31 Days to a More Effective Compliance Program


In this podcast series, I lay out the best way to more fully operationalize a compliance program. Each month I will consider a different topic in a best practices compliance program. This podcast series provides the compliance practitioner with a thorough grounding in the key aspects of a best practices…

Thomas Fox


    • Latest episode: Jan 31, 2022
    • New episodes: infrequent
    • Average duration: 8m
    • Episodes: 318



    Latest episodes from 31 Days to a More Effective Compliance Program

    Day 31 - Using a root cause analysis for remediation

    Jan 31, 2022 (10:50)


    The 2020 Update re-emphasized the need both to perform a root cause analysis and, equally importantly, to use it to remediate your compliance program. It stated, “a hallmark of a compliance program that is working effectively in practice is the extent to which a company is able to conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes.” It went on to ask what additional steps the company has taken “that demonstrate recognition of the seriousness of the misconduct, acceptance of responsibility for it, and the implementation of measures to reduce the risk of repetition of such misconduct, including measures to identify future risk.”

    The key is that after you have identified the causes of problems, consider the solutions that can be implemented by developing a logical approach, using data that already exists in the organization. Identify current and future needs for organizational improvement. Your solution should be a repeatable, step-by-step process, in which one process can confirm the results of another. Focusing on corrective measures for root causes is more effective than simply treating the symptoms of a problem or event, and you will have a much more robust solution in place. This is because the solution(s) are more effective when accomplished through a systematic process with conclusions backed up by evidence.

    When you step back and consider what the DOJ was trying to accomplish with its 2020 Update, it becomes clear what the DOJ expects from the compliance professional. Consider the structure of your compliance program and how it inter-relates to your company's risk profile. When you have a compliance failure, use the root cause analysis to think about how each of the structural elements of your compliance program could impact how you manage and deal with that risk.

    Three key takeaways:
    1. The key is objectivity and independence.
    2. The critical element is how you used the information you developed in the root cause analysis.
    3. After you have identified the causes of problems, consider the solutions that can be implemented by developing a logical approach, using data that already exists in the organization.

    Learn more about your ad choices. Visit megaphone.fm/adchoices

    Day 30 - What is a root cause analysis?

    Jan 30, 2022 (10:47)


    One of the biggest changes in the 2020 FCPA Resource Guide is the addition of a new Hallmark, entitled “Investigation, Analysis, and Remediation of Misconduct”, which reads in full: “The truest measure of an effective compliance program is how it responds to misconduct. Accordingly, for a compliance program to be truly effective, it should have a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents. An effective investigations structure will also have an established means of documenting the company's response, including any disciplinary or remediation measures taken. In addition to having a mechanism for responding to the specific incident of misconduct, the company's program should also integrate lessons learned from any misconduct into the company's policies, training, and controls. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches.”

    Ultimately, performing a root cause analysis is not simply a matter of sitting down and asking a multitude of questions. You need to have an operational understanding of how a business operates and how it has developed its customer base. Overlay on that an understanding of what makes an effective compliance program, together with the skepticism an auditor should bring, so that you do not simply accept an answer that is provided to you, as you might in an internal investigation. As Marks noted, “a root cause analysis is not something where you can just go ask the five whys. You need these trained professionals who really understand what they're doing.”

    Three key takeaways:
    1. A root cause analysis is now required if you have a reportable compliance failure.
    2. There is no one process for performing a root cause analysis. You should select the one which works for you and follow it.
    3. To properly perform a root cause analysis, you need trained professionals who really understand what they're doing.

    Day 29 - Post-acquisition integration plan

    Jan 29, 2022 (8:48)


    Your company has just made its largest acquisition ever, and your CEO says they want a compliance post-acquisition integration plan on their desk in one week. Where do you begin? A good place to start would be the 2020 FCPA Resource Guide language: “Pre-acquisition due diligence, however, is normally only a portion of the compliance process for mergers and acquisitions. DOJ and SEC evaluate whether the acquiring company promptly incorporated the acquired company into all of its internal controls, including its compliance program. Companies should consider training new employees, reevaluating third parties under company standards, and, where appropriate, conducting audits on new business units.”

    The bottom line is that you must train the newly acquired employees, reevaluate third parties under your company standards, and conduct compliance audits on new business units. This process should be based on your pre-acquisition due diligence and risk assessment. Moreover, the DOJ and SEC clearly view both the pre- and post-acquisition phases of M&A as tied together in a unidimensional continuum. If pre-acquisition due diligence is not possible, you should review the requirements and time frames laid out in Opinion Release 08-02 or the 2020 FCPA Resource Guide, which noted, “pursuant to which companies can nevertheless be rewarded if they choose to conduct thorough post-acquisition FCPA due diligence.” Whatever compendium of steps you utilize for post-acquisition integration, they should be taken as soon as is practicable. The earlier you can deploy these steps, the better off your company will be at the end of the day. An acquisition that fails for compliance reasons is a preventable disaster of the first order. One need only consider the Latin Node Inc. FCPA enforcement actions, where the acquiring company had to write off its entire investment because it had wholly failed to engage in appropriate pre-acquisition due diligence.

    Three key takeaways:
    1. Planning is critical in the post-acquisition phase.
    2. Build upon what you learned in pre-acquisition due diligence.
    3. You literally need to be ready to hit the ground running when a transaction closes.

    Day 28 - Pre-acquisition due diligence in mergers and acquisitions

    Jan 28, 2022 (8:48)


    A company that does not perform adequate due diligence prior to a merger or acquisition may face both legal and business risks. Perhaps most commonly, inadequate due diligence can allow a course of bribery to continue, with all the attendant harms to a business's profitability and reputation, as well as potential civil and criminal liability. While most compliance practitioners have long been aware of the requirement in the post-acquisition context, the 2012 FCPA Guidance focused many compliance practitioners on the need to engage in robust pre-acquisition due diligence. The 2020 Update made even clearer the need for a robust compliance presence in the pre-acquisition phase. It stated, “A well-designed compliance program should include comprehensive due diligence of any acquisition targets, as well as a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls. Pre-M&A due diligence, where possible, enables the acquiring company to evaluate more accurately each target's value and negotiate for the costs of any corruption or misconduct to be borne by the target. Flawed or incomplete pre- or post-acquisition due diligence and integration can allow misconduct to continue at the target company, causing resulting harm to a business's profitability and reputation and risking civil and criminal liability.”

    There are multiple red flags which could be raised in this process and which might well warrant further investigation. They include a target with ineffective elements in its compliance program, or frequent breaches of policies and procedures. Obviously, a target which is in financial difficulty would bear closer scrutiny. Structurally, if the company did not have a formal ethics and compliance committee at the senior management or Board of Directors' level, this could present issues. From the CCO perspective, if the position did not have Board or CEO access, or if there were not regular reports to the Board, it could present an issue for compliance. Likewise, frequent requests to waive policies, management over-ride of compliance controls, or no consistent consequence management for violations could present clear red flags for further investigation.

    Three key takeaways:
    1. The results of your pre-acquisition due diligence will inform your post-acquisition integration and remediation going forward.
    2. Periodically review your M&A due diligence protocol.
    3. If red flags appear in pre-acquisition due diligence, they should be cleared.

    Day 27 - Operationalizing Compliance Through Payroll

    Jan 27, 2022 (8:48)


    One of the areas articulated in the 2020 Update was payments and payroll. For both the compliance professional and the corporate payroll function, there is a significant role to play in the operationalization of a corporate compliance program. The 2020 Update was replete with references to payment and its critical nature to any best practices compliance program. This includes references to payments to foreign officials, payments to third parties and hiding bribes in payments to distributors. The 2020 Update begins with an admonition to stop wasting time on low-hanging fruit when there are much higher risks in your business operations.

    The role of payroll in compliance is not often considered in operationalizing your compliance program, yet the monies to fund bribes must come from somewhere. Unfortunately, one of those places is payroll. Every CCO needs to sit down with his or her head of payroll, have them explain the role of payroll, then review the internal controls in place to see how they facilitate the goals of compliance. From that review, you can then determine how to use payroll to help operationalize your compliance program.

    The DOJ has now provided its clearest statement on how it expects a company to actually do compliance going forward. Long gone are the days when the DOJ simply considered the inputs of a written program sufficient to protect companies from compliance violations. The mandate to operationalize a corporate compliance program drives home the concept that compliance is a business process, which should be administered by the appropriate business unit with the requisite SME. When it comes to following the money, payroll is the corporate discipline best suited to provide this first level of oversight and controls.

    Three key takeaways:
    1. Payroll can be a key prevention and detection control.
    2. The 2020 Update specified the tying of the corporate compliance function to the corporate payroll function.
    3. Offshore payments remain a key red flag.

    Day 26 - Compliance function in an organization

    Jan 26, 2022 (8:51)


    The role of the compliance professional and the compliance function in a corporation has steadily grown in stature and prestige over the years. When it came to the corporate compliance function, the 2020 FCPA Resource Guide, under the Hallmarks of an Effective Compliance Program, simply noted the government would “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.” This Hallmark was significantly expanded in both the FCPA Corporate Enforcement Policy and the 2020 Update. In the FCPA Corporate Enforcement Policy, the DOJ listed the following factors relating to a corporate compliance function that it would consider as indicia of an effective compliance and ethics program:
    1) the resources the company has dedicated to compliance;
    2) the quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk;
    3) the authority and independence of the compliance function and the availability of compliance expertise to the board;
    4) the compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors; and
    5) the reporting structure of any compliance personnel employed or contracted by the company.

    The 2020 Update and FCPA Corporate Enforcement Policy both demonstrate the continued evolution in the thinking of the DOJ around the corporate compliance function. Their articulated inquiries can only strengthen a corporate compliance function specifically, and the compliance profession more generally. The more the DOJ talks about the independence of the compliance function, coupled with resources being made available and authority concomitant with the corporate compliance function, the more corporations will see it is directly in their interest to provide the resources, authority and gravitas to the compliance position in their organizations.

    Three key takeaways:
    1. How is compliance treated in the budget process?
    2. Has your compliance function had any decisions over-ridden by senior management?
    3. Beware outsourcing of compliance, as any such contractor must have access to company documents and personnel.

