The Justice Department Evaluation of Corporate Compliance Programs states in Prong 10, Appropriate Controls – What was the business rationale for the use of the third parties in question? What mechanisms have existed to ensure that the contract terms specifically described the services to be performed, that the payment terms are appropriate, that the described contractual work is performed, and that compensation is commensurate with the services rendered?  

You should incorporate compliance terms and conditions into your contracts with third parties. You must have appropriate compliance terms and conditions in every contract with third parties. I would suggest that you prepare a template, which can be used as a starting point for your negotiations. The advantages of such a template are several; they include: (1) the contract language is tested against real events; (2) the contract language assists the company in managing its compliance risks; (3) the contract language fits into a series of related contracts; (4) the contract language is straight-forward to administer and (5) the contract language helps to manage the expectations of both contracting parties regarding anti-bribery and anti-corruption. 

What are the compliance terms and conditions that you should include in your commercial contracts with third parties? In the Panalpina Deferred Prosecution Agreement (DPA), Attachment C, Section 12 is found the following language, “Where necessary and appropriate, Panalpina will include standard provisions in agreements, contracts, and renewals thereof with all agents and business partners that are reasonably calculated to prevent violations of the anticorruption laws, which may, depending upon the circumstances, include: (a) anticorruption representations and undertakings relating to compliance with the anticorruption laws; (b) rights to conduct audits of the books and records of the agent or business partner to ensure compliance with the foregoing; and (c) rights to terminate an agent or business partner as a result of any breach of anti-corruption laws, and regulations or representations and undertakings related to such matters.” In the Johnson & Johnson (J&J) DPA, the same language as used in the Panalpina DPA is found in Attachment C, entitled “Corporate Compliance Program”. However, in Attachment D, entitled “Enhanced Compliance Obligations”, the following language is found: “Contracts with such third parties are to include appropriate FCPA compliance terms and conditions including; (i) representatives and undertakings of the third party to compliance; (ii) right to audit; and (iii) right to terminate.”

Mary Jones, in an article in this blog entitled “Panalpina’s World Wide Web”, suggested the following language be present in your compliance terms and conditions: 

• payment mechanisms that comply with this Manual, the FCPA [Foreign Corrupt Practices Act], the UKBA [UK Bribery Act] and other applicable anti-corruption and/or anti-bribery laws during the term of such contract;
• the counterparty’s obligation to maintain accurate books and records in compliance with the Company’s Policy and Compliance Manual;
• the counterparty’s obligation to certify on an annual basis that: (i) counterparty has not made, offered, or promised any payment or gift of money or anything of value, directly or indirectly, to any Government Official (or any other person or entity if UK Bribery Act applies) for the purpose of obtaining or retaining business or getting any improper business advantage; and (ii) counterparty has not engaged in any conduct or behavior prohibited by the Code of Conduct, Anti-Corruption Policy and Compliance Manual and other applicable anti-corruption and/or anti-bribery law;
• the Company’s right to audit the counterparty’s books and records, including, without limitation, any documentation relating to the counterparty’s interaction with any governmental entity (or any entity if UK Bribery Act applies) on behalf of the Company, and the counterparty’s obligation to cooperate fully with any such audit; and
• remedies (including termination rights) for the failure of the counterparty to comply with the terms of the contract, the Code of Conduct, the Anti-Corruption Policy and Compliance Manual and other applicable anti-corruption and/or anti-bribery law during the term of such contract. 

I believe that compliance terms and conditions should be stated directly in the document, whether such document is a simple agency or consulting agreement or a joint venture (JV) with several formation documents. The compliance terms and conditions should include representations that in all undertakings the third party will make no payments of money, or anything of value, nor will such be offered, promised or paid, directly or indirectly, to any foreign officials, political parties, party officials, candidates for public or political party office, to influence the acts of such officials, political parties, party officials, or candidates in their official capacity, to induce them to use their influence with a government to obtain or retain business or gain an improper advantage in connection with any business venture or contract in which the company is a participant. 

In addition to the above affirmative statements regarding conduct, a commercial contract with a third party should have the following compliance terms and conditions in it. 

• Indemnification: Full indemnification for any FCPA violation, including all costs for the underlying investigation.
• Cooperation: Require full cooperation with any ethics and compliance investigation, specifically including the review of foreign business partner emails and bank accounts relating to your Company’s use of the foreign business partner.
• Material Breach of Contract: Any FCPA violation is made a material breach of contract, with no notice and opportunity to cure. Further, such a finding will be the grounds for immediate cessation of all payments.
• No Sub-Vendors (without approval): The foreign business partner must agree that it will not hire an agent, subcontractor or consultant without the Company's prior written consent (to be based on adequate due diligence).
• Audit Rights: An additional key element of a contract between a US Company and a foreign business partner should include the retention of audit rights. These audit rights must exceed the simple audit rights associated with the financial relationship between the parties and must allow a full review of all FCPA related compliance procedures such as those for meeting with foreign governmental officials and compliance related training.
• Acknowledgment: The foreign business partner should specifically acknowledge the applicability of the FCPA to the business relationship as well as any country or regional anti-corruption or anti-bribery laws, which apply to either the foreign business partner or business relationship.
• On-going Training: Require that the top management of the foreign business partner and all persons performing services on your behalf shall receive FCPA compliance training.
• Annual Certification: Require an annual certification stating that the foreign business partner has not engaged in any conduct that violates the FCPA or any applicable laws, nor is it aware of any such conduct.
• Re-qualification: Require the foreign business partner re-qualify as a business partner at a regular interval of no greater than every three years. 

Many do not believe that they will be able to get the third party to agree to such compliance terms and conditions. I have found that while it may not be easy, it is relatively simply to get a third party to agree to these, or similar, terms and conditions. One approach to take is that they are not negotiable. When faced with such a position on non-commercial terms many third parties will not fight such a position. There is some flexibility but the DOJ will require the minimum compliance terms and conditions. But the best position I have found is that if a third party agrees with these terms and conditions, they can then use that as a market differentiator. 

Three Key Takeaways

1. There is no set formula for clearing of red flags or the evaluation of due diligence.
2. Know when to say enough has been done.
3. You must Document Document Document your evaluation of any red flags. 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos ABAC accelerator, the leading platform for third party risk management. To learn more, go towww.opus.com.

In this episode, I am joined by Eric Feldman, SVP at Affiliated Monitors. Eric is a long time US government employee who now helps to provide companies with monitorship services, in a wide range of areas. These include external monitors after a FCPA enforcement action, monitorships with companies who contract with the federal government, state and local authorities. Eric discusses the strategic use of a monitor in a wide variety of areas, from prevention and detection of legal violations to M&A work. For more on Affiliated Monitors, check out their website by clicking here.

An important part of the job duties of any compliance practitioner is clearing red flags which might appear for a proposed third-party relationship during the due diligence process. It is mandatory that not only must all red flags be cleared but there also be evidence of the decision-making process to show to a regulator if one comes knocking.

The Justice Department Evaluation of Corporate Compliance Program states under Prong 10 the following, “Real Actions and Consequences – Were red flags identified from the due diligence of the third parties involved in the misconduct and how were they resolved?” There is no set formula or guideline for clearing red flags or evaluating due diligence. One approach came from two compliance practitioners at GE Oil & Gas, Flora Francis and Andrew Baird made at the 2014 SCCE Utility and Energy Conference on GE’s third party risk management, where they described the process by which GE reviews the risks around each third party with which it does business. 

Some of the factors which GE considers, when evaluating a third party, include the following: 

• Business Model: Do we need third parties to reach our customers or can we build the organization ourselves?
• In-house Capabilities: Do we already have the organization in place to handle these capabilities?
• Overlap: Do we already have a third party in the region/country that can handle our needs?
• Volume of Business: How much business will this third party bring to the company?
• Compliance Risk: Where is the third party located? Will they interact with government officials? Do they have same commitment to compliance?
• Regulatory Environment: Is it simple or strict? What are the chances of regulatory violations?
• Reputation: What is the third party’s reputation in the market? 

GE takes this information and then break downs the risks down into low risk and high risk. A low risk received a limited review and analysis, while a high risk receives an escalated review and analysis consisting of the following reviews: compliance, legal, business leadership and finance.

But more than simply the level of review, I was interested in the ‘Risk Score Drivers’ that GE has developed. Once again, the speakers emphasized that these are GE’s risk score drivers and have been developed over time through the company’s internal analysis and processes. Nevertheless I found them to be a very useful way to think about third party risk. The risk score drivers listed were: 

• Country channel where the third party is located in or where it sells into;
• Experience by the third party with the sales channel;
• Type of third party involved; agent, reseller, distributor;
• Commission rate, is it standard v. non-standard;
• Will any sub-third party relationships be involved;
• Will the third party sell to government entity or instrumentality;
• Do any of the third party’s principals, Officers or Agents work for a foreign government, state owned enterprise or political party;
• Was the third party mandated by customer or the end user;
• What is the third party’s contract duration;
• Is the third party involved in more than one project;
• Does the third party have any historical compliance issues;
• What is the percent of sales with products or services; and
• What is GE’s annual revenue with the third party? 

