FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.
Jan 22, 2018

Today I visit with James Shields, the Creative Director for Twist and Shout Communications, a UK company which creates training videos using comedy as the touchstone. You can check out a selection of the company’s offerings on its site, Tuesday’s with Bernie. I visit with Shields about the creative process his company uses and how comedy can translate across a wide variety of cultures and languages to be an effective training tool. The company has found that comedy generates a visceral reaction, a reaction based on feeling rather than intellect. Because of this reaction, employees are more interested and more engaged in compliance training, all of which makes it more effective.

The company believes that both culture and behavioral change is an emotional process, not just ‘training’, and internal communication done properly can change a culture. Whether the subject is as dull as anti-corruption compliance or as fundamental as transformational change in the business, comedy will make employees sit up and take notice. They believe that by focusing on humor, the training will help break down both the individual training against compliance training as well as work to strengthen the overall corporate culture.

But more than simply stand-alone videos, the company sees compliance training as a process. From the creative side the process includes an integrated story line which will engage employees, third parties and other relevant stakeholders. Shields also believes that putting comedy into context is important – the audience needs to relate to what they are seeing on screen so the environment and characters should feel familiar. That is when the message feels authentic and resonates much more strongly.

Finally, Shields and the company have put together an entire training campaign structure. Why don’t you think about your training like you would a movie or other marketing campaign? They lay it out in a white paper entitled “Engaging the YouTube Generation,” which you should definitely check out.

Jan 21, 2018

Hallmark Nine of the Ten Hallmarks of an Effective Compliance Program, as articulated in the 2012 FCPA Guidance, stated, “Finally, a good compliance program should constantly evolve.” This insight was carried forward in the Department of Justice’s 2017 Evaluation of Corporate Compliance Programs, which listed three types of continuous improvement: (1) internal audit, (2) control testing, and (3) evolving updates; each category was further refined with multiple attendant questions.

Internal Audit: What types of audits would have identified issues relevant to the misconduct? Did those audits occur and what were the findings? What types of relevant audit findings and remediation progress have been reported to management and the board on a regular basis? How have management and the board followed up? How often has internal audit generally conducted assessments in high-risk areas?

Control Testing: Has the company reviewed and audited its compliance program in the area relating to the misconduct, including testing of relevant controls, collection and analysis of compliance data, and interviews of employees and third-parties? How are the results reported and action items tracked? What control testing has the company generally undertaken?

Evolving Updates: How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries?

Continuous improvement requires that you not only audit but also monitor whether employees are staying with the compliance program. In addition to the language set out in the 2012 FCPA Guidance, two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.

One tool that is extremely useful in the continuous improvement cycle, yet is often misused or misunderstood, is ongoing monitoring. This can come from the confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information.

Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. Although unique in protocol, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue.

Continuous improvement through continuous monitoring or other techniques will help keep your compliance program abreast of any changes in your business model’s compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance program is in many ways a continuously evolving organism, just as your company is. 

Three Key Takeaways

  1. Your compliance program should be continually evolving.
  2. Monitoring and auditing are different, yet complementary tools for continuous improvement.
  3. DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. 

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.

Jan 20, 2018

There is nothing like an internal whistleblower report about a FCPA violation, the finding of such an issue or (even worse) a subpoena from the DOJ to trigger the Board of Directors and senior management attention to the compliance function and the company’s compliance program. Such an event can trigger much gnashing of teeth and expressions of outrage followed immediately by proclamations “We are an ethical company.” However, it may well be the time for a very serious reality check.

The DOJ Evaluation of Corporate Compliance Programs focuses on this question in Prong 7 under the heading Response to Investigations: What has been the process for responding to investigative findings? You may find yourself in the position that you will have to have some very frank discussions about what to expect in terms of costs and time outlays. While much of these discussions will focus on the investigative process and those costs, these discussions will allow you to initiate the talk about remediation going forward and begin to explain why money must be budgeted for the remediation process.

One of the things rarely considered is how the investigation triggers the remediation process and what the relationship is between the two. When issues arise warranting an investigation that would rise to the Board of Directors level and potentially require disclosure to the government, there is usually a flurry of attention and activity. Everyone wants to know what is going on. Russ Berland, the Chief Compliance Officer at Dematic Inc., has noted, “for that short moment in time, you have everyone’s full attention.” Yet it can still be “a tricky place, because you get your fifteen minutes to really get everyone’s full attention, and from then on, you’re fighting with everybody else for their attention, like the normal things in business life.”

You need to explain the costs to the Board and senior management. The bottom line is that your return on investment here is going to be very high if you put the resources into remediation and do this well. This is easier with the information that was provided in the 2017 FCPA Corporate Enforcement Policy, as it demonstrated how much discount a company can receive below the minimum range of the US Sentencing Guidelines for remediation.

Dan Chapman, former CCO at Parker Drilling and Cameron International, also believes that costs must be adequately discussed to set proper expectations. These include both direct and, even more importantly, indirect costs to the company. He noted that “the biggest cost to a company during an investigation is the diversion of management resources” and, as he further explained, “everything stops to focus on the investigation.” This indirect cost comes largely through the time commitment of senior management, because “if senior management has to commit 20% of their time, that’s 20% that’s not going towards revenue generating, shareholder value protecting activities.”

You can explain the upside of compliance and do that in a manner that juxtaposes the cost. Chapman said you could mention things such as, “If you have clear policies and people know what to do, think how much easier your life would be. Instead of having to make calls and figure it out on your own every single time, you had clear policy.” The same types of arguments come into play in areas generally considered the purview of Human Resources (HR), i.e. recruiting and retention.

While there will be a desire by some folks to not give out any information about the investigation until it is completed and there is a final report, you must resist this at all costs. If the results of the investigation are not made available to you as the CCO or the compliance professional charged with remediating the compliance program, any such remediation will be extremely difficult, because, “you’re just going off suppositions and guesses.”

He advocates there be a solid line of communication between the people who are doing the investigation and the people who are leading the remediation. Otherwise, you can only begin your remediation in the most general terms and you will not be able to deal with specific gaps in your compliance program or risks that need to be managed.

Such an approach can also be a recipe for disaster. First, and foremost, the DOJ will not give you credit and you may lose the types of benefits articulated in the 2017 FCPA Corporate Enforcement Policy. Moreover, the executive attention will have dissipated, or, as Berland notes, “When you’ve got the energy, use it.”

Three Key Takeaways

  1. A serious FCPA allegation gets the attention of the Board and senior management. Use this time to move the compliance program forward.
  2. Be aware of how your investigation can impact and even inform your remediation efforts.
  3. How do you deal with the dreaded ‘where else’ question?


Jan 19, 2018

Focusing on investigations, Prong 7 of the Evaluation stated, under Properly Scoped Investigation by Qualified Personnel: How has the company ensured that the investigations have been properly scoped, and were independent, objective, appropriately conducted, and properly documented? Moreover, with the advent of the SEC Whistleblower Program, courtesy of Dodd-Frank, it is imperative that a company quickly and efficiently investigate all hotline reports. This means you need an investigation protocol in place so that the entire compliance function is on the same page and knows what to do.

Your company should have a detailed written procedure for handling any complaint or allegation of bribery or corruption, regardless of the means through which it is communicated. The mechanism could include the internal company hot-line, anonymous tips, or a report directly from the business unit involved. You can make the decision on whether or not to investigate with consultation with other groups such as the Audit Committee of the Board of Directors or the Legal Department. The head of the business unit in which the claim arose may also be notified that an allegation has been made and that the Compliance Department will be handling the matter on a go-forward basis. Through the use of such a detailed written procedure, you can work to ensure there is complete transparency on the rights and obligations of all parties, once an allegation is made. This allows the Compliance Department to have not only the flexibility but also the responsibility to deal with such matters, from which it can best assess and then decide on how to manage the matter.

Indeed, the SEC considers a variety of factors around giving credit to corporate investigations including: Did management, the board or committees consisting solely of outside directors oversee the review? Did company employees or outside persons perform the review? If outside persons, have they done other work for the company? If the review was conducted by outside counsel, had management previously engaged such counsel? How long ago was the firm’s last representation of the company? How often has the law firm represented the company? How much in legal fees has the company paid the firm?

In a presentation by Jay Martin, Vice President, Chief Compliance Officer (CCO) and the Senior Deputy Counsel for Baker Hughes Incorporated and Jacki Trevino, Senior Consultant, Advisory Services at SAI Global entitled, “FCPA Compliance Best Practices: Success Stories of Robust and Effective Anti-Corruption Compliance Programs in High Risk Markets” they discussed the specifics of an investigation protocol.

Step 1: Opening and Categorizing the Case. The first step is to categorize a compliance violation. You should notify the relevant individuals, including those on your investigation team and any senior management members under your notification protocols. Step 1 should be accomplished in one to three days after the allegation comes into compliance.

Step 2: Planning the Investigation. After assembling your investigation team, determine the required investigation tasks. These would include document review and interviews. If hard drives need to be copied or documents put on hold or sequestered in any way, this should also be planned out at this time. Step 2 should be accomplished within another one to three days.

Step 3: Executing the Investigation Plan. Under this step, the investigation should be completed. Step 3 should be accomplished in one to two weeks.

Step 4: Determining Appropriate Follow-Up. At this step, the preliminary investigation should be completed and you are ready to move into the final phases. This group would decide on the appropriate disciplinary steps or other actions to take. Step 4 should be completed in one day to one week.

Step 5: Closing the Case. Under this final step, communicate the investigation results to the stakeholders and complete the case report.   

Three Key Takeaways

  1. A written protocol, created before an investigation, is a key starting point.
  2. Create specific steps to follow so there will be full transparency and documentation going forward.
  3. Consistency in approach is critical.


Jan 18, 2018

The call, email or tip comes into your office; an employee reports suspicious activity somewhere across the globe. That activity might well turn into a FCPA issue for your company. As the CCO, it will be up to you to begin the process which will determine, in many instances, how the company will respond going forward.

Internal Reporting

The 2012 FCPA Guidance had as clear, concise and short a statement about hotlines as any other requirement found in Ten Hallmarks of an Effective Compliance Program. It stated, “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.”

The Evaluation reinforced this language with the following found under Prong 7, Confidential Reporting and Investigation, Effectiveness of the Reporting Mechanism: How has the company collected, analyzed, and used information from its reporting mechanisms? How has the company assessed the seriousness of the allegations it received? Has the compliance function had full access to reporting and investigative information?

But more than simply hotlines, companies have to make real efforts to listen to employees. But you must spend time working on this issue. You need to have managers who are trained on how to handle employee concerns; they must be incentivized to take on this compliance responsibility and you must devote communications resources to reinforcing the company’s culture and values to create an environment and expectation that managers will raise employee concerns.

