As every compliance practitioner is well aware, third-parties still present the highest risk under the FCPA. The Department of Justice Evaluation of Corporate Compliance Programs devotes an entire prong to third-party management. It begins with the following: 

How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes? 

What was the business rationale for the use of the third-parties in question? What mechanisms have existed to ensure that the contract terms specifically described the services to be performed, that the payment terms are appropriate, that the described contractual work is performed, and that compensation is commensurate with the services rendered?  

This first set of queries clearly specifies that the DOJ expects an integrated approach that is operationalized throughout the company. This means your compliance process must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party risk management, which will fulfill the DOJ requirements laid out in the 10 Hallmarks of an Effective Compliance Program and the Evaluation. They are:   

1. Business Justification and Business Sponsor;
2. Questionnaire to Third-party;
3. Due Diligence on Third-party;
4. Compliance Terms and Conditions, including payment terms; and
5. Management and Oversight of Third-parties After Contract Signing.

To purchase a copy of The Complete Compliance Handbook on Amazon.com click here.

To purchase an autographed copy of The Complete Compliance Handbook from the author click here.

The call, e-mail or tip comes into your office; an employee reports suspicious activity somewhere across the globe. That activity might well turn into a FCPA issue for your company. As the CCO, it will be up to you to begin the process which will determine, in many instances, how the company will respond going forward. 

This scenario was driven home in a FCPA enforcement action brought by the SECin July 2015 involving Mead Johnson Nutrition Company. In that case, the company performed two internal investigations into allegations that its Chinese business unit was engaged in conduct which violated the FCPA. Unfortunately, the first investigation, performed in 2011, did not turn up any evidence of FCPA violations. It was not until 2013, when the SEC made an inquiry to the company that it performed an adequate internal investigation which uncovered FCPA violations.

Your company should have a detailed written procedure for handling any complaint or allegation of bribery or corruption, regardless of the means through which it is communicated. The mechanism could include the internal company hotline, anonymous tips, or a report directly from the business unit involved. You can make the decision on whether or not to investigate with consultation with other groups such as the Audit Committee of the Board of Directors or the Legal Department. The head of the business unit in which the claim arose may also be notified that an allegation has been made and that the Compliance Department will be handling the matter on a go-forward basis. Through the use of such a detailed written procedure, you can work to ensure there is complete transparency on the rights and obligations of all parties, once an allegation is made. This allows the Compliance Department to have not only the flexibility but also the responsibility to deal with such matters, from which it can best assess and then decide on how to manage the matter.

To purchase a copy of The Complete Compliance Handbook on Amazon.com click here.

To purchase an autographed copy of The Complete Compliance Handbook from the author click here.

Hallmark Nine of Ten Hallmarks of an Effective Compliance Program, as articulated in the 2012 FCPA Guidance, states: "a good compliance program should constantly evolve."

Keeping track of external and internal events which may cause change to business process, policies and procedures. Some examples are new laws applicable to your business organization and internal events which drive changes within a company (i.e., a company reorganization or major acquisition). 

Continuous improvement requires that you not only audit but also monitor whether employees are staying with the compliance program. In addition to the language set out in the 2012 FCPA Guidance, two of the seven compliance elements in the U.S. Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs. 

The 2012 FCPA Guidance made clear that each company should assess and manage its risks. It specifically noted that small and medium-size enterprises likely will have different risk profiles and therefore different attendant compliance programs than large multi-national corporations. Moreover, this is something that the DOJ and SEC consider when evaluating a company’s compliance program in any FCPA investigation. This is why a “check the box” approach is not only disfavored by the DOJ, but, at the end of the day, it is also ineffectual. It is because each compliance program should be tailored to the enterprise’s own specific needs, risks, and challenges. 

One tool that is extremely useful in the continuous improvement cycle, yet is often misused or misunderstood, is ongoing monitoring. This can come from the confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information.

To purchase a copy of The Complete Compliance Handbook on Amazon.com click here.

To purchase an autographed copy of The Complete Compliance Handbook from the author click here.

In the context of mergers and acquisitions under the FCPA, in a near perfect example of the Howard Sklar maxim that ‘water is wet” the 2012 FCPA Guidance stated “mergers and acquisitions present both risks and opportunities. A company that does not perform adequate FCPA due diligence prior to a merger or acquisition may face both legal and business risks. Perhaps most commonly, inadequate due diligence can allow a course of bribery to continue—with all the attendant harms to a business’s profitability and reputation, as well as potential civil and criminal liability.” While most compliance practitioners have been long aware of the requirement in the post-acquisition context, the 2012 FCPA Guidance focused many compliance practitioners for the need to engage in robust pre-acquisition due diligence.

Under Prong 11. Mergers and Acquisitions; there were a series of queries which tied together how pre-acquisition due diligence and post-acquisition integration. Due Diligence Process –Was the misconduct or the risk of misconduct identified during due diligence? Who conducted the risk review for the acquired/merged entities and how was it done? What has been the M&A due diligence process generally? 

The pre-acquisition process was then tied to post-acquisition with the following: Process Connecting Due Diligence to Implementation – What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process? What has been the company’s process for implementing compliance policies and procedures at new entities? 

One new and different item was laid out in the Evaluation of Corporate Compliance Program, supplementing the Ten Hallmarks of an Effective Compliance Program from the 2012 FCPA Guidance. This was the performance of a root cause analysis for any compliance violation which may led to a self-disclosure or enforcement action. Under Prong 1-Analysis and Remediation of UnderlyingMisconduct, the Evaluation states: 

What is the company’s root cause analysis of the misconduct at issue? What systemic issues were identified? Who in the company was involved in making the analysis?  

Were there prior opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures or allegations, complaints, or investigations involving similar issues? What is the company’s analysis of why such opportunities were missed?  

The new Department of Justice (DOJ) FCPA Corporate Enforcement Policy brought forward this requirement for a root cause analysis with the following language: 

Demonstration of thorough analysis of causes of underlying conduct (i.e., a root cause analysis) and, where appropriate, remediation to address the root causes. 

