FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.
RSS Feed Subscribe in Apple Podcasts
FCPA Compliance Report






All Episodes
Now displaying: 2017
Oct 4, 2017

Why should a company engage in pre-acquisition due diligence in the mergers and acquisition context? Certainly compliance with anti-corruption laws such as the FCPA or UK Bribery Act is a good starting point. However there are other reasons that were laid by Transparency International (TI) in, a White Paper entitled “Anti-Bribery Guidance for Transactions.” The TI White Paper suggests that there are greater forces driving compliance than simply compliance with anti-corruption and anti-bribery laws such as the Foreign Corrupt Practices Act (FCPA) and UK Bribery Act. A company engaging in an international acquisition should also strive to avoid the potential financial and reputational damage that may arise from investing in or purchasing a company associated with bribery or corruption.

Some of the specific consequences where investments are made in a company which has a history of bribery or corruption include.

  • Both the target company and the acquiring company may place themselves (and their respective Boards of Directors) at risk of criminal or civil fines and penalties.
  • The market value of the target company may be overstated and hence damage the overall financial position of an acquiring company. Conversely, such conduct may diminish the asset value and returns for a target company.
  • The business instability brought by such conduct. This can include aborted business deals where both sides work long and hard only to have the transaction fall apart near the end of the process.
  • The acquired business may not simply be dysfunctional but acquiring such a business may also introduce a culture into the acquiring company which will negatively impact it and bring about employee de-motivation.
  • Even if there are no individual criminal actions brought against target or acquiring company employees, there can be a long period of disruption due to lengthy and costly investigations and the attendant reputational damage.

There are several positive benefits from appropriate due diligence, including:

  • Management quality indicator which will assess the positive qualities of the target company, including the quality of the target’s management and its overall systems, including books and records. The evidence from due diligence of anti-corruption and anti-bribery programs is an indicator of overall management quality.
  • The mitigation benefits available if a bribery incident is discovered. Under the UK Bribery Act, if a company has “Adequate Procedures” it may have a defense to a claim of violation of the Act. Under the FCPA, evidence of a best practices compliance program can be used in mitigation of any alleged violation of the FCPA.
  • The reputational gain which an acquiring company may be able to gain with regulators or investors if it can show integrity and responsibility during the due diligence process.
  • Lastly an acquiring company can go a long way in meeting investor expectations in Environmental, Social and Governance (ESG) risks, which can include corruption and bribery, during M&A transactions.

To begin the process, the following should be actively explored:

  • Has bribery taken place historically?
  • Is it possible or likely that bribery is currently taking place?
  • If so, how widespread is it likely to be?
  • Does the target have in place an adequate anti-bribery program to prevent bribery?
  • What would the likely impact be if bribery, historical or current, were discovered after the transaction had completed?

Financial, legal or reputational risk can have a significant impact the valuation or a transaction or its desirability. The following potential impacts for a purchaser or investor of anti-corruption or anti-bribery risks during due diligence can be laid out visually in chart format, which is a useful way to think through and present your analysis.


Legal Risk

Financial Risk

Reputational Risk

Current bribery and/or corruption in target company discovered during transaction




Current bribery and/or corruption in acquired company discovered in post-transaction




Historical bribery and/or corruption discovered during transaction

High to low depending on jurisdiction

High to low depending on jurisdiction

Low to medium

Historical bribery and/or corruption in acquired company discovered post-transaction

High to medium depending on jurisdiction

High to medium depending on jurisdiction

High to medium

These factors provide the compliance practitioner strong ammunition when confronted with a management which fails to understand the need for a robust due diligence in a mergers and acquisition transaction. By not focusing on the regulatory aspects of M&A transactions but more on the market reasons for engaging in the appropriate due diligence, you can emphasize the business reasons for compliance.

Three Key Takeaways

  1. There are numerous legal and business reason to engage in anti-corruption due diligence in the M&A space.
  2. ESG can present significant corruption risks in emerging markets.
  3. Present your analysis in high, medium and low risk formats.


This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at or check out

Oct 4, 2017

Count Dracula is one of the four classic Universal Pictures movie monsters from the 1930s; including the Wolfman, the Mummy and Frankenstein’s Monster. What sets him apart from these other three? In particular what is the Dracula brand? Is it fanged teeth and a black cape? Is it the signature Bela Lugosi voice? Is it a bat? In this episode, Richard Lummis and I explore branding for business leaders and discuss the lessons a 21st century business leader can learn from a 1930s movie character.

Oct 3, 2017

Today, I want to consider some of the key FCPA enforcement actions involving mergers and acquisition. These cases and the 2012 Guidance have made clear that Justice Department and SEC will vigorously prosecute companies which allow bribery and corruption to continue after a merger or purchase occurs. The key point to remember is that if a company was engaging in bribery and corruption before it was acquired and continues to do so after the transaction is completed, it is now you which is engaging in bribery and corruption, not them. 

Syncor International Corporation (2002)

Allegations- Cardinal Health, Inc. acquired Syncor International Corporation, a radiopharmaceutical company based in California. Between 1997 and 2002, Syncor’s Taiwanese subsidiary made improper commissions payments totaling $344,000, to physicians who were employed by state-owned hospitals to influence the doctors’ decision to buy Syncor products and services. Another $600,000 in corrupt payments were made through Syncor’s foreign subsidiaries in Mexico, Belgium, Luxembourg, and France. All payments were authorized by and with the knowledge and approval of Syncor’s Founder and Chairman.

Penalties-Syncor Taiwan Inc., a wholly owned subsidiary of Syncor International Corporation, pled guilty to substantive violations of the FCPA’s anti-bribery and books and records provisions, was sentenced to 3 years of supervised probation and ordered to pay a US $2 million fine. The company also agreed to pay a $500,000 civil penalty and to cease and desist in future violations and was required to retain an independent consultant to review and make recommendations concerning the company’s compliance policies and procedures. At the time, it was the largest penalty ever obtained by the SEC in an FCPA case.

Key Lessons Learned- This was the first time the DOJ charged a foreign company under the 1998 amendments, for taking acts place in the US (i.e., Chairman’s approval). Parent liability was established through the foreign subsidiary’s books and records and employees of a state-owned entity are instrumentalities of the government. This case also demonstrated how a government investigation can slow the closing of an acquisition as the acquisition by Cardinal Health was delayed until the investigation was concluded and agreements were struck with the DOJ and SEC. The acquirer brought Syncor for a lower price than originally negotiated. 

Titan Corporation (2005)

Allegations- This case involved the acquisition of Titan Corporation, by Lockheed Martin Corporation but perhaps most importantly, the acquisition ultimately failed. Titan employed a consultant and paid $3.5 million to a known business advisor of the President of Benin. Of the $3.5 million paid to the advisor, approximately $2 million were indirect contributions to the President’s re-election campaign. At the direction of a Titan senior officer, at least two payments of $500,000 each were wired from Titan’s bank account in San Diego, California, to the agent’s account in Monaco. The remaining payments were made to the agent in cash. Payments were characterized on Titan’s books and records as “social program payments” that were required by its contract with the government, the company also falsified documents to enable its agents to under-report local commission payments in Nepal, Bangladesh, and Sri Lanka. Finally, Titan falsely reported to the US government commission payments on equipment exported to Sri Lanka, France, and Japan.

Penalties- Titan pled guilty to substantive violations of the FCPA’s anti-bribery and books and records provisions, as well as a tax violation, was sentenced to 3 years of supervised probation and ordered to pay a $13 million fine. SEC alleged violations of the FCPA’s anti-bribery and books and records provisions. Titan agreed to pay the SEC and additional $15.5 million in disgorgement and prejudgment interest penalties and a $13 million penalty, which was satisfied by payment of the criminal fines. Titan was required to retain an independent consultant to review its compliance procedures and to adopt its recommendations. Finally, the SEC issued a 21(a) Report criticizing Titan’s proxy statement for incorporating what it deemed false FCPA representations and warranties. Most importantly for Titan, its acquisition by Lockheed-Martin ultimately failed.

Key Lessons Learned-some of the basic tenets of a compliance program were laid out in this enforcement action. They included: a company must conduct meaningful due diligence with respect to foreign agents and consultants and must ensure that the services alleged to be performed are provided. Internal controls must be designed to detect “red flags,” such as offshore payments and inconsistent invoices. From the M&A perspective, representations and warranties in a merger agreement must be accurate (or qualified) when included in a proxy statement. There can be a risk of additional prosecution under the International Traffic in Arms Regulations (ITAR) and possible suspension of export privileges, potential US and foreign tax exposure and possible contractor debarment issues by the Department of Defense. Ultimately and most importantly from the business perspective, the merger failed when Titan was unable to meet contractual agreement to settle with the US government by a certain time. 

Latin Node (2009)

Allegations-In June 2007, eLandia acquired Latin Node, which provided wholesale telecommunications services to several developing countries by leasing lines from local phone companies, in Latin America for $20 million. In August 2007, during a post-acquisition financial integration review, eLandia discovered evidence that Latin Node had paid approximately $2.25 million in bribes to Honduran and Yemeni government officials between March 2004 and June 2007. Subsequently, eLandia voluntarily reported the payments to DOJ, eventually paying a $2 million fine and placing Latin Node into bankruptcy and thereby losing its entire investment.

Penalties-Latin Node pled guilty to a one-count criminal information as part of a plea agreement with the government. Under the agreement, Latin Node agreed to pay a $2 million criminal fine, a $400 special assessment and agreed to continue its cooperation with the government. Four Latin Node executives were charged with criminal conduct for their actions. They were Jorge Granados, 54, the company's former CEO; Manuel Caceres, 64, a former vice president; and Juan Pablo Vasquez, the chief commercial officer; and Manual Salvoch, the company’s former CFO. All four pled guilty.