What are some of the best practices for a hotline? I would suggest that you start with at least the following:

  1. Availability - your reporting mechanism can be easily accessed by your entire employee base. This may require more than one tool, such as telephone report, internet reporting and other mechanisms.
  2. Anonymity - there must be a manner to make reports anonymously if the reporter so desires.
  3. Escalation - you must have a protocol or mechanism to take any reports up the chain if they warrant being heightened within the organization.
  4. Follow-Up - there must be a sufficient follow-up protocol to make sure any reported event is receiving the warranted attention. There should also be a way to keep the incident reporter informed as to the progress of the matter within your investigative protocol.
  5. Oversight - there should be levels of review within your organization on reports which come into your organization. This would include senior compliance department staff, senior company management and up to the Board of Directors.

In the area of internal company investigations, if your employees do not believe that the investigation is fair and impartial, then it is not fair and impartial. Furthermore, those involved must have confidence that any internal investigation is treated seriously and objectively. One of the key reasons that employees will go outside of a company’s internal hotline process is because they do not believe that the process will be fair.

Triaging Claims

Given the number of ways that information about violations or potential violations can be communicated to the government regulators, having a robust triage system is an important way that a company can separate the wheat from the chaff and bring the right number of resources to bear on a compliance problem. One of the things this is important for is making an initial determination of whether to bring in outside counsel to head up an investigation. It is also important in a determination of the resources that you may want or need to commit to a problem. You literally need to “kick the tires” of any allegations or information so that you know the circumstances in front of you before you make the decision going forward. You can do this through a robust triage process.

Jonathan Marks, a partner at Marcum LLP, has articulated a five-stage triage process which allows for not only an early assessment of any allegations but also a manner to think through your investigative approach. Marks cautions you must have an experienced investigator or other seasoned professional making these determinations, if not a more well-rounded group or committee. Next, what will be the types of evidence you will need to consider going forward. Finally, before selecting a triage solution you should understand what tools are available, including both forensic and human, to complete the investigation.

Three Key Takeaways

  1. The DOJ and SEC put special emphasis on internal reporting lines.
  2. Test your hotline on a regular basis to make sure it is working.
  3. Have an investigation protocol in place before the call comes in so you will be ready to go and not required to scramble to create a protocol.

Having both a robust internal reporting system and triage of such reports is critical in a best practices compliance program. 


Jan 17, 2018

In this episode Matt Kelly and I take a deep dive into a fascinating paper from Harvard Business School. Boris Groysberg and George Serafeim worked with a global recruitment firm to study more than 2,000 executive-level job placements from 2004 to 2011, examining a wide range of job placements and pay data since 2004. They found that the stigma of listing a discredited company on your resume, even if you had nothing to do with the misconduct there, leads recruiters at your next employer to pay you less.

Some of the numbers Groysberg and Serafeim calculated:

  • Overall, executives with a restatement in their past received a salary 4.6 percent lower than those without one;
  • Executives with a restatement in their recent past saw an even larger discount: 5.6 percent; and the professors defined “recently” as within the last nine years;
  • Executives specifically in the finance function saw a 9.9 percent discount compared to others without a tainted work history.

We consider the long-term salary effects by reference to tables put together by Matt which show how such an initial reduction would impact your overall compensation on a 15-year basis.

It’s not news that listing a tainted employer on your LinkedIn profile can harm your career. This study, however, is one of the first that tries to quantify exactly how much that “stigma effect” can harm your salary career on a go-forward and long-term basis. It is yet another way to convince senior executives and other colleagues that a strong compliance program matters: misconduct at the company can trim the salary offer those people might get at their next job — by 4.6 percent or more, apparently. executive’s career in dollar terms.

For more on the topic see Matt Kelly’s blog post The Salary Penalty for Misconduct

For more reading, see the article by Serafeim and Groysberg, Does Financial Misconduct Affect the Future Compensation of Alumni Managers?

Jan 17, 2018

The building blocks of any compliance program lay the foundations for a best practices compliance program. For instance, in the lifecycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, the issue of third party management becomes more important. It is also the one where the rubber meets the road of operationalizing compliance. It is also an area the DOJ specifically articulated in Evaluation that companies need to consider.

An article by Mark Trowbridge in an issue of Supply Chain Management Review, entitled “Put it in Writing: Sharpening Contracts Management to Reduce Risk and Boost Supply Chain Performance”, provided useful insights into the management of the third party relationship. While the focus of the article was having a strategic approach to contracts management, the author’s “five ways to start professionalizing your approach to outsourcing contracts” provide an excellent manner to consider steps in the management of third party relationships. To achieve these goals, I have revised Trowbridge’s prescriptions from suppliers to third parties.

Consolidate Third Parties but Retain Redundancy - It is incumbent to consolidate your third-party relationships to a smaller number to “yield better cost leverage.” From the compliance perspective, it also should make the entire third-party lifecycle easier to manage, particularly steps 1-4.

Keep Tabs on Subcontracted Work - If your direct contracting party has the right or will need to subcontract some work out, you need to have visibility into this from the compliance perspective. You will need to require and monitor that your direct third-party relationship has your approved compliance terms and conditions in their contracts with their subcontractors.

Make Sure Your Company is Legally Protected - This is where your compliance terms and conditions will come into play. One of the things that I advocate is a full indemnity if your third party violates the FCPA and your company is dragged into an investigation because of the third party’s actions. Such an indemnity may not be worth too much but if you do not have one, there will be no chance to recoup any of your legal or investigative costs. Another important clause is that any FCPA violation is a material breach of contract.

Keep Track of Your Third Parties’ Financial Stability - This is one area that is not usually discussed in the compliance arena around third parties but it seems almost self-evident. You can certainly imagine the disruption that could occur if your prime third-party supplier in a country or region went bankrupt; but in the compliance realm there is another untoward red flag that is raised in such circumstances.

Formalize Incentives for Third Party Performance - One of the key elements for any third-party contract is the compensation issue. If the commission rate is too high, it could create a very large pool of money that could be used to pay bribes. It is mandatory that your company link any commission or payment to the performance of the third party. If you have a long-term stable relationship with a third party, you can tie compensation into long-term performance, specifically including long-term compliance performance. This requires the third party to put skin into the compliance game so that they have a vested, financial interest in getting things done in compliance.

Auditing Third Parties - Auditing of third parties is critical to any best practices compliance program and an important tool in operationalizing your compliance program. This is a key manner in which a company can manage the third-party relationship after the contract is signed and one which the government will expect you to engage in going forward.

Managing your third parties is where the rubber meets the road in your overall third-party risk management program. You must execute on this task. Even if you successfully navigate the first four steps in your third-party risk management program, those are in reality the easy steps. Managing the relationship is where the real work begins.

Three Key Takeaways

  1. Have a strategic approach to third party risk management.
  2. Rank third parties based upon a variety of factors including compliance and business performance, length of relationship, benchmarking metrics and KPIs for ongoing monitoring and auditing.
  3. Managing the relationship is where the real work begins.

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.

Jan 16, 2018

As every compliance practitioner is well aware, third parties still present the highest risk under the Foreign Corrupt Practices Act (FCPA). The Department of Justice Evaluation of Corporate Compliance Programs devotes an entire prong to third party management. It begins with the following:

Risk-Based and Integrated Processes – How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes?

Appropriate Controls – What was the business rationale for the use of the third parties in question? What mechanisms have existed to ensure that the contract terms specifically described the services to be performed, that the payment terms are appropriate, that the described contractual work is performed, and that compensation is commensurate with the services rendered?

This first set of queries clearly specifies that the DOJ expects an integrated approach that is operationalized throughout the company. This means your compliance program must have a process for the full life cycle of third party risk management. There are five steps in the life cycle of third party risk management, which will fulfill the DOJ requirements laid out in the 10 Hallmarks of an Effective Compliance Program and the Evaluation.

  1. Business Justification and Business Sponsor;
  2. Questionnaire to Third Party;
  3. Due Diligence on Third Party;
  4. Compliance Terms and Conditions, including payment terms; and
  5. Management and Oversight of Third Parties After Contract Signing. 

Step 1 - Business Justification

The first step breaks down into two parts: 

  1. Business Sponsor
  2. Business Justification 

The purpose of the Business Justification is to document the satisfactoriness of the business case to retain a third party. The Business Justification should be included in the compliance review file assembled on every third party at the time of initial certification and again if the third-party relationship is renewed. It is mandatory this document be filled out and completed by the Business Sponsor, who will be the primary contact with the third party for the life of the business relationship.

Step 2 - Questionnaire

The term ‘questionnaire’ is mentioned several times in the 2012 FCPA Guidance. It is generally recognized as one of the tools that a company should complete in its investigation to better understand with whom it is doing business. I believe that this requirement is not only a key step but also a mandatory step for any third party that desires to do work with your company. I tell clients that if a third party does not want to fill out the questionnaire or will not fill it out completely that you should not walk but run away from doing business with such a party. 

One thing that you should keep in mind is that you will likely have pushback from your business team in making many of the inquiries listed above. However, my experience is that most proposed agents that have done business with US or UK companies have already gone through this process. Indeed, they understand that by providing this information on a timely basis, they can set themselves apart as more attractive to US businesses. 

Step 3 - Due Diligence

Most compliance practitioners understand the need for a robust due diligence program to investigate third parties, but have struggled with how to create an inventory to define the basis of risk of each foreign business partner and thereby perform the requisite due diligence. Getting your arms around due diligence can sometimes seem bewildering for the compliance practitioner.

The purpose is to encourage businesses to put in place due diligence procedures that adequately inform the application of proportionate measures designed to prevent persons associated with a company from engaging in bribery and corruption on their behalf. Due diligence acts both as a procedure for anti-bribery risk assessment and as a risk mitigation technique. Further, both operate as compliance internal controls.

After you have completed Steps 1-3, then evaluated and documented your evaluation, you are ready to move on to Step 4 - the contract. In the area of compliance terms and conditions, the FCPA Guidance intones “Additional considerations include payment terms and how those payment terms compare to typical terms in that industry and country, as well as the timing of the third party’s introduction to the business.” This means that you need to understand what the rate of commission is and whether it is reasonable for the services delivered. If the rate is too high, this could be indicia of corruption as high commission rates can create a pool of money to be used to pay bribes. If your company uses a distributor model in its sales side, then it needs to review the discount rates it provides to its distributors to ascertain that the discount rate is warranted.

Step 4 - The Contract

You must evaluate the information and show that you have used it in your process. If it is incomplete, it must be completed. If Red Flags have appeared, these Red Flags must be cleared or you must demonstrate how you will manage the risks identified. In other words, you must Document, Document and Document that you have read, synthesized and evaluated the information garnered in Steps 1-3. As the DOJ and SEC continually remind us, a compliance program must be a living, evolving system and not simply a ‘Check-the-Box’ exercise.

