FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.
RSS Feed Subscribe in Apple Podcasts
FCPA Compliance Report





All Episodes
Now displaying: Category: compliance know-how
Oct 9, 2017

The compliance component of your mergers and acquisition regime should begin with a preliminary pre-acquisition assessment of risk. Such an early assessment will inform the transaction research and evaluation phases. This could include an objective view of the risks faced and the level of risk exposure, such as best/worst case scenarios. A pre-acquisition risk assessment could also be used as a “lens through which to view the feasibility of the business strategy” and help to value the potential target.

The next step is to develop the risk assessment as a base document. From this document, you should be able to prepare a focused series of queries and requests to be obtained from the target company. Thereafter, company management can use this pre-acquisition risk assessment to attain what might be required in the way of integration, post-acquisition. It would also help to inform how the corporate and business functions may be affected. It should also assist in planning for timing and anticipation of the overall expenses involved in post-acquisition integration. These costs are not insignificant and they should be thoroughly evaluated in the decision-making calculus.

Next is a five-step process on how to plan and execute a strategy to perform pre-acquisition due diligence in the M&A context.

  1. Establish a point of contact. Here you need to determine one point of contact that you can liaise with throughout the process. Typically, this would be the target’s Chief Compliance Officer (CCO) if the company is large enough to have full time position.
  2. Collect relevant documents. Obtain a detailed list of sales going back 3-5 years, broken out by country and, if possible, obtain a further breakdown by product and/or services; all Joint Venture (JV) contracts, due diligence on JVs and other third party business partners; the travel and entertainment records of the acquisition target company’s top sales personnel in high risk countries; internal audit reports and other relevant documents. You do not need to investigate de minimis sales amounts but focus your compliance due diligence inquiry on high sales volumes in high-risk countries. If the acquisition target company uses a sales model of third parties, obtain a complete list. It should be broken out by country and amount of commission paid. Review all underlying due diligence on these foreign business representatives, their contracts and how they were managed after the contract was executed; your focus should be on large commissions in high risk countries.
  3. Review the compliance and ethics mission and goals. Here you need to review the Code of Conduct or other foundational documents a target has to gain some insight into what they publicly espouse.
  4. Review the seven elements of an effective compliance program as listed below: 
  1. Oversight and operational structure of the compliance program. Here you should assess the role of board, CCO and if there is one, the compliance committee. Regarding the CCO, you need to look at their reporting and access - is it independent within the overall structure of the company? Also, what are the resources dedicated to the compliance program including a review of personnel, the budget and overall resources? Review high-risk geographic areas where your company and the acquisition target company do business. If there is overlap, seek out your own sales and operational people and ask them what compliance issues are prevalent in those geographic areas. If there are compliance issues that your company faces, then the target probably faces them as well.
  2. Policies/Procedures, Code of Conduct. In this analysis you should identify industry practices and legal standards that may exist for the target company. You need to review how the compliance policies and procedures were developed and determine the review cycles, if any. Lastly, you need to know how everything is distributed and what the enforcement mechanisms for compliance policies are. Additionally you need to validate, with Human Resources (HR), if there have been terminations or disciplines relating to compliance.
  3. Education, training and communication. Here you need to review the compliance training process, as it exists in the company, both the formal and the informal. You should ask questions, such as “What are the plans and schedules for compliance training?” Next determine if the training material itself is fit for its intended purpose, including both internal and external training for third parties. You should also evaluate the training delivery channels, for example is the compliance training delivered live, online, or through video? Finally, assess whether the company has updated their training based on changing of laws. You will need to interview the acquisition target company personnel responsible for its compliance program to garner a full understanding of how they view their program. Some of the discussions that you may wish to engage in include visiting with the target company’s General Counsel (GC), its Vice President (VP) of sales and head of internal audit regarding all corruption risks. You should also delve into the target’s compliance efforts, and any other corruption-related issues that may have surfaced.
  4. Monitoring and auditing. Under this section you need to review both the internal audit plan and methodology used regarding any compliance audits. A couple of key points are (1) is it consistent over a period of time and (2) what is the audit frequency? You should also try and judge whether the audit is truly independent or if there was manipulation by the business unit(s). You will need to review the travel and entertainment records of the acquisition target company’s top sales personnel in high-risk countries. You should retain a forensic auditing firm to assist you with this effort. Use the resources of your own company personnel to find out what is reasonable for travel and entertainment in the same high-risk countries which your company does business.
  5. Reporting. What is the company’s system for reporting violations or allegations of violations? Is the reporting system anonymous? From there you need to  turn to who does the investigations to determine how are they conducted? A key here, as well as something to keep in mind throughout the process, is the adequacy of record keeping by the target.
  6. Response to detected violations. This review is to determine management’s response to detected violations. What is the remediation that has occurred and what corrective action has been taken to prevent future, similar violations? Has there been any internal enforcement and discipline of compliance policies if there were violations? Lastly, what are the disclosure procedures to let the relevant regulatory or other authorities know about any violations and the responses thereto? Further, you may be required to self-disclose any FCPA violations that you discover. There may be other reporting issues in the M&A context such as any statutory obligations to disclose violations of any anti-bribery or anti-corruption laws in the jurisdiction(s) in question; what effect will disclosure have on the target’s value or the purchase price that your company is willing to offer?
  7. Enforcement Practices/Disciplinary Actions. Under this analysis, you need to see if there was any discipline delivered up to and including termination. If remedial measures were put in place, how were they distributed throughout the company and were they understood by employees?

5. Periodically evaluate the M&A review procedures’ effectiveness benchmarked against any legal proceedings, anti-corruption enforcement actions, Opinion Releases or other relevant information. 

Mike Volkov has noted there are multiple red flags which could be raised in this process, which would warrant further investigation. They include if the target has ineffective compliance program elements in their compliance program or if there were frequent breach of policies and procedures. Obviously, a target which is in financial difficulty would bear closer scrutiny. Structurally, if the company did not have a formal ethics and compliance committee at the senior management or Board of Directors level, this could present issues. From the CCO perspective, if the position did not have Board access, CEO access or if there were not regular reports to the Board, it could present an issue for compliance. Conversely if there were frequent requests to waive policies, management over-ride of compliance controls or no consistent consequence management for violations; it could present clear red flags for further investigation.

Three Key Takeaways

  1. The results of your pre-acquisition due diligence will inform your post-acquisition integration and remediation going forward.
  2. Periodically review your M&A due diligence protocol.
  3. If red flags appear in pre-acquisition due diligence, they should be cleared. 

This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at or check out

Oct 6, 2017

One of the clearest themes from the 2012 FCPA Guidance was around the importance of your pre-acquisition work in any merger or acquisition on a target company. In the section on Declinations, the 2012 FCPA Guidance provided an example of a company which had received a declination in large part because of its pre-acquisition work, which then served as a basis of its post-acquisition remediation. I find it appropriate to think of the process as a straight line, directly from the pre-acquisition phase through to closing and then to remediation, integration and self-reporting in the post-acquisition phase.

It should all begin with a preliminary pre-acquisition assessment of risk. Such an early assessment will inform the transaction research and evaluation phases. This could include an objective view of the risks faced and the level of risk exposure, such as best/worst case scenarios. A pre-acquisition risk assessment could also be used as a mechanism through which to view the feasibility of the business strategy and help to value the potential target.

The first step is to develop the risk assessment as a base document. From this document, you should be able to prepare a focused series of queries and requests to be obtained from the target company. Thereafter, company management can use this pre-acquisition risk assessment to attain what might be required in the way of integration, post-acquisition. It would also help to inform how the corporate and business functions may be affected. It should also assist in planning for timing and anticipation of the overall expenses involved in post-acquisition integration. These costs are not insignificant and they should be thoroughly evaluated in the decision-making calculus.

One of the difficulties in the pre-acquisition phase is that there is never enough time or resources to do all the assessment and analysis that you might desire. This means that if you do not have the time, resources or support to conduct a worldwide risk assessment, you must take a different approach. You might try assessing other areas through a more limited focused risk assessment. 

Some of the areas that such a pre-acquisition risk assessment could begin with an inquiry into the following areas: 

  • Are the target’s resources adequate to sustain a culture of compliance?
  • How are the compliance risks being addressed in the C-Suite and the Boardroom?
  • What are the compliance risks related to the supply chain?
  • How is risk being examined and due diligence performed at the vendor/agent level? How is such risk being managed?
  • Is the documentation adequate to support the compliance program for regulatory purposes?
  • Is culture, attitude (tone from the top), and knowledge measured?
  • Disciplinary guidelines – Do they exist, have they been publicized at the target and has anyone been terminated or disciplined for a violating policy?
  • Are escalation protocols appropriate? 

There are a variety of materials that you can review from or at a company that can facilitate such a Pre-acquisition Risk Assessment. You can review the target’s policies and written guidelines by reviewing anti-corruption compliance policies, guidelines, and procedures to ensure that compliance programs are tailored to address specific risks such as gifts, hospitality and entertainment, travel, political and charitable donations, and promotional activities. 

You could assess the target’s senior management support for the target’s compliance efforts through interviews of high-level personnel such as the CCO, CFO, General Counsel, Head of Sales, CEO and Board Audit or Compliance Committee members to assess “tone from the top”. You can examine resources dedicated to compliance and also seek to understand the compliance expectations that top management is communicating to its employee base. Finally, you can gauge operational responsibilities for compliance.           

Such a review would lead to the next level of assessment, which is how well does that target communicate about compliance within its organization and to key third-parties such as sales agents. You can do this by assessing compliance policy communication to company personnel but even more so by reviewing such materials as compliance training and certifications of employees and third-parties. You should also take consider statements by senior management of the target regarding compliance, such as actions relating to terminating employees who do business in compliance but do not make their quarterly, semi-annual or annual numbers set in budget projections. 

A key element of any best practices compliance program is internal and anonymous reporting. This means that you need to review mechanisms on reporting suspected compliance violations and then actions taken on any internal reports, including follow-ups to the reporting employees of the target. You should also assess whether those employees who are seeking guidance on compliance for their day-to-day business dealings are receiving not only adequate but timely responses. 

As there is no dispute that third parties represent the highest risk to most companies under the FCPA, as assessment of the target’s third party due diligence program is certainly something that should be a part of any pre-acquisition risk assessment. But more than simply a review of procedures for due diligence on third party intermediaries; there should be an assessment if there has been management of the third-party after the contract is signed. 

Another area for review in any pre-acquisition risk assessment is to consider the target’s employee commitment to its compliance regime. But just as you look at the carrots to achieve compliance, you should also look at the stick, in the form of disciplinary procedures for violations. This means you should see if there have been any disciplinary actions for employee compliance violations and then determine if such discipline has been applied uniformly.   

The pre-acquisition risk assessment can be a critical element in any M&A work for compliance. Use this opportunity to see where the target might stand on compliance. Your risk assessment can evolve as you obtain greater information. Finally use this pre-acquisition risk assessment as a base document to plan, resource and budget for your post-acquisition remediation, integration and reporting. 

Three Key Takeaways

  1. One never has enough time to engage in all the pre-acquisition review you might want to do, so optimize your time and resources.
  2. Consider what you can review to put together a preliminary risk assessment on the target.
  3. As with most compliance initiatives, you are only limited by your imagination so if you are limited in time and scope try something new and different.



This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to

Oct 5, 2017

As a general legal matter, when a company acquires another company, the successor company cannot be liable for the acquired company’s activities prior to acquisition. In FCPA jurisprudence, there is no case law precedent directly on point. However, the DOJ and SEC have commented extensively on “successor liability.” Opinion Release 03-01, from the DOJ first suggested that an acquiring company could be liable for pre-acquisition FCPA violations. In that case, an acquiring company determined a target had engaged in conduct which potentially violated the FCPA. The DOJ opined that if the acquirer halted the illegal conduct, extensively remediated, disciplined the offending officers and employees of the target and continued to provide information and cooperate with the government, the DOJ would not prosecute under the FCPA. 

In addition to 03-01, there are a few FCPA enforcement actions which suggest that if a company makes good faith efforts to conduct due diligence, integrate compliance programs and take extensive remedial actions by and if all that is done on a quick basis, the DOJ will give the acquiring entity strong credit. One of the best examples of this approach was the 2009 purchase by Pfizer of Wyeth. Pfizer could do limited due diligence before the acquisition but because both were massive organizations it was not possible to do complete due diligence prior to acquisition. After the acquisition, but within 180 days, Pfizer had identified much of the wrongdoing at Wyeth and halted it. Pfizer was not held criminally liable for any of the conduct at Wyeth. 

Most of what Pfizer was held responsible for in its DPA was because of a previous acquisition of Pharmacia, which they acquired in 2002 and 2003. At the time of the Pharmacia acquisition, purchasers did not typically conduct pre-acquisition due diligence on acquisition targets. And during the investigation most of the violations of FCPA for which Pfizer was held criminally liable; began prior to the acquisition of Pharmacia. Pfizer was held responsible for the misconduct at Pharmacia both before and afterwards. The Pfizer case is interesting because it shows both the sides of the equation.