GE compliance then takes these scoring factors and puts them into an evaluation matrix when determining the amount of risk involved and a Go/NoGo decision whether the company should move forward with a proposed third party. 

One approach came from Randy Corley, Executive Vice President (EVP), Global Compliance Officer at Edelmen Inc. I found his questions to be very relevant when considering how far down the chain a company must go. 

Step 1: How Much is Enough? Here your goal is to have a realistic process so that it can be effectively managed and still be of sufficient value for the business unit decision makers, who have the ultimate responsibility over the company’s third parties. 

Step 2: How Deep Do We Dig? Here I think the question you should consider is how many tiers down you must go in managing your third parties? Clearly you should manage all direct counter-parties in the sales chain and those considered high-risk in the supply chain. Further, in the sales chain, I think you need to know directly if your business representatives are sub-contracting down your business representation, at least through one tier. On the supply chain, if a high-risk truly is a high-risk for bribery and corruption under your internal evaluation system, you should also consider digging down one tier. 

Step 3: What Do You Need To Know? While with your first-tier relationships you may scope your review depending on your internal risk assessment and attendant risk ranking, your data collection down the chain may not need to be as robust. For counter-parties further down the chain than tier 2, a list of actual and beneficial owners, coupled with commitments to follow relevant anti-corruption legislation is needed. Such commitments should be secured through each tier’s contract with its counter-parties. 

Step 4: What Did We Learn? If there is any information from which Red Flags appear, they must be cleared. If additional information is needed or points clarified, now is the time to do it and not wait until later in the process. Here I would rely on Jan Farley’s proscription not to stretch your compliance program too thin. Focus your training, communication and management on your direct counter-parties and communicate to them that your company expects them to manage their relationships with their direct counter-parties, which would include the clearing of any Red Flags that may have appeared. 

Step 5: Then What? After you have made your decision you still need to manage the relationship. This will entail continuing compliance communications with your direct counter-parties on an ongoing basis. Preferably your business unit sponsor will do this but as the compliance practitioner, you should also be mindful of checking in from time-to-time with your third parties. As your compliance program matures, you also reach the point where you will need to consider auditing of your third parties from the compliance perspective. Finally, do not forget the three most important things about your FCPA compliance program: “Document, Document and Document” the entire process. 

In the area of third parties, consider what risks you face in both your sales and supply chain. If there is a key player several tiers down the line who creates or builds a key component or delivers a critical service, you may want to put more management around that relationship from the compliance perspective. For anything below a tier 2; you may be able to manage your risks through having your direct tier 1 counter-party take the lead in managing such compliance risks. But make sure that the expectation is communicated to your direct counter-party so that if the government comes knocking you can show that not only did you contractually obligate your direct counter-party to do so but that you provided them the tools and training to do so. Finally, you will need to be able to show that your direct counter-party did so. 

Three Key Takeaways

1. There is no set formula for clearing of red flags or the evaluation of due diligence.
2. Know when to say enough has been done.
3. You must Document Document Document your evaluation of any red flags. 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos ABAC accelerator, the leading platform for third party risk management. To learn more, go towww.opus.com.

Show Notes for Episode 47, for the week ending April 7, the Season Opener Edition

In this episode, Jay and I have a wide-ranging discussion on some of the week’s top FCPA and compliance related stories. We discuss: 

1. Wrap up from the SCCE European Compliance and Ethics Institute.
2. SEC Unit Chief Kara Brockmeyer announces her retirement. Click here for Matt Kelly’s article on Radical Compliance.
3. Wal-Mart announces its 2016 spend on its FCPA investigation and remediation of $99MM. Click here for Matt Kelly’s article on Radical Compliance.
4. Upjohn warnings after the Yates Memo. See article the Grand Jury Target blog.
5. Report on OECD Integrity Forum. Allison Taylor writes in the FCPA Blog.
6. Astros, Red Sox and Dodgers all lead their divisions.
7. Jay previews his weekend report.

Yesterday I considered the need for due diligence in the management of third parties. Today, I want to take a deeper dive and explore the levels of due diligence. Due diligence is generally recognized in three levels: Level I, Level II and Level III. Each level is appropriate for a different level of corruption risk. The key is for you to develop a mechanism to determine the appropriate level of due diligence and then implement that going forward. 

Level I 

First level due diligence typically consists of checking individual names and company names through several hundred Global Watch lists comprised of anti-money laundering, anti-bribery, sanctions lists, coupled with other financial corruption & criminal databases.  These global lists create a useful first-level screening tool to detect potential red flags for corrupt activities.  It is also a very inexpensive first step in compliance from an investigative viewpoint. This basic Level I due diligence is extremely important for companies to complement their compliance policies and procedures; demonstrating a broad intent to actively comply with international regulatory requirements. 

Level II 

Level II due diligence encompasses supplementing these Global Watch lists with a deeper screening of international media, typically the major newspapers and periodicals from all countries plus detailed internet searches. Such inquiries will often reveal other forms of corruption-related information and may expose undisclosed or hidden information about the company; the third party’s key executives and associated parties.  I believe that Level II should also include an in-country data base search regarding the third party. Some of the other types of information that you should consider obtaining are country of domicile and international government records; use of in-country sources to provide assessments of the third party; a check for international derogatory electronic and physical media searches, you should perform both English and foreign-language repositories searches on the third party, in its country of domicile, if you are in a specific industry, using technical specialists you should also obtain information from sector specific sources. 

Level III

This level is the deep dive. It will require an in-country ‘boots-on-the-ground’ investigation. According to Candice Tal, founder of Infortal, Level III due diligence investigation is designed to supply your company “with a comprehensive analysis of all available public records data supplemented with detailed field intelligence to identify known and more importantly unknown conditions.  Seasoned investigators who know the local language and are familiar with local politics bring an extra layer of depth assessment to an in country investigation.” Further the “Direction of the work and analyzing the resulting data is often critical to a successful outcome; and key to understanding the results both from a technical perspective and understanding what the results mean in plain English.  Investigative reports should include actionable recommendations based on clearly defined assumptions or preferably well-developed factual data points.” 

But more than simply an investigation of the company, critically including a site visit and coupled with onsite interviews, Tal says that some other things you investigate include “an in-depth background check of key executives or principal players.  These are not routine employment-type background checks, which are simply designed to confirm existing information; but rather executive due diligence checks designed to investigate hidden, secret or undisclosed information about that individual.” Tal believes that such  “Reputational information, involvement in other businesses, direct or indirect involvement in other law suits, history of litigious and other lifestyle behaviors which can adversely affect your business, and public perceptions of impropriety, should they be disclosed publically.”  

Further you may need to engage a foreign law firm, to investigate the third party in its home country to determine the third party’s compliance with its home country’s laws, licensing requirements and regulations. Lastly and perhaps most importantly, you should use a Level III to look the proposed third party in the eye and get a firm idea of his or her cooperation and attitude towards compliance as one of the most important inquiries is not legal but based upon the response and cooperation of the third party. More than simply trying to determine if the third party objected to any portion of the due diligence process or did they object to the scope, coverage or purpose of the FCPA; you can use a Level III to determine if the third party willing to stand up with under the FCPA and are you willing to partner with the third party. 

The Risk Advisory Group, has put together a handy chart of its Level I, II and III approaches to integrity and due diligence. I have found it useful in explaining the different scopes and focuses of the various levels of due diligence.

There are many different approaches to the specifics of due diligence. By laying out some of the approaches, you can craft the relevant portions into your program. The Level I, II & III trichotomy appears to have the greatest favor and one that you should be able to implement in a straightforward manner. But the key is that you must assess your company’s risk and then manage that risk. If you need to perform additional due diligence to answer questions or clear red flags you should do so. And do not forget to Document Document Document all your due diligence.  

Three Key Takeaways

1. A Level I due diligence should be only used where there is a low risk of corruption.
2. A Level II due diligence is sufficient in a high risk jurisdiction if there are no red flags to clear.
3. Level III due diligence is deep dive, boots on the ground investigation.

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos ABAC accelerator, the leading platform for third party risk management. To learn more, go towww.opus.com.

Most companies fully understand the need to comply with the FCPA requirements around third parties as they represent the greatest risks for an FCPA violation. However, most companies are not created out of new cloth but are ongoing enterprises with a fully up and running business in place. This means they may need to bring resources to bear to comply with the FCPA while continuing operating an ongoing business. This can be particularly true in the area of performing due diligence on third parties. Many companies understand the need for a robust due diligence program to investigation third parties, but have struggled with how to create an inventory to define the basis of third party risk and thereby perform the requisite due diligence required under the FCPA.

Getting your arms around due diligence can sometimes seem bewildering for the compliance practitioner. The information that you should have developed in Steps 1 & 2 of the third party management process should provide you with the initial information to consider the level of due diligence that you should perform on third parties. This leads Step 3 in the five steps of the third-party management-Due Diligence. 

