FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.
Now displaying: August, 2018
Aug 31, 2018

You can put away your all white linen suits and your seersucker suits as well. With that hint of fall in the air, we are upon the (unofficial) end of summer with the Labor Day Weekend. Tom and Jay are back with a look at some of the week’s top compliance and ethics stories.

  1. Second Circuit affirms most of Hoskins dismissal. Dick Cassin reports in the FCPA Blog.
  2. With a nod to Dwight Eisenhower, Hui Chen says compliance is about process not outcomes. Check out her article in Bloomberg.
  3. The 1MDB scandal only gets weirder. First Malaysian spies are linked to the scandal, Dick Cassin writes in the FCPA Blog. Next it turns out Chris Christie is representing Jho Low on a forfeiture case. Bradley Hope, Tom Wright and Rebecca Davis O’Brien report in the Wall Street Journal.
  4. Legg Mason bookends its NPA with a settlement with the SEC on its FCPA violations in Libya. Jack Hagel reports in the WSJ Risk and Compliance Journal. Tom reports in a tribute to Ed King on the FCPA Compliance and Ethics Blog. Dick Cassin reports in the FCPA Blog.
  5. Jaclyn Jaeger details some of the lessons learned from the Wynn scandal in Compliance Week. (sub req’d)
  6. Why is it important for integrity to be a part of your brand? Nelson Pratt explains on Navex’s blog, Ethics and Compliance Matters. Tom tackles integrity in a tribute to John McCain on the FCPA Compliance and Ethics Blog.
  7. Does power corrupt or simply change you? Caterina Bullgarella explains why you must pay attention in a piece on com.
  8. Microsoft in trouble for its distributor network? Dick Cassin reports in the FCPA Blog. Tom details how to manage the distributor risk in Compliance Week. (sub req’d)
  9. Now former Cleveland Browns linebacker Mychal Kendricks indicted for insider trading. Tom Schad reports in USA Today. Once again demonstrating why they are the worst run organization in all of pro football, Browns only find out about the facts after the indictment and then cut him. Reported by Charlotte Carrol in Sports Illustrated.
  10. On this week’s featured podcast series, Tom explored the intersection of King Arthur and compliance. In Part 1 it was Arthurian leadership. In Part 2 it was the Pentecostal Oath and a Code of Conduct. In Part 3 it was the Round Table and whistleblowing. In Part 4 it was the Green Knight and whistleblower protection. In Part 5 it was the quest for the Holy Grail and a compliance defense for the FCPA.
  11. As the playoff race begins to take shape, Astros lead the West by 2.5 games after taking 2 of 3 from the A’s in Houston. After being swept by the Rays, the Sox take it out on the Marlins and their lead is back to 7.5 games over the Yankees.
  12. The Compliance Master Class is coming to Boston on September 25 & 26. Learn how to create, design and implement a best practice compliance program from Tom Fox, the Compliance Evangelist. For information, click here. For registration click here.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Aug 30, 2018

The Administration’s attacks on allies, perhaps former allies and others in the area of trade and sanctions have not occurred in a vacuum. Many other countries and groups such as the EU have retaliated with counter-sanctions. One area that the current administration does not seem to have considered too well is EU data privacy and data protection. In this episode of Life with GDPR we explore this issue in the age of trade policy as conflict. Some of the highlights are:

  1. Did the comments by US Secretary of Commerce Wilbur Ross about GDPR actually embolden GDPR enforcement?
  2. Is there a trade war between the US and EU over data?
  3. Is there a way to reconcile the divergences in approaches to data privacy and data protection between the EU and US? and
  4. Will the Privacy Shield framework survive the Schrems court challenge? Will it be renewed in September, suspended in September or even revoked in September?

For more information on Cordery Compliance, go to their website here. Also check out the GDPR Navigator, one of the top resources for GDPR Compliance by clicking here.

Aug 29, 2018

What is due diligence? What is zero tolerance? How do these impact employee morale? How do these concepts link together? Richard Lummis and I explore these questions and more in considering the July Houston Astros trade for closer Roberto Osuna. The primary reason for these questions was that Osuna came off a 75-game suspension by Major League Baseball (MLB) for violation of its domestic abuse policy. It involved an incident of assault, to which Osuna pleaded not guilty in a criminal case in Ontario. Some of the questions we consider are:

What is Zero Tolerance? Overlaid with Osuna and his suspension were the Astros, who have (or perhaps more appropriately had) a zero-tolerance policy for domestic abuse. David Barron, writing in the Houston Chronicle, said the club’s response was that the zero-tolerance policy did not apply to Osuna because the alleged assault occurred before he joined the Astros and that Osuna would benefit from “great examples of character in our existing clubhouse that we believe will help him and his family establish a fresh start.”

What is the purpose of employment sanctions? Should a person who commits a crime or unethical action be forever banned from practicing their craft? In his article Barron quoted Cindy Southworth, an executive vice president of the National Network to End Domestic Violence, who posed the following question “How do you balance redemption and behavioral change with holding people accountable?” She then answered her own question with “It’s messy. It’s not straightforward. But you can do both.” I would only add (parenthetically) that if your right arm is a cannon, you will probably get such a chance.

What are red flags and are they a predictor of future events? One incident of unethical behavior would be seen as a red flag for similar behavior in the future. It might be enough to prevent such a person or entity from passing a due diligence background screening. On the other hand, a person convicted or found guilty of bribery and corruption might well serve their time, become rehabilitated and use those experiences to help others avoid the scourge of corruption going forward.

What is Due Diligence? Is it a formal record check to see if a person is on the despicable persons list, has committed criminal acts or is at least alleged to have violated laws? Is due diligence determining whether someone or some other organization meets the minimum standards you set for yourself or your organization (See: zero tolerance, above)? Gonzales said, the “Astros say they truly don’t know the details about what took place between Osuna and the alleged victim.”

What is employee morale? Osuna is under charges in the province of Ontario for his domestic assault, to which he has pled not guilty. What will the effect of all of this be in the Astros clubhouse, given the stances by several players on domestic abuse? Barron noted in his article that Astros pitchers Justin Verlander and Lance McCullers had previously made statements “against players who commit domestic violence.” Verlander said after the trade was announced “Obviously I’ve said some pretty inflammatory things about stuff like this in the past and I stand by my words. But I think in an ongoing case as is this one, we’ll see what happens.” Gonzales reported that Collin McHugh, the team’s representative with the Major League Baseball Players Association, was a bit more direct saying, “I don't think anybody’s comfortable with the situation,” McHugh later told the media. “I don't think anybody in baseball is comfortable with this situation. There’s a lot of ongoing things; there’s things that are happening. Nobody in this clubhouse is going to condone anything that’s happened off the field.”

Moral bankruptcy or shrewd business move? As for the Astros, it is pretty clear that the right arm of Osuna is the only currency the club is concerned about as it mounts a defense of its 2017 World Series championship. Yet in the court of public opinion, the Astros have certainly dropped a few notches. ESPN’s Buster Olney said of the trade, “Surprising…disappointing…shocking….appalling.” Yahoo! Sports’ writer Jeff Passan was even more direct when he said the Astros had engaged in “moral bankruptcy by acquiring a player of tainted character, because, in this case, he can get outs in the ninth inning.”

Aug 27, 2018

We conclude our Arthurian themed week with the Holy Grail, which has fired the imagination of artists for millennia. What was the Holy Grail? According to Professor Dorsey Armstrong in her Teaching Company lecture series, entitled “King Arthur: History and Legend”, the Holy Grail has taken various forms over the years. For Chrétien de Troyes, it was a fancy serving dish; for Wolfram von Eschenbach, it is a magical stone; for Robert de Boron, it is the cup that Christ drank from at the Last Supper; for the comedy troupe Monty Python, it is a cartoon sketch that no one ever finds; and for the modern-day author Dan Brown, it is both a person, who is a descendant of Mary Magdalene, and a bloodline which leads to the Merovingian kings of France. In other words, it means many things to many people. The quixotic quest for the Holy Grail informs the same quest to append a compliance defense to the FCPA.

One of the articulated reasons for the creation of King Arthur’s Round Table was tied to the Holy Grail. Since the Grail was allegedly used at the Last Supper, it seems only natural that Arthur would seek it from his table as well. Indeed, in Robert de Boron’s account of Arthur, the wizard Merlin tells Arthur the Round Table was established to identify the one Knight, who was pure of heart, who could find the Holy Grail. Only after the great quest for and locating of the Holy Grail was achieved could Arthur’s other ambitions come to pass.

Another interesting twist on the Grail legend is that it was in Britain. Curiously it was first ‘discovered’ by some enterprising Monks in Glastonbury, England in the late 12th century. They just happened to come across a well that ‘bled’ water around the time of an annual pilgrimage. Going viral in the Middle Ages was tough but the Monks built upon their initial find by claiming that both King Arthur and his Queen Guinevere were also buried at their abbey. Do you believe any of the above? Are you on your own Grail Quest, however dreamy that quest might be?

I thought about the quest for the Holy Grail in the context of the renewed call for a compliance defense addition to the FCPA, which would give companies a pass if they had sustained a FCPA violation. I see this quest for a compliance defense for companies that violate the FCPA to be as quixotic as the quest for the Holy Grail. As there were two requirements for the Knight who was destined to find the Grail, we will begin with pureness of heart. Recognizing that it might be difficult to find a corporation that is ‘pure of heart’, the appropriate analogy might be more than simply spending what may appear to be a large dollar amount on a compliance program.

How about the second part of the Grail quest that requires a ‘chaste’ Knight? Once again it is somewhat difficult to understand how a corporation could be chaste but I think the appropriate analogy is the doing of compliance. Put another way, it is not having a compliance program in place but having an effective compliance program. So not only does the amount of money a company spends become immaterial to our quest but also the same can be said of the claim that having a written program should entitle you to some type of defense to any FCPA violations. Just as questing for the Holy Grail is seeking something that does not exist, affording companies a defense from their own FCPA violations by having a written program in place is not a temporal reality.

The 2017 FCPA Corporate Enforcement Policy sounded the death-knell, once and for all time, of the call for a compliance defense. The protocol set up by the DOJ is certainly creative and perhaps even unique in federal criminal law enforcement. The enforcement aspects, coupled with the incentives provided to corporations and the detailing of best practices, are much more comprehensive to advance compliance than any argument for a compliance defense.

In considering the new Policy, most practitioners have started with the presumption that if a company meets the requirements under the new Policy, they will receive a declination. There are a variety of factors present in FCPA enforcement actions which would lead the DOJ to make this blanket offer. As stated in the new Policy “The investigation and prosecution of particular allegations of violations of the FCPA will raise complex enforcement problems abroad as well as difficult issues of jurisdiction and statutory construction.”

Finally, as with all quests, what will it bring you if you actually achieve it? As with the Holy Grail, it is a good story but that is about it. I find this view best articulated by Matthew Stephenson, in a blog post entitled “The Irrelevance of an FCPA Compliance Defense”, where he gave three reasons why a compliance defense is not warranted. First (and perhaps almost too obvious to state) is that if your company is invoking a compliance defense, there has been a FCPA violation. The second is “The U.S. Department of Justice (DOJ) already takes into account a corporation’s good-faith efforts to implement a meaningful compliance program when the DOJ decides whether to pursue an FCPA action against the corporation, and what penalties or other remedies to impose. Indeed, the adequacy of the corporation’s compliance program is a standard subject of negotiation between the DOJ and corporate defendants.” Third is that “An FCPA compliance defense would only alter the DOJ’s bargaining position if a corporation unhappy with the DOJ’s position could either (1) convince the DOJ lawyers that the DOJ’s position is unreasonable in light of the corporation’s compliance program, or (2) credibly threaten to go to court and defeat the DOJ’s enforcement action altogether by successfully invoking the compliance defense before a federal judge.”

Stephenson discounts subpart 1 because DOJ lawyers already take a company’s compliance program into account. But his second subpart is even more important because no company will go to trial against the government using a compliance defense to a demonstrable FCPA violation. Simply put, no company is going to risk losing at trial when they can control their own fate through settlement. The modern-day Knights seeking the Holy Grail of a compliance defense will never find it because of this last fact. Moreover, just as there were no real Knights who could meet the requirements to actually find the Holy Grail after their quest, there are no companies which can meet the same criteria; that being that a compliance defense could or even should trump a FCPA violation.

We leave our King Arthur with our quest intact, bringing a message I hope that you have ascertained about some of the things you need to do around the nuts and bolts of anti-corruption compliance. I also hope that you might be able to look at the tales surrounding the King Arthur myth for your own inspiration.

Aug 27, 2018

As I end this month of the Land of 1000 podcasts, I conclude with a week of King Arthur and his Roundtable themed-podcasts. It turns out there are many compliance lessons from the entire oeuvre of Arthurian legends. Many of the tales can inform your (modern day) compliance program. Today we consider one of the most interesting characters in the Arthur canon, The Green Knight and how this character presages the ever-growing protections for whistleblowers.

The Green Knight was so called because his skin and clothes are green. The meaning of his greenness has puzzled scholars since the discovery of the poem, that identifies him as the Green Man, a vegetation being in medieval art; a recollection of a figure from Celtic mythology; a Christian symbol or the Devil himself. According to Wikipedia, C. S. Lewis suggested the character was “as vivid and concrete as any image in literature” and J. R. R. Tolkien called him the “most difficult character” to interpret in the introduction to his edition of Sir Gawain and the Green Knight. His major role in Arthurian literature includes being a judge and tester of knights, and as such the other characters see him as friendly but terrifying and somewhat mysterious.

In his primary story with Sir Gawain, the Green Knight arrives at Camelot during a Christmas feast, holding a bough of holly in one hand and a battle-axe in the other. Despite his disclaimer of war, the knight issues a challenge: he will allow one man to strike him once with his axe, under the condition that he return the blow the following year. At first, Arthur takes up the challenge, but Gawain takes his place and decapitates the Green Knight, who retrieves his head and tells Gawain to meet him at the Green Chapel at the stipulated time. One year later, while Gawain is traveling to meet the Green Knight, he stays at the castle of Bercilak de Hautedesert. At Bercilak's castle, Gawain’s loyalty and chastity are tested; Bercilak sends his wife to seduce Gawain and arranges that they shall exchange their gains for the other’s. On New Year's Day, Gawain meets the Green Knight and prepares to meet his fate, whereupon the Green Knight feints two blows and barely nicks him on the third. He then reveals that he is Bercilak, and that Morgan le Fay had given him the double identity to test Gawain and Arthur.

This story of the Green Knight’s testing informs the protection of whistleblowers by the SEC. It began with the Paradigm Securities SEC enforcement action where an award was made to the whistleblower based upon the company’s retaliation against her. The settlement was for $2.2MM and $600,000 of that amount was paid to the whistleblower for the firm’s retaliation. This was the first award to a whistleblower for retaliation from the act of whistleblowing. The award is 30% of $2.2MM, which is the maximum amount a tipster can get under the program. The agency said the “unique hardships” he faced were a factor in the size of his award. SEC Enforcement Director, Andrew Ceresney, was quoted at the time: “We appreciate and recognize the sacrifice this whistleblower made and the important role the whistleblower played in the success of the SEC’s first anti-retaliation enforcement action.”

Next there was the KBR pre-taliation fine and Cease and Desist Order involving KBR. In this matter, KBR was fined for having language in its internal employee Confidentiality Agreement that required employees to go to the company’s legal department before releasing certain confidential information to outside parties such as the SEC. The SEC held that such restrictions violated the “whistleblower protection Rule 21F-17 enacted under the Dodd-Frank Act. KBR required witnesses in certain internal investigations interviews to sign confidentiality statements with language warning that they could face discipline and even be fired if they discussed the matters with outside parties without the prior approval of KBR’s legal department. Since these investigations included allegations of possible securities law violations, the SEC found that these terms violated Rule 21F-17, which prohibits companies from taking any action to impede whistleblowers from reporting possible securities violations to the SEC.” This was in the face of zero findings that KBR had actually used such language or restrictions to prevent any employees from whistleblowing to the SEC.

Then we have the case of Tony Menendez, who was profiled by Jessie Eisinger in an article entitled “The Whistleblower’s Tale: How an Accountant Took on Halliburton”. The article told the story of a whistleblower, who took his concerns to government regulators and was then outed by the company as the SEC whistleblower and retaliated against. Interestingly, the SEC took no action on the whistleblower claims and the company argued on appeal that “since the SEC hadn’t brought any enforcement action, his complaint about the accounting was unfounded.” The company also claimed that simply because the whistleblower was identified by name, this alone was not the basis for a “material adverse action” against him. While Halliburton won at the administrative hearing level, it lost at the Fifth Circuit Court of Appeals.

So now there is a Court of Appeals opinion holding that if whistleblowing was a “contributing factor” only to the retaliation. Further, the employee is not required to prove motive. Well-known whistleblower expert Jordan Thomas also explained in the Eisinger article, “Whistleblowers can be victims of retaliation even if they are ultimately proved wrong as long as they have a “reasonable” belief that the company was doing something wrong.”

All of this is tempered by the US Supreme Court decision in Digital Realty Trust v. Somers. In a unanimous 9-0 decision, the Court made clear that only a person who reports actions to the SEC will benefit from the anti-retaliation and discrimination protections afforded under Dodd-Frank. The case involved Paul Somers, who was a Vice President (VP) at Digital Realty Trust, Inc. (DLR). He alleged he was dismissed after reporting suspected securities law violations to senior management of the company. Somers brought suit in federal district court for wrongful termination and retaliation barred by Dodd-Frank.

The Court detailed the differences in whistleblower provisions between Dodd-Frank and SOX. Under SOX, an “employee qualifies for protection when he or she provides information or assistance either to a federal regulatory or law enforcement agency, Congress, or any “person with supervisory authority over the employee.” However, a discriminated-against or retaliated-against employee must seek redress by filing a complaint within 180 days with the Secretary of Labor. If the Secretary of Labor does not respond, the whistleblower can file suit in federal court and obtain the remedies of “reinstatement, back-pay with interest, and any “special damages sustained as a result of the discrimination,” among such damages, litigation costs.”

It appears that the SEC will be more like the Green Knight going forward. It will be a tester to determine if retaliation against whistleblowers occurs. From preventing companies from trying to stop whistleblowing via CA’s, to monetary awards for retaliation even where there is no SEC or government action taken, to the award to whistleblowers as a part of an SEC settlement for retaliation by their former employers; the SEC is making very clear that they will test how your company treats whistleblowers. If the SEC finds your company’s conduct lacking, you may well be facing something like the Green Knight going forward.

Aug 27, 2018

As I end this month of the Land of 1000 podcasts, I conclude with a week of King Arthur and his Roundtable themed-podcasts. It turns out there are many compliance lessons from the entire oeuvre of Arthurian legends. Many of the tales can inform your (modern day) compliance program. Today we consider that most Arthurian piece of furniture, Arthur’s Round Table.

The Round Table is the famous table in history; around it Arthur and his Knights congregated. Its shape implies that everyone who sits there has equal status. Wace, who relied on previous depictions of Arthur's fabulous retinue, first described the Round Table in 1155. The symbolism of the Round Table developed over time; by the close of the 12th century it had come to represent the chivalric order associated with Arthur's court, the Knights of the Round Table.

As with all things Arthurian, the origins of the Round Table are a bit murky. One commentator claims Arthur created the Round Table to prevent quarrels among his barons, none of whom would accept a lower place than the others. Others believe it came to prominence as a symbol of the famed order of chivalry that flourished under Arthur. In Robert de Boron's Merlin, written around the 1190s, the wizard Merlin creates the Round Table in imitation of the table of the Last Supper and of Joseph of Arimathea’s Holy Grail table. This table has twelve seats and one empty place to mark the betrayal of Judas. This seat must remain empty until the coming of the knight of purity and chastity who will achieve the Grail. When the Knight Percival comes to the court at Camelot, he sits in the seat and initiates the Grail quest. Whatever the origins of the Round Table, it may be the single most tangible item associated with King Arthur.

I thought about these concepts surrounding the legend of the Round Table in consideration of whistleblower awards paid out by the SEC to compliance professionals. The first one was an anonymous award to a whistleblower who was in the company’s internal audit and compliance function. Daniel Hurson noted at the time that this initial whistleblower payment to a compliance practitioner marked a change in SEC policy because “It has generally been understood that compliance officers and internal auditors are not permitted to receive whistleblower awards because information they reported to a superior, constituting allegations of misconduct was not to be considered “original information” under the Dodd-Frank Act and SEC rules.”

The next award to a compliance professional was reported by Sam Rubenfeld in the Wall Street Journal, where he said the award was paid “to a compliance officer who provided information that helped the SEC in an enforcement action against the tipster’s company, marking the second time a compliance professional received an award under the SEC’s whistleblower program.”

This un-named whistleblower took his (or her) concerns internally to management but was not successful in persuading management to cease the illegal practices. Moreover, “The compliance officer had a reasonable basis to believe disclosure to the SEC “was necessary to prevent imminent misconduct” from causing “substantial financial harm” to the company or investors, the SEC said.” The FCPA Blog, in a post entitled “Compliance officer awarded $1.5 million under SEC whistleblower program”, reported, “After that award, Sean McKessy, then chief of the SEC’s whistleblower office, said employees who perform internal audit, compliance, and legal functions can be eligible for an SEC whistleblower award “if their companies fail to take appropriate, timely action on information they first reported internally.”” This second award makes clear that the SEC will treat compliance professionals as all other whistleblowers when it comes to making an award based upon the fine or penalty.

King Arthur’s Round Table may have been designed so that all Knights were treated as equals. As noted in some of the legends the Round Table is part of the Holy Grail quest storyline, requiring purity of heart and chastity to achieve the Grail. Both strands of the Round Table legend inform the debate on whistleblowers. 

Aug 27, 2018

As I end this month of the Land of 1000 podcasts, I conclude with a week of King Arthur and his Roundtable themed-podcasts. It turns out there are many compliance lessons from the entire oeuvre of Arthurian legends. Many of the tales can inform your (modern day) compliance program. I begin with King Arthur and some leadership lessons that might apply to a Chief Compliance Officer or compliance practitioner. Today we consider Arthur’s Pentecostal Oath and your corporate Code of Conduct.

One thing for which King Arthur is remembered is his chivalric knights. He helped create this legend, in large part, by establishing a Code of Conduct for the Knights of the Round Table. The King required each one of them to swear an oath, called the Pentecostal Oath, which was Arthur’s ideal for a chivalric knight. The Oath stated, “The king established all his knights, and gave them that were of lands not rich, he gave them lands, and charged them never to do outrageousity nor murder, and always to flee treason; also, by no mean to be cruel, but to give mercy unto him that asketh mercy, upon pain of forfeiture of their worship and lordship of King Arthur for evermore; and always to do ladies, damosels, and gentlewomen succor upon pain of death. Also, that no man take no battles in a wrongful quarrel for no law, ne for no world’s goods. Unto this were all the knights sworn of the Table Round, both old and young. And every year were they sworn at the high feast of Pentecost.” (Le Morte d'Arthur, pp 115-116)

Interestingly, the Oath first appeared in Sir Thomas Malory’s Le Morte d’Arthur and in none of the prior incarnations of the legend. In Malory’s telling, after the Knights swore the Oath, they were provided titles and lands by the King. The Oath specifies both positive and negative conduct; that is, what a Knight might do but also what conduct he should not engage in. The Pentecostal Oath formed the basis for the Knight’s conduct at Camelot and beyond. It was clearly a forerunner of today’s corporate Code of Conduct.

The foundational document of any compliance program is its Code of Conduct. This requirement has long been memorialized in the US Sentencing Guidelines, which contain seven basic compliance elements that can be tailored to fit the needs and financial realities of any given organization. From these seven compliance elements, the DOJ has crafted its minimum best practices compliance program, which is now attached to every DPA and NPA. These requirements were incorporated into the 2012 FCPA Guidance, the Evaluation of Corporate Compliance Programs and new FCPA Corporate Enforcement Policy. The US Sentencing Guidelines assume that every effective compliance and ethics program begins with a written standard of conduct; i.e. a Code of Conduct. What should be in this “written standard of conduct”?

The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. To that end, I suggest that your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of disciplines, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

The DOJ expects each company to begin its compliance program with a very public and very robust Code of Conduct. If your company does not have one, you need to implement one forthwith. If your company has not reviewed or assessed its Code of Conduct for five years, I would suggest that you do so in short order as much has changed in the compliance world. What is the value of having a Code of Conduct? I have heard many business folks ask that question over the years. In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven to “wave in a defense situation” by claiming that “see we have one”. But is such a legalistic code effective? Is a Code of Conduct more than simply your company’s law? What is it that makes a Code of Conduct effective? What should be the goal in the creation of your company’s Code of Conduct?

Just as the Pentecostal Oath was required to be sworn out each year, you should have your employees recertify their adherence to your Code of Conduct. Moreover, just as King Arthur set his expectations for behavior, your company should do so as well.

Aug 27, 2018

As I end this month of the Land of 1000 podcasts, I conclude with a week of King Arthur and his Roundtable-themed podcasts. It turns out there are many compliance lessons from the entire oeuvre of Arthurian legends. Many of the tales can inform your (modern day) compliance program. I begin with King Arthur and some leadership lessons that might apply to a Chief Compliance Officer or the compliance practitioner.

According to the legends, King Arthur achieved quite a bit in one lifetime. He established a kingdom, ruled his castle, Camelot, and brought peace and order to the land based on law, justice, and morality. He founded an order known as the Knights of the Round Table, wherein all knights are seated as equals around the table, symbolizing equality, unity, and oneness. Nicole Lastimado, in a blog post entitled “Characteristics of a Good Leader :)”, identified five characteristics that she believed made Arthur a good leader.

Adapting Lastimado, King Arthur was (1) Honest, in that he displayed sincerity, integrity, and candor in his actions. (2) Intelligent, because he read and studied. (3) Courageous, because he had the perseverance to accomplish a goal, regardless of the seemingly insurmountable obstacles. (4) Imaginative, because he adapted by making timely and appropriate changes in his thinking, plans, and methods. Finally, (5) Inspiring, because through demonstrating confidence, he inspired his knights and those in his Kingdom to reach for new heights. I would add as a separate category that Arthur led from the front.

What are the lessons for the CCO or compliance practitioner? You should channel your inner King Arthur and lead. You have to lead management to understand that one of the best sources of information on your own business is your employees. There is a reason the FCPA Guidance lists internal reporting as one of the Ten Hallmarks of an Effective Compliance Program. You must give employees a way to report misconduct and then you must use that information to investigate and communicate to employees going forward. If there are lessons to be learned, use those lessons for in-house compliance training. If a true catastrophe or disaster befalls the company, do not wait to remediate. Do so as soon as is practicable, not when the government calls.

Aug 27, 2018

In this episode, I chat with Erica Salmon Byrne, the EVP and Executive Director of Business Ethics Leadership Alliance for Ethisphere. We visit on Ethisphere’s 2018 World’s Most Ethical Company awards. Since 2007, Ethisphere has honored those companies who recognize their critical role to influence and drive positive change in the business community and societies around the world and work to maximize their impact wherever possible. The 2018 awards were no exception, with the designation going to 135 companies spanning 23 countries and 57 industries. We explore some of the following and much more.

  1. How long has Ethisphere awarded WME?
  2. What is evaluated for WME? The five categories include: Ethics and Compliance Program; Corporate Citizenship and Responsibility; Culture of Ethics; Governance; and Leadership, Innovation, and Reputation.
  3. What is the 3-year ethics premium?
  4. How does that compare with previous years?
  5. Did Ethisphere see any common or significant themes for WME 2018 companies?
  6. Company X is on the list. Problem Y is on the list. Why are they being honored?
  7. Description of the Ethisphere internal evaluation.
  8. How does WME literally set the standard benchmark for companies in the area of ethics and compliance?

To read the Ethisphere Research Report Leading Practices and Trends from the 2018 World’s Most Ethical Companies® click here.

Aug 24, 2018

Jay has returned from an Alaskan Disney cruise with the family. As OSU suspends its head coach and adds a new phrase to our compliance and ethics lexicon, “significant memory issues,” Tom and Jay are back with a look at some of the week’s top compliance and ethics stories.

  1. OSU head coach Urban Meyer suspended for three games by the OSU Board. The Board stated in part, “We also learned during the investigation that Coach Meyer has sometimes had significant memory issues in other situations where he had prior extensive knowledge of events. He has also periodically taken medicine that can negatively impair his memory, concentration, and focus." See articles in Sports Illustrated here, here and here. In ESPN here and here. On The Ringer here.
  2. Corruption and PdVSA: another one bites the dust as former Swiss banker pleads guilty to money-laundering. Harry Cassin reports in the FCPA Blog. Sam Rubenfeld weighs in on the WSJ Risk and Compliance Journal.
  3. Should sports officials have a Code of Conduct? David Dodge says aye, writing in the SCCE Blog.
  4. Mike Volkov takes a look at CFIUS and what it means for compliance. Part 1 on the increasing risk in cross border M&A and Part 2 on CFIUS’s expanding authority.
  5. Former head of Brazilian soccer is sentenced to 4 years in jail for role in FIFA bribery scandal. Sam Rubenfeld reports in the WSJ Risk and Compliance Journal.
  6. The paper chase: no it’s the paper trail. Francine McKenna considers the Cohen guilty plea from the paper trail perspective in MarketWatch.
  7. How did the tipping point in personal misconduct actually tip? Matt Kelly explores in the Navex blog Ethics and Compliance Matters.
  8. Would a no-deal Brexit be a disaster for compliance? Paul Hodgson reports in Compliance Week. (sub req’d)
  9. How did the CCO move from Hall Monitor to Strategic Partner? Maurice Gilbert Gan Integrity’s Valarie Charles on CCI’s, Connected
  10. Tom considers compliance and the movies. Matt Kelly considers compliance on television. Tom says Film Noir informs better compliance, with an assist from Ethisphere on the FCPA Compliance and Ethics Blog. Matt lists his favorite TV shows featuring compliance, on Radical Compliance.
  11. Tom and Jay review their Top 5 film noir
  12. On this week’s featured podcast series, I interviewed Vin DiCianni and Eric Feldman on ethical culture. Check out these podcasts: Part 1-What is an ethical Culture?; Part 2-What factors influence culture?; Part 3-The role of a CCO in an ethical culture; Part 4-How does a company assess its culture?; and Part 5-Ethical Culture as part of an E&C program assessment.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Aug 23, 2018

The recent case involving the Jehovah's Witnesses and data privacy in the UK raised some very interesting legal issues. It also demonstrated just how broad the reach of GDPR could be. In this podcast Jonathan Armstrong and I unpack the case, detailing the underlying facts, the Court's rationale behind its decision and conclude with some of the implications for not only corporations but also individuals and data privacy practitioners.

Aug 22, 2018

In this episode, Richard Lummis and I consider how the Houston Astros went from literally the worst team ever in baseball to World Series Champions, as has been chronicled by Sports Illustrated writer Ben Reiter in his book “Astroball: The New Way to Win It All”. The book tells the story of how two persons had a vision of using data analytics to literally change the game of baseball. The two men were Jeff Luhnow, the former Director of Scouting for the St. Louis Cardinals, and former NASA rocket scientist Sig Mejdal, who became Luhnow’s assistant at the Astros. Team owner Jim Crane had the foresight to buy into Luhnow’s vision and the wherewithal to put up with people like me who were unpitying in their criticism of the Astros and their plan. It turns out they did have a plan and, more importantly, they executed it.

Key highlights are:

  1. The use of data analytics in player selection. 
  2. The use of data analytics in player development.
  3. How data analytics supplement but do not replace scouting. 
  4. The use of data analytics in both defensive shifts and offensive plays in baseball.

Aug 20, 2018

Over the past five podcasts, I have visited with Vin DiCianni, founder and CEO, and Eric Feldman, Senior Vice President, both of Affiliated Monitors, Inc., which is the sponsor of this series. In it, we explored an organization’s ethical culture and its relationship to ethics and compliance. In this fifth and final episode, I visit with DiCianni on how ethical culture is a part of an overall ethics and compliance program assessment and how to go about it.

We began with an exploration around the areas assessed to help determine if a company has an ethical culture. DiCianni said you need a framework for such an assessment. DiCianni advocates starting with the program itself. This means a review of what the organization’s compliance program looks like and whether it meets the foundational tenets. He would ask such questions as whether it is educational; does it have a process for detection; and is there some type of remediation when something is found? From this baseline, you might consider what the company is doing for training to educate its staff: is it really touching on the elements of education that the staff need, and is it meaningful to them in their positions? In other words, is the training both focused and effective?

Next, DiCianni suggested talking to employees in the field. The goal here is to determine the alignment of the aspirations laid out in the organization’s culture with the reality on the ground. It could be as simple as whether there is training and the depth of the training. Are there detection methods in place, i.e. hotlines and internal communications, and, most importantly, are people comfortable using a hotline? He added that when you talk about a culture, the effectiveness of the compliance program is also critical.

I was quite gratified when DiCianni discussed institutional fairness and institutional justice as key indicia of culture. He called it accountability and internal enforcement. This can turn on whether there is an effective disciplinary process, whether it is fair and whether it is objective. If it does not meet these basic criteria, the compliance program probably does not fulfill its obligations and this speaks to a low or even negative culture. He even said this reaches to how companies may treat third parties.

Some companies have very strict disciplinary processes for dealing with ethics violations. Then you find out that the same company’s efforts to instill that type of accountability and enforcement with its third parties are meaningless. Put another way, if you have a zero-tolerance policy and allow someone to work with your organization who violates this policy, it may well negatively impact your culture. DiCianni advocates reviewing the foundational elements of culture. He suggests holistic pieces around an ethical culture, including the recruiting process, performance metrics, the communications process, internal controls and, of course, an independent assessment.

Yet the institutional fairness reaches beyond even the specifics noted above. DiCianni said, “if you’re talking about culture, you’re talking about people and how they perceive things and how they perceive their role and how they perceive people above them.” This means that if the senior leaders are perceived as being fair, employees generally view them with greater favorability. However, if there is a perception that if “you’re on the inside, you will do well in the organization and if you’re not on the inside then you don’t do well”, it is a strong statement of culture. He believes that how you treat your employees and how they see themselves within the organization’s structure is a foundational element of a strong culture. This means that in focus groups and interviews, one item that is important to discern is whether there is a perception of fairness, objectivity and transparency.

All of these factors are important because even if a company puts in place a gold standard compliance program and concludes it has a great compliance program, the reality is quite different as it is just a paper program. You have to determine if the compliance program is real and then how to make it impactful. The Department of Justice (DOJ) would say the program must be operationalized. DiCianni said, “staff should be vested in that compliance program.”

He then tied the compliance program to the organization’s ethical culture. He analogized it to neon signs as “these flashy policies and processes that companies will put in place, employee of the month or something that is very flashy but only lasts for 10 minutes.” This type of approach will not last, for if an organization is going to achieve cultural change, it must be done in a manner which “really touches people and it’s not just the flavor of the month kind of thing.” This is achieved by learning about your people and learning about what is important to them. Some suggestions to get them involved in the compliance and ethics culture might be to have them speak up at a meeting, lead a discussion on an ethical moment, or have them participate in the creation of a policy or the design of compliance training.

DiCianni concluded with accountability. He said, “I think the other one that I can’t emphasize enough is accountability. You know if there are serious violations of an ethics policy of the company, be it conflicts of interest or code of conduct. If nothing is done about it, everyone in the organization knows about that. It diminishes all of the efforts that have gone into creating this program and trying to have an ethical culture. If you do not do anything to enforce it, when something serious happens, it literally becomes a futile exercise”.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Aug 20, 2018

In this episode, I visit with Jonathan Marks, a partner at Baker & Tilly. This podcast is part of my Land of 1000 podcasts celebration. In this special series of podcasts I am reviewing the growth, maturation and development of topics over the past five years. Marks visits with me about some of the key developments in the field of forensic investigation and compliance from his perspective as an internal auditor and forensic investigator. Some of the key highlights are:

  • The expanding role of the Board and the C-Suite in forensic investigations.
  • How did the Justice Department’s requirement for a root cause analysis change the dynamics?
  • What do compliance professionals need to understand about forensic auditing in a best practices compliance program?
  • How the role(s) of the forensic auditor have expanded.
  • Internal controls must do more than exist, they must be effective.
  • What is a control?
  • Forensic audit is no longer just about the numbers.
  • How the behavioral aspects of fraud are becoming more prevalent in anti-corruption compliance.

Jonathan Marks can be reached at jonathanmarks@bakertilly.com.

Aug 20, 2018

Over these five podcast episodes, I have been visiting with Vin DiCianni, founder and CEO, and Eric Feldman, Senior Vice President, both of Affiliated Monitors, Inc., which is the sponsor of this series. In it, we have explored corporate culture and its relationship to ethics and compliance. In this fourth episode, I visit with Feldman on how a company can begin to assess its own culture.

We began by considering whether a company should try and perform a self-assessment of its own culture or whether it should bring in a truly independent professional to do the assessment. Feldman said that both are valid but each has a different focus. The self-assessment is really more akin to ongoing monitoring. In this scenario, a company has the responsibility to monitor its own workforce and culture literally on a day-to-day basis. He stated, “That ongoing monitoring and oversight is critical to being able to manage what is a very normal ebb and flow of the culture in an organization. Cultures are dependent on people and people come and go in companies and that can influence the culture. The market and financial stress can influence the culture and what happens within a company.” These are all things a company should track and monitor. 

When an external independent monitor comes into the picture, a company is able to garner a broader picture of where its culture exists. Many employees are more willing to open up to an independent outsider, rather than someone in their own organization. Feldman said that sadly, many leaders do not know their own workforce because they do not interact with them. Such leaders tend to only get filtered information and reports, which do not necessarily represent the true culture or even the way people might feel in their jobs. Such leaders are really relying on hope and not the facts on the ground as they might be presented to an independent outside assessor.

Some of the ways to consider the culture of an organization are employee surveys, conversations and visits to field operations. Surveys can be very important tools and take the temperature of what’s going on in the company, but often there is a wasted opportunity there to put in questions that are specifically targeted toward culture and the ethical culture of the company. These need to be two-way conversations to get a true understanding. Feldman said, “often leaders don't understand how they’re being perceived and whether employees are getting mixed messages.”

Another key area is whether the company has created a true speak up culture. Feldman explained this means “whether there is a comfort level for employees to raise issues, questions or identifying misconduct up through their managers or whether there’s a fear if they do that, they’ll be retaliated against.” This problem can be further exacerbated in organizations where employees do not trust their company. They will tell the company what it wants to hear on surveys, rather than be honest. This means that employee survey results are skewed because employees do not trust the confidentiality of the survey and they are telling the company what it wants to hear. That makes it even more challenging to understand what may be going on in an organization.

I asked Feldman about multi-national/cultural organizations and whether there are differences which must be considered when assessing a global company. He said there can be vast cultural differences which come into account around the hotlines, reporting and even disrespect of a supervisor. This means one must “fine-tune” a cultural survey to get a good understanding of the company’s culture and obtain meaningful metrics. Feldman further explained that in such situations, there are other metrics you can look at: consider the data and cases of employees coming forward and saying that “something just doesn’t look right without being anonymous.” Gauging this type of comfort level, in surveys and even focus groups, can be helpful, most particularly if an external independent third party is involved.

The bottom line is that it is helpful to take the temperature of your employees internally by doing regular monitoring of your company to understand its culture and what needs to be done. However, employees are not going to be as honest and forthcoming with someone in their company as they would be with an independent third party. This is because employees are almost always afraid of the potential blowback from superiors. Employees will be much more reserved with people that they know or people in their own company, so it can be much more powerful and much more effective to have an independent third party performing cultural assessment work.

Tomorrow we conclude with how ethical culture is a part of an overall ethics and compliance program assessment.

Aug 20, 2018

Over this five-part podcast series, I am visiting with Vincent DiCianni, founder and Chief Executive Officer (CEO), and Eric Feldman, Senior Vice President, both of Affiliated Monitors, Inc. (AMI), the sponsor of this series. In it, we explore corporate culture and its relationship to ethics and compliance. In this third episode, I visit with Feldman on what is the role of a Chief Compliance Officer (CCO) in strengthening the ethical culture of an organization.

We began by considering that there are multiple levels and roles for those within and outside of the corporate compliance function within an organization. They include the CCO, a compliance practitioner and the compliance function itself. I asked Feldman how he sees the role of the corporate compliance function itself in strengthening the ethical culture of an organization? Feldman said it all begins with the response to a simple question, “who is responsible for culture in an organization?” 

Feldman says at the C-Suite level you might get a response that the CEO, head of Human Resources (HR) or perhaps the General Counsel (GC) is. This drives home the uncertainty of who really is responsible for culture, although intuitively most employees understand that everyone is responsible for culture. The point is that you must look at the operations of a company through the prism of whether or not it is consistent with the company’s core values.

Most of the time it falls upon the CCO. This means the CCO and the entire compliance function need to be able to coordinate the various inputs and support mechanisms that guide employee behavior. Ultimately the CCO is responsible for anything relating to the Code of Conduct and employees’ compliance with that code. The CCO is often the face of the ethics program for the company, as Feldman noted, “kind of the spokesperson for the company that helps to drive behavior.” 

Feldman believes it is important for the CCO to be proactive in the role of shaping ethical culture, separate and apart from the CCO role in investigations, root cause analysis or ongoing monitoring. The CCO should work to eliminate barriers to aid in driving business success rather than being Dr. No from the Land of No. The CCO can work to coordinate all of the activities relating to building culture in an organization. Feldman provided a couple of examples. 

The first was in the area of hiring and recruiting. Obviously, the nuts and bolts of this process are run through HR, but the CCO can create a culture where the organization would only hire the right type of persons as employees. These hires would have an attitude and core values that are consistent with your company. A CCO can work to make sure that they understand the organization’s position with regard to fraud and other misconduct and that this is incorporated into the interview process. Once a new employee is hired, the onboarding and training begins. Feldman noted that while HR certainly has a leadership role in those areas, a CCO or corporate compliance function should also maintain a lead role to make sure the new employees understand their responsibilities in these critical areas. Further, Feldman believes, “it is a serious lapse” if the compliance function does not make clear that the company is quite serious about its Code of Conduct, that employees follow it and not violate it going forward.

When managing upward, the CCO has an equally critical role. Feldman believes that it is a clear best practice for the CCO to have unfettered access to the Board of Directors and to provide information to the Board regarding the compliance and ethics posture at the company, specifically including the culture. It really is up to the CCO to understand and have their finger on what the culture is, where the challenges are, and what needs to be done in order to continually strengthen the culture. 

This task is much more difficult without the leadership and the support of the Board. Feldman considers the role of the Board “is to provide leadership.” This is complementary to the role of the CCO to ensure that the Board is “currently informed about the ground truth of the ethical culture and decision making of the company”. He believes one of the key areas has to do with warning signs: what are the warning signs of an unethical culture? This means it really is up to the compliance professional in the organization to have a good understanding of what is going on in the company and communicate any warning signs up to the CCO, CEO and the Board.

These warning signs can be a wide variety of behaviors and actions. Feldman said, “things like disrespectful attitudes, favoritism or nepotism in promotions or bonuses, low employee morale, lack of teamwork, a large number of anonymous whistleblower complaints which could reflect a fear of speaking up, employees who report that they were uncomfortable talking to their supervisors and are afraid of retaliation.” These are the kinds of things that a CCO needs to be on top of and communicate both the condition and recommended solutions to the CEO and Board. 

Tomorrow we consider how a company assesses its own culture.

Aug 20, 2018

Over the next five episodes, I visit with Vin DiCianni, founder and CEO and Eric Feldman, Senior Vice President both of Affiliated Monitors, Inc., who is the sponsor of this series. In it, we explore corporation culture and its relationship to ethics and compliance. In this second episode I visit with DiCianni on what some of the factors are which influence the ethical culture of an organization.  

We began with senior leadership. A company does not have an ethical culture unless the top management commits to it going forward. Employees not only listen to what they say but they watch how they act. Employees look for signals about what really counts in an organization. But you must then move down to implementation of this goal. Employees want to know if senior leadership is committed to the company’s core values. But equally important is a sense of organizational justice and fairness. Employees want to not only see they will be treated fairly but there is not a delineation of favorites and non-favorites in an organization. DiCianni emphasized that it is the senior leadership who really drives the alignment between incentives and performance.

DiCianni next turned to one of the key elements for any effective leader, which is listening. Are the senior leaders in the organization listening to their people? He went on to explain that this means asking whether they are giving their people the opportunity to be heard and whether or not the employees are receiving those messages. Do the senior leaders get out of the ivory tower, go to the field and meet with employees? Are there town halls or other types of group get-togethers?

Finally, do the employees see whether or not the leaders are living those kinds of values? All of this means establishing good communication from management with line staff. DiCianni stated, “They never take the time to actually go sit with people or have an all hands meeting or just reach out to a few people, have a cup of coffee with them, see how they’re doing. Those kinds of behaviors are very important” in terms of driving ethical behavior from the top.

As many listeners to my podcast, 12 O’Clock High, a podcast on business leadership, know, I consistently talk about the importance of listening for a leader. However, DiCianni tied this basic leadership skill directly to an ethical culture. Listening can make employees feel like they are a part of the company but it also allows management to further articulate and expand on their desire for an ethical culture throughout the company. By going out into the field and listening, senior management can further get the mission and vision of the company out and employees will have a greater understanding of how it all applies to them in the field.

DiCianni emphasized how important it is for perception to equal reality. It is one thing for a CEO to say he has an open-door policy; that he wants to hear from anyone about nefarious conduct or that type of conduct which is antithetical to the company’s values. However, if no employee has ever brought forward any information because they are too afraid to approach the CEO there is an obvious disconnect between practice and reality at that company. It is even worse if there has been retaliation for any employee who raised his or her hand in that manner.

Employees are watching for signals on what is important to senior leadership. If top management says compliance is number one but a person who skirts the rules is not disciplined, or worse rewarded through promotion for such conduct; that word gets around. It is more than simply modeling the conduct, it means running your business based upon those ethical values. A key insight is how senior leaders treat their staff. But if senior leadership is only driven by the bottom line, that message will get out to the employees. In short, words are important but actions are where the rubber meets the road.

The key is that there be an alignment between what top management says, coupled with the company’s core values and what the organization says together with what they do. This all comes from senior management getting out of their office and talking to employees in the field to see not only what they think but how they feel. No company aspires to be unethical and most assuredly employees do not want to engage in unethical behavior but if senior management does not talk to employees they will not know how their messages are being received. Feldman says that it does not take long to see when there is a disconnect between what senior management says and what the employees take away. Feldman finds it disconcerting how little top management really understands their employees. Because of this, senior leaders do not know what messages they are receiving, both verbal and non-verbal.

Tomorrow we consider the role of the CCO in strengthening the ethical culture of an organization.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Aug 20, 2018

Over the past few months, senior leaders at both the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC), Deputy Attorney General Rod Rosenstein and Chairman Jay Clayton, have given speeches discussing the need for appropriate corporate culture around compliance. We therefore begin with the question of ‘what is corporate culture?’ It is not simply a social science question as Feldman believes “culture is everything” for an organization. Culture is a foundational internal control, without which all your other controls are likely to be ineffective. He went on to explain that this means corporate culture is the way things really are in an organization and the way things really work. While corporate culture can be reflective of the core values of a company, this usually only occurs if a company operationalizes those values throughout an organization.

Feldman emphasized that there can be more than one culture in an organization and that there might well be multiple subcultures in a company. Moreover, you simply cannot force one culture throughout an entire organization. This is because you are dealing with different inputs in every company. He stated, “Culture is made up of all the different people that work for that organization, which means that it’s going to differ by necessity based on population and geography.” This could mean that different locations will have different cultures. Feldman believes that “the linkage between culture and compliance, is that it drives ethical behavior.” Every employee you hire, up to every organization you acquire will change your culture. This is why mergers and acquisitions (M&A) due diligence is so critical.

I asked Feldman about the different kinds of cultural systems which could impact a company. He said it could “involve locations, languages, rituals of heroes and role models and other informal mechanism for building a particular culture. Yet even with subcultures in an organization and throughout the world, the significant thing is to have some overarching key themes of that culture.” This involves being consistent with the core values, integrity and ethical behavior. You must also work to serve your stakeholders.

Another indicium of a strong ethical culture is having a speak up culture. This leads to more formal cultural systems and processes which also impact culture. Here Feldman emphasized the hiring process; who you hire, how you train people and what performance management systems are used throughout the employment tenure. This also leads to the Fair Process Doctrine and whether it is consistently applied within the culture. Finally, are you incentivizing, through measurement, compensation and recognition, the right kind of behavior?

I asked Feldman about holding employees throughout the organization accountable. Feldman responded that it is no longer just top management’s responsibility. There still must be an appropriate tone at the top, but there should also be an appropriate mood at the middle management of an organization as well as a buzz at the bottom of the company about compliance, ethics and values. This is because employees are more influenced by their immediate supervisor and their peers than a faceless CEO, even if that CEO is saying all the right things.

The key is that there be an alignment between what top management says, coupled with the company’s core values and what the organization says, together with what the organization does. This all comes from senior management getting out of the ivory tower and talking to employees in the field to see not only what they think but how they feel. No company aspires to be unethical and most assuredly employees do not want to engage in unethical behavior but if senior management does not talk to employees they will not know how their messages are being received.

Feldman says that it does not take long to see when there is a disconnect between what senior management says and what the employees take away. He finds it disconcerting how little top management really understands their employees. Because of this, senior leaders do not know what messages they are receiving, both verbal and non-verbal.

Tomorrow, we consider what factors influence the ethical culture of a company.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Aug 18, 2018

Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. In this episode, Matt Kelly and I take a very deep dive into the implications of President Trump’s tweet on Friday, August 17th about quarterly financial reporting by public companies.

Some of the highlights from this podcast are:

  1. What was the reason behind the tweet?
  2. Is this simply an attempt to require less transparency in financial reporting?
  3. Would a longer financial reporting cycle allow companies to plan to the longer term?
  4. Would this negatively impact short-sellers?

We unpack all of these points and consider the SEC’s response going forward.

For more reading: see Wall Street Journal Article, “The End of Quarterly Reporting? Not Much to Cheer About”.

See NYT Dealbook article, “Trump Asks S.E.C. to Study Quarterly Earnings Requirements for Public Firms”.

Aug 17, 2018

Jay is on an Alaskan Disney cruise with the family. Through the prism of Trump’s attacks on the US free press and their robust response, Tom takes a solo look at some of the top compliance stories from the past week. Jay returns next week.

  1. What is the role of a free press in the fight against bribery and corruption? I explore in an article for Compliance Week (Sub req’d)
  2. In his final column at the Wall Street Journal, Ben DiPietro, writes about how social activism prioritizes push for integrity, inclusion. In the WSJ Risk and Compliance Journal.
  3. Where is the Tesla board of directors? The SEC has issued a subpoena to them. Tom discusses in the FCPA Compliance Blog. Emily Glazer reports in the WSJ. More on the infamous ‘funding secured’ tweet on Compliance Week. (Sub req’d)
  4. Why is it stupid to come to the US to (1) demand and (2) accept a bribe? Sam Rubenfeld explains in the WSJ Risk and Compliance Journal.
  5. Is the UK pushing back on US jurisdictional outreach? Evan Norris and Alma M. Mozetic pose this question in NYU’s Compliance and Enforcement blog.
  6. Valerie Charles says to consider the new FCPA Corporate Enforcement Policy from the compliance program perspective. In this month’s SCCE Magazine.
  7. Would a no-deal Brexit be a disaster for compliance? Paul Hodgson reports in Compliance Week. (sub req’d)
  8. Maurice Gilbert interviews Moore & Van Allen’s Valecia McDowell on compliance, leadership and promotion to the firm’s management committee. On CCI’s, Connected.
  9. The scandal at Maryland around the death of Jordan McNair deepens. The Trainer resigns, the University accepts responsibility and his parents call for the firing of the head coach. See coverage in Sports Illustrated and ESPN.
  10. The number of podcasts on the Compliance Podcasting Network has now reached the 1000 podcast milestone next week. To celebrate, each week in August I am running a week-long special series as a tribute. This week it has been a series on the future of audit, compliance and analytics. Next week it will be a series on ethical culture, what it means, how to measure and assess it and how to drive it. You can download the entire series next Monday at noon, on iTunes. The series will post daily at 10 AM on the Compliance Podcast Network.

Aug 16, 2018

To celebrate the Month of 1000 podcasts I am running for each of my podcasts this month, in this episode, the Everything Compliance gang focuses on the past five years; giving a retrospective of where we were, where we are and where we are going from their own perspectives. After the commentary we follow with rants and shout outs.

  1. Matt Kelly considers how did the 2013 Internal Controls Framework and the 2016 ERM Framework change things (or not)? He notes the two Frameworks provided widely distributed information to consider compliance in a disciplined way. Matt rants on Elon Musk.
  2. Mike Volkov explores FCPA enforcement over the past 5 years. He lists the top 3 developments: (1) the long road to the FCPA Corporate Enforcement Policy; (2) The Yates Memo and individual prosecutions and (3) The global framework, built by the DOJ and SEC for anti-corruption investigation and enforcement. Mike rants on disgraced Representative Chris Collins.
  3. Jonathan Armstrong focuses on the evolution of data privacy. Numerous actors, including legislatures, regulators, individuals and pressure groups have all influenced EU/UK policy in this area. Further as US companies have become larger and larger, EU/UK Fair Trade/anti-trust and privacy laws will be used to greater effect on these entities. Armstrong shouts out to compliance when walking one’s bovine in Norwich City.
  4. Jay Rosen considers changes in compliance from the vendor perspective. He notes that many vendors brought a business process approach to not only how law firms and investigative firms worked but also how companies approached compliance programs. Jay rants on the NFL owners attempting to stop players from exercising free speech.
  5. Tom throws in a shout out for retiring Wall Street Journal reporter Ben DiPietro, who retires from the WSJ Risk and Compliance Journal on August 14.

The members of the Everything Compliance panel are:

  • Jay Rosen – Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Mike Volkov – One of the top FCPA commentators and practitioners around and the Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at mvolkov@volkovlawgroup.com.
  • Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong – Rounding out the panel is our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com

The host and producer (and sometime panelist) of Everything Compliance is Tom Fox the Compliance Evangelist.

Aug 13, 2018

In this special five-podcasts series, Matt Kelly and I have been exploring the future of internal audit (IA), compliance and analytics. In the final episode, Part V, we discuss how IA can get started and provide some concluding remarks. We consider whether the technology is here today to implement the suggestions put forward this week. Can (or perhaps should) a company outsource internal control testing or internally develop a tool for analytics? We consider some of the biggest obstacles audit leaders cite for moving forward; lack of resources, business complexity, and lack of staff and how the Chief Compliance Officer (CCO) can aid IA in this evolution. We conclude with some thoughts that to succeed, an organization should know its objectives, get good data and think in terms of harnessing and channeling risk, rather than fulfilling compliance.

It begins with complete and accurate reports and all of the financial data present. You must begin with a complete and accurate list of data. You need to think all of this through at the beginning and have strong internal controls around it because without good data you get bad data, which leads to bad internal controls and this leads to bad conclusions. From that point, Kelly noted, “everything we have talked about here goes out the window because it started with a bad foundation.”

From there it moves to the analytics. Fortunately there are multiple vendors which currently provide those types of products which have some type of data analytics capabilities. For instance, they exist in the gift, travel and entertainment (GTE) database space, third party management platforms and hotline reporting tools. The key is to have a central repository of data that you can trust, that is validated and tamper-proof. The next step is to extract the data out from its respective repositories with an analytics tool and present the data in a visualization tool.

The next requirement is staff. Right now (and for the foreseeable future) data analytics professionals can write their own tickets. So this may be a problem for startups or smaller companies. However, larger companies may have business analysts who could fill this role. Kelly said that you could potentially pair them with IA to perform analysis projects. IA are going to know how to audit and what questions to ask, however they may not know how to get the visualization and the analytics done well and that is where the business analysts come in.

The pairing of a subject matter expert (SME) with IA can also work. Kelly pointed to the example from the Cleveland Clinic where the Chief Integrity Officer, Don Sinko, has had success using employees from the nursing staff as they know the operations inside and out and when you pair them with an internal auditor it “creates a nucleus of operational knowledge.” Other examples are banks which use employees from the customer care centers because they have the greatest knowledge of the company’s problems.

Another key issue which Kelly pointed to was whether the company truly understands its objectives. He stated, “What are the actual objectives? Does everybody know them? Does everybody know which one is ranked number one and which one is ranked two, three and four? You really need to think through this is what we want to achieve.” From there you should ask what are the risks that might prevent us from achieving these objectives? The next step is then to reverse engineer which business process controls are needed to minimize the chance of that going wrong. Kelly said another way to consider it is that “you need to manage the risk and actually the more technical school of thought out there is, it's an objective based risk management is what you need. What are my objectives? What are the risks to achieving them? How do I reduce those risks?” The implicit assumption is the business knows what its objectives are and which ones are more important than others.

The IA evolution that we have explored over this five-part series follows what I see as the evolution of compliance where it went from a paper program to doing compliance to operationalizing compliance and beyond that now. IA, compliance and a wide variety of other corporate disciplines really need to change their thinking about risk and look at risk as not only an opportunity to harness and channel but also something to manage more nimbly going forward, not simply as fulfilling some legal compliance. Kelly added some thoughts from the compliance realm, which is that “many compliance officers wince at the idea of compliance as a bolt on addition which you engage in only at the end of the business process.” This outdated definition of the corporate compliance function, “is a drag at the end of the otherwise aerodynamic operation. It slows everything down and you don't want that. You want compliance embedded throughout the whole organization and smart ethical conduct all the way through.”

This has a similar dynamic with IA because historically IA would do a financial statement audit and it would be bolt on because you only do the annual audit once a year. It was performed and completed after the end of the fiscal year. Now we are moving beyond this as Boards of Directors need more assurance on more risks. They need to know that risk is governed and it is governed all the way through from the risk management cycle.

Now overlay the same dynamic with the compliance function. As Kelly noted, “we're talking about risk monitoring and internal audit as opposed to ethics and compliance and the compliance function. This is where internal audit needs to get to because this is where business processes are moving to. All information is becoming datafied and you are able to monitor this data.” Kelly added a visualization when he said, “You are able to analyze when something drifts out of the Green Zone and into the Red Zone.” Kelly believes this is where we are headed and closed by stating, “I think we can probably get there, but there's no reason why we cannot do so. With some good thinking and good use of technology now, there is no reason why you could not start your organization on that path right away.”

Aug 13, 2018

In this special five-podcasts series, Matt Kelly and I are exploring the future of internal audit (IA), compliance and analytics. In Part IV, we consider the new relationships which can be created based upon the evolution of IA. These changes will allow IA to work more closely with the 1st and 2nd lines of defense. However, how does your organization prepare for that empowered audit function? Finally, we will consider corporate culture and ask if analytics and monitoring can drive behavior even more forcefully than ethics?

Typically, IA is thought of as part of the Third Line of Defense. However, through greater use of analytics, IA can move closer to the second or first line of defense or at least work more closely with those who are traditionally seen as the first or second lines of defense. This speaks to one of Kelly’s key points, that the evolution of IA will change the relationship between audit and other functions. Kelly also said it raises an important question, “As internal audit moves towards better analytics and risk monitoring drives up the importance of strong control design, people really need to start thinking about how to detect, how to monitor the risks that are important to my business process.”

Consider internal financial controls and the review of its effectiveness by an external auditor. In most situations bribes are funded through marketing or similar internal budgetary items. An external auditor will only consider material costs so if your marketing budget is over $100,000,000,000 annually for a worldwide, multi-national, a bribe payment of even $1,000,000 hidden in marketing expenses might not be considered material. Therefore, under this IA evolution, the function would need to not only understand the company’s risk but work with the first line business process owners to “clarify what your risks really are and figure out how to manage more accurately, more closely and more effectively.”

This does not mean IA will become a new department of risk monitoring as it will always need to maintain independence and objectivity. It does mean that other corporate departments, such as compliance, should consider taking advantage of IA’s expertise to help create a control for compliance risk that can be monitored and the results quantified. By having that conversation between IA and compliance, both corporate functions can become aware of the types of controls they are using and how they can be made more efficient or even streamlined. Now imagine that conversation with other risk areas in a corporation: anti-harassment, anti-trust, anti-bid rigging, IT security and data privacy. It is all about the operational risk for each corporate function. But the business process owner would continue to actively manage the risk.

CCOs and heads of other functional units need to be having those conversations now as Boards of Directors are starting to ask those same questions. But it comes with something along the lines of “If not, why not?” Boards see these types of conversations as improving the overall risk management process. I believe that compliance is uniquely suited to having those conversations now with IA to move the process down into the business unit to more fully operationalize the compliance function into an organization. This is certainly the approach advocated by the Department of Justice (DOJ).

Now consider a world where analytics is more prominent. If your organization is more analytics driven, how will it work in your corporate culture? Obviously, if abused or mis-used, a data driven analytics culture can also wind up being a negative place to work. In most organizations, we have seen that that which is managed or measured gets managed well. However, if you measure and manage everything, then you are micromanaging people. Everyone involved will need to consider how does this really impact the human beings who are in an organization? You should also realize that if you are managing and observing everything, what does that say about making your organization a nice place to work? Is it an interesting and challenging place to work or is it simply an organization which manages risk well? Finally, will analytics and monitoring drive behavior even more forcefully than ethics? Those are the types of conversations every company should be having now, not later.

Tomorrow we conclude with getting started and moving forward.

Aug 13, 2018

In this special five-podcasts series, Matt Kelly and I are exploring the future of internal audit (IA), compliance and analytics. For Part III, we consider three examples of how a framework of a risk management process could be used. The examples are (1) Invoice before PO; (2) Travel and Entertainment (T&E) spending at $49; and (3) Hotline metrics for compliance and culture analysis. 

Invoices and no POs

The first one actually comes from Cisco Systems, Inc. (Cisco) where they develop all their technology in house and while the technology they are using is not important, it is interesting to think through the theory of what they are trying to accomplish. Cisco wanted to determine how many times they get an invoice hitting the accounting department to be paid before a Purchase Order (PO) has been received by the accounting department. What Cisco was trying to do was track every instance where an invoice arrived before the PO. The company created a visualization tool so there would be a little red dot for each instance and studied how often this happened across several quarters. 

Through this visualization tool Cisco was able to classify every expense by such criteria as:  When did we get the purchase order? When did we get the invoice? What department is this for? From this point, the company could begin to detect and analyze. Equally important, with the use of the visualization tool, literally anyone in the company could see and use the data. By defining the practice as it violated internal company policy, quantifying it and then putting it into a visual format, this led to a reduction in the number of times this situation occurred because employees were more attentive to their spending.

T&E Spend at $49

The second example came from a public utility company in the Midwest. The company had a policy where any employee with a T&E expense for more than $50 had to submit a receipt. For any expense at $49 or less, the employee could submit an expense without the receipt and it would be processed and paid. This process was an anti-fraud measure to see if any employee(s) were trying to slip something by at the $49 level where they were not required to supply documentation. 

Interestingly, the company did not find any instances of egregious fraud. However, they were able to communicate to all employees it could monitor such reimbursement requests and could impose strong fraud controls in the situation where there was no requirement for the employee to supply documentation. This innovation gave them the opportunity to monitor when the $49 threshold was “just a little bit too often or a little bit too frequently where it seemed shifty”. Kelly emphasized that this is the clear analytics which improve the company's bottom line and risk management because (1) you are improving your ability to find instances of fraud in the transaction and (2) it communicates to the employees the strength of the control environment. This can be an important signal to send from a control environment perspective.
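The two transaction checks described above (invoices arriving before a PO, and T&E claims clustering just under the receipt threshold) can be sketched as follows. This is an added example, not code from Cisco, the utility company or the podcast; the record layouts, the $5 band, the minimum claim count and the 3x ratio are assumptions, and all sample data is constructed.

```python
from collections import Counter
from datetime import date

RECEIPT_THRESHOLD = 50.00  # from the page: receipts are required above $50
NEAR_BAND = 5.00           # assumption: "just below" means within $5 of the threshold
MIN_CLAIMS = 5             # assumption: skip employees with too few claims to judge
RATIO_LIMIT = 3.0          # assumption: flag at 3x the share seen among everyone else
BASELINE_FLOOR = 0.05      # assumption: avoids flagging on a near-zero baseline


def quarter(d):
    """Label a date with its calendar quarter, e.g. 2018-Q1."""
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def invoices_before_po(records):
    """Count invoices dated before their PO (or with no PO) per department and quarter."""
    counts = Counter()
    for dept, po_date, invoice_date in records:
        if po_date is None or invoice_date < po_date:
            counts[(dept, quarter(invoice_date))] += 1
    return dict(counts)


def near_threshold_outliers(claims):
    """Return (employee, near_count, total) for employees whose share of claims
    just under the receipt threshold is far above the share among all others."""
    totals, near = Counter(), Counter()
    for employee, amount in claims:
        totals[employee] += 1
        if RECEIPT_THRESHOLD - NEAR_BAND <= amount < RECEIPT_THRESHOLD:
            near[employee] += 1
    all_total, all_near = sum(totals.values()), sum(near.values())

    flagged = []
    for employee in sorted(totals):
        n = totals[employee]
        if n < MIN_CLAIMS:
            continue
        # Baseline excludes the employee under review so heavy users
        # of the band do not dilute their own comparison.
        other_total = all_total - n
        other_near = all_near - near[employee]
        baseline = other_near / other_total if other_total else 0.0
        baseline = max(baseline, BASELINE_FLOOR)
        if near[employee] / n >= RATIO_LIMIT * baseline:
            flagged.append((employee, near[employee], n))
    return flagged


# Constructed sample data: (department, PO date or None, invoice date)
SAMPLE_INVOICES = [
    ("Marketing", date(2018, 1, 10), date(2018, 1, 5)),   # invoice before PO
    ("Marketing", date(2018, 2, 1), date(2018, 2, 20)),   # in order
    ("Marketing", None, date(2018, 3, 3)),                # no PO on file
    ("IT", date(2018, 4, 2), date(2018, 4, 1)),           # invoice before PO
    ("IT", date(2018, 5, 1), date(2018, 5, 1)),           # same day, not counted
]

# Constructed sample data: (employee, claimed amount in dollars)
SAMPLE_CLAIMS = (
    [("alice", a) for a in (12.5, 23.0, 48.0, 31.2, 18.75, 64.0)]
    + [("bob", a) for a in (49.0, 48.5, 49.0, 47.9, 49.0, 22.0, 49.5)]
    + [("carol", a) for a in (15.0, 27.3, 9.99, 46.0, 33.0)]
    + [("dave", a) for a in (49.0, 12.0)]
)

if __name__ == "__main__":
    print(invoices_before_po(SAMPLE_INVOICES))
    print(near_threshold_outliers(SAMPLE_CLAIMS))
```

A flag here is a prompt for review of the underlying claims, not a finding of fraud; the thresholds need tuning against a company's own claim history.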

Hotline metrics for compliance and culture analysis

The third example was one of hotline metrics and analysis. Many Chief Compliance Officers (CCOs) and compliance professionals focus on metrics from hotlines such as are you having a lot of calls or having no calls? Is that good or bad? Is your program working or is it not? What does it say about the culture tracking hotline calls themselves? However, following such metrics does not tell a CCO anything really about the culture. Kelly believes the better way to do this is to configure your intake system to get as many characteristics about the call as possible, specifically around retaliation complaints.

Kelly said such analysis would include looking at questions, such as how many retaliation complaints relative to: all complaints; a type of manager; a specific time of year; in specific markets; at specific levels of the company or even against specific people if you can track it all the way down? What you are trying to do is identify where the problem areas are and where people seem to be retaliating more than usual. If you track those metrics over time, not only does it tell you about your culture but it gives insight into why we have this retaliation problem in the first place. It can lead to an analysis around your ethics training if it is working because if complaints about retaliation continue to increase, that tells you that maybe the ethics and anti-retaliation training you are providing to your managers is not working. 

Kelly concluded by noting that these three examples on invoices before PO orders, a T&E reimbursement expense request without documentation and examining retaliation complaints to get a better sense of your corporate culture can provide very practical steps you can take today which you might not have been able to accomplish 10 years ago because the tech was not available. However, with the evolution in the IA function and capabilities, you should be able to do so going forward.

In Part IV we will consider new working relationships based upon the evolution of IA.