Step 5 - Management of the Relationship

The Evaluation specified the importance of this final step when it stated: Management of Relationships – How has the company considered and analyzed the third party’s incentive model against compliance risks? How has the company monitored the third parties in question? How has the company trained the relationship managers about what the compliance risks are and how to manage them? How has the company incentivized compliance and ethical behavior by third parties?

I often say that after you complete Steps 1-4 in the life cycle management of a third party, the real work begins and that work is found in Step 5 – the Management of the Relationship. While the work done in Steps 1-4 is absolutely critical, if you do not manage the relationship it can all go downhill very quickly and you might find yourself with a potential FCPA or UK Bribery Act violation. There are several different ways that you should manage your post-contract relationship. The Evaluation clearly is focused on several key components that you need to evaluate and then re-evaluate during the pendency of the relationship. Incentivizing through compensation issues, training and ongoing monitoring through oversight and auditing are all key tools that the DOJ expects you to use going forward after the contract is signed. The bottom line is that all the work you have done in Steps 1-4 will not be for naught and that you will have a compliant anti-corruption relationship with your third party going forward.

Final Thoughts 

I continually give my mantra of compliance, which is Document, Document, and Document. Each of the steps you take in the management of your third parties must be documented. Not only must they be documented but they must be stored and managed in a manner that you can retrieve them with relative ease. The management of third parties is absolutely critical in any best practices compliance program. As you sit at your desk pondering whether this assignment given to you by the CCO is a career-ending dead-end; you should take heart because there is clear and substantive guidance out there which you can draw upon. 

Three Key Takeaways 

  1. Use the full 5-step process for 3rd party management.
  2. Make sure you have BD involvement and buy-in.
  3. Operationalize all steps going forward by including business unit representatives. 

Jan 15, 2018

After you complete your risk assessment, you must then translate it into a risk profile, as Rick Messick has noted, to estimate where bribery is likely to occur, so prevention efforts will be properly targeted. Ben Locwin explained, in “Quality Risk Assessment and Management Strategies for Biopharmaceutical Companies”, “Once we have assessed risks and determined a process that includes options to resolve and manage those risks whenever appropriate, then we can decide the level of resources with which to prioritize them. There always will be latent risks: those that we understand are there but that we cannot chase forever. But we need to make sure we have classified them correctly. With a good understanding of each of these, we are in a better position to speak about the quality of our businesses.” This makes the evaluation of your risk assessment a key element in your compliance regime.

William C. Athanas, in an article entitled “Rethinking FCPA Compliance Strategies in a New Era of Enforcement”, posited that companies assume that Foreign Corrupt Practices Act (FCPA) violations follow a “bell-curve distribution, where the majority of employees are responsible for the majority of violations.” However, Athanas believed that the distribution pattern more closely follows a “hockey-stick distribution, where a select few…commit virtually all violations.” Athanas concludes by noting that it is this limited group of employees, or what he terms the “shaft of the hockey-stick”, to which a company should devote the majority of its compliance resources. With a proper risk assessment, a company can then focus its compliance efforts such as “intensive training sessions or focused analysis of key financial transactions -- on those individuals with the opportunity and potential inclination to violate the statute.” This focus will provide companies the greatest “financial value and practical worth of compliance efforts.”

David Lawler, in “Frequently Asked Questions in Anti-Bribery and Corruption”, suggested that you combine the scores or analysis you obtained from the corruption markers you review; whether it is the Department of Justice (DOJ) list or those markers under the UK Bribery Act. From there, create a “rudimentary risk-scoring system that ranks the things to review using risk indicators of potential bribery. This ensures that high-risk exposures are done first and/or given more time. As with all populations of this type, there is likely to be a normal or ‘bell curve’ distribution of risks around the mean. So 10-15% of exposure falls into the relative low-risk category; the vast majority 70-80% into the moderate-risk category; and the final 10-15% would be high risk.”

In an article entitled “Improving Risk Assessments and Audit Operations”, author Tammy Whitehouse focused on how one company, Timken Co., created a risk matrix to evaluate risks determined by the company’s risk assessment. At Timken, the most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These “Severe” risks become the focus of the audit monitoring plan going forward. A variety of tools can be used to continuously monitor risk going forward. However, you should not forget the human factor. At Timken, one of the methods used by the compliance group to manage such risk is by providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. The company also produces a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it.

The key to the Timken approach is the action steps prescribed by their analysis. This is another way of saying that the risk assessment informs the compliance program, not vice versa. This is the approach set forth by the DOJ from the 2012 FCPA Guidance, through the Evaluation of Corporate Compliance Programs (Evaluation), up to the FCPA Corporate Enforcement Policy (Policy). I believe that the DOJ wants to see a reasoned approach with regards to the actions a company takes in the compliance arena. The model set forth by Timken certainly is a reasoned approach and can provide the articulation needed to explain which steps were taken.

Three Key Takeaways 

  1. Even after you complete your risk assessment, you must evaluate those risks for your company.
  2. The DOJ and SEC are looking for a well-reasoned approach on how you evaluate your risk.
  3. Create a risk matrix and force rank your risks.

Jan 15, 2018

In this podcast, I visit with Jonathan Marks, a partner at Marcum LLP, on how to perform a root cause analysis and its use in the remediation phase of a best practices compliance program. One new and different item was laid out in the Evaluation of Corporate Compliance Programs, supplementing the Ten Hallmarks of an Effective Compliance Program from the 2012 FCPA Guidance. This was the performance of a root cause analysis for any compliance violation which may lead to a self-disclosure or enforcement action.

Jonathan Marks notes a root cause analysis “is a research based approach to identifying the bottom line reason of a problem or an issue; with the root cause, not the proximate cause, the root cause representing the source of the problem.” He contrasted this definition with that of a risk assessment which he said “is something performed on a proactive basis based on various facts. A root cause analysis analyzes a problem that (hopefully) was previously identified through a risk assessment.”

We also consider how to use a risk assessment because under the Evaluation, the critical element is how you used the information you developed in the root cause analysis. Literally every time you see a problem as a compliance officer, you should perform a root cause analysis. Was something approved or not approved before the untoward event happened? Was any harm done? Why or why not? Why did that system fail? Was it because the person who is doing the approval was too busy? Was it because people didn’t understand? It is in answering these and other questions which have been developed through a root cause analysis that you can bring real value and real solutions to your compliance programs.

We tie these requirements from the Evaluation of Corporate Compliance Programs together. You must not only perform the root cause analysis but use the information you obtain to inform your compliance program going forward. As much care as you put into performing your root cause analysis should be put into using the findings for remediation.

Jan 14, 2018

One cannot really say enough about risk assessments in the context of an anti-corruption program. Since at least 1999, in the Metcalf & Eddy enforcement action, the DOJ has said that a risk assessment which measures the likelihood and severity of possible FCPA violations is the manner in which you should direct your resources to manage these risks. The 2012 FCPA Guidance stated it succinctly when it said, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.”

This language was supplemented in 2017 in both the Evaluation and the new FCPA Corporate Enforcement Policy. Under Prong 4 of the Evaluation, Risk Assessments, the following issues were raised: Risk Management Process – What methodology has the company used to identify, analyze, and address the particular risks it faced? Manifested Risks – How has the company’s risk assessment process accounted for manifested risks? In the FCPA Corporate Enforcement Policy it stated, “The effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment”.

The risk assessment determines the areas at greatest risk for FCPA violations among all types of international business transactions and operations, the business culture of each country in which these activities occur, and the integrity and reputation of third parties engaged on behalf of the company. The simple reason is straightforward; one cannot define, plan for, or design an effective compliance program to prevent bribery and corruption unless you can measure the risks you face.

Rick Messick laid out the four steps of a risk assessment as follows: “First, all conceivable forms of corruption to which the organization, the activity, the sector, or the project might be exposed is catalogued.  Second, an estimate of how likely it is that each of the possible forms of corruption will occur is prepared and third an estimate of the harm that will result if each occurs is developed.  The fourth step combines the chances of occurrence with the probability of its impact to produce a list of risks by priority.”

What Should You Assess?

In 2011, the DOJ concluded three FCPA enforcement actions which specified factors which a company should review when making a Risk Assessment. The three enforcement actions, involving the companies Alcatel-Lucent, Maxwell Technologies and Tyson Foods, all had common areas that the DOJ indicated were compliance risk areas which should be evaluated for a minimum best practices compliance program. In both Alcatel-Lucent and Maxwell Technologies, the Deferred Prosecution Agreements listed the following seven areas of risk to be assessed, which are still relevant today.

  1. Geography-where does your Company do business.
  2. Interaction with types and levels of Governments.
  3. Industrial Sector of Operations.
  4. Involvement with Joint Ventures.
  5. Licenses and Permits in Operations.
  6. Degree of Government Oversight.
  7. Volume and Importance of Goods and Personnel Going Through Customs and Immigration.

All of these factors were reiterated in the 2012 FCPA Guidance which stated, “Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.”

One of the questions that I hear most often is how does one actually perform a risk assessment. Mike Volkov has suggested a couple of different approaches in his article, “Practical Suggestions for Conducting Risk Assessments.” In it Volkov differentiates between smaller companies which might use some basic tools such as “personal or telephone interviews of key employees; surveys and questionnaires of employees; and review of historical compliance information such as due diligence files for third parties and mergers and acquisitions, as well as internal audits of key offices” from larger companies. Such larger companies may use these basic techniques but may also include a deeper dive into high-risk countries or high-risk business areas. If your company’s sales model uses third party representatives, you may also wish to visit with those parties or persons to help evaluate their risks for bribery and corruption which might well be attributed to your company.

There are a number of ways you can slice and dice your basic inquiry. As with almost all FCPA compliance, it is important that your protocol be well thought out. If you use one, some or all of the above as your basic inquiries into your risk analysis, it should be acceptable for your starting point.

Three Key Takeaways 

  1. Since at least 1999, the DOJ has pointed to the risk assessment as the start of an effective compliance program.
  2. The DOJ will now consider both your risk assessment methodology for identifying risks and gathered evidence.
  3. You should base your compliance program on your risk assessment.

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Jan 13, 2018

In the Department of Justice’s Evaluation of Corporate Compliance Programs, Prong 8 Incentive and Disciplinary Measures it states: Incentive System Consistent Application – Have the disciplinary actions and incentives been fairly and consistently applied across the organization? In the FCPA Corporate Enforcement Policy it states, “Appropriate discipline of employees, including those identified by the company as responsible for the misconduct, either through direct participation or failure in oversight, as well as those with supervisory authority over the area in which the criminal conduct occurred”.

Under Hallmark Six of the Ten Hallmarks of an Effective Compliance Program it states:

In addition to evaluating the design and implementation of a compliance program throughout an organization, enforcement of that program is fundamental to its effectiveness. A compliance program should apply from the board room to the supply room—no one should be beyond its reach. DOJ and SEC will thus consider whether, when enforcing a compliance program, a company has appropriate and clear disciplinary procedures, whether those procedures are applied reliably and promptly, and whether they are commensurate with the violation. Many companies have found that publicizing disciplinary actions internally, where appropriate under local law, can have an important deterrent effect, demonstrating that unethical and unlawful actions have swift and sure consequences.