Jay Martin, CCO at BakerHughes often emphasizes that a company needs to evaluate and address its risks regarding third parties. This means that an appropriate level of due diligence may vary depending on the risks arising from the relationship. So, for example, the appropriate level of due diligence required by a company when contracting for the performance of Information Technology services may be low, to reflect low risks of bribery on its behalf. Conversely, a business entering the international energy market and selecting an intermediary to assist in establishing a business in such markets will typically require a much higher level of due diligence to mitigate the risks of bribery on its behalf. 

Our British compliance cousins of course are subject to the UK Bribery Act. In its Principle IV of an Adequate Procedures compliance program, the UK Ministry of Justice (MOJ) stated, “The commercial organisation applies due diligence procedures, taking a proportionate and risk based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks.” The purpose of Principle IV is to encourage businesses to put in place due diligence procedures that adequately inform the application of proportionate measures designed to prevent persons associated with a company from bribing on their behalf. The MOJ recognized that due diligence procedures act both as a procedure for anti-bribery risk assessment and as a risk mitigation technique. The MOJ said that due diligence is so important that “the role of due diligence in bribery risk mitigation justifies its inclusion here as a Principle in its own right.” 

Carol Switzer, writing in Compliance Week related that you should initially set up categories for your third parties of high, moderate and low risk. Based upon which risk category the third party falls into, you can design specific due diligence. She defined low risk screening as “trusted data source search and risk screening such as the aforementioned World Compliance”; moderate risk screening as “enhanced evaluation to include in-country public records…and research into corporate relationships”; high risk screening is basically a “deep dive assessment” where there is an audit/review of third party controls and financial records, in-country interviews and investigations “leveraging local data sources.” 

A three-step approach was also discussed favorably in Opinion Release 10-02. In this Opinion Release, the DOJ discussed the due diligence that the requesting entity performed. “First, it [the requestor] conducted an initial screening of six potential grant recipients by obtaining publicly available information and information from third-party sources…Second, the Eurasian Subsidiary undertook further due diligence on the remaining three potential grant recipients. This due diligence was designed to learn about each organization’s ownership, management structure and operations; it involved requesting and reviewing key operating and assessment documents for each organization, as well as conducting interviews with representatives of each MFI to ask questions about each organization’s relationships with the government and to elicit information about potential corruption risk. As a third round of due diligence, the Eurasian Subsidiary undertook targeted due diligence on the remaining potential grant recipient, the Local MFI. This diligence was designed to identify any ties to specific government officials, determine whether the organization had faced any criminal prosecutions or investigations, and assess the organization’s reputation for integrity.” 

Three Key Takeaways

1. You must have enough information to fully identify the owners, ultimate beneficial owners and related parties to determine if there is foreign official involvement.
2. All commentary on best practices compliance programs require an appropriate level of due diligence.
3. The best practice is to use a professional due diligence provider to perform due diligence level 2 and 3. 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos ABAC accelerator, the leading platform for third party risk management. To learn more, go towww.opus.com.

In this episode, I visit with Adelle Berger, who recently became the Chief Integrity Officer at Louis Berger. Some of the topics we discuss are:

• Why is her title “Chief Integrity Officer” as opposed to Chief Compliance Officer or Chief Ethics and Compliance Officer?;
• What is the role of a CCO around integrity or how does she see her role at Louis Berger different that a traditional CCO?;
• Does she have any specific initiatives around ‘integrity’?;
• How can a Chief Integrity Officer help drives the values and culture in an organization;
• Her academic background is not the usual one for a compliance professional, what took her in the field; and
• How a Chief Integrity Officer is the most recent iteration of the compliance function, to Compliance 3.0.

The next step in the five-step process is the Questionnaire. The term ‘questionnaire’ is mentioned several times in the 2012 FCPA Guidance. It is generally recognized as one of the tools that a company should complete in its investigation to better understand with whom it is doing business. The questionnaire should be mandatory step for any third party that desires to work with your company. I tell clients that if a third party does not want to fill out the questionnaire or will not fill it out completely that you should not walk, but run away from doing business with such a party. 

In the 2011 UK Ministry of Justice’s (MOJ), discussion of Six Principals of an Adequate Procedures compliance program, they said the following, a Questionnaire, “means that both the business person who desires the relationship and the foreign business representative commit certain designated information in writing prior to beginning the due diligence process.” 

One of the key requirements of any successful anti-corruption compliance program is that a company must make an initial assessment of a proposed third party. The size of a company does not matter as small businesses can face quite significant risks and will need more extensive procedures than other businesses facing limited risks. The level of risk that companies face will also vary with the type and nature of the third parties with which it may have business relationships. For example, a company that properly assesses that there is no risk of bribery on the part of one of group of its third parties will require nothing in the way of procedures to prevent bribery in the context of those relationships. By the same token the bribery risks associated with reliance on a third party agent representing a company in negotiations with foreign public officials may be assessed as significant and, accordingly, requires much more in the way of procedures to mitigate those risks. 

What should you ask for in your questionnaire? Randy Corey, Executive Vice President (EVP), Global Compliance Officer at Edelmen Inc. said in a presentation at Compliance Week 2012, entitled “3rd Party Due Diligence Best Practices in Establishing an Effective Anti-Corruption Program”, that his company has developed a five-step approach in evaluating and managing their third parties. In Step 3 they ask What Do You Need To Know? Initially, Corley said that the scope of review depends on risk assessment, High Risk, Medium Risk or Low Risk. This risk ranking will determine the level of information collected and due diligence performed. The key element of this step is data collection. The initial step is to have the third party complete an application which should include requests for information on background and experience, scope of services to be provided, relevant experience, list of actual and beneficial owners, references and compliance expertise. 

Below are some of the areas which I think you should inquire into from a proposed third party include the following: 

• Ownership Structure: Describe whether the proposed third party is a government or state-owned entity, and the nature of its relationship(s) with local, regional and governmental bodies. Are there any members of the business partner related, by blood, to governmental officials?
• Financial Qualifications: Describe the financial stability of, and all capital to be provided by, the proposed third party. You should obtain financial records, audited for 3 to 5 years, if available. Obtain the name and contact information for their banking relationship.
• Personnel: Determine whether the proposed agent will be providing personnel, particularly whether any of the employees are government officials. Make sure that you obtain the names and titles of those who will provide services to your company.
• Physical Facilities: Describe what physical facilities that will be used by the third party for your work. Be sure and obtain their physical address.
• •References: Obtain names and contact information for at least three business references that can provide information on the business ethics and commercial reliability of the proposed third party.
• PEPs: Are any of the owners, beneficial owners, officers or directors politically exposed persons (PEPs).
• UBOs: It is imperative that you obtain the identity of the Ultimate Beneficial Owner (UBO).
• Compliance Regime: Does the proposed third party have an anti-corruption/anti-bribery program in place? Do they have a Code of Conduct? Obtain copies of all relevant documents and training materials.
• FCPA Training and Awareness: Has the proposed third party received FCPA training or certified by a recognizable entity? 

One thing that you should keep in mind is that you will likely have pushback from your business team in making many of the inquiries listed above. However, my experience is that most proposed agents that have done business with US or UK companies have already gone through this process. Indeed, they understand that by providing this information on a timely basis, they can set themselves apart as more attractive to US businesses. 

The questionnaire fills several key roles in your overall management of third parties. Obviously, it provides key information that you need to know about who you are doing business with and whether they have the capabilities to fulfill your commercial needs. Just as importantly is what is said if the questionnaire is not completed or is only partially completed, such as the lack of awareness of the FCPA, UK Bribery Act or anti-corruption/anti-bribery programs generally. Lastly, the information provided (or not provided) in the questionnaire will assist you in determining what level of due diligence to perform.

Three Key Takeaways

1. You must have enough information to fully identify the owners, ultimate beneficial owners and related parties to determine if there is foreign official involvement.
2. All commentary on best practices compliance programs still require questionnaires.
3. If a third party refuses to fully respond to your questionnaire, walk away from the proposed relationship. 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos ABAC accelerator, the leading platform for third party risk management. To learn more, go towww.opus.com.

In this episode Matt Kelly and I take a deep dive into the recent kerfuffle involving United Airlines and its policy which prevented to teenaged girls from boarding a flight wearing leggings. Was United within its rights to exclude the passengers for inappropriate dress? Is the policy valid? Did the gate agent receive appropriate training to make their decision? In the world of today, social media accelerates the ability to judge, without improving the ability to judge. For ethics & compliance officers, that means every compliance risk is now magnified into a reputation risk. Finally, we consider Matt's closing sentence, "Training, values, culture, judgment. Funny how those four things keep cropping up, isn’t it?" and what it means for compliance. 

For more insight, read Matt's blog post, "United's Policy Management Lessons"

The Evaluation, in Prong 10, Third Part Management asks, “What was the business rationale for the use of the third party in question?” This question is one of the most basic tools to operationalize your compliance program and should form the basis of your third-party risk management process. 