In 2008, DOJ Opinion Release No. 08-02 provided additional information for a safe harbor for successor liability based upon a very specific fact scenario. The Opinion Release is known as the “the Halliburton Opinion Release.” In the Halliburton Opinion Release, the DOJ indicated that it would not take enforcement action based on specific circumstances that allowed for limited pre-acquisitions due diligence and aggressive post-acquisition schedule for a risk audit and disclosures to the government. Thereafter in the Johnson and Johnson and DSS DPAs, the DOJ further refined the requirements and time frames to obtain this safe harbor. 

The 2012 FCPA Guidance advanced the information for the compliance professional. It provided the clearest argument for a safe harbor to companies if companies invest reasonable effort in due diligence and post-acquisition compliance; they may well be able to avoid major liability. The DOJ and SEC noted, “in a significant number of instances, DOJ and SEC have declined to take action against companies that voluntarily disclosed and remediated conduct and cooperated with DOJ and SEC in the merger and acquisitions context.” Furthermore, DOJ and SEC provided that “a successor company’s voluntary disclosure, appropriate due diligence, and implementation of an effective compliance program may also decrease the likelihood of an enforcement action regarding an acquired company’s post-acquisition conduct when pre-acquisition due diligence is not possible.” 

The 2012 FCPA Guidance provided literally a roadmap for a Buyer to limit compliance risk in the mergers and acquisition context. It emphasized the importance of pre-acquisition due diligence and post-acquisition integration of compliance programs and internal controls. This type of integrated approach would reduce risk of future bribes and allow the purchaser and target to address potential violation(s) through negotiation of costs and responsibilities for investigation/remediation. Finally, and as with all effective compliance, it will assist the purchaser to accurately value the target company. 

In 2014, the DOJ issued Opinion Procedure Release 14-02 which provided further guidance on successor liability. This release reiterated the DOJ’s willingness to recognize a safe harbor where the acquiring company makes sufficient efforts to conduct due diligence and post-acquisition integration and concluded that acquisition of a company does not create FCPA liability where it did not exist before, such as for jurisdictional reasons. In the Release, the requesting company had acquired a company with significant anti-corruption compliance program deficiencies, including: lack of documentary records to support gifts to government officials or charitable donation, incomplete and inaccurate records for expenses, and lack of written compliance policies and procedures. 

Three Key Takeaways

  1. Opinion Release 03-01 was the first to provide a safe harbor concept in the M&A context.
  2. The Halliburton Opinion Release expanded the safe harbor concept to the situation where a company could not engage in substantive pre-acquisition due diligence.
  3. The 2012 FCPA Guidance brought together the various strands of a safe harbor position.


This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at or check out

Oct 4, 2017

Why should a company engage in pre-acquisition due diligence in the mergers and acquisition context? Certainly compliance with anti-corruption laws such as the FCPA or UK Bribery Act is a good starting point. However there are other reasons that were laid by Transparency International (TI) in, a White Paper entitled “Anti-Bribery Guidance for Transactions.” The TI White Paper suggests that there are greater forces driving compliance than simply compliance with anti-corruption and anti-bribery laws such as the Foreign Corrupt Practices Act (FCPA) and UK Bribery Act. A company engaging in an international acquisition should also strive to avoid the potential financial and reputational damage that may arise from investing in or purchasing a company associated with bribery or corruption.

Some of the specific consequences where investments are made in a company which has a history of bribery or corruption include.

  • Both the target company and the acquiring company may place themselves (and their respective Boards of Directors) at risk of criminal or civil fines and penalties.
  • The market value of the target company may be overstated and hence damage the overall financial position of an acquiring company. Conversely, such conduct may diminish the asset value and returns for a target company.
  • The business instability brought by such conduct. This can include aborted business deals where both sides work long and hard only to have the transaction fall apart near the end of the process.
  • The acquired business may not simply be dysfunctional but acquiring such a business may also introduce a culture into the acquiring company which will negatively impact it and bring about employee de-motivation.
  • Even if there are no individual criminal actions brought against target or acquiring company employees, there can be a long period of disruption due to lengthy and costly investigations and the attendant reputational damage.

There are several positive benefits from appropriate due diligence, including:

  • Management quality indicator which will assess the positive qualities of the target company, including the quality of the target’s management and its overall systems, including books and records. The evidence from due diligence of anti-corruption and anti-bribery programs is an indicator of overall management quality.
  • The mitigation benefits available if a bribery incident is discovered. Under the UK Bribery Act, if a company has “Adequate Procedures” it may have a defense to a claim of violation of the Act. Under the FCPA, evidence of a best practices compliance program can be used in mitigation of any alleged violation of the FCPA.
  • The reputational gain which an acquiring company may be able to gain with regulators or investors if it can show integrity and responsibility during the due diligence process.
  • Lastly an acquiring company can go a long way in meeting investor expectations in Environmental, Social and Governance (ESG) risks, which can include corruption and bribery, during M&A transactions.

To begin the process, the following should be actively explored:

  • Has bribery taken place historically?
  • Is it possible or likely that bribery is currently taking place?
  • If so, how widespread is it likely to be?
  • Does the target have in place an adequate anti-bribery program to prevent bribery?
  • What would the likely impact be if bribery, historical or current, were discovered after the transaction had completed?

Financial, legal or reputational risk can have a significant impact the valuation or a transaction or its desirability. The following potential impacts for a purchaser or investor of anti-corruption or anti-bribery risks during due diligence can be laid out visually in chart format, which is a useful way to think through and present your analysis.


Legal Risk

Financial Risk

Reputational Risk

Current bribery and/or corruption in target company discovered during transaction




Current bribery and/or corruption in acquired company discovered in post-transaction




Historical bribery and/or corruption discovered during transaction

High to low depending on jurisdiction

High to low depending on jurisdiction

Low to medium

Historical bribery and/or corruption in acquired company discovered post-transaction

High to medium depending on jurisdiction

High to medium depending on jurisdiction

High to medium

These factors provide the compliance practitioner strong ammunition when confronted with a management which fails to understand the need for a robust due diligence in a mergers and acquisition transaction. By not focusing on the regulatory aspects of M&A transactions but more on the market reasons for engaging in the appropriate due diligence, you can emphasize the business reasons for compliance.

Three Key Takeaways

  1. There are numerous legal and business reason to engage in anti-corruption due diligence in the M&A space.
  2. ESG can present significant corruption risks in emerging markets.
  3. Present your analysis in high, medium and low risk formats.


This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at or check out

Oct 3, 2017

In this episode, Matt Kelly and I take a deep dive into an article by Todd Haugh, in the most recent issue of the MIT Sloan Management Review entitled, “The Trouble With Corporate Compliance Programs that even best practices compliance program fail to take into account behavioral best practices and one important but too often overlooked key to strengthening both individual and overall corporate behavior is eliminating rationalizations. 

Haugh points to the Wells Fargo scandal which occurred in large part because of multiple rationalizations at multiple levels. At the employee level, they were pressured to violate both company policy and the law by their managers. At the senior management level the balance sheet rationalization came into play. Both of these led employees to “rationalize their conduct by denying responsibility and claiming relative normality.” 

We consider the steps Haugh recommends. The first was one of the most intriguing and it was for a company to employee a behavioral specialist to take current research and theory into practice in an organization. The second was to “use behavioral best practices to eliminate rationalizations.” The final suggestion is that companies should “use incentives to influence behavior in the right direction” by understanding how rationalizations come into play. Most interestingly Haugh believes that employee “praise and expressions of gratitude motivate more than money”. Think of the cost of a good word now and then or a pat on the back. 

The topic is a fascinating look at new insights for the compliance practitioner into how to motivate employees and make compliance more effective in an organization.

For more see Tom's blog post, The Fraud Triangle, Rationalizations and Compliance Programs. 

Oct 3, 2017

Today, I want to consider some of the key FCPA enforcement actions involving mergers and acquisition. These cases and the 2012 Guidance have made clear that Justice Department and SEC will vigorously prosecute companies which allow bribery and corruption to continue after a merger or purchase occurs. The key point to remember is that if a company was engaging in bribery and corruption before it was acquired and continues to do so after the transaction is completed, it is now you which is engaging in bribery and corruption, not them. 

Syncor International Corporation (2002)

Allegations- Cardinal Health, Inc. acquired Syncor International Corporation, a radiopharmaceutical company based in California. Between 1997 and 2002, Syncor’s Taiwanese subsidiary made improper commissions payments totaling $344,000, to physicians who were employed by state-owned hospitals to influence the doctors’ decision to buy Syncor products and services. Another $600,000 in corrupt payments were made through Syncor’s foreign subsidiaries in Mexico, Belgium, Luxembourg, and France. All payments were authorized by and with the knowledge and approval of Syncor’s Founder and Chairman.

Penalties-Syncor Taiwan Inc., a wholly owned subsidiary of Syncor International Corporation, pled guilty to substantive violations of the FCPA’s anti-bribery and books and records provisions, was sentenced to 3 years of supervised probation and ordered to pay a US $2 million fine. The company also agreed to pay a $500,000 civil penalty and to cease and desist in future violations and was required to retain an independent consultant to review and make recommendations concerning the company’s compliance policies and procedures. At the time, it was the largest penalty ever obtained by the SEC in an FCPA case.

Key Lessons Learned- This was the first time the DOJ charged a foreign company under the 1998 amendments, for taking acts place in the US (i.e., Chairman’s approval). Parent liability was established through the foreign subsidiary’s books and records and employees of a state-owned entity are instrumentalities of the government. This case also demonstrated how a government investigation can slow the closing of an acquisition as the acquisition by Cardinal Health was delayed until the investigation was concluded and agreements were struck with the DOJ and SEC. The acquirer brought Syncor for a lower price than originally negotiated. 

Titan Corporation (2005)

Allegations- This case involved the acquisition of Titan Corporation, by Lockheed Martin Corporation but perhaps most importantly, the acquisition ultimately failed. Titan employed a consultant and paid $3.5 million to a known business advisor of the President of Benin. Of the $3.5 million paid to the advisor, approximately $2 million were indirect contributions to the President’s re-election campaign. At the direction of a Titan senior officer, at least two payments of $500,000 each were wired from Titan’s bank account in San Diego, California, to the agent’s account in Monaco. The remaining payments were made to the agent in cash. Payments were characterized on Titan’s books and records as “social program payments” that were required by its contract with the government, the company also falsified documents to enable its agents to under-report local commission payments in Nepal, Bangladesh, and Sri Lanka. Finally, Titan falsely reported to the US government commission payments on equipment exported to Sri Lanka, France, and Japan.

Penalties- Titan pled guilty to substantive violations of the FCPA’s anti-bribery and books and records provisions, as well as a tax violation, was sentenced to 3 years of supervised probation and ordered to pay a $13 million fine. SEC alleged violations of the FCPA’s anti-bribery and books and records provisions. Titan agreed to pay the SEC and additional $15.5 million in disgorgement and prejudgment interest penalties and a $13 million penalty, which was satisfied by payment of the criminal fines. Titan was required to retain an independent consultant to review its compliance procedures and to adopt its recommendations. Finally, the SEC issued a 21(a) Report criticizing Titan’s proxy statement for incorporating what it deemed false FCPA representations and warranties. Most importantly for Titan, its acquisition by Lockheed-Martin ultimately failed.

Key Lessons Learned-some of the basic tenets of a compliance program were laid out in this enforcement action. They included: a company must conduct meaningful due diligence with respect to foreign agents and consultants and must ensure that the services alleged to be performed are provided. Internal controls must be designed to detect “red flags,” such as offshore payments and inconsistent invoices. From the M&A perspective, representations and warranties in a merger agreement must be accurate (or qualified) when included in a proxy statement. There can be a risk of additional prosecution under the International Traffic in Arms Regulations (ITAR) and possible suspension of export privileges, potential US and foreign tax exposure and possible contractor debarment issues by the Department of Defense. Ultimately and most importantly from the business perspective, the merger failed when Titan was unable to meet contractual agreement to settle with the US government by a certain time. 

Latin Node (2009)

Allegations-In June 2007, eLandia acquired Latin Node, which provided wholesale telecommunications services to several developing countries by leasing lines from local phone companies, in Latin America for $20 million. In August 2007, during a post-acquisition financial integration review, eLandia discovered evidence that Latin Node had paid approximately $2.25 million in bribes to Honduran and Yemeni government officials between March 2004 and June 2007. Subsequently, eLandia voluntarily reported the payments to DOJ, eventually paying a $2 million fine and placing Latin Node into bankruptcy and thereby losing its entire investment.

Penalties-Latin Node pled guilty to a one-count criminal information as part of a plea agreement with the government. Under the agreement, Latin Node agreed to pay a $2 million criminal fine, a $400 special assessment and agreed to continue its cooperation with the government. Four Latin Node executives were charged with criminal conduct for their actions. They were Jorge Granados, 54, the company's former CEO; Manuel Caceres, 64, a former vice president; and Juan Pablo Vasquez, the chief commercial officer; and Manual Salvoch, the company’s former CFO. All four pled guilty.