However, I believe that the 2012 FCPA Guidance’s best practices are more active than the ‘stick’ of employee discipline to make a compliance program effective and I believe that it also requires a ‘carrot’. This requirement is codified in the US Sentencing Guidelines with the following language, “The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.”

One of the areas in which Human Resources can operationalize your compliance program is to ensure that discipline is handed out fairly across an organization and to those employees who integrate such ethical and compliant behavior into their individual work practices going forward. This is more than financial incentives for ethical behavior but institutional objectivity for your employees.

Institutional objectivity comes from procedural fairness. This is one of the things that will bring credibility to your compliance program. Today it is called the Fair Process Doctrine and this Doctrine generally recognizes that there are fair procedures, not arbitrary ones, in processes involving rights. Considerable research has shown that people are more willing to accept negative, unfavorable, and non-preferred outcomes when they are arrived at by processes and procedures that are perceived as fair. Adhering to the Fair Process Doctrine in two areas of your Compliance Program is critical for you, as a compliance specialist or for your Compliance Department, to have credibility with the rest of the workforce. Finally, it is yet another way to more fully operationalize your compliance program.

Administration of Discipline

One area where the Fair Process Doctrine is paramount is in the administration of discipline after any compliance related incident. Discipline must not only be administered fairly but it must be administered uniformly across the company for the violation of any compliance policy. Simply put if you are going to fire employees in South America for lying on their expense reports, you have to fire them in North America for the same offense. It cannot matter that the North American employee is a friend of yours or worse yet a ‘high producer’. Failure to administer discipline uniformly will destroy any vestige of credibility that you may have developed.

Similarly, and as was re-emphasized in the FCPA Corporate Enforcement Policy, there must be real consequences to employees who violate your compliance program. If the regulators come knocking and you have not disciplined any company employees for Code of Conduct or compliance program violations in multiple years, the DOJ and SEC will conclude pretty quickly you are not serious about compliance. Fair process means that you must discipline those who engage in compliance violations no matter what their position is with the organization.

Employee Promotions

In addition to the area of discipline which may be administered after the completion of any compliance investigation, you must also place compliance firmly as a part of ongoing employee evaluations and promotions. If your company is seen to advance and only reward employees who achieve their numbers by whatever means necessary, other employees will certainly take note and it will be understood what management evaluates, and rewards, employees upon. I have often heard the (anecdotal) tale about some Far East Region Manager which goes along the following lines “If I violated the Code of Conduct I may or may not get caught. If I get caught I may or may not be disciplined. If I miss my numbers for two quarters, I will be fired”. If this is what other employees believe about how they are evaluated and the basis for promotion, you have lost the compliance battle.

Internal Investigations

The third area in which the Fair Process Doctrine is critical is internal company investigations. If your employees do not believe that the investigation is fair and impartial, then it is not fair and impartial. Further, those involved must have confidence that any internal investigation is treated seriously and objectively. One of the key reasons that employees will go outside of a company’s internal hotline process is because they do not believe that the investigation process will be fair.

This fairness has several components. One would be the use of outside counsel, rather than in-house counsel, to handle the investigation. Moreover, if the company uses a regular firm, it may be that other outside counsel should be brought in, particularly if regular outside counsel has created or implemented key components which are being investigated. Further, if the company’s regular outside counsel has a large amount of business with the company, then that law firm may have a very vested interest in maintaining the status quo. Lastly, the investigation may require a level of specialization which in-house or regular outside counsel does not possess.

An often-overlooked role of any CCO or compliance professional is to help provide employees procedural fairness. If your compliance function is seen to be fair in the way it treats employees, in areas as varied as financial incentives, promotions, and uniform discipline meted out across the globe, employees are more likely to inform the compliance department when something goes awry. If employees believe they will be treated fairly, it will go a long way to more fully operationalizing your compliance program.

Three Key Takeaways

  1. The DOJ and SEC have long called for consistent application in both incentives and discipline.
  2. The Fair Process Doctrine ensures employees will accept results they may not like.
  3. Inconsistent application of discipline will destroy your compliance program credibility.

Jan 12, 2018

One of the areas that many companies have not paid as much attention to in their compliance programs is compensation. However, the DOJ and SEC have long made clear that they view monetary structure for compensation, rewarding those employees who do business in compliance with their employer’s compliance program, as one of the ways to reinforce the compliance program and the message of compliance. As far back as 2004, the then SEC Director of Enforcement, Stephen M. Cutler, said “[M]ake integrity, ethics and compliance part of the promotion, compensation and evaluation processes as well. For at the end of the day, the most effective way to communicate that “doing the right thing” is a priority, is to reward it.” The 2012 FCPA Guidance stated the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership.”

This same concept around compensation and incentives was brought forward in the Evaluation under Prong 8, Incentives and Disciplinary Measures, where it stated, “Incentive System – How has the company incentivized compliance and ethical behavior? How has the company considered the potential negative compliance implications of its incentives and rewards? Have there been specific examples of actions taken (e.g., promotions or awards denied) as a result of compliance and ethics considerations?”

A Harvard Business Review (HBR) article, entitled “The Right Way to Use Compensation”, discussed a company’s design and redesign of its employees’ compensation system to help drive certain behaviors. The piece’s subtitle indicated how the company fared in this technique as it read, “To shift strategy, change how you pay your team.” The article lays out a framework for the Chief Compliance Officer or compliance practitioner to operationalize compensation as a mechanism in a best practices compliance program.

As your compliance program matures and your strategy shifts, “it’s critical that the employees who bring in the revenue-the sales force-understand and behave in ways that support the new strategy. The sales compensation system can help ventures achieve that compliance.” The prescription for you as the compliance practitioner is to revise the incentive system to focus your employees on the goals of your compliance program. This may mean that you need to change the incentives as the compliance program matures, from installing the building blocks of compliance to burning anti-corruption compliance into the DNA of your company.

There are three key questions you should ask yourself in modifying your compensation structure. First, is the change simple? Second, is the change aligned with your company values? Third, is the effect on behavior immediate due to the change?

Simplicity

Keep the compensation plan simple and even employ KISS (keep it simple, sir) when designing your program. If you do not do so, your employees might fall back on old behaviors that worked in the past. Roberge notes, “It should be extraordinarily clear which outcomes you are rewarding.” The simplest way to incentivize employees is to create metrics that they readily understand and that are achievable in the context of the compliance program. This can start with attending Code of Conduct and compliance program training. Next might be a test to determine how much of that training was retained. It could be follow-up online training. It could mean instances of being a compliance champion in certain areas, whether with your employee base or third-party sales force.

Alignment

As the CCO or compliance practitioner, you need to posit the most important compliance goal your entity needs to achieve. From there you should determine how your compensation program can be aligned with that goal. The beauty of this alignment is that it works with your sales force throughout the entire sales cycle. If your sales channel is employee based, then their direct compensation can be used for alignment. However, such alignment also works with a third-party sales force such as agents, representatives, channel ops partners and even distributors. You can even introduce clawbacks, which would come into play at some point in the future for those who might violate your compliance program.

Immediacy

Finally, under immediacy, it is important that such structures be put in place “immediately” but in a way that incentivizes employees. As a part of immediacy, there must be sufficient communication with your employees. In the world of employee compensation incentives, there should be transparency as to the expectations.

A panel at Compliance Week 2016, entitled “The Unsolvable Problem: Performance, Pay, Pressure and Misconduct”, focused on variable compensation. The panel had some interesting thoughts around compensation, including the amount of your variable compensation relative to risk. What does your discretionary bonus program consist of? Is it corporate performance based? Group performance based? Only personal, i.e. eat what you kill? Or is it some combination of all of the above?

The panel provided three examples which might lead to compliance failures: (1) lofty goals but no direction for employees on how to get there; (2) a paucity of communication between management and line employees, meaning there was raw fear from employees to inform their immediate supervisor of bad news (conversely, it could be the supervisors who do not want to hear such bad news); and (3) a singular focus on numbers at your company, meaning that is the single judge of your worth as an employee. Answering some of these questions if they arise can help you to understand the design of incentive plans and allow monitoring of incentive plans to identify underlying links that may arise through compliance violations.

Obviously, a compensation plan has the power to motivate salespeople not only to sell more but to act in ways that support your company’s business model and overall culture and values. For the compliance practitioner, one of the biggest reasons to use it is first to change a company’s culture to make compliance more important and then to burn it into the fabric of your organization. But you must be able to evolve in your thinking and professionalism as a compliance practitioner to recognize the opportunities to change and then adapt your incentive program to make the doing of compliance part of your company’s everyday business process.

Three Key Takeaways

  1. The DOJ and SEC have long advocated compensation as a way to motivate employees into ethical and compliant behaviors.
  2. Keep the compliance aspects of your compensation structure simple and easy for your employees to understand.
  3. Have full transparency in the framework of your compensation structure.


Jan 11, 2018

The communication of your anti-corruption compliance program, both through training and message, is something that must be done on a regular basis to ensure its effectiveness. The FCPA Guidance explains, “Compliance policies cannot work unless effectively communicated throughout a company. Accordingly, DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.”

One of the key goals of any Foreign Corrupt Practices Act (FCPA) compliance program is to train employees in awareness and understanding of the FCPA; your specific company compliance program; and to create and foster a culture of compliance. Beginning in the fall of 2016 through the announcement of the FCPA enforcement Pilot Program, the DOJ began to talk about whether you have determined the effectiveness of your training. This continued with the 2017 Evaluation of Corporate Compliance Programs where they asked, “How has the company measured the effectiveness of the training?” This point has bedeviled many compliance professionals yet is now a key metric for the government in evaluating compliance training.

Also raised in the Evaluation was the focus of your training programs, where the DOJ inquired into whether your training was “tailored” for the audience. The Evaluation, in Prong 6, Training and Communication, asked, in part: Risk-Based Training – What training have employees in relevant control functions received? Has the company provided tailored training for high-risk and control employees that addressed the risks in the area where the misconduct occurred? What analysis has the company undertaken to determine who should be trained and on what subjects?

This adds two requirements. The first is that you must assess your employees for risk to determine the type of training you might need to deliver. This means that you should risk rank your employees. Obviously, the sales force would be the highest risk but there may be others which are deserving of high risk training as well. From your risk ranking, you need to then develop training tailored for the risks those employees will face.

The key going forward is that you have thoughtfully created your compliance training program, not only in its design but in who receives it, all coupled with a backend determination of effectiveness. Finally, all of this must be documented. In Prong 6, Training and Communication, of the Evaluation it read, in part:

Form/Content/Effectiveness of Training – Has the training been offered in the form and language appropriate for the intended audience? How has the company measured the effectiveness of the training?