    Day 25 - CCO authority and independence

    Jan 25, 2022 (8:51)


    The role of the CCO has steadily grown in stature and prestige over the years. The 2020 FCPA Resource Guide, under the Hallmarks of an Effective Compliance Program, focused on whether the CCO held senior management status and had a direct reporting line to the Board. This Hallmark was significantly expanded in both the 2020 Update and the FCPA Corporate Enforcement Policy. In so doing, the DOJ has increased the prestige, authority and role of both the CCO and the corporate compliance function. The 2020 Update has five general areas of inquiry around the CCO and corporate compliance function:
    (1) How do the CCO's salary and stature within the organization compare to those of other senior executives within the company?
    (2) What are the experience and stature of the CCO within the organization? Does the CCO have appropriate training for the role?
    (3) How much autonomy does the CCO have to report to the Board of Directors? How often does the CCO meet with directors? Are members of senior management present for these meetings with the Board of Directors or the Audit Committee?
    (4) What is your structure? Is the compliance function run by a designated chief compliance officer or another executive within the company, and does that person have other roles within the company?
    (5) Is data in your organization so siloed that the CCO does not have access to it? If so, what are you doing about it?

    Once again, for the compliance professional, the FCPA Corporate Enforcement Policy and 2020 Update make a best practices compliance program even more critical. The DOJ is focusing more on the role and expertise of the compliance function and how it is treated within an organization. Pay your CCO considerably less than your GC? You had better now be able to justify that discrepancy. If you have a legal department budget of $3 million and a compliance department budget of $500,000, you may be starting behind the eight-ball.

    Three key takeaways:
    1. How can you show the CCO really has a seat at the senior executive table?
    2. What are the professional qualifications of your CCO?
    3. Does your CCO have true independence to report directly to the Board of Directors?

    Day 24 - Updates and feedback

    Jan 24, 2022 (8:50)


    One of the critical elements found in the 2020 Update is the need to use the information you obtain, whether through risk assessment, root cause analysis, investigation, hotline report or any other manner, to remediate the situation which allowed it to arise. Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company's risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with local finance departments in your foreign offices to ask if they have noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries which they manage. These ongoing efforts demonstrate that your company is serious about compliance. It is a function of the CCO to reinforce the vision and goals of the compliance function, where assessment and updating are critical to an ongoing best practices compliance program. If you follow this protocol, you will put a mechanism in place to demonstrate your company's commitment to compliance by following through on the intentions set forth in your strategic plan.

    What should you do with this information? Put a strategic plan in place, ready to implement your findings of continuous improvement, by using the following steps:
    1. Review the goals of the strategic plan. This requires that you arrange a time for the CCO and team to review the goals of the Strategic Plan, which the CCO should lead, to determine how each goal in the Plan measures up to its implementation in your company.
    2. Design an execution plan. The KISS method (Keep It Simple, Sir) is the best way to move forward. This would suggest that for each compliance goal, there should be a simple and straightforward plan to ensure that the goal in question is being addressed.
    3. Put accountabilities in place. In any plan of execution, there must be accountabilities attached. This requires the CCO or other senior compliance department representatives to put these in place and then mandate a reporting requirement on how the assigned task is being achieved.
    4. Schedule the next review of the plan. There should be a regular review of the process. It allows any problems which may arise to be detected and corrected more quickly than if meetings are held on a less frequent basis.

    Continuous monitoring is a key step, but it is only the first step. It is not simply that you tested your compliance program but that you did something with the information you obtained to improve your program.

    Three key takeaways:
    1. Innovation can come through a new way to think about and use data going forward.
    2. Have a plan in place to incorporate the information garnered in your monitoring back into your compliance program.
    3. Always remember that Document, Document, Document is critical if the regulators come knocking.

    Day 23 - Assessing Compliance Internal Controls

    Jan 23, 2022 (8:05)


    What happens when controls are continually overridden? Does that necessarily mean that a company is engaging in activities which violate the FCPA or some other law such as Sarbanes-Oxley (SOX)? Cristina Revelo said she would start out with some basic questions such as “How often would something be manually approved? How often are controls skipped, what are the levels of approval that you have and what is your documentation? What are the reasons, and are you documenting how often a certain department is requiring those overrides?” While it could indicate a company lacks a culture of compliance, or that everything is an emergency, it might mean something else. It might mean that your internal controls need to be evaluated and then recalibrated. The Department of Justice calls this continuous monitoring leading to continuous improvement. Joe Oringel, co-founder of Visual Risk IQ, calls it continuous controls monitoring.

    However, many compliance professionals, and particularly lawyers, think that once a control is in place, it is set in stone and there forever. This derives from the unfortunate fact that, once again, many compliance professionals and most lawyers do not understand internal controls. Yet internal controls, much like the rest of a compliance program, can and should be continually monitored and continually improved based upon information such as the number of overrides. A high number of overrides can be evidence of a management problem or a culture of non-compliance at the organization. However, it could also be that the controls need to be adjusted.

    Three key takeaways:
    1. An internal control override is not necessarily a bad thing if proper procedure is followed.
    2. Internal controls are not set in stone.
    3. The key is to have a process for monitoring the controls, taking input, literally, from each line of defense.

    Day 22 - Internal Reporting and Triaging Claims

    Jan 22, 2022 (10:31)


    The call, email or tip comes into your office: an employee reports suspicious activity somewhere across the globe. That activity might well turn into an FCPA issue for your company. As the CCO, it will be up to you to begin the process which will determine, in many instances, how the company will respond going forward. This is more than simply maintaining hotlines. Companies have to make real efforts to listen to employees. You need to have managers who are trained on how to handle employee concerns; they must be incentivized to take on this compliance responsibility, and you must devote communications resources to reinforcing the company's culture and values to create an environment and expectation that managers will raise employee concerns. The reason is that a company's own employees are its best source of information about what is going on in the company. It is certainly a best practice for a company to listen to its own employees, particularly to help improve its processes and procedures. But more than listening to its employees, a company should provide a safe and secure route for employees to escalate their concerns. This is the underlying rationale behind an anonymous reporting system within any organization. Both the U.S. Sentencing Guidelines and the Organization for Economic Cooperation and Development (OECD) Good Practices list as one of their components an anonymous reporting mechanism by which employees can report compliance and ethics violations. Of course, the Dodd-Frank whistleblower provisions also give heed to the implementation of a hotline. Given the number of ways that information about violations or potential violations can be communicated to government regulators, having a robust triage system is an important way that a company can determine what resources to bring to bear on a compliance problem.

    Jonathan Marks has articulated a five-stage triage process which allows for not only an early assessment of any allegations but also a manner to think through your investigative approach. Marks cautions that you must have an experienced investigator or other seasoned professional making these determinations, if not a more well-rounded group or committee. Next, consider what types of evidence to review going forward. Finally, before selecting a triage solution, understand what tools are available, both forensic and human, to complete the investigation.

    Three key takeaways:
    1. The DOJ and SEC put special emphasis on internal reporting lines.
    2. Test your hotline on a regular basis to make sure it is working.
    3. Every claim should be triaged before starting an investigation.

    Day 21 - Continuous improvement in a compliance program

    Jan 21, 2022 (8:39)


    The 2020 Update was very clear about the need for continuous improvement in any compliance program. It stated quite succinctly, “One hallmark of an effective compliance program is its capacity to improve and evolve. The actual implementation of controls in practice will necessarily reveal areas of risk and potential adjustment. A company's business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the applicable industry standards. Accordingly, prosecutors should consider whether the company has engaged in meaningful efforts to review its compliance program and ensure that it is not stale.”

    Continuous improvement through continuous monitoring or other similar techniques will help keep your compliance program abreast of any changes in your business model's compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance program is in many ways a continuously evolving organism, just as your company is. You need to build in a way to keep pace with both market and regulatory changes to have a truly effective anti-corruption compliance program.

    Three key takeaways:
    1. Your compliance program should be continually evolving.
    2. Monitoring and auditing are different, yet complementary, tools for continuous improvement.
    3. Culture assessment and monitoring are now also required.

    Day 20 - Responding to Investigative Findings

    Jan 20, 2022 (8:44)


    There is nothing like an internal whistleblower report about a compliance violation, the discovery of such an issue, or (even worse) a subpoena from the DOJ or a notice letter from the SEC to draw the attention of the Board of Directors and senior management to the compliance function and the company's compliance program. Such an event can trigger much gnashing of teeth and expressions of outrage, followed immediately by proclamations that “We are an ethical company.” However, it may well be the time for a very serious reality check.

    You may find yourself in the position of having to have some very frank discussions about what to expect in terms of costs and time outlays. While much of these discussions will focus on the investigative process and its costs, they will allow you to initiate the talk about remediation going forward and begin to explain why money must be budgeted for the remediation process. One of the things rarely considered is how the investigation triggers the remediation process and what the relationship is between the two. When issues arise warranting an investigation that would rise to the Board of Directors level and potentially require disclosure to the government, there is usually a flurry of attention and activity. Everyone wants to know what is going on. In an interview with Russ Berland, CCO at Aventiv Technologies, he noted, “for that short moment in time, you have everyone's full attention.” Yet it can still be “a tricky place, because you get your fifteen minutes to really get everyone's full attention, and from then on, you're fighting with everybody else for their attention, like the normal things in business life.”

    Three key takeaways:
    1. A serious FCPA allegation gets the attention of the Board and senior management. Use this time to move the compliance program forward.
    2. Be aware of how your investigation can impact and even inform your remediation efforts.
    3. Be prepared to deal with the dreaded “where else” question.

    Day 19 - The investigation protocol

    Jan 19, 2022 (8:39)


    After the internal report comes in and you have properly triaged the matter, you need to scope out and investigate it promptly, thoroughly and with competent personnel. The 2020 Update provided this series of questions about your internal investigations:

    Properly Scoped Investigations by Qualified Personnel – How does the company determine which complaints or red flags merit further investigation? How does the company ensure that investigations are properly scoped? What steps does the company take to ensure investigations are independent, objective, appropriately conducted, and properly documented? How does the company determine who should conduct an investigation, and who makes that determination?

    Investigation Response – Does the company apply timing metrics to ensure responsiveness? Does the company have a process for monitoring the outcome of investigations and ensuring accountability for the response to any findings or recommendations?

    Resources and Tracking of Results – Are the reporting and investigating mechanisms sufficiently funded? How has the company collected, tracked, analyzed, and used information from its reporting mechanisms? Does the company periodically analyze the reports or investigation findings for patterns of misconduct or other red flags for compliance weaknesses? Does the company periodically test the effectiveness of the hotline, for example by tracking a report from start to finish?

    In a presentation, Jay Martin, retired Chief Compliance Officer at Baker Hughes and now Senior Counsel at Willkie Farr & Gallagher LLP, and Jacki Trevino, Senior Director, Advisory Services Group at SAI Global Limited, discussed the specifics of an investigation protocol. It consisted of 1) opening and categorizing the case; 2) planning the investigation; 3) executing the investigation plan; 4) determining appropriate follow-up; and 5) closing the case. If you follow this basic protocol, you should be able to work through most investigations in a clear, concise and cost-effective manner. Furthermore, you should have a report at the end of the day which should stand up to later scrutiny if a regulator comes looking. Finally, you will be able to “Document, Document, and Document” not only the steps you took but why, and the outcome obtained.