Key Lessons Learned-This was the first FCPA enforcement action based entirely on pre-acquisition conduct that was unknown to the buyer when the transaction closed. The purchaser’s entire $22+ million investment in Latin Node was wiped out due to inflated acquisition price of corrupt company and investigation costs. All of this demonstrated the need for rigorous pre-acquisition due diligence in addition to the post-acquisition integration. It also exposed individuals to the real possibility of jail time for their actions. 

There have been several M&A cases since these three but they set the model for the DOJ’s prosecution going forward. Every compliance practitioner should be aware of these cases and communicate to management that one of the most well settled areas of FCPA enforcement is around M&A. Simply put if you do not engage in appropriate pre-acquisition due diligence and there continues to be ongoing bribery and corruption after you acquire an entity, your company will bear the brunt of any prosecution.

Three Key Takeaways

  1. FCPA enforcement in the M&A space is one of the most well settled areas of enforcement.
  2. Failure to perform pre-acquisition due diligence can significantly devalue a purchased asset.
  3. Always remember that if bribery continues after an acquisition it is no longer them engaging in bribery and corruption but you who are engaging in bribery and corruption.

This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at or check out

Oct 2, 2017

Today, I begin a one month series on how to have a more effective compliance program involving business ventures. This will include the role of compliance in mergers and acquisitions, the role of compliance in joint venture agreement, distributorship, franchises as well as other forms of business relationships.

The 2012 FCPA Guidance makes clear that one of the ten hallmarks of an effective compliance program is around mergers and acquisitions (M&A), in both the pre-and post-acquisition context. A company that does not perform adequate due diligence prior to a merger or acquisition may face both legal and business risks. Perhaps, most commonly, inadequate due diligence can allow a course of bribery to continue - with all the attendant harms to a business’s profitability and reputation, as well as potential civil and criminal liability. In contrast, companies that conduct effective due diligence on their acquisition targets are able to evaluate more accurately each target’s value and negotiate for the costs of the bribery to be borne by the target. But, equally important is that if a company engages in the suggested actions, they will go a long way towards insulating, or at least lessening, the risk of FCPA liability going forward.

Nat Edmonds, in an interview in the Wall Street Journal (WSJ) entitled, “Former Justice Official: How to Buy Corrupt Companies” said “I think most companies and their outside counsel believe any potential corruption problem should stop a deal from occurring. Companies would be surprised to learn that neither the Securities and Exchanges Commission nor the DOJ takes that position. In many ways the SEC and DOJ encourage good companies with strong compliance programs to buy the companies engaged in improper conduct in order to help implement strong compliance in companies that have engaged in wrongful conduct. What companies must do and what outside counsel should advise them to do is to have a realistic perspective of what effect that corruption or potential improper payment has on the value of the deal itself. Because of the concern that any corruption would stop the deal or implicate the buyers, many times companies don’t look as thoroughly as they should at potential corruption. There is often concern that if you start to look for something you may find a problem and it could slow down or stop the whole deal.”

The 2012 FCPA Guidance was the first time that many compliance practitioners focused on the pre-acquisition phase of a transaction as part of a compliance regime. The DOJ and the SEC made clear the importance of this step. In addition to the above language, they cited to another example in the section on Declinations where the “DOJ and SEC declined to take enforcement action against a U.S. publicly held consumer products company in connection with its acquisition of a foreign company.” This action was based upon the following, “The company identified the potential improper payments to local government officials as part of its pre-acquisition due diligence and the company promptly developed a comprehensive plan to investigate, correct, and remediate any FCPA issues after acquisition.”

In a hypothetical, the 2012 FCPA Guidance provided some specific steps a company had taken in the pre-acquisition phase. These steps included, “(1) having its legal, accounting, and compliance departments review Foreign Company’s sales and financial data, its customer contracts, and its third-party and distributor agreements; (2) performing a risk-based analysis of Foreign Company’s customer base; (3) performing an audit of selected transactions engaged in by Foreign Company; and (4) engaging in discussions with Foreign Company’s general counsel, vice president of sales, and head of internal audit regarding all corruption risks, compliance efforts, and any other corruption-related issues that have surfaced at Foreign Company over the past ten years.”

The DOJ Evaluation of Corporate Compliance Programs also had some specific questions around M&A. Under Prong 11. Mergers and Acquisitions (M&A), the following topics were listed, including some specific questions. Under Due Diligence Process, the following questions were posed, Was the misconduct or the risk of misconduct identified during due diligence? Who conducted the risk review for the acquired/merged entities and how was it done? What has been the M&A due diligence process generally? Under the topic, Integration in the M&A Process, the following query was posed, How has the compliance function been integrated into the merger, acquisition, and integration process? Finally, under the line area of interesting, Process Connecting Due Diligence to Implementation, the following queries were posed, What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process? What has been the company’s process for implementing compliance policies and procedures at new entities? 

One of the key themes this month will be the integrated nature of compliance and business ventures. Whether the compliance work is seen in the mergers and acquisition context, joint venture context or one of the myriad of other business relationships of the current business world, there is an approach that a Chief Compliance Officer (CCO) or compliance professional should take to assess the risk, monitor the risk and then manage the risk with continued monitoring with a feedback of data and information into your risk management strategy.

Three Key Takeaways

  1. We will consider the role of compliance in a wide variety of business relationships, including mergers and acquisitions, joint venture agreements, distributorships, franchises as well as other forms of business relationships.
  2. Compliance for mergers and acquisitions should be seen as a unidimensional continuum.
  3. The Evaluation focuses on what data did your risk monitoring system turn up and how did you utilize it going forward.


This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at or check out

Oct 2, 2017

In this episode, I have a fascinating interview with David McLaughlin, founder and CEO of QuantaVerse, which has artificial intelligence and data analytics tools to help companies manage risk more effectively. We discuss the use of such tools and techniques for risk reduction solutions to provide insight into the details of your customer’s customers, which allows a company to not only identify bad actors but also aggressively fight financial crime, including fraud, bribery and corruption. We explore how this downstream approach would allow you to more effectively manage subcontractors to your company’s prime contractors. We consider how artificial Intelligence is transforming Internal audit investigations with technology; how it is enhancing compliance programs with predictive data analytics and how artificial intelligence can Help companies reduce FCPA risk. 

We conclude with a discussion how the use of AI can bring a more holistic approach to compliance as a business process rather than simply policies and procedures so that the end of the day a company is more profitable. The implications for the compliance profession are profound and these concepts will lead improvements on compliance efficiencies. 

For more information on QuantaVerse, check out their website,

Sep 28, 2017

While many compliance departments may have begun more as a command and control function, set up by lawyers to comply with anti-bribery laws such as the FCPA, UK Bribery Act or others; this type of leadership model is now becoming outmoded in today’s world. It is not that employees are interested in the ‘why’ they should do business ethically and in compliance with such laws but it is more that power is shifting inside corporations. In a HBR article, entitled “Understanding “New Power””, authors Jeremy Heimans and Henry Timms explore how leadership dynamics are changing and what companies might be able to do to harness them. I found them to have some excellent insights, which a CCO moving to CCO 2.0 or compliance practitioner might be able to garner for a compliance function. 

The authors begin by noting that ‘new power’ differs from ‘old power’ in a bi-lateral dimension of intersection. This intersection is between the models used to exercise power and the values which are now embraced. It is the understanding of this shift in power, which will facilitate the compliance function moving more to the forefront of a business integration role. The new power models are fourfold. Under sharing and shaping a company is much more integrated with its customers and supply chain. Second is funding which continues this integration by adding a vertical component of funding, whether equity positions or some other type of funding. Third is producing in which “participants go beyond supporting or sharing other people’s efforts and contribute their own.” Finally, there is co-ownership, which is the most decentralized, pushing participation down to the lowest or most basic levels. 

But beyond these new power systems, the authors believe that “a new set of values and beliefs is being forged. Power is not just flowing differently; people are feeling and thinking differently about it.” The authors call them “feedback loops” which “make visible the payoffs of peer-based collective action and endow people with a sense of power. In doing so, they strengthen norms around collaboration”. 

The authors lay out five new values. They include the area of governance where the authors note, “new power favors informal, networked approaches to governance and decision making.” Next is in the area of collaboration where the authors believe that this new power value rewards “those who share their own ideas, spread those of others, or build on existing ideas to make them even better.” The next new value is DIO or do it ourselves. Under this value, there is a “belief in amateur culture in arenas that used to be characterized by specialization and professionalization.” Next is transparency which, while not a new concept, says that more permanent transparency between business and social lives will lead to a “response in kind from our institutions and leaders who are challenged to rethink the way they engage with their constituencies” specifically including their employee base. The final new value identified by the authors is affiliation, which means that new and younger employees are less like to “forge decades-long relationships with institutions.” 

The authors have three prescriptions that I found could be useful for the CCO or compliance practitioner to incorporate into a mature and evolving compliance program moving forward. Compliance functions need to “engage in three essential tasks: (1) assess their place in a shifting power environment, (2) channel their harshest critic, and (3) develop a mobilization capacity. 

Assess where you are 

This prong is quite close to something compliance practitioners are comfortable with in their role, a risk assessment. However the authors suggest that the assessment be turned inward so you should assess the compliance function on this “new power compass—both where you are today and where you want to be in five years.” You can benchmark from other companies in responding to this query. Internally, you can begin this process with a conversation about new realities and how the compliance function should perform. More importantly such an assessment can help you identify the aspects of their core models and values that should not be changed. 

Incorporate business unit interests 

The authors note, “Today, the wisest organizations will be those engaging in the most painfully honest conversations, inside and outside, about their impact.” However, I think this question should be asked first by the CCO or compliance practitioner. For it is not only what you are doing to work with your business units but more importantly what are you doing to incorporate their concerns and suggestions into your compliance regime. If you are going to ask the business unit to be a significant partner or better yet be your business partner, you will need to have a mechanism in place to engage your business unit so there can be an inflow of input before the compliance function has an output of requirements. As the authors write, “This level of introspection has to precede any investment in any new power mechanisms” to which I would add any successful compliance function. 

Mobilize your capacity 

Here I suggest you consider contracted third parties and other third parties such as joint venture (JV) partners as an avenue through which the compliance function can bring greater benefits to an organization. Compliance expert Mary Jones, the former  Global Industries Director of Compliance, often discusses her training of the company’s third parties and how thankful they were that when she would personally travel to their locations and put on in-person training. Her efforts to travel to their locations, spend the money required to do so not only directly strengthened Global Industries’ compliance function but created allies for her efforts by giving these suppliers the information and training they needed to comply with their customers requirements. By reaching out in this manner, Global Industries used its contracted third party suppliers to create a stronger company compliance program. 

As the anti-corruption compliance profession matures, it will become more a component of a company’s business function. This means less of a lawyer’s top down mentality of do it because I said to do it, to more collaboration. 

Three Key Takeaways

  1. The lawyer driven command and control method for compliance is outmoded and outdated.
  2. Innovation in compliance leadership is recognizing the bi-lateral nature of power and communications in an organization.
  3. A feedback loop can be used in the leadership function as well. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to

Sep 27, 2017

Now consider the use of video to assist ongoing communications in a best practices compliance program. It has certainly been proven that social video can boost your company’s brand awareness and its sales. Why not consider using video to boost your compliance functions brand awareness and help spread the message of your corporate values and ethos. In an article in Inc., entitled “Everything You Need to Know About Creating Videos for Your Business (Even If You Have No Video Experience)”, it reported that Facebook now generates an “average of eight billion video views per day and YouTube reaches more 18- to 49-year olds than any cable network in the U.S.” Why not take advantage of this natural tendency to produce compliance focused content that would engage your compliance customer base – your employees. 

The article provides three short guidelines to consider which are equally valid for considering communications from the compliance function. The first is to have a plan around what you want to do. This includes not only your script but also your budget. It does not have to a large high dollar production. You can shoot a video in your office, literally using your iPhone if that are all the resources you can muster. I recently attended the tech conference Collision 2017 and in the press area, there was a set up for interviews using iPhones. At the 2016 SCCE Compliance and Ethics Institute, Kortney Nordrum recorded Roy Snell and myself for a live session of our Unfair and Unbalanced podcast using an iPhone. 

Another resource is your corporate media function. A great example was a CenterPoint Energy video put out in 2015 after the Volkswagen (VW) emissions-testing scandal become public. The video featured Scott Prochazka, CenterPoint Energy President and Chief Executive Officer (CEO). He used the VW scandal to proactively address culture and values at the company and used the entire scenario as an opportunity to promote integrity in the workplace. But more than simply a one-time video, the company followed up with a with an additional resource, entitled “Manager’s Toolkit – “What does Integrity mean to you?””, which managers used to facilitate discussions and ongoing communications with employees around the company’s ethics and compliance programs. The cost for the video was quite reasonable as it was produced internally. 

This CenterPoint Energy example brings up another key point which is timing. Just as many CCOs used the New York Times’ breaking story on Wal-Mart’s alleged FCPA violations in Mexico back in 2012 as an opportunity to brief senior management on what can happen when your company appears on the front page of a Sunday NYT edition for FCPA violations; CenterPoint Energy used the VW emissions-testing scandal as an opportunity to not only reaffirm its own corporate values but also engage in ongoing communications. 