Key Lessons Learned-This was the first FCPA enforcement action based entirely on pre-acquisition conduct that was unknown to the buyer when the transaction closed. The purchaser’s entire $22+ million investment in Latin Node was wiped out due to inflated acquisition price of corrupt company and investigation costs. All of this demonstrated the need for rigorous pre-acquisition due diligence in addition to the post-acquisition integration. It also exposed individuals to the real possibility of jail time for their actions. 

There have been several M&A cases since these three but they set the model for the DOJ’s prosecution going forward. Every compliance practitioner should be aware of these cases and communicate to management that one of the most well settled areas of FCPA enforcement is around M&A. Simply put if you do not engage in appropriate pre-acquisition due diligence and there continues to be ongoing bribery and corruption after you acquire an entity, your company will bear the brunt of any prosecution.

Three Key Takeaways

  1. FCPA enforcement in the M&A space is one of the most well settled areas of enforcement.
  2. Failure to perform pre-acquisition due diligence can significantly devalue a purchased asset.
  3. Always remember that if bribery continues after an acquisition it is no longer them engaging in bribery and corruption but you who are engaging in bribery and corruption.

This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at or check out

Oct 3, 2017

In this episode, Matt Kelly and I take a deep dive into an article by Todd Haugh, in the most recent issue of the MIT Sloan Management Review entitled, “The Trouble With Corporate Compliance Programs that even best practices compliance program fail to take into account behavioral best practices and one important but too often overlooked key to strengthening both individual and overall corporate behavior is eliminating rationalizations. 

Haugh points to the Wells Fargo scandal which occurred in large part because of multiple rationalizations at multiple levels. At the employee level, they were pressured to violate both company policy and the law by their managers. At the senior management level the balance sheet rationalization came into play. Both of these led employees to “rationalize their conduct by denying responsibility and claiming relative normality.” 

We consider the steps Haugh recommends. The first was one of the most intriguing and it was for a company to employee a behavioral specialist to take current research and theory into practice in an organization. The second was to “use behavioral best practices to eliminate rationalizations.” The final suggestion is that companies should “use incentives to influence behavior in the right direction” by understanding how rationalizations come into play. Most interestingly Haugh believes that employee “praise and expressions of gratitude motivate more than money”. Think of the cost of a good word now and then or a pat on the back. 

The topic is a fascinating look at new insights for the compliance practitioner into how to motivate employees and make compliance more effective in an organization.

For more see Tom's blog post, The Fraud Triangle, Rationalizations and Compliance Programs. 

Oct 2, 2017

Today, I begin a one month series on how to have a more effective compliance program involving business ventures. This will include the role of compliance in mergers and acquisitions, the role of compliance in joint venture agreement, distributorship, franchises as well as other forms of business relationships.

The 2012 FCPA Guidance makes clear that one of the ten hallmarks of an effective compliance program is around mergers and acquisitions (M&A), in both the pre-and post-acquisition context. A company that does not perform adequate due diligence prior to a merger or acquisition may face both legal and business risks. Perhaps, most commonly, inadequate due diligence can allow a course of bribery to continue - with all the attendant harms to a business’s profitability and reputation, as well as potential civil and criminal liability. In contrast, companies that conduct effective due diligence on their acquisition targets are able to evaluate more accurately each target’s value and negotiate for the costs of the bribery to be borne by the target. But, equally important is that if a company engages in the suggested actions, they will go a long way towards insulating, or at least lessening, the risk of FCPA liability going forward.

Nat Edmonds, in an interview in the Wall Street Journal (WSJ) entitled, “Former Justice Official: How to Buy Corrupt Companies” said “I think most companies and their outside counsel believe any potential corruption problem should stop a deal from occurring. Companies would be surprised to learn that neither the Securities and Exchanges Commission nor the DOJ takes that position. In many ways the SEC and DOJ encourage good companies with strong compliance programs to buy the companies engaged in improper conduct in order to help implement strong compliance in companies that have engaged in wrongful conduct. What companies must do and what outside counsel should advise them to do is to have a realistic perspective of what effect that corruption or potential improper payment has on the value of the deal itself. Because of the concern that any corruption would stop the deal or implicate the buyers, many times companies don’t look as thoroughly as they should at potential corruption. There is often concern that if you start to look for something you may find a problem and it could slow down or stop the whole deal.”

The 2012 FCPA Guidance was the first time that many compliance practitioners focused on the pre-acquisition phase of a transaction as part of a compliance regime. The DOJ and the SEC made clear the importance of this step. In addition to the above language, they cited to another example in the section on Declinations where the “DOJ and SEC declined to take enforcement action against a U.S. publicly held consumer products company in connection with its acquisition of a foreign company.” This action was based upon the following, “The company identified the potential improper payments to local government officials as part of its pre-acquisition due diligence and the company promptly developed a comprehensive plan to investigate, correct, and remediate any FCPA issues after acquisition.”

In a hypothetical, the 2012 FCPA Guidance provided some specific steps a company had taken in the pre-acquisition phase. These steps included, “(1) having its legal, accounting, and compliance departments review Foreign Company’s sales and financial data, its customer contracts, and its third-party and distributor agreements; (2) performing a risk-based analysis of Foreign Company’s customer base; (3) performing an audit of selected transactions engaged in by Foreign Company; and (4) engaging in discussions with Foreign Company’s general counsel, vice president of sales, and head of internal audit regarding all corruption risks, compliance efforts, and any other corruption-related issues that have surfaced at Foreign Company over the past ten years.”

The DOJ Evaluation of Corporate Compliance Programs also had some specific questions around M&A. Under Prong 11. Mergers and Acquisitions (M&A), the following topics were listed, including some specific questions. Under Due Diligence Process, the following questions were posed, Was the misconduct or the risk of misconduct identified during due diligence? Who conducted the risk review for the acquired/merged entities and how was it done? What has been the M&A due diligence process generally? Under the topic, Integration in the M&A Process, the following query was posed, How has the compliance function been integrated into the merger, acquisition, and integration process? Finally, under the line area of interesting, Process Connecting Due Diligence to Implementation, the following queries were posed, What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process? What has been the company’s process for implementing compliance policies and procedures at new entities? 

One of the key themes this month will be the integrated nature of compliance and business ventures. Whether the compliance work is seen in the mergers and acquisition context, joint venture context or one of the myriad of other business relationships of the current business world, there is an approach that a Chief Compliance Officer (CCO) or compliance professional should take to assess the risk, monitor the risk and then manage the risk with continued monitoring with a feedback of data and information into your risk management strategy.

Three Key Takeaways

  1. We will consider the role of compliance in a wide variety of business relationships, including mergers and acquisitions, joint venture agreements, distributorships, franchises as well as other forms of business relationships.
  2. Compliance for mergers and acquisitions should be seen as a unidimensional continuum.
  3. The Evaluation focuses on what data did your risk monitoring system turn up and how did you utilize it going forward.


This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at or check out

Oct 2, 2017

In this episode, I have a fascinating interview with David McLaughlin, founder and CEO of QuantaVerse, which has artificial intelligence and data analytics tools to help companies manage risk more effectively. We discuss the use of such tools and techniques for risk reduction solutions to provide insight into the details of your customer’s customers, which allows a company to not only identify bad actors but also aggressively fight financial crime, including fraud, bribery and corruption. We explore how this downstream approach would allow you to more effectively manage subcontractors to your company’s prime contractors. We consider how artificial Intelligence is transforming Internal audit investigations with technology; how it is enhancing compliance programs with predictive data analytics and how artificial intelligence can Help companies reduce FCPA risk. 

We conclude with a discussion how the use of AI can bring a more holistic approach to compliance as a business process rather than simply policies and procedures so that the end of the day a company is more profitable. The implications for the compliance profession are profound and these concepts will lead improvements on compliance efficiencies. 

For more information on QuantaVerse, check out their website,

Sep 29, 2017

Jay and I return for a wide-ranging discussion on some of the top compliance and ethics related stories, including: 

  1. The DOJ announces a major criminal case which rocked the world of college athletics, involving pay for shoes scandal. See article by Michael McCann in Sports Illustrated. See article by Mark Schlabach on Sam Rubenfeld looks at the corruption in college sports angle in the WSJ Risk and Compliance Journal.
  2. Consumer product sellers need to check the SDN list before a sale? Before shipping? If you are Cartier jewelers, yes, according to SEC enforcement action. See article by Dick Cassin in the FCPA Blog.
  3. Alere settles FCPA and accounting fraud SEC enforcement action. Dick Cassin reports in the FCPA Blog. See copy of SEC Cease and Desist Order.
  4. McKinsey reminds us that a promise to pay can be a FCPA violation as its imbroglio in South Africa continues. See article Tom’s article in Compliance Week.
  5. Todd Haugh, an assistant professor of business law and ethics at Indiana University, wrote in the most recent issue of the MIT Sloan Management Review that even best practices compliance program fail to take into account behavioral best practices and one important but too often overlooked key to strengthening both individual and overall corporate behavior is eliminating rationalizations. See Tom’s blog post in the FCPA Blog.
  6. Uber loses it license in London and for the first time an Uber CEO apologizes for the company’s unethical behavior. Prashant S. Rao and Amie Tsang reports in the New York Times.
  7. After the Equifax breach comes news the SEC was hacked. Joe Mont reports in Compliance Week. Matt Kelly reports on SEC Chairman Jay Clayton’s testimony before Congress on this and other subjects this week in Radical Compliance.
  8. Jose Altuve reaches 200 hits for fourth straight season, becoming on the 4th Second Baseman to do so. He has also clinched the AL top hitter for the 3rd time in four years. Is an MVP far behind. Cubs clinch and Red Sox magic number is 1, having been stomped by the Astros 12-2 last night.
  9. Join Tom’s monthly podcast series on One Month to a More Effective Compliance Program. In October, I will consider compliance with business ventures such as in the M&A context, joint ventures, distributors, channel ops partners, teaming agreements and all other manner of business venture. The first week I take a deep dive in M&A under the FCPA. This month’s sponsor is the Volkov Law Group. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
  10. The Jay Rosen weekend report preview.
Sep 29, 2017

As I end this section on innovation, I want to conclude by laying out a road map which allows a CCO or compliance practitioner to make more effective and better operationalize a corporate compliance program. With the DOJ’s Evaluation of Corporate Compliance Programs emphasis of operationalizing your compliance regime, innovation is an important tool for you to use in this journey, yet one that I believe is too often overlooked.  One of the best recent roadmaps I have seen was suggested by LRN Corporation’s 2016 Ethics and Compliance Program Effectiveness Report.