    Three key takeaways:
    1. A written protocol, created before an investigation, is a key starting point.
    2. Create specific steps to follow so there will be full transparency and documentation going forward.
    3. Consistency in approach is critical.

    Day 18 - Levels of due diligence

    Jan 18, 2022 8:34


Due diligence is generally recognized in three levels: Level I, Level II and Level III. Each level is appropriate for a different level of corruption risk. The key is to develop a mechanism to determine the appropriate level of due diligence and then implement that going forward.

The 2020 Update stated, “A well-designed compliance program should apply risk-based due diligence to its third-party relationships. Although the need for, and degree of, appropriate due diligence may vary based on the size and nature of the company, transaction, and third party, prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions.”

The question becomes how you use the information you obtained in the business justification and the questionnaire to determine an appropriate level of due diligence for the next step in the five-step process of third-party management. A three-step approach of varying levels of due diligence is the appropriate analysis to take going forward. There are many different approaches to the specifics of due diligence. By laying out some of the approaches, you can craft the relevant portions into your program. The Level I, II and III trichotomy appears to have the greatest favor and is one that you should be able to implement in a straightforward manner. But the key is that you must assess your company's risk and then manage that risk. If you need to perform additional due diligence to answer questions or clear red flags, you should do so. And do not forget to “Document, Document, and Document” all your due diligence.

Three key takeaways:
A Level I due diligence should only be used where there is a low risk of corruption.
A Level II due diligence is sufficient in a high-risk jurisdiction if there are no red flags to be cleared.
Level III due diligence is a deep-dive, boots-on-the-ground investigation.

    Day 17 - Managing your third parties

    Jan 17, 2022 8:32


The building blocks of any compliance program lay the foundations for a best practices compliance program. For instance, in the life cycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, the issue of third-party management becomes more important. It is also the one where the rubber meets the road of operationalizing compliance. It is also an area the DOJ specifically articulated in the 2020 Update that companies need to consider.

Managing your third parties is where the rubber meets the road in your overall third-party risk management program. You must execute on this task. Even if you successfully navigate the first four steps in your third-party risk management program, those are in reality the easy steps. Managing the relationship is where the real work begins.

Three key takeaways:
Have a strategic approach to third-party risk management.
Rank third parties based upon a variety of factors, including compliance and business performance, length of relationship, benchmarking metrics and KPIs for ongoing monitoring and auditing.
Managing the relationship is where the real work begins.

    Day 16 - The third-party risk management process

    Jan 16, 2022 7:44


As every compliance practitioner is well aware, third parties still present the highest risk under the FCPA. The 2020 Update devotes an entire prong to third-party management. It begins with the following:

Prosecutors should also assess whether the company knows the business rationale for needing the third party in the transaction, and the risks posed by third-party partners, including the third-party partners' reputations and relationships, if any, with foreign officials. For example, a prosecutor should analyze whether the company has ensured that contract terms with third parties specifically describe the services to be performed, that the third party is actually performing the work, and that its compensation is commensurate with the work being provided in that industry and geographical region.

Prosecutors should further assess whether the company engaged in ongoing monitoring of the third-party relationships, be it through updated due diligence, training, audits, and/or annual compliance certifications by the third party.

This clearly specifies that the DOJ expects an integrated approach that is operationalized throughout the company. This means you must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party risk management, which will fulfill the DOJ requirements as laid out in the 2020 FCPA Resource Guide and in the Hallmarks of an Effective Compliance Program. The five steps in the lifecycle of third-party management are:
1. Business Justification by the Business Sponsor;
2. Questionnaire to Third-party;
3. Due Diligence on Third-party, including triage of results;
4. Compliance Terms and Conditions, including payment terms; and
5. Management and Oversight of Third Parties After Contract Signing.

Three key takeaways:
Use the full 5-step process for third party management.
Make sure you have business development involvement and buy-in.
Operationalize all steps going forward by including business unit representatives.

    Day 15 - How Do You Evaluate a Risk Assessment?

    Jan 15, 2022 8:31


After you complete your risk assessment, you must then translate it into a risk profile. If your estimate of where your bribery risk is greatest is wrong, addressing it will be an effort. As Ben Locwin explained in his BioProcess International article, entitled “Quality Risk Assessment and Management Strategies for Biopharmaceutical Companies”: Once we have assessed risks and determined a process that includes options to resolve and manage those risks whenever appropriate, then we can decide the level of resources with which to prioritize them. There always will be latent risks: those that we understand are there but that we cannot chase forever. But we need to make sure we have classified them correctly. With a good understanding of each of these, we are in a better position to speak about the quality of our businesses.

William C. Athanas, in his Industry Week article, “Rethinking FCPA Compliance Strategies in a New Era of Enforcement”, posited that companies assume that FCPA violations follow a bell curve in which most employees are responsible for most of the violations. However, Athanas believed that the distribution pattern more closely follows a hockey-stick distribution, where virtually all violations are committed by just a few people. Athanas concluded by noting that it is this limited group of employees, or what he terms the “shaft of the hockey-stick,” to which a company should devote the majority of its compliance resources. With a proper risk assessment, a company can then focus its compliance efforts, such as intensive training sessions or detailed analysis of key financial transactions involving those employees with the greatest means and motive to commit a violation.

The most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These become the focus of your most significant risk management efforts, coupled with audit and monitoring going forward. A variety of tools can be used to continuously monitor risk going forward. Consider providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. It is important to create a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it. Finally, let this risk assessment and evaluation inform your compliance program, rather than letting the compliance program inform the risk assessment.

Three key takeaways:
Even after you complete your risk assessment, you must evaluate those risks for your company.
The DOJ and SEC are looking for a well-reasoned approach on how you evaluate your risk.
Create a risk matrix and rank your risks; then remediate and monitor as appropriate.

    Day 14 - Risk Assessments

    Jan 14, 2022 10:51


One cannot really say enough about risk assessments in the context of anti-corruption programs. This is because every corporate compliance program should be based upon a risk assessment, to understand your organization's business from the commercial perspective, how your organization has identified, assessed, and defined its risk profile and, finally, the degree to which the program devotes appropriate scrutiny and resources to this range of risks. Yet the 2020 Update added a new emphasis: risk assessments should be done not less than annually, but in reality should be done each time your risks change. Over the past couple of years, every company's risks changed in going from Work From Home to Return to the Office to Hybrid Work environments. Have you assessed each of these new paradigms for risks from the compliance perspective?

As far back as 1999, in the Metcalf & Eddy enforcement action, the DOJ has said that risk assessments that measure the likelihood and severity of possible FCPA violations should direct your resources to manage these risks. The 2012 FCPA Guidance stated it succinctly when it said, “Assessment of risk is fundamental to developing a strong compliance program and is another factor DOJ and SEC evaluate when assessing a company's compliance program.” There are a number of ways you can slice and dice your basic inquiry. As with almost all FCPA compliance, it is important that your protocol be well thought out. If you use one, some or all of the above as your basic inquiries for your risk analysis, it should be acceptable for your starting point.

Three key takeaways:
Since at least 1999, the DOJ has pointed to the risk assessment as the start of an effective compliance program.
The DOJ will now consider both your risk assessment methodology for identifying risks and the evidence gathered.
You should base your compliance program on your risk assessment.

    Day 13 - Institutional Justice and Institutional Fairness

    Jan 13, 2022 9:29


Companies have finally come to realize that institutional justice and fairness are perhaps the most basic tenets of any successful workplace. If employees believe they will be treated fairly, it will engender a level of trust that can work not simply to motivate employees but to lead to a more successful workplace and, at the end of the day, a more profitable company. This encompasses the entire lifecycle of the employment relationship, from hiring through separation. It works in areas as seemingly disparate as compensation and incentives, discipline, promotion and internal reporting.

On this final point, Kyle Welch and Stephen Stubben, in their 2019 paper entitled “Evidence on the Use and Efficacy of Internal Whistleblowing Systems”, noted that a robust whistleblower reporting system speaks to a functioning and ethical corporate culture. Employees who can report issues, in a fair manner, without fear of retaliation are more empowered to make the company run more efficiently and more profitably. Yet an equally interesting finding was that where there was robust internal reporting, employees were more likely to speak up to improve overall business processes, thereby making the company more profitable.

An often-overlooked role of any CCO or compliance professional is to help provide employees with institutional justice. If your compliance function is seen to be fair in the way it treats employees, in areas as varied as financial incentives, promotions, and appropriate and consistent discipline meted out across the globe, employees are more likely to inform the compliance department when something goes awry. If employees believe they will be treated fairly, it will go a long way to more fully operationalizing your compliance program.

Three key takeaways:
The DOJ and SEC have long called for appropriate and consistent application of both incentives and discipline.
The Fair Process Doctrine will help set institutional justice as the norm in your organization.
Inconsistent application of discipline will destroy your compliance program's credibility.

    Day 12 - Financial Incentives for Compliance

    Jan 12, 2022 9:18


One of the areas that many companies have not paid as much attention to in their compliance programs is compensation. However, the DOJ and SEC have long made clear that they view the monetary structure for compensation, rewarding those employees who do business in compliance with their employer's compliance program, as one of the ways to reinforce the compliance program and the message of compliance. As far back as 2004, then SEC Director of Enforcement Stephen M. Cutler noted that integrity, ethics and compliance needed to be part of promotion, compensation and evaluation processes: “At the end of the day, the most effective way to communicate that ‘doing the right thing’ is a priority, is to reward it.”

The 2020 FCPA Resource Guide stated the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company's compliance program, and rewards for ethics and compliance leadership.” Obviously, the power of a compensation plan is to motivate employees not only to sell more but to act in ways that support your company's business model and overall culture and values. For the compliance practitioner, one of the biggest reasons is to first change a company's culture to make compliance more important, and then integrate it into the DNA of your organization. But you must be able to evolve in your thinking and professionalism to recognize the opportunities to change and then adapt your incentive program to make doing compliance part of your company's everyday business process.

Three key takeaways:
The DOJ and SEC have long advocated compensation as a way to motivate employees into ethical and compliant behaviors.
Keep the compliance aspects of your compensation structure simple and easy for your employees to understand.
Have full transparency in the framework of your compensation structure.

    Day 11 - Tailored and Effective Compliance Training.