Another key element is also built around time and it is that “short videos are good videos”. You can have a series of short videos communicating different aspects of your compliance program. It can range from short messages from your CEO, to videos of your CCO to videos of employees. Employees will always tune in when senior management speaks to them internally through a video. They want to hear from the President and a message of commitment to the culture values of doing business ethically and in compliance is always a message that will resonate with employees. 

Also consider having employees in short discussions on how they may have overcome compliance challenges. Celebrate these events but do not forget their power to educate and inspire other employees. Such techniques can give your employees a peek behind the curtain, not to show the wizard has no clothes but because it makes your internal compliance function seem more authentic. 

What are some of the venues you can utilize for these videos? Of course internal channels are appropriate to use. If you have an internal Twitter like function, you can post short videos that can be posted and reposted multiple times per day. If you have a tech savvy, media-friendly company you might consider an Instagram type approach, combining videos and pictures. Finally, do not forget the power of YouTube. It is one of the largest search engines behind Google and the prime location for video watching by the vast majority of folks these days.  

Finally, never forget that one of the key factors listed in the Morgan Stanley Declination to Prosecute was 35 compliance reminders provided to their recalcitrant FCPA violating Managing Director Garth Peterson over seven years. These types of videos can certainly be used in a variety of ways, including as a legal defense to any FCPA investigation. 

Three Key Takeaways

  1. Use all the tools available to you to communicate the message of compliance.
  2. Use current events as starting points to discuss your corporate values.
  3. Do not forget the Morgan Stanley declination and 35 compliance reminders. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to

Sep 26, 2017

How do you tap into your largest resource of innovation for your compliance program, which  is of course your employee base? That topic was explored in an article in the MIT Sloan Management Review, “How to Catalyze Innovation In Your Organization” by Michael Arena, Rob Cross, Jonathan Sims and Mary Uhl-Bien. This article posits that companies can “fuel the emergence of new ideas by understanding and tapping the power of employee networks.” 

The tenets and concepts the authors articulated provided several useful insights for a CCO or compliance professional. The first was that “companies need to create context that allows people, ideas and information to flow across different groups.” The second identifies a group of employees who operate as brokers and they create “bridges between groups” within a company. These brokers should work with “central connectors, who are well-connected in one subgroup” to form a powerful network. Finally, “when facing a problem, innovators should engage their network early on.” 

Interestingly, as with the ever-dwindling myth of the rogue employee in FCPA enforcement, the authors note, “Tales of a lone inventor with a blinding insight are unhelpful myths when it comes to corporate innovation. Successful service, product, or process innovations within large, complex organizations are very much a social phenomenon.” A successful CCO will know that they need to leverage employee networks for both innovation and communications of compliance initiatives. 

The authors key insight was their three divisions of social networking within an organization. They believe “A key to catalyzing emergent innovation is identifying and positioning innovators within an organization.” Moreover, it is the use of these networks which can move innovation back up to the top of an organization and communications down through a company as well. 


Brokers are the group of employees which build bridges from one group to another within and outside an organization. This allows them to act as critical channels of information and ideas. Brokers offer three competitive advantages: broader access to diverse information, early access to new information, and control over the diffusion of the information. Yet more than simply acting as conduits, “Brokers facilitate this discovery process through their social connections and then determine how and when these insights can be introduced to other parts of the organization. The creation of adaptive space enables brokers to more actively connect and navigate beyond their local subgroups to explore new possibilities.” 

Central Connectors 

The second group is “central connectors” who provide group cohesion for implementation of innovation and communications going forward. The authors stated, “Group cohesion represents how connected individuals are to one another within a group. A group is considered cohesive when many redundant connections exist among group members. That is, the likelihood of any individual within the group being connected to any other individual within the group is high. As a result, cohesive groups can quickly share information and generally operate with high levels of trust.” These central connectors can take an idea and move it into more disparate groups to diffuse both ideas and communications; in short it is often these central connectors who will drive an innovation to success. 

While some industries and companies resist rotation for a CCO or compliance profession, it would appear the better practice is to use rotation as a catalyst for innovation and change. The authors noted one example where employees were moved between projects every three years or so which allowed knowledge to flow around more readily. The authors concluded that the company had “provided the space that enabled an active interplay between brokers and connectors.” 


The final group identified by the authors are the “engergizers” who can work to “trigger the interest and engagement of others and unleash the passion necessary for bold innovations to advance.” The authors believe that many factors can drive this including “Network energy, or enthusiasm, drives diffusion, co-creation, and active engagement across the larger organization.” The energizers challenge those within a company to “think more boldly than they would within their own subgroups and creates a contagious mindset as the innovation progresses.” Finally, “Energizers are able to fully engage in interactions, inspiring others to devote more time and energy to an initiative. The reputation of an energizer spreads quickly across the network, attracting others to aggregate multiple ideas into bolder, integrated concepts that are more likely to succeed. Energizers connect with individuals who have different expertise or backgrounds. These differences can be embraced as elements essential to the creation of bolder innovation.” 

Through these three differentiated groups, there are five steps around innovation for the CCO to consider going forward. 

  1. Tap into adjacent expertise and a broad network early in problem-solving.Almost universally, more successful innovators did not immediately solve a problem they were given as “they were likely to ask questions and engage their network early to help them think about the problem differently and to find people with tangentially relevant expertise who might give them a different perspective on the solution.”
  2. Make early interactions beneficial to others. Innovators, drew ideas to and from others, not fostering off their vision on their co-workers. This is directly attributable to sharing and exchanging as a more collegial approach.
  3. Spread ownership of the idea and seek feedback.This is the point which lays bare the myth of the lone innovator working in a closeted office. Indeed, the authors noted, “among our interviewees, trying to develop an idea in isolation until it was seen as bulletproof was a sure recipe for failure. The more successful innovators made decisions on whom to include and how to run initial meetings in ways that shaped both the innovation and the network.”
  4. Develop a prototype early.While the authors admonish to “Be open in process” they suggest strongly that you “insist on pushing to a prototype as early as possible.” It is because, “Early prototypes provide proof of concept. But even more important is that a working prototype dramatically changes the nature of the conversation and engagement with the network.”
  5. Communicate the early-stage solution and then iterate with the network. The authors noted, “As more stakeholders and end users give input, ensure that your team is prepared to make incremental changes, test, and adapt quickly.” 

There are always pockets and groups within an organization which resist change. Often this is one of the CCOs most difficult task. Yet the authors have laid out a clear path to overcoming such resistance and it is equally applicable to moving compliance communications through an organization. By using central connectors and energizers, a CCO, the broker, can get the message of compliance moved faster, in a more complete and enthusiastic manner. Finally, this will go quite a long way towards operationalizing your compliance regime. 

Three Key Takeaways

  1. Employees can be the greatest advocates for your compliance program.
  2. Employee engagement is one of the most direct and cost effective ways to operationalize your compliance regime.
  3. Use the five-step approach to facilitate greater employee engagement in compliance. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to

Sep 25, 2017

Much has been written on hiring a new CCO. As with the hiring of other senior executives, such as a CEO or CFO, there can be specific questions about challenges the candidate has faced in prior engagements. For the CCO position having one who has literally been through the wars, usually in the form of an extensive Foreign Corrupt Practices Act (FCPA) investigation or enforcement action, is a critical inquiry. In most instances, Boards will want a candidate who can lead the company through the situation currently faced. 

But what about hiring at a level below the CCO? Most companies take the best athlete approach, hiring the most well rounded candidate with a varied background. However an article in the Harvard Business Review (HBR) Idea Watch column, entitled “When Hiring Execs, Context Matters Most”, reported on a new CEB study which “suggests that companies will be more successful if they consider the particular leadership context when hiring for every level. Instead of taking on generalists trained to meet any management test, the researchers say, firms should use an assessment system that identifies candidates whose personality attributes and experience are custom-tailored to the contextual challenges of the position.” 

Basically, CEB came up with a quantitative approach, looking at 27 different contexts around projects, challenges and issues. From this list they, “assessed leaders’ personality attributes, tracked relevant experience, and solicited opinions about behavior, performance, and effectiveness from supervisors and direct reports.” The research team “also coded 60 variables that inform context, such as whether the job involves a high degree of uncertainty, requires managing a geographically dispersed team, or calls for cost cutting.” From this they ran data analytics and “worked to understand why some leaders succeeded while others underperformed, the biggest factor that emerged was how well a leader’s personality, skills, and experience meshed with the specific challenges of the job.” 

Some of the challenges which included the following areas are well familiar to the compliance practitioner: leading global or cross-cultural teams; transforming a high-conflict culture; leading an organization through a merger or acquisition, operating a corporate function with high resource constraints; growing through innovation; growing the function through cost competitiveness; and managing a broad portfolio of products and services. 

The bottom line is that the more challenges a leader will face, the more difficult their job will become and the success rate will inevitably drop. Yet the article suggests that the context of experience may well be a key indicator. But it moves beyond simply hiring, noting “For example, if success in a leadership role is context-specific, and if the context is apt to change quickly in a fast-moving business environment, firms might need to move leaders in and out of roles quickly. Awareness of contextual challenges can also change the way a company approaches development.” Jean Martin of CEB was quoted “Once you recognize how well-suited leaders are to the context in which they’re about to be placed, you can use that information to drive much more specific investments in development and find ways to coach people to account for the greatest areas of mismatch.” 

This approach also allows you to get to the granular level of team projects. The article said that companies could use such techniques to “revise responsibilities, streamline goals and objectives or try and solve a particular problem”. A company could also use this method to consider its internal bench strength, focusing on who could assist the compliance function in rolling out a new initiative or even a new compliance innovation. The piece ended with a few thoughts on the best athlete approach. It suggested a term called ““spiky,” meaning that they excelled at a few specific capabilities but were not above average in all. “Chasing managerial agility instead of allowing for specialization is ineffective,” the researchers concluded.” 

HBR also included an interview with a company which had utilized this analytical approach, Adecco Group, a Zurich based workforce solutions entity. The company’s global head of talent strategy and development, Courtney Abraham, was interviewed. As much as they tried the company inevitably fell back on a non-analytical approach; i.e. using intuition in the hiring process. Mostly, Abraham felt such an approach did not deliver consistent results. 

While Adecco did not use the full 27 context approach suggested in the CEB study, they did develop its own 6 “most important challenges some will face in a new role and compare them to candidate’s skills, competencies, motivations and runaways.” This allowed the decision to move away from the gut level to one of a “shared language” among those evaluating the talent. 

An interesting side effect and one not expected by Adecco was that the data often led to an internal candidate who was not “next in line” for a promotion. It allowed internal promotion with “eyes wide open” to a candidate’s strengths and areas where they needed additional development. It also has implications for development as employees have a better understanding of their weaknesses and what gaps they may need to fill. Abraham stated, “we can use onboarding and development to actively coach and support them.” Internal hires bring the benefit of having already bought into and have been a part of the company culture and “they understand our business, the people and the competitive landscape.” 

The use of data can help a compliance professional identify internal candidates to move a corporate compliance program forward. This can also give a company a boost by bringing non-compliance professionals into the compliance realm which will allow them to more fully operationalize compliance if they return to a more traditional business unit role. 

Three Key Takeaways

  1. Develop the criteria of challenges your CCO and compliance team will face and incorporate that into your hiring analysis.
  2. Consider bringing non-compliance professionals into your compliance function using the same hiring techniques.
  3. Build your compliance bench strength on a project by project basis using the same techniques. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to

Sep 22, 2017

Innovation can come in various forms for an organization. Innovation can appear in a structural form. You can move compliance more deeply into your organization with new or different structures. One I have seen have success is a compliance committee more closely tied to the geographic market in the field, or the Regional Compliance Committee. 

Two of the most common compliance focused committees are those at the Board level and those which sit between the CCO and the Board, usually consisting of senior executives such as members of a company’s executive leadership team. However, a Regional Compliance Committee can will help the corporate compliance function to more effectively ensure employee and business partner engagement with compliance by integrating compliance into every aspect of functions and generating the necessary information to continuously improve the overall compliance function. A Regional Compliance Committee can also operate on multiple planes to fully operationalize compliance in a company, augment the internal controls and make the company a more efficient and profitable entity. 


Most companies have a Board Committee dedicated to ethics and compliance or something like a Board Audit Committee which the CCO will report into. Once again, there are many companies with senior executives populating another level of oversight with a compliance committee between the CCO and the Board. A Regional Compliance Committee, formed at the regional level, helps to create more direct ownership, accountability, and valuable transparency.  This moves compliance down into all levels of a company’s operations.  This approach also significantly improves the consistency of compliance execution, and helps to ensure that all of business objectives are achieved in a legally compliant fashion. A Regional Compliance Committee does not have primary responsibility for internal investigations but is charged with reporting any known compliance issues to the CCO. 

