their compliance presentations and their remediation efforts – how companies handled the remediation and what they were doing to improve their compliance programs. I think, more importantly, I saw the government’s response to what questions were asked, how those questions were answered, the internal discussions afterwards, in other words the reactions of the DOJ attorneys, the SEC enforcement staff and the FBI. So at least I think I was able to see a whole range of what worked and sometimes what didn’t work, and one of the things that we used to call it was that we were lucky enough to see the good, the bad and the ugly.
Sunny: Perfect. Now, building upon the prior question Matt, if you could identify the one biggest no-no companies often make when negotiating with the government, what would that be, and then conversely, if you could offer one piece of advice to companies, when approaching the government in the same regard and what would that be?
Matt: That’s also a great question and I will tell you it’s probably hard to come up with the biggest no-no because there really are so many, obviously, dealing with the Department of Justice and the SEC, they can be finicky. I think the biggest no-no for me is when companies approach with the wrong attitude. I think, for example, if you are going in thinking you are going to do just enough to get the government to go away or that all of this is a waste of time and a distraction of business, I think that’s probably the biggest no-no. I get that, I understand that. Companies want these matters to go away, they are expensive, they’re a distraction. They want to get back to their jobs, which is to make money for their shareholders and their owners. They want to keep their employees employed. They want to be successful. Unfortunately, many companies still see compliance as a cost center and certainly dealing with the government as a giant distraction. And they come in, they want to deal with the government and they only want to do the minimum necessary, to make the government go away. I can tell you that the government can tell the difference between companies seeking to placate the government and those that are serious and committed to change and improvement.
I can also tell you that companies are not as good at hiding their views as they think, and it comes out in their commitment, it comes out in the seriousness of their responses and it really comes out in their effort. Companies just, in a two-year, in a four-year, in a six-year investigation, with the number of meetings you have and the number of things that you need to do to keep the government happy, it’s really, really hard to hide that over all that time. And if the government gets any sense of that kind of perspective, it will really sour things for the company. So that’s what I would say is probably for me one of the big no-nos.
I think the second point, and again in terms of non-legal advice, because I am not here in that capacity, I think the one bit of advice I would give is don’t mix factual recitations and advocacy. What I mean by this is, there’s a time for objectivity and there’s also a time for advocacy. But if you are always mixing the two, you risk losing credibility with the government. I used to say when I was at the Department and the lawyers of the company were – I don’t want to say spinning but advocating over the facts – I used to always say let’s talk objectively about the underlying facts without spin and then let’s argue what it means. And the way I used to break it down is that there are facts and there are factual conclusions, there are also legal conclusions, but there’s a difference between the underlying raw facts and the factual conclusion. Some companies come in and they start arguing right away about the factual conclusion, sometimes it’s also a legal conclusion like there’s no jurisdiction. Before we’ve even had or the Department and the company has had an objective discussion about the underlying facts. That’s a problem. When companies come in and argue that the CEO for example didn’t know about X – whatever the issue is – but they aren’t objective about the underlying facts and there wasn’t a discussion about the underlying facts first, that’s often a problem.
And so the example I always give is, I think it’s a simple one – is the traffic light red or green? That’s a fact. But you reach that conclusion based on the underlying evidence. If a company comes in to the government and tells them that the traffic light is green and they don’t tell the government that they reached that conclusion because seven people said the light was green and three people said the light was red, and that the company believed the seven people over the three people, the company and its counsel could lose a lot of creditability. The government finds out that there are actually three witnesses out there who are saying that the light was red. Maybe the government chooses to believe the three witnesses more than the seven. Maybe the three witnesses were innocent bystanders and the seven were the buddies of the person who ran the red light and is sitting in the car with them. You can sort of see the analogy in conspiracy or fraud when there are a lot of people along for the ride and may have a motive that is less than pure. So, the point is, disclose the underlying facts, this witness said that, witness number two said Y, witness number three said Z, and then argue about the conclusions that should be drawn, the factual and legal one.
Sunny: Really interesting insights there, thank you Matt. Now, switching gears a little bit and thinking now about your interactions with current clients, specifically within the oil and gas sector, what would you say are the top three challenges that are most often voiced as obstacles to achieving effective compliance in their day to day operations, and then part two, what would your recommendations be for resolving these?
Matt: I think the first issue for me, what keeps coming up over and over again is resources, resources, resources. With the price of oil down and with a little bit of a contraction still in the industry, compliance budgets, frankly budgets for anything are really, really tight. Companies have slashed personnel, costs and budgets not just in the compliance area, but it’s particularly difficult to have to absorb X%, 20%, a substantial reduction in compliance resources when there’s really enormous pressure to do more and not less. I think what companies are trying to do in terms of resolving it, are learning how to do more with less, being more strategic with their compliance resources. I think there are many different risks that companies have to deal with, anti-corruption, sanctions, safety, environmental issues, even fraud.
