In November, the Department of Health and Human Services' Office of the Inspector General (OIG) issued new compliance program guidance that affirms OIG's long-standing focus on the seven elements of an effective compliance program, first published in 2003. In this episode of Connected With Latham, partner Chris Schott and associate Danny Machado are joined by guest Lynn Robson of United Therapeutics. They discuss how the OIG's compliance framework applies to drug manufacturers, how past enforcement actions can inform implementation of a compliance program, and how an effective compliance program can help a company in the enforcement context. This podcast is provided as a service of Latham & Watkins LLP.
The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more fully. In this episode, Tom and Matt consider the recent DOJ enforcement action involving Verizon Business Network Services for failure to have an effective cybersecurity compliance program. Verizon's non-compliance with cybersecurity standards and its subsequent remediation efforts have sparked a significant conversation in the realm of cyber compliance. Tom views the case as a roadmap for companies to enhance their cybersecurity programs, emphasizing the importance of gap analysis and pressure testing. He draws parallels between cybersecurity compliance and Foreign Corrupt Practices Act (FCPA) compliance, suggesting that Verizon's case could serve as an example for other companies. Matt applauds Verizon's voluntary self-disclosure and extensive remediation efforts. He underscores the importance of disclosure, cooperation, and remediation in both cybersecurity and corruption cases, viewing Verizon's actions as a positive example for other companies. Join Tom Fox and Matt Kelly as they delve deeper into this topic in the latest episode of the Compliance into the Weeds podcast.
Key Highlights
· Verizon's Cybersecurity Program Failures
· Enhancing Cybersecurity Compliance through Remediation Measures
· Automating Compliance Efforts with GRC Tools
· Potential Penalties for Non-Disclosure of Cybersecurity Issues
Creating a tagline, slogan, or logo can be an effective way to market and promote your compliance program. In this episode, Captain Integrity Bob Wade dives into marketing your compliance program. Hear how a logo helps people identify your compliance program, why it should be used consistently, why it doesn't ensure an effective compliance program on its own, the story of Captain Integrity, and some nostalgia around Schoolhouse Rock! Learn more and check out the white paper at CaptainIntegrity.com
I have been -- and continue to be -- hyper-focused on the proper role and responsibilities for Chief Compliance Officers. Not that I see any cause for alarm, but it is easy to lose focus in the sea of so-called hot issues -- ESG, Diversity, Climate Change, Threats to Democracy, Cybersecurity and Data Privacy, each of which is an important component and focus for organizations. All of these issues intersect, are interdependent and should be addressed through organizational commitment. But I want to take a step back and return to an issue of importance -- the proper role of CCOs. To do so, we need to remind everyone about basic requirements, lessons learned and ways forward to meet the fast-changing times. CCOs have to maintain and then advance their positions. In my view, given the interdependence of all of the important issues mentioned above, the role of the CCO has become even more critical. In this episode, Michael Volkov reviews the standards applicable to the CCO's function in an effective compliance program.
Compliance and ethics expert Kristy Grant-Hart joins us as she discusses the importance of the compliance function, how it plays into each aspect of ESG, and how CCOs are the most well-suited to take the first step in corporate ESG efforts. Watch ▶️ Leading Compliance Efforts as CCOs with Kristy Grant-Hart.
Key points discussed in the episode:
✔️ Kristy Grant-Hart talks about the current situation at Spark Consulting, a book she co-authored, The Compliance Entrepreneurs Handbook, and its impact.
✔️ Compliance is a driver for reputation enhancement. People not only vote with their dollars but also with their employee time.
✔️ Kristy Grant-Hart says the ability to gather people and put programs into a framework is what CCOs must have to lead ESG efforts. The 7 Elements of an Effective Compliance Program can guide CCOs in creating an ESG program and in its monitoring and implementation.
✔️ California becomes the first state to pass a gender-diversity-centered initiative. The social element of diversity goes deeper into the working conditions in the supply chain, sustainably sourced products, and low carbon emissions.
✔️ With ESG, companies can be part of the solution. Bigger names shouldn't receive the brunt of the blame, as businesses of all sizes should be accountable.
✔️ With the UK Modern Slavery Act, ESG has been placed at the forefront, pressuring companies to disclose the truth about what transpires in their supply chains.
✔️ Having a strong law background, Kristy Grant-Hart and Thomas Fox exchange ideas on the significance of lawyers in ESG endeavors. Learning the new jargon and talking to experts can help ease the hesitation to delve into this playing field.
✔️ CCOs are encouraged to be the frontrunners in compliance, as they hold the authority to create a significant impact on a corporate scale. The ability to be relevant is a great opportunity in compliance.
