Baker Tilly
Contact us
Looking in on a board meeting
Article

What you don't see is what you get: why governance matters

May 11, 2022
Overview

Stericycle disclosed in its August 2017 filing with the U.S. Securities and Exchange Commission (SEC) that it received a subpoena from the SEC in June 2017 “requesting documents and information relating to the company’s compliance with the Foreign Corrupt Policy Act (FCPA) or other foreign or domestic corruption laws concerning certain of the company’s operations in Latin America.” The Department of Justice (DOJ) also notified the company that it was investigating the matter in parallel with the SEC.

On April 20, 2022, the U.S. Department of Justice announced it had entered a three-year deferred prosecution agreement (DPA) with Stericycle Inc. to resolve allegations that it violated the FCPA.

The three-year DPA relates to behavior that occurred circa ten years ago and is the most significant FCPA action we have seen this year. The DPA does require an independent compliance monitor. This bribery scheme carried out by specific employees occurred in Brazil, Mexico, and Argentina. It involved sham third parties and secret spreadsheets, which laid out the bribes and labeled these payments necessary for debt collection services.

In this case, the root cause(s) may be linked to Stericycle’s poor corporate governance and failure to properly monitor key risks. Other contributing factors are rapid growth, lack of post-acquisition integration, a poor organizational and financial reporting structure, and the failure to implement a culture of compliance with proper controls. The DPA mentions that Stericycle strengthened its corporate governance “by appointing numerous new individuals to senior management and Board of Directors positions and establishing a Safety, Operations, and Environmental Committee to enhance Board oversight, but is silent on overall governance practices and the internal audit initiative. Isn’t the role of internal audit to provide an independent assurance that an organization’s risk management, governance, and internal control processes are operating effectively?

Background

Stericycle is a U.S. based business-to-business company that serves customers in the U.S. and 16 countries worldwide through its family of brands. They are a leading compliance-based solution provider that protects people and brands, promotes health and well-being, and safeguards the environment headquartered in Illinois. They specialize in medical waste management.

Stericycle admitted to a scheme involving the payment of bribes to foreign officials in Brazil, Mexico, and Argentina. Stericycle paid approximately $10.5 million in bribes to foreign officials in the countries mentioned herein to secure business contracts from which Stericycle profited by at least $21.5 million.

Specifically, between 2011 and 2016, hundreds of bribe payments were made to government officials in Brazil, Mexico, and Argentina. An executive at Stericycle’s Latin American division directed employees in the company’s offices in Brazil, Mexico, and Argentina to pay the bribes, usually in cash, based on a percentage of the value of an underlying contract. The co-conspirators tracked the bribe payments through spreadsheets and used code words to discuss the bribes, using such terms as “C.P.” or “commission payment” in Brazil; “I.P.” or “incentive payment” in Mexico; and “Alfajores” (a popular confection or cookie) or “I.P.” in Argentina.

Investigations

Stericycle resolved the investigations conducted by the Department of Justice, the Securities and Exchange Commission, and Brazil. Stericycle agreed to enter a three-year DPA and pay approximately $90 million for these actions. The DOJ decided to credit up to one-third of the criminal penalty against fines the company pays to Brazilian authorities.

Despite Stericycle’s extensive remedial efforts, the DOJ imposed a two-year independent compliance monitor because the company had not fully implemented or tested its enhanced compliance program.

The DOJ noted that Stericycle had a history of prior civil and regulatory settlements but no previous criminal history and, after considering several factors, agreed to discount the criminal penalty with a 25 percent reduction off the bottom of the applicable U.S. Sentencing Guideline range.

The Stericycle bribery misconduct is informative because of the numerous executives and employees and third-party vendors involved in the schemes. Stericycle’s Latin American division’s tone and conduct from the top was to engage and advance the business through bribery.

Key Takeaways and Thoughts
  • Compliance has become a critical corporate governance issue globally, and there is a trend of revamped Board oversight and monitoring duties.
  • Oversight focuses at the macro level on implementing policy, programs, and operations in compliance with laws and regulations.
  • Monitoring tracks progress in implementing functions, programs, and operations at the micro-level.
  • Corporate culture and compliance matters – Stericycle had what appears to be a weak compliance program. Also, there was no anti-corruption policy until 2016.
  • A robust compliance program is vital to prevent or deter misconduct, but the DOJ may also consider whether the compliance program is operationalized and tested when determining whether a compliance monitor is needed.
  • Internal Audit, Compliance, and Legal need to collaborate and work together to enhance Enterprise Risk Resiliency.
  • Third-party risk management – the procure-to-pay cycle needs to be carefully evaluated, appropriately designed with controls and effectively monitored.
  • How tight is your grip on cash – controls within the finance and treasury function should be evaluated to ensure there is proper segregation of duties, authorization, and reporting. We have learned from prior enforcement actions that cash payments of any kind are a Red Flag.
  • Sometimes, although radical, exiting a market or activity is necessary.
  • Replacing board members could bring new perspectives on managing risks.
Closing

Last October, in a virtual keynote address delivered at the American Bar Association’s Annual Conference on White Collar Crime, Deputy Attorney General (DAG) Lisa O. Monaco (Monaco) pledged a DOJ crack-down on white-collar crime. During her remarks, she announced three new actions. One related to cooperation credit, the second related to the company’s criminal, civil, and regulatory record, and the third was the DOJ’s use of independent corporate monitors.

In recent years, corporate monitorships have been more the exception than the norm. The Stericycle resolution underscores the significance of DAG Monaco’s October 2021 announcement and the DOJ’s more liberal use of independent compliance monitors – even on companies that fully cooperate and adopt extensive remedial measures. So, is Stericycle the beginning of a resurgence of the independent compliance monitor? Only time will tell.

We should all take note and pause to reflect on what DAG Monaco said when addressing the conference that “corporate culture matters, [and a] corporate culture that fails to hold individuals accountable, or fails to invest in compliance—or worse, that thumbs its nose at compliance—leads to bad results.”

Lastly, even though Stericycle identified specific bad actors and evidentially disciplined these employees, it will be interesting to see if the DOJ charges the individuals in this case.

For more information, or to learn how Baker Tilly’s fraud specialists can help your organization, contact our team.

Related sections

Aerial view of a highway interchange
Next up

Lessons from compliance and the intersection of enterprise risk management and internal audit

Go to articlearrowCreated with Sketch.