Initially you need to understand the difference between a root cause analysis and a risk assessment. Obviously, you would perform a root cause analysis after an incident occurs so to that extent it is reactive rather than proactive. The site Thwink.org has defined root cause analysis as:

The purpose of root cause analysis is to strike at the root of a problem by finding and resolving its root causes. Root cause analysis is a class of problem solving methods aimed at identifying the root causes of problems or events. ... The practice of root cause analysis is predicated on the belief that problems are best solved by attempting to correct or eliminate root causes, as opposed to merely addressing the immediately obvious symptoms.

Well known fraud investigator Jonathan Marks, in an interview with the author, defines a root cause analysis “is a research based approach to identifying the bottom line reason of a problem or an issue; with the root cause, not the proximate cause the root cause representing the source of the problem.” He contrasted this definition with that of a risk assessment which he said “is something performed on a proactive basis based on various facts. A root cause analysis analyzes a problem that (hopefully) was previously identified through a risk assessment.”

With The Complete Compliance Handbooksitting at the top of the rankings in its first week of sales, Jay Rosen and myself take a look at some of the top compliance stories over the past week. 

1. Tom’s new book The Complete Compliance Handbookwas released on Monday May 21. It is No. 1 in Amazon’s New Releases in Business Ethics. Available on Amazon.com. Purchase an autographed copy here. It is reviewed in the FCPA Blog, Radical Complianceand Corruption, Crime and Compliance.
2. GDPR is live. Are you ready? Check out Tom’s blog postand white paper. For yet more on GDPR see the podcast series Countdown to GDPR: Episode 1 -Introduction; Episode 2 - The Role of the Data Protection Officer; Episode 3 - Policies and Procedures; Episode 4 - DPIAs; Episode 5 - Vendors in GDPR Compliance; Episode 6 - GDPR for Communications Professionals; Episode 7 - Data Security and Data Breachesand Episode 8 - Subject Access Requests
3. Compliance Week 2018 is in the books. We review some of our highlights.
4. The SFO brings new charges in the Unaoil matter. Dick Cassin reports in the FCPA Blog. Mara Lemos Stein reports in the WSJ Risk and Compliance Review.
5. Matt Kelly considers doing compliance in the midst of corporate downturns, in Radical Compliance.
6. DOJ announces two new indictments in the Rolls Royce bribery case. Dick Cassin reports in the FCPA Blog.
7. Doing business with Pemex, it now requires contractors to have compliance program. Luis Corres reports in the FCPA Blog.
8. What is nudging in compliance? Ben DiPietro reports in the WSJ Risk & Compliance Journal.
9. The DOJ’s Evaluation of Corporate Compliance Program still resonates with complaince practitioners to help think through compliance programs and issues. Sascha Mastussak considers it in the SCCE Blog.
10. Rockets take the lead in their series with Golden State 3-21 and are heading out west. Celtics head back to Cleveland up 3-2.
11. The Everything Compliance gang is back in the Cohen and Friends edition. Check it out here.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

This week the gang sticks a roundtable Q&A, with a focus on the Michael Cohen imbroglio. Jay Rosen considers the lessons to be learned in hiring third-parties. Matt Kelly considers issue from the COSO angle: the control environment v. compliance activities. Mike Volkov weighs in search warrant and Bank Secrecy Act perspective. Jonathan Armstrong adds his own unique British perspective (IE., snark) to the conversation. In addition to the commentary we have the following rants:

1. Matt gives a shout out to Preet Bharara to encourage him to run for NY state Attorney General. 

2. Mike rants on CEO and C-Suite involvement in more and more corporate scandals.

3. Jonathan rants on inane GDPR opt-in emails, which hopefully will end when GDPR goes live May 25.

   4. Jay rants on the lack of respect for his beloved Red Sox.

5. Jim Moore steps in for a special guest rant on the Boston/Cleveland series officiating.

Today we consider Subject Access Requests (SARs) under General Data Protection Regulation (GDPR). As always, I am joined in this exploration by Jonathan Armstrong, a partner in Cordery Compliance in London. SARs may turn out to be one of the most onerous, costly and time-consuming issues for companies after the go-live of GDPR on May 25, 2018. Of all the requirements of GDPR, this may be the single one which companies are least prepared for going into the new regime.

SARs currently exist for all countries in the European Union (EU), in most jurisdictions companies can currently charge a small fee for them. Although the fees are generally fairly trivial, it does put off many applicants. However, post-GDPR Armstrong believes that we are “going to see a significant increase in the number of subject access requests that people will make”. Moreover, SARs can be very difficult and time consuming to fulfill. He noted that some of Cordery’s clients estimate they spend between 100 and 300 hours per SAR. But it is not simply the detailed work needed to fulfill the SAR but a company must also redact out the data on other people.

Armstrong provided an example for a SAR for emails sent to an individual. A SAR might come in for emails being sent to Mr. Jones. While you might be able to do a word search for Mr. Jones and find all emails relating to him, it could be that 10 other people were copied in on emails to/from Mr. Jones. You are required to redact out the details of those 10 people.

Armstrong further refined the example by adding the factor that the email related to performance appraisal and a manager is communicating how their seven direct reports accomplished in that performance appraisals for the year. In responding to the SAR, a company must disclose the information on the one individual who has made the request but redact the information on the others. He words like “he or she” must be reviewed as they can provide personal identifiable information such as a person’s sex. There is also information such as cell phone details, which might be found on the footers of emails that would identify individuals. This information must be redacted.  

Obviously, this example is antithetical to the way in which US companies not only do business but the manner in which they try to avoid releasing any information to the public. However, Armstrong believes this is very important in the EU and will be going forward in the UK, post Brexit. He even pointed by to Max Schrems and the original litigation which brought down Safe Harbor. It could also be that EU and UK citizens might make SARs and then use the US corporate responses as the basis for class action type lawsuits. All of this mean US companies must not only take SARs seriously but have a protocol in place for handling them.