A Regional Compliance Committee can provide clear and frequent compliance-related communication on related matters throughout the region, strengthening a company’s compliance culture.  It allows compliance topics to be more thoroughly discussed at regularly occurring operations meetings. A Regional Compliance Committee can have communication structures designed to facilitate communication up the chain and down the chain. This allows a CCO to have a more direct set of eyes and ears closer to the ground. Finally, the Committees give the compliance function greater visibility within the organization because compliance has been moved further into the middle and lower levels of the organization on a daily basis. 


One of the key elements of the Committees are their makeup, which is market centric. A Regional Compliance Committee should include some or all of the following: (a) the Vice President of the region; (b) the regional Ethics and Compliance Director; (c) the regional Legal and Compliance Director; (d) the regional HR Director; (e) the regional Finance Director; (f) the regional Trade Compliance Director; (g) the regional Supply Chain Director; (g) the regional Sales Director and (h) senior representatives of Operations in the market. This composition of the Regional Compliance Committee, coupled with their structures, allow compliance to be fully operationalized into the Company’s global organization.   

Authority and Responsibility 

There are multiple possible responsibilities for a Regional Compliance Committee. Some of these possible responsibilities include: 

  • Assisting in identifying not only potential compliance risks in the region but also reputational risks to the organization.
  • Establishment of goals and metrics to measure against these compliance goals in the region.
  • Exercising oversight of the implementation and effectiveness of the company’s global compliance program in the region.
  • Reviewing and monitoring implementation of Code of Conduct in the region and assisting in the identification of best practices, alternative strategies and local initiatives to enhance the compliance program.
  • Assuring to the CCO and the senior leaders of operations that compliance goals and requirements are both established and communicated across the organization.
  • Advice management of its assessment of the compliance program, ethics and compliance risks in the region and steps taken to both manage and lessen such risks.
  • Reviewing the company’s helpline complaints and other information to assure the region that appropriate steps are taken to modify the compliance program to reduce identified ethics and compliance risks. 

The innovation represented by the formation of a Regional Compliance Committee operationalizes compliance into a company’s operations where the business operates. This sort of approach follows the Department of Justice mandate, articulated in the Department’s Evaluation of Corporate Compliance Programs for companies to move the doing of compliance down into the business of the organization, or operationalize compliance. The make-up of a Regional Compliance Committee, while including compliance representatives, is also populated by representatives from other disciplines within the global organization. This allows a fuller, richer and more holistic approach to not only compliance advice. 

It adds a dimension not often seen or even discussed in the compliance profession. The accountability and oversight down to the regional level and the compliance monitoring, reviewing, assessing and recommending that is deemed to be necessary will provide additional endorsements up through the organization that it is actually doing compliance. In compliance, it is execution where the rubber meets the road. A Regional Compliance Committee can provide your compliance program a unique structure to perform these functions. 

Three Key Takeaways

  1. Innovation can occur in structural changes to your organization.
  2. A Regional Compliance Committee puts compliance closer to the ground in geographic regions outside the US.
  3. A Regional Compliance Committee facilitates execution in your compliance program. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to

Sep 21, 2017

Another innovation is to put your compliance program at the center of corporate strategy. An article in the Harvard Business Review (HBR) by Frank Cespedes, entitled “Putting Sales at the Center of Strategy”, discussed how to connect management’s new sales plans with the “field realities.” Referencing the well-known Sam Waltonism that “There ain’t many customers at headquarters”; Cespedes believes that “If you and your team can’t make the crucial connections between strategy and sales, then no matter how much you invest in social media or worry about disruptive innovations, you may end up pressing for better execution when you actually need a better strategy or changing strategic direction when you should be focusing on the basics in the field.” 

This can be a critical problem when operationalizing compliance because operationalizing compliance is usually perceived as a top-down exercise. The reality that the employee base that must execute the compliance strategy is not often considered. Even when there are comments from employees on compliance initiatives they are often derisively characterized as ‘push-back’ and not considered in moving the compliance effort forward. 

Communicate the Strategy 

It can be difficult for an employee base to implement a strategy that they do not understand. Even with a companywide training rollout, followed by “a string of e-mails from headquarters and periodic reports back on results. There are too few communications, and most are one-way; the root causes of underperformance are often hidden from both groups.” Here Cespedes’ insight is that clarification is a leadership responsibility and in the compliance function that means the Chief Compliance Officer (CCO) or other senior compliance practitioner. Moreover, if the problem is that employees do not understand how to function within the parameters of the compliance program, then there is a training problem and that is the fault of the compliance department. I once was subjected to a PowerPoint of 268 slides, which lasted 7.5 hours, about my company’s compliance regime. To say this was worse than useless was accurate. The business guys were all generally asleep one hour into the presentation as we went through the intricacies of the books and records citations to the FCPA. The training was a failure but it was not the fault of the attendees. If your own employees do not understand your compliance program that is your fault. 

Continually improve your compliance productivity 

Why not do the incentivize productivity around compliance? Work with your Human Resources (HR) department to come up with appropriate financial incentives. Many companies have ad hoc financial awards, which they present to employees to celebrate and honor outstanding efforts. Why not give out something like that around doing business in compliance? Does your company have, as a component of its bonus compensation plan, a part dedicated to compliance and ethics? If so, how is this component measured and then administered? There is very little in the corporate world that an employee notices more than what goes into the calculation of their bonuses. HR can, and should, facilitate this process by setting expectations early in the year and then following through when annual bonuses are released. With the assistance of HR, such a bonus can send a powerful message to employees regarding the seriousness with which compliance is taken at the company. There is nothing like putting your money where your mouth is for people to stand up and take notice.  

Improve the human element in your compliance program 

This is another area where HR can help the compliance program. More than ongoing assessment of employees for promotion into leadership positions, here HR can assist on the ground floor. HR can take the lead in asking questions around compliance and ethics in the interview process. Studies have suggested that certainly Gen Y & Xers appreciate such inquiries and want to work for companies that make such business ethics a part of the discussion. By having the discussion during the interview process, you can not only set expectations but you can also begin the training process on compliance. 

However, this approach should not end when an employee is hired. HR can also assist your compliance efforts by tracking employees through their company career to identify those who perform high in any compliance metric. This can also facilitate the delivery on more focused compliance training to those who may need it because of changes on compliance risks during their careers. 

Make your compliance strategy relevant 

Cespedes notes, “Most C-suite executives know these value-creation levers, but too few understand and operationalize the sales factors that affect them.” In the sales world, this can translate into a reduction in assets to underperforming activities. This is all well and good but such actions must be coupled with an understanding of why sales might be underperforming in certain areas. In the compliance realm, this translates into two concepts, ongoing monitoring and risk assessment. Ongoing monitoring can allow you to move from a simple prevent mode to a more prescriptive mode; where you can uncover violations of your company’s compliance program before they become full blown FCPA violations. By using a risk assessment, you can take the temperature of where and how your company is doing business and determine if new products or service offerings increase your compliance risks. 

Above all, you need to get out and tell the compliance story. Louis D’Amrosio was quoted for the following, “You have to repeat something at least 10 times for an organization to fully internalize it.” If there is a disconnect between your compliance strategy and how your employee base is implementing or even interpreting that strategy, get out of the office and go out to the field. But you need to do more than simply talk you also need to listen. By doing so, can help to align your company’s compliance strategy with both the delivery and in the field. 

Three Key Takeaways

  1. Communicate your strategy and improve the human element in compliance.
  2. Continually improve your compliance productivity.
  3. Make compliance relevant to the business. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to

Sep 20, 2017

How can you change the perceptions around compliance in your organization? With the Justice Department requirement, set out in the Evaluation of Corporate Compliance Programs, to more fully operationalize your compliance program, do you as a CCO struggle with operations buy-in? I thought about those questions and others when I read an article in the MIT Sloan Management Review, entitled “Learning the Art of Business Improvisation, by Edivandro Carlos Conforto, Eric Rebentisch, and Daniel Amaral. In this article the authors explore the issue of improvisation and write that while it “may seem to be spontaneous, but managers can foster it in innovation projects through the deliberate development of certain processes and capabilities.” For what improvisation really comes down to is the ability to “create and implement a new or unplanned solution in the face of an unexpected problem or change.” 

Compliance is certainly one area that requires such flexibility because of the ever-changing business conditions that exist in today’s multinational organizations subject to the Foreign Corrupt Practices Act (FCPA). Novartis announced its South Korean subsidiary was under criminal investigation for allegations of paying bribes to physicians, this less than 60 days after agreeing to a FCPA enforcement action which involved payment of a $25 million dollar fine for the actions of its Chinese subsidiaries. 

Whether deliberately or not, compliance must improvise. Such compliance “Improvisation can foster problem solving, creativity, and innovation, and it is becoming a requirement for many organizations. Although improvisation might seem to be spontaneous and intuitive, to do it well requires the development of disciplined and deliberate processes and capabilities. Managers working in dynamic, fast-paced, and highly innovative project environments should develop and refine capabilities in these three areas to create a project environment that will enhance a team’s improvisation competencies - ultimately with an eye toward improving project results and innovation.”

There are three general areas which a company can improve upon to help advance its abilities to adapt and change. They are (1) Build a culture that recognizes and views changes positively. (2) Create the right team structure and project environment. (3) Provide management practices and tools that facilitate improvisation. 

Under this first prong, innovation can come from teams that have a “positive attitude toward dealing with and accepting ambiguity and project changes.” Not surprisingly, this does not come from top down leadership but allowing “higher level of autonomy in making decisions.” Further, the farther out from the corporate office, the more “teams should be empowered to make decisions locally, be informed about and willing” to take make changes and provide enhanced compliance risk management, and not overly fear potential failure. 

Clearly the ability to make changes requires a robust compliance regime to begin with. However, having such a system in place, particularly through internal controls, allows a compliance department to “help them to reduce uncertainty more quickly and effectively learn from their experiences. Teams equipped with a broad array of tools and techniques can use them to respond to different types of challenges. The focus should be on helping teams anticipate and recognize changing circumstances and make more rapid and accurate decisions.” 

The second prong ably demonstrates that a key to making improvisation work is that you have good communication between the compliance function and business unit. This is not a new concept and communications runs two ways. If the business unit sees the Chief Compliance Officer (CCO) as Dr. No from the Land of No, they will not likely be calling for assistance. Yet compliance does not always know what business opportunities arise without that information so they cannot craft appropriate risk management solutions. Weekly interactions between leaders and key stakeholders are good first step. 

Perhaps counter-intuitively, the authors also note that smaller teams appear to have more and better success. The “greater levels of improvisation in smaller teams that displayed more self-directing and self-organizing characteristics, such as being responsible for monitoring and updating the status of their activities and deliverables.” This can allow the compliance department to play a key oversight and support role “on the aggregated information and on more strategic issues related to the project.” 

Under the final prong, it is shown that “teams with greater improvisation characteristics were more likely to use agile management approaches, techniques, and tools. In fact, teams that embraced an agile approach were nine times more likely to have high levels of improvisation compared with teams that used a more traditional (waterfall) approach.” This means that not only will a command and control structure not be able to move as quickly and efficiently but also you need to operate at a level of sophistication beyond simply spreadsheets. 

Moreover, “The agile methods we observed in the teams with higher levels of improvisation included iterative development, supported by recurring delivery of higher-value deliverables; constant interactions between stakeholders and the project team; the use of visual tools to collaboratively manage the project with team members; and active involvement with the client and/or user in the development process.” 

The ability to be agile is an important component of any best practices compliance program. The need to respond to business changes is always paramount. Yet there is no end to the variety of corrupt schemes engaged in by company employees. The Novartis matter in South Korea allegedly involved bribery through excessive payments for articles published in medical journals. Just as the bribery and corruption scandals involving GlaxoSmithKline PLC (GSK) and others in China demonstrate new and creative ways to put pots of money together to pay bribes, the Novartis issues may show another area that bears compliance scrutiny. A compliance function must be ready to adapt.   

Three Key Takeaways

  1. Whether deliberately or not, compliance must improvise.
  2. Improvisation may seem spontaneous, but managers can foster it in innovation projects through the deliberate development of certain processes and capabilities
  3. Work to have the changes seen as a positive in your organization. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to

Sep 19, 2017

I welcome you to a new series entitled Compliance Man Goes Global podcast of Compliance Report-International Edition. I am joined by Tim Khasanov-Batirov, a compliance practitioner who focuses on high risk markets for 17 years. In each podcast, we take two typical concepts or more-probably misconceptions from in-house compliance conventional wisdom. We check out if these concepts work in emerging jurisdictions. For each podcast, we divide roles with one of us advocating the particular concept identifying pros; the other will provide arguments finding cons. Tim will conclude each concept with some practical solutions for in-house compliance practitioners for high-risk emerging markets.

Today we explore the following two concepts:

Corporate Concept #1. We have detailed policies in the HQ. We deployed those policies at our subs located in emerging markets. We will be just fine.  

Corporate Concept #2. If there is a compliance person located at high risk market we could significantly mitigate our corporate compliance risks.