    Jan 11, 2022 9:34


One of the key goals of any compliance program is to train employees in awareness and understanding of the FCPA and your specific company compliance program, and to create and foster a culture of compliance. While it seems axiomatic that compliance training is a mainstay of any best practices compliance program, the conversation around training has evolved over the years. Beginning in the fall of 2016, through the announcement of the FCPA Enforcement Pilot Program, the DOJ began to talk about whether you have determined the effectiveness of your training. This conversation continued with the 2017 Evaluation, where it asked, “How has the company measured the effectiveness of the training?” This point has bedeviled many compliance professionals yet is now a key metric for the government in evaluating compliance training. It evolved further in the 2020 Update with the mandate that training must be “truly effective”. Finally, the training must be presented in a language which the employees understand, which means in a local language if the training is outside the US or in other non-English-speaking countries.

The 2017 Evaluation focused on whether your training was “tailored” for the audience. This added two requirements. The first was to assess your employees for risk to determine the type of training you might need to deliver by risk ranking your employees. Obviously, the sales force would be the highest risk, but there may be others who are deserving of high-risk training as well. From this risk ranking, you were required to develop tailored training for the risks those employees will face.

What are ‘espresso shots’ of training to help facilitate effective training? Tina Rampino, Associate Managing Director at K2 Integrity, suggests keeping your compliance training segments concise, as “shorter, bite-size learning is a trend in training programs.” This means that instead of offering half-day and full-day sessions, break programs into shorter segments of 20 minutes or less, which are easier for participants to absorb, and schedule. Another example is that short cartoons or animated videos can be excellent quarterly reminders. Done properly, they do not feel like an assessment, and certainly not a ‘check-the-box’ exercise. The bottom line is that with all the training most employees must undergo now, and even more so in the continued time of the Covid-19 Omicron Variant, espresso shots give people back a lot of time.

Three key takeaways:
How and why have you tailored your compliance training, and how do you determine its effectiveness?
Try an espresso shot of training.
How is your training presented, both in languages and media?

    Day 10 - The Use of Social Media in Compliance

    Jan 10, 2022 9:40


What is the message of compliance inside of a corporation, and how is it distributed? In a compliance program, the largest portion of your consumers/customers are your employees. Social media presents some excellent mechanisms to communicate the message of compliance going forward. Many of the applications that we use in our personal communications are free or available at very low cost. Why not take advantage of them and use those same communication tools in your internal compliance marketing efforts going forward?

Louis Sapirman, Vice President and Chief Ethics & Compliance Officer for Panasonic Corporation of North America – Panasonic USA, often talks about the integration of social media into compliance. You should start with the tech-savvy nature of today's workforce. It is not simply about having a younger workforce but a workforce whose primary tool for communication is social media. If your company is in the services business, it probably means your employee base is using technological tools to deliver business solutions. Further, consider the data-driven nature of business today, so using technological tools to deliver products and solutions is something your company most probably does now. Finally, never forget the social part of social media. Social media is a more holistic, multiple-sided communication. Not only are you setting out expectations, but these tools also allow you to receive back communications from your employees. The D&B experience around the name change for its Code of Conduct is but one example. You can also see that if you have several concerns expressed, it could alert you earlier to begin some detection and move towards prevention in your compliance program.

Another approach is to use audio as a part of your compliance communications. Podcasts are a great way to tell a long-form story about your compliance successes and challenges. Ronnie Feldman, founder of L&E Entertainment, continually reminds us that the engagement of your compliance audience comes through the entertainment of your compliance communications. But the key is that the audio format can be a powerful tool for you and a way to reach your employee base that you may not be taking advantage of. It can be as simple as interviewing employees on the importance of culture and how they use culture to guide their decision-making process in their daily work. You are only limited by your imagination.

Three key takeaways:
1. Incorporation of social media into your compliance communications can pay big dividends.
2. Focus on the ‘social’ part of social media.
3. Consider incorporating podcasts and other audio clips into your compliance communications and training.

    Day 9 - 360 Degrees of Compliance Communications

    Jan 9, 2022 9:30


A 360-degree view of compliance is an effort to incorporate your compliance identity into a holistic approach so that compliance is in touch with and visible to your employees at all times. It is about creating a distinctive brand philosophy of compliance which is centered on your consumers. In other words, it helps a compliance practitioner to anticipate all the aspects of your employees' needs around compliance. This is especially true when compliance is either perceived as something that comes out of the home office or is perceived as the “Land of No.” A 360-degree view of compliance gives you the opportunity to build a new brand image for your compliance program. This is important as the 2020 Update mandates that for a compliance program to be effective, it must be understood by a wide variety of stakeholders.

Communications is often thought of as a two-way street: upward and downward, inbound and outbound, or side-to-side. However, it is better to think of it as a 360-degree effort. You simply can no longer effectively communicate in just two ways. You now communicate in a more holistic manner, and in multiple ways. If you are just thinking about communications in the classic form, you are missing something that is happening around you. 360 degrees of compliance communication is not just a classic form of communication but rather communication in the concept of every interaction, whether planned or accidental. It is all a form of communication. This is particularly true if you are a compliance professional, practitioner or CCO. The things you do, the way you act, and the way people see you: you are always communicating. It is not simply communicating one to one, as often you may be communicating to a group across siloed boundaries, to constituencies you had not even planned to initially communicate with. It also allows you to see and hear new ideas, concepts or simply ways to create a more effective compliance regime for your front line BD folks and your first line of defense.

Three key takeaways:
1. Remember the definition of 360 degrees of communication. It is an effort that moves the compliance identity into a holistic approach so compliance is in touch with and visible to your employees at all times.
2. What is your objective? What are you trying to do with your 360 degrees of communications, and how are you using that mechanism to deliver the objectives of your compliance program?
3. Evaluate. You need to evaluate three factors: 1) has the message been delivered; 2) has it been heard; and 3) is it being implemented?

    Day 8 - Internal Controls and Compliance

    Jan 8, 2022 8:17


What are internal controls? The best definition I have come across is from Jonathan Marks, who defined internal controls as: An internal control is an action or process of interlocking activities designed to support the policies and procedures detailing the specific preventative, detective, corrective, directive and corroborative actions required to achieve the desired process outcomes or the objective(s). This, along with continuous auditing, continuous monitoring and training, reasonably assures:
The achievement of the process objectives linked to the organization's objectives;
Operational effectiveness and efficiency;
Reliable (complete and accurate) books and records (financial reporting);
Compliance with laws, regulations and policies; and
The reduction of risk (fraud, waste and abuse), which aids in the decline of process and policy variation, leading to more predictive outcomes.

The DOJ and SEC, in the 2020 FCPA Resource Guide, stated: Internal controls over financial reporting are the processes used by companies to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements. They include various components, such as: a control environment that covers the tone set by the organization regarding integrity and ethics; risk assessments; control activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitoring. … The design of a company's internal controls must take into account the operational realities and risks attendant to the company's business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.

This was supplemented in the 2020 Update with a pair of pointed questions: whether a company has made a significant investigation into its internal controls, and whether they have been tested and then remediated based upon the testing. The bottom line is that internal controls are just good financial controls. The internal controls that detail requirements for third-party representatives in the compliance context will help to detect fraud, which could well lead to bribery and corruption. As an exercise, map your existing internal controls to the Ten Hallmarks of an Effective Compliance Program or some other well-known anti-corruption regime to see where gaps may exist. This will help you to determine whether adequate compliance internal controls are present in your company. From there you can move to see if they are working in practice.

Three key takeaways:
Effective internal controls are required under the FCPA.
Internal controls are a critical part of any best practices compliance program.
There are four significant controls for the compliance practitioner to implement initially: (a) Delegation of authority (DOA); (b) Maintenance of the vendor master file; (c) Contracts with third parties; and (d) Movement of cash/currency.

    Day 7 - Policies and Procedures

    Jan 7, 2022 9:40


There are numerous reasons to put some serious work into your compliance policies and procedures. They are certainly a first line of defense when the government comes knocking. The 2020 Update made clear that “Any well-designed compliance program entails policies and procedures that give both content and effect to ethical norms and that address and aim to reduce risks identified by the company as part of its risk assessment process.” This statement made clear that the regulators will take a strong view against a company that does not have well thought out and articulated policies and procedures against bribery and corruption, all of which are systematically reviewed and updated. Moreover, having policies written out and signed by employees provides what some consider the most vital layer of communication and acts as an internal control. Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the “Document, Document, and Document” mantra applies just as strongly to policies and procedures in anti-corruption compliance.

The specific written policies and procedures required for a best practices compliance program are well known and long established. According to the 2020 FCPA Resource Guide, some of the risks companies should keep in mind include the nature and extent of transactions with foreign governments (including payments to foreign officials); use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments. Policies help form the basis of expectations for standards of conduct in your company. Procedures are the documents that implement these standards of conduct.

Three key takeaways:
1. Written compliance policies and procedures, together with the Code of Conduct, form the backbone of your compliance program.
2. The DOJ and SEC expect a well-thought-out and articulated set of compliance policies and procedures, and that they be adequately communicated throughout your organization.
3. Institutional fairness for the application of policies and procedures demands consistent application of your policies and procedures across the globe.

    Day 6 - The Code of Conduct

    Jan 6, 2022 9:57


What is the value of having a Code of Conduct? In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven, to wave in regulators' faces during an enforcement action as proof of ethical overall behavior. Is such a legalistic code effective? Is a Code of Conduct more than simply your company's internal law? What should be the goal in the creation of your company's Code of Conduct? How important is the Code of Conduct? Consider the 2016 SEC enforcement action involving United Airlines, Inc., which turned on violation of the company's Code of Conduct. The breach of the Code of Conduct was determined to be an FCPA internal controls violation. It involved a clear quid pro quo benefit paid out by United to David Samson, the former Chairman of the Board of Directors of the Port Authority of New York and New Jersey, the public government entity which has authority over, among other things, United's operations at the company's huge east coast hub at Newark, NJ.

The substance of your Code of Conduct should be tailored to your company's culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. Your company's disciplinary procedures must be stated in the Code. These would include all forms of discipline, up to and including dismissal, for serious violations of the Code. Further, your company's Code should emphasize that it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

Three key takeaways:
1. A Code of Conduct is a foundational document in any compliance regime.
2. The substance of your Code of Conduct should be tailored to the company's culture, to its industry and corporate identity.
3. “Document, Document, and Document” your training and communication efforts regarding your Code of Conduct.