Once again, the key is to have policies and procedures in place to deal with SARs. He said it all begins with training so employees understand what a SAR might look like when it comes in because there is no one prescribed form. Also remember that a SAR can be made orally as well. From there you will need a process for escalating the SAR to the correct person or department. The person who will respond is critical not only for the reasons detailed above in appropriately responding to the SAR  but as Armstrong noted, “there needs to be a more highly trained person, who can diagnose whether that request is validly made and deal with it.” Such a trained and designated person should not pass up the opportunity to speak to the person making the SAR, as “sometimes there is a rumbling of discontent behind a SAR. It might be that you could  resolve the underlying issue, avoid the entire SAR” by handling whatever the issue is which led to the SAR in the first place. 

Leadership’s Conduct at the Top 

Under the Evaluation of Corporate Compliance Programs, Prong 2, it states: 

Senior and Middle Management

Conduct at the Top – How have senior leaders, through their words and actions, encouraged or discouraged the type of misconduct in question? What concrete actions have they taken to demonstrate leadership in the company’s compliance and remediation efforts? How does the company monitor its senior leadership’s behavior? How has senior leadership modelled proper behavior to subordinates? 

Moving Compliance Tone Down Through an Organization 

• Muddle in the middle
• Tone at the bottom 

The Board and Operationalizing Compliance 

What is the role of a company’s Board of Director as laid out in the Evaluation of Corporate Compliance Programs?In an area of inquiry entitled, “Oversight” the DOJ asked three basic questions. Under Prong 2, Senior and Middle Management, the Evaluation posed three questions directed at the Board, Oversight – What compliance expertise has been available on the board of directors? Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions? What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred?  

• Compliance Committee on the Board
• Compliance Expertise on the Board
• Compliance Oversight by the Board

There are some specific areas of inquiry by a Board of Directors around the compliance. I have adapted 20 questions which reflect the oversight role of directors. These are questions which the Board should ask of both senior management and the Board itself. The questions are not intended to be an exact checklist, but rather a way to provide insight and stimulate discussion on the topic of compliance. The questions provide directors with a basis for critically assessing the answers they get and digging deeper as necessary.

To purchase a copy of The Complete Compliance Handbook on Amazon.com click here. 

To purchase an autographed copy of The Complete Compliance Handbook from the author click here.

The Code of Conduct 

What is the value of having a Code of Conduct? 

“First and foremost, the standards of conduct demonstrate the organization’s overarching ethical attitude and its “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” They go on to state, “The code is meant for all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. This includes management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.” From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.” 

The substance of your Code of Conduct should be tailored to your company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. Your company’s Code of Conduct should emphasize it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it. 

Policies and Procedures

There are numerous reasons to put some serious work into your compliance policies and procedures. They are certainly a first line of defense when the government comes knocking. The 2012 FCPA Guidance made clear that “Whether a company has policies and procedures that outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures will also be considered by DOJ and SEC.” 

The Evaluation of Corporate Compliance Programs builds up on the requirements articulated in the 2012 FCPA Guidance. Under Prong 4, Policies and Procedures, there are two parts: Design and Accessibility and Operational Integration. This Part A has the following components. 

Designing Compliance Policies and Procedures – What has been the company’s process for designing and implementing new policies and procedures? Who has been involved in the design of policies and procedures? Have business units/divisions been consulted prior to rolling them out? 

 Applicable Policies and Procedures– Has the company had policies and procedures that prohibited the misconduct? How has the company assessed whether these policies and procedures have been effectively implemented? How have the functions that had ownership of these policies and procedures been held accountable for supervisory oversight? The Evaluation then goes on to ask about both accessibility and effectiveness of the compliance policies and procedures by stating, 

The specific written policies and procedures required for a best practicescompliance program are well known and long established. The 2012 FCPA Guidance stated, “Among the risks that a company may need to address include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.” Policies help form the basis of expectation for conduct in your company. Procedures are the documents that implement these standards of conduct. 

Internal Controls and Compliance

What specifically are internal controls in a compliance program? Internal controls are not only the foundation of a company but are also the foundation of any effective anti-corruption compliance program. 

The DOJ and SEC, in the 2012 FCPA Guidance, stated, “Internal controls over financial reporting are the processes used by compa­nies to provide reasonable assurances regarding the reliabil­ity of financial reporting and the preparation of financial statements. Moreover, “the design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.” 

This was supplemented in the Evaluation of Corporate Compliance Programs with the following:

Controls –What controls failed or were absent that would have detected or prevented the misconduct? Are they there now? 

The whole concept of internal controls is that companies need to focus on where the risks are, whether they be compliance risks or other, and they need to allocate their limited resources to putting controls in place that address those risks, and in the compliance world, of course, your two big risks are the assets or resources of a company. Not just cash but inventory, fixed assets etc., being used to pay a bribe, and then the second big element would be diversion of company assets, such as unauthorized sales discounts or receivables and write offs, which are used to pay a bribe. 

There are four significant controls that I would suggest the compliance practitioner implement initially. They are: (1) Delegation of Authority (DOA); (2) Maintenance of the vendor master file; (3) Contracts with third parties; and (4) Movement of cash / currency.

To purchase a copy of The Complete Compliance Handbook on Amazon.com click here.

To purchase an autographed copy of The Complete Compliance Handbook from the author click here.

CCO Authority and Independence 

The role of the Chief Compliance Officer (CCO) has steadily grown in stature and prestige over the years. In the 2012 FCPA Guidance, under Hallmark Three of the 10 Hallmarks of an Effective Compliance Program, the focus was articulated by the title of the Hallmark, Oversight, Autonomy, and Resources. 

The DOJ’s Evaluation of Corporate Compliance Programs, made the following query about the CCO position: Prong3. Autonomy and Resources  

Stature– How has the compliance function compared with other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources, and access to key decision-makers? What has been the turnover rate for compliance and relevant control function personnel? What role has compliance played in the company’s strategic and operational decisions?  

