FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.
Jan 31, 2017

John MacKessy, writing in the Finance Professionals’ Post, in a piece entitled “Knowledge of Good and Evil: A Brief History of Compliance,” noted that the FCPA and Environmental Protection Act (EPA) “prompted companies to develop internal resources that would actively monitor compliance with the laws, rules, and regulations of their industries.” The next step in the evolution of the compliance profession was the defense procurement scandals of the 1980s, where the industry’s sales of “$400 hammers and $600 toilet seats” to the US government led to the Defense Industry Initiative (DII). This industry-led initiative created “a set of principles endorsing ethical business practices and conduct” within the defense industry for its dealings with the US government.

The next step in the evolution of the compliance profession was the 1992 US Sentencing Guidelines which, for the first time, set out what the government would consider for credit in sentencing of organizations. Many credit these 1992 Sentencing Guidelines with the creation of the modern compliance profession. These guidelines included credit for “the specific elements of an effective compliance and ethics program. Companies that embarked on such programs would be eligible for more lenient sentences. To qualify as “effective,” a company’s compliance program would not only have to establish standards and procedures to prevent and detect criminal conduct, but would have to actively promote a culture encouraging ethical conduct and compliance with the law. The implementation of those guidelines in 2004 reflected the need for corporate boards to demonstrate knowledge of compliance programs and fulfillment of oversight responsibilities as part of monitoring the effectiveness of companies’ compliance and ethics programs.”

The next major step was the financial accounting frauds and scandals of the late 1990s and early 2000s, including Enron, WorldCom and Tyco. These scandals were so wide-ranging, with senior executives participating in, if not directing, the corporate fraud, that a new legislative response was required, and this response was the passage of the Sarbanes-Oxley Act of 2001 (SOX). Aaron Einhorn, writing in the Denver Journal of International Law & Policy, in an article entitled “The Evolution and Endpoint of Responsibility: The FCPA, SOX, Socialist-Oriented Governments, Gratuitous Promises, and a Novel CSR Code”, said, “sections 302 and 404 of SOX together require corporate executives to state their responsibility for designing internal controls, to create such controls, to assess and evaluate these controls, and to draw conclusions about their effectiveness… SOX specifically charges executive officers with internal controls duties.” Einhorn ends this section by noting, “internal controls have been transformed from a recitation of general duties lodged upon the corporation as a whole to a statement of specific duties imposed on corporate executives in particular.” This strengthened the compliance professional, who was called upon to design these internal controls.

The next major legislation which enhanced the compliance function was the Dodd-Frank Act of 2010, passed in response to the 2008 financial crisis. MacKessy pointed to the downfalls of Bear Stearns and Lehman Brothers as drivers of more compliance because they both “demonstrated the degree to which external risk events can create a loss of confidence resulting in permanent reputational damage and impaired shareholder value.” The legal and legislative response has been that companies should use risk-based programs as the basis to design, create and implement effective compliance programs. Joe Howell, Executive Vice President (EVP) for Workiva Inc., has gone further, drawing a straight line from the FCPA to SOX to Dodd-Frank in the development of the compliance function.

All of this means compliance is not going away, no matter what the law enforcement priorities of the new administration may be. Companies understand that compliance and business ethics have a role in driving business strategies and initiatives, and that more compliant companies are better run companies and, at the end of the day, more profitable because they have better controls. MacKessy ends his piece by stating that compliance programs “can provide multiple rewards - from risk mitigation, to reputational enhancement, to business strategy development.”

The compliance discipline is where the harmonic convergence occurs in a corporation. Whether it be specific tasks of making sales, vetting relationships or the spade work of creating policies and procedures, it is compliance that drives the discussion of how we should do business. The corporate compliance profession fulfills the business obligation in doing things the right way for, at the end, it will be the compliance profession which implements the requirements of compliance whether those requirements are anti-corruption laws such as the FCPA, the UK Bribery Act, Anti-Money Laundering (AML), export control, anti-trust regulations, or any other regulation that you can name. Equally importantly, the compliance profession is teaching corporations how to evaluate risks and the compliance profession leads that discussion. It is the compliance profession that is the most innovative in not only protecting corporations, but actually helping corporations do business, do business more efficiently, and do business more profitably.

Three Key Takeaways

  1. Doing compliance is Doing Business.
  2. Properly accomplished, compliance makes a business more efficient and more profitable.
  3. Use the Robert Gates example as a great illustration of how the FCPA means more business for US companies.

For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program.





Jan 31, 2017

In this episode I visit with Brad Davis, founder and CEO of TechIttoMe, a data and information governance firm. It assists clients with data privacy, security and other facets of information governance. Brad discusses compliance in the context of information governance and why having a data governance program is critical for both multi-national and domestic businesses, from the Fortune 100 down to the solo podcaster. It is a fascinating look into how the principles and processes of compliance work across multiple disciplines.

Jan 30, 2017

Today is the penultimate day of my 30 days to a better compliance program. Just as compliance programs sprang up, grew and began to evolve and mature in the middle of the last decade, the sophistication of the regulators has also increased. We most clearly see this in the appointment of the Department of Justice (DOJ) Compliance Counsel, Hui Chen.

With her initial public remarks, Chen provided insight into how she would consider the effectiveness of a compliance program. Her key point was that companies should operationalize their compliance program by tying it to functional disciplines within the company. This means that Human Resources (HR), Payment, Audit, Vendor Management and similar corporate disciplines should be involved in the operation of your compliance program in their respective areas of influence. Then, in April 2016, with the initiation of the DOJ Pilot Program around FCPA enforcement, the DOJ once again emphasized, under the remediation prong, the operationalization of a company’s compliance program as a key metric in determining benefits under the program. You must actually be doing compliance going forward.

This evolution in the DOJ’s thinking and the sophistication of its compliance program analysis is a clear response to how the market initially reacted to the requirement to have a compliance program back in the 2004 time frame. More recently, each Deferred Prosecution Agreement (DPA), in Schedule C under the details of a best practices compliance program, has required the company to take “into account relevant developments in the field and evolving international and industry standards” in upgrading its compliance program. This requirement has led companies to keep abreast of best practices and continually evolve their compliance programs. The DOJ, in turn, has upped its game and now requires companies to operationalize compliance.

Compliance is a service within your organization, yet under the operationalized model, compliance is a profit generator for a business. Just as law departments generate business by doing transactions, compliance can be viewed as delivering services not only to the business unit but also third parties with whom the company does business. This means not only traditional transaction partners such as sales agents, representatives and distributors but also joint venture (JV) partners, teaming partners and others. Compliance can deliver compliance related services to these third parties as a profit center. 

Doing compliance means doing business. There are multiple types of risks in a business: operational, regulatory and reputational, just to name a few. The effort to measure and then manage each of these risks can be led by the compliance function. The more efficiently these risks are measured (i.e. assessed), the more easily and efficiently they can be managed. This means the business is not faced with a binary 1/0 or Go/No Go decision on risk. If compliance moves into measuring and managing risk through the operationalization of compliance into the business unit, the process helps you do business more efficiently and with greater profitability.

Compliance is a platform that can make your company a better run organization and can also demonstrate the thoughtfulness and effectiveness of your compliance program should a regulator ever come knocking. This is because if you operationalize compliance into the fabric of your organization, compliance internal controls will touch every aspect of the employment experience in a way that is not obtrusive and will not slow down what you are trying to achieve.

Take compliance as a platform in HR. At every point in talent management, HR can insert compliance into the cycle. Those points include the pre-employment interview and screening, the interview process with progressively more senior management, the initial on-boarding process, the quarterly, semi-annual or annual performance review, the annual bonus review, assessment and award, promotions, and even the exit of an employee. The platform of compliance can record each of these touch points, and you now have an internal control burned into HR which is a compliance internal control. Further, if there is any attempt to circumvent or override one of these HR internal controls involving the hiring of a son or daughter of a foreign governmental official, a red flag can be raised and sent to the compliance function for further review.

Compliance is a marketing platform. Some attention has been paid to the use of compliance as a recruiting and hiring tool for millennials. One of the facts of their generation is they want to work at companies which are seen to be doing business ethically, all the while making money. Moreover, as Ethisphere demonstrates annually with its World’s Most Ethical Company awards, businesses which win those awards, on average, exceed the New York Stock Exchange (NYSE) blue chip average for profitability. It will be interesting to see the results of ISO 37001 certification on financial profitability. 

Compliance embraces public advocacy. The Volkswagen (VW) emissions-testing scandal is one of the largest corporate scandals of the past few years. One thing that makes the VW scandal so unique is that it is one of the few scandals where a company’s actions were so transgressive they damaged the reputations of its competitors. As a response to the VW scandal, Ulrich Grillo, President of the German industry association BDI, recognized that compliance is the answer. He urged companies to check their management processes, including compliance and control systems. He suggested one of the key questions to ask should be “Are we doing everything right?” When you have the President of a national industrial association saying compliance is the answer, you need to sit up and take notice.

Three Key Takeaways 

  1. You must work to operationalize your compliance program.
  2. You must keep your program evolving in light of regulatory change and industry practices.
  3. Compliance is a business process. 

For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program.





Jan 28, 2017

Employment separations can be one of the trickiest maneuvers to manage in the spectrum of the employment relationship. Even when an employee is aware layoffs are coming it can still be quite a shock when Human Resources (HR) shows up at their door and says, “Come with me.” However, layoffs, massive or otherwise, can present some unique challenges for the FCPA compliance practitioner. Employees can use layoffs to claim that they were retaliated against for a wide variety of complaints, including those for concerns that impact the compliance practitioner. Yet there are several actions you can take to protect your company as much as possible. 

Before you begin your actual layoffs, the compliance practitioner should work with your legal department and HR function to make certain your employment separation documents comply with the SEC prohibition on retaliatory language, which attempts to prevent employees from bringing potential violations to appropriate law or regulatory enforcement officials. If your company requires employees to be presented with some type of CA to receive a company-approved employment severance package, it must not have language preventing an employee from taking such action. But this means more than having appropriate or even approved language in your CA: you must counsel those who will be talking to the employee being laid off not to even hint at retaliation if they go to authorities with a good faith belief of illegal conduct. You might even suggest adding the SEC language to your script so the person leading the conversation at the layoff can get it right and you have a documented record of what was communicated to the employee being separated.


When it comes to interacting with employees, the first thing any company needs to do is treat employees with as much respect and dignity as is possible in the situation. While every company says it cares (usually the same companies which say they are very ethical), the reality is that many simply want terminated employees out the door and off the premises as quickly as possible. At times this will include an ‘escort’ off the premises, and the clear message is that not only do we not trust you, but do not let the door hit you on the way out. This attitude can go a long way toward starting an employee down the road of filing a claim for retaliation or, in the case of FCPA enforcement, becoming a whistleblower to the Securities and Exchange Commission (SEC), identifying bribery and corruption.

Treating employees with respect means listening to them and not showing them the door as quickly as possible with an escort. From the FCPA compliance perspective this could also mean some type of conversation to ask the soon-to-be parting employee if they are aware of any FCPA violations, violations of your Code of Conduct or any other conduct which might raise ethical or conflict of interest concerns. You might even get them to sign some type of document that attests they are not aware of any such conduct. I recognize that this may not protect your company in all instances but at least it is some evidence that you can use later if the SEC (or Department of Justice (DOJ)) comes calling after that ex-employee has blown the whistle on your organization. 

I would suggest that you work with your HR department to have an understanding of any high-risk employees who might be subject to layoffs. While you could consider having HR conduct this portion of the exit interview, it might be better if a compliance practitioner was involved. Obviously a compliance practitioner would be better able to ask detailed questions if some issue arose but it would also emphasize just how important the issue of FCPA compliance, Code of Conduct compliance or simply ethical conduct compliance was and remains to your business.

Finally, there are issues around hotlines, whistleblower and retaliation claims. The starting point for layoffs should be whatever your company plan is going forward. The retaliation cases turn on whether actions taken by the company were in retaliation for the hotline or whistleblower report. This means you will need to mine your hotline more closely for those employees who are scheduled or in line to be laid off. If there are such persons who have reported an FCPA, Code of Conduct or other ethical violation, you should move to triage and investigate, if appropriate, the allegation sooner rather than later. This may mean you move up research of an allegation to come to a faster resolution ahead of other claims. It may also mean you put some additional short-term resources on your hotline triage and investigations if you know layoffs are coming.

The reason for these actions is to allow you to demonstrate that any laid-off employee was not separated because of a hotline or whistleblower allegation but as part of your overall layoff scheme. However, it could be that you need this person to provide your compliance department additional information, to be a resource to you going forward, or even to be a witness that you can reasonably anticipate the government may want to interview. If any of these situations exist and you do not plan for their eventuality before you lay off the employee, said (now) ex-employee may not be inclined to cooperate with you going forward. Also, if you demonstrate that you are sincerely interested in a meritorious hotline complaint, it may keep this person from becoming an SEC whistleblower.

Three Key Takeaways

  1. Adjust your separation agreement language to meet current SEC requirements.
  2. Treat severed employees with respect.
  3. Monitor, triage and respond to the hotline timely, even if you have to move other resources to do so.

For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program.

Jan 27, 2017

Show Notes for Episode 37, week ending January 27, the Jeff Sessions’ edition 

  1. Brazilian Judge killed in plane crash. See article by Dick Cassin in the FCPA Blog.
  2. Two individuals charged in Och-Ziff matter. See article by Richard Cassin in the FCPA Blog.
  3. Trump announces White House Compliance Team. See White House Press Release.
  4. Jeff Sessions will continue robust FCPA enforcement. See Questions for the Record submitted January 17, 2017 from Senator Whitehouse in the nomination of Jeff Sessions to be Attorney General.
  5. $7MM whistleblower award by SEC to three persons and Whistleblower conference in NYC. See article in FCPA Blog and Tom Fox article on the Whistleblower Conference.
  6. China leads countries for 2016 FCPA cases and China announces 2 invoice requirement. See Tom Fox article in Compliance Week and Eric Carlson article in the FCPA Blog.
  7. Anything of value in FCPA cases. See Tom Fox article in Compliance Week.
  8. Jay Rosen Weekend Report on continued lessons from the Rolls-Royce global anti-corruption enforcement action in LinkedIn.

Jan 27, 2017

As it made clear with several FCPA enforcement actions in 2016, the SEC has placed a renewed interest in the accounting provisions of the FCPA, specifically the internal controls provisions. The BHP enforcement action continued this trend: although there was no evidence that bribes were paid or offered in violation of the FCPA, the poor internal compliance controls at BHP led to a $25MM fine. Indeed, Kara Brockmeyer, Chief, FCPA Unit, Division of Enforcement of the SEC, reiterated that the SEC was committed to protecting investors in US public companies and those which list other securities in the US through enforcement of the accounting provisions, including the internal controls provisions of the FCPA. The reason seems straightforward: a company with rigorous internal compliance controls is better able to prevent, detect and remedy any FCPA violations that may occur.

What can you do around the FCPA’s requirements for internal controls and current SEC emphasis? I would suggest that you begin with an exercise where you map the internal controls your company has in place to the indicia of the Ten Hallmarks of an Effective Compliance Program, as set out in the FCPA Guidance. While most compliance practitioners are familiar with the Ten Hallmarks, you may not be as familiar with standards for internal controls. I would suggest that you begin with the COSO 2013 Framework as your starting point.

As a lawyer or compliance practitioner you may not be familiar with all the internal controls that you have in place. This exercise would give you a good opportunity to meet with the heads of Internal Audit, Finance and Accounting (F&A), Treasury or any other function in your company that deals with financial controls. Talk with them about the financial controls you may already have in place. An easy example is employee expense reports. Every company I have ever worked at or even heard about requires expenses for reimbursement to be presented, in documented form on some type of expense reimbursement form. This is mandatory for IRS reporting; so all entities perform this action. See how many controls are in place. Is the employee who submits the expense reimbursement required to sign it? Does his/her immediate supervisor review, approve and sign it? Does any party in the employee’s direct reporting chain review, approve and sign? Does anyone from accounts payable review and approve, both for accuracy and to make sure that all referenced expenses are properly receipted? Is there any other review in accounts payable? Is there any aggregate review of expense reports? Is there a monetary limit over which additional reviews and approvals occur?

Now, if an employee has submitted expenses for activities that occurred outside the US, were any foreign government officials involved? Were those officials identified on the expense reimbursement form? Was the business purpose of the meal, gift or other hospitality recorded? Can you aggregate the monies spent on any one foreign official, or by a single employee, in your expense reporting system? All of these are internal controls that can be mapped to the appropriate prong of the Ten Hallmarks or other indicia of your compliance program.
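The expense-report questions above (required approvals in the reporting chain, a recorded business purpose whenever a foreign official is involved, and aggregation of spend per official and per employee against a review threshold) can be run as a detective control over the expense data itself. The following is an added example written for this page, not code from the podcast, the author or any expense system; the field names, the three-step approval chain and the two dollar thresholds are assumptions, and the expense lines are constructed sample data.

```python
"""Expense-report review control (illustrative, constructed example).

Flags individual lines that lack a required approval or that involve a
foreign official without a recorded business purpose, then aggregates spend
per foreign official and per employee so totals above a review threshold are
escalated for additional review.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ExpenseLine:
    report_id: str
    employee: str
    amount_usd: float
    country: str
    business_purpose: str
    foreign_official: Optional[str]   # official attending, if any (assumed field)
    approvals: Tuple[str, ...]         # signatures recorded on the form (assumed field)


# Assumed control parameters: who must sign, and when aggregates trigger review.
REQUIRED_APPROVALS = ("employee", "supervisor", "ap")
OFFICIAL_AGGREGATE_LIMIT_USD = 500.0
EMPLOYEE_AGGREGATE_LIMIT_USD = 2000.0


def check_line(line: ExpenseLine) -> List[str]:
    """Line-level checks: full approval chain, and a purpose whenever an official is present."""
    findings = []
    missing = [a for a in REQUIRED_APPROVALS if a not in line.approvals]
    if missing:
        findings.append(f"{line.report_id}: missing approval(s): {', '.join(missing)}")
    if line.foreign_official and not line.business_purpose.strip():
        findings.append(f"{line.report_id}: foreign official {line.foreign_official} "
                        "present but no business purpose recorded")
    return findings


def aggregate(lines: List[ExpenseLine]) -> Tuple[Dict[str, float], Dict[str, float]]:
    """Total spend per foreign official and per employee across all lines."""
    by_official: Dict[str, float] = defaultdict(float)
    by_employee: Dict[str, float] = defaultdict(float)
    for line in lines:
        by_employee[line.employee] += line.amount_usd
        if line.foreign_official:
            by_official[line.foreign_official] += line.amount_usd
    return dict(by_official), dict(by_employee)


def review(lines: List[ExpenseLine]) -> List[str]:
    """Run line checks and aggregate-threshold checks; return every finding."""
    findings: List[str] = []
    for line in lines:
        findings.extend(check_line(line))
    by_official, by_employee = aggregate(lines)
    for name, total in sorted(by_official.items()):
        if total > OFFICIAL_AGGREGATE_LIMIT_USD:
            findings.append(f"aggregate spend on official {name} is {total:.2f} USD, "
                            f"above {OFFICIAL_AGGREGATE_LIMIT_USD:.0f}: escalate for review")
    for emp, total in sorted(by_employee.items()):
        if total > EMPLOYEE_AGGREGATE_LIMIT_USD:
            findings.append(f"aggregate spend by employee {emp} is {total:.2f} USD, "
                            f"above {EMPLOYEE_AGGREGATE_LIMIT_USD:.0f}: escalate for review")
    return findings


# Constructed sample data: two dinners with the same official, one of them
# missing both the AP approval and a business purpose, plus two unrelated lines.
SAMPLE_LINES = [
    ExpenseLine("EXP-001", "alice", 180.00, "BR", "dinner, tender discussion",
                "official_A", ("employee", "supervisor", "ap")),
    ExpenseLine("EXP-002", "alice", 420.00, "BR", "",
                "official_A", ("employee", "supervisor")),
    ExpenseLine("EXP-003", "bob", 75.00, "US", "client lunch",
                None, ("employee", "supervisor", "ap")),
    ExpenseLine("EXP-004", "bob", 2100.00, "NG", "conference sponsorship",
                None, ("employee", "supervisor", "ap")),
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LINES):
        print(finding)
```

On the constructed data the control raises four findings: the missing AP approval and the missing business purpose on EXP-002, the aggregate of 600 USD on official_A, and the aggregate of 2,175 USD by bob. Each finding corresponds to one of the questions in the mapping exercise, which is what lets the control be tied back to a specific hallmark during the gap analysis.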

You can take this exercise through each of the five objectives under the COSO 2013 Framework and its attendant 17 Principles. From this mapping you can then perform a gap analysis to determine where you might need to implement internal compliance controls in your anti-corruption compliance program. This can lead to remedial steps. For example, you can recommend that procedures be written for all key compliance areas in which there are currently no procedures, and your existing procedures can be updated to include compliance issues and a clear definition of how controls are to be evidenced. Through this you can move from having detective controls in place to having preventive controls, whenever possible.

As a Chief Compliance Officer (CCO) or compliance practitioner, this is an exercise that you can engage in at no cost. You simply investigate and note what internal controls you have in place and how they may be a part of your anti-corruption efforts going forward. As I said last week, compliance is a straightforward exercise. This does not mean that it is easy; you do have to work at it so that you do not simply have a paper, “check the box”, program. But using the excuse that you have limited resources is simply an excuse, and a rather poor one at that. While the clear lesson from the BHP enforcement action is that you are required to have effective internal controls in place, by engaging in this mapping exercise you can figure out what you have and, more importantly, what internal compliance controls you do not have and need to institute.

Three Key Takeaways 

  1. Learn the internal controls your company currently has in place.
  2. Map your compliance internal controls to the COSO 2013 Framework.
  3. Use your gap analysis as a basis for remediation.

For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program.

Jan 26, 2017

Many Chief Compliance Officers (CCOs) and compliance practitioners struggle with metrics to demonstrate revenue generation. Most of the time, such functions are simply viewed as non-revenue-generating cost drags on the business. This may lead to compliance functions being severely reduced in this downturn. However, I believe such cuts would be short-sighted; they would actually cost energy companies far more in the short and long term.

In an economic downturn, I see two increasing compliance risks for companies. The first is that companies will attempt to reduce their costs by cutting their compliance personnel. A tangential but equally important component of this is that companies which do not invest the monies needed to beef up their oversight through monitoring or other mechanisms are setting themselves up for serious compliance failures. Moreover, what will be the pressure on the business folks of such companies to ‘get the deal done’? Further, if there is a 10% to 30% overall employee reduction, what additional pressures will be on those employees remaining to make their numbers or face the same consequences as their former co-workers?

I think both of these scenarios are fraught with increased compliance risks. For companies to engage in the behaviors I have outlined above would certainly bring them into conflict with the Ten Hallmarks of an effective compliance program as set out in the FCPA Guidance. For instance, on resources, the FCPA Guidance does not say that in a time of less income, when your compliance risk remains the same or increases, you should cut your compliance function. Indeed, it says the opposite: “Those individuals must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively.”

The FCPA Guidance speaks to an analysis from the DOJ side, which would presumably be a criminal side review. For instance, if a company cuts its compliance staff while its risk profile has not decreased, does this provide the required intent to commit a criminal act under the FCPA? Moreover, who would be the guilty party under such an analysis? Would it be the Chief Executive Officer (CEO) who ultimately decides we need a fixed percentage cut of employees or simply a raw number to be laid off? How about the department head (as in the CCO) who is told to cut your staff 10% or we will make the cuts for you? Or is it a company’s Human Resources (HR) department?

But there is a second reason that I believe energy companies’ risk profiles will increase in this industry-specific downturn. Unfortunately, it will come from those employees who survive the layoffs. They will be under increased pressure to do the jobs of the laid-off folks, so there will be a greater chance that something could slip through the cracks. If you are already working full time at one job and one, two or three other employees in your department are laid off, which job is going to get priority? Will you only be able to put out fires, or will you be able to accomplish what most business folks think is an administrative task?


But more than the extra work the survivors will have laid upon them will be the implicit message that some companies’ senior management may well lay down, that being Get the Deal Done. If economic times are tough, senior management will be looking even more closely at the sales numbers of employees. The sales incentive could very well move from a question of what will my bonus be if I close this transaction to one of will I be fired if I do not close this transaction. If senior management makes clear that it is bring in more business or the highway, employees will get that message.

Once again, where would the DOJ look to find intent? Would it be the person out in the field who believed he or she was told to bring in twice as much work, since there were half as many employees left after layoffs? Would it be the middle manager who is more closely reviewing the sales numbers and sending out email reminders that if sales do not increase, there may well have to be more cuts? What about the CEO who simply raises one eyebrow and says we need to hunker down and get the job done?

Three Key Takeaways


  1. Less personnel does not equal less risk.
  2. Do less with less.
  3. Increase your use of technological solutions to make your compliance program more efficient.

For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program.

Jan 26, 2017

2016 was more than simply the most robust year in Foreign Corrupt Practices Act (FCPA) enforcement. It was also a record year in Securities and Exchange Commission (SEC) whistleblower awards and additionally the year the SEC literally crashed through the $100 million mark for whistleblower awards under Dodd-Frank. It would therefore seem like a very propitious time for a well-rounded conference focusing solely on this issue. Fortunately for us in the compliance space, Financial Research Associates have answered the call with the Whistleblowers & Compliance conference to be held in NYC on February 27, 2016. Recently I was able to visit with Conference Chair, Gregory Keating, on the event.

Greg is the Chair of Choate Hall & Stewart LLP’s Labor Employment & Benefits and Whistleblower Defense Groups. His practice has three general areas. The first is compliance related and covers everything from conducting training for organizations to auditing their existing practices, policies and procedures, to assisting employers in making sure that everything is set up correctly to ensure a transparent environment. Second is the area of investigations, including those focusing on alleged wide-spread retaliation or wrongful conduct which whistleblowers bring to light. Third is litigation in the arena of whistleblower retaliation suits that are brought under a growing array of statutes, predominately Sarbanes–Oxley (SOX), Dodd-Frank, the False Claims Act, and others which prohibit retaliation.

Keating is very excited about the conference. He noted there will be a marquee group of speakers who come from a number of different arenas. Government officials from some of the most prominent agencies have agreed to speak. A group with an in-house perspective from some very prominent multi-national organizations, who are wrestling with and analyzing how best to respond to this changing climate, will weigh in and give their perspective. There will be some of the most prominent members of the defense bar, nationally and internationally, in this space. Last, but not least, there will be a number of extremely high profile plaintiff lawyers who practice either under Dodd-Frank or on the plaintiff side of retaliation against whistleblowers.

The conference will kick off with a deep dive into the whistleblower landscape, discussing its importance and why there is such deep water right now. It will canvass the expansion of whistleblower rights and remedies, focusing on recent court decisions that have come out and new legislation that continues to evolve. It will also look at what companies are doing specifically in response in this area.

I asked Keating if he might provide an example and he related that there has been a real proven attack on corporate agreements and policies which have the purpose or effect of muzzling whistleblowers. There have been, in the last year at least, almost half a dozen six figure civil money penalties imposed by the SEC. The conference will provide some concrete guidance and advice from both the in-house and defense bar perspective on how to avoid that minefield. Additionally, there will be some concrete advice flowing from some very, very recent Department of Labor (DOL) recommended best practices around how to have an effective compliance program, where they focus on the importance in this day and age of training.

A hot topic to be discussed is the current whistleblower retaliation trial of former Bio-Rad General Counsel (GC) Sanford Wadler. The conference will use this trial to consider the rising tide of in-house counsel and compliance professionals as the whistleblower. Keating said that other hot topics that will likely be addressed include whether whistleblowers can take confidential information in direct violation of a confidentiality agreement and nonetheless proceed as a whistleblower; whether would-be whistleblowers can engage in other opposition which is arguably unreasonable; and whether those whistleblower rights will trump otherwise legitimate company policies. Keating ended by stating “there is a lot in this space that is really sizzling now” and the conference agenda will reflect these very current topics.

The conference will feature government representatives from the SEC, the US Commodity Futures Trading Commission (CFTC) and the DOL. This is whistleblowing across the government spectrum and will allow the attendees to identify some of the issues which corporations across America are grappling with and provide some unique insights into how best to protect oneself in this rapidly changing climate.

No doubt to warm my heart as the nuts and bolts guy, there will be several panels dedicated to subjects such as how to do compliance, including training; drafting and creating effective employment separation, settlement and confidentiality agreements; and in-house audits. Of course there will also be coverage of hotline triage and response, together with presentations on how to set up a robust investigation protocol.

In short, if there is only one whistleblower conference you can attend, you should strongly consider this event. It will showcase regulators, the whistleblower defense bar, top corporate in-house compliance practitioners and GC types, and the plaintiff’s bar for whistleblower and retaliation cases. For any compliance practitioner, GC or lawyer, I think this will be a fabulous conference. I hope you will be able to attend.

Best of all, readers of this blog will receive a discount to the event. You can receive a 15% discount off the regular price by entering the Code CMP 161. For more information on the event, check out the website by clicking here.

Jan 25, 2017

Today, I consider the Holy Grail of compliance, Return on Investment (ROI), for your compliance program, through a very interesting article by Paul Healy and George Serafeim entitled “An Analysis of Firms’ Self-Reported Anticorruption Efforts”. In this academic paper, the authors looked not simply at the profitability of companies which had more robust anti-corruption compliance programs but also at the direct effect on the companies’ return on equity (ROE) in countries which were perceived to have a high incidence of corruption.

Not surprisingly, in countries with a low risk of corruption, there was not much difference in the sales growth for companies with robust anti-corruption compliance programs and those businesses which fell into the authors’ ‘cheap talk’ category. However, when it came to growth in countries which had a high propensity for corruption, there was a dramatic difference.

When quantitative types say, “The magnitudes of the estimated coefficients are economically interesting”, it is a HUGE deal. These findings are equally large and important for the CCO or compliance practitioner. The authors conclude by making several observations. First, companies which have more robust compliance programs are from countries which have more robust enforcement and monitoring. Second, the more robust your compliance program is, the lower your sales growth may be but the higher your overall return in a high risk country will be going forward. Finally, even if a company sustains high sales growth in a high risk country, if it does not have a robust compliance program the sales will drop off dramatically and may well lead to negative ROE.

All of this information points to companies which are on the Ethisphere list of the World’s Most Ethical Companies and their financial performance. They have better than average financial performance because they are better run. They are on this list because they have robust finance internal controls which include compliance internal controls. To mix metaphors, robust internal controls around compliance do not slow you down but allow you to go faster and move more safely into high risk countries.

So the next time some business type tries to say that following the law by having a robust FCPA anti-corruption compliance program in place, you can correct him. Spikes in sales in high-risk countries do not translate into sustained growth, and without an effective compliance program in place your company may actually lose money.

Key Takeaways

  1. Demonstrating ROI is the Holy Grail of compliance; use it.
  2. Compliance helps drive sales in high risk countries.
  3. Long term sales and profitability drop off when bribes are paid in high risk countries.

For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here.

Jan 24, 2017

In this episode I visit with Carlos Ayres, a founding partner at the Sao Paulo law firm of Maeda, Ayres & Sarubbi, about the state of anti-bribery compliance in Brazil, how the Brazilian legal and compliance communities view the Odebrecht global anti-corruption settlement, what US companies that have done business with Odebrecht and Petrobras over the past 10 years need to be doing right now, and the founding of his new law firm.

Jan 24, 2017

I often write about the nuts and bolts of an effective compliance program, but one of the most basic things that an effective compliance program must have is a compliance department that is present, so that employees can ask it the basic questions of compliance and receive an answer. I think to the DOJ and SEC this means a couple of things. First, and foremost, there must be the requisite number of resources dedicated to the compliance function. This means that a compliance department must be staffed with an appropriate number of compliance professionals to do the day-to-day basic work of compliance. Head count is always important in any corporation but there must be some minimum number of people in the compliance department to answer the phone or respond to email.

But, equally important to this resource issue is providing centralized assistance, and what the FCPA Guidance says is “to provide guidance and advice on complying with a company’s ethics and compliance program”. In other words, it is up to the corporation to have someone there to answer the phone, but once they are in that compliance department seat, they have to actually pick up the phone and respond. It is the responsibility of a compliance practitioner to provide guidance to company personnel who call in or email with questions. Following compliance policies and procedures is always important, but having a live person to answer questions or walk a non-compliance person through the process is a must.

In other words, if someone calls, not only does a compliance person have to be there, someone has to pick up the phone. How many times has a compliance department been called on a Friday afternoon, only to find that no one is there to answer the phone? But if someone is there, they have to actually pick up the phone and provide an answer. I have inveighed against the compliance function being “The Land of No”, but the situation I am discussing is where a compliance department does not or will not provide the basic answers to a person working out in the field.

The same concepts are a part of a best practices compliance program: someone must be around to pick up and answer the phone when it rings on Friday afternoon and provide some answers to the question(s) posed.

Three Key Takeaways

  1. Pick up the phone.
  2. Compliance cannot be The Land of No populated by Dr. No; leave that honor to the Law Department.
  3. The Justice Department now requires compliance expertise and competence of compliance practitioners as a part of a best practices compliance program.

For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here.

Jan 23, 2017

Earlier I considered the Compliance Oversight Committee. Today, I want you to consider another compliance committee which could positively impact your compliance regime, the Regional Compliance Committee, which is created at the regional level to create more direct ownership, accountability, and valuable transparency. This moves compliance down into all levels of the Company’s operations. This approach also significantly improves consistency of compliance execution, and helps to ensure that all business objectives are achieved in a legally compliant fashion.

This Regional Compliance Committee gives compliance a more thorough discussion at regularly occurring company operations meetings. The Regional Compliance Committee provides a communication structure designed to facilitate communication up the chain and down the chain. It can give a CCO a more direct set of eyes and ears closer to the ground. Finally, the Regional Compliance Committee gives the compliance function greater visibility within the organization because compliance has been moved further into the middle and lower levels of the organization on a daily basis.

One of the key elements of the Committee is its makeup, which is Region centric. The Committee members are such regional leaders as: (a) the Executive Vice President of the Region or equivalent; (b) the Compliance Director for the Region; (c) the Legal Director for the Region; (d) the HR Director of the Region; (e) the Finance Director of the Region and/or audit personnel located in the Region; (f) the Supply Chain Director of the Region; (g) the Sales Director of the Region; and (h) senior representatives of Operations in the Region.

The Regional Compliance Committee operationalizes compliance into the Company’s Regional operations where the business operates. This approach follows the Department of Justice mandate, articulated in the Department’s FCPA Pilot Program for companies to move the doing of compliance down into the business of the organization. The make-up of the Regional Compliance Committee, while including legal and compliance representatives, is also populated by representatives from other disciplines within the global organization, which allows a fuller, richer and more holistic approach to compliance advice.

It adds a dimension not often seen or even discussed in the compliance profession. The accountability and oversight down to the Regional level and the compliance monitoring, reviewing, assessing and recommending that is deemed to be necessary will provide additional endorsements up through the organization that it is actually doing compliance. The Regional Compliance Committee can provide a unique structure to perform these functions.

Key Takeaways

  1. A regional compliance committee can work to drive more efficient and more robust compliance into the region.
  2. All regional leaders should be on the committee.
  3. The regional compliance committee should liaise with other compliance committees.

For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here.

Jan 22, 2017

The Compliance Oversight Committee sits between the CCO and the Board’s compliance committee. The role of this Compliance Oversight Committee is to provide oversight and review of items such as third party approvals and renewals, requests for payments from third parties and significant gift, travel and entertainment requests from employees. There should be some type of oversight which can be reviewed on a monthly or quarterly basis as part of a company’s management of risk.

As far back as January, 2005, the Deferred Prosecution Agreement (DPA) entered into between the Department of Justice and the Monsanto Company provided for “the establishment and maintenance of a committee to supervise the review of (I) the retention of any agent, consultant, or other representative for purposes of business development or lobbying in a foreign jurisdiction”, or an Oversight Committee. The scope of this Oversight Committee is not fleshed out in the DPA. While many have focused on the Compliance Oversight Committee to monitor agents and other third party business representatives, the role of the Oversight Committee can be broader than simply agents and representatives. A major purpose of an Oversight Committee is to act as redundant backup to the books and records internal controls systems which are designed to detect violations of a company’s compliance program.

It should be clear that the role of the Compliance Oversight Committee is not to substitute its judgment for that of the CCO but rather to provide another level of review to make sure nothing slips through the cracks which might expose the company to unwanted risk. This can begin with a clear, written charter that sets out the functionality, goals, and parameters of the group. Moreover, the Compliance Oversight Committee should be reviewed on a periodic basis to determine its usefulness and effectiveness.

The Compliance Oversight Committee should be comprised of persons who are not subordinate to the most senior officer of the department or unit responsible for the relevant transaction, which means that senior management should be involved in the Compliance Oversight Committee. It would also indicate that more than one department should be represented on the Oversight Committee. This would include senior representatives from the Accounting (or Finance) Department, Compliance & Legal Departments and Business Unit Operations. The bottom line is that the CCO should chair a committee of her peers/senior level officers in a position to make decisions and marshal resources.

The Compliance Oversight Committee should be designed to review the highest risks to your organization. If your company’s highest compliance risk is third party relationships, you should focus your compliance committee resources on that issue. However, it is suggested that a company should incorporate both a pre-execution function and a post-execution management function in overseeing the full relationship with any third party. While this would necessarily focus on FCPA compliance, there should also be a commercial component to this function. The Compliance Oversight Review Committee should therefore review all documents relevant to the five-step lifecycle management of third parties.

The Compliance Oversight Review Committee is a key tool which can be utilized by a company to manage its risks. The books and records component of internal controls is one level of prevention and detection. The review by a Compliance Department of requests for travel, gifts and entertainment for foreign governmental officials, and of the lifecycle management of third parties, is also an important step in the prevention process. The Compliance Oversight Review Committee is another step which I believe can also act as a detect prong and should be employed by companies as an additional protection against any type of compliance and ethics violation slipping through the cracks to become a much larger problem down the road. Companies should implement a Compliance Oversight Review Committee and review the systems they have in place to detect risky conduct.

Key Takeaways

  1. Determine an appropriate committee membership.
  2. The committee is there to act as an extra set of eyes for the CCO, not to substitute its judgment.
  3. Determine the scope of items and issues to be reviewed by the committee.

For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here.

Jan 21, 2017

Under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The US Department of Justice (DOJ) Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment? Moreover, the FCPA Guidance requires a CCO to have direct access to the Board or an appropriate sub-committee. The Guidance also requires a tangible commitment from the top levels of an organization, starting with the Board of Directors that the company create an ethical culture.

At the Board of Directors level, a Board Compliance Committee can devote itself exclusively to non-financial compliance, such as FCPA compliance. While many companies have fulfilled these obligations through an Audit Committee, clearly the better practice is to have a separate Compliance Committee. The reason is clear: compliance has become not only central to any well-run business but is critical to overseeing a wider variety of risks than the typical Audit Committee has experience with, which is usually aimed only at financial risks.

The Board Compliance Committee should begin its inquiry with a basic question: ‘How do we know it is working?’ In other words, is a company’s compliance program living up to the hallmarks of an effective compliance program in the eyes of the government? Here I lay out four areas of more specific inquiry.

The Board Compliance Committee should obtain information on the processes to carry out the compliance function, rather than details on specific compliance issues. They need to understand that there is a single individual or internal corporate discipline keeping track of the compliance function and making sure that it is being handled properly. They need to understand that there is a system in place that keeps track of compliance requirements.

Another area of interest for the Board Compliance Committee is hotlines or other internal reporting mechanisms. Here, the Board Compliance Committee needs to know details about both inbound issues and the responses thereto. On the inbound side this means details about who answers the reports that come in, either via email or phone, how this information is triaged and in what time frame. It also requires an understanding of whether the reporting system is truly anonymous, with no use of caller-ID or GPS tracking.

The next series of questions deals with the responses to any information which comes to the attention of the company, including such basic inquiries as: how are the reports classified and routed? Who gets notified for what types of calls? How is the investigative process divided among various functions, or is it outsourced? Finally, what is the response rate and response time?

The Board Compliance Committee must know who is accountable and responsible for each segment of a compliance program. They should obtain assurance that the compliance function has developed a charter that makes it clear to them where obligations fall across management, so they can assess accountability. An effective Board Compliance Committee will allow management to do their job of running the business on a day-to-day basis, understanding that its own job is to set long-term strategy.

Strategic planning is another area well suited for oversight by a Board Compliance Committee. For such a committee to be both effective and informed it must have an appreciation of where the corporate compliance function stands not only at the present moment, but also have a strategic plan for how the compliance and ethics program can continue to grow. Similarly, Stephen Martin, a partner at Arnold and Porter, has long advocated a 1-3-5-year compliance game plan. However, a Board Compliance Committee should demand the compliance function be nimble enough to respond to new information or actions, such as mergers or acquisitions, divestitures or other external events. If a dynamic changes, you want to get your board’s attention on the changes which may need to happen with the [compliance] program.

Today’s regulatory climate and hyper-transparency in social media make a Board Compliance Committee’s task seem Herculean. But more than simply the regulatory climate, shareholders are taking a much more active role in asserting their rights against Boards of Directors. It is incumbent that Boards seek out and obtain sufficient information to fulfill their legal obligations and keep their company off the front page of the New York Times, Wall Street Journal or Financial Times, just to name a few, to prevent serious reputational damage. A Board Compliance Committee is a good place to start.

Key Takeaways

  1. This committee exists to provide oversight and assist the CCO, not to substitute its judgment for that of the CCO.
  2. This committee should work to hold the CCO accountable to hit appropriate metrics.
  3. This committee is ideal for leading the efforts around strategic planning.

For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here.


Jan 20, 2017

Show Notes for Episode 36, week ending January 20, the Jeff Bagwell in the Hall of Fame edition

  1. Jeff Bagwell admitted into the Hall of Fame. See article in Houston Chronicle.
  2. Rolls Royce: stunning $800MM global settlement, including resolutions with the UK SFO, DOJ and Brazilian authorities. See Tom’s blog posts on the FCPA Compliance and Ethics Report, Part I and Part II.
  3. Orthofix: another recidivist FCPA enforcement action. See the FCPA Blog.
  4. Las Vegas Sands concludes its FCPA enforcement action. On the FCPA Blog.
  5. Jay’s question answered. See Tom’s blog post on the FCPA Blog.
  6. NFL Conference Championship Predictions

Jan 20, 2017

Every Board of Directors needs a true compliance expert sitting on their Board. Almost every Board has a former Chief Financial Officer (CFO), former head of Internal Audit or persons with a similar background, and oftentimes these are also the Audit Committee members of the Board. Such a background brings a level of sophistication, training and subject matter expertise that can help all companies with their financial reporting and other finance based issues. So why is there not such compliance subject matter expertise at the Board level?

An arm of the US government has recognized the need for such expertise at the Board level. In 2015 the Office of Inspector General (OIG) called for greater compliance expertise at the Board level. The OIG said that a Board can raise its level of substantive expertise with respect to regulatory and compliance matters by adding a compliance member to the Board. The presence of such a compliance professional with subject matter expertise on the Board sends a strong message about the organization’s commitment to compliance, provides a valuable resource to other Board members, and helps the Board better fulfill its oversight obligations.

Mike Volkov looked at it from both a practical and business perspective and has stated, “I have witnessed firsthand that companies that have a board member with compliance expertise usually have a more aggressive and effective compliance program. In this situation, a Chief Compliance Officer has to answer to the board for the company’s compliance program, while receiving the resources and support to accomplish compliance tasks.”

Roy Snell sees it through the prism of the compliance profession and has said, “If you ask most companies if they have compliance expertise on their Board… most would say yes. When asked who the compliance expert is they typically point to a lawyer, auditor, risk manager, or an ethicist. None of these professions are automatically compliance experts. All lawyers have different specialties.” He goes on to state that what regulators want to see is specific compliance expertise at the Board level. He noted, “what the government is looking for is not generic compliance expertise. They are looking for compliance program management expertise.”

Hui Chen, the DOJ Compliance Counsel, has continually talked about the need for companies to operationalize their compliance programs. She intones that businesses must work to literally burn compliance into the fabric and DNA of their organization. Having a Board member with specific compliance expertise, heading a Board level Compliance Committee, can provide a level of oversight and commitment to achieving this goal. It will not be long before the DOJ and SEC begin to require this step in any FCPA enforcement action resolution. This means that when your company is evaluated by Chen, under the factors set out in Prong Three of the FCPA Pilot Program, to retrospectively determine if your company had a best practices compliance program in place at the time of any violation, you need to have not only the structure of the Board level Compliance Committee but also the specific subject matter expertise on the Board and on that committee.

Key Takeaways

  1. Boards must have compliance expertise.
  2. Government regulators and shareholder groups have both called for greater compliance expertise at the Board.
  3. Compliance expertise at the Board works up and down as such expertise can be a resource to both the CCO and compliance department.

For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here.

Jan 19, 2017

In this episode I visit with Jonathan Armstrong about the UK portion of the Rolls-Royce global anti-corruption settlement. We discuss the UK Deferred Prosecution Agreement, how it came about, what it might mean for the Serious Fraud Office going forward and how the judicial review of the UK DPA process adds a level of transparency not seen in the United States DPA practice.

For more on the Rolls-Royce settlement see:

  1. Cordery Compliance client alert, click here
  2. FCPA Compliance Blog articles on the settlement, Part I and Part II

Jan 19, 2017

Continuous improvement requires that you not only audit third parties but also monitor whether employees are staying with the compliance program. In addition to the language set out in the FCPA Guidance, two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.

Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. Many compliance practitioners understand you should be checking in routinely with local finance departments in your foreign offices to ask if they have noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries in which they manage. These ongoing efforts demonstrate that your company is serious about compliance.

Yet ongoing monitoring is not limited to the financial component of compliance. The concept is straightforward: at regular intervals you can sweep through your company email database for identified key words that can be flagged for further investigation, if required. The beauty of this approach is that it does not require an extensive eDiscovery software tool or license purchase. It can generally be accomplished in two days or less. Also, it is not limited to anti-corruption compliance but extends to any of the risk factors identified for your company.

The objective of this approach is to ‘find the smoke’ which may be evidence of a compliance breakdown (and related fire): sweeping through emails uncovers those that may contain real issues. From this starting point, you can assess and prioritize, by checking and verifying that there are issues worth investigating. From here you can identify the issues you want to investigate first. Further, and if warranted, you can invoke your investigation protocol, with all the requisite protections and safeguards.

In addition to the cost effectiveness of this approach, in that you are only paying for the services when you need them and as they are delivered, this approach satisfies the Tom Fox mantra of Document, Document, and Document because everything you have done can be verified and audited. Finally, as the regulators continue to evolve in their understanding and appreciation of a best practices compliance program, you will evolve your compliance program to a new level of detection that could well allow you to have a more robust prevent mode. When your compliance program has a strong prevent prong, it can be the most effective way to stave off issues before they become Foreign Corrupt Practices Act (FCPA) violations.

Continuous improvement through continuous monitoring will help keep your compliance program abreast of any changes in your business model’s compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance program is a continuously evolving organism, just as your company is continually improving its business processes. The FCPA Guidance makes clear the “DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines. Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improvement and sustainability.”
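The keyword sweep described above, written out as an added example rather than code from the original post: a small Python script that scans a handful of constructed email records for terms grouped by risk category, scores and ranks the hits so the highest-risk messages are reviewed first, and writes an audit record of what was scanned and with which terms, which is the Document, Document, Document point. The risk categories, keyword lists and sample messages are all constructed for illustration and would be tuned to your own risk assessment and read from your own mail archive.

```python
"""Keyword sweep over an email corpus for compliance monitoring.

Added example, not code from the original post. The email records and
keyword lists below are constructed for illustration; a real sweep would
read from the company's mail archive and use terms tuned to its own risks.
"""
import hashlib
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Risk categories -> (weight, indicative terms). Constructed for the example.
KEYWORDS = {
    "corruption": (3, ["facilitation payment", "grease", "commission",
                       "expedite fee", "gift for the minister"]),
    "books_and_records": (2, ["off the books", "reclassify",
                              "split the invoice", "no receipt"]),
    "concealment": (2, ["delete this", "don't put in writing",
                        "use my personal email", "keep this between us"]),
}

@dataclass
class Email:
    msg_id: str
    sender: str
    recipient: str
    sent: str      # ISO-8601 timestamp
    subject: str
    body: str

@dataclass
class Hit:
    msg_id: str
    score: int
    categories: list
    matched_terms: list
    excerpt: str

def _compile(keywords):
    """One case-insensitive regex per category; word boundaries keep
    'commission' from matching inside 'decommission'."""
    compiled = {}
    for cat, (weight, terms) in keywords.items():
        pattern = r"\b(?:" + "|".join(re.escape(t) for t in terms) + r")\b"
        compiled[cat] = (weight, re.compile(pattern, re.IGNORECASE))
    return compiled

def sweep(emails, keywords=KEYWORDS):
    """Return a Hit for every email matching any term, highest score first."""
    compiled = _compile(keywords)
    hits = []
    for e in emails:
        text = f"{e.subject}\n{e.body}"
        score, cats, terms, first = 0, [], [], None
        for cat, (weight, rx) in compiled.items():
            found = rx.findall(text)
            if not found:
                continue
            cats.append(cat)
            terms.extend(t.lower() for t in found)
            score += weight * len(found)
            m = rx.search(text)
            if first is None or m.start() < first.start():
                first = m
        if score:
            start = max(0, first.start() - 30)
            excerpt = text[start:first.end() + 30].replace("\n", " ")
            hits.append(Hit(e.msg_id, score, cats, terms, excerpt))
    hits.sort(key=lambda h: (-h.score, h.msg_id))
    return hits

def audit_record(emails, hits, keywords=KEYWORDS):
    """Document the sweep: when it ran, what was scanned, which terms, what hit."""
    digest = hashlib.sha256(
        "\n".join(sorted(e.msg_id for e in emails)).encode()).hexdigest()
    return {
        "run_at": datetime.now(timezone.utc).isoformat(),
        "messages_scanned": len(emails),
        "corpus_digest": digest,
        "keyword_sets": {c: terms for c, (_, terms) in keywords.items()},
        "hits": [h.__dict__ for h in hits],
    }

# Constructed sample messages (not real correspondence).
SAMPLE_EMAILS = [
    Email("m1", "sales.br@example.com", "agent@example.net", "2016-11-02T09:15:00",
          "Customs clearance",
          "The agent says a small facilitation payment will expedite clearance. "
          "Keep this between us and don't put in writing."),
    Email("m2", "finance.cn@example.com", "sales.cn@example.com", "2016-11-03T14:02:00",
          "Q3 close",
          "Please reclassify the consulting fee and split the invoice so each "
          "stays under the approval limit."),
    Email("m3", "hr@example.com", "all@example.com", "2016-11-04T08:00:00",
          "Facilities", "We will decommission the old printers next week."),
]

if __name__ == "__main__":
    found = sweep(SAMPLE_EMAILS)
    print(json.dumps(audit_record(SAMPLE_EMAILS, found), indent=2))
```

Run as-is it ranks m1 (a corruption term plus two concealment phrases) above m2 (two books-and-records phrases) and ignores m3, where "decommission" does not trip the "commission" term because of the word-boundary match. Hits are a starting point for the assess-and-prioritize step, not a finding; the audit record is what lets you show later what was swept and why.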

Three Key Takeaways

  1. Ongoing employee monitoring is a standard tool of an effective compliance program.
  2. Focus your email sweeps on a high risk product, business unit or region.
  3. Use your findings. Review, analyze and act.

Jan 19, 2017

Show Notes for Episode 5, Year End Review, Part II

We turn to the 2016 year in review, in this Part II of a two-part series.

Jonathan Armstrong leads a discussion on Privacy Shield and the information and data privacy issues of the past year.

Mike Volkov relates what he saw as the top enforcement highlights from 2016, the block-buster year for FCPA fines and penalties and the growing trend of globalization of enforcement. Matt Kelly discusses the arrival of front pay and the general escalation of retaliation risk for companies vis-à-vis whistleblowers, ideas on auditing corporate culture, and what types of data and information should go on a compliance dashboard.

 For Matt’s posts on these topics see the following:

  1. Another Front in Retaliation Risk: Front Pay
  2. Ideas on Auditing Organizational Culture
  3. What Goes on a Compliance Dashboard?

 Rants will return next week. 

The members of the Everything Compliance panel include:

  • Jay Rosen (Mr. Translations) – Jay is Vice President of Legal & Corporate Language Solutions at United Language Group. Rosen can be reached at
  • Mike Volkov – One of the top FCPA commentators and practitioners around, and the Chief Executive Officer (CEO) and owner of The Volkov Law Group, LLC. Volkov can be reached at
  • Matt Kelly – Founder and CEO of Radical Compliance and the former Editor of the noted Compliance Week. Kelly can be reached at
  • Jonathan Armstrong – Rounding out the panel is our UK colleague, an experienced lawyer with Cordery in London. Armstrong can be reached at



Jan 18, 2017

One of the more prescient authors I know is Ryan C. Hubbs, who in 2014 wrote an article for Fraud Magazine entitled "Shell Games". Shell companies come in different shapes and sizes. Shelf companies are those formed and then left unused for a long period of time; this provides the facade of an established, long-standing business. This type of fraud also needs directors and nominees to fill out the package and provide the aura of legitimacy. The final area of concern is the 'hot spot', a single location which is the registered home for multiple shell companies.

In your basic research do not limit your search to the International Consortium of Investigative Journalists' database of companies listed in the Panama Papers themselves. That database is reported to list only 5-7% of the world's shell companies. Some of the basic questions can be answered from your own data and information, such as mismatches between a third party's address, phone, fax, ship-to, bank and cell contact details. Also review incoming and outgoing wire transfer documents to determine whether payments are being forwarded to, or received from, an unrelated third party.

Some specific reviews and steps you can take using public source information include the following:

  1. Review web history. In this day and age, if a company or person does not have an active, up and running website, it should immediately raise a red flag.
  2. Run public records searches to identify owners and track them to known associates. There is a wide variety of information which a competent due diligence provider can search. Public records are an important source for linking entities and individuals.
  3. Map the network. This is a key step, as you must be able to document the linkage between all the information uncovered. Map every scrap of information you find.
  4. Use WHOIS lookup for domain ownership. Using WHOIS lookup services (together with a DNS lookup for the hosting IP address) you can discover such information as domain ownership, the registrant's contact details and physical address, the administrative contact, the registrar, and, most usefully, the domain creation date. Bear in mind that many registrars now mask registrant details behind privacy services, so a redacted registrant is not by itself proof of a shell; a creation date only weeks before a vendor's first invoice is the stronger signal.
  5. Evaluate online presence. Shell incorporators have difficulty fabricating an active and robust online presence because these companies do not really operate. Indicia of online authenticity include a properly designed website with other online content referring to it, periodic and regular updates of information, and legitimate email addresses for contacting the company which are associated with the company's own domain.
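The checks above (data mismatches in your own vendor master, shared 'hot spot' addresses, and WHOIS creation dates) can be run mechanically over a vendor file before anyone opens a browser. The following is an added example, not code from the original post or from Hubbs' article; every vendor record, address, phone number, domain and WHOIS text in it is constructed for illustration, the dial-code table and the 90-day domain age threshold are assumptions, and in practice the WHOIS text would come from a live lookup rather than a dictionary.

```python
"""Screen a vendor master for the shell-company indicators described above.

All vendor records and WHOIS text here are constructed for illustration and
describe no real company. Checks implemented:
  hot spot   - one address shared by several supposedly unrelated vendors
  mismatch   - phone, bank or payee data pointing away from the registered entity
  young site - domain created only days before the vendor's first invoice
"""
import re
from collections import defaultdict
from datetime import date, datetime

# Assumption: phone numbers are stored in E.164 form; table covers sample data only.
DIAL_CODES = {"+1": "US", "+44": "GB", "+507": "PA", "+971": "AE"}


def normalize_address(addr):
    """Collapse suite/unit variations and punctuation so near-duplicates match."""
    a = re.sub(r"\b(?:suite|ste|unit|oficina|office)\b\s*\w+|#\s*\w+", "", addr.lower())
    return " ".join(re.sub(r"[^a-z0-9]+", " ", a).split())


def phone_country(phone):
    """Longest-prefix match of the dialling code to a country."""
    for prefix, cc in sorted(DIAL_CODES.items(), key=lambda kv: -len(kv[0])):
        if phone.startswith(prefix):
            return cc
    return None


def parse_whois_creation(whois_text):
    """Pull the creation date out of a WHOIS record (registrars label it differently)."""
    m = re.search(r"(?:Creation Date|Registered On|created):\s*(\d{4}-\d{2}-\d{2})",
                  whois_text, re.IGNORECASE)
    return datetime.strptime(m.group(1), "%Y-%m-%d").date() if m else None


def find_hot_spots(vendors):
    """{normalized address: [vendor ids]} for addresses used by more than one vendor."""
    by_addr = defaultdict(list)
    for v in vendors:
        by_addr[normalize_address(v["address"])].append(v["id"])
    return {a: ids for a, ids in by_addr.items() if len(ids) > 1}


def field_mismatches(v):
    """Flag fields that disagree with the vendor's registered country or name."""
    flags, cc = [], v["country"]
    pc = phone_country(v["phone"])
    if pc and pc != cc:
        flags.append(f"phone prefix is {pc}, registered in {cc}")
    if v["bank_country"] != cc:
        flags.append(f"bank account in {v['bank_country']}, registered in {cc}")
    if v["payee"] != v["name"]:
        flags.append(f"payments directed to unrelated payee '{v['payee']}'")
    return flags


def screen_vendors(vendors, whois_by_domain, max_domain_age_days=90):
    """Run all checks; returns {vendor id: [flag strings]} for flagged vendors only."""
    findings = defaultdict(list)
    for ids in find_hot_spots(vendors).values():
        for vid in ids:
            findings[vid].append(f"address shared with {[i for i in ids if i != vid]}")
    for v in vendors:
        findings[v["id"]].extend(field_mismatches(v))
        created = parse_whois_creation(whois_by_domain.get(v["domain"], ""))
        if created is None:
            findings[v["id"]].append("no WHOIS record for domain / no web presence")
        else:
            age = (v["first_invoice"] - created).days
            if age < max_domain_age_days:
                findings[v["id"]].append(f"domain created only {age} days before first invoice")
    return {vid: f for vid, f in findings.items() if f}


# Constructed sample vendor master (three vendors) and constructed WHOIS output.
VENDORS = [
    {"id": "V100", "name": "Acme Industrial Supply", "country": "US",
     "address": "120 Main St, Suite 400, Houston, TX", "phone": "+17135550100",
     "bank_country": "US", "payee": "Acme Industrial Supply",
     "domain": "acme-industrial.example", "first_invoice": date(2016, 9, 1)},
    {"id": "V201", "name": "Meridian Consulting SA", "country": "PA",
     "address": "Calle 50, Edificio Global, Oficina 12, Panama City", "phone": "+441632960123",
     "bank_country": "AE", "payee": "Meridian Consulting SA",
     "domain": "meridian-consult.example", "first_invoice": date(2016, 11, 15)},
    {"id": "V202", "name": "Isthmus Advisory Ltd", "country": "PA",
     "address": "Calle 50 Edificio Global #15 Panama City", "phone": "+5072123456",
     "bank_country": "PA", "payee": "Harbor Holdings LLC",
     "domain": "isthmus-advisory.example", "first_invoice": date(2016, 12, 1)},
]
WHOIS = {
    "acme-industrial.example": "Domain Name: ACME-INDUSTRIAL.EXAMPLE\nRegistrar: Example Registrar, Inc.\n"
                               "Creation Date: 2009-03-12T14:02:11Z\nRegistrant Organization: Acme Industrial Supply\n",
    "meridian-consult.example": "Domain Name: MERIDIAN-CONSULT.EXAMPLE\nRegistrar: Example Registrar, Inc.\n"
                                "Creation Date: 2016-10-20T09:15:00Z\nRegistrant Organization: REDACTED FOR PRIVACY\n",
}

if __name__ == "__main__":
    for vid, flags in screen_vendors(VENDORS, WHOIS).items():
        print(vid, *flags, sep="\n  ")
```

Run as written, the clean US vendor produces no findings, while the two Panama vendors are tied together by the shared address and each picks up its own mismatches (a UK phone number and a Gulf bank account on one; payments routed to a differently named payee and no web presence at all on the other). None of these flags is proof of wrongdoing; they are the items to hand to a due diligence provider for the public records and network mapping steps.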

Three Key Takeaways 

  1. Do you have a mechanism to review your own vendors and agents for shell companies?
  2. Do not forget the open source tools available to you.
  3. Review your previously approved third parties in light of the Panama Papers.
Jan 18, 2017

In this episode Matt Kelly and I take a deep dive into a couple of recent SEC enforcement actions. The first involved L-3 Technologies and accounting irregularities. The second involves BlackRock and the continued issues around pre-taliation. We connect these enforcement actions to broader issues involving the COSO 2013 Framework, the DOJ mandated expertise in compliance, a speak-up culture and remedial actions. For additional information, check out Matt's blog posts on these topics:

  1. Lessons Galore in New SEC Internal Controls Case; and
  2. SEC Dings BlackRock for Pre-Taliation Clauses.
Jan 17, 2017

Many compliance practitioners ask how to set up a data analysis program and how to use it to monitor a compliance program. Here I draw on Joe Oringel, co-founder of Visual Risk IQ, and the firm's five-step process for any analytics project. The steps are: (1) Brainstorming, (2) Acquire and Map Data, (3) Write Queries, (4) Analyze and Report, and (5) Refine and Sustain.

Step 1 - Brainstorming

It all begins with Step 1, brainstorming. Any data analysis project in a compliance setting, or any business context, begins by picking the business questions to answer with data. So in an initial meeting, you could ask one or more of the following opening questions: What do we expect to find if we do a detailed review of this data? What policies should have been followed? What would a mistake or even fraud look like? The data to be reviewed could be expense reports, accounts payable invoices, or sales contracts. The key to successful brainstorming is to identify the questions you want to ask and answer, and then identify the digital data sources that can best answer these questions. This process should be iterative, with questions being refined based on the available sources of digital data.

Step 2 - Acquire and Map the Data

Acquiring and mapping data can be a technical step, but most modern software can create files that can be easily read by basic data analysis software, such as Microsoft Excel, as well as more advanced tools. Mapping data is simply identifying, naming, and categorizing the data fields (e.g. text, dates, numbers) so that the software tool can best interpret the data for analysis. Once the data is loaded into the analysis tool, control totals should be compared to source systems for completeness and accuracy. Oringel recommends comparing record counts, grand totals, and even selected balances for a sample of records to make sure that nothing was lost in translation into the data analysis tool.

Step 3 - Writing the Queries

While writing queries surely sounds technical, it can be quite simple. Sorting data from oldest to newest or biggest to smallest is often only a few clicks of the mouse. Once sorted by several different columns, business insights can be quick. Writing queries is simply writing the business questions you laid out in the brainstorming session, and using software in a way that makes it easy to understand the answers.

Step 4 - Analyze and Report Results

You should summarize the results of the data analysis in visual form, for example using color, size, and position in a graph, so that the compliance practitioner can quickly see what has happened, judge whether the picture supports a conclusion that a transaction was or was not compliant, and, where required, see the action step that follows.

Step 5 - Refine and Sustain

That brings us to Step 5, which Oringel identified as refine and sustain. Part of this step is fixing the root cause of any problem identified through data analysis. I certainly believe one of the key functions for any compliance practitioner, and one of the first things you should do, is to make sure that violations of your policies and procedures do not progress to the stage of illegal conduct.
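To make Steps 2 through 4 concrete, here is an added example (not code from the original post or from Visual Risk IQ) that walks an accounts payable extract through acquire-and-map, the control total reconciliation Oringel recommends, and three of the queries a brainstorming session on bribery risk typically produces. The CSV text, the "source system" control totals, the USD 10,000 approval threshold and the high-risk country list are all constructed assumptions; a real run would read the ERP export and take the control totals from the ERP's own report for the period.

```python
"""Five-step analytics walk-through over an accounts payable extract.

The CSV text, source-system control totals, approval threshold and high-risk
country list below are constructed for illustration only.
"""
import csv
import io
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Step 2 input: an AP extract as an ERP might export it (constructed).
AP_EXTRACT = """invoice_id,vendor,country,invoice_date,amount_usd,description
INV-1001,Acme Industrial Supply,US,2016-09-03,4825.17,Valves and fittings
INV-1002,Meridian Consulting SA,PA,2016-09-05,9500.00,Consulting fees
INV-1003,Meridian Consulting SA,PA,2016-09-05,9800.00,Consulting fees
INV-1004,Meridian Consulting SA,PA,2016-09-05,9900.00,Customs facilitation
INV-1005,Northline Logistics,US,2016-09-08,1270.40,Freight
INV-1006,Isthmus Advisory Ltd,PA,2016-09-12,25000.00,Market entry support
INV-1007,Northline Logistics,US,2016-09-14,845.10,Freight
"""

# Control totals the source system reports for the same period (constructed).
SOURCE_CONTROL_TOTALS = {"record_count": 7, "grand_total": Decimal("61140.67")}

APPROVAL_THRESHOLD = Decimal("10000")   # assumption: single-signature approval limit
HIGH_RISK_COUNTRIES = {"PA"}            # assumption: taken from the risk assessment


def acquire_and_map(text):
    """Step 2: parse the extract and map every field to a proper type.
    Decimal, not float, so that control totals reconcile to the cent."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "invoice_id": r["invoice_id"],
            "vendor": r["vendor"],
            "country": r["country"],
            "invoice_date": date.fromisoformat(r["invoice_date"]),
            "amount": Decimal(r["amount_usd"]),
            "description": r["description"],
        })
    return rows


def control_totals(rows):
    return {"record_count": len(rows), "grand_total": sum(r["amount"] for r in rows)}


def reconcile(rows, source):
    """Compare record count and grand total with the source system; return the
    names of any totals that disagree (empty list means the load is complete)."""
    got = control_totals(rows)
    return [k for k in source if got[k] != source[k]]


def query_round_amounts(rows):
    """Step 3: invoices in whole thousands, a classic item for a second look."""
    return [r["invoice_id"] for r in rows if r["amount"] % 1000 == 0]


def query_split_payments(rows, threshold=APPROVAL_THRESHOLD):
    """Step 3: several invoices to one vendor on one day that each sit under the
    approval limit but together exceed it (possible structuring around a control)."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["vendor"], r["invoice_date"])].append(r)
    hits = []
    for (vendor, day), inv in groups.items():
        total = sum(r["amount"] for r in inv)
        if len(inv) > 1 and total > threshold and all(r["amount"] < threshold for r in inv):
            hits.append({"vendor": vendor, "date": day,
                         "invoices": [r["invoice_id"] for r in inv], "total": total})
    return hits


def query_high_risk_spend(rows, countries=HIGH_RISK_COUNTRIES):
    """Step 3: total spend per vendor in high-risk jurisdictions."""
    spend = defaultdict(Decimal)
    for r in rows:
        if r["country"] in countries:
            spend[r["vendor"]] += r["amount"]
    return dict(spend)


def analyze(text=AP_EXTRACT, source=SOURCE_CONTROL_TOTALS):
    """Step 4: reconcile first, then run the queries and return one report dict."""
    rows = acquire_and_map(text)
    gaps = reconcile(rows, source)
    if gaps:
        raise ValueError(f"extract does not reconcile to source on {gaps}; fix the load before querying")
    return {
        "round_amounts": query_round_amounts(rows),
        "split_payments": query_split_payments(rows),
        "high_risk_spend": query_high_risk_spend(rows),
    }


if __name__ == "__main__":
    for name, result in analyze().items():
        print(f"{name}: {result}")
```

The order matters: `analyze` refuses to run the queries until the record count and grand total match the source system, because a query over an incomplete extract produces confident-looking but wrong answers. On the constructed data it surfaces the three same-day invoices to one Panamanian consultant that together clear the approval limit, the one round USD 25,000 payment described as "market entry support", and the concentration of spend in the high-risk country, which is exactly the visual Step 4 would chart and Step 5 would follow up on.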

Three Key Takeaways

  1. What information do you want to look at?
  2. Once you analyze it, you must take appropriate remedial steps.
  3. Data analysis is a continuous feedback loop.

For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here.

Jan 17, 2017

In this episode, I visit with Matt Ellis, a partner at Miller & Chevalier. Ellis has recently published his first book, The FCPA in Latin America. Ellis discusses why he wrote the book, some of the key issues around FCPA compliance in Latin America, and debunks the myth that Latin Americans desire bribery and corruption in their business dealings.

Jan 16, 2017

What if you want to take your post-training analysis to a higher level and consider effectiveness through return on investment (ROI)? Joel Smith, the founder of Inhouse Owl, a training services provider, advocates performing an assessment of ethics and compliance training ROI so that a compliance professional can not only show the benefits of putting money and resources into training but also learn more about what employees are actually getting out of it (effectiveness). The goal is a measurable system that identifies the benefits of training, such as avoiding a non-compliance event like an FCPA violation. Smith admits that calculating legal ROI is very difficult, as ethical and compliant behavior is an end goal in and of itself, and not one that everyone feels should be subject to an ROI calculation.

Smith noted, “it is extremely difficult to isolate the training effect to calculate what costs you avoided due solely to your ethics and compliance training. Although each organization will have a unique ROI measurement due to unique training objectives, it is possible to use a general formula to calculate ethics and compliance training ROI.” 

Smith’s model uses four factors to help determine the ROI for your ethics and compliance training, which are: (1) Engagement, (2) Learning, (3) Application and Implementation, and (4) Business Impact. These four factors are answered through posing the following questions. 

  1. Figure out what you want to measure (i.e. what is the "benefit"?). Before you ever train an employee, you should have a goal in mind. For the FCPA, you want employees to avoid the unethical and non-compliant actions that would lead to FCPA violations.
  2. Were employees satisfied with the training? What was their engagement? The next step is to get a sense of whether employees feel the training you provided is relevant and targeted to their job.
  3. Did employees actually learn anything? If you want to understand the "benefit" of training employees, you must know whether they actually learned anything during the training.
  4. Are employees applying your training? Assess application and implementation of the training topics with employee surveys, to learn whether they have ceased engaging in certain risky behaviors or, better yet, now understand how to conduct themselves in certain risky situations.
  5. What is the quantitative business impact of your training? There are two parts to the business impact calculation: (1) the benefit calculation and (2) the isolation calculation. Determine these with the following five questions:
     1. How often could a noncompliance event occur?
     2. How much revenue would be involved?
     3. What is the profit margin on that revenue?
     4. What are the other costs?
     5. What are the noncompliance hard costs?

Now it is time to calculate the ROI. Here I turn to the formula as laid out on Smith's company website: "(Total FCPA Noncompliance Costs Avoided − Total FCPA Training Program Costs) ÷ Total FCPA Training Program Costs ($20,000 in Smith's example) × 100 = ROI". Smith concludes by noting, "Even though calculating training benefits is often difficult and imprecise, it's incredibly important to make an attempt to quantify training ROI" to demonstrate not only effectiveness but also "so you can show business people the incredible effect that engaging training can have on the bottom line."

The importance of determining effectiveness and the evaluation of your ethics and compliance program is becoming something that is emphasized more by the Department of Justice (DOJ). Beginning last fall, we started to hear that the DOJ wants to see the effectiveness of your compliance program. This is something that many Chief Compliance Officers (CCOs) and compliance professionals struggle to determine. Both the simple guidelines suggested by the Biegelmans and the more robust assessment and calculation laid out by Smith provide you with formulae you can use going forward. 

Three Key Takeaways

  1. You need to know the effectiveness of your compliance training.
  2. What is the quantitative business impact of your compliance training?
  3. What is the qualitative business impact of your compliance training?

For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here.

Jan 15, 2017

For compliance training to be effective it needs to be risk-based in its focus. This means the employees with the highest risk of exposure to bribery and corruption need to receive the highest levels of training and the most frequent refreshers. From there you can tailor your training down to an appropriate level for those less at risk.

The risk ranking of employees is usually considered in a tripartite structure of (1) high risk, (2) medium risk and (3) low risk. High-risk employees are those whose roles can significantly impact the company. Medium-risk employees are those who face the risk on a regular basis or who present a moderate level of negative impact to the company if they mishandle it. Low-risk employees are those with a low likelihood of facing the risk at all. Through the risk ranking process you have internalized the admonition that one size does not fit all in deciding the content and intensity of training for each role or individual. You should now be ready to design your compliance training.

The first step is to define what you are trying to achieve with your compliance training. This certainly means more than 'check-the-box' training; it means putting significant time and thought into the design so that it fits the targeted group of employees who will receive it. Your compliance training can and should have several business-related goals in addition to the specifics of anti-bribery laws such as the FCPA. These include identifying the business objectives of engaging in commerce in a legally compliant manner, managing the threats faced by employees you have identified as high risk, and the business opportunities afforded by having compliance systems sufficient to prevent bribery and corruption. You can present tangible business benefits if you address these issues in a positive manner. Finally, such focused training should help protect integrity and the company's reputation by strengthening your business culture and ethical conduct.

You are now ready to design your compliance training, with the above goals in mind. You should include the development of curriculum using a risk-based model and set uniform methods for acquiring content, maintaining records and reporting. This should be followed by the establishment of standards for selecting appropriate content, delivery methods, frequency, and assurance based on risk exposure. You can review any technological solutions for both e-learning delivery and documentation. Lastly, you will need to consider training content revision when requirements or risk analyses change.

 After the design of the training program, the next level is to design the specific training courses. Here you should establish your learning objectives and map the training to legal and competency requirements. You must always remember who your audience is and what their characteristics might be. For the high-risk employee, you will need focused training so that they will be able to act with confidence in a wide range of scenarios and conditions based on a strong understanding of the risks, requirements and penalties. For the medium risk employee, compliance training should include scenarios so that they know the risks, requirements and penalties and should be able to apply their knowledge to common scenarios using standards and tools given to them. For the low risk employee, they should be made aware of the risks, requirements and penalties as well as your entity’s expectations about how to address it. They should know relevant policies and procedures and where to get assistance in addressing a risk or making a behavior decision.

Now you need to determine the most appropriate mechanism to deliver the content of your compliance training. You can use a variety of methods for each of the risk-based rankings you designed. Compliance training for high-risk employees should be repeated frequently using several methods of delivery, and can include ongoing risk profiling of individuals through assessment of their behavior choices in online courses or live simulation exercises. You should also measure the effectiveness of training for this group through testing and certification. For medium-risk employees, compliance training should have enough content to make them proficient in the subject, be refreshed periodically, use a mix of live and online delivery, and include a way to demonstrate evidence of understanding. The content required for low-risk employees can be delivered largely through online training; here too you will need to make sure the material is reviewed and updated on an as-needed basis.

Three Key Takeaways 

  1. Identify your goals.
  2. Risk rank your target audiences and risk base your training.
  3. Develop multiple forms of training delivery mechanisms.

For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here.