The Report detailed four key findings which are symptomatic of an operationalized compliance program. Susan Divers, Senior Advisor at LRN Corporation, noted overarching theme in is that ethics and compliance “programs centered on values are more effective than ones that aren’t. A values-based approach toward shaping culture emphasizes and sets expectations, not just about what can and cannot be done according to rules, but rather what should and should not be done in alignment with core beliefs. In rules-based environments, that is, everyone’s job is to do the next thing right—to act correctly. In values based environments, in contrast, everyone’s job is to do the next right thing—to act morally.”

It is this drive to burn compliance into the DNA of an organization that fully operationalizes compliance. Think of any recent scandal, Volkswagen (VW), Wells Fargo, Valeant, Uber or you name the scandal, where if an employee had simply done the right thing instead of the illegal action, how much better off a company would have been. The four findings were:

The most effective E&C programs are embedded in business operations. Diver pointed out it is critical a company should think “about ethics and compliance and values as part of your brand.” By doing so, each level in a company will understand its role going forward, from the Board of Directors, senior management, middle management and the employee base. Moreover, the company will train, develop and promote an ethics and compliance program through each of these levels.

Susan Divers provided an insightful example, “I think if I were to use one word to characterize all of them together, it would be holistic. The first one of embedding your ethics and compliance programs in your business operations, one big piece of that is your brand. For example, Volkswagen used to have a fantastic brand. You thought of Volkswagen and you thought of basically a green car, and one that was well engineered. Now it’s a massive fraud. One headline I saw called it Hoaxwagen.”

The most successful ethics and compliance programs use a variety of channels to convert guidance into practice. An effective compliance program will communicate the corporate ethics and compliance values through multiple channels throughout the company, on an ongoing basis. This speaks not only to upward and downward communications within an organization but also inbound and outbound to the company as well. But more than simply saying there should be communication, the Report also assesses how communications occur through inquiring into the clearness and conciseness of messages and whether an organization uses more effective communication techniques such as shorter, more frequent training models or facilitated workshops as opposed to rote one hour lectures from lawyers.

Communications can be made in other, more subtle manners. Consider what are the actual behaviors that the conduct demonstrates? Divers said that at LRN, “We’re not so fond here of tone at the top. We’re more fond of actions at the top, because tone can be one thing and actions are another. Looking at whether managers’ ethical behavior counts in terms of promotion and bonuses, that’s really where the rubber meets the road in a lot of places, and that makes a huge difference. Another aspect of that is making middle managers accountable for ethics and compliance in their business, and the good programs coach people in that aspect. That’s really some of the key aspects we looked at for how you embed in business ops.”

High-performing programs proactively convert regulatory guidance into practice. I found this to be one not often enough discussed as many compliance practitioners struggle to convert DOJ pronouncements, comments or lessons learned from FCPA enforcement actions into practical guidance. The most effective compliance programs internalize such guidance from prosecutors and regulators and continuously improve. Here one might consider an example torn from the headlines: when the Wal-Mart corruption scandal in Mexico broke, I called one CCO the next day who told me he had already put a PowerPoint presentation in front of his senior management about the perils of finding your corporate name splashed across the front page of the New York Times alleging your organization of bribery and corruption.

Divers considered this finding from another perspective. She stated, “You have to look for the actual challenge the people view in the company, whether that’s sales force, or other disciplines. There in lots of different ways and in positive ways, not just negative ways. One of the things we did, which we didn’t just tell people that serious actions meant this, we looked at actual business cases where people had done the right thing and made the right choices to comply with regulations, and that’s very powerful for modeling. Another aspect of that is how you embed your Code of Conduct. Do you just put it out on the website and say, “Great, here it is. Read it,” or you have discussion? Obviously, those are more effective.”

High-performing programs spread their impact broadly, recognizing that it is the whole organization that needs to be engaged in ethics. This finding considers whether an organization has moved away from a “silo-based approach to ethics and compliance.” It did so by reviewing how the different corporate functions work as catalysts for imbuing your organization values in their specific corporate discipline. Here Divers related that “high performing programs aren’t sitting in a closet somewhere, only visited when there’s an ethics issue. High-performing programs are out there. They work across the corporation with human resources, with internal audit, with legal, and even with sales and marketing, and finance and accounting, to make sure that ethics are a part and parcel of business operations.”

This month I have reviewed a variety of innovations in compliance; from innovations in structure, use of social media tools and concepts, to new and different ways to consider your internal resources as ways to innovate in your compliance regime. The DOJ has consistently said that a compliance program must evolve. It must evolve to meet new or updated risks, new opportunities or different regulations. Innovation is one of the best ways to evolve. Finally and perhaps most importantly as a compliance practitioner, always remember that you are only limited by your imagination.

Three Key Takeaways

  1. Innovation is one of the most overlooked and under-utilized tools in compliance.
  2. Operationalizing your compliance program will require innovation in your compliance program going forward.
  3. As with most CCO initiatives, you are only limited by your imagination.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to

Sep 28, 2017

While many compliance departments may have begun more as a command and control function, set up by lawyers to comply with anti-bribery laws such as the FCPA, UK Bribery Act or others; this type of leadership model is now becoming outmoded in today’s world. It is not that employees are interested in the ‘why’ they should do business ethically and in compliance with such laws but it is more that power is shifting inside corporations. In a HBR article, entitled “Understanding “New Power””, authors Jeremy Heimans and Henry Timms explore how leadership dynamics are changing and what companies might be able to do to harness them. I found them to have some excellent insights, which a CCO moving to CCO 2.0 or compliance practitioner might be able to garner for a compliance function. 

The authors begin by noting that ‘new power’ differs from ‘old power’ in a bi-lateral dimension of intersection. This intersection is between the models used to exercise power and the values which are now embraced. It is the understanding of this shift in power, which will facilitate the compliance function moving more to the forefront of a business integration role. The new power models are fourfold. Under sharing and shaping a company is much more integrated with its customers and supply chain. Second is funding which continues this integration by adding a vertical component of funding, whether equity positions or some other type of funding. Third is producing in which “participants go beyond supporting or sharing other people’s efforts and contribute their own.” Finally, there is co-ownership, which is the most decentralized, pushing participation down to the lowest or most basic levels. 

But beyond these new power systems, the authors believe that “a new set of values and beliefs is being forged. Power is not just flowing differently; people are feeling and thinking differently about it.” The authors call them “feedback loops” which “make visible the payoffs of peer-based collective action and endow people with a sense of power. In doing so, they strengthen norms around collaboration”. 

The authors lay out five new values. They include the area of governance where the authors note, “new power favors informal, networked approaches to governance and decision making.” Next is in the area of collaboration where the authors believe that this new power value rewards “those who share their own ideas, spread those of others, or build on existing ideas to make them even better.” The next new value is DIO or do it ourselves. Under this value, there is a “belief in amateur culture in arenas that used to be characterized by specialization and professionalization.” Next is transparency which, while not a new concept, says that more permanent transparency between business and social lives will lead to a “response in kind from our institutions and leaders who are challenged to rethink the way they engage with their constituencies” specifically including their employee base. The final new value identified by the authors is affiliation, which means that new and younger employees are less like to “forge decades-long relationships with institutions.” 

The authors have three prescriptions that I found could be useful for the CCO or compliance practitioner to incorporate into a mature and evolving compliance program moving forward. Compliance functions need to “engage in three essential tasks: (1) assess their place in a shifting power environment, (2) channel their harshest critic, and (3) develop a mobilization capacity. 

Assess where you are 

This prong is quite close to something compliance practitioners are comfortable with in their role, a risk assessment. However the authors suggest that the assessment be turned inward so you should assess the compliance function on this “new power compass—both where you are today and where you want to be in five years.” You can benchmark from other companies in responding to this query. Internally, you can begin this process with a conversation about new realities and how the compliance function should perform. More importantly such an assessment can help you identify the aspects of their core models and values that should not be changed. 

Incorporate business unit interests 

The authors note, “Today, the wisest organizations will be those engaging in the most painfully honest conversations, inside and outside, about their impact.” However, I think this question should be asked first by the CCO or compliance practitioner. For it is not only what you are doing to work with your business units but more importantly what are you doing to incorporate their concerns and suggestions into your compliance regime. If you are going to ask the business unit to be a significant partner or better yet be your business partner, you will need to have a mechanism in place to engage your business unit so there can be an inflow of input before the compliance function has an output of requirements. As the authors write, “This level of introspection has to precede any investment in any new power mechanisms” to which I would add any successful compliance function. 

Mobilize your capacity 

Here I suggest you consider contracted third parties and other third parties such as joint venture (JV) partners as an avenue through which the compliance function can bring greater benefits to an organization. Compliance expert Mary Jones, the former  Global Industries Director of Compliance, often discusses her training of the company’s third parties and how thankful they were that when she would personally travel to their locations and put on in-person training. Her efforts to travel to their locations, spend the money required to do so not only directly strengthened Global Industries’ compliance function but created allies for her efforts by giving these suppliers the information and training they needed to comply with their customers requirements. By reaching out in this manner, Global Industries used its contracted third party suppliers to create a stronger company compliance program. 

As the anti-corruption compliance profession matures, it will become more a component of a company’s business function. This means less of a lawyer’s top down mentality of do it because I said to do it, to more collaboration. 