Autonomy– Have the compliance and relevant control functions had direct reporting lines to anyone on the board of directors? How often do they meet with the board of directors? Are members of the senior management present for these meetings? Who reviewed the performance of the compliance function and what was the review process? Who has determined compensation/bonuses/raises/hiring/termination of compliance officers? Do the compliance and relevant control personnel in the field have reporting lines to headquarters? If not, how has the company ensured their independence?  

In the Policy, the DOJ laid out additional factors around CCO authority:  

1. The quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk;
2. The authority and independence of the compliance function and the availability of compliance expertise to the board;
3. The compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors; and
4. The reporting structure of any compliance personnel employed or contracted by the company.  

This new language would seem to signal the death knell for the dual GC/CCO role. 

Compliance Function in an Organization 

Autonomy and Resources 

Compliance Role – Was compliance involved in training and decisions relevant to the misconduct? Did the compliance or relevant control functions (e.g., Legal, Finance, or Audit) ever raise a concern in the area where the misconduct occurred?  

Empowerment – Have there been specific instances where compliance raised concerns or objections in the area in which the wrongdoing occurred? How has the company responded to such compliance concerns? Have there been specific transactions or deals that were stopped, modified, or more closely examined as a result of compliance concerns?  

Funding and Resources – How have decisions been made about the allocation of personnel and resources for the compliance and relevant control functions in light of the company’s risk profile? Have there been times when requests for resources by the compliance and relevant control functions have been denied? If so, how have those decisions been made?  

The Evaluation added one new set of queries based upon the evolution of corporate compliance programs since 2012. 

Funding and Resources 

You will now have to justify your corporate compliance spend. 

You now have to justify your compliance budget request denials. 

To purchase a copy of The Complete Compliance Handbook on Amazon.com click here. 

To purchase an autographed copy of The Complete Compliance Handbook from the author click here.

How to Perform a Risk Assessment 

One cannot really say enough about risk assessments in the context of an anti-corruption programs. Since at least 1999, in the Metcalf & Eddyenforcement action, the DOJ has said that risk assessment which measure the likelihood and severity of possible FCPA violations the manner in which you should direct your resources to manage these risks. The 2012 FCPA Guidance stated it succinctly when it said, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” 

This language was supplemented in the 2017 in both the Evaluation and the new FCPA Corporate Enforcement Policy. Under Prong 4 of the Evaluation, Risk Assessments, the following issues were raised: Risk Management Process– What methodology has the company used to identify, analyze, and address the particular risks it faced?Manifested Risks– How has the company’s risk assessment process accounted for manifested risks?In the FCPA Corporate Enforcement Policy it stated, “The effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment”. 

What Should You Assess? 

1. Geography-where does your Company do business.
2. Interaction with types and levels of Governments.
3. Industrial Sector of Operations.
4. Involvement with Joint Ventures.
5. Licenses and Permits in Operations.
6. Degree of Government Oversight.
7. Volume and Importance of Goods and Personnel Going Through Customs and Immigration. 

How Do You Evaluate a Risk Assessment? 

LIKELIHOOD

 ‘Likelihood’ factors to consider: The existence of controls, written policies and procedures designed to mitigate risk capable of leadership to recognize and prevent a compliance breakdown; Compliance failures or near misses; Training and awareness programs.

PRIORITY

Priority Rating: Product of ‘likelihood’ and significance ratings reflects the significance of particular risk universe. It is not a measure of compliance effectiveness or to compare efforts, controls or programs against peer groups. 

At Timken, the most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These “Severe” risks become the focus of the audit monitoring plan going forward. A variety of tools can be used to continuously monitoring risk going forward.  However, you should not forget the human factor. At Timken, one of the methods used by the compliance group to manage such risk is by providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. The company also produces a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it.

To purchase a copy of The Complete Compliance Handbook on Amazon.com click here. 

To purchase an autographed copy of The Complete Compliance Handbook from the author click here.

360 Degrees of Compliance Communications 

A 360-degree view of compliance is an effort to incorporate your compliance identity into a holistic approach so that compliance is in touch with and visible to your employees at all times. It is about creating a distinctive brand philosophy of compliance which is centered on your consumers. In other words, it helps a compliance practitioner to anticipate all the aspects of your employees needs around compliance your employees, who are the customers of your compliance program. This is especially true when compliance is either perceived as something that comes out of the home office or is perceived as the Land of No, largely inhabited by Dr. No. A 360-degree view of compliance gives you the opportunity to build a new brand image for your compliance program. 

The Use of Social Media in Compliance 

What is the message of compliance inside of a corporation and how it is distributed? In a compliance program, the largest portion of your consumers/customers are your employees. Social media presents some excellent mechanisms to communicate the message of compliance going forward. Many of the applications that we use in our personal communication are free or available at very low cost. Why not take advantage of them and use those same communication tools in your internal compliance marketing efforts going forward? 

What is Effective Compliance Training? 

Also raised in the Evaluation was the focus of your training programs, where the DOJ inquired into whether your training was “tailored” for the audience. The Evaluation, In Prong 6, Training and Communication, asked, in part: Risk-Based Training – What training have employees in relevant control functions received? Has the company provided tailored training for high-risk and control employees that addressed the risks in the area where the misconduct occurred? What analysis has the company undertaken to determine who should be trained and on what subjects?  

The key going forward is that you have thoughtfully created your compliance training program. Not only in the design but who receives it, all coupled with backend determination of effectiveness. Finally, all of this must be documented. In Prong 6, Training and Communication, of the Evaluation it read, in part: 

Form/Content/Effectiveness of Training– Has the training been offered in the form and language appropriate for the intended audience? How has the company measured the effectiveness of the training? 