And I would say as a side note, by the way, one thing that I think we see a lot of is that sometimes companies don’t take as much time looking at fraud as part of their overall risk assessment, that seems to be something that’s given a little less time and consideration. But the point is that there are a lot of risks and many companies up until this date have been very siloed in terms of addressing these risks. They have an anti-corruption program, they have an anti-fraud program, they have an environmental program, they have a safety program – different programs than the sanctions program entirely. And I think that leads to duplication on the one hand and it leads to gaps on the other hand. Obviously, duplication can be inefficient and gaps can be risky. I think there’s a movement to be more efficient in handling these different risks, figuring out where there’s overlap and reducing the redundancies as well as closing any gaps, and I think that’s how companies would be more efficient. I think there’s also more technologies and tools that are used these days to automate, to make things a little bit more efficient, cut down on sort of the person hours required to do some of the tasks that they need to do. So, I think that’s the first issue, resources.
I would say the second issue is still third parties, it’s still the single biggest risk that companies are facing. Third parties remain essential to business in so many jurisdictions particularly in oil and gas – whether it’s JV partners, local content requirements, understanding the bidding requirements of a particular country, but it still comes down to – do you know who you are dealing with and how they are actually doing business? And we’ve all talked about the importance of due diligence. I know that’s nothing that anyone needs to hear about. And due diligence can be enormously helpful but Unaoil had rigorous due diligence, so due diligence isn’t always going to solve your problems. I tell people and I used to tell people when I was at the government and I spoke a lot that due diligence was really only half the equation. Post retention monitoring is often given short shrift and companies probably need to do a little bit more to protect themselves on that side.
And that actually leads to my third challenge and what I think is actually part of the resolution for the third parties. The third challenge remains – to me – getting buy-in from the business people in terms of the importance of compliance. Companies where Compliance is seen as owning the risk where Compliance says yes or no on decisions rather than advising the business, to me that can be a problem. And the risk is, and to put it in the practical light, the risk is that when a manager in a business line has constant interactions with the third party, they may not have their antenna up. Why? Well, because Compliance has already cleared the third party, so they don’t have to worry, they’ve already passed. That’s Compliance’s problem, they dealt with it, I don’t have to worry about it anymore.
The solution there, and I think part of the solution for third parties, is that the business people have to own the risk. They have to have their necks on the line. They should have to make the decisions and they need to understand there are consequences if they are not paying attention. Compliance should advise but the business people really need to have sort of that skin in the game. And so, when they have endless interactions with third parties they have their antenna up. Let’s be realistic, the business people who interact with the third parties actually see how the business is done, not just look at the answers on the questionnaire or during an interview. Those business people have in many situations the best opportunity to observe troublesome behavior or red flags. And by ensuring that the business lines own that risk and really internalize that and understand that they own that risk, it encourages them hopefully to stay vigilant and to serve as the frontline of defense for prevention and detection of misconduct.
Sunny: Perfect, thank you Matt. And finally, going one step further and honing in on investigations specifically, have you discovered any commonalities or trends in compliance loopholes that are uncovered during the course of an internal investigation, and if so what trends have you found and what advice would you give to companies to get ahead of these issues?
Matt: That’s a great question. Let me answer it this way. I think that what I saw when I was at the Department, was that after third parties, the reason why companies ended up in front of the department or the SEC on FCPA issues was because compliance lagged behind a change in their risk profile. I would say that that comes down to the second most common reason that companies found themselves in hot water. When companies go through mergers or acquisitions, when they enter new markets or even expanding in the existing market, their risk changes and as a result of that change in risk, the old way that they handle compliance may no longer work, it may need a tweak, it may need a massive overhaul. And the way they tackle the anti-corruption risk for example in China may not work when they move into the Middle East. In the same way if 2% of a company’s business was through third parties in high risk markets, they may have a certain way of handling third party risk that maybe appropriate. But if over the next three years, it turns out that 20% of their business is now through high risk third parties, they may need to fundamentally change their way of tackling that risk even if they think they have an understanding of how to deal with high risk third parties in difficult markets.
When the compliance program lags, it often is too late. So, for example, if a company acquires a new target and the old CEO of that target stays on to run the new subsidiary, if that CEO was engaged in corrupt acts and continues such misconduct post-acquisition and it didn’t come up during the due diligence, if compliance only caught her two years later, two years after the acquisition, that misconduct is now under the company’s watch and this happens more often than you might think. I’d say that would probably be one of the biggest mistakes or commonalities that people were saying. And then I would say the second thing is really going back to companies that – what we were talking about earlier, doing things where the compliance people make the decision and the business leaders don’t own the risk. I think people are able to slip things past Compliance a lot more easily than when they convince the business people to take responsibility for that risk. When the culture of the company is that it is all our responsibility to protect the company, and not just say that but to really get the business people to understand that, I think that’s when companies start detecting and preventing more.
Sunny: Well, Matt, thank you so very much, it’s been a pleasure really to chitchat with you a bit here today. Really looking forward to hearing more from you at our upcoming Oil and Gas Compliance Exchange on September 26 in Houston but really just wanted to thank you again and looking forward to hearing more from you at the event.
Matt: That’s great, and thanks so much Sunny. It was a pleasure talking to you today and last year’s conference in Houston was fantastic. And I know it will be a great one in the month from now as well. So, thanks for having me and thanks for spending time with me today.
Sunny: Thanks so much Matt.