Kristy Grant-Hart is a compliance and data privacy thought leader specializing in transforming compliance departments into in-demand business assets. She's been featured in the Wall Street Journal, Financial Times, Compliance Week, Compliance and Ethics Professional Magazine, and many others. She was named a Trust Across America 2019 Top Thought Leader in Trust. She is the CEO of Spark Compliance Consulting, a London, Los Angeles, New York, and Chicago-based consultancy providing pragmatic, pro-business, proportionate compliance and ethics solutions. She is the creator of Compliance Competitor, a facilitated online training game built on business simulation software. She's the author of the best-selling book, "How to Be a Wildly Effective Compliance Officer." LinkedIn: https://www.linkedin.com/in/kristygranthart/

Do you have a podcast (or do you want to)? Join the only network dedicated to compliance, risk management, and business ethics, the Compliance Podcast Network. For more information, contact Tom Fox at tfox@tfoxlaw.com.
The role of the compliance professional and the compliance function in a corporation has steadily grown in stature and prestige over the years. When it came to the corporate compliance function, the 2020 FCPA Resource Guide, under the Hallmarks of an Effective Compliance Program, simply noted the government would "consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business." This Hallmark was significantly expanded in both the FCPA Corporate Enforcement Policy and the 2020 Update. In the FCPA Corporate Enforcement Policy, the DOJ listed the following factors relating to a corporate compliance function that it would consider as indicia of an effective compliance and ethics program:
1) the resources the company has dedicated to compliance;
2) the quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk;
3) the authority and independence of the compliance function and the availability of compliance expertise to the board;
4) the compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors; and
5) the reporting structure of any compliance personnel employed or contracted by the company.
The 2020 Update and the FCPA Corporate Enforcement Policy both demonstrate the continued evolution in the DOJ's thinking around the corporate compliance function. Their articulated inquiries can only strengthen the corporate compliance function specifically, and the compliance profession more generally.
The more the DOJ talks about the independence of the compliance function, coupled with resources being made available and authority commensurate with the corporate compliance function, the more corporations will see that it is directly in their interest to provide resources, authority and gravitas to the compliance position in their organizations.
Three key takeaways:
· How is compliance treated in the budget process?
· Has your compliance function had any decisions overridden by senior management?
· Beware outsourcing of compliance, as any such contractor must have access to company documents and personnel.
The role of the CCO has steadily grown in stature and prestige over the years. The 2020 FCPA Resource Guide, under the Hallmarks of an Effective Compliance Program, focused on whether the CCO held senior management status and had a direct reporting line to the Board. This Hallmark was significantly expanded in both the 2020 Update and the FCPA Corporate Enforcement Policy, and in so doing the DOJ has increased the prestige, authority and role of both the CCO and the corporate compliance function. The 2020 Update has five general areas of inquiry around the CCO and the corporate compliance function:
(1) How do the CCO's salary and stature within the organization compare to those of other senior executives within the company?
(2) What are the experience and stature of the CCO within the organization? Does the CCO have appropriate training for the role?
(3) How much autonomy does the CCO have to report to the Board of Directors? How often does the CCO meet with directors? Are members of senior management present for these meetings with the Board of Directors or the Audit Committee?
(4) What is your structure? Is the compliance function run by a designated chief compliance officer or by another executive within the company, and does that person have other roles within the company?
(5) Is data in your organization so siloed that the CCO does not have access to it? If so, what are you doing about it?
Once again, for the compliance professional, the FCPA Corporate Enforcement Policy and the 2020 Update make a best practices compliance program even more critical. The DOJ is focusing more on the role and expertise of the compliance function and on how it is treated within the organization. Pay your CCO considerably less than your GC? You had better be able to justify that discrepancy. If you have a legal department budget of $3 million and a compliance department budget of $500,000, you may be starting behind the eight-ball.
Three key takeaways:
· How can you show the CCO really has a seat at the senior executive table?
· What are the professional qualifications of your CCO?
· Does your CCO have true independence to report directly to the Board of Directors?
As every compliance practitioner is well aware, third parties still present the highest risk under the FCPA. The 2020 Update devotes an entire prong to third-party management. It begins with the following: "Prosecutors should also assess whether the company knows the business rationale for needing the third party in the transaction, and the risks posed by third-party partners, including the third-party partners' reputations and relationships, if any, with foreign officials. For example, a prosecutor should analyze whether the company has ensured that contract terms with third parties specifically describe the services to be performed, that the third party is actually performing the work, and that its compensation is commensurate with the work being provided in that industry and geographical region. Prosecutors should further assess whether the company engaged in ongoing monitoring of the third-party relationships, be it through updated due diligence, training, audits, and/or annual compliance certifications by the third party." This clearly specifies that the DOJ expects an integrated approach that is operationalized throughout the company. This means you must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party risk management that will fulfill the DOJ requirements as laid out in the 2020 FCPA Resource Guide and in the Hallmarks of an Effective Compliance Program. The five steps in the life cycle of third-party management are:
1) Business Justification by the Business Sponsor;
2) Questionnaire to the Third Party;
3) Due Diligence on the Third Party, including triage of results;
4) Compliance Terms and Conditions, including payment terms; and
5) Management and Oversight of Third Parties After Contract Signing.
