FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.
Feb 19, 2018

In this episode, podcast favorite James Koukios returns to discuss highlights from international anti-corruption efforts, enforcement actions and developments highlighted in Morrison and Foerster’s December report. We highlight five developments: 

  1. The Keppel Offshore FCPA enforcement action and the attendant fallout in Singapore, where the country has announced it is investigating possible criminal charges against the company’s senior executives. We also highlight the new Singaporean initiative for a type of Deferred Prosecution Agreement. We explore how countries in the Far East are ramping up anti-corruption investigations and their continuing cooperation with the United States in investigations.
  2. The Trump Administration reaffirms the fight against international corruption as a top priority. We discuss the December release by the Administration of its first National Security Strategy paper, detailing the administration’s top foreign policy priorities. Among five “Priority Actions,” the paper pledges that the U.S. will “continue to target corrupt foreign officials and work with countries to improve their ability to fight corruption. . . .” We explore how the administration sees corruption as a threat to American companies’ ability to compete fairly abroad, asserts that corruption and weak government allow terrorists and criminal networks to prosper, and views vigorous anti-corruption enforcement as one of several “economic tools” the U.S. will use “to deter, coerce, and constrain adversaries.”
  3. The public call by Attorney General Sessions for greater cooperation in international criminal cases. We note how this follows several other public comments by political appointees of the Administration on the need for not only robust anti-corruption enforcement but also enhanced international cooperation in investigations and enforcement.
  4. The United Kingdom sets course for a long-term anti-corruption strategy; and
  5. The warnings issued by the Chinese government to officials and employees of state-owned enterprises. We consider how this fits into the Chinese anti-corruption campaign and whether it will be inwardly or outwardly focused. We conclude with what it may mean for DOJ prosecutions under the FCPA and what US companies doing business in China may expect going forward.


For more information read the full Morrison & Foerster white paper Top Ten International Anti-Corruption Developments for December 2017

Feb 16, 2018

In this episode, Jay Rosen and I take a look at some of the top compliance stories over the past week.

  1. A very interesting article by T. Markus Funk and Andrew Boutros entitled “The Evolution and Status of ‘Carbon Copy’”. For the full copy go to Bloomberg White Collar Report.
  2. Time to go back to college and take that Econ course as John Bray explores the intersection of sunk costs and third-party bribery payments, in the FCPA Blog.
  3. Bill Coffin really nails it this week. He opines that compliance officers are the conscience of a company, in Compliance Week (sub req’d).
  4. Dick Cassin notes that the Justice Department ends its investigation of Core Labs over the company’s relationship to Unaoil (here) and Juniper Networks gets a Declination (here). Henry Cutter explains both in the WSJ Risk and Compliance Journal.
  5. The PdVSA ‘management team’ in charge of bribes are all indicted for money laundering based on FCPA violations. Sam Rubenfeld leads the coverage in the WSJ Risk and Compliance Journal.
  6. Sally Afonso explains why you need to get out of your compliance conference comfort zone, in the SCCE Compliance and Ethics Blog.
  7. Joe Mont explores whether businesses misuse NDAs in his article “Companies twist and abuse non-disclosure agreements”. See the article in Compliance Week (sub req’d).
  8. Ethisphere announces its 2018 World’s Most Ethical Companies Awards; see the press release. Matt Kelly explores some of the key similarities in Radical Compliance.
  9. Tom announces presales of his next book, the Complete Compliance Handbook, which will be published by Compliance Week in April 2018. You can find out more on his website by clicking here.
Feb 15, 2018

One of the ongoing questions from members of Boards of Directors is how to resolve the tension between oversight and managing. I recently had the opportunity to visit with Joe Howell, the Executive Vice President (EVP) of Workiva, Inc. on this subject. Howell has worked on and with Boards of Directors at various companies and I wanted to garner his understanding of the role of a Board in relation to both senior management and a Chief Compliance Officer (CCO). Howell had a short response which I thought was an excellent starting point to understand the role: put sand in the shoes of management.

The key to such a metaphor succeeding is that a Board of Directors, “by continuing to challenge management on these scenarios that management has considered and the stories management is telling itself about what could go wrong”, can “help get management out of its comfort zone. By and large, executive teams begin to believe themselves when they talk about how well they’re doing. The independent challenge that the board can offer, putting the little bit of sand in the shoe to make sure that you’re thinking about things carefully, can cause you to step back and really focus your resources where they're needed.”

Boards do this by posing questions to management that help them challenge their own assumptions, especially those assumptions which senior management is most confident about. Howell said that Boards “need to help senior management consider the things that management is so sure about that maybe are going to play out the way that they expect. For example, the things that can hurt investors more than anything else is a surprise. Chaos does not help investors in general. The things that surprise investors frequently are the things that also surprise management. Does management consider all of the things that can go wrong and have they built an environment where they can both help prevent those things from happening and detect them when they’re small and they can actually do something about them?”

Howell noted the role of the Board is not management but oversight, focusing on governance. To do so, an effective Board should challenge senior management not only on what they have planned for but what they may not have considered or may not even know about. He said, “one very good example is the whole, the reputation of those stakeholders involved in the company and that can be the management team itself, the employees, and the board members themselves.” This is because reputational damage hurts everyone. Howell went on to state, “it’s very important as we go through some of the ways the board can help management in that role. I think the things that really make a difference to management is when the board is able to be an effective devil’s advocate. Not managing management but helping them in their governing role by helping management to step back and think critically of their own underlying assumptions and biases.” 

One of the continuing struggles I hear from Board members is asymmetrical information, largely due to the siloed nature of company information and structures. Howell acknowledged, “These sorts of barriers are pervasive in any company of any size that has, particularly, operations and different product lines and different markets and different countries and different time zones. These limitations in the free flow of information by themselves create a risk to the organization, to the investors of the organization, to the employees of the organization and the board’s ability to ask questions. If nothing else, in their governance control, creates this reminder to management to open up itself to itself and listen carefully to its own organization and be able to link information to all of the places it needs to be fed.”

I asked Howell to further explain his phrase “open itself up to itself and listen”. He provided the following example, “how can the Chief Financial Officer make sure that he is giving all the information that the Chief Compliance Officer needs to do his job? Those questions from the board can be very valuable in making sure that the Chief Financial Officer doesn’t forget these issues and the Chief Compliance Officer has an opportunity to engage constructively with the Chief Financial Officer and others in the organization.”

Somewhat counter-intuitively, Howell noted that when it comes to the Board’s oversight role around internal controls, less is often more. This occurs by helping management understand a company can overdo a control environment, “in the sense that when management guides controls around risks that are not going to be the most serious risks to the company, that they end up building excessive amounts of energy and protection where they're not really needed. That you as a management team end up deluding your attention and deluding your resources.”

Howell went on to explain it is simply a matter of resources, “When things do go wrong, you’re in effect spread so thin that you don’t see those risks coming at you. The real question where less is more can be very valuable is when the board continues to challenge the management team on the scenarios that could play out. That could be devastating to an organization where risk really matters.”

I asked Howell if he could provide any discrete examples and he pointed to the food service industry for the following: “For example, in a food service company or a restaurant company, if there were contamination or if there were things that could happen either at the plant or by people who are touching the food. Those are very serious risks that a company needs to both be mindful of and to be able to prevent. If something goes wrong, you need to be able to detect early. When customers of the company or others are hurt, that there’s a consequence of failures that can be devastating.”

In another example Howell said he had seen situations where internal “controls that are used for financial reporting for example, when examined in the light of where the risk really exists for the company, the companies have been able to reduce their controls actually by as many as half and improve their overall control environment and reduce the aggregate risk to the company. It’s interesting that even spending less money on controls by having fewer controls can improve the overall comfort that the company and its management and investors are protected from risk.”

A Board is not simply there to be a rubber stamp for senior management. It must exercise independent judgment, action and oversight. Further, it is the Board’s role to ask hard, difficult and probing questions to make sure management is not only doing its job but has considered other risk possibilities.

Feb 14, 2018

In this episode, Matt Kelly and I go into the weeds on the fascinating subject relating to the intersection of compliance and technology: AI and hotlines. Matt blogged on and podcasted with Scott LaVictor, CEO of Neighborhood Watch for Corporations. His firm has been developing an app to help employees report harassment in a way that is secure and anonymous for them, but useful for compliance officers. We explore how this phone app can assist the compliance practitioner by using technology to overcome the inherent tension in an anonymous reporting system where the reporter may desire anonymity while the CCO wants and needs as much information as possible. 

The hotline app example would seem to incorporate several of these concepts, starting with its incredible ease of use as a phone app. But the AI features allow it to ask the reporter directly for additional information which will be important to the compliance professional. We discussed the following example from Matt’s blog post: “an employee might call a telephone hotline and leave a recorded message, ‘I saw my boss bribing some guy $500 the other day!’ An app could be programmed to ask:

  • What is your boss’s title?
  • Had he met with the other person before?
  • What time of day did the meeting happen?”

We also discuss why, if there were one technology tool for compliance to be bullish about, it is AI. There is an obvious cost saving, but more importantly there is the opportunity for more effective compliance risk management simultaneously with greater business efficiencies. All of this will lead to more profitability that the compliance function can point to going forward. Routine work such as overseeing routine transactions, answering routine questions and extracting data from documents can be moved to a more efficient and useful platform.

For additional reading and listening, see

Matt’s blog post and podcast:

  • Better Whistleblower Reporting

Tom’s blog posts:

  • Using AI in Compliance-Introduction
  • Using AI in Compliance-Design Challenges
  • Using AI in Compliance-Implementation Challenges
  • Using AI in Compliance-AI Projects for Compliance

Feb 13, 2018

We are back with more leadership lessons from Oscar-winning Best Picture movies and today’s offering is the 1981 film Chariots of Fire. It relates the based-on-fact story of two athletes in the 1924 Olympics: Eric Liddell, a devout Scottish Christian who runs for the glory of God, and Harold Abrahams, an English Jew who runs to overcome prejudice. The film was directed by Hugh Hudson. It was nominated for seven Academy Awards and won four, including Best Picture and Best Original Screenplay. The film is also notable for its memorable electronic theme tune by Vangelis, who won the Academy Award for Best Original Score. Its principal stars, Ben Cross and Ian Charleson, starred as Abrahams and Liddell, alongside Ian Holm as Sam Mussabini, Abrahams’ coach. We will consider leadership lessons from these three characters.

Feb 12, 2018

In this episode I visit with Carlos Ayres, partner at Maeda, Ayres and Sarubbi in São Paulo. We visit on the past year in anti-corruption enforcement in Brazil and where it may lead in 2018. Carlos discusses the continued fallout from the Odebrecht corruption scandal across Latin America, with new anti-corruption laws being implemented in Argentina, Peru and Chile. We also discuss what US and UK companies need to do if they are doing business in those countries to protect themselves.

For more on Carlos Ayres and his firm Maeda, Ayres and Sarubbi, check out their website by clicking here.

Feb 10, 2018

In this episode, Jay Rosen and I take a look at some of the top compliance stories over the past week.

  1. What do Steve Wynn’s resignation and Wells Fargo’s continuing problems tell us about corporate governance? Matt Kelly takes a look at Wynn on Radical Compliance. Tom explores the Fed’s penalty levied on Wells Fargo and its Board on the FCPA Compliance Report. They explore the intersection of both on Compliance into the Weeds.
  2. Bill Coffin asks why Wells Fargo, Volkswagen and Samsung are on Fortune’s World’s Most Admired Companies list, in Compliance Week (sub req’d).
  3. Japan is offering leniency deals for companies which provide information on other violations. Michael Griffiths reports in GIR (sub req’d).
  4. Banks behaving badly. Dick Cassin on Rabobank’s guilty plea and $369MM forfeiture for laundering Mexican drug money. Jessica Tillipman and Samantha Bland ask whether $4.8bn in penalties has deterred HSBC. Both articles appear in the FCPA Blog. Sam Rubenfeld weighs in on Rabobank in the WSJ Risk and Compliance Journal.
  5. Both the UK Serious Fraud Office and the US Justice Department and SEC reopen their investigations into allegations of GSK corruption in China. Henry Cutter reports on the UK reopening in the Wall Street Journal Risk and Compliance Report. Dick Cassin considers the US reopening in the FCPA Blog.
  6. Why does the ABA oppose transparency in anti-money laundering law reform? Matthew Stephenson asks in the Global Anti-Corruption Blog.
  7. The Pentagon loses some money ($$millions really). Brian Bender reports in Politico.
  8. Tom announces presales of his next book, the Complete Compliance Handbook, which will be published by Compliance Week in April 2018. You can find out more on his website by clicking here.
  9. Join Tom and Jonathan Marks at their next Compliance Master Class, sponsored by Marcum LLP. It will be held on February 12 & 13 at Marcum’s offices in Miami, FL. More information, a copy of the agenda, or registration will be available on Tom’s website, FCPA Compliance Report, or at Marcum LLP.
  10. The lads reflect on the Super Bowl win by the Eagles over the Patriots.
Feb 8, 2018

In this episode, Matt Kelly and I take a deep dive into the events which led to the resignation of Steve Wynn as the CEO and Chairman of Wynn Casinos for sexual harassment and misconduct. We consider how quickly the scandal escalated after it was initially reported by the Wall Street Journal and the response (or lack thereof) by the Board of Directors to Wynn’s conduct which had been an open secret for almost 20 years. We review what structural inputs a company should have in place when it has a true charismatic leader. We consider the role of the Board of Directors in light of the recent Wells Fargo penalty levied by the Federal Reserve to limit growth and require the Wells Fargo Board to refocus its efforts on more robust corporate risk management.

For more on the Wynn scandal and corporate governance, see Matt’s blog post So Much Wynning You Can’t Stand It

For more on the Federal Reserve’s penalty on Wells Fargo and the Board of Directors’ need for a compliance professional on the Board, see Tom’s blog post, Wells Fargo, Put a Compliance Professional on Your Board.

Feb 6, 2018

In this episode I visit with Dr. Marsha Ershaghi Hames, Managing Director, Strategy Development at LRN. We discuss the national conversation about sexual harassment which has been ongoing from Weinstein to #MeToo. How has this awareness of sexual harassment changed the corporate conversation? Dr. Ershaghi Hames has written the article The Value in Having a Difficult Conversation. We explore why she wrote it and why now is the time to have that conversation. We also consider the role of senior management in that conversation. What is the role of compliance? How should supervisors, managers and co-workers be trained to report harassment they might observe happening to others or that others report to them?

Feb 2, 2018

In this episode, Jay Rosen and I take a look at some of the top compliance stories over the past week, including:

  1. Justice Department Escalates Inquiry on Global Sports Corruption. Rebecca Ruiz reports in the New York Times. Andy Spalding comments in the FCPA Blog.
  2. On his Conflicts of Interest Blog, Jeff Kaplan discusses a new review of the Wells Fargo scandal.
  3. COSO gets a new chairman and may consider internal controls guidance. Tammy Whitehouse reports in Compliance Week (sub req’d). Matt Kelly details it in Radical Compliance.
  4. Jonathan Marks considers whether the roles of the GC and CCO should be split, in his Board and Fraud blog.
  5. The US becomes the second largest home of tax havens (although Trump says we’re No. 1). Sam Rubenfeld reports in the Wall Street Journal Risk and Compliance Report. The issue is impacting home sales in Houston. See the article in the Houston Chronicle.
  6. Ben DiPietro considers when a company should use its CEO as the point spokesperson during a crisis, in the WSJ Risk and Compliance Report.
  7. An article in GIR reviews SFO Director David Green’s call for the UK defence bar to embrace artificial intelligence and his statement that the authority will use the newly-enacted unexplained wealth orders in corruption cases. See the article by Waithera Junghae (sub req’d).
  8. Tom announces presales of his next book, the Complete Compliance Handbook, which will be published by Compliance Week in April 2018. You can find out more on his website by clicking here.
  9. Join Tom and Jonathan Marks at their next Compliance Master Class, sponsored by Marcum LLP. It will be held on February 12 & 13 at Marcum’s offices in Miami, FL. More information, a copy of the agenda, or registration will be available on Tom’s website, FCPA Compliance Report, or at Marcum LLP.
  10. Tom announces his new podcast series Countdown to GDPR with Jonathan Armstrong. It will be a monthly series for the US compliance practitioner about how to prepare for the upcoming go live of GDPR in May, 2018.
  11. Tom and Jay announce their Super Bowl predictions.
Jan 31, 2018

In this episode Matt Kelly and I take a deep dive into the weeds of the recent remarks by Neomi Rao, head of the Office of Information and Regulatory Affairs (OIRA), the Administration’s top regulatory review office, outlining ambitious plans for more deregulation in 2018 — including efforts to sweep independent federal agencies into her purview and to crack down on the “sub-regulatory” guidance that corporate compliance professionals consume all the time. The talk was given before the Brookings Institution, and she touted the 2-for-1 kill order for new regulations the Administration heralded last year and claimed that over 1500 planned regulations had been pulled from review.

For the compliance practitioner, this may all be much ado about nothing; or, more simply, Rao and the Administration are simply Waiting for Godot to arrive, as both the SEC and regulations relevant to military, national security, or foreign policy are exempt. New regulations required by statute are also exempt from the guillotine of which Rao speaks. However, it does cause one to ponder whether the 2012 FCPA Guidance and the 2017 Evaluation of Corporate Compliance Programs would have been released under this new system of hara-kiri.

Matt and I explore the difference between proposing to repeal two rules and actually repealing them, as those proposed repeals must go through the usual public comment and review process. We also discuss how the Administration’s approach hurts businesses by removing a source of practical guidance from the general public. Think about how the business community clamored prior to 2012 for specific guidance from both the SEC and the Justice Department on what constituted a best practices compliance program. Finally, we consider whether there is any positive effect at all for business and the American public in not being given guidance by the government.

For more information see Matt Kelly’s post Regulatory Czar Eyes Agency Guidance

Jan 31, 2018

I hope you have enjoyed this 31-day series on how to design, create and implement a best practices compliance program. These blog posts and podcasts over the past 13 months will form the basis of my next book The Complete Compliance Handbook which will be published by Compliance Week in April, 2018. It will be the most up-to-date handbook for every compliance practitioner, including the most recent Department of Justice pronouncements on what constitutes a best practices compliance program, in the FCPA Corporate Enforcement Policy and the Evaluation of Corporate Compliance Programs. I know you will find it useful.

I next want to take a deep dive and exploration of the levels of due diligence. Due diligence is generally recognized in three levels: Level I, Level II and Level III. Each level is appropriate for a different level of corruption risk. The key is for you to develop a mechanism to determine the appropriate level of due diligence and then implement that going forward.

Under the Evaluation of Corporate Compliance Programs (Evaluation), Prong 10, Third Party Management: Risk-Based and Integrated Processes, states: How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes?

The question becomes how you use the information obtained in the business justification and the questionnaire to determine an appropriate level of due diligence for the next step in the five-step process of third-party management. A three-step approach of varying levels of due diligence is the appropriate analysis to take going forward.

A three-step approach was discussed favorably in Opinion Release 10-02. In this Opinion Release, the Department of Justice (DOJ) discussed the due diligence that the requesting entity performed. This Opinion Release sets out a clear break which every compliance practitioner should use in considering an appropriate level of due diligence to engage with your third-party risk management process or when considering the level of due diligence required on a potential business venture partner. I break due diligence down into three stages: Level I, Level II and Level III. A very good description of the three levels of due diligence was presented by Candice Tal in an article entitled “Deep Level Due Diligence: What You Need to Know”.

Level I

First level due diligence typically consists of checking individual names and company names through several hundred Global Watch lists comprised of anti-money laundering (AML), anti-bribery, sanctions lists, coupled with other financial corruption and criminal databases. These global lists create a useful first-level screening tool to detect potential red flags for corrupt activities. It is also a very inexpensive first step in compliance from an investigative viewpoint. Tal believes that this basic Level I due diligence is extremely important for companies to complement their compliance policies and procedures; demonstrating a broad intent to actively comply with international regulatory requirements.

Level II

Level II due diligence encompasses supplementing these Global Watch lists with a deeper screening of international media, typically the major newspapers and periodicals from all countries, plus detailed internet searches. Such inquiries will often reveal other forms of corruption-related information and may expose undisclosed or hidden information about the company, the third party’s key executives and associated parties. I believe that Level II should also include an in-country database search regarding the third party. Some of the other types of information that you should consider obtaining are: country-of-domicile and international government records; assessments of the third party from in-country sources; international derogatory electronic and physical media searches, run in both English and foreign-language repositories, on the third party in its country of domicile; and, if you are in a specific industry, sector-specific information obtained through technical specialists.

Level III

This level is the deep dive. It will require an in-country ‘boots-on-the-ground’ investigation. I agree with Tal that a Level III due diligence investigation is designed to supply your company “with a comprehensive analysis of all available public records data supplemented with detailed field intelligence to identify known and more importantly unknown conditions. Seasoned investigators who know the local language and are familiar with local politics bring an extra layer of depth assessment to an in-country investigation.” Further, the “Direction of the work and analyzing the resulting data is often critical to a successful outcome; and key to understanding the results both from a technical perspective and understanding what the results mean in plain English.  Investigative reports should include actionable recommendations based on clearly defined assumptions or preferably well-developed factual data points.”

But more than simply an investigation of the company, critically including a site visit coupled with onsite interviews, Tal says that some other things you investigate include “an in-depth background check of key executives or principal players. These are not routine employment-type background checks, which are simply designed to confirm existing information; but rather executive due diligence checks designed to investigate hidden, secret or undisclosed information about that individual.” Tal believes that such checks should cover “Reputational information, involvement in other businesses, direct or indirect involvement in other law suits, history of litigious and other lifestyle behaviors which can adversely affect your business, and public perceptions of impropriety, should they be disclosed publicly.”

Further, you may need to engage a foreign law firm to investigate the third party in its home country to determine its compliance with its home country’s laws, licensing requirements and regulations. Lastly, and perhaps most importantly, you should use a Level III to look the proposed third party in the eye and get a firm idea of his or her cooperation and attitude towards compliance, as one of the most important inquiries is not legal but is based upon the response and cooperation of the third party. More than simply trying to determine whether the third party objected to any portion of the due diligence process or to the scope, coverage or purpose of the Foreign Corrupt Practices Act (FCPA), you can use a Level III to determine whether the third party is willing to stand up with you under the FCPA and whether you are willing to partner with the third party.

There are many different approaches to the specifics of due diligence. By laying out some of the approaches, you can craft the relevant portions into your program. The Level I, II & III trichotomy appears to have the greatest favor and one that you should be able to implement in a straightforward manner. But the key is that you must assess your company’s risk and then manage that risk. If you need to perform additional due diligence to answer questions or clear red flags you should do so. And do not forget to Document Document Document all your due diligence. 

Three Key Takeaways

  1. A Level I due diligence should only be used where there is a low risk of corruption.
  2. A Level II due diligence is sufficient in a high-risk jurisdiction if there are no red flags to clear.
  3. A Level III due diligence is a deep-dive, boots-on-the-ground investigation.

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to

Jan 30, 2018

We previously considered the Prong in the Evaluation of Corporate Compliance Programs which was not present in the Ten Hallmarks of an Effective Compliance Program, that being root cause analysis. This addition was also carried forward as a requirement in the Department of Justice’s new FCPA Corporate Enforcement Policy. I want to consider how you should utilize the results of a root cause analysis in remediating a compliance program.

Under Prong 1 Analysis and Remediation of Underlying Misconduct, the Evaluation stated: 

Remediation – What specific changes has the company made to reduce the risk that the same or similar issues will not occur in the future? What specific remediation has addressed the issues identified in the root cause and missed opportunity analysis? The new Department of Justice (DOJ) FCPA Corporate Enforcement Policy brought forward this requirement for a root cause analysis with the following language: “Demonstration of thorough analysis of causes of underlying conduct (i.e., a root cause analysis) and, where appropriate, remediation to address the root causes;”. 

I begin with the question of who should perform the remediation: should it be the investigator or investigative team that was a part of the root cause analysis? I put this question to well-known fraud expert Jonathan Marks, a partner at Marcum LLP, who believes the key is both “independence and objectivity”. It may be that an investigator or investigative team is a subject matter expert and “therefore more qualified to get that particular recourse.” Yet to perform the remediation, the key is to integrate the information developed from the root cause analysis into the solution.


Ben Locwin considered it from the ‘blame’ angle, when he wrote “Simply ‘cataloguing’ and ‘assigning cause’ to a defect or error is not compliance. Compliance presumes systems and processes are designed to adhere to regulatory pronouncements. Selecting ‘human error’ from a dropdown list and assigning it as root cause means that user is accountable for having thoroughly investigated the causal factors of the error or defect, identifying and determining which root cause(s) are most likely, according to the preponderance of evidence, to have been associated with the defect. This means the person selecting the root cause has actually performed 5 Whys, fishbone diagram analysis, human factors analysis, fault tree analysis, and/or many other tools for actually determining root cause(s).”

Locwin went on to state that, since it is “unlikely that the real cause of the deviation was human error, it makes sense to adopt the lean manufacturing principle of a no-blame culture. Use an error as an opportunity for elevating your company’s problem-solving processes; don’t think of it as an annoyance that must be rapidly misclassified and pushed into the deviation process black box.

This means not blaming some individuals and terminating them but actually fixing the broken compliance systems which allowed the violation in the first place.”

As required under the Evaluation, from the regulatory perspective the critical element is how you used the information you developed in the root cause analysis. Every time you see a problem as a compliance officer, you should perform a root cause analysis. Was something approved or not approved before the untoward event happened? Was any harm done? Why or why not? Why did that system fail? Was it because the person doing the approval was too busy? Was it because people didn’t understand? It is in answering these and other questions developed through a root cause analysis that you can bring real value and real solutions to your compliance program.


The key is that after you have identified the causes of problems, you consider the solutions that can be implemented by developing a logical approach, using data that already exists in the organization. Identify current and future needs for organizational improvement. Your solution should be a repeatable, step-by-step process, in which one step can confirm the results of another. Focusing corrective measures on root causes is more effective than simply treating the symptoms of a problem or event, and it leaves you with a much more robust solution in place. This is because solutions are more effective when reached through a systematic process, with conclusions backed up by evidence.

Three Key Takeaways

  1. An effective system of internal controls provides reasonable assurance of achievement of the company’s objectives relating to operations, reporting and compliance.
  2. There are two over-arching requirements for effective internal controls. First, each of the five components is present and functioning. Second, the five components are operating together in an integrated approach.
  3. For an anti-corruption compliance program, you can use the Ten Hallmarks of an Effective Compliance Program as the guide to test against.

Jan 30, 2018

Welcome to Episode 9 of the Compliance Man Goes Global podcast, from the FCPA Compliance Report International Edition. In this episode, we focus on things which actually could kill compliance in an organization. We explore this matter in plain language, so to say, and in a simple game form. Moreover, to make the podcast handier and more appealing, we attach the respective illustration from the Compliance Man illustrated series, created by Timur Khasanov-Batirov.

For those of our listeners who are not aware of our format: in each podcast, we take two typical concepts, or more accurately misconceptions, from the in-house compliance perspective. We check whether these concepts work in emerging jurisdictions. For each podcast, we divide the roles; Timur is a practitioner who focuses on embedding compliance programs in high-risk markets. One of us advocates the concept, identifying the pros. The second compliance man provides arguments finding the cons and tries to convince the audience that we face a pure myth. As a result, we hopefully come up with some practical solutions for in-house compliance practitioners.

Myth #1 Absence of support from top management could kill compliance as a concept in the organization. Tim, would you agree with this statement? 

Tim Khasanov-Batirov: I think we should define whom we consider top management and what we mean by support. If we start with the question of top management, I would think that there is no need to expect appreciation or a kind attitude to compliance from everyone among senior management. It will never happen. You obviously want to have an understanding of what you have been doing among your company’s decision-makers. Still, it does not lead to full support in everything a compliance officer is proposing. I believe it is about values. If key stakeholders appreciate integrity and compliance, that is something which really matters for a compliance officer.


The second question is about support. Based on my practice, there is no way to have daily support from everyone in the organization. If a compliance person maintains good working relations with employees from different levels of the corporate hierarchy, that makes operationalization of the compliance program more effective. What is your opinion, Tom?

Tom: A couple of things come to my mind, Tim. First and foremost, there are several key reasons why top management support is more than simply critical; it is mandatory. It is senior management that sets the priorities of a company, and if they are not committed to compliance and ethics, everyone in the organization will understand it. I often provide the example of a Regional VP who said the following: If I violate the Code of Conduct, I may or may not be caught; if I violate the Code of Conduct and am caught, I may or may not be disciplined; if I miss my numbers for two quarters, I will be fired. If senior management focuses only on numbers, that will be communicated throughout the organization.

Yet another key issue I would like to touch upon is the question of trust. When a compliance officer is promoting a compliance initiative across the organization, they could be successful if employees embrace it. He has to demonstrate that they are doing the right thing rather than just executing corporate compliance requirements. You can achieve this result if people trust you. If there is no trust, neither senior management nor employees will support compliance. What must a compliance officer do to get trust? Just be risk-oriented, try to suggest ethical solutions to achieve business tasks, be open-minded, and be interested in corporate processes. In other words, you must operationalize compliance to make it a part of the very DNA of your organization. You have to become a trustworthy partner in order to get the level of support required for effective execution of the corporate compliance program.

Myth #2. Bad corporate culture can kill Compliance in the organization. Tim, will you agree with this concept?

Tim: I agree that a culture of non-compliance could kill the compliance idea in the organization. I believe that no matter if it is a big corporation or a small firm, the culture starts from the CEO. There is always someone in the organization who is not a fan of compliance. It is fine, unless the CEO himself does not support ethics. In this case, you have no chance to survive. In our attached issue of the Compliance Man illustrated series, we have depicted challenges which compliance professionals face. However, in my view, issues like a decrease in the department’s headcount or budget are something which cannot stop a compliance officer.

Tom: I believe that a strong ethical culture is a key factor for building a solid compliance program. From a practical perspective, I think surveying personnel about their attitude towards integrity could give you a real picture of the state of culture in your organization. Another point to mention is the necessity to understand the views of managers who, due to their job responsibilities, pose compliance risks, those in high-risk positions. These may be heads of construction or procurement teams, as they interact with governmental officials. In the ideal scenario, they share your values or at least strictly follow the respective compliance procedures. In the worst case, your efforts in embedding the compliance program could be diminished by ignorance from actors which play a critical role in its effectiveness.

Thus, as key takeaways from today’s discussion, which is inspired by Sia’s famous video “Unstoppable”, I think we can mention the following:

  • A compliance officer should be ready to overcome difficulties at all stages of compliance program execution. The best way to do it is to obtain trust from key stakeholders, win minds and hearts for compliance and never give up. Just be unstoppable.

Tom Fox and Tim Khasanov-Batirov are here for you. Join us for the next episode of Compliance Man Goes Global, from the FCPA Compliance Report International Edition. Come bust more corporate compliance myths with us.

Jan 29, 2018

One new and different item was laid out in the Evaluation of Corporate Compliance Programs, supplementing the Ten Hallmarks of an Effective Compliance Program from the 2012 FCPA Guidance. This was the performance of a root cause analysis for any compliance violation which may have led to a self-disclosure or enforcement action. Under Prong 1, Analysis and Remediation of Underlying Misconduct, the Evaluation stated:

Root Cause Analysis – What is the company’s root cause analysis of the misconduct at issue? What systemic issues were identified? Who in the company was involved in making the analysis?

Prior Indications – Were there prior opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures or allegations, complaints, or investigations involving similar issues? What is the company’s analysis of why such opportunities were missed?

The new Department of Justice (DOJ) FCPA Corporate Enforcement Policy brought forward this requirement for a root cause analysis with the following language: “Demonstration of thorough analysis of causes of underlying conduct (i.e., a root cause analysis) and, where appropriate, remediation to address the root causes;”. 

The site has defined root cause analysis as “The purpose of root cause analysis is to strike at the root of a problem by finding and resolving its root causes. Root cause analysis is a class of problem solving methods aimed at identifying the root causes of problems or events. ... The practice of root cause analysis is predicated on the belief that problems are best solved by attempting to correct or eliminate root causes, as opposed to merely addressing the immediately obvious symptoms.” 

Well-known fraud investigator Jonathan Marks has noted that a root cause analysis “is a research-based approach to identifying the bottom-line reason of a problem or an issue; with the root cause, not the proximate cause, representing the source of the problem.” He contrasted this definition with that of a risk assessment, which he said “is something performed on a proactive basis based on various facts. A root cause analysis analyzes a problem that (hopefully) was previously identified through a risk assessment.”

Marks also contrasted a root cause analysis with an investigation. He noted, “in an investigation we are trying to either prove or disprove an allegation.” This means that in a compliance investigation you may be trying to prove or disprove that certain transactions could form the basis of a corrupt payment or bribe, by garnering evidence to either support or refute a specific allegation or allegations. The investigation does not assess blame, and that is the point where a root cause analysis should follow, to determine how the compliance failure occurred or was allowed to occur.

There is no one formula for performing a root cause analysis. One approach articulated by Marks is the Five Whys. As he explained, “Early questions are usually superficial, obvious; the later ones more substantive.” Borrowing from Six Sigma, the site describes this approach as follows: “By repeatedly asking the question “Why” (five is a good rule of thumb), you can peel away the layers of symptoms which can lead to the root cause of a problem. Very often the ostensible reason for a problem will lead you to another question. Although this technique is called “5 Whys,” you may find that you will need to ask the question fewer or more times than five before you find the issue related to a problem.”

Yet another approach was suggested by risk management expert Ben Locwin in an article entitled “‘Human Error’ Deviations: How You Can Stop Creating (Most Of) Them”. It is the “Fishbone Diagram”, also known as the “Ishikawa diagram” after its progenitor, Kaoru Ishikawa, and so named because it looks like the skeleton of a fish. Locwin noted that “You put the problem statement at the “head” of the fish, and the causal factor categories as the “ribs” (remember, fish have cartilage, not bone, so these categories can be adjusted to suit your needs). By having a working group list causal factors under each category, you begin to develop a visual of how many things could contribute to your main effect (the problem statement).”

The bottom line is that there are multiple ways to perform a root cause analysis. However, it is not simply a matter of sitting down and asking a multitude of questions. You need to have an operational understanding of how a business operates and how it has developed its customer base. Overlay on that the need to understand what makes an effective compliance program, with the skepticism an auditor should bring, so that you do not simply accept an answer which is provided to you, as you might in an internal investigation. Marks noted, “a root cause analysis is not something where you can just go ask the five whys. You need these trained professionals who really understand what they're doing.”

Three Key Takeaways

  1. A root cause analysis is now required if you have a reportable compliance failure.
  2. There is no one process for performing a root cause analysis. You should select the one which works for you and follow it.
  3. To properly perform a root cause analysis, you need trained professionals who really understand what they are doing.

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to


Jan 28, 2018

Your company has just made its largest acquisition ever and your Chief Executive Officer (CEO) says that he wants a compliance post-acquisition integration plan on his desk in one week. Where do you begin? Of course, you think about the 2012 FCPA Guidance language which stated, “pre-acquisition due diligence, however, is normally only a portion of the compliance process for mergers and acquisitions. DOJ and SEC evaluate whether the acquiring company promptly incorporated the acquired company into all of its internal controls, including its compliance program. Companies should consider training new employees, reevaluating third parties under company standards, and, where appropriate, conducting audits on new business units.” You also recall that the 2012 Guidance did not include the timelines established in the previous enforcement actions involving Johnson & Johnson (J&J) and Data Systems & Solutions LLC and in Opinion Release 08-02, the Halliburton Opinion Release. Yet you do remember the FCPA M&A Box Score Summary of Opinion Releases and enforcement actions regarding M&A issues.

You are also aware of the language from the Evaluation of Corporate Compliance Programs about mergers and acquisitions (M&A), which reads under Prong 11, Mergers and Acquisitions:

Integration in the M&A Process – How has the compliance function been integrated into the merger, acquisition, and integration process?

Process Connecting Due Diligence to Implementation – What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process? What has been the company’s process for implementing compliance policies and procedures at new entities?

Yet what many compliance professionals struggle with is how to perform these post-acquisition compliance integrations. In a Harvard Business Review article entitled “Two Routes to Resilience”, Clark Gilbert, Matthew Eyring and Richard Foster wrote about business transformation in terms that speak directly to the compliance practitioner and help create a post-acquisition integration game plan.

Anyone who has gone through a large merger or acquisition knows how terrifying it can be for the individual employee. Many people, particularly at the acquired company, will be fearful of losing their jobs. This fear, misplaced or well-founded, can lead to many difficulties in the integration process. Creating a Compliance Capabilities Exchange process allows “the two organizations to live together and share strengths” and coordinates “the two transformational efforts so that each gets what it needs and is protected from [unwanted] interference by the other.” There are five steps in this process.

  1. Establish Compliance Leadership. This may be the “simplest step but also the one most open to abuse.” The process should be run by just a few top people: the Chief Executive Officer, Chief Financial Officer and Chief Compliance Officer of the acquiring company and their counterparts from the acquired company.
  2. Identify the compliance resources the two organizations can or need to share. Hopefully the acquiring organization will have some idea of the state of the target’s compliance program before the deal is closed. It may be that some or all of a minimum best practices compliance program is in place.
  3. Create Compliance Capability Exchange Teams. In many “synergy efforts, everyone is expected to think about ways resources might be shared.” Senior leadership should create compliance teams by assigning a small number of people from both entities the responsibility of allocating the resources used in the integration project.
  4. Protect Boundaries. This one is tricky, as employees from the former target may not want to move forward with the integration, for fear of losing their jobs or some other reason. There may be internal disputes as to which group should handle an issue going forward. Once again, the Leadership Team must step in and referee disputes decisively if required.
  5. Scale up and promote the new compliance program. It is important to celebrate and promote the new entity to the acquiring company, others in the company and even external stakeholders. It is important that markets and others in the same or similar industry see this evolution and growth.

The bottom line is that you must train the newly acquired employees, reevaluate third parties under your company standards, and conduct compliance audits on new business units. This process should be based on your pre-acquisition due diligence and risk assessment. Moreover, the Justice Department and SEC clearly view the pre- and post-acquisition phases of mergers and acquisitions as tied together in a single continuum. If pre-acquisition due diligence is not possible, you should follow the requirements and time frames laid out in Opinion Procedure Release No. 08-02, which, as the 2012 FCPA Guidance noted, is the release “pursuant to which companies can nevertheless be rewarded if they choose to conduct thorough post-acquisition FCPA due diligence.”

Three Key Takeaways

  1. Planning is critical in the post-acquisition phase.
  2. Build upon what you learned in pre-acquisition due diligence.
  3. You literally need to be ready to hit the ground running when a transaction closes. 

Jan 27, 2018

In this special Supplemental edition Jay Rosen reports on Friday’s SCCE Southern California Regional Compliance and Ethics Conference. The topics he highlights are: 

  1. GDPR update by Megan Duffy and Dominique Shelton.
  2. Engaging your Board of Directors by Malissia Clinton and Dixie Johnson.
  3. How compliance training has morphed, and marketing and communication are now more impactful than training alone by Marsh Ershaghi-Hames.
  4. High risk FCPA Markets by Brian Michael, Tedra Foster and Julie Myers Wood.
  5. The networking and breadth of the attendees.
  6. Jay gives a full report on LinkedIn, review by clicking here.

Jan 27, 2018

The 2012 FCPA Guidance stated, “A company that does not perform adequate FCPA due diligence prior to a merger or acquisition may face both legal and business risks. Perhaps most commonly, inadequate due diligence can allow a course of bribery to continue—with all the attendant harms to a business’s profitability and reputation, as well as potential civil and criminal liability.” While most compliance practitioners have long been aware of the requirement in the post-acquisition context, the 2012 FCPA Guidance focused many compliance practitioners on the need to engage in robust pre-acquisition due diligence.

Under Prong 11, Mergers and Acquisitions, there was a series of queries which tied together pre-acquisition due diligence and post-acquisition integration:

Due Diligence Process – Was the misconduct or the risk of misconduct identified during due diligence? Who conducted the risk review for the acquired/merged entities and how was it done? What has been the M&A due diligence process generally?

The pre-acquisition process was then tied to post-acquisition with the following:

Process Connecting Due Diligence to Implementation – What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process? What has been the company’s process for implementing compliance policies and procedures at new entities?

The 2012 FCPA Guidance emphasized the pre-acquisition phase, and the Evaluation took a deeper dive into the need for the compliance component of your mergers and acquisitions regime to begin with a preliminary pre-acquisition assessment of risk. Such an early assessment will inform the transaction research and evaluation phases. This could include an objective view of the risks faced and the level of risk exposure, such as best/worst case scenarios. A pre-acquisition risk assessment could also be used as a “lens through which to view the feasibility of the business strategy” and help to value the potential target.

The next step is to develop the risk assessment as a base document. From this document, you should be able to prepare a focused series of queries and requests to be put to the target company. Thereafter, company management can use this pre-acquisition risk assessment to ascertain what might be required in the way of post-acquisition integration. It would also help to inform how the corporate and business functions may be affected. It should also assist in planning for the timing and anticipating the overall expenses involved in post-acquisition integration. These costs are not insignificant and they should be thoroughly evaluated in the decision-making calculus.

There are multiple red flags which could be raised in this process and which would warrant further investigation. They include the target having ineffective elements in its compliance program, or frequent breaches of policies and procedures. Obviously, a target which is in financial difficulty would bear closer scrutiny from the compliance perspective. Structurally, if the company did not have a formal ethics and compliance committee at the senior management or Board of Directors level, this could present issues. From the CCO perspective, if the position did not have Board access or CEO access, or if there were not regular reports to the Board, it could present an issue for compliance. Similarly, frequent requests to waive policies, management over-ride of compliance controls or no consistent consequence management for violations would present clear red flags for further investigation.

Three Key Takeaways

  1. The results of your pre-acquisition due diligence will inform your post-acquisition integration and remediation going forward.
  2. Periodically review your M&A due diligence protocol.
  3. If red flags appear in pre-acquisition due diligence, they should be cleared.

Jan 26, 2018

In this episode, Jay Rosen and I take a look at some of the top compliance stories over the past week.

  1. The government indicts 5 KPMG partners and one former PCAOB professional for tipping the firm off about upcoming reviews of KPMG audits. Matt Kelly discusses it in Radical Compliance. Francine McKenna reports in MarketWatch. Tom considers the matter in the FCPA Compliance Blog. Tammy Whitehouse asks if audit results should be restated, in Compliance Week. Finally, go into the weeds with Tom and Matt Kelly in Compliance into the Weeds, Episode 67.
  2. Mike Volkov suggests that CCOs renew Corporate Vows to the Chief Compliance Offi
  3. Dick Cassin considers whether employees are measuring up to the aspirations set in their corporate Code of Conduct, in the FCPA Blog. Taking an AI angle, Sam Rubenfeld reports how Accenture uses bots to bring its Code of Conduct to employees, in the WSJ Risk and Compliance Journal.
  4. Jonathan Marks writes about the Board of Directors Guide to FCPA Compliance, in his Board and Fraud
  5. Is your compliance function a part of your pre-acquisition M&A team? Henry Cutter explores this issue in the Wall Street Journal Risk and Compliance Report.
  6. Eric Newcomer and Brad Stone have a terrifying story you cannot put down about the fall of Travis Kalanick. They report in Bloomberg Business Week.
  7. Vince Walden writes about preventing fraud, enhancing compliance using digital twins. His article appears in
  8. Join Tom’s monthly podcast series on One Month to a More Effective Compliance Program, sponsored this month by Convercent. In January, I bring together the entire year of compliance program best practices with 31 days to a more effective compliance program. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
  9. Tom announces his next Compliance Master Class, sponsored by Marcum LLP. It will be held on February 12 & 13 at Marcum’s offices in Miami, FL. More information or a copy of the agenda, or to register, will be available on my website, FCPA Compliance Report or at Marcum LLP.
  10. Join Tom at the SCCE Utilities and Energy Conference in DC on February 4-7. For registration and information click

Jan 26, 2018

One of the new areas articulated in the Evaluation of Corporate Compliance Programs was payments and payroll. For both the compliance professional and the corporate payroll function, there is a significant role for payroll in the operationalization of a corporate compliance program.

It is found in Prong 4, “Operational Integration”, which is the section that includes who is responsible for integrating your policies and procedures throughout your organization, what internal controls are in place and specific inquiries into the role of the company payment system in any Foreign Corrupt Practices Act (FCPA) violation and how oversight is dedicated in your organization. The questions posed are, “Payment Systems – How was the misconduct in question funded (e.g., purchase orders, employee reimbursements, discounts, petty cash)? What processes could have prevented or detected improper access to these funds? Have those processes been improved?” This is immediately followed by an equally important set of questions, “Approval/Certification Process – How have those with approval authority or certification responsibilities in the processes relevant to the misconduct known what to look for, and when and how to escalate concerns? What steps have been taken to remedy any failures identified in this process?” Finally, the questions around payment systems are preceded by the following, “Controls – What controls failed or were absent that would have detected or prevented the misconduct? Are they there now?”

Taken together, these three groups of questions may not seem particularly new, innovative or even different from what payroll currently does for an organization. However, the Evaluation, with its emphasis on the operationalization of a corporate compliance program, clearly demonstrates the role of payroll in compliance. The Evaluation requires not only that payroll form a part of any best practices compliance program but also, when it comes to its specific subject matter expertise (SME), that payroll be on the front lines of any attempt to prevent, detect and then remediate anti-corruption compliance violations.

This means not only that payroll can be one of the compliance function’s strongest corporate allies, but that the role of payroll, by its nature, works to operationalize compliance. This is because, to implement the appropriate internal controls around compliance, payroll must know the specific requirements of the FCPA and what kinds of issues are likely to come up that might create a risk of bribery and corruption, all leading to an understanding of the appropriate compliance internal controls to implement around payroll and payments.

This is most particularly true around offshore payments, which are generally defined as payments made to a location other than the home domicile of the party or the location where the services were delivered. If a Tunisian agent who performs services in Dubai asks for payment in a location other than Dubai or Tunisia, that would qualify as an offshore payment. If you train the people in payroll on this issue, they may well pick up the phone and notify compliance when they see a request for payment in a geographic location separate and apart from one of the two standard payment venues. Those are the types of communications which, when properly documented, demonstrate that your compliance program is operationalized into the fabric of the organization.
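As an added example, not code from this page or from any payroll or compliance vendor, the following Python turns the offshore-payment rule above into a detection check that payroll could run over a batch of payment requests before release. It assumes a simple request record carrying the payee’s home domicile, the country where the services were delivered and the country of the account to be paid, all as ISO 3166-1 alpha-2 codes; the field names, the payees and the sample batch are constructed for illustration. It also handles the case the paragraph does not spell out: a request whose payment country was never captured is escalated rather than silently cleared.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PaymentRequest:
    """A payment request to a third party. Field names are assumed for this example.

    Country fields are ISO 3166-1 alpha-2 codes; None means the value was not captured.
    """
    payee: str
    domicile: Optional[str]         # home domicile of the party being paid
    service_country: Optional[str]  # where the services were actually delivered
    payment_country: Optional[str]  # country of the bank account the payee wants paid
    amount: float


def _norm(code: Optional[str]) -> Optional[str]:
    """Upper-case and strip a country code; blank or None means 'not captured'."""
    if code is None:
        return None
    code = code.strip().upper()
    return code or None


def offshore_reason(req: PaymentRequest) -> Optional[str]:
    """Return an escalation reason for an offshore payment, or None if the request
    pays into one of the two expected venues (payee domicile or service location)."""
    domicile = _norm(req.domicile)
    service = _norm(req.service_country)
    payment = _norm(req.payment_country)

    # Edge case: with no payment country, or neither reference country, the venue
    # cannot be verified. Escalate rather than let the request pass by default.
    if payment is None or (domicile is None and service is None):
        return "country data incomplete; payment venue cannot be verified"

    allowed = {c for c in (domicile, service) if c is not None}
    if payment not in allowed:
        return (f"payment routed to {payment}, outside payee domicile "
                f"{domicile or 'unknown'} and service location {service or 'unknown'}")
    return None


def flag_offshore_payments(requests: List[PaymentRequest]) -> List[Tuple[PaymentRequest, str]]:
    """Return every request payroll should hold and refer to compliance, with the reason."""
    flagged = []
    for req in requests:
        reason = offshore_reason(req)
        if reason is not None:
            flagged.append((req, reason))
    return flagged


# Constructed sample batch; payees and amounts are fictional.
SAMPLE_REQUESTS = [
    PaymentRequest("Agent A", "TN", "AE", "AE", 12000.0),       # Tunisian agent, worked in Dubai, paid in UAE: fine
    PaymentRequest("Agent A", "TN", "AE", "TN", 12000.0),       # paid at home in Tunisia: fine
    PaymentRequest("Agent A", "TN", "AE", "CH", 12000.0),       # paid in Switzerland: offshore, escalate
    PaymentRequest("Consultant B", "BR", "BR", "KY", 45000.0),  # domestic work, paid in the Cayman Islands: offshore
    PaymentRequest("Distributor C", "MX", "MX", "mx", 8000.0),  # lower-case code normalises to MX: fine
    PaymentRequest("Agent D", "NG", "NG", None, 3000.0),        # payment country never captured: escalate
]


if __name__ == "__main__":
    for req, reason in flag_offshore_payments(SAMPLE_REQUESTS):
        print(f"HOLD {req.payee} {req.amount:,.2f}: {reason}")
```

The check is deliberately narrow: it only asks whether the destination is one of the two venues the text describes, so it is a trigger for the phone call to compliance and the documentation the paragraph asks for, not a substitute for that judgment.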

The role of global payroll in FCPA compliance is not often considered in operationalizing your compliance program, yet the monies to fund bribes in violation of the FCPA must come from somewhere. Unfortunately, one of those places is payroll. All Chief Compliance Officers need to sit down with their head of payroll, have them explain the role of payroll, then review the internal controls in place to see how they facilitate the goals of compliance. From that review, you can then determine how to use payroll to help operationalize your compliance program.

The Department of Justice has now provided its clearest statement on how it expects a company to actually do compliance going forward. Long gone are the days when the DOJ simply considered the inputs of a written program as sufficient to protect companies from FCPA violations. The mandate to operationalize a corporate compliance program drives home the concept that compliance is a business process, which should be administered by the appropriate business unit with the requisite SME. When it comes to following the money, payroll is the corporate discipline best suited to provide this first level of oversight and controls.

Three Key Takeaways

  1. Payroll can be a key prevent and detect control.
  2. The Evaluation specified the tying of the corporate compliance function to the corporate payroll function.
  3. Offshore payments remain a key indicium for a red flag.

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to

Jan 25, 2018

In this episode I visit again with Rakhi Kumar, the Managing Director, Head of ESG and Asset Stewardship at State Street Global Advisors. We discuss the firm’s role in advocating for greater Board of Director diversity. With a campaign which began with the “Fearless Girl” statue on Wall Street, to pushing companies in the US, UK, England, Canada and Japan to include more female candidates at the Board of Director level, SSGA continues to be a leading advocate for a wide variety of Board level ESG issues.

We discuss Kumar’s role as an asset manager for SSGA, why Boards should seek both racial and gender diversity and the results SSGA has seen to date. She also discusses five questions laid out by State Street President and COO Ron O’Hanley for companies to use in thinking through how to improve gender diversity at the Board level. He gave this information in a speech to the fourth biennial Breakfast of Corporate Champions hosted by the Women’s Forum of New York on November 14, 2017.

First, are you assessing unconscious gender bias in the director search and nomination process? And if you think your company is the exception on this issue, you probably haven’t spent enough time examining it. 

Second, are your companies actively assessing the current level of gender diversity within your management ranks? It’s not only about the board. Are you keeping diversity metrics around the percentage of new hires, managers and executives? 

Third, are you acting on those metrics? Are you establishing goals to enhance gender diversity on the board and within senior management? Are you tying those goals to business scorecards, performance and other key metrics? 

Fourth, do you have “diversity champions” on the board and within management? I don’t mean token figureheads — but leaders who are engaged on this issue and who support the initiatives to meet these goals. 

Fifth, is gender diversity something your company actively communicates about to employees, shareholders and the broader public? The conversation about gender diversity in the boardroom shouldn’t be confined to the boardroom. 

For additional information on SSGA’s Board gender diversity efforts, see the following: 

SSGA Report: Q3 Stewardship Activity Report 

Expanding the Call for Board Gender Diversity, speech by Ron O’Hanley

SSGA White Paper: Gender Intelligence: Bridging the Gap with Research, Science and Relevance

Jan 25, 2018

The role of the compliance professional and the compliance function in a corporation has steadily grown in stature and prestige over the years. In the 2012 FCPA Guidance (Guidance), under Hallmark Three of the 10 Hallmarks of an Effective Compliance Program (Hallmarks), the focus was articulated by the title Oversight, Autonomy, and Resources. When it came to the corporate compliance function the Guidance simply noted the government would “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”

This Hallmark was significantly expanded in both the Department of Justice’s (DOJ’s) Evaluation of Corporate Compliance Programs (Evaluation) and the new FCPA Corporate Enforcement Policy (Policy). The Evaluation made the following query about the CCO position: 

  1. Autonomy and Resources 

Compliance Role – Was compliance involved in training and decisions relevant to the misconduct? Did the compliance or relevant control functions (e.g., Legal, Finance, or Audit) ever raise a concern in the area where the misconduct occurred?  

Empowerment – Have there been specific instances where compliance raised concerns or objections in the area in which the wrongdoing occurred? How has the company responded to such compliance concerns? Have there been specific transactions or deals that were stopped, modified, or more closely examined as a result of compliance concerns?  

Funding and Resources – How have decisions been made about the allocation of personnel and resources for the compliance and relevant control functions in light of the company’s risk profile? Have there been times when requests for resources by the compliance and relevant control functions have been denied? If so, how have those decisions been made?  

The Evaluation added one new set of queries based upon the evolution of corporate compliance programs since 2012. 

Outsourced Compliance Functions – Has the company outsourced all or parts of its compliance functions to an external firm or consultant? What has been the rationale for doing so? Who has been involved in the decision to outsource? How has that process been managed (including who oversaw and/or liaised with the external firm/consultant)? What access level does the external firm or consultant have to company information? How has the effectiveness of the outsourced process been assessed? 

In the Policy, the DOJ listed the following as factors relating to a corporate compliance function that it would consider as indicia of an effective compliance and ethics program:

  1. The resources the company has dedicated to compliance;
  2. The quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk;
  3. The authority and independence of the compliance function and the availability of compliance expertise to the board;
  4. The compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors; and
  5. The reporting structure of any compliance personnel employed or contracted by the company.

Funding and Resources

You will now have to justify your corporate compliance spend. This means at a minimum you will have to meet some general industry standard. If a corporation tries to low-ball both the pay of compliance professionals and the dollars and head count made available to a compliance function, it will not be viewed positively. As also noted in the Evaluation, a company must be prepared to defend any request for compliance resources that is turned down. Now such blanket denials by management will be penalized.

Role of Compliance and Empowerment

More than simply throwing money at the compliance function (as if that would ever happen), the DOJ is now inquiring into how the compliance function and its recommendations are treated. If there is a business unit override of compliance decisions, there must be an auditable decision trail. This, of course, is anathema to corporate executives who do not want to put themselves at risk.

Outsourcing of Compliance

This area of compliance practice has arisen largely since the articulation of the Hallmarks in the Guidance. While outsourcing might make sense from a cost perspective, it can be highly problematic if it is not managed properly. Rarely do outsiders have the same access as corporate employees, particularly for a function as important as compliance. Here a company must not only have a rationale in place, which will largely be cost savings; it must also have a mechanism in place to assess, on an ongoing basis, any outsourced compliance function. This will be beyond the reach of probably 99% of the companies engaged in such outsourcing.

The Evaluation and Policy both demonstrate the continued evolution in the thinking of the DOJ around the compliance function. Their articulated inquiries can only strengthen the corporate compliance function specifically and the compliance profession more generally. The more the DOJ talks about the independence of the corporate compliance function, coupled with the resources made available to it and the authority concomitant with it, the more corporations will see it is directly in their interest to provide resources, authority and gravitas to the compliance position in their organizations.

Three Key Takeaways

  1. How is compliance treated in the budget process?
  2. Has your compliance function had any decisions overridden by senior management?
  3. Beware outsourcing of compliance as any such contractor must have access to company documents and personnel.


Jan 24, 2018

The role of the Chief Compliance Officer (CCO) has steadily grown in stature and prestige over the years. In the 2012 FCPA Guidance, under Hallmark Three of the 10 Hallmarks of an Effective Compliance Program, the focus was articulated by the title of the Hallmark, Oversight, Autonomy, and Resources. In it the 2012 FCPA Guidance focused on whether the CCO held senior management status and had a direct reporting line to the Board, stating: “In appraising a compliance program, DOJ and SEC also consider whether a company has assigned responsibility for the oversight and implementation of a company’s compliance program to one or more specific senior executives within an organization. Those individuals must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively. Adequate autonomy generally includes direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors.”

This Hallmark was significantly expanded in both the Evaluation of Corporate Compliance Programs (Evaluation) and the new FCPA Corporate Enforcement Policy (Policy). Over the next two blog posts, I will be considering how the Department of Justice (DOJ) has increased the prestige, authority and role of both the CCO and the corporate compliance function.

The DOJ’s Evaluation of Corporate Compliance Programs made the following query about the CCO position:

  1. Autonomy and Resources 

Stature – How has the compliance function compared with other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources, and access to key decision-makers? What has been the turnover rate for compliance and relevant control function personnel? What role has compliance played in the company’s strategic and operational decisions? 

Autonomy – Have the compliance and relevant control functions had direct reporting lines to anyone on the board of directors? How often do they meet with the board of directors? Are members of the senior management present for these meetings? Who reviewed the performance of the compliance function and what was the review process? Who has determined compensation/bonuses/raises/hiring/termination of compliance officers? Do the compliance and relevant control personnel in the field have reporting lines to headquarters? If not, how has the company ensured their independence?

In the Policy, the DOJ laid out additional factors around CCO authority: 

  1. The quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk;
  2. The authority and independence of the compliance function and the availability of compliance expertise to the board;
  3. The compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors; and
  4. The reporting structure of any compliance personnel employed or contracted by the company.

There is a new requirement for compliance “independence”. The DOJ has not taken a position on whether a General Counsel (GC) can also be the CCO. However, this new language would seem to signal the death knell for the dual GC/CCO role. It may also signal the larger issue that the CCO should have a separate reporting line to the Board, apart from through the GC. While the DOJ’s stated position is that it does not concern itself with whether the CCO reports to the GC or reports independently, it is more concerned about whether the CCO has the voice to go to the Chief Executive Officer (CEO) or Board of Directors directly, not via the GC. Even if the answer were yes, the DOJ would want to know if the CCO has ever exercised that right. Yet the Evaluation comes closer than at any time previously to articulating a DOJ policy that the CCO be independent of the GC’s office. Therefore, if your CCO still reports up through the GC, you must have demonstrable evidence of both CCO independence and actual line-of-sight authority to the Board.

The Evaluation and the Policy build upon the 10 Hallmarks of an Effective Compliance Program and demonstrate the continued evolution in the thinking of the DOJ around the CCO position and the compliance function. Their articulated inquiries can only strengthen the CCO position specifically and the compliance profession more generally. The more the DOJ talks about independence, coupled with the resources made available to the CCO and the authority concomitant with the position, the more corporations will see it is directly in their interest to provide resources, authority and gravitas to compliance positions in their organizations.

Three Key Takeaways

  1. How can you show compliance really has a seat at the senior executive table?
  2. What are the professional qualifications of your CCO?
  3. Does your CCO have true independence to report directly to the Board of Directors? 


Jan 24, 2018

In this episode, I visit with Andi Simon, the Principal of Simon Consulting and author of On the Brink: A Fresh Lens to Take Your Business to New Heights. Simon is a corporate anthropologist and works with corporations to improve culture and effect change. In this episode we discuss how Simon’s background gives her a unique insight into corporate culture and how that insight informs the work of Simon Associates. She discusses why she wrote On the Brink and how leaders can use it to effect cultural change, bring businesses greater success and drive profits. Andi details her six steps for changing culture in an organization.

Simon noted that “In a corporate setting, leaders espouse values, beliefs and expectations so people know what to do and how to get it done. Everything is fine until something begins to change and that culture must change, too.” Simon suggests any business facing the need for a culture change should try these six steps:

  • Step 1: Ask what your culture is today. Simon suggests thinking about what you value in terms of six key areas: dominant characteristics; organizational leadership; management of employees; the glue that holds the organization together; strategic emphases; and criteria of success.
  • Step 2: Ask what it should be tomorrow. Consider what you want your culture to become. Should it be less controlling and more empowering? More results oriented or more collegial? Do rules “rule” or are you open to new ideas and empowered staff members?
  • Step 3: Tell a story. With your staff, tell a story about what the culture is today. “Let them all create a visualization of how you get things done now,” Simon says.
  • Step 4: Visualize tomorrow. What will tomorrow’s culture feel like? How will you get things done? Will people be enabled to make decisions and risk making mistakes? “Frame this with stories,” Simon says. “They are how the brain takes data and makes sense out of it.”
  • Step 5: Create pilot experiments. Through these experiments you can get people to see how the new culture is actually going to feel when they live it. “Set up some small win situations for your folks to test it out,” Simon says. “Think of this as if it is improvisation with good rehearsal time. You are asking people to change what they value, their beliefs and their behaviors. That’s not easy and it’s full of risk.”
  • Step 6: Celebrate. People need symbols and they need to celebrate and share experiences. “You need to seriously think about which rituals you will no longer do and which new ones you will introduce,” Simon says. “Be careful, though. Things that didn’t seem important can be very sacred to people when you are taking them away.”

Andi Simon, author of On the Brink: A Fresh Lens to Take Your Business to New Heights, is a corporate anthropologist, award-winning author and trained practitioner in Blue Ocean Strategy®. She is the founder and CEO of Simon Associates Management Consultants, designed over a decade ago to help companies use the tools of anthropology to better adapt to changing times. Simon also is a public speaker and an Innovation Games facilitator and trainer.

Jan 24, 2018

In this episode Matt Kelly and I take a deep dive into the absolutely stunning indictment of five former partners or employees of KPMG and one former employee of the Public Company Accounting Oversight Board (PCAOB). Last spring, KPMG dismissed David Middendorf, KPMG’s then-national managing partner for audit quality and professional practice; Thomas Whittle, KPMG’s then-national partner-in-charge for inspections; and David Britt, of KPMG’s banking and capital markets group, for luring the following former PCAOB professionals, Brian Sweet, Cynthia Holder and Jeffrey Wada, all certified public accountants, with promises of jobs at the accounting firm in exchange for stolen information. Sweet did not make the cut and was not hired.

Apparently these three were offered jobs if they provided KPMG with information on the PCAOB’s planned reviews of certain KPMG audits of specific public companies. The six were charged with conspiracy and wire fraud, the indictment alleging they repeatedly used stolen confidential regulator information to subvert KPMG’s regulatory inspection process. Even more troubling is the report that Middendorf, Whittle and Britt pressured Holder and Wada to continue providing the information or their jobs would be in jeopardy.

All six are now facing criminal indictments. We explore what all of this might mean for KPMG, the PCAOB and the SEC. Can KPMG audits be trusted going forward? What type of culture existed that allowed this type of behavior to occur and continue for over two years before it was internally reported? Who else at KPMG knew or should have known about this conduct? What audits are now suspect? What happens if KPMG is found guilty at trial or accepts a guilty plea? Can it continue to perform audits?

Turning to the PCAOB, does it have a revolving door problem? Should it prevent its professionals from going to auditors? How does it assure such confidential information does not walk out the door? For the SEC, what is the appropriate sanction against KPMG given the senior partner involvement? Is the SEC investigating other audit firms?

For more reading see Matt Kelly’s blog post Six Charged in PCAOB Inspections Leak

For additional reading see Francine McKenna’s article in MarketWatch KPMG indictment suggests many who weren’t charged knew regulator data was stolen