    Day 5 - The Board and Operationalizing Compliance

    Jan 5, 2022 10:16


The most significant development for Boards and compliance in 2021 came from the Delaware courts, which have been expanding the civil law obligations of Boards through a series of court decisions involving the expansion of the Caremark Doctrine for a couple of years. These developments began with the Marchand decision, which required Boards to manage the risks their organizations face. Next was the Clovis Oncology decision, which required ongoing monitoring by the Board. The next case is Hughes, which stands for the proposition that having the structures, policies and procedures in place is not enough: the Board must fully engage in oversight of a compliance program. Finally, in 2021 came Boeing, which stands for the continuing proposition that a Board cannot simply have the trappings of oversight; it must do the serious work required and have evidence of that work (Document, Document, and Document). The decision in Boeing is yet a further expansion of the Caremark Doctrine, once again beginning with Marchand. Boeing also stands for the proposition that a company must assess its risks and then manage those risks right up through the Board level. Finally, a Board must be aggressive in its approach and not simply passively take in what management has presented to it.

The DOJ has also made clear its thoughts on the role of the Board of Directors. The role of the Board is different than that of senior management. Both the 2020 Update and the DOJ Antitrust Division's 2019 Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations were even more explicit in announcing their expectation for robust Board oversight of a corporate compliance function. Name any of the most recent corporate scandals: Wells Fargo, Theranos, Volkswagen, Boeing, etc., and there was no compliance expertise on the Board. It is now enshrined as a best practice for companies to have a seasoned compliance professional on the Board. I would also add the DOJ may soon expect there to be a Compliance Committee separate and apart from the Audit Committee.

The DOJ continually speaks about the need for companies to operationalize their compliance programs. Businesses must work to integrate compliance into the DNA of their organization. Having a Board member with specific compliance expertise or heading a Compliance Committee can provide a level of oversight and commitment to achieving this goal. The DOJ enshrined this requirement in the FCPA Corporate Enforcement Policy. This means that when your company is evaluated by the DOJ, under the factors set out in the 2020 Update and FCPA Corporate Enforcement Policy, to retrospectively determine if your company had a best practices compliance program in place at the time of any violation, you need to have not only the structure of the Board-level Compliance Committee but also the specific subject matter expertise (SME) on the Board and on that committee. All of this means that every Board of Directors needs a true compliance expert. Almost every Board has a former Chief Financial Officer (CFO), former head of Internal Audit or persons with a similar background, and oftentimes these are also the Audit Committee members of the Board. Such a background brings a level of sophistication, training and SME that can help all companies with their financial reporting and other finance-based issues. So why is there not such SME at the Board level from the compliance profession?

Three key takeaways:
1. The 2020 Update required active Board of Director engagement and oversight around compliance.
2. Board communication on compliance is a two-way street, both inbound and outbound.
3. The Delaware courts have been expanding Boards' roles through expansion of the Caremark Doctrine.

    Day 4 - Moving Compliance Tone Down Through an Organization

    Jan 4, 2022 (9:16)


    Mike Volkov has said, "Even when a company does all the right things at the senior management level, the real issue is whether or not that culture has embedded itself in middle and lower management. A company's culture is reflected in the values and beliefs that exist throughout the company." To fully operationalize your compliance program, you must articulate the message of ethical values and doing business in compliance and then drive that message from the top down, throughout your organization.

    What should the tone in the middle be? What should middle management's role be in the company's compliance program? This role is critical because the majority of company employees work most directly with middle, rather than top, management and, consequently, they will take their cues from how middle management responds to a situation. Perhaps most importantly, middle management must listen to the concerns of employees. Even if middle management cannot effect a direct change, it is important that employees have an outlet to express their concerns. Your organization should train middle managers to enhance their listening skills in the overall context of providing training for their "Manager's Toolkit." This can be particularly true if there is a compliance violation or other incident which requires some form of employee discipline. Most employees think it important that there be organizational justice, so that people believe they will be treated fairly. If there is organizational justice, it engenders perceived procedural fairness, which makes it more likely an employee will be willing to accept a decision that they may not like, even if they disagree with the end result. Even with great "tone at the top" and a positive "mood in the middle", you cannot stop. One of the greatest challenges for a compliance practitioner is how to reach the most front-line employees, the "tone at the bottom".

    One of the things you can do is assemble a compliance focus group to find out how business is done in the field and whether it differs from what your company expects from an ethical and compliance perspective. Begin by assembling a group of employees who are familiar with the challenges of doing business in a compliant manner in certain geographic regions to discuss the challenges of doing business ethically and in compliance. Ask them questions about their understanding of your compliance regime. Then categorize the answers into the theory and practice of compliance in your company. Employees often look to their direct supervisor to determine what the tone of an organization is and will be going forward. Many employees of large, multi-national organizations may never have direct contact with the CEO or even senior management. By moving the values of compliance through an organization into the middle, you will be in a much better position to inculcate these values and operationalize compliance with them.

    Three key takeaways:
    1. Tone at the top: direct supervisors become the most important influence on people in the company.
    2. Give your middle managers a Tool Kit around compliance so they can fully operationalize compliance.
    3. Organizational justice is an additional way to help operationalize compliance.

    Day 3 - Leadership's Conduct at the Top

    Jan 3, 2022 (10:16)


    DAG Lisa Monaco's speech on FCPA enforcement and compliance laid out the very basics: the key to every company is culture. She stated, "corporate culture matters. A corporate culture that fails to hold individuals accountable, or fails to invest in compliance — or worse, that thumbs its nose at compliance — leads to bad results." From the enforcement perspective, the DOJ will be assessing companies for their ethical cultures. From the compliance perspective, the ethical tone of a company and accountability all start at the top and, most specifically, with senior management. This requirement is more than simply the ubiquitous "tone at the top," as it focuses on the conduct of senior management. The DOJ wants to see a company's senior leadership actually doing compliance. The DOJ asks whether company leadership has, through their words and concrete actions, brought the right message of doing business ethically and in compliance to the organization. How does senior management model its behavior on a company's values and, finally, how is such conduct monitored in an organization?

    I once had a Chief Executive Officer (CEO) observe the following: "You want me to be the ambassador for compliance." I immediately said yes, that is exactly what I need you to do. A CEO, as an "Ambassador of Compliance", can fully model the conduct that senior management should engage in going forward. Another way a CEO can forcefully engage an entire company is through a powerful video message about doing business the right way and in compliance. A great example was a CenterPoint Energy video put out in 2015 after the Volkswagen (VW) emissions-testing scandal became public. The video featured Scott Prochazka, CenterPoint Energy President and CEO. He used the VW scandal to proactively address culture and values at the company and used the entire scenario as an opportunity to promote integrity in the workplace. But more than simply a one-time video, the company followed up with an additional resource, entitled "Manager's Toolkit: What does Integrity mean to you?", that managers used to facilitate discussions and ongoing communications with employees around the company's ethics and compliance programs. Finally, the cost of the video was quite reasonable, as it was produced internally.

    Three key takeaways:
    1. Senior management must actually do compliance; not simply talk-the-talk of compliance but also walk-the-walk.
    2. Use your CEO to talk about current events and how those ethical failures are lessons to be learned for your organization.
    3. Your CEO as Compliance Ambassador.

    Day 2 - Continuous Monitoring and Continuous Improvement

    Jan 2, 2022 (10:16)


    Continuous monitoring and continuous improvement are two of the most important phrases for any compliance program. These twin concepts were perhaps the biggest modifications in the 2020 Update to the Evaluation of Corporate Compliance Programs. In 2021, all companies' risks changed as we moved from Working From Home to Return To Office and now to a hybrid work model. These changes in our basic work location drove home perhaps the most prescient comment I heard during the pandemic year of 2020, which was by Jed Gardner, who said, "We have moved from disaster recovery to business continuity to business as usual." What this means is that risks will change in ways you may not see, at speeds you do not anticipate. Your compliance program must be ready to respond to whatever those risks might be going forward.

    In the 2020 Update, the DOJ began to address this from the compliance program perspective with several questions: "Is the risk assessment current and subject to periodic review? Is the periodic review limited to a 'snapshot' in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures, and controls? Do these updates account for risks discovered through misconduct or other problems with the compliance program?"

    The next area for continuous monitoring and continuous improvement was an area of compliance which is not normally associated with those concepts: Policies and Procedures. Here the questions include: When was the last time your policies and procedures were updated? Perhaps more importantly under the 2020 Update, what was your process for doing so? Was there any rigor around your process? Did that rigor include incorporating information and data collected through continuous monitoring, real-time monitoring or continuous access to operational data and information across functions?

    The final area in the 2020 Update for consideration is appropriately called Continuous Improvement, Periodic Testing and Review. Here the questions included the following: "How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? Has the company undertaken a gap analysis to determine if particular areas of risk are not sufficiently addressed in its policies, controls, or training? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries? Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?"

    Three key takeaways:
    1. How have your company's risks changed over the past year?
    2. What is your process for continuous monitoring and improvement?
    3. What sources of information that you use come from outside your organization?

    Day 1-What 2021 Brought to Compliance

    Jan 1, 2022 (10:16)


    Welcome to a special podcast series on the Compliance Podcast Network, 31 Days to a More Effective Compliance Program. Over this 31-day series in January, I will post a key part of a best practices compliance program each day. By the end of January, you will have enough information to create, design or enhance a compliance program. Each podcast will be short, at 6-8 minutes, with three key takeaways that you can implement at little or no cost to help update your compliance program. I hope you will plan to join each day in January for this exploration of best practices in compliance.

    2021 was a very significant year for every compliance practitioner and compliance program. While there was a paucity of corporate FCPA enforcement actions, the three enforcement actions were significant, with multiple lessons for the compliance professional. In Deutsche Bank, we learned about the costs of a corrupt culture and recidivism. In Amec Foster Wheeler, we saw what happens to a company which pays bribes and then tries to back out: the criminals it is dealing with hold it in the untenable position of having to continue paying the bribes. We also saw how catastrophic failure in pre- and post-acquisition due diligence can lead to massive FCPA violations. Finally, in WPP, we saw how accepted business incentives can become perverse and what happens when you ignore whistleblowers. However, there were two major policy announcements from the Biden Administration which every compliance professional needs not simply to be aware of but to study and implement solutions based upon.

    In late October, Deputy Attorney General Lisa O. Monaco announced key changes in the DOJ approach to FCPA enforcement: (1) "today I am directing the department to restore prior guidance making clear that to be eligible for any cooperation credit, companies must provide the department with all non-privileged information about individuals involved in or responsible for the misconduct at issue. To be clear, a company must identify all individuals involved in the misconduct, regardless of their position, status or seniority." This portends a return to the strictures of the Yates Memo. (2) "The second change I am announcing today deals with the issue of a company's prior misconduct and how that affects our decisions about the appropriate corporate resolution." (3) "The final change I am announcing today deals with the use of corporate monitors." This final change is a rejection of the strictures laid out in the Benczkowski Memo regarding the DOJ's use of corporate monitorships.