Three Key Takeaways

  1. The lawyer driven command and control method for compliance is outmoded and outdated.
  2. Innovation in compliance leadership is recognizing the bi-lateral nature of power and communications in an organization.
  3. A feedback loop can be used in the leadership function as well. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to

Sep 28, 2017

Today, I visit with noted fraud examiner, Jonathan Marks, a partner at Marcum LLP on the relationship of the internal auditor, fraud good governance and board governance. Marks began by noting that an organization which has in place a strategically integrated governance risk management structure at the Board level has an ethical and operational backbone against which an entire business can be managed. While doing significant fraud investigations he has found that when one considers the governance, it often has a key role in the overall determination. He went on to note that corporate government is the systems and processes and organization has in place to protect the interests of the first diverse stakeholder group. Good corporate governance consists of the Board of Directors, its committees managing the legal and regulatory environment where business practices intersect all around transparently monitoring enterprise risk management. 

The Board has a key role in any organization helping determine their risk profile through its oversight of management. He believes it is the Board which has ultimate responsibility of risk parameters and setting the risk profile. Moreover, from an oversight perspective the Board should be ensuring that management is not doing things which put the organization at risk. Marks stated, “We all know from the various frauds that have already occurred and have been in the newspapers and in the public eye are looked at from a siloed perspective and not looked at in the aggregate.” 

A Board should ensure that management does not overstep its boundaries when management is looking at certain transactions. It is important the Board take an active role. They need to ensure that management is doing risk assessments on a regular basis. If one considers the Hewlett-Packard acquisition of Autonomy to see how the Board failed in its oversight role in the merger context by not asking the right questions or seeking enough relevant information from the CEO. More recently is the Telia FCPA enforcement action, where the Board allowed senior management, literally right up to the CEO, engage in bribery and corruption to do business in Uzbekistan. 

Marks emphasized the Board’s role should be looking “at this from a fresh set of eyes and really understanding what the risks of the organization might be to help the organization better manage their risks. And the other thing the board can do is ensure that management is constantly thinking about the ways that things can actually go wrong.” This is critical when considering internal controls around fraud or even financial reporting and disclosure required under SOX.

One of the most asked questions is how much information should a fraud examiner or other provide to a Board. Marks considered it from another perspective saying, “I'm less concerned about the quantity I'm more concerned about the quality of information. For me, it is about getting the right information to the Board. A Board book filled with white noise does the Board no good. You would hope that it would not be the case but it often is.” He believes the key is to put together information that is almost surgical in approach, with very detailed information allowing Board members to assess for themselves. 

It is all about good communication. From an information perspective, Marks would provide the Board the information it needs to properly assess the risk of the business. This should lead to a dialogue with them. The Board should be actively engaged and ideally would have questions back to the fraud examiner. Marks emphasized that communication includes feedback you know so you know they have not only reviewed but thought about the information you have presented.  

Sep 27, 2017

Now consider the use of video to assist ongoing communications in a best practices compliance program. It has certainly been proven that social video can boost your company’s brand awareness and its sales. Why not consider using video to boost your compliance functions brand awareness and help spread the message of your corporate values and ethos. In an article in Inc., entitled “Everything You Need to Know About Creating Videos for Your Business (Even If You Have No Video Experience)”, it reported that Facebook now generates an “average of eight billion video views per day and YouTube reaches more 18- to 49-year olds than any cable network in the U.S.” Why not take advantage of this natural tendency to produce compliance focused content that would engage your compliance customer base – your employees. 

The article provides three short guidelines to consider which are equally valid for considering communications from the compliance function. The first is to have a plan around what you want to do. This includes not only your script but also your budget. It does not have to a large high dollar production. You can shoot a video in your office, literally using your iPhone if that are all the resources you can muster. I recently attended the tech conference Collision 2017 and in the press area, there was a set up for interviews using iPhones. At the 2016 SCCE Compliance and Ethics Institute, Kortney Nordrum recorded Roy Snell and myself for a live session of our Unfair and Unbalanced podcast using an iPhone. 

Another resource is your corporate media function. A great example was a CenterPoint Energy video put out in 2015 after the Volkswagen (VW) emissions-testing scandal become public. The video featured Scott Prochazka, CenterPoint Energy President and Chief Executive Officer (CEO). He used the VW scandal to proactively address culture and values at the company and used the entire scenario as an opportunity to promote integrity in the workplace. But more than simply a one-time video, the company followed up with a with an additional resource, entitled “Manager’s Toolkit – “What does Integrity mean to you?””, which managers used to facilitate discussions and ongoing communications with employees around the company’s ethics and compliance programs. The cost for the video was quite reasonable as it was produced internally. 

This CenterPoint Energy example brings up another key point which is timing. Just as many CCOs used the New York Times’ breaking story on Wal-Mart’s alleged FCPA violations in Mexico back in 2012 as an opportunity to brief senior management on what can happen when your company appears on the front page of a Sunday NYT edition for FCPA violations; CenterPoint Energy used the VW emissions-testing scandal as an opportunity to not only reaffirm its own corporate values but also engage in ongoing communications. 

Another key element is also built around time and it is that “short videos are good videos”. You can have a series of short videos communicating different aspects of your compliance program. It can range from short messages from your CEO, to videos of your CCO to videos of employees. Employees will always tune in when senior management speaks to them internally through a video. They want to hear from the President and a message of commitment to the culture values of doing business ethically and in compliance is always a message that will resonate with employees. 

Also consider having employees in short discussions on how they may have overcome compliance challenges. Celebrate these events but do not forget their power to educate and inspire other employees. Such techniques can give your employees a peek behind the curtain, not to show the wizard has no clothes but because it makes your internal compliance function seem more authentic. 

What are some of the venues you can utilize for these videos? Of course internal channels are appropriate to use. If you have an internal Twitter like function, you can post short videos that can be posted and reposted multiple times per day. If you have a tech savvy, media-friendly company you might consider an Instagram type approach, combining videos and pictures. Finally, do not forget the power of YouTube. It is one of the largest search engines behind Google and the prime location for video watching by the vast majority of folks these days.  

Finally, never forget that one of the key factors listed in the Morgan Stanley Declination to Prosecute was 35 compliance reminders provided to their recalcitrant FCPA violating Managing Director Garth Peterson over seven years. These types of videos can certainly be used in a variety of ways, including as a legal defense to any FCPA investigation. 

Three Key Takeaways

  1. Use all the tools available to you to communicate the message of compliance.
  2. Use current events as starting points to discuss your corporate values.
  3. Do not forget the Morgan Stanley declination and 35 compliance reminders. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to

Sep 27, 2017

In this Episode 2 of Compliance Man Goes Global podcast of FCPA Compliance Report International Edition, we focus on real priorities of the corporate compliance programming at high-risk markets.  In each podcast, we take two typical concepts or probably misconceptions from in-house compliance reality. We check out if these concepts work at emerging jurisdictions. For each podcast, we divide roles with Tim Khasanov-Batirov, a compliance practitioner who focuses on high risk markets for 17 years and myself.

Corporate Concept #1. We have officially deployed compliance program at a high-risk market. All hallmarks are duly identified in it. I do not understand what kind of priorities I have to consider in addition to regulatory hallmarks. When enough is enough?     

Tim Khasanov-Batirov: Here are my pros:

Argument #1.

To address regulatory expectations you should have a program that is comprised of 10 Hallmarks. Here are your priorities. This is a very straightforward and in my view a very clear philosophy.

Argument #2.

10 Hallmarks cover both legal aspects along with implementation side. If we want to find priorities for particular organization among already identified regulatory priorities we can simply choose them from 10 Hallmarks.

Argument #3.

Attempt to perplex the framework could harm the execution of the program. I do not see any merits from practical side to distract attention of the team and to spare resources on reinventing the wheel.

Tom:  OK, let me give you some examples, which probably allow you to re-think about priorities. Here are cons:

Argument #1.

You definitely want to avoid paper compliance program. Therefore, you probably need to distinguish 10 Hallmarks from practical methods on implementing them. We can call these practical methods priorities.    

Argument #2.

The following priorities come to my mind when I think about practical side on implementation of the corporate compliance program in emerging markets. First, clear understanding by compliance personnel of how they could achieve goals prescribed by the hallmarks. Second, obtaining trust from the management by compliance team. It is vital. Third, constant engagement and cooperation with key stakeholders aimed on keeping compliance team’s eye on the ball.    

Tim: I believe Compliance man referred to this topic in the first episode of the illustrated series entitled: First Things First.  

 Corporate Concept #2 “In real world compliance goals and priorities mismatch business needs or even prevent business from growing”. Tim, will you support this philosophy if you look at high-risk markets?  

Tim: It is common place to oppose corporate compliance efforts to business growth. Moreover, this statement is a kind of vague. I strongly disagree with it. I believe compliance priorities exist on the radar of business leaders at least due to very pragmatic and even cynical reasons. 

 Argument #1.

Threat of personal liability and possible negative impact on the company in case of enforcement actions.

Argument #2.

Wish to comply with corporate rules and maintain status of a “good corporate citizen” in the company.

Argument #3.

I also believe in scenario when compliance philosophy gets a high priority status in the in-house reality due to Compliance team’s efforts.

Tom: My concerns are the following:

Argument #1.

As we know the main business goal is earning money. What we call compliance in certain cases is viewed by business leaders as obstacle in money making.

Argument #2.

Sometimes top managers unfortunately are not aware about compliance risks and consequently their own duties to mitigate them. Thus, unintentionally management might ignore even basic compliance rules.

Argument #3.

The worst-case scenario when compliance team was not able to demonstrate the ability to work in the team rather than being just bureaucratic “Dr. No” department.

Tim: As key takeaways from today discussion, I think we can mention the following ones: a compliance practitioner should implement the program based on regulatory requirements in cooperation with business leaders. To achieve this goal he or she should obtain trust from top management and get awareness (and even appreciation) of compliance activity by key stakeholders.  