Most companies have not considered this issue, the effectiveness of their compliance program. I would suggest that you start at the beginning of an evaluation and move outward. This means starting with attendance, which many companies tend to overlook. You should determine that all senior management and company Board members have attended compliance training. You should review the documentation of attendance and confirm this attendance. Make your department or group leaders accountable for the attendance of their direct reports and so on down the chain. Evidence of training is important to create an audit trail for any internal or external assessment or audit of your training program. 

Joel Smith, the founder of Inhouse Owl, a training services provider, considered an analysis of return on investment (ROI) for compliance training. He advocated performing an assessment to determine ethics and compliance training ROI to demonstrate that by putting money and resources into training, a compliance professional can not only show the benefits of ethics and compliance training but also understand more about what employees are getting out of training (i.e. effectiveness). The goal is to create a measurable system that will identify the benefits of training, such as avoiding a non-compliance event such as a violation of the FCPA. I have adapted his concepts on ROI to focus on compliance training effectiveness.

Smith’s model uses four factors to help determine ROI for your ethics and compliance training, which are: (1) Engagement, (2) Learning, (3) Application and Implementation, and (4) Business Impact. These same four factors can be used to determine compliance training effectiveness.

  1. Figure out what you want to measure. Before you ever train an employee, you should have a goal in mind. What actions do you want employees to take? What risks do you want them to avoid? In compliance training, you want them to avoid non-ethical and non-compliant actions that would lead to potential violations. Your goal is to train employees to follow your Code of Conduct and your compliance program policies and procedures so you avoid liability related to actions.
  2. Were employees satisfied with the training? What is their engagement? The next step is to get a sense of whether employees feel that the training you provided is relevant and targeted to their job. If it’s not targeted, employees will likely not be committed to changing risky behavior. One way to obtain such data is through a post-training survey. This should give you insight into determining if employees thought the training was beneficial and effective in answering their questions and concerns.
  3. Did employees actually learn anything? A critical part of any employee training is the assessment. You must know whether they actually learned anything during training. You can collect this data in a number of ways, but for compliance training, the best way is to measure pre- and post-training understanding over time. Basically, each time you train an employee, measure comprehension both before and after training.
  4. Are employees applying your training? A survey should be used to determine employee application and their implementation of the training topics. To do so, you must conduct surveys to understand whether they ceased engaging in certain risky behaviors or better yet understand how to conduct themselves in certain risky situations. These surveys can provide a good sense of whether the training has been effective.

The beauty of using surveys is that they provide feedback not simply on the compliance training to determine effectiveness but on a much wider variety of areas for your compliance program. These surveys can provide critical information on the state of your compliance program and provide substantive feedback for further inclusion back into your compliance program. Testing your program and using that information in a feedback loop is another key component of a best practices compliance program.

The importance of determining effectiveness of your compliance program is now enshrined by the DOJ in its Evaluation. The Evaluation demonstrates the DOJ wants to see evidence of the effectiveness of your compliance program. This is something that many Chief Compliance Officers and compliance professionals struggle to determine. Both the simple guidelines suggested and the more robust assessment and calculation provide you with a start to fulfill the Evaluation but you will eventually need to demonstrate the effectiveness of your compliance training going forward.

Three Key Takeaways

  1. You must demonstrate you have measured the effectiveness of your compliance training.
  2. The DOJ is clearly moving into requiring a demonstration of effectiveness of compliance training.
  3. You should be moving towards a model of demonstrating compliance training ROI to validate full operationalization of your compliance training. 


Jan 10, 2018

What is the message of compliance inside of a corporation and how is it distributed? In a compliance program, the largest portion of your consumers/customers are your employees. Social media presents some excellent mechanisms to communicate the message of compliance going forward. Many of the applications that we use in our personal communication are free or available at very low cost. Why not take advantage of them and use those same communication tools in your internal compliance marketing efforts going forward?

I visited with Louis Sapirman, Chief Compliance Officer at Dun & Bradstreet (D&B), about the company’s integration of social media into compliance. Sapirman emphasized the tech savvy nature of the company’s work force. It is not simply about having a younger work force. If your company is in the services business, it probably means an employee base using technological tools to deliver solutions. He also pointed to the data driven nature of the D&B business, so using technological tools to deliver products and solutions is something the company has been doing for quite a while. This use of technological tools led the company to consider how such techniques could be used internally in disciplines which may not have incorporated them into their repertoires previously.

Not surprisingly, with most any successful corporate initiative, Sapirman said it began at the top of the organization, literally with the company’s Chief Executive Officer, Robert Carrigan. Sapirman noted that the CEO saw the advantage of using social media internally and challenged his senior management team to take a new look at the manner in which their corporate functions were using social media. From there Sapirman and his compliance team saw the advantages of using social media for facilitating a 360-degree approach to communications in compliance. Sapirman comprehended the possibility for use of social media for compliance with those external to the company as well.

Internally Sapirman pointed to a tool called Chatter, which he uses similarly to Twitter users who engage in a Tweet-up. He has created an internal company brand in the compliance space, using the moniker #dotherightthing, which trends in the company’s Chatter environment. He also uses this hashtag when he facilitates a Chatter Jam, which is a real-time social media discussion. He puts his compliance team into the event and they hold it at various times during the day so it can be accessed by D&B employees anywhere in the world.

He said that he seeds Chatter Jam so that employees are aware of the expectations and engage in the discussion in a manner respectful of others. When D&B began these sessions he also reminded employees that if they had specific or individual concerns they should bring them to Sapirman directly or through the hotline. However, he does not have to make this admonition any more, as everyone seems to understand the ground rules. Now this seeding only relates to the topics that each Chatter Jam begins with going forward.

One of the concerns lawyers tend to have about the use of social media is with general and specific topics coming up on social media and the ill it may cause the organization. Sapirman believes that while such untoward situations can arise, if you make clear the ground rules about such discussions, these types of issues do not usually arise. That has certainly been the D&B experience.

Each employee uses their own name during these Chatter Jams, so there is employee accountability and transparency as well. Sapirman said they further define each communication through a hashtag so that it can not only be immediately defined but also searched in the archives going forward. He provided the examples of specific regulatory issues and privacy. This branding also enhances the process going forward.

I asked Sapirman if he could point to any specific compliance initiatives that arose during or from these Chatter Jams. Sapirman emphasized that these events allow employees the opportunity to express their opinions about the compliance function and what compliance means to them in their organization. One of these discussions was around the company’s Code of Conduct. He said that employees wanted to see the words “Do The Right Thing” as the name of the Code of Conduct.

I inquired about D&B’s use of social media in connection with their third parties. Sapirman said that the company allows some of them access to its internal Chatter tools to facilitate direct communications. Further, these external contractors can connect with both Sapirman and the company through Twitter. He said that he is consistently communicating to the greater body of customers about the compliance initiatives or compliance reminders on what the D&B compliance function is doing and how it is going about doing them. He believes it is an important communications tool to make sure that he and his team are getting their compliance messages out there.

Both of these initiatives drove home to me three key insights. The first is how compliance, like society, is evolving, in many ways ever faster. As more millennials move into the workforce, the more your employee base will have used social media all their lives. Once upon a time, email was a revelatory innovation. Now if you are not communicating, you are falling behind the 8-ball. Employees expect their employers to act like and treat them as if this is the present day, not 1994 or even 2004.

The second is that these tools can go a long way towards enhancing your compliance program going forward. Recall the declination to prosecute that Morgan Stanley received from the Department of Justice, back in 2012, when one of its Managing Directors had engaged in FCPA violations. One of the reasons cited by the DOJ was 35 email compliance reminders sent over 7 years, which served to bolster the annual FCPA training to the recalcitrant Managing Director. You can use your archived social media communications as evidence that you have continually communicated your company’s expectations around compliance. It is equally important that these expectations are documented (Read – Document, Document, and Document).

Finally, never forget the social part of social media. Social media is a more holistic, multiple-sided communication. Not only are you setting out expectations but also these tools allow you to receive back communications from your employees. The D&B experience around the name change for its Code of Conduct is but one example. You can also see that if you have several concerns expressed it could alert you earlier to begin some detection and move towards prevention in your compliance program.

Three Key Takeaways

  1. Incorporation of social media into your compliance communications can pay off big dividends.
  2. Focus on the ‘social’ part of social media.
  3. Use internal corporate social media to facilitate a 360-degree conversation.


Jan 9, 2018

Today, I visit with Mark Rainsford and Jason Sugarman, principals with RS Legal Strategies, which is a pioneering Queen’s Counsel led business crime, fraud and legal strategy boutique. Its world-class professionals include leading and junior counsel, a solicitor, a former member of the judiciary and special advisor to the Serious Fraud Office, two former investigators, analysts, researchers, tax fraud and compliance specialists. RSL has special expertise in UK DPAs and NPAs and offers Independent Compliance Monitors or Reviewers.

RS Legal Strategies employs former senior UK law enforcement investigators to provide expert analysis and invaluable strategic advice on evidential and disclosure issues. RS Legal Strategies conducts internal investigations into a wide variety of areas including: fraud detection, business and corporate crime, proceeds of crime and money laundering investigations and regulatory compliance.

In 2017, RS Legal Strategies formed a strategic alliance with Affiliated Monitors (AMI). With the complementary experience of the US and UK teams, it allows companies to take a more pro-active approach to addressing ethics and compliance deficiencies comprehensively, and through the efforts of independent advisors, there is a much greater likelihood that a successful outcome and improved practices can be achieved. Through the combination of RS Legal’s experience with UK enforcement actions, with AMI’s global ethics and compliance, this alliance can significantly increase the likelihood of a corporate client securing a non-prosecution outcome, a Deferred Prosecution Agreement, or other beneficial outcome resulting from ongoing investigations.

Together AMI and RS Legal Strategy offer a unique and compelling vision. Although independent, we would work alongside our client’s lawyers, thus allowing outside and in-house counsel to leverage the exceptional know how from both a UK and USA strategy and compliance consulting perspective.

The interviewees are Mark Rainsford QC, RS Legal Strategies Chairman and Head of Litigation and Jason Sugarman, RS Legal Strategies Managing Director.


Jan 8, 2018

What specifically are internal controls in a compliance program? Internal controls are not only the foundation of a company but are also the foundation of any effective anti-corruption compliance program. The starting point is the FCPA itself, which requires the following:

Section 13(b)(2)(B) of the Exchange Act (15 U.S.C. § 78m(b)(2)(B)), commonly called the “internal controls” provision, requires issuers to:

devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that—

(i) transactions are executed in accordance with management’s general or specific authorization;

(ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;

(iii) access to assets is permitted only in accordance with management’s general or specific authorization; and

(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences ….