1. Figure out what you want to measure. Before you ever train an employee, you should have a goal in mind. What actions do you want employees to take? What risks do you want them to avoid? In compliance training, you want them to avoid non-ethical and non-compliant actions that would lead to potential violations. Your goal is to train employees to follow your Code of Conduct and your compliance program policies and procedures so you avoid liability related to actions.
2. Were employees satisfied with the training? What is their engagement? The next step is to get a sense of whether employees feel that the training you provided is relevant and targeted to their job. If it’s not targeted, employees will likely not be committed to changing risky behavior. One way to obtain such data is through a post-training survey. This should give you insight into determining if employees thought the training was beneficial and effective in answering their questions and concerns.
3. Did employees actually learn anything? A critical part of any employee training is the assessment. You must know whether they actually learned anything during training. You can collect this data in a number of ways, but for compliance training, the best way is to measure pre- and post-training understanding over time. Basically, each time you train an employee, measure comprehension both before and after training.
4. Are employees applying your training? A survey should be used to determine employee application and their implementation of the training topics. To do so, you must conduct surveys to understand whether they ceased engaging in certain risky behaviors or better yet understand how to conduct themselves in certain risky situations. These surveys can provide a good sense of whether the training has been effective.

To purchase a copy of The Complete Compliance Handbook on Amazon.com click here. 

To purchase an autographed copy of The Complete Compliance Handbook from the author click here.

In this episode I visit with Nate Lankford, member at Miller & Chevalier on the firm’s FCPA Spring Review 2018. The quarterly Miller review is also an excellent resource for any FCPA or compliance practitioner, chocked full of statistics on enforcement actions, legal and compliance analysis, reports on international FCPA developments and commentary. It has always been a ‘Must Read’ review for any compliance professional. The FCPA Spring Review 2018 continues this trend.

In this episode, we consider some of the following issues:

• What if anything, can be gleaned from the now one plus year of enforcement under the Trump Administration and Sessions-led Justice Department.
• Has there been an untick in declinations?
• Any uptick in individual prosecutions?
• What are some of the key points from the following enforcement actions: Elbit, Transportation Logistics and Kinross?
• Some of the top international developments including: Canada Updates Anti-Corruption Law and Enforcement Tools; French Anti-Corruption Agency Issues First Official Guidelines and France Enters into Two More Bribery-Related Negotiation Resolutions; Airbus Payment in Germany
• The Digital Realty Trust v. Somers decision at the US Supreme Court and its implications for companies and compliance practitioners.
• What has been the response to the new FCPA Corporate Enforcement Policy requirement for companies to prohibit software that generates but does not retain business records or communications.

A copy of the Miller & Chevalier FCPA Spring Review 2018 can be found here.

The quarterly Miller FCPA Review is a must read for any compliance professional. The Spring Review 2018 is no exception.

With Uncle Duke joining the compliance debate around Michael Cohen, Jay Rosen and myself take a look at some of the top compliance stories over the past week.

1. The fallout from the Michael Cohen revelations continue to explode across the compliance universe. Matt Kelly considers it from a COSO perspective in Radical Compliance, Tom and Matt podcast have another podcast about it on Compliance into the Weeds, Tom channels his inner Hunter S. Thompson for a three part series, Part I-the Start, Part II-Full Gonzo and Part III-Uncle Duke. The NYT reportsthat the Novartis GC loses his job over the scandal.
2. Rod Rosenstein announced a new “anti-piling on” policy. What does it mean for FCPA enforcement? Lara A. Covington and Michael E. Hantman, writing in the FCPA Blog, point out the strings attached and potential rewards. Tom considers the new policy (channeling Tom Wolfe) here.  For the full text of Rosenstein’s remarks see here.
3. Writing in forbes.com Dan Pontefract says we need ethics professionals more than ever.
4. The purveyors of the most excellent Global Anti-Corruption Blog, Rick Messick and Matthew Stepenson both post articles decaptitating the arguments against transparency into shell corporations. Rick’s piece is here. Matthew’s piece is here.
5. What is it like to negotiate a FCPA/Bribery Act resolution, while heading up the remediation. Phoebe Seers reports on how the Innospec GC/CCO handled it in Mlex.
6. Trump tweets out to protect Chinese jobs in the ZTE sanctions case. What are the implications? Sam Rubenfeld takes a look at the landscape in WSK Risk & Compliance Journal.
7. Businesses are finding value in combining sustanibility and compliance. Ben DiPietro reports in the WSJ Risk & Compliance Journal.
8. Cybersecurity whistleblowers are becoming increasingly important to the SEC and in the corporate world. Henry Cutter reports in the WSJ Risk & Compliance Journal.
9. Rockets square their series with Golden State 1-1 and are heading out west. Celtics head to Cleveland up 2-0.
10. Tom announces publication date of his next book, The Complete Compliance Handbook,which will be available on May 21, 2018 on Amazon.com. If you are attending Compliance Week 2018, Tom is have a book signing party on Monday, from 2:15 to 2:45. Come by and pick up an autographed copy.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

In this episode, Jonathan Armstrong and I discuss the backbone of the new General Data Protection Regulation (GDPR), which is data protection and the ancillary topic of responding to data breaches. GDPR introduces significant changes on the mandatory reporting of data breaches, including both a requirement for reporting to the relevant regulator(s) and communication to those affected by any data breach.

In this episode, Matt Kelly and I take a continued deep dive into the travails of Michael Cohen, AT&T and Novartis for their hire of Cohen’s company Essential Consulting. After last week’s emergency podcast on the topic, we take a more measured discussion of the latest series of allegations. We discuss the PR disaster which has beset both AT&T and Novartis and where things may be headed.  

For more reading on Cohen, Essential Consulting, AT&T and Novartis, see

Tom’s three piece series:

Michael Cohen, 3rd Party Consultants and Hunter S. Thompson: Part I

Michael Cohen, 3rd Party Consultants and Hunter S. Thompson: Part II, Full Gonzo

Michael Cohen, 3rd Party Consultants and Hunter S. Thompson: Part III - Where is Uncle Duke?

Matt Kelly’s piece AT&T Wins Ethics Award, Looks Ridiculous

In this episode I present a live podcast recording made at the 6thLEC Compliance Conference in Sao Paulo last week. In the podcast I interviewed Carlos Ayres, partner at Meada, Ayres and Sarubbi and Matt Ellis, Member at Miller & Chevalier. We discuss the burgeoning compliance scene in Brazil and across the continent of South America. Ayres reflects on some current issues facing compliance practitioners in region. Ellis discusses the raft of new anti-corruption laws in the continent. They both discuss the challenge of representing multi-nationals across the continent who may be subject multiple ongoing investigations and enforcement actions. They point out some of the unique compliance issues for the region. It is fascinating discussion of the current state of compliance and anti-corruption enforcement in Brazil and across the entire continent.