Join Tom Fox and Tim Khasanov-Batirov for the next episode of Compliance Man Go Global episode of FCPA Compliance Report International Edition.  Join us again as we bust more corporate compliance myths.

Sep 26, 2017

How do you tap into your largest resource of innovation for your compliance program, which  is of course your employee base? That topic was explored in an article in the MIT Sloan Management Review, “How to Catalyze Innovation In Your Organization” by Michael Arena, Rob Cross, Jonathan Sims and Mary Uhl-Bien. This article posits that companies can “fuel the emergence of new ideas by understanding and tapping the power of employee networks.” 

The tenets and concepts the authors articulated provided several useful insights for a CCO or compliance professional. The first was that “companies need to create context that allows people, ideas and information to flow across different groups.” The second identifies a group of employees who operate as brokers and they create “bridges between groups” within a company. These brokers should work with “central connectors, who are well-connected in one subgroup” to form a powerful network. Finally, “when facing a problem, innovators should engage their network early on.” 

Interestingly, as with the ever-dwindling myth of the rogue employee in FCPA enforcement, the authors note, “Tales of a lone inventor with a blinding insight are unhelpful myths when it comes to corporate innovation. Successful service, product, or process innovations within large, complex organizations are very much a social phenomenon.” A successful CCO will know that they need to leverage employee networks for both innovation and communications of compliance initiatives. 

The authors key insight was their three divisions of social networking within an organization. They believe “A key to catalyzing emergent innovation is identifying and positioning innovators within an organization.” Moreover, it is the use of these networks which can move innovation back up to the top of an organization and communications down through a company as well. 


Brokers are the group of employees which build bridges from one group to another within and outside an organization. This allows them to act as critical channels of information and ideas. Brokers offer three competitive advantages: broader access to diverse information, early access to new information, and control over the diffusion of the information. Yet more than simply acting as conduits, “Brokers facilitate this discovery process through their social connections and then determine how and when these insights can be introduced to other parts of the organization. The creation of adaptive space enables brokers to more actively connect and navigate beyond their local subgroups to explore new possibilities.” 

Central Connectors 

The second group is “central connectors” who provide group cohesion for implementation of innovation and communications going forward. The authors stated, “Group cohesion represents how connected individuals are to one another within a group. A group is considered cohesive when many redundant connections exist among group members. That is, the likelihood of any individual within the group being connected to any other individual within the group is high. As a result, cohesive groups can quickly share information and generally operate with high levels of trust.” These central connectors can take an idea and move it into more disparate groups to diffuse both ideas and communications; in short it is often these central connectors who will drive an innovation to success. 

While some industries and companies resist rotation for a CCO or compliance profession, it would appear the better practice is to use rotation as a catalyst for innovation and change. The authors noted one example where employees were moved between projects every three years or so which allowed knowledge to flow around more readily. The authors concluded that the company had “provided the space that enabled an active interplay between brokers and connectors.” 


The final group identified by the authors are the “engergizers” who can work to “trigger the interest and engagement of others and unleash the passion necessary for bold innovations to advance.” The authors believe that many factors can drive this including “Network energy, or enthusiasm, drives diffusion, co-creation, and active engagement across the larger organization.” The energizers challenge those within a company to “think more boldly than they would within their own subgroups and creates a contagious mindset as the innovation progresses.” Finally, “Energizers are able to fully engage in interactions, inspiring others to devote more time and energy to an initiative. The reputation of an energizer spreads quickly across the network, attracting others to aggregate multiple ideas into bolder, integrated concepts that are more likely to succeed. Energizers connect with individuals who have different expertise or backgrounds. These differences can be embraced as elements essential to the creation of bolder innovation.” 

Through these three differentiated groups, there are five steps around innovation for the CCO to consider going forward. 

  1. Tap into adjacent expertise and a broad network early in problem-solving.Almost universally, more successful innovators did not immediately solve a problem they were given as “they were likely to ask questions and engage their network early to help them think about the problem differently and to find people with tangentially relevant expertise who might give them a different perspective on the solution.”
  2. Make early interactions beneficial to others. Innovators, drew ideas to and from others, not fostering off their vision on their co-workers. This is directly attributable to sharing and exchanging as a more collegial approach.
  3. Spread ownership of the idea and seek feedback.This is the point which lays bare the myth of the lone innovator working in a closeted office. Indeed, the authors noted, “among our interviewees, trying to develop an idea in isolation until it was seen as bulletproof was a sure recipe for failure. The more successful innovators made decisions on whom to include and how to run initial meetings in ways that shaped both the innovation and the network.”
  4. Develop a prototype early.While the authors admonish to “Be open in process” they suggest strongly that you “insist on pushing to a prototype as early as possible.” It is because, “Early prototypes provide proof of concept. But even more important is that a working prototype dramatically changes the nature of the conversation and engagement with the network.”
  5. Communicate the early-stage solution and then iterate with the network. The authors noted, “As more stakeholders and end users give input, ensure that your team is prepared to make incremental changes, test, and adapt quickly.” 

There are always pockets and groups within an organization which resist change. Often this is one of the CCOs most difficult task. Yet the authors have laid out a clear path to overcoming such resistance and it is equally applicable to moving compliance communications through an organization. By using central connectors and energizers, a CCO, the broker, can get the message of compliance moved faster, in a more complete and enthusiastic manner. Finally, this will go quite a long way towards operationalizing your compliance regime. 

Three Key Takeaways

  1. Employees can be the greatest advocates for your compliance program.
  2. Employee engagement is one of the most direct and cost effective ways to operationalize your compliance regime.
  3. Use the five-step approach to facilitate greater employee engagement in compliance. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to

Sep 26, 2017

In this episode, Matt Kelly and I take a deep dive into the Telia FCPA enforcement action. It is the largest FCPA fine ever, coming in at $965MM. The breadth and scope of Telia’s illegal conduct was about as far-ranging as one could imagine. The fines and penalties certain bore this out. The bribes were specifically approved by the highest level of Telia, including senior executives and the Board of Directors. There was an explicit awareness that the bribery scheme would violate the FCPA, so the company tried to navigate its way out of potential FCPA liability. Clearly those efforts were lacking.

We discuss the blatant nature of the bribery scheme, the international investigation and enforcement effort involved, how this enforcement actions differs from other types of enforcement actions and lessons to be learned from the matter. We also consider that the company did not self-disclose but did cooperate in the investigation and provided extensive remediation. This netted the company a 25% discount off the minimum penalty as calculated under the US Sentencing Guidelines. 

The resolution documents include the SEC Cease and Desist Order, the DOJ issued an Information and a Deferred Prosecution Agreement, Telia. The DOJ also issued an Information and DPA for Coscom LLC, the Telia subsidiary through which the bribery occurred and a Plea Agreement

In a separate Press Release, Telia said in part, “The information being reported by media about the terms of the resolution is not complete. Telia Company has already announced that it has taken a provision with respect to the expected financial sanctions. It is correct that we are very close to a final resolution with all authorities (SEC, DOJ and the Dutch prosecutor), but cannot comment further at this time.” Cassin reported, “The company said in April it had adjusted its “estimate of the most likely outcome of the ongoing investigations into the company’s market entry and operations in Uzbekistan to $1 billion from $1.45 billion.”” 

The bribery scheme involved the company illegally buying its way into the Uzbekistan telecom market through its bribery of Gulnara Karimova, the eldest daughter of the late Uzbek President Islam Karimov. Karimova was also the bribery conduit in the VimpleCom matter, resolved in February 2016. In the Telia case Karimova parlayed her providing telecom licenses and upgrades into bribe payments of over $330MM to shell companies which she controlled. 

In the DOJ Press Release, Acting US Attorney Joon H. Kim stated “Telia, whose securities traded publicly in New York, corruptly built a lucrative telecommunications business in Uzbekistan, using bribe payments wired around the world through accounts here in New York City. If your securities trade on our exchanges and you use our banks to move ill-gotten money, then you have to abide by our country’s laws. Telia and Coscom refused to do so, and they have been held accountable in Manhattan federal court today.” 

The SEC Press Release stated, “Telia entered the Uzbek telecommunications market by offering and paying at least $330 million in bribes to a shell company under the guise of payments for lobbying and consulting services that never actually occurred. The shell company was controlled by an Uzbek government official who was a family member of the President of Uzbekistan and able to exert significant influence over other Uzbek officials, causing them to take official actions to benefit Telia’s business in Uzbekistan.” 

For more on the Telia enforcement action, see Tom’s blog posts:

Part I-Background;

Part II-the Bribery Schemes; and

Part III-the Individuals involved

Compliance into the Weeds is a part of the Compliance Podcast Network

Sep 25, 2017

Much has been written on hiring a new CCO. As with the hiring of other senior executives, such as a CEO or CFO, there can be specific questions about challenges the candidate has faced in prior engagements. For the CCO position having one who has literally been through the wars, usually in the form of an extensive Foreign Corrupt Practices Act (FCPA) investigation or enforcement action, is a critical inquiry. In most instances, Boards will want a candidate who can lead the company through the situation currently faced. 

But what about hiring at a level below the CCO? Most companies take the best athlete approach, hiring the most well rounded candidate with a varied background. However an article in the Harvard Business Review (HBR) Idea Watch column, entitled “When Hiring Execs, Context Matters Most”, reported on a new CEB study which “suggests that companies will be more successful if they consider the particular leadership context when hiring for every level. Instead of taking on generalists trained to meet any management test, the researchers say, firms should use an assessment system that identifies candidates whose personality attributes and experience are custom-tailored to the contextual challenges of the position.” 

Basically, CEB came up with a quantitative approach, looking at 27 different contexts around projects, challenges and issues. From this list they, “assessed leaders’ personality attributes, tracked relevant experience, and solicited opinions about behavior, performance, and effectiveness from supervisors and direct reports.” The research team “also coded 60 variables that inform context, such as whether the job involves a high degree of uncertainty, requires managing a geographically dispersed team, or calls for cost cutting.” From this they ran data analytics and “worked to understand why some leaders succeeded while others underperformed, the biggest factor that emerged was how well a leader’s personality, skills, and experience meshed with the specific challenges of the job.” 