It is common sense that you should have a business rationale to hire or use a third party. If that third party is in the sales chain of your international business it is important to understand why you need to have that specific third party representing your company. This concept is enshrined in the 2012 FCPA Guidance, which says “companies should have an understanding of the business rationale for including the third party in the transaction. Among other things, the company should understand the role of and need for the third party and ensure that the contract terms specifically describe the ser­vices to be performed.” 

The Internal Revenue Service (IRS) also considers a business rationale to be an important part of any best practices anti-corruption compliance regime. Clarissa Balmaseda, a special agent in charge of Internal Revenue Service (IRS) criminal investigation, speaking at a presentation, said that the lack of business rationale to be a Red Flag, indeed the IRS views such lack of business rationale as possible indicia of corruption. With the Department of Justice; Securities and Exchange Commission and IRS all noting the importance of a business rationale, it is clear this is something you should use to operationalize your compliance program. 

But the business rationale also provides your company the opportunity to help drive compliance into the fabric of your everyday operations. This is done by requiring the employee who prepares the business rationale to be the Business Sponsor of that third party. The Business Sponsor can provide the most direct means of communication to the third party and can be the point of contact for compliance issues.

Tyco International takes this approach in its Seven Step Process for Third Party Qualification. Tyco breaks the first step into two parts, which include: 

1. Business Sponsor - Initially identify a business sponsor or primary contact for the third party within your company. This requires not only business unit buy-in but business unit accountability for the business relationship and puts the onus on each stakeholder to more fully operationalize this portion of your compliance program.
2. Business Rationale - The Business Sponsor should then articulate a commercial reason to initiate or continue to work with the third party. You need to determine how this third party will fit into your company’s value chain and whether they will become a strategic partner or will they be involved in a one-off only transaction? 

What should go into your Business Rationale? At the most basic level, you should craft a document, which works for both you as the compliance practitioner and the business folks in your company. There are some basic concepts which include the following. You need the name and contact information for both the Business Sponsor and the proposed third party. You need to inquire into how the Business Sponsor came to know about the third party because it is Red Flag is a customer or government representative points you towards a specific third party. You should inquire into what services the third party will perform for your company, the length of time and compensation rate for the third party. You will also need an explanation of why this specific third party should be used as opposed to an existing or other third party, is such were considered. All this information should be written down and then signed by the Business Sponsor. 

Another way to think about this issue is by considering the competence of foreign business partner to provide services to your organization. Such considerations include a review of the qualifications of the third-party candidate for subject matter expertise, the resources to perform the services for which they are being considered and the third party’s expected activities for your company.  More detailed inquiries include requiring the relevant business unit which desires to obtain the services of any third party to provide you with a business rationale including current opportunities in territory, how the candidate was identified and why no currently existing third party relationships can provide the requested services. Your next inquiry should focus on the terms of the engagement, including the commission rate, the term of the agreement, what territory may be covered by the agreement and if such relationship will be exclusive. 

Remember, the purpose of the Business Rationale is to document the satisfactoriness of the business case to retain a third party.  The Business Rationale should be included in the compliance review file assembled on every third party at the time of initial certification and again if the third-party relationship is renewed. As explained by the Tom Fox Mantra for compliance, this means Document Document Document.   

Three Key Takeaways

1. You should always have a business reason for using a third party which is articulated by the business folks, not compliance.
2. A Business Sponsor is the key relationship going forward in operationalizing your compliance program through the life of the third-party relationship with your company.
3. Always remember to Document Document Document. 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos ABAC Accelerator, the leading platform for third party risk management. To learn more, go to www.opus.com.

In this episode I visit with John Hanson (AKA 'the Fraud Guy') who is also the founder of the International Association of Independent Corporate Monitors (IAICM). He discusses why he founded the group, the needs it hopes to address, the resources available to members and others  and how someone can apply for membership. the Association's website is icicm.org. For additional information you can contract Hanson at jhanson@iaicm.org. Finally, ror more information see my blog post IAICM Shines a Light on Corporate Monitor. 

Day 1- The Third-Party Risk Management Process

This month, I will consider the risk management of third parties in an operationalized compliance program. As every compliance practitioner is well aware, third parties still present the highest risk under the Foreign Corrupt Practices Act (FCPA). The Department of Justice Evaluation of Corporate Compliance Programs devotes an entire prong to third party management. It begins with the following: 

Risk-Based and Integrated Processes – How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes? 

This first set of queries clearly specifies the DOJ expects an integrated approach that is operationalized throughout the company. This means your compliance must have a process for the full life cycle of third party risk management. There are five steps in the life cycle of third party management. 

1. Business Justification and Business Sponsor;
2. Questionnaire to Third Party;
3. Due Diligence on Third Party;
4. Compliance Terms and Conditions, including payment terms; and
5. Management and Oversight of Third Parties After Contract Signing. 

Over this month, I will be exploring each of these steps in detail so by the end of this month, you will be able to fully operationalize your third party risk management program. 

 Step 1 - Business Justification

The first step breaks down into two parts: 

1. Business Sponsor
2. Business Justification

The purpose of the Business Justification is to document the satisfactoriness of the business case to retain a third party. The Business Justification should be included in the compliance review file assembled on every third party at the time of initial certification and again if the third party relationship is renewed.  

Step 2 - Questionnaire

The term ‘questionnaire’ is mentioned several times in the 2012 FCPA Guidance. It is generally recognized as one of the tools that a company should complete in its investigation to better understand with whom it is doing business. I believe that this requirement is not only a key step but also a mandatory step for any third party that desires to do work with your company. I tell clients that if a third party does not want to fill out the questionnaire or will not fill it out completely that you should not walk but run away from doing business with such a party. 

One thing that you should keep in mind is that you will likely have pushback from your business team in making many of the inquiries listed above. However, my experience is that most proposed agents that have done business with US or UK companies have already gone through this process. Indeed, they understand that by providing this information on a timely basis, they can set themselves apart as more attractive to US businesses. 

Step 3 - Due Diligence

Most compliance practitioners understand the need for a robust due diligence program to investigation third parties, but have struggled with how to create an inventory to define the basis of risk of each foreign business partner and thereby perform the requisite due diligence required under the FCPA. Getting your arms around due diligence can sometimes seem bewildering for the compliance practitioner. 

Our British compliance cousins of course are subject to the UK Bribery Act. In its Six Principles of an Adequate Procedures compliance program, the UK MOJ stated, “The commercial organisation applies due diligence procedures, taking a proportionate and risk based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks.” The purpose of this principle is to encourage businesses to put in place due diligence procedures that adequately inform the application of proportionate measures designed to prevent persons associated with a company from bribing on their behalf. The MOJ recognized that due diligence procedures act both as a procedure for anti-bribery risk assessment and as a risk mitigation technique.

After you have completed Steps 1-3 and then evaluated and documented your evaluation, you are ready to move onto to Step 4 - the contract. In the area of compliance terms and conditions, the FCPA Guidance intones “Additional considerations include payment terms and how those payment terms compare to typical terms in that industry and country, as well as the timing of the third party’s introduction to the business.” This means that you need to understand what the rate of commission is and whether it is reasonable for the services delivered. If the rate is too high, this could be indicia of corruption as high commission rates can create a pool of money to be used to pay bribes. If your company uses a distributor model in its sales side, then it needs to review the discount rates it provides to its distributors to ascertain that the discount rate it warranted. 

Step 4 - The Contract

You must evaluate the information and show that you have used it in your process. If it is incomplete, it must be completed. If there are Red Flags, which have appeared, these Red Flags must be cleared or you must demonstrate how you will manage the risks identified. In others words you must Document, Document and Document that you have read, synthesized and evaluated the information garnered in Steps 1-3. As the DOJ and SEC continually remind us, a compliance program must be a living, evolving system and not simply a ‘Check-the-Box’ exercise.

Step 5 - Management of the Relationship

I often say that after you complete Steps 1-4 in the life cycle management of a third party, the real work begins and that work is found in Step 5– the Management of the Relationship. While the work done in Steps 1-4 are absolutely critical, if you do not manage the relationship it can all go downhill very quickly and you might find yourself with a potential FCPA or UK Bribery Act violation. There are several different ways that you should manage your post-contract relationship. Here we will explore some of the tools which you can use to help make sure that all the work you have done in Steps 1-4 will not be for naught and that you will have a compliant anti-corruption relationship with your third party going forward. 

Final Thoughts 

I continually give my Mantra of FCPA compliance, which is Document, Document, and Document. Each of the steps you take in the management of your third parties must be documented. Not only must they be documented but they must be stored and managed in a manner that you can retrieve them with relative ease. The management of third parties is absolutely critical in any best practices compliance program. As you sit at your desk pondering whether this assignment given to you by the CCO is a career-ending dead-end; you should take heart because there is clear and substantive guidance out there which you can draw upon. 