The DOJ and SEC, in the 2012 FCPA Guidance, stated, “Internal controls over financial reporting are the processes used by companies to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements. They include various components, such as: a control environment that covers the tone set by the organization regarding integrity and ethics; risk assessments; control activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitoring.” Moreover, “the design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.”

This was supplemented in the Evaluation of Corporate Compliance Programs with the following:

Controls – What controls failed or were absent that would have detected or prevented the misconduct? Are they there now?

Aaron Murphy, Assistant Solicitor General in the Office of the Attorney General for the state of Utah and author of “Foreign Corrupt Practices Act: A Practical Resource for Managers and Executives”, said, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.”

There are four significant controls that I would suggest the compliance practitioner implement initially. They are: (1) Delegation of Authority (DOA); (2) Maintenance of the vendor master file; (3) Contracts with third parties; and (4) Movement of cash / currency.

Your DOA should reflect the impact of compliance risk including both transactions and geographic location so that a higher level of approval for matters involving third parties, for fund transfers and invoice payments to countries outside the US would be required inside your company.

Next is the vendor master file, which can be one of the most powerful PREVENTIVE control tools largely because payments to fictitious vendors are one of the most common occupational frauds. The vendor master file should be structured so that each vendor can be identified not only by risk level but also by the date on which the vetting was completed and the vendor received final approval. There should be electronic controls in place to block payments to any vendor for which vetting has not been approved. Internal controls are needed over the submission, approval, and input of changes to the vendor master file.

Contracts with third parties can be a very effective internal control which works to prevent nefarious conduct rather than simply as a detect control. I would caution that for contracts to provide effective internal controls, relevant terms of those contracts (including, for instance, the commission rate, reimbursement of business expenses, use of subagents, etc.) should be made available to those who process and approve vendor invoices.

All situations involving the movement of cash or transfer of monies outside the US, including such methods as AP computer checks, manual checks, wire transfers, replenishment of petty cash, loans and advances, should be reviewed from the compliance risk standpoint. This means you need to identify the ways in which a country manager or a sales manager could cause funds to be transferred to their control and conceal the true nature of the use of the funds within the accounting system.

To prevent these types of activities, internal controls need to be in place. All wire transfers outside the US should have defined approvals in the DOA, and the persons who execute the wire transfers should be required to evidence agreement of the approvals to the DOA. Wire transfer requests going out of the US should always require dual approvals. Lastly, wire transfer requests going outside the US should be required to include a description of proper business purpose.

The bottom line is that internal controls are just good financial controls. The internal controls detailed for third party representatives in the compliance context will help to detect fraud, which could well lead to bribery and corruption. As an exercise, I suggest that you map your existing internal controls to the Ten Hallmarks of an Effective Compliance Program or some other well-known anti-corruption regime to see where control gaps may exist at your organization. This will help you to determine whether adequate compliance internal controls are present in your company. From there you can move to see if they are working in practice or ‘functioning’.

Three Key Takeaways

  1. Effective internal controls are required under the FCPA.
  2. Internal controls are a critical part of any best practices compliance program.
  3. SEC-led FCPA enforcement actions demonstrate the enforcement spotlight on internal controls.

                                                      


Jan 8, 2018

In this episode, I visit with QuantaVerse CEO/Founder David McLaughlin on the company’s new tool, the Chief Audit Checkup service, which leverages the QuantaVerse AI Financial Crime Platform to analyze enterprise data and more efficiently and effectively identify insider threats, bribery, corruption, money laundering, fraud, terrorism financing and third-party risks that traditional internal audit investigations routinely miss. The Chief Audit Checkup service identifies anomalous data patterns related to both known and not yet identified financial crime typologies. The Chief Audit Checkup service lets organizations see first-hand how AI analysis can improve their audit processes and outcomes.

We discuss what is new about this offering and how it can assist a CCO to manage many risks: AML, ABC, Cyber, Export, Fraud, Third parties. In ABC cases, the old Watergate maxim of ‘follow the money’ applies because the employees have to get the money from somewhere to pay the bribes, and the Chief Audit Executive Checkup service helps a CCO to follow the money. We explore how the Chief Audit Executive Checkup service helps to see down the entire continuum of a transaction, from initial bid to contract signing, and how financial anomalies are presented to the user in the Chief Audit Executive Checkup service.

Finally, we walk through a fascinating FCPA hypothetical can how the Chief Audit Executive Checkup can help a CCO in the following. A compliance team is tasked to audit an international electronics company’s line of business with a central Asian country, the team would manually review 150 travel and expense reports for anomalies, one month’s worth of core accounting system records of financial transfers to/from the central Asian country, and 30 days of vendor payments as they relate to possible FCPA or other insider threat or corruption risk. The internal audit team might identify 1-2 cases in which employees submitted questionable travel expense reports. Using Chief Audit Executive Checkup, the compliance team could leverage AI to examine thousands of combined data points to holistically screen all LOB data related to central Asian country for known and unknown financial crime red flags truly worthy of their attention.

For more information on Chief Audit Executive Checkup, click here.

Jan 7, 2018

There are numerous reasons to put some serious work into your compliance policies and procedures. They are certainly a first line of defense when the government comes knocking. The 2012 FCPA Guidance made clear that “Whether a company has policies and procedures that outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures will also be considered by DOJ and SEC.” By using the word “considered”, it is clear that the regulators will take a strong view against a company that does not have a well-thought-out and articulated set of policies and procedures, all of which are systematically reviewed and updated. Moreover, having policies written out and signed by employees provides what some consider the most vital layer of communication and acts as an internal control. Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the ‘Document, Document and Document’ mantra applies just as strongly to this area of anti-corruption compliance.

The specific written policies and procedures required for a best practices compliance program are well known and long established. The 2012 FCPA Guidance stated, “Among the risks that a company may need to address include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.” Policies help form the basis of expectation for conduct in your company. Procedures are the documents that implement these standards of conduct.

The role of compliance policies is to protect companies, their stakeholders, including employees, third-parties and others, despite an occasional lapse. A company’s compliance policies provide a basic set of guidelines for employees and others to follow. Compliance policies should give general prescriptions and should be supplemented by more specific procedures. By establishing what is and what is not acceptable ethical and compliant behavior, a company helps mitigate the risks posed by employees who might not always make the right ethical choices.

The Evaluation of Corporate Compliance Programs builds upon the requirements articulated in the 2012 FCPA Guidance. Under Prong 4, Policies and Procedures, there are two parts: Design and Accessibility, and Operational Integration. Part A has the following components.

Designing Compliance Policies and Procedures – What has been the company’s process for designing and implementing new policies and procedures? Who has been involved in the design of policies and procedures? Have business units/divisions been consulted prior to rolling them out?

Applicable Policies and Procedures – Has the company had policies and procedures that prohibited the misconduct? How has the company assessed whether these policies and procedures have been effectively implemented? How have the functions that had ownership of these policies and procedures been held accountable for supervisory oversight?

The Evaluation then goes on to ask about both accessibility and effectiveness of the compliance policies and procedures by stating:

Accessibility – How has the company communicated the policies and procedures relevant to the misconduct to relevant employees and third parties? How has the company evaluated the usefulness of these policies and procedures?

Compliance policies do not guarantee employees will always make the right decision. However, the effective implementation and enforcement of compliance policies demonstrate to the government that a company is operating professionally and ethically for the benefit of its stakeholders, its employees and the community it serves.

There are five general elements to a compliance policy. It should:

  • identify who the compliance policy applies to;
  • set out what is the objective of the compliance policy;
  • describe why the compliance policy is required;
  • outline examples of both acceptable and unacceptable behavior under the compliance policy; and
  • lay out the specific consequences for failure to comply with the compliance policy.

The Evaluation mandates there must be communication of your compliance policies and procedures throughout the workforce and relevant stakeholders such as third-parties and business venture partners. Under Part B of Prong 4 is the Operational Integration section with the following components.

Responsibility for Integration – Who has been responsible for integrating policies and procedures? With whom have they consulted (e.g., officers, business segments)? How have they been rolled out (e.g., do compliance personnel assess whether employees understand the policies)?

There are also two specific areas that policies and procedures need to focus on: payments and third parties. They have the following components.

Payment Systems – How was the misconduct in question funded (e.g., purchase orders, employee reimbursements, discounts, petty cash)? What processes could have prevented or detected improper access to these funds? Have those processes been improved?

Vendor Management – If vendors had been involved in the misconduct, what was the process for vendor selection and did the vendor in question go through that process?

This means that it is more than simply having appropriate policies and procedures. It is operationalizing them into your compliance program, down to the business unit level. How can you do so? Compliance training is only one type of communication. This is a key element for compliance practitioners because if you have a 30,000+ worldwide work force, simply the logistics of training can appear daunting. Small groups, where detailed questions about policies can be raised and discussed, can be a powerful teaching tool. Another technique can be posting FAQs in common areas and virtually. Also, having written compliance policies signed by employees provides what some consider the most vital layer of communication. A signed acknowledgement can serve as evidentiary support if a future issue arises. Finally, never forget the example of the Morgan Stanley declination where the recalcitrant employee annually signed such certifications. These signed certifications helped Morgan Stanley walk away with a full declination.

The 2012 FCPA Guidance ends its section on policies with the following, “Regardless of the specific policies and procedures implemented, these standards should apply to personnel at all levels of the company.” It is important that compliance policies and procedures are applied fairly and consistently across the organization. The Fair Process Doctrine demonstrates that if compliance policies and procedures are not applied consistently, there is a greater chance that an employee dismissed for breaching a policy could successfully claim he or she was unfairly terminated. This last point cannot be over-emphasized. If an employee is going to be terminated for fudging their expense accounts in Brazil, you had best make sure that same conduct lands your top producer in the US with the same quality of discipline.

Three Key Takeaways

  1. The Code of Conduct, together with written compliance policies and procedures, forms the backbone of your compliance program.
  2. The DOJ and SEC expect a well-thought-out and articulated set of compliance policies and procedures.
  3. The Fair Process Doctrine holds for the application of policies and procedures.


Jan 6, 2018

What is the value of having a Code of Conduct? I have heard many business folks ask that question over the years. In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven, something to wave in a regulator’s face during an enforcement action to claim that we are an ethical company. Is such a legalistic code effective? Is a Code of Conduct more than simply your company’s law? What should be the goal in the creation of your company’s Code of Conduct?

In the 2012 FCPA Guidance, the DOJ and Securities and Exchange Commission stated, “A company’s code of conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf. Indeed, it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it. When assessing a compliance program, DOJ and SEC will review whether the company has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code.”

In the Society for Corporate Compliance and Ethics (SCCE) 2017 Complete Compliance and Ethics Manual article entitled “Essential Elements of an Effective Ethics and Compliance Program”, authors Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz state of your company’s Code of Conduct, “First and foremost, the standards of conduct demonstrate the organization’s overarching ethical attitude and its “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” They go on to state, “The code is meant for all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. This includes management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.” From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.”