Some of the challenges which included the following areas are well familiar to the compliance practitioner: leading global or cross-cultural teams; transforming a high-conflict culture; leading an organization through a merger or acquisition, operating a corporate function with high resource constraints; growing through innovation; growing the function through cost competitiveness; and managing a broad portfolio of products and services. 

The bottom line is that the more challenges a leader will face, the more difficult their job will become and the success rate will inevitably drop. Yet the article suggests that the context of experience may well be a key indicator. But it moves beyond simply hiring, noting “For example, if success in a leadership role is context-specific, and if the context is apt to change quickly in a fast-moving business environment, firms might need to move leaders in and out of roles quickly. Awareness of contextual challenges can also change the way a company approaches development.” Jean Martin of CEB was quoted “Once you recognize how well-suited leaders are to the context in which they’re about to be placed, you can use that information to drive much more specific investments in development and find ways to coach people to account for the greatest areas of mismatch.” 

This approach also allows you to get to the granular level of team projects. The article said that companies could use such techniques to “revise responsibilities, streamline goals and objectives or try and solve a particular problem”. A company could also use this method to consider its internal bench strength, focusing on who could assist the compliance function in rolling out a new initiative or even a new compliance innovation. The piece ended with a few thoughts on the best athlete approach. It suggested a term called ““spiky,” meaning that they excelled at a few specific capabilities but were not above average in all. “Chasing managerial agility instead of allowing for specialization is ineffective,” the researchers concluded.” 

HBR also included an interview with a company which had utilized this analytical approach, Adecco Group, a Zurich based workforce solutions entity. The company’s global head of talent strategy and development, Courtney Abraham, was interviewed. As much as they tried the company inevitably fell back on a non-analytical approach; i.e. using intuition in the hiring process. Mostly, Abraham felt such an approach did not deliver consistent results. 

While Adecco did not use the full 27 context approach suggested in the CEB study, they did develop its own 6 “most important challenges some will face in a new role and compare them to candidate’s skills, competencies, motivations and runaways.” This allowed the decision to move away from the gut level to one of a “shared language” among those evaluating the talent. 

An interesting side effect and one not expected by Adecco was that the data often led to an internal candidate who was not “next in line” for a promotion. It allowed internal promotion with “eyes wide open” to a candidate’s strengths and areas where they needed additional development. It also has implications for development as employees have a better understanding of their weaknesses and what gaps they may need to fill. Abraham stated, “we can use onboarding and development to actively coach and support them.” Internal hires bring the benefit of having already bought into and have been a part of the company culture and “they understand our business, the people and the competitive landscape.” 

The use of data can help a compliance professional identify internal candidates to move a corporate compliance program forward. This can also give a company a boost by bringing non-compliance professionals into the compliance realm which will allow them to more fully operationalize compliance if they return to a more traditional business unit role. 

Three Key Takeaways

  1. Develop the criteria of challenges your CCO and compliance team will face and incorporate that into your hiring analysis.
  2. Consider bringing non-compliance professionals into your compliance function using the same hiring techniques.
  3. Build your compliance bench strength on a project by project basis using the same techniques. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to

Sep 25, 2017

Linda Justice bring Nancy Drew to your side to fill all those knowledge gaps in your pursuit of clients. Using her technical background in corporate investigations, brings experience to business development, strategic management of risk and compliance. In this episode, she discusses her new consulting venture and how using a range of tactics, from strategizing with a CEO of a small company on the best go-to-market strategy, to helping a solo practitioner target and triangulate a very specific company, to working with a larger group of Partners within an organization create an underlying process and nurture multiple opportunities simultaneously. It is fascinating interview with a learn know compliance practitioner from the Bay Area. 

Linda Justice can be reached at 

Sep 22, 2017

Jay and I return for a wide-ranging discussion on some of the top compliance and ethics related stories, including: 

  1. Telia settles massive FCPA enforcement action. See reports by Dick Cassin the FCPA Blog, here and here. The Telia resolution documents include SEC Cease and Desist Order, SEC Press Release, DOJ Information, DOJ Press Release and DOJ DPA. The Coscom settlement documents include the DOJ Information and Plea Agreement.
  2. New concerns about money laundering in Venezuela for US commercial entities. See article in the FCPA Blog.
  3. Airbus Launches Internal Probe Into Unexplained Payment. See article by David Pegg and Rob Evans in The Guardian.
  4. ENI releases new information about allegations of bribery and corruption in Africa. See article by Jaclyn Jaeger in Compliance Week.
  5. Compliance Week Editor Bill Coffin interviews Hui Chen. See Bill’s article in Compliance Week.
  6. More details on the FCPA probe of Uber. David Ingram reports in Reuters.
  7. Astros clinch the AL west.
  8. Burner phones, Ole Miss recruiting scandal and compliance. Tom explores in Compliance Lessons from Burner Phones.
  9. This month’s podcast series on One Month to a More Effective Compliance Program is in full production. In September, I am reviewing innovations for your compliance program. This week’s topics include superforecasting in your compliance program, OODA feedback loop, real-time v. right-time monitoring in your compliance program, improvisation in compliance and putting compliance at the center of business strategy. Oversight Systems is this month’s sponsor. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
  10. The Jay Rosen weekend report preview.
Sep 22, 2017

Innovation can come in various forms for an organization. Innovation can appear in a structural form. You can move compliance more deeply into your organization with new or different structures. One I have seen have success is a compliance committee more closely tied to the geographic market in the field, or the Regional Compliance Committee. 

Two of the most common compliance focused committees are those at the Board level and those which sit between the CCO and the Board, usually consisting of senior executives such as members of a company’s executive leadership team. However, a Regional Compliance Committee can will help the corporate compliance function to more effectively ensure employee and business partner engagement with compliance by integrating compliance into every aspect of functions and generating the necessary information to continuously improve the overall compliance function. A Regional Compliance Committee can also operate on multiple planes to fully operationalize compliance in a company, augment the internal controls and make the company a more efficient and profitable entity. 


Most companies have a Board Committee dedicated to ethics and compliance or something like a Board Audit Committee which the CCO will report into. Once again, there are many companies with senior executives populating another level of oversight with a compliance committee between the CCO and the Board. A Regional Compliance Committee, formed at the regional level, helps to create more direct ownership, accountability, and valuable transparency.  This moves compliance down into all levels of a company’s operations.  This approach also significantly improves the consistency of compliance execution, and helps to ensure that all of business objectives are achieved in a legally compliant fashion. A Regional Compliance Committee does not have primary responsibility for internal investigations but is charged with reporting any known compliance issues to the CCO. 

A Regional Compliance Committee can provide clear and frequent compliance-related communication on related matters throughout the region, strengthening a company’s compliance culture.  It allows compliance topics to be more thoroughly discussed at regularly occurring operations meetings. A Regional Compliance Committee can have communication structures designed to facilitate communication up the chain and down the chain. This allows a CCO to have a more direct set of eyes and ears closer to the ground. Finally, the Committees give the compliance function greater visibility within the organization because compliance has been moved further into the middle and lower levels of the organization on a daily basis. 


One of the key elements of the Committees are their makeup, which is market centric. A Regional Compliance Committee should include some or all of the following: (a) the Vice President of the region; (b) the regional Ethics and Compliance Director; (c) the regional Legal and Compliance Director; (d) the regional HR Director; (e) the regional Finance Director; (f) the regional Trade Compliance Director; (g) the regional Supply Chain Director; (g) the regional Sales Director and (h) senior representatives of Operations in the market. This composition of the Regional Compliance Committee, coupled with their structures, allow compliance to be fully operationalized into the Company’s global organization.   

Authority and Responsibility 

There are multiple possible responsibilities for a Regional Compliance Committee. Some of these possible responsibilities include: 

  • Assisting in identifying not only potential compliance risks in the region but also reputational risks to the organization.
  • Establishment of goals and metrics to measure against these compliance goals in the region.
  • Exercising oversight of the implementation and effectiveness of the company’s global compliance program in the region.
  • Reviewing and monitoring implementation of Code of Conduct in the region and assisting in the identification of best practices, alternative strategies and local initiatives to enhance the compliance program.
  • Assuring to the CCO and the senior leaders of operations that compliance goals and requirements are both established and communicated across the organization.
  • Advice management of its assessment of the compliance program, ethics and compliance risks in the region and steps taken to both manage and lessen such risks.
  • Reviewing the company’s helpline complaints and other information to assure the region that appropriate steps are taken to modify the compliance program to reduce identified ethics and compliance risks. 

The innovation represented by the formation of a Regional Compliance Committee operationalizes compliance into a company’s operations where the business operates. This sort of approach follows the Department of Justice mandate, articulated in the Department’s Evaluation of Corporate Compliance Programs for companies to move the doing of compliance down into the business of the organization, or operationalize compliance. The make-up of a Regional Compliance Committee, while including compliance representatives, is also populated by representatives from other disciplines within the global organization. This allows a fuller, richer and more holistic approach to not only compliance advice. 

It adds a dimension not often seen or even discussed in the compliance profession. The accountability and oversight down to the regional level and the compliance monitoring, reviewing, assessing and recommending that is deemed to be necessary will provide additional endorsements up through the organization that it is actually doing compliance. In compliance, it is execution where the rubber meets the road. A Regional Compliance Committee can provide your compliance program a unique structure to perform these functions. 