Sep 19, 2017

If it is not clear already this month, innovation does not simply come from a technical or even service perspective but can improve your compliance program from a wide variety of perspectives. We have considered a variety of issues related to innovation. Now we consider how you think through a compliance related issue as an innovation. 

Every compliance practitioner recognizes the prevent, find and fix tripartite approach to compliance. Many compliance practitioners believe that if you can move your program from one focused on detection to one focused on prevention, you have not only a more robust program but also one which is more fully operationalized as it would be closer to the ground and the front lines of employees. 

Data and its analysis can be used in both approaches. Further data can be used in both approaches for multiple approaches to doing compliance. It can be used to simply stop behavior. However, data and data analytics can be used to further training, education and communication around compliance. The question becomes, which is better: real-time monitoring or right-time monitoring? 

Consider the critique that monitoring of gifts, travel and entertainment (GTE) is always going to be 30-60 days behind the actual real-time event because it will take an employee 30 days to input their expenses into the system, have a supervisor approve it, and it goes to accounts payable for input. Does such a critique defeat a best practices compliance program which is dedicated to moving from simply a detect prong to a prevent prong? 

However, an innovation can occur from how you consider the problem. So instead of a real-time review focus, consider a ‘right-time’ review focus. Patrick Taylor, President and CEO of Oversight Systems says the way to think through the issue is “What is the right time for the analysis?” He detailed the situation where your company has a corporate card program, or you use a corporate credit card. Through those mechanisms, you should be able to access those feeds every day from your card vendor, from your bank or card issuer. If you had that quantum and quality of information, there might well be certain things worth looking for. The classic example might be somebody spends some money at an adult entertainment establishment that masquerades as a restaurant because I may want to reprimand that employee or that behavior immediately. 

Yet if your company uses an expense reporting system like a Concur or Pro River; the expenses can be previewed while they are in process; that is, before they are paid by your organization. It might be perhaps even before the employee’s manager approves the expenses. There could be a rash of information and data to look for at that time to give the manager a heads up to take a bit of a deeper dive into the expense report.           

Finally, there are some GTE expense which are best looked at with the longer-term view. This could include expenses reports used to try to influence employee behavior. As a compliance professional, you are better off demonstrating a pattern of questionable or abusive expense-related items, as opposed to nagging one-off expenses report entries. Further there may be situations where there are literally bursts of activity which I would like to let pass by before trying to download that analysis. The question for the compliance professional is “What do I have, right?” Obviously, you cannot perform the analysis before you have data. The question you must work through is when do you have the data and then what is the right time to do any particular kind of analysis of that data? Because it may not always be the "real-time" when I found, when I've got it. Be much more concerned about what's the "right" time. 

By thinking about what you are attempting to accomplish through your monitoring, it can help to inform your compliance program going forward, usually in a variety of ways. In the GTE example discussed in this piece, if you want to move to something closer to real-time monitoring, you will need to move towards the corporate credit card model, with real-time viewing of the purchases on the card. From there you can make a preliminary assessment if you want or need to use that data from the compliance perspective. Moreover, you should never forget that a much longer right-time review and perspective can be equally valuable for many of your other business processes going forward. 

It is this final point, which makes clear the power of operationalizing your compliance program. If you put the architecture of compliance closest to those in the field who are literally on the front lines of your organization you should be able to obtain the data nearest to the customer. That data can be sliced and diced in a variety of ways which allow incorporate back into your continuous learning loop (OODA feedback loop) so that you can determine the most efficient business process going forward. When compliance can wed its prevent, find and fix mandate with overall business process performance, it can make a company more efficient and more profitable. 

Three Key Takeaways

  1. Innovation can come through a new way to think about and use data going forward.
  2. Remember the differences in real-time v. right-time review.
  3. Consider what the review is for and how you will use it going forward. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to

Sep 18, 2017

Innovation can come in form of new ideas or simply fresh ways to consider old problems. The idea of how to use the information available to a CCO is one that can be explored through different avenues. One of the most interesting, originated in the dogfights from World War II. The insights gained were instrumental in the US military’s swift victory in the First Gulf War. 

It was detailed in a chapter in an eBook, entitled “Planning for Big Data - A CIO’s Handbook to the Changing Data Landscape, by the O’Reilly Radar Team. The chapter was authored by Alistair Croll, entitled “The Feedback Economy. Croll believes that big data will allow innovation through the “feedback economy”. This is a step beyond the information economy because you are using the information that you have generated and collected as a source of information to guide you going forward. Information itself is not the greatest advantage but using that information to make your business more agile, efficient and profitable is your greatest advantage.

Croll draws on military theory to illustrate his concept of a feedback loop. It is the OODA loop, which stands for observe, orient, decide and act. This comes from military strategist John Boyd who realized that combat “consisted of observing your circumstances, orienting yourself to your enemy’s way of thinking and your environment, deciding on a course of action and then acting on it.” Croll believes that the success of OODA is in large part “the fact it’s a loop” so that the results of “earlier actions feedback into later, hopefully wiser, ones.” This should allow combatants to “get inside their opponent’s loop, outsmarting and outmaneuvering them” because the system itself learns. For the CCO, this means that if your company can collect and analyze information better, you can act on that information faster. 

Croll believes one of the greatest impediments to using this OODA feedback loop is the surplus of noise in our data; that “We need to capture and analyze it well, separating the digital wheat from the digital chaff, identifying meaningful undercurrents while ignoring meaningless flotsam. To do this we need to move to more robust system to put the data into a more usable format.” Croll moves through each of the steps in how a company collects, analyzes and acts on data. 

The first step is data collection where the challenge is both the sheer amount of data coming in and its size. Once the data comes in it must be ingested and cleaned. If it comes into your organization in an unstructured format, you will need to cut it up and put into the correct database format for use. Croll touches on the storage component of where you place the data, whether in servers or on the cloud. 

A key insight from Croll is the issue of platforms, which are the frameworks used to crunch large amounts of data more quickly. His key insight is to break up the data “into chunks that can be analyzed in parallel” so the data can be considered and acted upon more quickly. Another technique he considers is “to build a pipeline of processing steps, each optimized for a particular task.” 

Another important component is machine learning and its importance in the data supply chain. Croll observes, “we’re trying to find signal within the noise, to discern patterns. Humans can’t find signal well by themselves. Just as astronomers use algorithms to scan the night’s sky for signals, then verify any promising anomalies themselves, so too can data analysts use machines to find interesting dimensions, groupings or patterns within the data. Machines can work at a lower signal-to-noise ratio than people.” 

Yet Croll correctly notes that as important as machine learning is in big data collection and analysis, there is “no substitute for human eyes and ears.” Yet for many business leaders, displaying the data is most difficult because it is not generally in a readable form. It is important to portray the data in more visual style to help convey the “dozens of independent data sources” into navigable 3D environments. 

Of course having all this data is of zero use unless you act on it. Big data can be used in a wide variety of decision making, from employment decisions around hiring and firing decision, to strategic planning, to risk management and compliance programs. But it does take a shift in compliance thinking to use such data. It advocates “fast, iterative learning.” Big data allows you to make a quicker assessment of the impact of measured risks. 

Croll ends his chapter by noting that the “big data supply chain is the organizational OODA loop.” But unlike the OODA loop, it is more than simply about the loop and plugging information as you move through it. He believes “big data is mostly about feedback”; that is, obtaining the impact of the risks you have accepted. For this to work in compliance, a company’s compliance discipline needs to both understand and “choose a course of action based upon the results, then observe what happens and use that information to collect new data or analyze things in a different way. It’s a process of continuous optimization”. 

Whether you consider the OODA loop or the big data supply chain feedback, this process, coupled with the data that is available to you should facilitate a more agile and directed business. The feedback components in both processes allow you to make adjustments literally on the fly. If that does not meet the definition of innovation, I do not know what does. 

Three Key Takeaways

  1. Innovation can come through a new way to think about and use data going forward.
  2. The OODA loop stands for observe, orient, decide and act.
  3. Always remember with machine learning and analysis, there is no substitute for human eyes and ears.



This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to

Sep 15, 2017

Next we consider superforecasting and its use by a compliance function. Imagine that as a Chief Compliance Officer (CCO), you could create a team which might well dramatically improve your company’s compliance and risk forecasting ability, but to do so you would be required to expose just how unreliable the professional corporate forecasters have been? Could you do so and, more importantly, would you do so? Most generally this is the predictive capability that organizations have used. However, the new “superforecasting” movement, led by Philip E. Tetlock and others, has been gaining strength to help improve this capability. 

The concepts around superforecasting came of age after the intelligence failures leading up to the Iraq War. This led to the founding of the Good Judgment Project, which had as key component a multi-year predictive tournament, which was a series of gaming exercises pitting amateurs against professional intelligence analysts. The results of the Good Judgment Project was presented in a recent Harvard Business Review (HBR) article, by Tetlock and Paul J. H. Schoemaker, entitled “Superforecasting: How to Upgrade Your Company’s Judgment”. The authors had three general observations. First “talented generalists can outperform specialists in making forecasts.” Second, “carefully crafted training can enhance predictive acumen.” Third, “well-run teams can outperform individuals.” 

To move to superforecasting, the authors laid out four precepts. The first is to find the sweet spot, which is somewhere between predictions that are “entirely straight-forward or seemingly impossible.” They note the sweet spot “that companies should focus on is forecasts for which some data, logic, and analysis can be used but seasoned judgment and careful questioning also play key roles. Predicting the commercial potential of drugs in clinical trials requires scientific expertise as well as business judgment.” I find the same to be true in compliance where “Assessors of acquisition candidates draw on formal scoring models, but they must also gauge intangibles such as cultural fit, the chemistry among leaders, and the likelihood that anticipated synergies will actually materialize.” 

Next is to train for good judgment. This requires employees to learn the basics in such techniques as probability concepts, the definition of what is to be predicted and an understanding of numerical probabilities. As cognitive biases are widely know to skew judgment, companies need to raise awareness for this issue to arise. Finally, training to understand the psychology behind such biases narrowed predictive domains. 

Next is to build the right kind of teams. The initial thing to realize is the importance of the composition of the team. The authors found that “cautious, humble, open-minded, analytical - and good with numbers. In assembling teams, companies should look for natural forecasters who show an alertness to bias, a knack for sound reasoning, and a respect for data.” Equally critical is that the “forecasting teams be intellectually diverse. At least one member should have domain expertise (a finance professional on a budget forecasting team, for example), but nonexperts are essential too - particularly ones who won’t shy away from challenging the presumed experts. Don’t underestimate these generalists.” Clearly your compliance superforecasting team should draw from the diversity within your organization not only in discipline but in temperament as well. 

After the composition is considered, the authors move to “diverging, evaluating and converging.” The authors suggest “a successful team needs to manage three phases well: a diverging phase, in which the issue, assumptions, and approaches to finding an answer are explored from multiple angles; an evaluating phase, which includes time for productive disagreement; and a converging phase, when the team settles on a prediction. In each of these phases, learning and progress are fastest when questions are focused and feedback is frequent.” 

The final component of composition is trust as there must be trust among your team members to facilitate good outcomes. This might also be understood that if the superforecasters demonstrate the errors or miscalculations of others in the group, not only will they be protected by senior management but their work will be defended. The authors note, “Few things chill a forecasting team faster than a sense that its conclusions could threaten the team itself.” 

You then have to “track performance and give feedback” as the authors believe that it is essential to track the prediction outcomes and provide timely feedback to improve forecasting going forward. This also has the added benefit of providing an audit trail so that a company can learn from both the good and bad predictions. This leads to the authors’ next insight, which, in the process, is critical. 

Such a feedback loop in the compliance sphere could lead to some of the following questions being posed: What information might others have that you don’t that might affect the compliance risk? What cognitive traps might skew your judgment on this transaction or risk? Why do you believe the company can safely navigate this compliance risk? 

Answers to these and other questions can provide insight into not only specific predictions but also the process by which a team moved forward so that it can be replicated, in the future through an audit trail. [Think Document Document Document.] Also, “Well-run audits can reveal post facto whether forecasters coalesced around a bad anchor, framed the problem poorly, overlooked an important insight, or failed to engage (or even muzzled) team members with dissenting views. Likewise, they can highlight the process steps that led to good forecasts and thereby provide other teams with best practices for improving predictions.” 

Like any innovation, there must be a commitment from senior management on moving forward. There must be data available both internally and research conducted externally with auditable trails on judgments, underlying assumption and data sources. The keys to success include frequent, precise predictions and measuring accuracy of predictions for comparison with real-world events. Nevertheless, such an exercise might well be exactly what a compliance function should do going forward. It might give the company enough information to take such a seemingly risky business move, when the prediction shows the risk was lower than the ‘experts’ said. Yet the authors end on this note, “But companies will capture this advantage only if respected leaders champion the effort, by broadcasting an openness to trial and error, a willingness to ruffle feathers, and a readiness to expose “what we know that ain’t so” in order to hone the firm’s predictive edge.” 

Three Key Takeaways

  1. Imagine you could create a team which might well dramatically improve your company’s compliance and risk forecasting ability.
  2. It is essential to track the prediction outcomes and provide timely feedback to improve forecasting going forward.
  3. Like any innovation, there must be a commitment from management on moving forward.