There are several purposes which should be communicated in your Code of Conduct. The overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating those requirements, providing a process for proper decision-making and then requiring that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored to your company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. Your company’s disciplinary procedures should be stated in the Code of Conduct. These would include all forms of discipline, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize that it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

As I often say, the three most important things about your compliance program are ‘Document, Document and Document’. The same is true in communicating your company’s Code of Conduct. You need to do more than simply put it on your website and tell folks it is there, available and that they should read it. You need to document that all employees, or anyone else that your Code of Conduct is applicable to, have received, read, and understood it. The DOJ expects each company to begin its compliance program with a very publicly announced, very robust Code of Conduct. If your company does not have one, you need to implement one forthwith. If your company has not reviewed or assessed your Code of Conduct for five years, I would suggest that you do so in short order, as much has changed in the compliance world.

How important is the Code of Conduct? Consider the 2016 SEC enforcement action involving United Airlines, which turned on violation of the company’s Code of Conduct. The breach of the Code of Conduct was determined to be an FCPA internal controls violation. It involved a clear quid pro quo benefit paid out by United Airlines to David Samson, the former Chairman of the Board of Directors of the Port Authority of New York and New Jersey, the public government entity which has authority over, among other things, United Airlines’ operations at the company’s huge east coast hub at Newark, NJ.

The actions of United’s former Chief Executive Officer, Jeff Smisek, in personally approving the benefit granted to favor Samson violated the company’s internal controls around gifts to government officials by not only failing to follow the United Code of Conduct but also violating it. The $2.4 million civil penalty levied on United was in addition to the Non-Prosecution Agreement settlement with the Department of Justice, which resulted in a penalty of $2.25 million. The scandal also resulted in the resignation of Smisek and two high-level executives from United.

Three Key Takeaways

  1. Every formulation of a best practices compliance program starts with a written Code of Conduct.
  2. The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity.
  3. Document, Document and Document your training and communication efforts.


Jan 5, 2018

What is the role of a company’s Board of Directors as laid out in the Evaluation of Corporate Compliance Programs? In an area of inquiry entitled “Oversight”, under Prong 2, Senior and Middle Management, the DOJ posed three basic questions directed at the Board.

  1. What compliance expertise has been available on the board of directors?
  2. Have the board of directors held executive or private sessions with the compliance function?
  3. What types of information has the board of directors examined in their exercise of oversight in the area in which the misconduct occurred?

The new FCPA Corporate Enforcement Policy supplements the above with the following requirement for a Board of Directors in a best practices compliance program, asking what is “the availability of compliance expertise to the board”?

At a general level, these inquiries suggest several structural components for a Board around compliance. They include defining the Board’s role so there is a mutual understanding between the Board, CEO and senior management of the Board’s responsibilities around compliance. The Board must work to foster a culture of compliance risk management so all stakeholders understand the compliance risks involved and manage such risks accordingly. The Board must incorporate compliance risk management directly into strategy by overseeing the design and implementation of compliance risk evaluation and analysis. The Board should help to define the company’s appetite for compliance risk so all stakeholders understand the company’s appetite, or lack thereof, for compliance risk. The Board must oversee the execution of the compliance risk management process by maintaining an approach that is continually monitored and has continuing accountability. Finally, the Board must demand benchmarking through compliance systems which allow for evaluating and modifying the compliance risk management process as more information becomes available or facts or assumptions change.

All of these factors can be easily adapted to compliance risk management oversight. Initially, it is important that the Board receive direct access to such information on a company’s policies on this issue. The Board must have quarterly reports from a company’s Chief Compliance Officer to either the Audit Committee or the Compliance Committee. Your Board should create a Compliance Committee as the Audit Committee may more appropriately deal with financial audit issues. A Compliance Committee can devote itself exclusively to non-financial compliance, such as compliance. The Board’s oversight role should be to receive such regular reports on the structure of the company’s compliance program, its actions and self-evaluations. From this information, the Board can give oversight to any modifications to managing risk that should be implemented.

In addition to the requirement that a Board of Directors have a Compliance Committee, a Board should also have a compliance subject matter expert as a member. Mike Volkov looked at it from both a practical and business perspective stating, “I have witnessed firsthand that companies that have a board member with compliance expertise usually have a more aggressive and effective compliance program. In this situation, a Chief Compliance Officer has to answer to the board for the company’s compliance program, while receiving the resources and support to accomplish compliance tasks.” Roy Snell considered it through the prism of the compliance profession and noted that what “the government is looking for is not generic compliance expertise. They are looking for compliance program management expertise.”

There are some specific areas of inquiry by a Board of Directors around compliance. I have adapted 20 questions which reflect the oversight role of directors. These are questions which the Board should ask of both senior management and the Board itself. The questions are not intended to be an exact checklist, but rather a way to provide insight and stimulate discussion on the topic of compliance. The questions provide directors with a basis for critically assessing the answers they get and digging deeper as necessary.

The comments summarize the most current thinking on the issues and the practices of leading organizations. Although the questions apply to most medium to large organizations, the answers will vary according to the size, complexity and sophistication of each individual organization.

Part I: Understanding the Role and Value of the Board Compliance Committee

  1. What are the Board Compliance Committee’s responsibilities and what value does it bring to the board?
  2. How can the Board Compliance Committee assist the board to enhance its relationship with management?
  3. What is the role of the Board Compliance Committee?

Part II: Building an Effective Board Compliance Committee

  1. What skill sets does the Board Compliance Committee require?
  2. Who should sit on the Board Compliance Committee?
  3. Who should chair the Board Compliance Committee?

Part III: Directed to the Board of Directors

  1. What is the Board Compliance Committee’s role in building an effective compliance program within the company?
  2. How can a Board Compliance Committee assess potential members and senior leaders of the company’s compliance program?
  3. How long should directors serve on the Board Compliance Committee?
  4. How can the Board Compliance Committee assist in Board succession issues?

Part IV: Enhancing the Board’s Compliance Performance Effectiveness

  1. How can the Board Compliance Committee assist in director development?
  2. How can the Board Compliance Committee help the board chair sharpen the board’s overall performance focus?
  3. What is the Board Compliance Committee’s role in board evaluation and feedback?
  4. What should the Board Compliance Committee do if a director is not performing or not interacting effectively with other directors?
  5. Should the Board Compliance Committee have a role in chair succession?
  6. How can the Board Compliance Committee help the board keep its mandates, policies and practices up-to-date?

Part V: Merging Roles of the Compliance Committees

  1. How can the Board Compliance Committee enhance the board’s relationship with institutional shareholders and other stakeholders?
  2. What is the Board Compliance Committee’s role in CCO succession?
  3. What role can the Board Compliance Committee play in preparing for a crisis, such as the discovery of a sign of a significant compliance violation?
  4. How can the Board Compliance Committee help the board in deciding CCO pay, bonus and resources made available to the corporate compliance function?

Three Key Takeaways

  1. The DOJ Evaluation of Corporate Compliance Program requires active Board of Director engagement around compliance.
  2. Board communication on compliance is a two-way street, both inbound and outbound.
  3. Has the Board built an effective Board Compliance Committee?


Jan 4, 2018

The Evaluation of Corporate Compliance Programs makes clear that a company must have more than simply a good ‘Tone-at-the-Top’; it must move down through the organization from senior management down to middle management and into its lower ranks. This means that one of the tasks is to get middle management to respect the stated ethics and values of a company, because if they do so, this will be communicated down through the organization.

Mike Volkov said in an article entitled, “Mood in the Middle Versus Tone at the Top” that “Even when a company does all the right things at the senior management level, the real issue is whether or not that culture has embedded itself in middle and lower management. A company’s culture is reflected in the values and beliefs that exist throughout the company.” To fully operationalize your compliance program, you must find a way to articulate and then drive the message of ethical values and doing business in compliance with anti-corruption laws such as the FCPA from the top down, throughout your organization.

What should the tone in the middle be? What should middle management’s role be in the company’s compliance program? This role is critical because the majority of company employees work most directly with middle, rather than top, management and consequently, they will take their cues from how middle management responds to a situation. Perhaps most importantly, middle management must listen to the concerns of employees. Even if middle management cannot effect a direct change, it is important that employees have an outlet to express their concerns. Your organization should train middle managers to enhance listening skills in the overall context of providing training for their ‘Manager’s Toolkit’. This can be particularly true if there is a compliance violation or other incident which requires some form of employee discipline. Most employees think it important that there be organizational justice so that people believe they will be treated fairly. For if there is organizational justice, it engenders perceived procedural fairness, which makes it more likely an employee will be willing to accept a decision that they may not like or whose end result they disagree with.

Even with a great Tone-At-the-Top and in the middle, you cannot stop. One of the greatest challenges of a compliance practitioner is how to affect the ‘tone at the bottom’. One of the things you can do is assemble a compliance focus group to find out how business is done in the field and if it differs from what your company expects from an ethical and compliance perspective. Begin by assembling a group of employees who are familiar with the challenges of doing business in a compliant manner in certain geographic regions to discuss the challenges of doing business ethically and in compliance. Ask them questions about their understanding of your compliance regime. Then categorize the answers into the theory and practice of compliance in your company.

From this, test what is real in theory and in practice. You can check and see which employees are promoted more regularly: those who do business ethically and in compliance or those who meet their sales quotas every quarter. After you have internally tested, reassemble the original group and have them consider the beliefs that they articulated individually in the context of how your compliance model tested. Lead a discussion that attempts to identify what is different in practice and in theory and then how you can move from theory to practice to operationalizing compliance. Finally, in the feedback step, test how to more fully operationalize your compliance regime. These tests can be accomplished in the regular course of business or through a special project with a special team and separate budget.

By engaging employees at this level, you can find out not only what the employees think about the company compliance program but also use their collective experience to help design a better and more effective compliance program. Employees want to do business in an ethical manner. Giving them the chance to engage in business the right way, as opposed to cheating, will win the hearts and minds of your employees almost all the time. By using the protocol suggested by the authors, you can not only find out the effect of your company’s compliance program on the employees at the bottom but you can affect them as well.

Employees often look to their direct supervisor to determine what the tone of an organization is and will be going forward. Many employees of a large, multi-national organization may never have direct contact with the CEO or even senior management. By moving the values of compliance through an organization into the middle, you will be in a much better position to inculcate these values and operationalize compliance with them.

Three Key Takeaways

  1. Tone at the top – direct supervisors become the most important influence on people in the company.
  2. Give your middle managers a Tool Kit around compliance so they can fully operationalize compliance.
  3. Organizational justice is a further way to help operationalize compliance.


Jan 3, 2018

Prong 2 of the Evaluation of Corporate Compliance Programs states:

  1. Senior and Middle Management

Conduct at the Top – How have senior leaders, through their words and actions, encouraged or discouraged the type of misconduct in question? What concrete actions have they taken to demonstrate leadership in the company’s compliance and remediation efforts? How does the company monitor its senior leadership’s behavior? How has senior leadership modelled proper behavior to subordinates?