 As former DAG Sally Yates returns to private practice at King & Spalding, in the words of LL Cool J, “Don’t call it a comeback, I been here for years,” Jay Rosen and myself take a look at some of the top compliance stories over the past week.

1. Michael Cohen explodes across the compliance universe. Matt Kelly writes in Radical Complianceand Buzzfeed, Tom and Matt podcast on Compliance into the Weeds, Francine McKenna quotes Matt and Mike Volkov in her piece on com. Finally Joe Mont considers it from the Bank Secrecy Act compliance angle in Compliance Week(sub req’d).
2. Sally Yates returns to private practice at King & Spalding. com(sub req’d)and Washington Post.
3. Katie Smith is the first chief ethics and compliance officer at Convercent, and has brought with her some new ideas about how to use technology to improve E&C Corporate Counsel
4. GIR/JAC– Lawyers laud criminal division’s diversity provision for monitors (Pansonic Avionics DPA)
5. FCPA Blog– Dick Cassin writes about Colombia investigating a dozen companies for overseas bribery
6. FCPA Blog– Ankura’s Spinelli and Pilosio: Why is the construction industry so vulnerable to corruption?
7. WSJ Risk & Compliance Journal– Ben DiPietro -- The Morning Risk Report: Companies Need to Look Deeper at Supply Chains
8. WSJ Risk & Compliance Journal– Henry Cutter -- DOJ Targets ‘Duplicative Penalties’ Through Increased Coordination. See full text of Rosenstein remarks here.
9. Tom reports on a week of speaking to compliance professional in Brazil. See his blog post Reflections on Week of Compliance in Brazil.
10. Tom announces publication date of his next book, The Complete Compliance Handbook, which will be available on May 21, 2018 on Amazon.com. It is available for PreSale here.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

In this first emergency Compliance into the Weeds podcast, Matt Kelly and myself review the information that Michael Cohen was paid by several US and international multi-national organizations for insight on and influence upon the Trump Administration. We consider it from the compliance angle and what steps a company is going to take if it hires the President’s personal lawyer as its paid lobbyist.

For more see Matt’s blog post on Radical Compliance entitled “Oh Lord, Michael Cohen Risk Is Now a Thing”

And for even more see Matt’s piece in buzzfeed.com entitled, “It's Harder To Pay Off Foreign Governments Than The US One”

In this podcast I have back well-known Board of Director thought-leader Sheila Hooda for a discussion on Boards can deal with the disruptive nature of current climate of economics, politics and business. She provides a clarion call for Board renewal through refocusing on strategy as a Board imperative. We explore several areas of Board refocus and renewal. 

We begin with some of the disruptions Boards face including digital, market, and regulatory disruption. We are seeing massive disruption – at a scale and pace never seen before and the pace is accelerating. There is disruption across industries and business models, brought about by a confluence of factors including Technology and digital forces, changing demographics and consumer preferences, regulation and market forces.

Tech has moved from being the enabler and supporter of business to being the primary driver and the differentiator. It has literally become the heart of the business, bringing both opportunity, challenges and new risks. Companies that do not change their strategy, innovate and move as a faster pace to keep ahead of this dynamically changing environment will risk losing their competitive advantage and ultimately go out of business.

 We next consider the implications for the Board, since the Board’s fundamental obligation is to enhance the long-term value of the company on behalf of shareholders. Therefore, the Board’s responsibility for dealing with disruption is grounded in this principle and this reality. As business disruption threatens the very sustainability of a company – it is the core fiduciary responsibility of the Board to manage, navigate and mitigate the risks of disruption for the companies they oversee.

Hooda believes that to discharge their responsibilities, Boards will need to evolve their practices and priorities with an urgency to remain relevant and to pivot and future-proof the companies they oversee. Boards set the tone at the top and with management for the organization. Embracing change, managing risks and fostering innovation-lead growth is needed to stay ahead of this tsunami of disruption to empower the organization to evolve faster and to succeed. Boards will need a new and enhanced role to play in managing change and disruption. High performance governance must lead, it does not follow.

With all this disruption on the horizon, what is the Board’s role and how can they be part of the solution to insure their company is ahead of the curve and competitive?Hooda believes that to answer the call for Board governance renewal, what can Boards do to reshape their roles to (1) Embrace change and disruption ; (2) Foster innovation; and (3) Manage the inherent risks.

Hooda concludes by noting that leading through disruption and fostering innovation is not easy and will require a delicate rebalance of the fiduciary responsibility of the Board and the executive power of management. To achieve this, she says there needs to be a brand-new way of thinking about Board-management engagement. Management and their Boards need to begin to have a different kind of dialogue, one that is characterized less by fully baked ideas and more about an open-door policy characterized by a free exchange of ideas and perspectives. This shift requires a new vulnerability on the part of management and the willingness to seek out Board members’ perspective on a regular basis.

On the Board’s part a stronger partnership with management is needed to share ownership. This will require a higher level of trust and transparency. Sufficient time should be allocated on the Board’s agenda to continued education, brainstorming, debate and discussion, and honest feedback about ideas. This model of governance also requires both management and Boards to stay current which is a major challenge in the face of constant change. Boards will need to be create some space to have blue ocean type of continual education and thinking so that Boards and managements can discuss alternatives, changing assumptions and the competitive environment.