Three Key Takeaways

1. Use the full 5-step process for 3rd party management.
2. Make sure you have BD involvement and buy-in.
3. Operationalize all steps going forward by including business unit representatives. 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos ABAC Accelerator, the leading platform for third party risk management. To learn more, go to www.opus.com.

I conclude my One Month to Operationalizing your Compliance Program series by discussing how you can put your compliance program at the center of corporate strategy. An article in the Harvard Business Review (HBR) by Frank Cespedes, entitled “Putting Sales at the Center of Strategy”, discussed how to connect up management’s new sales plans with the “field realities.” Referencing the well-known Sam Waltonism that “There ain’t many customers at headquarters”; Cespedes believes that “If you and your team can’t make the crucial connections between strategy and sales, then no matter how much you invest in social media or worry about disruptive innovations, you may end up pressing for better execution when you actually need a better strategy or changing strategic direction when you should be focusing on the basics in the field.” 

This can be a critical problem when operationalizing compliance because operationalizing compliance is usually perceived as a top-down exercise. The reality that the employee base that must execute the compliance strategy is not considered. Even when there are comments from employees on compliance initiatives they are often derisively characterized as ‘push-back’ and not taken into account in moving the compliance effort forward. 

Communicate the Strategy 

It can be difficult for an employee base to implement a strategy that they do not understand. Even with a company wide training rollout, followed by “a string of e-mails from headquarters and periodic reports back on results. There are too few communications, and most are one-way; the root causes of underperformance are often hidden from both groups.” Here Cespedes’ insight is that clarification is a leadership responsibility and in the compliance function that means the Chief Compliance Officer (CCO) or other senior compliance practitioner. Moreover, if the problem is that employees do not understand how to function within the parameters of the compliance program, then there is a training problem and that is the fault of the compliance department. I once was subjected to a PowerPoint of 268 slides, which lasted 7.5 hours, about my company’s compliance regime. To say this was worse than useless was accurate. The business guys were all generally asleep one hour into the presentation as we went through the intricacies of the books and records citations to the FCPA. The training was a failure but it was not the fault of the attendees. If your own employees do not understand your compliance program that is your fault. 

Continually improve your compliance productivity

Why not do the incentivize productivity around compliance? Work with your Human Resources (HR) department to come up with appropriate financial incentives. Many companies have ad hoc financial awards, which they present to employees to celebrate and honor outstanding efforts. Why not give out something like that around doing business in compliance? Does your company have, as a component of its bonus compensation plan, a part dedicated to compliance and ethics? If so, how is this component measured and then administered? There is very little in the corporate world that an employee notices more than what goes into the calculation of their bonuses. HR can, and should, facilitate this process by setting expectations early in the year and then following through when annual bonuses are released. With the assistance of HR, such a bonus can send a powerful message to employees regarding the seriousness with which compliance is taken at the company. There is nothing like putting your money where your mouth is for people to stand up and take notice.  

Improve the human element in your compliance program 

This is another area where HR can help the compliance program. More than ongoing assessment of employees for promotion into leadership positions, here HR can assist on the ground floor. HR can take the lead in asking questions around compliance and ethics in the interview process. Studies have suggested that certainly Gen Y & Xers appreciate such inquiries and want to work for companies that make such business ethics a part of the discussion. By having the discussion during the interview process, you can not only set expectations but you can also begin the training process on compliance. 

However, this approach should not end when an employee is hired. HR can also assist your compliance efforts by tracking employees through their company career to identify those who perform high in any compliance metric. This can also facilitate the delivery on more focused compliance training to those who may need it because of changes on compliance risks during their careers. 

Make your compliance strategy relevant 

Cespedes notes, “Most C-suite executives know these value-creation levers, but too few understand and operationalize the sales factors that affect them.” In the sales world this can translate into a reduction in assets to underperforming activities. This is all well and good but such actions must be coupled with an understanding of why sales might be underperforming in certain areas. In the compliance realm, I think this translates into two concepts, ongoing monitoring and risk assessment. Ongoing monitoring can allow you to move from a simple prevent mode to a more prescriptive mode; where you can uncover violations of your company’s compliance program before they become full blown FCPA violations. By using a risk assessment, you can take the temperature of where and how your company is doing business and determine if new products or service offerings increase your compliance risks. 

Above all, you need to get out and tell the compliance story. Louis D’Amrosio was quoted for the following, “You have to repeat something at least 10 times for an organization to fully internalize it.” If there is a disconnect between your compliance strategy and how your employee base is implementing or even interpreting that strategy, get out of the office and go out to the field. But you need to do more that simply talk you also need to listen. By doing so, can help to align your company’s compliance strategy with both the delivery and in the field. 

Three Key Takeaways

1. Use information from your employees to make your compliance program more productive.
2. Use social media and other innovative techniques to communicate your compliance strategy.
3. Operationalize Operationalize Operationalize, then Document Document Document. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Show Notes for Episode 46, for the week ending March 31, the On the Road to Prague Edition 

In this episode, Jay and I have a wide-ranging discussion on operationalizing compliance through business processes. We discuss: 

1. Why powerful people fail to stop bad behavior by their underlings. Click here for the article.
2. Some policy management lesson, courtesy United Airlines. Click here for Matt Kelly’s article on Radical Compliance.
3. Why you shouldn’t linger too long in the wrong compliance position. See Julie DiMauro’s blog post on the FCPA Blog.
4. Bribe recipient in the Gerald and Patricia Green FCPA case gets 50 years in prison. See article in the FCPA Blog.
5. Using data to operationalize your compliance program. Read Tom’s blog post, by clicking here.
6. What the New York state Department of Financial Services new regulation on cybersecurity for financial services companies means for compliance officers. See Tom’s blog post by clicking here.
7. Jay previews his weekend report. 

Jay Rosen new contact information: 

Jay Rosen, CCEP

Vice President, Business Development

Monitoring Specialist 

Affiliated Monitors, Inc.

Mobile (310) 729-6746

Toll Free (866)-201-0903

JRosen@affiliatedmonitors.com

The Evaluation of Corporate Compliance Programs, Prong 6, Incentives and Disciplinary Measures states: 

Incentive System – How has the company incentivized compliance and ethical behavior? How has the company considered the potential negative compliance implications of its incentives and rewards? Have there been specific examples of actions taken (e.g., promotions or awards denied) as a result of compliance and ethics considerations?

How can you measure compliance in senior management or evaluate it for the purposes of a bonus calculation? This issue has often been difficult to sustain in a company because the compliance evaluation of whether a senior manager or company leader is often viewed as too subjective. An article entitled, “Integrating Your Compliance Programme Into the Variable Compensation of Executives, addressed these issues and concerns. 

The article was built around a case study of the Sorin Group, a healthcare multinational, and the company’s incentive program for its compliance regime. The company created such an incentive program to “influence actual behaviors, and not merely the consequences of any wrong doing that may occur.” Compliance has been made an integral part of each manager’s performance objectives. Members on the company’s Executive Leadership Team (ELT) and the other leaders of all its corporate functions and “business units are directly responsible for the culture, understanding, observance and adoption of the Sorin Code of Conduct, the Sorin United States and international compliance policies and procedures” and their respective health industry codes of practice.

Each of the different functions within the Sorin Group has adopted individual performance objectives specifically regarding compliance. The individualized “compliance objectives are agreed and documented every year for each function and senior manager, and form part of the process of continuous performance review (written reviews twice yearly) managed by Sorin’s human resources team. The responsible executive of each function or group is required to cascade each of the compliance obligations to those employees under them. This ensures that the whole company has compliance integrated into their variable remuneration.” 

The company’s evaluation process includes the staff that report to each senior executive who are interviewed by the General Counsel (GC) or other member of the compliance function “to determine their adherence to the compliance objectives.” Additionally, “An assessment is performed alongside line managers and a member of the human resources team to determine whether the obligations have been met, and to what extent.” Lastly, this same system applies to the company’s Board of Directors and Chief Executive Officer (CEO). 

The variable compensation awarded at the end of each year can be affected in two ways by this compliance evaluation. The first is for an entire group and “If a group fails to meet expectations for the specific objectives the executive and their whole team will miss out on the entire variable pay for that year.” But “If a group meets some expectations for the compliance objectives they will receive payment of the variable, with the amount dependent on the amount of objectives that have been met.” The same holds true for the individual within the group so that “if an employee fails to meet his or her compliance objectives, the whole bonus for that employee will remain unpaid.” 

Some examples of compliance obligations that are measured and evaluated include the following: 

For the ELT

• Lead from the top – in your own conduct (lead by example) and in the decisions you take, to the resources and time you commit to compliance;
• Facilitate and proactively practice in day-to-day activities the key compliance competencies, both internally and externally; and
• Support specific initiatives from the CCO, compliance function.