    In November, the Biden Administration released the United States Strategy on Countering Corruption (the "Strategy"), subtitled "Pursuant To The National Security Study Memorandum On Establishing The Fight Against Corruption as a Core United States National Security Interest", in response to President Biden's prior declaration of corruption as a national security issue of the United States. While obviously focused on the US government's role in leading the fight against corruption, the entire document portends a major sea change in the approach to fighting bribery and corruption, literally on a worldwide basis. For this reason alone, it should be studied by all compliance professionals. Obviously, this more holistic approach is most welcome. Corruption does more than simply steal money from the world economy.

    Three key takeaways:
    1. The Biden Administration released its Strategy on Countering Corruption.
    2. Deputy Attorney General Lisa Monaco gave a speech refocusing the DOJ's efforts on FCPA and other white-collar crime.
    3. Even with a paucity of FCPA enforcement actions, there were multiple lessons for the compliance professional.

    Day 31 | Using a root cause analysis for remediation

    Jan 31, 2021 (6:26)


    The 2020 Update re-emphasized the need both for performing a root cause analysis and, equally importantly, for using it to remediate your compliance program. It stated, "a hallmark of a compliance program that is working effectively in practice is the extent to which a company is able to conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes." It went on to ask what additional steps the company has taken "that demonstrate recognition of the seriousness of the misconduct, acceptance of responsibility for it, and the implementation of measures to reduce the risk of repetition of such misconduct, including measures to identify future risk." The key is that after you have identified the causes of problems, you consider the solutions that can be implemented by developing a logical approach, using data that already exists in the organization. Identify current and future needs for organizational improvement. Your solution should be a repeatable, step-by-step process, in which one process can confirm the results of another. Focusing on the corrective measures for root causes is more effective than simply treating the symptoms of a problem or event, and you will have a much more robust solution in place. This is because the solution(s) are more effective when accomplished through a systematic process with conclusions backed up by evidence.

    When you step back and consider what the DOJ was trying to accomplish with its 2020 Update, it becomes clear what the DOJ expects from the compliance professional. Consider the structure of your compliance program and how it interrelates with your company's risk profile. When you have a compliance failure, use the root cause analysis to think about how each of the structural elements of your compliance program could impact how you manage and deal with that risk.

    Three key takeaways:
    1. The key is objectivity and independence.
    2. The critical element is how you used the information you developed in the root cause analysis.
    3. After you have identified the causes of problems, consider the solutions that can be implemented by developing a logical approach, using data that already exists in the organization.

    Day 30 | What is a root cause analysis?

    Jan 30, 2021 (6:26)


    One of the biggest changes in the 2020 FCPA Resource Guide is the addition of a new Hallmark, entitled "Investigation, Analysis, and Remediation of Misconduct", which reads in full: "The truest measure of an effective compliance program is how it responds to misconduct. Accordingly, for a compliance program to be truly effective, it should have a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents. An effective investigations structure will also have an established means of documenting the company's response, including any disciplinary or remediation measures taken. In addition to having a mechanism for responding to the specific incident of misconduct, the company's program should also integrate lessons learned from any misconduct into the company's policies, training, and controls. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches."

    Ultimately, performing a root cause analysis is not simply a matter of sitting down and asking a multitude of questions. You need to have an operational understanding of how a business operates and how it has developed its customer base. Overlay the need to understand what makes an effective compliance program with the skepticism an auditor should bring, so that you do not simply accept an answer that is provided to you, as you might in an internal investigation. As Marks noted, "a root cause analysis is not something where you can just go ask the five whys. You need these trained professionals who really understand what they're doing."

    Three key takeaways:
    1. A root cause analysis is now required if you have a reportable compliance failure.
    2. There is no one process for performing a root cause analysis. You should select the one which works for you and follow it.
    3. To properly perform a root cause analysis, you need trained professionals who really understand what they're doing.

    Day 29 | Post-acquisition integration plan

    Jan 29, 2021 (6:26)


    Your company has just made its largest acquisition ever and your CEO says they want a compliance post-acquisition integration plan on their desk in one week. Where do you begin? A good place to start would be the 2020 FCPA Resource Guide language: "Pre-acquisition due diligence, however, is normally only a portion of the compliance process for mergers and acquisitions. DOJ and SEC evaluate whether the acquiring company promptly incorporated the acquired company into all of its internal controls, including its compliance program. Companies should consider training new employees, reevaluating third parties under company standards, and, where appropriate, conducting audits on new business units." The bottom line is that you must train the newly acquired employees, reevaluate third parties under your company standards, and conduct compliance audits on new business units. This process should be based on your pre-acquisition due diligence and risk assessment. Moreover, the DOJ and SEC clearly view both the pre- and post-acquisition phases of M&A as tied together in a single continuum. If pre-acquisition due diligence is not possible, you should review the requirements and time frames laid out in Opinion Release 08-02 or the 2020 FCPA Resource Guide, which noted the process "pursuant to which companies can nevertheless be rewarded if they choose to conduct thorough post-acquisition FCPA due diligence." Whatever compendium of steps you utilize for post-acquisition integration, they should be taken as soon as is practicable.

    The earlier you can deploy these steps, the better off your company will be at the end of the day. An acquisition that fails for compliance reasons is a preventable disaster of the first order. One need only consider the Latin Node Inc. FCPA enforcement action, where the acquiring company had to write off its entire investment because it had wholly failed to engage in appropriate pre-acquisition due diligence.

    Three key takeaways:
    1. Planning is critical in the post-acquisition phase.
    2. Build upon what you learned in pre-acquisition due diligence.
    3. You literally need to be ready to hit the ground running when a transaction closes.

    Day 28 | Pre-acquisition due diligence in mergers and acquisitions

    Jan 28, 2021 (6:26)


    A company that does not perform adequate due diligence prior to a merger or acquisition may face both legal and business risks. Perhaps most commonly, inadequate due diligence can allow a course of bribery to continue, with all the attendant harms to a business's profitability and reputation, as well as potential civil and criminal liability. While most compliance practitioners have long been aware of the requirement in the post-acquisition context, the 2012 FCPA Guidance focused many compliance practitioners on the need to engage in robust pre-acquisition due diligence.

    The 2020 Update made even clearer the need for a robust compliance presence in the pre-acquisition phase. It stated, "A well-designed compliance program should include comprehensive due diligence of any acquisition targets, as well as a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls. Pre-M&A due diligence, where possible, enables the acquiring company to evaluate more accurately each target's value and negotiate for the costs of any corruption or misconduct to be borne by the target. Flawed or incomplete pre- or post-acquisition due diligence and integration can allow misconduct to continue at the target company, causing resulting harm to a business's profitability and reputation and risking civil and criminal liability."

    There are multiple red flags which could be raised in this process and which might well warrant further investigation. They include ineffective elements in the target's compliance program, or frequent breaches of policies and procedures. Obviously, a target which is in financial difficulty would bear closer scrutiny. Structurally, if the company did not have a formal ethics and compliance committee at the senior management or Board of Directors level, this could present issues. From the CCO perspective, if the position did not have Board or CEO access, or if there were no regular reports to the Board, it could present an issue for compliance. Likewise, frequent requests to waive policies, management override of compliance controls or no consistent consequence management for violations would present clear red flags for further investigation.

    Three key takeaways:
    1. The results of your pre-acquisition due diligence will inform your post-acquisition integration and remediation going forward.
    2. Periodically review your M&A due diligence protocol.
    3. If red flags appear in pre-acquisition due diligence, they should be cleared.

    Day 27 | Operationalizing compliance through payroll

    Jan 27, 2021 (6:26)


    One of the areas articulated in the 2020 Update was payments and payroll. For both the compliance professional and the corporate payroll function, there is a significant role to play in the operationalization of a corporate compliance program. The 2020 Update was replete with references to payment and its critical nature to any best practices compliance program. This includes references to payments to foreign officials, payments to third parties and hiding bribes in payments to distributors. The 2020 Update begins with an admonition to stop wasting time on low-hanging fruit when there are much higher risks in your business operations.

    The role of payroll in compliance is not often considered in operationalizing your compliance program, yet the monies to fund bribes must come from somewhere. Unfortunately, one of those places is payroll. All CCOs need to sit down with their head of payroll, have them explain the role of payroll, then review the internal controls in place to see how they facilitate the goals of compliance. From that review, you can then determine how to use payroll to help operationalize your compliance program. The DOJ has now provided its clearest statement on how it expects a company to actually do compliance going forward. Long gone are the days when the DOJ simply considered the inputs of a written program as sufficient to protect companies from compliance violations. The mandate to operationalize a corporate compliance program drives home the concept that compliance is a business process, which should be administered by the appropriate business unit with the requisite SME. When it comes to following the money, payroll is the corporate discipline best suited to provide this first level of oversight and controls.

    Three key takeaways:
    1. Payroll can be a key prevent and detect control.
    2. The 2020 Update specified the tying of the corporate compliance function to the corporate payroll function.
    3. Offshore payments remain a key red flag indicator.

    Day 26 | Compliance function in an organization

    Jan 26, 2021 (6:26)


    The role of the compliance professional and the compliance function in a corporation has steadily grown in stature and prestige over the years. When it came to the corporate compliance function, the 2020 FCPA Resource Guide, under the Hallmarks of an Effective Compliance Program, simply noted that the government would "consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business." This Hallmark was significantly expanded in both the FCPA Corporate Enforcement Policy and the 2020 Update. In the FCPA Corporate Enforcement Policy, the DOJ listed the following factors relating to a corporate compliance function that it would consider as indicia of an effective compliance and ethics program:
    1) the resources the company has dedicated to compliance;
    2) the quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk;
    3) the authority and independence of the compliance function and the availability of compliance expertise to the board;
    4) the compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors; and
    5) the reporting structure of any compliance personnel employed or contracted by the company.

    The 2020 Update and the FCPA Corporate Enforcement Policy both demonstrate the continued evolution in the thinking of the DOJ around the corporate compliance function. Their articulated inquiries can only strengthen a corporate compliance function specifically, and the compliance profession more generally. The more the DOJ talks about the independence of the compliance function, coupled with resources being made available and authority commensurate with the corporate compliance function, the more corporations will see that it is directly in their interest to provide the resources, authority and gravitas to the compliance position in their organizations.