This requirement is more than simply the ubiquitous ‘tone-at-the-top’ as it focuses on the conduct of senior management. The Justice Department wants to see a company’s senior leadership actually doing compliance. The DOJ asks if company leadership has through their words and concrete actions brought the right message of doing business ethically and in compliance to a company. How does senior management model its behavior on a company’s values and finally how is such conduct monitored in an organization?

How can senior management operationalize compliance going forward? One of the best places to start is the article from the Harvard Business Review by Professor Lynn Paine entitled, “Managing for Organizational Integrity”. Five factors, derived from the article, can be used as guideposts not only to set the right tone from senior management on doing business ethically and in compliance but also to lay the groundwork for senior management to model appropriate behavior and then have it monitored by the company going forward.

  1. The guiding values of a company must make sense and be clearly communicated by senior management in a variety of settings, to the entire company workforce.
  2. The company’s leader must be personally committed and willing to take action on the values. This means that management must not simply ‘overlook’ the transgressions of top producers.
  3. A company’s systems and structures must support its guiding principles and these internal systems and structures cannot be over-ridden by senior management without both justification and Board approval.
  4. A company’s values must be integrated into normal channels of management decision-making and reflected in the company’s critical decisions. Sometimes a company must turn down business if there are too many red flags present or if, by engaging in such behavior, the company’s values and ethics will be violated.
  5. Managers must be empowered to make ethically sound decisions on a day-to-day basis. This means senior management must fully support and back-up such decisions.

David Lawler, in his book, Frequently Asked Questions in Anti-Bribery and Corruption, boiled it down as follows: “Whatever the size, structure or market of a commercial organization, top-level management’s commitment to bribery prevention is likely to include communication of the organization’s anti-bribery stance and appropriate degree of involvement in developing bribery prevention procedures.” Lawler went on to provide a short list of points that he suggests senior management engage in to communicate the type of tone to follow an anti-corruption regime. I had a CEO of a client who, after I described his role in operationalizing his company’s compliance program, observed the following, “You want me to be the ambassador for compliance.” I immediately averred in the affirmative. The following is a list of things that a CEO can do as an ‘Ambassador of Compliance’ to fully model the conduct that senior management must show.

  • Reject a ‘do as I say, not as I do’ mentality;
  • Not just ‘talk-the-talk’ but ‘walk-the-walk’ of compliance;
  • Oversee creation of a written statement of a zero tolerance towards bribery and corruption;
  • Appoint and fully resource, with money and headcount, a Chief Compliance Officer;
  • Oversee the development of a Code of Conduct and written compliance program implementing it;
  • Ensure there are compliance metrics on all key business reports;
  • Provide leadership to middle managers to facilitate filtering of the zero-tolerance message down throughout the organization;
  • Not only have a whistleblowing, reporting or speak up channel but celebrate it;
  • Keep talking about doing the right thing;
  • Make sure that you are seen providing your Chief Compliance Officer with access to yourself and the Board of Directors.

Coming at it from a different perspective, author Martin Biegelman provides some concrete examples in his book entitled, “Building a World Class Compliance Program – Best Practices and Strategies for Success”. Biegelman begins the chapter discussed in this posting with the statement “The road to compliance starts at the top.” There is probably no dispute that a company takes on the tone of its top management. Inspired by a list from Joe Murphy of actions that a CEO can demonstrate to set the requisite tone from the Captain’s Chair of any business, you can do some of the following.

  1. Keep a copy of the Code on your Desk. Have a dog-eared copy of your company’s Code of Conduct on your desktop and be seen using it.
  2. Give Your CCO Real Authority. Make sure your compliance department has authority, influence and budget within the company. Have your Chief Compliance Officer (CCO) report directly to the Board of Directors.
  3. Hold them Accountable. At Senior Executive meetings, have each participant report on what they have done to further the compliance function in their business unit.
  4. Reward and Punish. Have both sanctions for violation of company compliance policies and incentives for doing business in a compliant manner.
  5. Walk the Walk. Turn down an expensive dinner or trip offered by a vendor. Pass on a gift that you may have received. Turn down a transaction based upon ethical considerations.
  6. Be a Compliance Student. Be seen at intra-company compliance training. Take a one or two-day course or attend a compliance conference outside your organization.
  7. Recognize Compliance at Your Company. You should recognize outstanding compliance efforts with companywide announcements and awards.
  8. Enshrine Compliance at the Board. Recruit a nationally known compliance expert to sit on your company’s Board and chair the compliance committee.
  9. Independent Review. Obtain an independent, outside review of your company’s compliance program and report the results to the Board’s Compliance Committee.
  10. Push Compliance into Your Supply Chain. Mandate that all vendors in your Supply Chain embrace compliance and ethics as a business model. If not, pass on doing business with them.
  11. Create an Executive Network for Compliance. Talk to other CEOs and senior executives in your industry on how to improve your company’s compliance efforts.

Another way a CEO can forcefully engage an entire company is through a powerful video message about doing business the right way and in compliance. A great example was a CenterPoint Energy video put out in 2015 after the Volkswagen (VW) emissions-testing scandal became public. The video featured Scott Prochazka, CenterPoint Energy President and Chief Executive Officer (CEO). He used the VW scandal to proactively address culture and values at the company and used the entire scenario as an opportunity to promote integrity in the workplace. But more than simply a one-time video, the company followed up with an additional resource, entitled “Manager’s Toolkit – ‘What does Integrity mean to you?’”, which managers used to facilitate discussions and ongoing communications with employees around the company’s ethics and compliance programs. Finally, as noted by Amy Lilly, Director, Corporate Ethics and Compliance at CenterPoint Energy, the cost for the video was quite reasonable as it was produced internally.

Three Key Takeaways

  1. Senior management must actually do compliance; walk-the-walk, not simply talk-the-talk.
  2. Use your CEO to talk about current events and how those ethical failures are lessons to be learned for your organization.
  3. CEO as Compliance Ambassador.

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Jan 2, 2018

Operationalizing your compliance program can take many shapes and forms. Using the entire risk management process to embed your compliance program within the contours of your organization is an important, key step as it will allow you to have full visibility of your compliance risks through a longer life cycle. Forecasting allows you to consider your business strategy and wed the risks you can foresee. Risk assessments allow you to evaluate and measure known risks. Risk-based monitoring allows you to monitor the compliance risks you know about and detect those you do not know, on an ongoing basis.

I think there are several key lessons to be considered by any Chief Compliance Officer (CCO) or compliance practitioner. The first is the process around risk management. Most compliance practitioners understand the need for a risk assessment as it is articulated as Hallmark No. 4 of the Ten Hallmarks of an Effective Compliance Program. From the 2012 FCPA Guidance, the DOJ and Securities and Exchange Commission (SEC) said, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” In addition to this business case, the 2012 FCPA Guidance also specified the enforcement reasons for performing a risk assessment, “DOJ and SEC will give meaningful credit to a company that implements in good faith a comprehensive, risk-based compliance program, even if that program does not prevent an infraction in a low risk area because greater attention and resources had been devoted to a higher risk area.” The DOJ Evaluation of Corporate Compliance Programs builds on this.

Yet as compliance evolves and corporate compliance programs become more sophisticated, compliance is seen not as simply a legal prophylactic, but as a business process. Seen in this light, it is clear the risk management process should begin with forecasting as it attempts to estimate future aspects of your business. Compliance professionals should be able to say, with some degree of authority, what will happen in the next three months, six months, twelve months, twenty-four months. This allows them to deploy resources where they think appropriate in order to meet these future demands.

By starting with forecasting, a compliance function utilizes risk assessment to consider issues which forecasting did not predict or issues which the forecasting model raised as a potential outcome which warranted a deeper dive. If you are moving into a new product or sales area and are required to use third-party sales agents, a risk assessment would provide information that a company could use to ameliorate the risks. Risk-based monitoring follows on from the issues that your risk assessment identified as your highest risks. Risk-based monitoring tends to look at things on an ongoing basis, and the models that are behind the risk-based modeling are continuously refined based on incoming data.

All three of these tools tie back into process management and process improvement. There is a balance between what is actually important for your business or for proper execution, versus the practical aspects of the whole process. Ben Locwin stated, “If you are not measuring at a high enough resolution, then you are not capturing a lot of the environmental, market forces and external factors that probably are of high leverage to your operations in business that you simply do not know about.”

For example, if there is a one-in-three chance of a compliance failure occurring, and a company knew that in advance, the executive committee would probably stop the activity before there was a compliance failure and possible legal violation. This is how the risk management process can work to fulfill the three prongs of a compliance program: prevent, detect and remediate. You are using your risk forecast and you have a contingency in place, which you execute upon. In other words, it comes down to execution. This means you have to use the risk management tools available to you and when a situation arises, you remediate when required. This is not only where the rubber hits the road but the information and data you garner in the execution phase should be fed back into a process loop. From this, you will develop continuous feedback and continuous improvement.

I have gone through this in some detail to emphasize the business process nature that compliance has evolved into as a corporate discipline. By using these techniques, the CCO or compliance practitioner makes the business run more efficiently and at the end of the day, more profitably. The more you can bring these types of insight to a Chief Executive, the more you demonstrate how compliance adds to the bottom line and is not simply a cost center.

Three Key Takeaways

  1. The risk management process is an important backbone of operationalizing compliance.
  2. You should be able to monitor and measure both known and unknown risks.
  3. All of these steps help a business to run more efficiently and more profitably. 

Dec 31, 2017

2017 was a very significant year for every compliance practitioner and compliance program. The year brought two important documents on compliance programs. It began with the Evaluation of Corporate Compliance Programs (Evaluation) released in February 2017 and ended with the Department of Justice (DOJ) announcing a new Policy regarding Foreign Corrupt Practices Act (FCPA) enforcement in November 2017. Building upon the Ten Hallmarks of an Effective Compliance Program, as first articulated in the 2012 FCPA Guidance, there are now specific points, issues and questions a compliance professional can use to more fully operationalize your compliance program. 

In November 2017, Deputy Attorney General Rod Rosenstein announced the new FCPA Corporate Enforcement Policy. This new Policy incorporated the Ten Hallmarks of an Effective Compliance Program through reference to the 2012 FCPA Resource Guide as continued best practices and added new information on the DOJ’s expectations for more fully operationalizing compliance. The DOJ further incorporated language and concepts from a variety of sources, including the 2016 FCPA Pilot Program and the 2017 Evaluation.

Three Key Takeaways 

  1. 2017 brought two key DOJ documents forward for use by the compliance practitioner, the Evaluation and new FCPA Corporate Enforcement Policy
  2. You must work to more fully operationalize your compliance program
  3. Always remember the three most important things in any compliance program are: Document, Document, and Document