Three Key Takeaways

  1. Innovation can occur in structural changes to your organization.
  2. A Regional Compliance Committee puts compliance closer to the ground in geographic regions outside the US.
  3. A Regional Compliance Committee facilitates execution in your compliance program. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to

Sep 21, 2017

Another innovation is to put your compliance program at the center of corporate strategy. An article in the Harvard Business Review (HBR) by Frank Cespedes, entitled “Putting Sales at the Center of Strategy”, discussed how to connect management’s new sales plans with the “field realities.” Referencing the well-known Sam Waltonism that “There ain’t many customers at headquarters”; Cespedes believes that “If you and your team can’t make the crucial connections between strategy and sales, then no matter how much you invest in social media or worry about disruptive innovations, you may end up pressing for better execution when you actually need a better strategy or changing strategic direction when you should be focusing on the basics in the field.” 

This can be a critical problem when operationalizing compliance because operationalizing compliance is usually perceived as a top-down exercise. The reality that the employee base that must execute the compliance strategy is not often considered. Even when there are comments from employees on compliance initiatives they are often derisively characterized as ‘push-back’ and not considered in moving the compliance effort forward. 

Communicate the Strategy 

It can be difficult for an employee base to implement a strategy that they do not understand. Even with a companywide training rollout, followed by “a string of e-mails from headquarters and periodic reports back on results. There are too few communications, and most are one-way; the root causes of underperformance are often hidden from both groups.” Here Cespedes’ insight is that clarification is a leadership responsibility and in the compliance function that means the Chief Compliance Officer (CCO) or other senior compliance practitioner. Moreover, if the problem is that employees do not understand how to function within the parameters of the compliance program, then there is a training problem and that is the fault of the compliance department. I once was subjected to a PowerPoint of 268 slides, which lasted 7.5 hours, about my company’s compliance regime. To say this was worse than useless was accurate. The business guys were all generally asleep one hour into the presentation as we went through the intricacies of the books and records citations to the FCPA. The training was a failure but it was not the fault of the attendees. If your own employees do not understand your compliance program that is your fault. 

Continually improve your compliance productivity 

Why not do the incentivize productivity around compliance? Work with your Human Resources (HR) department to come up with appropriate financial incentives. Many companies have ad hoc financial awards, which they present to employees to celebrate and honor outstanding efforts. Why not give out something like that around doing business in compliance? Does your company have, as a component of its bonus compensation plan, a part dedicated to compliance and ethics? If so, how is this component measured and then administered? There is very little in the corporate world that an employee notices more than what goes into the calculation of their bonuses. HR can, and should, facilitate this process by setting expectations early in the year and then following through when annual bonuses are released. With the assistance of HR, such a bonus can send a powerful message to employees regarding the seriousness with which compliance is taken at the company. There is nothing like putting your money where your mouth is for people to stand up and take notice.  

Improve the human element in your compliance program 

This is another area where HR can help the compliance program. More than ongoing assessment of employees for promotion into leadership positions, here HR can assist on the ground floor. HR can take the lead in asking questions around compliance and ethics in the interview process. Studies have suggested that certainly Gen Y & Xers appreciate such inquiries and want to work for companies that make such business ethics a part of the discussion. By having the discussion during the interview process, you can not only set expectations but you can also begin the training process on compliance. 

However, this approach should not end when an employee is hired. HR can also assist your compliance efforts by tracking employees through their company career to identify those who perform high in any compliance metric. This can also facilitate the delivery on more focused compliance training to those who may need it because of changes on compliance risks during their careers. 

Make your compliance strategy relevant 

Cespedes notes, “Most C-suite executives know these value-creation levers, but too few understand and operationalize the sales factors that affect them.” In the sales world, this can translate into a reduction in assets to underperforming activities. This is all well and good but such actions must be coupled with an understanding of why sales might be underperforming in certain areas. In the compliance realm, this translates into two concepts, ongoing monitoring and risk assessment. Ongoing monitoring can allow you to move from a simple prevent mode to a more prescriptive mode; where you can uncover violations of your company’s compliance program before they become full blown FCPA violations. By using a risk assessment, you can take the temperature of where and how your company is doing business and determine if new products or service offerings increase your compliance risks. 

Above all, you need to get out and tell the compliance story. Louis D’Amrosio was quoted for the following, “You have to repeat something at least 10 times for an organization to fully internalize it.” If there is a disconnect between your compliance strategy and how your employee base is implementing or even interpreting that strategy, get out of the office and go out to the field. But you need to do more than simply talk you also need to listen. By doing so, can help to align your company’s compliance strategy with both the delivery and in the field. 

Three Key Takeaways

  1. Communicate your strategy and improve the human element in compliance.
  2. Continually improve your compliance productivity.
  3. Make compliance relevant to the business. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to

Sep 21, 2017

The top compliance roundtable podcast is back with a wealth of new topics. 

  1. Matt Kelly has a discussion on the current state of the SEC and what he sees for changes by SEC Chairman Jay Clayton. 

For Matt Kelly’s posts on SEC and Chairman Clayton, see the following: 

SEC Chair Clayton Talks Compliance Costs

Framing the Arguments Over SOX Compliance

The Private Market Stresses Driving SOX Compliance Debate

 2. Mike Volkov considers the intersection of anti-corruption compliance and anti-trust compliance in connection with the role of the Chief Compliance Officer. 

For Mike Volkov’s post on the intersections on anti-corruption and anti-trust compliance, see the following:


Chief Compliance Officers Have to Address Criminal Antitrust Risks

Focusing Antitrust Compliance Programs on the Real Criminal Risks

 The members of the Everything Compliance panel include:

  • Jay Rosen– Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at
  • Mike Volkov – One of the top FCPA commentators and practitioners around and the Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at
  • Matt Kelly – Founder and CEO of Radical Compliance, is the former Editor of Compliance Week. Kelly can be reached at
  • Jonathan Armstrong – Rounding out the panel is our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at
Sep 20, 2017

How can you change the perceptions around compliance in your organization? With the Justice Department requirement, set out in the Evaluation of Corporate Compliance Programs, to more fully operationalize your compliance program, do you as a CCO struggle with operations buy-in? I thought about those questions and others when I read an article in the MIT Sloan Management Review, entitled “Learning the Art of Business Improvisation, by Edivandro Carlos Conforto, Eric Rebentisch, and Daniel Amaral. In this article the authors explore the issue of improvisation and write that while it “may seem to be spontaneous, but managers can foster it in innovation projects through the deliberate development of certain processes and capabilities.” For what improvisation really comes down to is the ability to “create and implement a new or unplanned solution in the face of an unexpected problem or change.” 

Compliance is certainly one area that requires such flexibility because of the ever-changing business conditions that exist in today’s multinational organizations subject to the Foreign Corrupt Practices Act (FCPA). Novartis announced its South Korean subsidiary was under criminal investigation for allegations of paying bribes to physicians, this less than 60 days after agreeing to a FCPA enforcement action which involved payment of a $25 million dollar fine for the actions of its Chinese subsidiaries. 

Whether deliberately or not, compliance must improvise. Such compliance “Improvisation can foster problem solving, creativity, and innovation, and it is becoming a requirement for many organizations. Although improvisation might seem to be spontaneous and intuitive, to do it well requires the development of disciplined and deliberate processes and capabilities. Managers working in dynamic, fast-paced, and highly innovative project environments should develop and refine capabilities in these three areas to create a project environment that will enhance a team’s improvisation competencies - ultimately with an eye toward improving project results and innovation.”

There are three general areas which a company can improve upon to help advance its abilities to adapt and change. They are (1) Build a culture that recognizes and views changes positively. (2) Create the right team structure and project environment. (3) Provide management practices and tools that facilitate improvisation. 

Under this first prong, innovation can come from teams that have a “positive attitude toward dealing with and accepting ambiguity and project changes.” Not surprisingly, this does not come from top down leadership but allowing “higher level of autonomy in making decisions.” Further, the farther out from the corporate office, the more “teams should be empowered to make decisions locally, be informed about and willing” to take make changes and provide enhanced compliance risk management, and not overly fear potential failure. 

Clearly the ability to make changes requires a robust compliance regime to begin with. However, having such a system in place, particularly through internal controls, allows a compliance department to “help them to reduce uncertainty more quickly and effectively learn from their experiences. Teams equipped with a broad array of tools and techniques can use them to respond to different types of challenges. The focus should be on helping teams anticipate and recognize changing circumstances and make more rapid and accurate decisions.” 

The second prong ably demonstrates that a key to making improvisation work is that you have good communication between the compliance function and business unit. This is not a new concept and communications runs two ways. If the business unit sees the Chief Compliance Officer (CCO) as Dr. No from the Land of No, they will not likely be calling for assistance. Yet compliance does not always know what business opportunities arise without that information so they cannot craft appropriate risk management solutions. Weekly interactions between leaders and key stakeholders are good first step. 

Perhaps counter-intuitively, the authors also note that smaller teams appear to have more and better success. The “greater levels of improvisation in smaller teams that displayed more self-directing and self-organizing characteristics, such as being responsible for monitoring and updating the status of their activities and deliverables.” This can allow the compliance department to play a key oversight and support role “on the aggregated information and on more strategic issues related to the project.” 

Under the final prong, it is shown that “teams with greater improvisation characteristics were more likely to use agile management approaches, techniques, and tools. In fact, teams that embraced an agile approach were nine times more likely to have high levels of improvisation compared with teams that used a more traditional (waterfall) approach.” This means that not only will a command and control structure not be able to move as quickly and efficiently but also you need to operate at a level of sophistication beyond simply spreadsheets. 

Moreover, “The agile methods we observed in the teams with higher levels of improvisation included iterative development, supported by recurring delivery of higher-value deliverables; constant interactions between stakeholders and the project team; the use of visual tools to collaboratively manage the project with team members; and active involvement with the client and/or user in the development process.” 

The ability to be agile is an important component of any best practices compliance program. The need to respond to business changes is always paramount. Yet there is no end to the variety of corrupt schemes engaged in by company employees. The Novartis matter in South Korea allegedly involved bribery through excessive payments for articles published in medical journals. Just as the bribery and corruption scandals involving GlaxoSmithKline PLC (GSK) and others in China demonstrate new and creative ways to put pots of money together to pay bribes, the Novartis issues may show another area that bears compliance scrutiny. A compliance function must be ready to adapt.   