    Three key takeaways:
    1. How is compliance treated in the budget process?
    2. Has your compliance function had any decisions overridden by senior management?
    3. Beware outsourcing of compliance, as any such contractor must have access to company documents and personnel.

    Day 25 | CCO authority and independence

    Jan 25, 2021 (6:26)


    The role of the CCO has steadily grown in stature and prestige over the years. The 2020 FCPA Resource Guide, under the Hallmarks of an Effective Compliance Program, focused on whether the CCO held senior management status and had a direct reporting line to the Board. This Hallmark was significantly expanded in both the 2020 Update and the FCPA Corporate Enforcement Policy, and in so doing the DOJ increased the prestige, authority and role of both the CCO and the corporate compliance function. The 2020 Update has five general areas of inquiry around the CCO and corporate compliance function:
    (1) How do the CCO's salary and stature within the organization compare to those of other senior executives within the company?
    (2) What are the experience and stature of the CCO within the organization? Does the CCO have appropriate training for the role?
    (3) How much autonomy does the CCO have to report to the Board of Directors? How often does the CCO meet with directors? Are members of senior management present for these meetings with the Board of Directors or the Audit Committee?
    (4) What is your structure? Is the compliance function run by a designated chief compliance officer, or by another executive within the company, and does that person have other roles within the company?
    (5) Is data in your organization so siloed that the CCO does not have access to it? If so, what are you doing about it?

    Once again, for the compliance professional, the FCPA Corporate Enforcement Policy and the 2020 Update make the importance of a best practices compliance program even more critical. The DOJ is focusing more on the role and expertise of the compliance function and how it is treated within an organization. Pay your CCO considerably less than your GC? You had better be able to justify that discrepancy. If you have a legal department budget of $3 million and a compliance department budget of $500,000, you may be starting behind the eight-ball.

    Three key takeaways:
    1. How can you show the CCO really has a seat at the senior executive table?
    2. What are the professional qualifications of your CCO?
    3. Does your CCO have true independence to report directly to the Board of Directors?

    Day 24 | Updates and feedback

    Jan 24, 2021 (6:26)


    One of the critical elements found in the 2020 Update is the need to use the information you obtain, whether through risk assessment, root cause analysis, investigation, hotline report or any other manner, to remediate the situation which allowed the issue to arise. Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company's risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with local finance departments in your foreign offices to ask if they have noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries they manage. These ongoing efforts demonstrate that your company is serious about compliance. It is a function of the CCO to reinforce the vision and goals of the compliance function, where assessment and updating are critical to an ongoing best practices compliance program. If you follow this protocol, you will put a mechanism in place to demonstrate your company's commitment to compliance by following through on the intentions set forth in your strategic plan.

    What should you do with this information? Put a strategic plan in place, ready to implement your findings of continuous improvement, by using the following steps:
    1. Review the goals of the strategic plan. Arrange a time for the CCO and team to review the goals of the Strategic Plan; the CCO should lead this review to determine how each goal in the Plan measures up to its implementation in your company.
    2. Design an execution plan. The KISS method (Keep it Simple Sir) is the best way to move forward. For each compliance goal, there should be a simple and straightforward plan to ensure that the goal in question is being addressed.
    3. Put accountabilities in place. In any plan of execution, there must be accountabilities attached to each task. This requires the CCO or other senior compliance department representatives to put these in place and then mandate a reporting requirement on how the task assigned is being achieved.
    4. Schedule the next review of the plan. There should be a regular review of the process. It allows any problems which may arise to be detected and corrected more quickly than if meetings are held on a less frequent basis.

    Continuous monitoring is a key step, but it is only the first step. It is not simply that you tested your compliance program, but that you did something with the information you obtained to improve your program.

    Three key takeaways:
    1. Innovation can come through a new way to think about and use data going forward.
    2. Have a plan in place to incorporate the information garnered in your monitoring back into your compliance program.
    3. Always remember that Document, Document, Document is critical if the regulators come knocking.

    Day 23 | Assessing compliance internal controls

    Jan 23, 2021 | 7:26


    One of the specific requirements laid out in the 2020 Update is around internal controls and, more specifically, control testing. It stated: “Control Testing – Has the company reviewed and audited its compliance program in the area relating to the misconduct? More generally, what testing of controls, collection and analysis of compliance data, and interviews of employees and third-parties does the company undertake? How are the results reported and action items tracked?”

    Fortunately, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 Internal Controls Framework considers assessing compliance internal controls. In “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls”, COSO laid out its views on assessing the effectiveness of internal controls. It noted that an effective system of internal controls provides “reasonable assurance of achievement of the entity’s objectives, relating to operations, reporting and compliance.” Moreover, there are two over-arching requirements that can only be met through such a structured protocol. First, each of the five components is present and functioning. Second, the five components operate in an integrated fashion with each other. One of the most critical features of the COSO Framework is that it sets internal control standards against which you can audit to assess the strength of your compliance internal controls.

    Three key takeaways: An effective system of internal controls provides reasonable assurance of achievement of the company’s objectives, relating to operations, reporting and compliance. There are two over-arching requirements for effective internal controls: first, each of the five components is present and functioning; second, the five components operate together in an integrated approach. For an anti-corruption compliance program, you can use the Hallmarks of an Effective Compliance Program as your guide to test against.

    Day 22 | Internal reporting and triaging claims

    Jan 22, 2021 | 6:22


    The call, email or tip comes into your office; an employee reports suspicious activity somewhere across the globe. That activity might well turn into an FCPA issue for your company. As the CCO, it will be up to you to begin the process which will determine, in many instances, how the company will respond going forward. This scenario was driven home by the SEC in a 2015 FCPA enforcement action involving Mead Johnson Nutrition Company. In this enforcement action, the company performed two internal investigations into allegations that its Chinese business unit was engaged in conduct which violated the FCPA. Unfortunately, the first investigation, performed in 2011, did not turn up any evidence of FCPA violations. It was not until 2013, when the SEC made an inquiry to the company, that it performed an adequate internal investigation which uncovered FCPA violations.

    Internal reporting. The 2020 FCPA Resource Guide has as clear and concise a statement about hotlines as any other requirement found in the Hallmarks of an Effective Compliance Program. It states: "An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation."

    Triaging claims. Given the number of ways that information about violations or potential violations can be communicated to the government regulators, having a robust triage system is an important way that a company can determine what resources to bring to bear on a compliance problem. Jonathan Marks has articulated a five-stage triage process which allows for not only an early assessment of any allegations but also a manner to think through your investigative approach. Marks cautions that you must have an experienced investigator or other seasoned professional making these determinations, if not a more well-rounded group or committee. Next, consider what types of evidence will need to be reviewed going forward. Then, before selecting a triage solution, understand what tools are available, both forensic and human, to complete the investigation. Finally, after you ascertain that you have an effective reporting mechanism through your hotline and demonstrate that you have a robust and properly scoped investigation protocol, you must use the information you receive to remediate any issues which may arise. It is not enough merely to show that a hotline exists; you must present the data it produces.

    Three key takeaways: The DOJ and SEC put special emphasis on internal reporting lines. Test your hotline on a regular basis to make sure it is working. Have an investigation protocol in place before the call comes in so you will be ready to go and not required to scramble to create a protocol.

    Day 21 | Continuous improvement in a compliance program

    Jan 21, 2021 | 6:22


    The 2020 Update was very clear about the need for continuous improvement in any compliance program. It stated quite succinctly:

    “One hallmark of an effective compliance program is its capacity to improve and evolve. The actual implementation of controls in practice will necessarily reveal areas of risk and potential adjustment. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the applicable industry standards. Accordingly, prosecutors should consider whether the company has engaged in meaningful efforts to review its compliance program and ensure that it is not stale.”

    Continuous improvement through continuous monitoring or other similar techniques will help keep your compliance program abreast of any changes in your business model’s compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance program is in many ways a continuously evolving organism, just as your company is. You need to build in a way to keep pace with both market and regulatory changes to have a truly effective anti-corruption compliance program.

    Three key takeaways: Your compliance program should be continually evolving. Monitoring and auditing are different, yet complementary, tools for continuous improvement. Culture assessment and monitoring are now required as well.

    Day 20 | Responding to investigative findings

    Jan 20, 2021 | 6:27


    There is nothing like an internal whistleblower report about a compliance violation, the discovery of such an issue, or (even worse) a subpoena from the DOJ or notice letter from the SEC to focus the attention of the Board of Directors and senior management on the compliance function and the company’s compliance program. Such an event can trigger much gnashing of teeth and expressions of outrage, followed immediately by proclamations that “We are an ethical company.” However, it may well be the time for a very serious reality check. You may find yourself in the position of having to hold some very frank discussions about what to expect in terms of costs and time outlays. While much of these discussions will focus on the investigative process and its costs, they will also allow you to initiate the talk about remediation going forward and begin to explain why money must be budgeted for the remediation process. One of the things rarely considered is how the investigation triggers the remediation process and what the relationship is between the two. When issues arise warranting an investigation that would rise to the Board of Directors level and potentially require disclosure to the government, there is usually a flurry of attention and activity. Everyone wants to know what is going on. In an interview with Russ Berland, CCO at Aventiv Technologies, he noted, “for that short moment in time, you have everyone’s full attention.” Yet it can still be “a tricky place, because you get your fifteen minutes to really get everyone’s full attention, and from then on, you’re fighting with everybody else for their attention, like the normal things in business life.”

    Three key takeaways: A serious FCPA allegation gets the attention of the Board and senior management. Use this time to move the compliance program forward. Be aware of how your investigation can impact and even inform your remediation efforts. Be prepared to deal with the dreaded “where else” question.

    Day 19 | The investigation protocol

    Jan 19, 2021 | 6:23


    After the internal report comes in and you have properly triaged the matter, you need to scope out and investigate it, promptly, thoroughly and with competent personnel. The 2020 Update provided this series of questions about your internal investigations:

    “Properly Scoped Investigations by Qualified Personnel – How does the company determine which complaints or red flags merit further investigation? How does the company ensure that investigations are properly scoped? What steps does the company take to ensure investigations are independent, objective, appropriately conducted, and properly documented? How does the company determine who should conduct an investigation, and who makes that determination?

    Investigation Response – Does the company apply timing metrics to ensure responsiveness? Does the company have a process for monitoring the outcome of investigations and ensuring accountability for the response to any findings or recommendations?

    Resources and Tracking of Results – Are the reporting and investigating mechanisms sufficiently funded? How has the company collected, tracked, analyzed, and used information from its reporting mechanisms? Does the company periodically analyze the reports or investigation findings for patterns of misconduct or other red flags for compliance weaknesses? Does the company periodically test the effectiveness of the hotline, for example by tracking a report from start to finish?”