In this episode we consider the presidency of the 10^thPresident, John Tyler. Tyler was the first president to ascend to the position after the death of President in office, William Henry Harrison. This ascendency, as his presidency was fraught with difficulties and conflict. We consider the following:

1. Tyler was not viewed as a legitimate president as he ascended due to the death of a President in office, William Henry Harrison.
2. Tyler was the first President against whom impeachment proceedings were brought.
3. Tyler had no real political base while President as he had been in the Democratic Party up until he became a Whig to run in 1840.
4. Tyler was the first President to veto legislation based upon policy, not constitutional considerations.
5. Tyler was the first President to have a mass Cabinet resignation.
6. Tyler was the first President to have his Cabinet nominees defeated in the Senate.
7. Tyler was the only President to face an open, armed rebellion from a State, the Dorr Rebellion in Rhode Island; up until Lincoln.

In addition to the foregoing Richard Lummis and I consider the leadership lessons from Tyler in the following areas:

1. His ascension to the Presidency and establishment of the Tyler Principle for succession.
2. Economic issues including the tariff and veto of the Bank bills.
3. His handling of the Dorr Rebellion
4. Texas Annexation
5. The Princeton Incident

Over the next five podcasts, I will visit with Don Stern, Managing Director, Corporate Monitors and Consulting Services at Affiliated Monitors, Inc. on working with monitors. Over this series we will consider, in Part I-Fears and Concerns in Working with Monitors; in Part II-the Impact Monitors Can Have for an Organization; in Part III-How Monitors Do Their Jobs; in Part IV-Regulators Using Monitors; and in Part V-Attorneys Using Monitors. At the end of this series you will have a much broader appreciation on the benefits of an independent monitor, how monitors work and how the different types of monitorships can benefit a wide variety of businesses, transactions and business relationships.

There can be a wide variety of concerns for those considering or being required to work with a monitor, both from the corporate perspective and individual employees. From the corporate perspective, the concerns can include the costs of a monitorship and that impact on the bottom line; opening up books the books to an outsider and interference with business operations. These are acerbated by a fear the monitor does not understand the business of the organization or even how business in done in the real world. Things that tend to bring more fear are that the monitor will engage in slow but sure mission creep and exceed the boundary of the charge. Many see monitors as an extension of the government and believe that monitors are  junior G-men and investigators, tasked by the by the government to investigations ongoing. Employees tend to be more afraid the monitor will come in dictatorial powers and exercise them. Employees are usually more concerned with the company’s reputation and business credibility with employees and subcontractors.

Stern believes some of the fears and concerns are understandable, particularly if a company, does not have experience with the positives of the use of an independent monitor and a monitor’s assisting a company in improving the compliance program. While some of it may have to do with the unknown, one area is simply the extra costs associated with a monitor. If the monitor is a part of a government settlement or resolution, there can be the fear, sometimes driven by war stories, that monitors will have mission creep and continue the investigation, even after a resolution. A company may fear that a monitor will come in and look under every nook and cranny. This feeds into both concerns of cost and mission creep.

Another concern is that many monitors are former prosecutors and still retain a prosecutorial mindset. This can lead many companies and their employees to fear a ‘got-cha’ mentality of a monitor who is looking for items to run back to the government or regulators with through their monitorship investigations.

Stern believes that all of these concerns can be handled if not fully alleviated, through thorough discussions with monitor candidates. . Stern noted that one of the areas a company needs to be asking during the monitor selection process is what is “the approach that the monitor is going to take? What's the approach in a meeting or an interview with a mid-level employee in a branch office. Is that person going to feel as if they're under attack or are they brought in a to explain all the good things and all the bad things that are going on so that the monitor can basically make some helpful recommendations.”

In addition to the monitor interview process, companies should understand that the terms of any monitorship are set in the resolution agreement. This is why it is important not only to address these issues during settlement discussions but also take care in the drafting of such agreements to try and remove as many ambiguities as possible. At times, the parties may not want to address what they believe are sensitive issues head on as part of the negotiation process, other times there is not a full understanding of how monitors works. Stern has been brought in as the parties have negotiating to simply educate people as to what monitors do and how they operate and, to demonstrate how the monitorship can be more successful for both sides, for the government side and the company. In drafting the resolution agreement, the key is to lay out the scope, properly and tightly designed. When there are ambiguities which come up in the process of the monitors work, the monitors should work with both sides, as a facilitator to have both parties basically come together and to resolve those issues.

The key is for companies to have a thorough understanding of the monitorship process, whether it is a post-resolution monitorship where the monitor is focused on the company’s compliance with its agreement in the resolution document, Deferred Prosecution Agreement, Non-Prosecution Agreement or other; or a pro-active monitorship. This understanding comes from discussions, reviewing and negotiating the scope of the agreement and hiring experienced monitors who understand their role and more importantly what is not their role going forward.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

I continue my five-podcast exploration of working with monitors. I am joined by Don Stern, Managing Director, Corporate Monitors and Consulting Services at Affiliated Monitors, Inc. (the sponsor of this five-part series) on working with monitors. Today we take up the impact using a monitor can have on an organization.

Interestingly many of the benefits of a company in working with a monitor come from answering the employees fears and concerns. Many employees are intimidated by attorneys and some even fell guilty about themselves and their work even though they have done nothing wrong. Often employees do not feel like them can trust the company, particularly if the company does not employ the Fair Process Doctrine or institutional justice as a core value of the organization. Other employees feel validated and when they can open up to outsiders it can be a cathartic experience for employees. For the larger organization, the monitor can tell the company what it does not know and provide a much needed “Big Picture” impact; delivering insight on how the company can be run more efficiently and profitably. The bottom line is that the benefits in using an independent monitor can be as behavioral and psychological as compliance and legal.

Stern described the impact of working with a monitor is present at several different levels. The first is a very personal, at the employee level. He said, “I've seen this time and time again when we will sit with either an individual employee at different levels, it could be at a lower level, it could be at the CEO level. The employee will feel validated and in some ways innocent. It sounds odd to say that because you would think that if the company was working properly that each employee would have an opportunity to sort of say their piece, describe observations and things that they were experienced. Unfortunately, that is not the way the real world works when people have concerns and fears of retaliation and the like.”