For Department Heads

• Demonstrate, facilitate and proactively practice in day-to-day activities the key compliance competencies, both internally and externally;
• Support specific initiatives from the compliance function;
• Ensure that all employees, agents and contractors directly or indirectly reporting to you fully complete all required training and communications in a timely manner;
• Provide full cooperation with investigations conducted by the compliance or legal functions of any alleged violation of compliance policies;
• Include the Chief Compliance Officer or another legal or compliance function representative in your management meetings at least twice per year, per geography;
• Identify instances of non-compliance and support compliance monitoring and reporting systems; and
• Partner with compliance in resolving compliance issues.

For Country Heads of Sales

• Certify that all employees, agents and contractors directly or indirectly reporting to you have fully reported all sales and marketing interactions with all government officials or employees of state-owned enterprises in a timely manner and
• Certify that all employees, agents and contractors directly or indirectly reporting to you have fully, promptly and accurately reported all expenses with government officials or employees of state-owned enterprises on ERP. 

The article also speaks of five things to consider when developing such a compliance incentive program.  (1) The program needs to be cascaded down the organization so that it applies to all levels in the company. (2) Include both a 360 degree review and mid-year review. (3) To truly incentive senior management, the compliance objectives should be at least 25% of the overall discretionary bonus program. (4) Do not have simply ‘tick-the-box’ incentives but include subject incentives. 

As the final item to consider, is you need to have SMART compliance objectives, which are defined as: 

• Specific: A specific objective has a much greater chance of being accomplished than a general objective (e.g don’t just say “ensure training has been completed by your team”, say;
  • Who: who needs to be trained?
  • What: what training objectives do you want to accomplish?
  • Where: identify a location for the training
  • When: establish a time frame for the training to be completed
  • Which: identify requirements and constraints for any training
  • Why: provide specific reasons, purpose or benefits of accomplishing the training objective.
• Measurable: Establish concrete criteria for measuring progress toward the attainment of each objective you set.
• Aggressive but attainable: When you identify objectives that are most important to the compliance function and the relevant business, employees are more likely to see the value in making them come true.
• Realistic: To be realistic, an objective must represent something which you are both willing and able to work toward.
• Timely: An objective should be grounded within a timeframe. 

The article ends with some insights into lessons learned, including the following: 

• Top down: If your ELT is truly on board you can make big leaps and not limit your compliance ambitions to incremental steps.
• Personalize: The objectives should be more personal to each function and more granular.
• Balance: Have qualitative judgments but couple them with concrete and - most importantly - objective and measurable key performance indicators.
• Publicize: Talking about the real company examples of its people make the difference.
• Be positive: Focus your company’s efforts on positive incentive behaviors. In other words, use both the stick and carrot.
• Just do it: Stop talking the talk and start walking the walk. 

The Evaluation makes clear that the Department of Justice expects incentives to be operationalized into your compensation structure. While there may always be subjectivity built into any compensation incentive system, that does not mean financial incentives cannot be written into the evaluation of any senior management to help guide ethical business practices. 

Three Key Takeaways

1. The Evaluation requires not only carrots around compliance but metrics to justify compensation.
2. Provide metrics for each level of employee to hit as a part of a discretionary bonus evaluation.
3. Up to 25% of a discretionary bonus should be based on compliance or an ethical component. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

In this episode I visit with Brandon Essig, a former DOJ prosecutor when the Yates Memo was released. He discusses the impact of the Yates Memo inside the DOJ and the triage that prosecutors use on cases in response. For Brandon's blog post on the topic on Linkedin, click here. 

Even with a great Tone-At-the-Top and in the middle, you cannot stop. One of the greatest challenges of a compliance practitioner is how to affect the ‘tone at the bottom’. In an article in the Spring 2012 Issue of the MIT Sloan Management Review, entitled “Uncommon Sense: How to Turn Distinctive Beliefs Into Action”, authors explored the “often overlooked, critical source of differentiation is [a] company’s beliefs” and provided techniques on how to tap into these beliefs. The authors listed seven approaches that they have used which I believe that the compliance practitioner can use to not only determine ‘Tone at the Bottom” but to impact that tone. They are as follows: 

1. Assemble a group. You need to assemble a group of employees who are familiar with the challenges of doing business in a compliant manner in certain geographic regions. Include both long-time employees and those who are relatively new to the organization. The authors also suggest that if you have any employees who have worked for competitors or for other organizations in your industry you include them as well.
2. Ask questions. You should ask the members of this group to articulate their basic assumptions about your compliance model, about the management model, about your company’s business model and the future of the industry in general. Ask them to do this individually and not as a group.
3. Categorize the responses. Now comes the work by the compliance practitioner or compliance team. These assumptions will usually fall into two groups. The first is assumptions that everyone agrees upon-the common beliefs. The second is those assumptions that only a few of the participants will identify – this is what the authors call the “uncommon beliefs”.
4. Develop tests for common beliefs. For those beliefs that are labeled common - you should consider how you know these to be true? The authors caution that simply because the group may believe that the company operates a common industry or that we “do it because it has always been done this way” is necessarily a “hard fact.” Consider what test you could perform to verify the common belief that you desire to test. The authors note that the purpose here is to “identify the ‘common nonsense’ beliefs that everyone holds that are not actually hard laws of nature.”
5. Develop tests for uncommon beliefs. Here the authors suggest that you need to consider why some people think that these beliefs are true. What is the information or experience that they have drawn upon? Is there any way for you to test these uncommon beliefs?
6. Reassemble the original group. You should reassemble the original group and have them consider the beliefs that were articulated by them individually in the context of your compliance model and how both your company and your industry do business. Lead a discussion that attempts to identify any assumptions or beliefs that ‘are quite possibly wrong, but worth experimenting with anyway.”
7. List of Experiments to perform. The authors believe that the outcome of the first six steps will be “a list of possible experiments [tests] to conduct” to determine the validity of the common and uncommon beliefs. These tests can be accomplished in the regular course of business, through a special project with a special team and separate budget. You should agree on the testing process and review your testing assumptions throughout the process. This process can and should take some time so do not set yourself such a tight time frame that it cannot be fully matured.

By engaging employees at this level, you can find out not only what the employees think about the company compliance program but use their collective experience to help design a better and more effective compliance program. Employees want to do business in an ethical manner. Given the chance to engage in business the right way, as opposed to cheating; will win the hearts and minds of your employees almost all the time. By using the protocol suggested by the authors you can not only find out the effect of your company’s compliance program on the employees at the bottom but you can affect it as well. 

Mike Volkov said in an article entitled, “Mood in the Middle Versus Tone at the Top” that “Even when a company does all the right things at the senior management level, the real issue is whether or not that culture has embedded itself in middle and lower management.  A company’s culture is reflected in the values and beliefs that exist throughout the company.” To fully operationalize your compliance program, you must find a way to articulate and then drive the message of ethical values and doing business in compliance with such anti-corruption laws such as the FCPA from the top down, throughout your organization. 

Three Key Takeaways

1. How is your compliance embedded at the bottom of your organization?
2. Use of social media can help set the tone at the bottom.
3. A company’s culture is reflected in the values and beliefs that exist throughout the company-make certain you assess it and use that information going forward. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

In this episode I visit with Jonathan Armstrong on his views on the new DOJ Evaluation of Corporate Compliance Programs. Armstrong provides a detailed analysis of some of the key differences between how compliance is operationalized in the US as opposed to the UK and EU countries. He explains how the enhanced requirements for root cause analysis, risk assessments and investigations and the supplemented requirements to tie back into the ongoing compliance monitoring and updating, could run afoul of UK and EU data protection and data privacy requirements.  He also considers what a non-US company, subject to the FCPA what should look to as a best practices compliance program to best protect the organization. Finally explores just how far does all of this go? He provides on statistic that puts a huge bow on the difficulties going forward. 

For the Cordery Compliance article see the following, US Department of Justice on Evaluation of Corporate Compliance : how does it compare to UK Bribery Act 2010?

The Evaluation of Corporate Compliance Programs makes clear, a company must have more than simply at good ‘Tone-at-the-Top’; it must move it down through the organization from senior management down to middle management and into its lower ranks. This means that one of the tasks of any company, including its compliance organization is to get middle management to respect the stated ethics and values of a company, because if they do so, this will be communicated down through the organization. Adam Bryant, writing in the NYT in an article entitled, “If the Supervisors Respect Values, So Will Everyone Else”; explored this topic when he interviewed Victoria Ransom, the Chief Executive Officer (CEO) of Wildfire, a company which provides social media marketing software.

Ransom spoke about the role of senior management in communicating ethical values when she was quoted as saying “Another lesson I’ve learned as the company grows is that you’re only as good as the leaders you have underneath you. And that was sometimes a painful lesson. You might think that because you’re projecting our values, then the rest of the company is experiencing the values.” These senior managers communicate what the company’s ethics and values are to middle management. So, while tone at the top is certainly important in setting a standard, she came to appreciate that it must move downward through the entire organization. Bryant wrote that Ransom came to realize “that the direct supervisors become the most important influence on people in the company. Therefore, a big part of leading becomes your ability to pick and guide the right people.”