This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to

Sep 14, 2017

One of the key things the Department of Justice (DOJ) has consistently communicated is the importance of operationalizing rather than having a paper compliance program in place. The Department of Justice’s Evaluation of Corporate Compliance Programs (Evaluation) made clear that to receive credit in any Foreign Corrupt Practices Act (FCPA) enforcement action, you must fully operationalize your compliance program in the remediation phase. 

All of this was driven home to me in an article I read in the Harvard Business Review (HBR), entitled “Disruptive Innovation?”, by Clayton M. Christensen, Michael E. Raynor and Rory McDonald. The authors were concerned that many of the commentary around the phrase ‘disruptive innovation’ were “in danger of losing their usefulness because they’ve become misunderstood and misapplied.” To answer this critique, the authors revisited the central tenets to the theory and how it had developed over the past 20 years. In doing so they detailed three key elements of disruption theory, which I have adapted to the compliance context. 

The first is that compliance is a process. While this may seem as about the most self-evident statement one can make, as late as last week, I was contacted by someone who wanted an ‘off the shelf’ compliance package. They wanted me to do a couple of interviews of senior management and they put in some canned software program so they could claim they had a compliance program. 

This attitude demonstrates the continuing battle the DOJ and Securities and Exchange Commission (SEC) face when communicating their expectations around compliance programs. Compliance programs should evolve as business risks change. Just as disruptive innovation tends to focus on process, your compliance program should focus on your overall business process to be successful. 

The second key point is that Compliance 3.0 is very different from compliance programs of the past decade. As compliance programs have matured and the structural changes brought about in the Compliance 2.0 model, as articulated by Donna Boehme and others, we have now moved on to Compliance 3.0 where compliance is put into the fabric of an organization. The compliance function is moving from a solutions shop where all compliance functions are centered in the legal or compliance department to a process function where the front line business team can use technology and other tools to operationalize compliance. DOJ Compliance Counsel spoke to this concept in her recent remarks around how well a company would operationalize compliance by incorporating the business functions inputting to compliance around appropriate internal controls. The authors point to new business models as disruptive and I think this concept translates into how compliance can be burned into the DNA of an organization rather than simply sitting in the corporate headquarters in the US. 

The third point is that not all disruptive innovations succeed. Here the authors write that disruption is only one step in both the creative and growth process. Throughout their article, they discuss Uber in the context of a disruptive business. However, Uber uses the smart phone platform, coupled with a superior rider experience as a part of its business model. For the compliance practitioner, I think the key concept is what SCCE President Roy Snell says are the three goals of any compliance program; to prevent, find and fix issues. You could also plug in here McNulty’s Maxims (What did you do to prevent it? What did you do to detect it? What did you do after you found out about it?). 

This is why any successful compliance program should have multiple levels of oversight built into it. If something does slip through, a level of oversight should be in place to review it and hopefully prevent it. Consider the BHP Billiton’s FCPA enforcement action. It involved gifts, travel and entertainment around the 2008 Beijing Olympics. The issue was not that foreign officials were feted at the event. The issue that got the company into trouble was that they did not perform proper oversight over their carefully crafted program. A similar issue was seen in the Lily FCPA enforcement action where charitable donations were approved by an oversight committee without any substantive review and distributor commission rates were approved outside the standard range without appropriate review. 

Disruption innovation has come to the compliance arena. One of the best examples is Louis Sapirman, the Chief Compliance Officer (CCO) at Dun & Bradstreet, who has incorporated not only social media tools but also the concepts of two-way communications into his company’s compliance program. Another is the use of your own company’s data to facilitate a straight line of sight by a CCO or compliance practitioner into transactions needing more detailed reviews from the compliance perspective. 

As many compliance practitioners are lawyers, we are naturally reticent to embrace such change. However, I think the pronouncements of the DOJ this year have made it even clearer of the need for continued evolution of anti-corruption compliance going forward. Disruptive innovation can be one of the techniques to get your compliance program to that desired location. 

Three Key Takeaways

  1. Compliance programs should evolve as business risks change.
  2. Compliance has moved to the front lines of a business.
  3. Disruptive innovation is only one step in both the creative and growth process. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to

Sep 13, 2017

Design thinking is another innovation which can help the Chief Compliance Officer (CCO) move forward in a cutting-edge manner to make a compliance program not only more robust but also operationalize it into the fabric of the company. Such a mechanism would help to drive compliance into the operational nature of a company, which is where the latest pronouncement from the Department of Justice (DOJ), in their Evaluation of Corporate Compliance Program suggest a company should take their compliance regime. 

Design Thinking can bring innovation in a number of ways to your compliance program. Jon Kolko discussed this innovation in a Harvard Business Review (HBR) article entitled “Design Thinking Comes of Age. Kolko’s insight that, “the approach, once used primarily in product design, is now infusing corporate culture” is one that any CCO or compliance practitioner can use in redesigning your compliance program for your internal customers, i.e. your employees and third parties that may fall under your compliance program. All of these groups have a user experience in doing compliance that may be complex and interactive. You need to design a compliance infrastructure to the way people work so that doing compliance becomes burned into the DNA of a workforce. 

The first component of design thinking is to focus on the users’ experience with compliance. Kolko stated that designers need to focus on the “emotional experience” of the users; he explained that this concerns the “(… desires, aspirations, engagement, and experience) to describe products and users. Team members discuss the emotional resonance of a value proposition as much as they discuss utility and product requirements.” For the compliance function, this could be centered on the touch points the employee base has with the compliance function and that this should be “designed around the users’ needs rather internal operating efficiencies.” 

The next step is to create something design thinkers use called “design artifacts”. While this is usually thought of as a physical item they can also be “spreadsheets, specifications, and other documents that have come to define the traditional organizational environment.” Their use is critical because “They add a fluid dimension to the exploration of complexity, allowing for nonlinear thought when tackling nonlinear problems.” Whatever the compliance practitioner may use, Kolko said, “design models are tools for understanding. They present alternative ways of looking at a problem.” 

The next step is to “develop prototypes to explore potential solutions.” In others words, build a part of your system and test it from the users’ perspective. Here the author quoted innovation expert Michael Schrage for the following, “Prototyping is probably the single most pragmatic behavior the innovative firm can practice.” I think this is because “the act of prototyping can transform an idea into something truly valuable” through use, interaction and testing. Simply put, prototyping is seen as a better way to communicate ideas and obtain feedback.


While it may initially sound antithetical to the CCO or compliance practitioner, a key component for design thinking is a tolerance for failure. I realize that initially it may appear that you cannot have failure in your compliance program but when you consider that design thinking is an iterative process it becomes more palatable. Kolko quoted Greg Petroff, the chief experience officer at GE software, about how this process works at GE, “GE is moving away from a model of exhaustive product requirements”, adding “Teams learn what to do in the process of doing it, iterating, and pivoting.” 

However design thinkers must “exhibit thoughtful restraint” when moving forward so that they can have deliberate decisions about what processes should not do. This means that if a compliance process is too complicated or requires too many steps for the business unit employee to successful navigate, you may need to pull it back. I like the manner in which Kolko ends this section by stating that sometimes you lead with “constrained focus.” 

Kolko ended his article by noting three challenges he sees in implementing design thinking, which I believe apply directly to the CCO or compliance practitioner. First is that there must be a willingness to accept more ambiguity, particularly in the immediate expectation, for a monetary return on investment. A more functional or better compliance system design may not immediately yield some type of cost savings but it may be baked into the overall compliance experience. Second, a company must be willing to embrace the risk that comes from transformation. There is no way to guarantee the outcome so the company leaders need to be willing to allow the compliance function to take some chances in directions not previously gone. Third is the resetting of expectations as design does not solve problems but rather “cuts through complexity” to deliver a better overall compliance experience. This in turn will make the company a better-run organization. 

Kuldeep Singh, writing in the SCCE magazine Compliance and Ethics, in an article entitled “Design Thinking: Creating an ethics-based compliance governance solution”, helped to put some flesh on these concepts. I found a key insight from Singh was that rather than simply concluding that violations of anti-corruption laws such as the Foreign Corrupt Practices Act (FCPA) were engaged in by bad actors, it is rather good people doing bad things such as engaging in bribery and corruption. 

Using design thinking to improve your compliance regime by building from the ground up rather than a legalistic top-down approach favored by most lawyers. For Singh, it all starts with the employees, not simply the problem. So you begin by asking questions, lots of questions. From this point he suggests that you formulate the proposed solution as a “problem statement”. 

From this point, you are ready to begin brainstorming to come up with some solutions. There are four steps Singh lays out. First is to “state the problem to be solved with enough clarity of specificity.” The second is to “identify the objectives of the problem solution.” The third step is to “generate alternative solutions and create a list of alternatives prior to having a group discussion.” And finally, you end with collectively generating alternative solutions. 

The final step is to test the proposed solutions, or as Singh puts it “test, test, prototype and test again.” The key is to avoid prejudgments so he advises to “let the tester interpret the prototype” and obtain their feedback. It is incumbent to iterate through the process multiple times, which allows you to narrow the scope of the solution and to “move from working on broad concepts to nuanced details.” 

Singh puts this design thinking protocol to use to help create a more effective ethics and compliance training model. He uses employees to provide the initial input to improve its effectiveness and relevance to the front line employees. The compliance team then implements several proposed solutions until the most operative one or ones becomes apparent. These are then rolled out companywide for better and more effective compliance training. As the entire process is documented, when the regulators, such as the DOJ or Securities and Exchange Commission (SEC), come knocking, you will have the ability to not only explain your training but also demonstrate its effectiveness. 

Three Key Takeaways

  1. Design thinking concepts are not simply for product innovation but for culture innovation as well.
  2. Design thinking works around the users’ needs rather internal operating efficiencies. For a compliance program, this means employees, third parties and customers.
  3. Design thinking works to improve your compliance regime by building from the ground up rather than a legalistic top-down approach.



This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to

Sep 12, 2017

I believe one of the most significant innovations in compliance will come through the incorporation of blockchain into compliance. I see great value propositions for the compliance function. Mike Volkov has noted, “The key to blockchain is creating a secure environment among multiple actors in which the actors can record events and transactions in real time in shared ledgers. These ledgers are immutable, meaning they cannot be modified, and secure from potential hacking or modification. Blockchain users can receive real-time reports of activities without having to rely on post hoc reports. As a consequence, a specific user can flag potential red flags early, almost in real time, when events occur based on specific settings they establish for monitoring blockchain events.” 

A more detailed exploration of the use of blockchain was presented in an article in the MIT Sloan Management Review, entitled “How Blockchain Will Change Organizations, where authors Don Tapscott and Alex Tapscott speculate that the transformations which blockchain may facilitate in the corporate world could lead to some truly revolutionary modifications in key businesses processes. 

How could blockchain have such a dramatic impact on compliance? First is the explanation of what blockchain might mean as a tool in business process. The authors explained that in a business transaction, you cannot email money as you can a document so a company must “use intermediaries to establish trust and maintain integrity. Banks, governments, and in some cases big technology companies have the ability to confirm identities so that we can transfer assets; the intermediaries settle transactions and keep records. For the most part, intermediaries do an adequate job, with some notable exceptions. One concern is that they use servers that are vulnerable to crashes, fraud, and hacks.” 

The authors then go on to ask, “What would happen if there were an internet of value where parties to a transaction could store and exchange value without the need for traditional intermediaries?” The answer is that blockchain provides a transparent method to verify and approve transactions that is encrypted. Not only would this lower transaction costs and perhaps even barriers to doing business but also allow greater expansion of business into new geographic areas, through the use of previously external resources which were prohibitively expensive. Think of the possibilities in compliance for the supply chain and vertical integration. 

There are several specific areas where the value from blockchain could enhance the operationalization of compliance into the fabric of a company. In Human Resources (HR) and Procurement “Blockchain will enable organizations requiring specialized talent and capabilities to obtain better information about potential contractors and partners than many traditional recruitment and procurement methods offer.” This means that with a potential third party business partner’s consent, a company will have access to a cache of information that is known to be correct because it has been uploaded, stored, and managed on a highly secure, distributable database. Such potential business partners would not be able to misrepresent their capabilities after such information has entered on the blockchain. The authors also note that “Tampering with data after the fact wouldn’t be possible: It would involve taking over the entire blockchain, a nearly impossible task.”

This is made even more powerful in the area of financial reporting. Typically, a search is “horizontal (across the web) and vertical (within particular websites). What you find can be out-of-date or inaccurate in other ways. On a blockchain, though, there’s a third dimension: sequence. In addition to being able to obtain a historical picture of the company since it was incorporated, you can see what has occurred in the last few minutes.” The authors correctly note, “The opportunity to search a company’s complete record of value will have profound implications for transparency as it brings to light off-book transactions and hidden accounts. People responsible for records and reports will be able to create filters that allow stakeholders to find what they are searching for at the press of a button. Companies will be able to create transaction ticker tapes and dashboards, some for internal use”. This would be extremely helpful in the difficult vetting of third parties around financial information. 