Three Key Takeaways

  1. Whether deliberately or not, compliance must improvise.
  2. Improvisation may seem spontaneous, but managers can foster it in innovation projects through the deliberate development of certain processes and capabilities
  3. Work to have the changes seen as a positive in your organization. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to

Sep 20, 2017

In this episode, Matt Kelly returns to his journalism roots with a live report from TEC 2017, the Workiva user conference. We discuss some of the hot topics at the conference including possible repeal or modification of SOX sections 404 and 302. We consider how internal controls around financial reporting intersect with compliance internal controls and how SOX reporting has elevated effective compliance internal controls as required under the FCPA. We also discuss document and information security and the concept of a single source of truth. We take a deep dive into the subject in the areas of audit trails for documentation in an FCPA investigation and in the upcoming SEC requirements around CEO Pay Ratio Reporting.

For more insights, see Matt’s blog post SOX Compliance: Do Better Than a ‘C’ Grade

Sep 19, 2017

If it is not clear already this month, innovation does not simply come from a technical or even service perspective but can improve your compliance program from a wide variety of perspectives. We have considered a variety of issues related to innovation. Now we consider how you think through a compliance related issue as an innovation. 

Every compliance practitioner recognizes the prevent, find and fix tripartite approach to compliance. Many compliance practitioners believe that if you can move your program from one focused on detection to one focused on prevention, you have not only a more robust program but also one which is more fully operationalized as it would be closer to the ground and the front lines of employees. 

Data and its analysis can be used in both approaches. Further data can be used in both approaches for multiple approaches to doing compliance. It can be used to simply stop behavior. However, data and data analytics can be used to further training, education and communication around compliance. The question becomes, which is better: real-time monitoring or right-time monitoring? 

Consider the critique that monitoring of gifts, travel and entertainment (GTE) is always going to be 30-60 days behind the actual real-time event because it will take an employee 30 days to input their expenses into the system, have a supervisor approve it, and it goes to accounts payable for input. Does such a critique defeat a best practices compliance program which is dedicated to moving from simply a detect prong to a prevent prong? 

However, an innovation can occur from how you consider the problem. So instead of a real-time review focus, consider a ‘right-time’ review focus. Patrick Taylor, President and CEO of Oversight Systems says the way to think through the issue is “What is the right time for the analysis?” He detailed the situation where your company has a corporate card program, or you use a corporate credit card. Through those mechanisms, you should be able to access those feeds every day from your card vendor, from your bank or card issuer. If you had that quantum and quality of information, there might well be certain things worth looking for. The classic example might be somebody spends some money at an adult entertainment establishment that masquerades as a restaurant because I may want to reprimand that employee or that behavior immediately. 

Yet if your company uses an expense reporting system like a Concur or Pro River; the expenses can be previewed while they are in process; that is, before they are paid by your organization. It might be perhaps even before the employee’s manager approves the expenses. There could be a rash of information and data to look for at that time to give the manager a heads up to take a bit of a deeper dive into the expense report.           

Finally, there are some GTE expense which are best looked at with the longer-term view. This could include expenses reports used to try to influence employee behavior. As a compliance professional, you are better off demonstrating a pattern of questionable or abusive expense-related items, as opposed to nagging one-off expenses report entries. Further there may be situations where there are literally bursts of activity which I would like to let pass by before trying to download that analysis. The question for the compliance professional is “What do I have, right?” Obviously, you cannot perform the analysis before you have data. The question you must work through is when do you have the data and then what is the right time to do any particular kind of analysis of that data? Because it may not always be the "real-time" when I found, when I've got it. Be much more concerned about what's the "right" time. 

By thinking about what you are attempting to accomplish through your monitoring, it can help to inform your compliance program going forward, usually in a variety of ways. In the GTE example discussed in this piece, if you want to move to something closer to real-time monitoring, you will need to move towards the corporate credit card model, with real-time viewing of the purchases on the card. From there you can make a preliminary assessment if you want or need to use that data from the compliance perspective. Moreover, you should never forget that a much longer right-time review and perspective can be equally valuable for many of your other business processes going forward. 

It is this final point, which makes clear the power of operationalizing your compliance program. If you put the architecture of compliance closest to those in the field who are literally on the front lines of your organization you should be able to obtain the data nearest to the customer. That data can be sliced and diced in a variety of ways which allow incorporate back into your continuous learning loop (OODA feedback loop) so that you can determine the most efficient business process going forward. When compliance can wed its prevent, find and fix mandate with overall business process performance, it can make a company more efficient and more profitable. 

Three Key Takeaways

  1. Innovation can come through a new way to think about and use data going forward.
  2. Remember the differences in real-time v. right-time review.
  3. Consider what the review is for and how you will use it going forward. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to

Sep 19, 2017

I welcome you to a new series entitled Compliance Man Goes Global podcast of Compliance Report-International Edition. I am joined by Tim Khasanov-Batirov, a compliance practitioner who focuses on high risk markets for 17 years. In each podcast, we take two typical concepts or more-probably misconceptions from in-house compliance conventional wisdom. We check out if these concepts work in emerging jurisdictions. For each podcast, we divide roles with one of us advocating the particular concept identifying pros; the other will provide arguments finding cons. Tim will conclude each concept with some practical solutions for in-house compliance practitioners for high-risk emerging markets.

Today we explore the following two concepts:

Corporate Concept #1. We have detailed policies in the HQ. We deployed those policies at our subs located in emerging markets. We will be just fine.  

Corporate Concept #2. If there is a compliance person located at high risk market we could significantly mitigate our corporate compliance risks.

Sep 18, 2017

Innovation can come in form of new ideas or simply fresh ways to consider old problems. The idea of how to use the information available to a CCO is one that can be explored through different avenues. One of the most interesting, originated in the dogfights from World War II. The insights gained were instrumental in the US military’s swift victory in the First Gulf War. 

It was detailed in a chapter in an eBook, entitled “Planning for Big Data - A CIO’s Handbook to the Changing Data Landscape, by the O’Reilly Radar Team. The chapter was authored by Alistair Croll, entitled “The Feedback Economy. Croll believes that big data will allow innovation through the “feedback economy”. This is a step beyond the information economy because you are using the information that you have generated and collected as a source of information to guide you going forward. Information itself is not the greatest advantage but using that information to make your business more agile, efficient and profitable is your greatest advantage.

Croll draws on military theory to illustrate his concept of a feedback loop. It is the OODA loop, which stands for observe, orient, decide and act. This comes from military strategist John Boyd who realized that combat “consisted of observing your circumstances, orienting yourself to your enemy’s way of thinking and your environment, deciding on a course of action and then acting on it.” Croll believes that the success of OODA is in large part “the fact it’s a loop” so that the results of “earlier actions feedback into later, hopefully wiser, ones.” This should allow combatants to “get inside their opponent’s loop, outsmarting and outmaneuvering them” because the system itself learns. For the CCO, this means that if your company can collect and analyze information better, you can act on that information faster. 

Croll believes one of the greatest impediments to using this OODA feedback loop is the surplus of noise in our data; that “We need to capture and analyze it well, separating the digital wheat from the digital chaff, identifying meaningful undercurrents while ignoring meaningless flotsam. To do this we need to move to more robust system to put the data into a more usable format.” Croll moves through each of the steps in how a company collects, analyzes and acts on data. 

The first step is data collection where the challenge is both the sheer amount of data coming in and its size. Once the data comes in it must be ingested and cleaned. If it comes into your organization in an unstructured format, you will need to cut it up and put into the correct database format for use. Croll touches on the storage component of where you place the data, whether in servers or on the cloud. 

A key insight from Croll is the issue of platforms, which are the frameworks used to crunch large amounts of data more quickly. His key insight is to break up the data “into chunks that can be analyzed in parallel” so the data can be considered and acted upon more quickly. Another technique he considers is “to build a pipeline of processing steps, each optimized for a particular task.” 

Another important component is machine learning and its importance in the data supply chain. Croll observes, “we’re trying to find signal within the noise, to discern patterns. Humans can’t find signal well by themselves. Just as astronomers use algorithms to scan the night’s sky for signals, then verify any promising anomalies themselves, so too can data analysts use machines to find interesting dimensions, groupings or patterns within the data. Machines can work at a lower signal-to-noise ratio than people.” 

Yet Croll correctly notes that as important as machine learning is in big data collection and analysis, there is “no substitute for human eyes and ears.” Yet for many business leaders, displaying the data is most difficult because it is not generally in a readable form. It is important to portray the data in more visual style to help convey the “dozens of independent data sources” into navigable 3D environments. 

Of course having all this data is of zero use unless you act on it. Big data can be used in a wide variety of decision making, from employment decisions around hiring and firing decision, to strategic planning, to risk management and compliance programs. But it does take a shift in compliance thinking to use such data. It advocates “fast, iterative learning.” Big data allows you to make a quicker assessment of the impact of measured risks. 

Croll ends his chapter by noting that the “big data supply chain is the organizational OODA loop.” But unlike the OODA loop, it is more than simply about the loop and plugging information as you move through it. He believes “big data is mostly about feedback”; that is, obtaining the impact of the risks you have accepted. For this to work in compliance, a company’s compliance discipline needs to both understand and “choose a course of action based upon the results, then observe what happens and use that information to collect new data or analyze things in a different way. It’s a process of continuous optimization”. 

Whether you consider the OODA loop or the big data supply chain feedback, this process, coupled with the data that is available to you should facilitate a more agile and directed business. The feedback components in both processes allow you to make adjustments literally on the fly. If that does not meet the definition of innovation, I do not know what does. 

Three Key Takeaways

  1. Innovation can come through a new way to think about and use data going forward.
  2. The OODA loop stands for observe, orient, decide and act.
  3. Always remember with machine learning and analysis, there is no substitute for human eyes and ears.



This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to

1 « Previous 3 4 5 6 7 8 9 Next » 20