Ransom said that when the company was young and small they tried to codify their company values but they did not get far in the process “because it felt forced.” As the company grew she realized that their values needed to be formalized and stated for a couple of reasons. The first was because they wanted to make it clear what was expected of everyone and “particularly because you want the new people who are also hiring to really know the values.” Another important reason was that they had to terminate “a few people because they didn’t live up to the values. If we’re going to be doing that, it’s really important to be clear about what the values are. I think that some of the biggest ways we showed that we lived up to our values were when we made tough decisions about people, especially when it was a high performer who somehow really violated our values, and we took action.” These actions to terminate had a very large effect on the workforce. Ransom said that “it made employees feel like, “Yeah, this company actually puts its money where its mouth is.””

Ransom wanted to make clear to everyone what senior management considered when determining whether employees “are living up to the company culture.” The process started when she and her co-founder spent a weekend writing down what they believed the company’s values were. Then they sat down with the employees in small groups to elicit feedback. Her approach was to look for what they wanted in their employees.

• Passion: Do you really have a thirst and appetite for your work?
• Humility and Integrity: Treat your co-workers with respect and dignity.
• Courage: Speak up - if you have a great idea, tell us, and if you disagree with people in the room, speak up.
• Curiosity: They wanted folks who would constantly question and learn, not only about the company but about the industry.
• Impact: Are you having an impact at the company?
• Be outward-looking: Do good and do right by each other.

Ransom had an equally valuable insight when she talked about senior management and ethical values. She believes that “the best way to undermine a company’s values is to put people in leadership positions who are not adhering to the values. Then it completely starts to fall flat until you take action and move those people out, and then everyone gets faith in the values again. It can be restored so quickly. You just see that people are happier.”

What should the tone in the middle be? That is, what should middle management’s role be in the company’s compliance program? This role is critical because the majority of company employees work most directly with middle, rather than top management and consequently, they  will take their cues from how middle management will respond to a situation. Moreover, middle management must listen to the concerns of employees. Even if middle management cannot affect a direct change, it is important that employees need to have an outlet to express their concerns. Therefore your organization should training middle managers to enhance listening skills in the overall context of providing training for their ‘Manager’s Toolkit’. This can be particularly true if there is a compliance violation or other incident which requires some form of employee discipline. Most employees think it important that there be “organizational justice” so that people believe they will be treated fairly. He further explained that without organization justice, employees typically do not understand outcomes but if there is perceived procedural fairness that an employee is more likely accept a decision that they may not like or disagree with.

Employees often look to their direct supervisor to determine what the tone of an organization is and will be going forward. Many employees of a large, multi-national organization may never have direct contact with the CEO or even senior management. By moving the values of compliance through an organization into the middle, you will be in a much better position to inculcate these values and operationalizing compliance with them.

Three Key Takeaways

1. Tone at the tops- direct supervisors become the most important influence on people in the company.
2. Give your middle managers a Tool Kit around compliance so they can fully operationalize compliance.
3. Organizational justice is a further way to help operationalize compliance.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

In this episode, we take a look at a recent speech given by NY Fed Chairman William Dudley in London where he addressed improving corporate culture. Dudley provided three recommended steps. First, a bank must decide on its purpose and core values—or, as Dudley put it, “What are you for?” Second, after this identification of purposes and values, you can measure how well the workforce is striving to achieve that purpose. Third a bank can set its incentives so employees work harder to achieve those goals. As usual, Matt and I take a deep dive into the issue of enhancing corporate culture. For more on the speech, see Matt's blog post on Radical Compliance entitled, "Great Speech About Improving Corporate Culture".

Under the Evaluation of Corporate Compliance Programs, Prong 2, it states:

2. Senior and Middle Management

Conduct at the Top – How have senior leaders, through their words and actions, encouraged or discouraged the type of misconduct in question? What concrete actions have they taken to demonstrate leadership in the company’s compliance and remediation efforts? How does the company monitor its senior leadership’s behavior? How has senior leadership modelled proper behavior to subordinates?

This requirement is more than simply the ubiquitous ‘tone-at-the-top’ as here the Justice Department wants to see a company’s senior leadership actually doing compliance. How can senior management operationalize compliance going forward? One of the best places to start is the article from the Harvard Business Review by Professor Lynn Paine entitled, “Managing for Organizational Integrity”. Larry Thompson, former PepsiCo Senior Vice President of Governmental Affairs, General Counsel and Secretary, discussed the work of Professor Paine in citing five factors, which he believed were critical in establishing an effective integrity program and to set the right “Tone at the Top”.

1. The guiding values of a company must make sense and be clearly communicated.
2. The company’s leader must be personally committed and willing to take action on the values.
3. A company’s systems and structures must support its guiding principles.
4. A company’s values must be integrated into normal channels of management decision-making and reflected in the company’s critical decisions.
5. Managers must be empowered to make ethically sound decisions on a day-to-day basis.

David Lawler, in his book, Frequently Asked Questions in Anti-Bribery and Corruption  boiled it down as follows “Whatever the size, structure or market of a commercial organization, top-level management’s commitment to bribery prevention is likely to include communication of the organization’s anti-bribery stance and appropriate degree of involvement in developing bribery prevention procedures.” Lawler went on to provide a short list of points that he suggests senior management engage in to communicate the type of tone to follow an anti-corruption regime.” I had a CEO of a client, who after I described his role in operationalizing his company’s compliance program observed the following, “You want me to be the ambassador for compliance.” I immediately averred in the affirmative. The following is a list of things that a CEO can do as an ‘Ambassador of Compliance’

• Reject a ‘do as I say, not as I do’ mentality;
• Not just ‘talk-the-talk’ but ‘walk-the-walk’ of compliance;
• Oversee creation of a written statement of a zero tolerance towards bribery and corruption;
• Appoint and fully resource, with money and headcount, a Chief Compliance Officer;
• Oversee the development of a Code of Conduct and written compliance program implementing it;
• Ensure there are compliance metrics on all key business reports;
• Provide leadership to middle managers to facilitate filtering of the zero tolerance message down throughout the organization;
• Not only have a whistleblowing, reporting or speak up channel but celebrate it;
• Keep talking about doing the right thing;
• Make sure that you are seen providing your Chief Compliance Officer with access to yourself and the Board of Directors.

Coming at it from a different perspective, author Martin Biegelman provides some concrete examples in his book entitled, “Building a World Class Compliance Program – Best Practices and Strategies for Success”. Biegelman begins the chapter discussed in this posting with the statement “The road to compliance starts at the top.” There is probably no dispute that a company takes on the tone of its top management. In this chapter Biegelman cites to a list used by Joe Murphy of actions that a CEO can demonstrate to set the requisite tone from the Captain’s Chair of any business. The list is as follows:

1. Keep a copy of the Constitution on your Desk. Have a dog-eared copy of your company’s Code of Conduct on your desktop and be seen using it.
2. Clout. Make sure your compliance department has authority, influence and budget within the company. Have your Chief Compliance Officer (CCO) report directly to the Board of Directors.
3. Make them Accountable. At Senior Executive meetings, have each participant report on what they have done to further the compliance function in their business unit.
4. Sticks and Carrots. Have both sanctions for violation of company compliance and ethics policies and incentives for doing business in a compliant manner.
5. Don’t do as I say, Do as I do. Turn down an expensive dinner or trip offered by a vendor. Pass on a gift that you may have received. Turn down a transaction based upon ethical considerations.
6. Be a Student. Be seen at intra-company compliance training. Take a one or two day course or attend a compliance conference outside your organization.
7. Award Compliance. You should recognize outstanding compliance efforts with companywide announcements and awards.
8. The Board. Recruit a nationally known compliance expert to sit on your company’s Board and chair the audit or compliance committee.
9. Independent Review. Obtain an independent, outside review of your company’s compliance program and report the results to the Board’s Audit Committee.
10. Mandate that all vendors in your Supply Chain embrace compliance and ethics as a business model. If not, pass on doing business with them.
11. Talk to others in your industry and your peers on how to improve your company’s compliance efforts.

Many companies struggle with some type of metric which can be used for upper management regarding compliance and communication of a company’s compliance values. One technique might be to require the CEO to post companywide emails or other communications once a quarter on some compliance related topic. The CEO’s direct reports would then also be required to email their senior management staff a minimum of once per quarter on a compliance topic. One can cascade this down the company as far as is practicable. Reminders can be set for each communication so that all personnel know when it is time to send out the message. If these communications are timely made, this metric has been met.

Three Key Takeaways

1. Senior management must actually do compliance; walk-the-walk, not simply talk-the-talk.
2. Use your CEO to talk about current events and how those ethical failures are lessons to be learned for your organization.
3. CEO as Compliance Ambassador.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

In  this episode, I visit with Erica Salmon Bryne, EVP at Ethisphere on the 2017 World's Most Ethical Companies honorees. Erica goes into how the corporate compliance programs are evaluated, what the companies disclose to Ethisphere and how the winners consistently demonstrate compliance is good for business. Check out more information on Ethisphere's site by clicking here. 