In the sales realm, blockchain could be most helpful in understanding who you are doing business with and, more particularly, if the company is a state-owned enterprise. The same information you would consider about potential third parties sales agents would be available from customers. Obviously this would be critical in any Foreign Corrupt Practices Act (FCPA) analysis but it could also pay big results in anti-money laundering (AML) compliance. As the authors note, “sellers won’t have to incur the cost of establishing trust — thus they can facilitate transactions that would have been risky or might not have been possible otherwise.” Finally, there could be a data security plus as “blockchains will eliminate the cost of warehousing data and protecting other people’s data from security breaches.”

There are two specific areas where I see blockchain directly impacting the compliance profession. The first is with third parties. Volkov has stated, “a company could maintain immutable records of its due diligence process for a specific third party or a specific regulatory requirement. Due diligence delays would be eliminated by providing immediate and real-time and immediate access to the data, collection of information from potential third parties, and analysis of the information. A compliance officer could expedite the entire verification and validation process.” 

The second area where blockchain provides a potential game changer is contracts, specifically around compliance terms and conditions. As the authors explain, “Blockchains facilitate contracting in both the short and long term. Through smart contracts — software that, in effect, mimics the logic of contracts with guaranteed execution, enforcement, and payments — companies will be able to automate the terms of agreement. This means that if a company develops contract programs to run on blockchain, it can incorporate the required compliance term and conditions and with blockchain, it can trigger alerts and ensure compliance This could be expanded to include compliance training, annual certification, or another ongoing obligation. 

The authors conclude that blockchain could help alleviate some of the more egregious scandals seen, beginning back with Enron and up through Volkswagen (VW) and Wells Fargo. They believe that blockchain could help to “codify ethics and integrity into the circuitry of the enterprise, or reduce the moral hazard that too often sees management gambling with shareholder capital. Through smart contracts under blockchain, shareholders will be able to enforce the commitments executives make. Companies can specify relationships and state specific outcomes and goals so that everyone understands what the respective parties have signed up to do and whether those things are actually getting done.” 

This final points sounds to me quite a bit like operationalizing compliance. It will be interesting to see when the Department of Justice (DOJ) or Securities and Exchange Commission (SEC) will begin to comment on blockchain as a part of a best practices compliance program. 

Three Key Takeaways

  1. Blockchain has great potential for the compliance profession.
  2. Blockchain can facilitate the third party due diligence and update requirements.
  3. Blockchain can provide a clear trigger for compliance terms and conditions.



This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to


Sep 11, 2017

In Compliance and Continuous Improvement”, John Nocero discussed the concept of Kaizen or continuous improvement in compliance. He explained, “Loosely translated, Kaizen means change for the better. It has been utilized successfully by a variety of organizations in healthcare, psychotherapy, government and other industries to help develop long-term competitive strategies, improve operational practices and stay viable. When you think about it further, this principle has even more direct application to the compliance practitioner. In today’s environment in which we work, being a compliance practitioner is like setting yourself on fire at the beginning of the day and trying to put it out by day’s end. We fight fires. We want to be able to control the fire that is burning within ourselves – by learning how to handle the difficult conversation before it occurs, or anticipating how we will act when someone challenges our knowledge or authority.” 

The company Graphic Products explains on their website, “Kaizen works by reducing waste (muda) and eliminating work processes that are overly difficult (muri). As a lean business practice, Kaizen succeeds when all employees look for areas to improve and provide suggestions based on their observations and experience. Generally, these suggestions are for small changes that incrementally change the business for the better.” They suggest a four-step approach, which they call “Plan-Do-Check-Act (PDCA).” 

Under the Plan prong, you “define the problem and develop potential solutions.” Under the Do prong, you next move to “implementing the best solution.” During the Check prong you should “evaluate results to see if the solution worked.” Under the Act prong, you have one of two options: (A) If the solution you implemented succeeded, you work to standardize it and then implement it across the organization. (B) However if the solution did not work, you should return to the planning stage and start again. The site notes that using “PDCA to implement changes ensures that there is a continuous cycle in place to monitor changes and to continue to improve upon them.” 

Copenhagen Compliance suggest another approach in their e-newsletter entitled Using the Kaizen Approach to Risk Management by the Audit Committee”. They say, “Understanding the current nature of a risk is a precondition for a determining your risk appetite and providing a risk response.” It is therefore incumbent that you take the necessary “time, resources and expertise to have a closer look at individual risks and understand what a risk management means to the various department heads and divisions.” 

Using the small workshop format to determine and consider the different levels of risk, they propose you should start with the following questions: 

  1. List the different causes and the circumstances that decrease or increase the likelihood of risks;
  2. List the different causes and the circumstances to understand a risk at an individual level;
  3. List the different causes and effect that can make risks occur;
  4. Describe the effects which take place immediately after a risk occurs; and
  5. Describe the effects of a risk that happen because of the primary effects or because time elapses. 

The answers you deliver to these queries should provide you with a detailed analysis and more insight into both the order and magnitude of the compliance risks your company faces going forward. However Copenhagen Compliance then suggests a second step where you review the risks from a difference perspective. You should begin by using the results of the first exercise to take a look at a couple of different areas. First you should consider “the different causes and the circumstances that focus on the processes or events that precede a risk occurrence.” From there you should “list the different causes and the circumstances that focus on the processes or events that precede a cause of the risk.” The data you develop in this second phase “will provide valuable insights to determine the risk appetite, effective responses to optimize the management of risks with focus on Risk identification” which are embedded in the way you are doing business. 

Marty Ellen, the Chief Financial Officer (CFO) at Dr. Pepper, discussed these theoretical underpinnings in a Wall Street Journal (WSJ) article, entitled “How Dr Pepper Cuts Cost. And Then Cuts Costs Some More”, by Mike Esterl. At Dr. Pepper, Kaizen events are known as “Rapid Continuous Improvement” or RCI. Ellen said, “RCI is about taking the existing baseline and improving it by finding the waste. It starts with walking the entire process. We call it “going to gemba,” which is Japanese for going to see how the work is done. The goal is always to shorten cycle times. You would be surprised. You put a bunch of people in a room to describe how a process works, and they don’t all agree with each other - and they all work on the same process.” 

For the Chief Compliance Officer (CCO) or compliance practitioner, the most interesting take-away from the article was that Ellen has successfully used the process not only in manufacturing processes but also in internal controls and financial processes such as accounts payable. Moreover, using RCI is not about cutting jobs but making the internal processes more efficient. So if you can reduce costs in compliance by being more efficient in the process it sounds like a win for all concerned. 

Three Key Takeaways

  1. Kaizen works by reducing waste and eliminating work processes that are overly difficult.
  2. Use a four-step approach, “Plan-Do-Check-Act”.
  3. Kaizen works in for internal compliance controls and compliance processes.  



This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to

Sep 11, 2017

In this episode, I visit with Alex Tsigutkin, founder and CEO of AxiomSL and Varun Singhal – Senior Vice President Product Management, AxiomSL. AxiomSL a global leader in risk data management and regulatory reporting solutions for the financial industry, including banks, broker dealers, asset managers and insurance companies. Its unique enterprise data management (EDM) platform delivers data lineage, risk aggregation, analytics, workflow automation. 

We discuss data lineage, which is quickly becoming a top line concern and challenge for data managers in financial services. In the past, data lineage—generation of a trail of information that tracks the use and custody of data as it travels throughout the enterprise—was primarily a concern for niche internal projects, usually run by reporting teams. A combination of closer oversight by prudential regulators and rising global standards around data governance, itself, has rapidly led many financial institutions to become more interested in how to do this on a broader level. The implications to and applications for the anti-corruption compliance profession are significant for transparency and accountability in data for sales, third party sales agents and payments, data flow in an organization and vendors in the Supply Chain. You can find out more about AxiomSL and data lineage by checking out their website, by clicking here.

Sep 7, 2017

What will be the role of Artificial Intelligence (AI) in compliance going forward? LawTech had disrupted the legal profession and how it is reshaping many areas of private practice. I found the article had multiple implications for the compliance function. Indeed, I believe there will be a ComTech industry lurking down the road. 

Obviously, document review is one area where ComTech would be most useful. There are many companies who provide key word searches and these same concepts translate readily into the compliance world through massive database searches for key words, such as an ongoing email review through email sweeps. The concept is straightforward; at regular intervals, you sweep through your company email database for identified key words that can be flagged for further investigation, if required. Such a sweep is not limited to anti-corruption compliance but any of the risk factors identified for your company. 

The objective of this approach is to find the evidence of a compliance breakdown by sweeping systems to uncover items that may contain real issues. From here, you can assess and prioritize, by checking and verifying if an issue needs investigating and focusing on the issues you want to investigate first. Further, and if warranted, you can invoke your investigation protocol, with all the requisite protections and securities. AI can help you to perform all of this more cheaply and efficiently.

Soon compliance will be pushed more to the forefront in anti-money laundering (AML). As banking institutions continue to tighten and strengthen AML controls, criminals and other nefarious actors will move into non-financial corporations to move money for the simple reason that such robust controls required in the financial and financial services world are not generally required in the non-financial corporate world. Non-financial corporations should have robust AML controls in place and one of the requirements for any best practices AML policy is to “Know Your Customer” (KYC). AI will allow a more robust KYC approach. 

Another area where compliance is often left behind is in the arena of Mergers and Acquisitions (M&A). Since the 2012 FCPA Guidance, the focus of compliance in M&A has been more and more on the pre-acquisition phase of a deal. Often the compliance function is either brought in at the last minute and does not have the time to perform adequate compliance due diligence or there is an overwhelming amount of data to be reviewed and the resources available (or made available) to the compliance function is woefully inadequate. AI can help in this area. There are companies which have software that allows thousands of documents to be reviewed in the M&A context. 

The review could include such issues as whether third party sales representatives have the requisite background due diligence in the files, their status and commission rates paid. There could be a review of top sales and business developments folks in high-risk regions, correlated with a gift, travel and entertainment analysis. Finally, you could consider sales in high risk regions or even sales spikes from low risk areas from the compliance perspective. 

A prime example of where AI can assist the compliance function is with third parties in the Supply Chain arena. Every multi-national has literally thousands of vendors. Getting a handle on those is always a challenge simply because of the numbers involved. Using AI, a compliance practitioner can immediately identify vendors that present anti-corruption compliance or other risks to an organization. Once again, having led an effort to list out all employer’s vendors by hand to begin the risk ranking process, I can personally attest to the greater efficiencies AI can bring to the exercise. 

There is yet another set of AI tools which can review contracts to see if any specific types of clauses are non-standard. It would seem a relatively easy software coding exercise to adapt such products to compliance clauses. This type of approach could also be used for non-standard governance clauses in joint venture (JV) or other types of partnerships agreements. Having once been assigned the task of reading all my employer’s JV agreements (87) and third party sales agents contracts (211) from across the globe and recalling the amount of time it took to do so; I can personally attest again to the greater efficiencies we are considering through the use of AI. 

This example also points to one of the key disadvantages to AI and ComTech going forward. In past years, it was through document review and the detailed reading of documents and cases that many junior lawyers were trained. In my experience, reading all those JV agreements and third party sales agents’ agreements gave me a very good education in contract language and what positions were more and less favorable to each party. This is how many young associates were trained in law firms. This very practical method of training will eventually go away. 

This final example also points to one of the key limitations of ComTech. While it might have helped to have AI review the JV agreements and third party sales agents’ contracts, it only could identify non-standard contract language. Unfortunately, since most of the agreements and contracts were bespoke they were uniformly non-standard. Further, the assignment I was given required an analysis of each non-standard contract so the judgment of a human was required. Even as AI becomes more sophisticated, the judgment of a professionally trained compliance practitioner is still required to validate the areas flagged by AI as anomalies. 

Gary Kasparov recognized this after his loss to IBM’s Big Blue in a chess match. In a review of his recent book Deep Thinking-Where Artificial Intelligence Ends and Human Creativity Begins, it noted that Kasparov “recognized that computers do well what humans do badly and vice versa, suggesting a useful complementarity.” Moreover, “he argues that humans are often fallible, finding patterns in randomness and correlations where none exist. Computers can help us be more objective and amplify our intelligence. Technological progress can never be stopped even if it should be better managed.” Kasparov even formulated his own theorem, which he calls “Kasparov’s Law” and it reads, “Weak human + machine + better process is superior to strong human + machine + inferior process.” 

There have always been technological innovations which help make co mpliance disciplines run more efficiently, more smoothly and more profitably. AI is simply another step in this line of technological developments. There is certainly no reason to be afraid of using it. Given the disruption which has impacted the legal profession through LawTech; disruption is not far behind in the compliance world through ComTech. 

Three Key Takeaways

  1. Artificial intelligence has already disrupted the legal profession, the compliance profession may be next. ComTech will be the result.
  2. Document review will be the first area of significant AI use in compliance.
  3. Beware the limitations and disadvantages of ComTech. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to

1 « Previous 4 5 6 7 8 9 10 Next » 16