Stern has found after doing an interview or a focus group, they will sometimes say, “ I have been wanting to say these things to somebody and I hope that, this is not attributed this to me. I'm not looking for you to go back ono anybody and say that I said this, but I hope that you will take what I have said and what others have said and make some suggestions to the company.” The bottom line is that a key impact from working with a monitor is that the monitor listens and “I do think that employees feel better kind of explaining their perspective on what's happening internally in the company.”

Another important reason all of this works is if an organization uses a truly independent monitor. This means one which is not the lawyer for the firm or with the company’s regular outside counsel. This is something most employees more fully appreciate talking to “outsiders who were being were coming in, who they do not interact with on a day to day basis.” Even if the monitorship is required under an enforcement action and in the in the context of a government settlement, Stern has found that if the monitor makes it clear they are independent from the government, employees are more likely to not only open up but also appreciate the experience.  

These concepts tie directly into the Fair Process Doctrine, which most generally holds that if the process is fair, people are more likely to accept undesired outcomes. An independent monitor, who does not perform ongoing work with the company, will certainly be perceived as more fair. As Stern noted, “it’s just human nature.”

This independent nature also gives the monitor the ability to impact the company by helping it turn the page on any conduct which may have gotten it into trouble in the first place. This is particularly true where a company has gone through an enforcement action and resolved the matter with the government and is now ready to move on in a positive way. Stern said that employees typically want to feel good about the organization they work for, they want to be proud of who they work for. Stern said, “time and time again, people aspire to work for a company that they feel good about. They want to tell their spouse that wants to tell their children. They want to feel good. When the neighbors asked them, who do they work for and when companies get into trouble, um, they liked the fact that the pages being turned in that once again, that can be very proud of where they work.”

This independence from the government also works to positively impact the work of a monitor. Stern noted that although an independent monitor has “an obligation to report to the government faithfully as to what we are seeing; the good, bad and the ugly; an independent monitor is not beholding to the government.” Stern’s experience has been “at the end of the day respect us and they recognize that it's in their interest for us to be independent. If we're in the company's pocket and we do whatever the company wants it at the end of the day, the government will see right through that and it's not going to be a good outcome.”

The bottom line is that the positive impacts of working with a monitor can happen on many levels. Obviously for a company which has recently concluded an enforcement action, a monitor can yield many benefits to improve a compliance program. Yet some of the greatest benefits may be more behavioral and psychological to the company’s employees. Not only can talking to a truly independent outsider be cathartic for employees but the entire process can help to reinstill a sense of pride in who they are, who they work for and what the organization means.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

I continue my five-podcast exploration of working with monitors. I am joined by Don Stern, Managing Director, Corporate Monitors and Consulting Services at Affiliated Monitors, Inc. (the sponsor of this five-part series) on working with monitors. Today we consider how monitors work.

Stern explained that there are variety of tasks and roles a monitor uses when engaging in an independent monitorship. A monitor should understand type of approaches they will take to make an organization more compliant, starting with understanding the work plan. Many times, the monitor must push the organization along by getting buy-in and building consensus. Finally, there should be an awareness of helping the company being compliant in the future.

The starting point is understanding what is the mission of the monitorship. As Stern put it, “we really begin at the beginning.” We meet sometimes meet separately with the government agency to get an appreciation understanding as to why they think things have reached that point, what they see as the problems in the company, what they see as the problems in the industry. And then of course we do the same thing with the company.” Such meetings could also include “outside counsel who have been sort of living with the whatever the precipitating cause a problem which led to the settlement with the government or the investigation. They've lived with it for years. And in many cases, by the way, the company has already remediated significant portions of the problem.”

A monitor should have a particular focus on a particular goal, a particular set of tasks. Yet from there, Stern explained it is “very much a people exercise. The thing that is often obvious relatively early on, a one way or the other is whether the company has a paper program or real program.” Stern indicated that a monitor should spend time at both the higher levels of the company and at the middle and lower levels of the company. Some of the specific techniques can be one on one interviews, site visits to specific offices and with “focus groups where we get people at the same level so we don't get middle managers and upper managers together in one room.”

Stern emphasized it is critical that both company management and the regulators not be surprised by a finding. This means the monitor (and team) should literally “pour through the company” to come up an honest final assessment or report for the organization. It is important to give the company credit where it has remediated or shown improvement and this means emphasizing to the government the wins a company’s compliance program may have sustained.

Interestingly, Stern emphasized that in monitorships as with compliance programs in general, one size does not fit all. A monitor should test whether there is sufficient training on the Code of Conduct, compliance policies and procedures and other issues such as Conflicts of Interest policy. There should also be inquiries into hotline overview and use. Yet there can also be recommendations which arise from the employee interviews, which the monitor may raise to senior management for implementation.

Here Stern presented a simple yet powerful example. It was around having a compliance moment once per week at company meetings. The organization was an engineering company and they took safety very seriously, opening each company meeting with a safety moment. This led to the suggestion of opening meetings with a compliance moment, which employees used not simply to state ethics and compliance issues but to describe situations they faced daily.

A situation arose where an employee was offered tickets to a baseball game by a vendor. The company policy on conflicts of interest prevented the employee from accepting the tickets and he felt conflicted because he wanted to go to the game. More importantly he did not know what to tell the vendor to make them understand he could not accept the tickets. Through discussing this issue after a compliance moment in a company meeting, there was a dialogue allowed the company employees to feel that they have an opportunity to be part of the process. It demonstrated that ethics and compliance is not something imposed on them, but something that is part and parcel of their job and part and parcel of their responsibility.

A monitor must literally work with groups as diverse as the Board of Directors to employees on the shop floor. It is incumbent to use a variety of tactics and techniques to fulfill the mission of a monitor. An independent and experienced monitor is required to use a variety of tools to help an organization move forward with a compliance regime. Stern noted, “a monitor should also have the experience to come in and not only look at how your company is doing, but also benchmark against what is happening not only in your industry but in other industries. And at the end of the day it's a little bit like the making of sausage. At the end of the day we're going to have some recommendations and the expectation is that your company is going to be top of the heap, that you will have a state of the art compliance and ethics program and you will have contributed to making it better.”

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.