In this episode, Jay and I have a wide-ranging discussion on why good compliance and is good for business. We discuss: 

1. LRN Ethics and Compliance Program Effectiveness Report. Click here for Report.
2. Ethisphere’s 2017 World’s Most Ethical Companies. Click here for Report.
3. Why good compliance is good for business. See Tom’s blog post.
4. Women in compliance: A key to organizational diversity. See article in the FCPA Blog.
5. ECI Podcast: Engaging With Your Monitor: Best Practices from ECI’s Independent Monitor Benchmarking Group. To listen to the podcast, click here.
6. Jay previews his weekend report.
7. Tom previews a presentation he will give with Jenny O’Brien and Roy Snell at the SCCE European Ethics and Compliance Institute in April. Jay previews a presentation at the same event by Eric Feldman of Affiliated Monitors. For more information on the event, check it out by clicking here. 

Jay Rosen new contact information:

Jay Rosen, CCEP

Vice President, Business Development

Monitoring Specialist 

Affiliated Monitors, Inc.

Mobile (310) 729-6746

Toll Free (866)-201-0903

JRosen@affiliatedmonitors.com

The Department of Justice Evaluation of Corporate Compliance Programs states, in Prong 10, Third Party Relationships: 

Management of Relationships – How has the company considered and analyzed the third party’s incentive model against compliance risks? How has the company monitored the third parties in question? How has the company trained the relationship managers about what the compliance risks are and how to manage them? How has the company incentivized compliance and ethical behavior by third parties? 

If you do not manage the relationship it can all go downhill very quickly and you might find yourself with a potential FCPA violation. Now the DOJ has explicitly adopted this approach as a key determination of whether you have operationalized your compliance program. There are several different ways that you should manage your post-contract relationship. 

Relationship Manager 

There should be a Relationship Manager for every third party which the company does business with through the sales chain. The Relationship Manager should be a business unit employee who is responsible for monitoring, maintaining and continuously evaluating the relationship between your company and the third party. Some of the duties of the Relationship Manager may include: 

• Point of contact with the Third Party for all compliance issues;
• Maintaining periodic contact with the Third Party;
• Meeting annually with the Third Party to review its satisfaction of all company compliance obligations;
• Submitting annual reports summarizing services provided by the Third Party;
• Assisting the company’s compliance function with any issues with respect to the Third Party.

The Relationship Manager can be the Business Sponsor who prepared the Business Rationale discussed on Day 17. By using the Business Sponsor as the Relationship Manager, your company will further operationalize compliance by continuing to have the business unit lead the front-line relationship, communications and contact with the third party. As noted compliance commentator Scott Moritz has said, “This puts the onus on each stakeholder.”

Compliance Professional 

Just as a company needs a subject matter expert (SME) in anti-bribery compliance to be able to work with the business folks and answer the usual questions that come up in the day-to-day routine of doing business internationally, third parties also need such a resource. A third party may not be large enough to have its own compliance staff so any company using third party representatives should provide a dedicated resource to third parties. This will not create a conflict of interest nor are other legal impediments to providing such services. They can also include anti-corruption training for the third party, either through onsite or remote mechanisms. The compliance practitioner should work closely with the relationship manager to provide advice, training and communications to the third party. 

Third Party Oversight Committee 

A Third Party Oversight Committee further operationalizes compliance. It review all documents relating the full panoply of a third party’s relationship with a company. It can be a formal structure or some other type of group but the key is to have the senior management put a ‘second set of eyes’ on any third party who might represent a company on the sales side. In addition to the basic concept of process validation of your management of third parties, as third parties are recognized as the highest risk in anti-corruption compliance, this is a manner to deliver additional management of that risk. 

After the commercial relationship has begun the Third Party Oversight Committee should monitor the third party relationship on no less than an annual basis.  This annual audit should include a review of remedial due diligence investigations and evaluation of any new or supplement risk associated with any negative information discovered from a review of financial audit reports on the third party. The Third Party Oversight Committee should review any reports of any material breach of contract including any breach of the requirements of the Company Code of Ethics and Compliance.  In addition to the above remedial review, the Third Party Oversight Committee should review all payments requested by the third party to assure such payment are within the company guidelines and are warranted by the contractual relationship with the third party. Lastly, the Third Party Oversight Committee should review any request to provide the third party any type of non-monetary compensation.  

Audit

A key tool in operationalizing the relationship with a third party post-contract is auditing the relationship. You should secured audit rights, as that is an important clause in any compliance terms and conditions. Your audit should be a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which your compliance terms and conditions are followed. Noted fraud examiner expert Tracy Coenen described the process as one to (1) capture the data; (2) analyze the data; and (3) report on the data, which is also appropriate for a compliance audit. As a base line, any audit of a third party include, at a minimum, a review of the following: 

1. the effectiveness of existing compliance programs and codes of conduct;
2. the origin and legitimacy of any funds paid to Company;
3. books, records and accounts, or those of any of its subsidiaries, joint ventures or affiliates, related to work performed for, or services or equipment provided to, Company;
4. all disbursements made for or on behalf of Company; and
5. all funds received from Company in connection with work performed for, or services or equipment provided to, Company.

Three Key Takeaways

1. Management of the third party relationship is the key step in determining the effectiveness of your compliance program in this risk area.
2. By using non-compliance functions, such as the Business Sponsor or Relationship Manager you more fully operationalize your compliance program.
3. Never forget to put a second set of eyes on all third party relationships.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

The Evaluation, in Prong 10, Third Part Management asks, “What was the business rationale for the use of the third party in question?” This question is one of the most basic tools to operationalize your compliance program and should form the basis of your third party risk management process. 

It is common sense that you should have a business rationale to hire or use a third party. If that third party is in the sales chain of your international business it is important to understand why you need to have a particular third party representing your company. This concept is enshrined in the FCPA Guidance, which says “companies should have an understanding of the business rationale for including the third party in the transaction. Among other things, the company should understand the role of and need for the third party and ensure that the contract terms specifically describe the ser­vices to be performed.” 

The Internal Revenue Service (IRS) also considers a business rationale to be an important part of any best practices anti-corruption compliance regime. Clarissa Balmaseda, a special agent in charge of Internal Revenue Service (IRS) criminal investigation, speaking at a presentation, said that the lack of business rationale to be a Red Flag, indeed the IRS views such lack of business rationale as possible indicia of corruption. With the Department of Justice; Securities and Exchange Commission and IRS all noting the importance of a business rationale, it is clear this is something you should use to operationalize your compliance program. 

But the business rationale also provides your company the opportunity to help drive compliance into the fabric of your everyday operations. This is done by requiring the employee who prepares the business rationale to be the Business Sponsor of that third party. The Business Sponsor can provide the most direct means of communication to the third party and can be the point of contact for compliance issues.

Tyco International takes this approach in its Seven Step Process for Third Party Qualification. Tyco breaks the first step into two parts, which include: 

1. Business Sponsor - Initially identify a business sponsor or primary contact for the third party within your company. This requires not only business unit buy-in but business unit accountability for the business relationship and puts the onus on each stakeholder to more fully operationalize this portion of your compliance program.
2. Business Rationale - The Business Sponsor should then articulate a commercial reason to initiate or continue to work with the third party. You need to determine how this third party will fit into your company’s value chain and whether they will become a strategic partner or will they be involved in a one-off only transaction?

So what should go into your Business Rationale? At the most basic level, you should craft a document, which works for both you as the compliance practitioner and the business folks in your company. There are some basic concepts which include the following. You need the name and contact information for both the Business Sponsor and the proposed third party. You need to inquire into how the Business Sponsor came to know about the third party because it is Red Flag is a customer or government representative points you towards a specific third party. You should inquire into what services the third party will perform for your company, the length of time and compensation rate for the third party. You will also need an explanation of why this specific third party should be used as opposed to an existing or other third party, is such were considered. All this information should be written down and then signed by the Business Sponsor. 

Another way to think about this issue is by considering the competence of foreign business partner to provide services to your organization. Such considerations would include a review of the qualifications of the third party candidate for subject matter expertise, the resources to perform the services for which they are being considered and identifying the third party’s expected activities for your company.  More detailed inquiries include requiring the relevant business unit which desires to obtain the services of any third party to provide you with a business rationale including current opportunities in territory, how the candidate was identified and why no currently existing third party relationships can provide the requested services. Your next inquiry should focus on the terms of the engagement, including the commission rate, the term of the agreement, what territory may be covered by the agreement and if such relationship will be exclusive. 

Remember, the purpose of the Business Rationale is to document the satisfactoriness of the business case to retain a third party.  The Business Rationale should be included in the compliance review file assembled on every third party at the time of initial certification and again if the third-party relationship is renewed. As explained by the Tom Fox Mantra for compliance, this means Document Document Document.    

Three Key Takeaways

1. You should always have a business reason for using a third party which is articulated by the business folks, not compliance.
2. A Business Sponsor is the key relationship going forward in operationalizing your compliance program through the life of the third-party relationship with your company.
3. Always remember to Document Document Document. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.