    In a presentation, Jay Martin, retired Chief Compliance Officer at Baker Hughes and now Senior Counsel at Willkie Farr & Gallagher LLP, and Jacki Trevino, Senior Director, Advisory Services Group at SAI Global Limited, discussed the specifics of an investigation protocol. It consisted of 1) opening and categorizing the case; 2) planning the investigation; 3) executing the investigation plan; 4) determining appropriate follow-up; and 5) closing the case. If you follow this basic protocol, you should be able to work through most investigations in a clear, concise and cost-effective manner. Furthermore, you should have a report at the end of the day which should stand up to later scrutiny if a regulator comes looking. Finally, you will be able to “Document, Document, and Document” not only the steps you took but why you took them and the outcome obtained.

    Three key takeaways: A written protocol, created before an investigation, is a key starting point. Create specific steps to follow so there will be full transparency and documentation going forward. Consistency in approach is critical.

    Day 18 | Levels of due diligence

    Jan 18, 2021 | 6:16


    Due diligence is generally recognized in three levels: Level I, Level II and Level III. Each level is appropriate for a different level of corruption risk. The key is to develop a mechanism to determine the appropriate level of due diligence and then implement that going forward. The 2020 Update stated, “A well-designed compliance program should apply risk-based due diligence to its third-party relationships. Although the need for, and degree of, appropriate due diligence may vary based on the size and nature of the company, transaction, and third party, prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions.”

    The question becomes how you use the information you obtained in the business justification and the questionnaire to determine an appropriate level of due diligence for the next step in the five-step process of third-party management. A three-level approach of varying degrees of due diligence is the appropriate analysis to take going forward. There are many different approaches to the specifics of due diligence. By laying out some of the approaches, you can craft the relevant portions into your program. The Level I, II and III trichotomy appears to have the greatest favor and is one that you should be able to implement in a straightforward manner. But the key is that you must assess your company’s risk and then manage that risk. If you need to perform additional due diligence to answer questions or clear red flags, you should do so. And do not forget to “Document, Document, and Document” all your due diligence.

    Three key takeaways: A Level I due diligence should only be used where there is a low risk of corruption. A Level II due diligence is sufficient in a high-risk jurisdiction if there are no red flags to be cleared. Level III due diligence is a deep-dive, boots-on-the-ground investigation.

    Day 17 | Managing your third parties

    Jan 17, 2021 | 6:16


    The building blocks of any compliance program lay the foundations for a best practices compliance program. For instance, in the life cycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, the issue of third-party management becomes more important. It is also the area where the rubber meets the road of operationalizing compliance, and one the DOJ specifically articulated in the 2020 Update that companies need to consider. Managing your third parties is the critical step in your overall third-party risk management program. You must execute on this task. Even if you successfully navigate the first four steps in your third-party risk management program, those are in reality the easy steps. Managing the relationship is where the real work begins.

    Three key takeaways: Have a strategic approach to third-party risk management. Rank third parties based upon a variety of factors including compliance and business performance, length of relationship, benchmarking metrics and KPIs for ongoing monitoring and auditing. Managing the relationship is where the real work begins.

    Day 16 | The third-party risk management process

    Jan 17, 2021 | 6:16


    As every compliance practitioner is well aware, third parties still present the highest risk under the FCPA. The 2020 Update devotes an entire prong to third-party management. It begins with the following:

    “Prosecutors should also assess whether the company knows the business rationale for needing the third party in the transaction, and the risks posed by third-party partners, including the third-party partners’ reputations and relationships, if any, with foreign officials. For example, a prosecutor should analyze whether the company has ensured that contract terms with third parties specifically describe the services to be performed, that the third party is actually performing the work, and that its compensation is commensurate with the work being provided in that industry and geographical region. Prosecutors should further assess whether the company engaged in ongoing monitoring of the third-party relationships, be it through updated due diligence, training, audits, and/or annual compliance certifications by the third party.”

    This clearly specifies that the DOJ expects an integrated approach that is operationalized throughout the company. This means you must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party risk management, which will fulfill the DOJ requirements as laid out in the 2020 FCPA Resource Guide and in the Hallmarks of an Effective Compliance Program. The five steps in the lifecycle of third-party management are:

    1. Business Justification by the Business Sponsor;
    2. Questionnaire to Third-party;
    3. Due Diligence on Third-party;
    4. Compliance Terms and Conditions, including payment terms; and
    5. Management and Oversight of Third Parties After Contract Signing.

    Three key takeaways: Use the full 5-step process for third-party management. Make sure you have business development involvement and buy-in. Operationalize all steps going forward by including business unit representatives.

    Day 15 | How do you evaluate a risk assessment?

    Jan 15, 2021 | 6:16


    After you complete your risk assessment, you must then translate it into a risk profile. If your estimate of where your bribery risk is greatest is wrong, it will be a struggle to address it. As Ben Locwin explained in his BioProcess International article, entitled “Quality Risk Assessment and Management Strategies for Biopharmaceutical Companies”:

    “Once we have assessed risks and determined a process that includes options to resolve and manage those risks whenever appropriate, then we can decide the level of resources with which to prioritize them. There always will be latent risks: those that we understand are there but that we cannot chase forever. But we need to make sure we have classified them correctly. With a good understanding of each of these, we are in a better position to speak about the quality of our businesses.”

    William C. Athanas, in his Industry Week article, “Rethinking FCPA Compliance Strategies in a New Era of Enforcement”, posited that companies assume that FCPA violations follow a bell curve in which most employees are responsible for most of the violations. However, Athanas believed that the distribution pattern more closely follows a hockey-stick distribution, where virtually all violations are committed by just a few people. Athanas concluded by noting that it is this limited group of employees, or what he terms the “shaft of the hockey-stick,” to which a company should devote the majority of its compliance resources. With a proper risk assessment, a company can then focus its compliance efforts, such as intensive training sessions or detailed analysis of key financial transactions, on those employees with the greatest means and motive to commit a violation. The most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These become the focus of your most significant risk management efforts, coupled with audit and monitoring going forward. A variety of tools can be used to continuously monitor risk going forward. Consider providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. It is important to create a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it. Finally, let this risk assessment and evaluation inform your compliance program, rather than letting the compliance program inform the risk assessment.

    Three key takeaways: Even after you complete your risk assessment, you must evaluate those risks for your company. The DOJ and SEC are looking for a well-reasoned approach on how you evaluate your risk. Create a risk matrix and rank your risks; then remediate and monitor as appropriate.

    Day 14 | Risk Assessments

    Jan 14, 2021 | 6:29


    One cannot really say enough about risk assessments in the context of anti-corruption programs. This is because every corporate compliance program should be based upon a risk assessment, to understand your organization’s business from the commercial perspective, how your organization has identified, assessed, and defined its risk profile and, finally, the degree to which the program devotes appropriate scrutiny and resources to this range of risks. Yet the 2020 Update added a new emphasis that risk assessments should be done not less than annually. As far back as 1999, in the Metcalf & Eddy enforcement action, the DOJ said that risk assessments that measure the likelihood and severity of possible FCPA violations should direct your resources to manage these risks. The 2012 FCPA Guidance stated it succinctly when it said, “Assessment of risk is fundamental to developing a strong compliance program and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” There are a number of ways you can slice and dice your basic inquiry. As with almost all FCPA compliance, it is important that your protocol be well thought out. If you use one, some or all of the above as your basic inquiries for your risk analysis, it should be acceptable as your starting point.

    Three key takeaways: Since at least 1999, the DOJ has pointed to the risk assessment as the start of an effective compliance program. The DOJ will now consider both your risk assessment methodology for identifying risks and the evidence gathered. You should base your compliance program on your risk assessment.

    Day 13 | Institutional Justice and Fairness

    Jan 13, 2021 | 6:29


    Companies have finally come to realize that institutional justice and fairness are perhaps the most basic tenets of any successful workplace. If employees believe they will be treated fairly, it will engender a level of trust that can work not simply to motivate employees but to lead to a more successful workplace and, at the end of the day, a more profitable company. This encompasses the entire lifecycle of the employment relationship, from hiring through separation. It works in areas as seemingly disparate as compensation and incentives, discipline, promotion and internal reporting. On this final point, Kyle Welch and Stephen Stubben, in their 2019 paper entitled “Evidence on the Use and Efficacy of Internal Whistleblowing Systems”, noted that a robust whistleblower reporting system speaks to a functioning and ethical corporate culture. Employees who can report issues, in a fair manner, without fear of retaliation are more empowered to make the company run more efficiently and more profitably. An equally interesting finding was that where there was robust internal reporting, employees were more likely to speak up to improve overall business processes, thereby making the company more profitable. An often-overlooked role of any CCO or compliance professional is to help provide employees with institutional justice. If your compliance function is seen to be fair in the way it treats employees, in areas as varied as financial incentives, promotions, and appropriate and consistent discipline meted out across the globe, employees are more likely to inform the compliance department when something goes awry. If employees believe they will be treated fairly, it will go a long way to more fully operationalizing your compliance program.

    Three key takeaways: The DOJ and SEC have long called for appropriate and consistent application of both incentives and discipline. The Fair Process Doctrine will help set institutional justice as the norm in your organization. Inconsistent application of discipline will destroy your compliance program’s credibility.

    Day 12 | Financial Incentives for Compliance

    Jan 12, 2021 | 6:17


    One of the areas that many companies have not paid as much attention to in their compliance programs is compensation. However, the DOJ and SEC have long made clear that they view a monetary compensation structure that rewards those employees who do business in compliance with their employer’s compliance program as one of the ways to reinforce the compliance program and the message of compliance. As far back as 2004, then SEC Director of Enforcement Stephen M. Cutler noted that integrity, ethics and compliance needed to be part of promotion, compensation and evaluation processes: “At the end of the day, the most effective way to communicate that ‘doing the right thing’ is a priority, is to reward it.” The 2020 FCPA Resource Guide stated that the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership.” Obviously, the power of a compensation plan is to motivate employees not only to sell more but to act in ways that support your company’s business model and overall culture and values. For the compliance practitioner, one of the biggest reasons is first to change a company’s culture to make compliance more important, and then to integrate it into the DNA of your organization. But you must be able to evolve in your thinking and professionalism to recognize the opportunities to change and then adapt your incentive program to make the doing of compliance part of your company’s everyday business process.

    Three key takeaways: The DOJ and SEC have long advocated compensation as a way to motivate employees into ethical and compliant behaviors. Keep the compliance aspects of your compensation structure simple and easy for your employees to understand. Have full transparency in the framework of your compensation structure.