Three key takeaways:
· Use the full 5-step process for third-party management.
· Make sure you have business development involvement and buy-in.
· Operationalize all steps going forward by including business unit representatives.
What are internal controls? The best definition I have come across is from Jonathan Marks, who defined internal controls as follows: An internal control is an action or process of interlocking activities designed to support the policies and procedures detailing the specific preventive, detective, corrective, directive and corroborative actions required to achieve the desired process outcomes or objective(s). This, along with continuous auditing, continuous monitoring and training, reasonably assures:
· the achievement of the process objectives linked to the organization's objectives;
· operational effectiveness and efficiency;
· reliable (complete and accurate) books and records (financial reporting);
· compliance with laws, regulations and policies; and
· the reduction of risk (fraud, waste and abuse), which aids in the decline of process and policy variation, leading to more predictable outcomes.
The DOJ and SEC, in the 2020 FCPA Resource Guide, stated: "Internal controls over financial reporting are the processes used by companies to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements. They include various components, such as: a control environment that covers the tone set by the organization regarding integrity and ethics; risk assessments; control activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitoring. … The design of a company's internal controls must take into account the operational realities and risks attendant to the company's business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption."
This was supplemented in the 2020 Update with a pair of pointed questions: has the company investigated its internal controls in depth, and have those controls been tested and then remediated based on the testing? The bottom line is that internal controls are simply good financial controls. The internal controls that set out requirements for third-party representatives in the compliance context will help to detect fraud, which could well lead to the detection of bribery and corruption. As an exercise, map your existing internal controls to the Ten Hallmarks of an Effective Compliance Program or another well-known anti-corruption regime to see where gaps may exist. This will help you determine whether adequate compliance internal controls are present in your company. From there you can move on to see whether they are working in practice.
Three key takeaways:
· Effective internal controls are required under the FCPA.
· Internal controls are a critical part of any best practices compliance program.
· There are four significant controls for the compliance practitioner to implement initially: (a) delegation of authority (DOA); (b) maintenance of the vendor master file; (c) contracts with third parties; and (d) movement of cash/currency.
Welcome to the Paint The Medical Picture Podcast, created and hosted by Sonal Patel, CPMA, CPC, CMC, ICD-10-CM. Help Sonal kick off her 2nd year of podcasting by supporting it! Sonal's 11th episode of Season 4 features a Newsworthy update on the OIG Work Plan for October 2021. Trusty Tip features Sonal's new Back to Basics series with her compliance recommendations for Effective Compliance Program Elements. Spark inspires us all to reflect on illumination based on the inspirational words of Elisabeth Kübler-Ross. Go ahead and listen, subscribe, rate and review!
Paint The Medical Picture Podcast now on:
Anchor: https://anchor.fm/sonal-patel5
Spotify: https://open.spotify.com/show/6hcJAHHrqNLo9UmKtqRP3X
Apple Podcasts: https://podcasts.apple.com/us/podcast/paint-the-medical-picture-podcast/id1530442177
Google Podcasts: https://podcasts.google.com/feed/aHR0cHM6Ly9hbmNob3IuZm0vcy8zMGYyMmZiYy9wb2RjYXN0L3Jzcw==
Amazon Music: https://music.amazon.com/podcasts/bc6146d7-3d30-4b73-ae7f-d77d6046fe6a/paint-the-medical-picture-podcast
Breaker: https://www.breaker.audio/paint-the-medical-picture-podcast
Pocket Casts: https://pca.st/tcwfkshx
Radio Public: https://radiopublic.com/paint-the-medical-picture-podcast-WRZvAw
Find Paint The Medical Picture Podcast on YouTube: https://www.youtube.com/channel/UCzNUxmYdIU_U8I5hP91Kk7A
Find Sonal on LinkedIn: https://www.linkedin.com/in/sonapate/
And check out the website: https://paintthemedicalpicturepodcast.com/
If you'd like to be a sponsor of the Paint The Medical Picture Podcast series, please contact Sonal directly for pricing: PaintTheMedicalPicturePodcast@gmail.com
In this segment Sean discusses the ins and outs of building an effective compliance program. The seven elements outlined by the OIG are addressed, in addition to an eighth step (Risk Assessment). This is not just an introduction to compliance: Sean takes the time to engage with the various components to ensure your complete understanding.
Welcome back to The Securities Compliance Podcast! As we kick off Season 2, we begin by reviewing a recent report from the Congressional Research Service looking at the SEC's current guidance on ESG and help break down an incredibly challenging couple of months in this area. For our feature interview, we welcome New York City attorney and compliance expert Richard Chen. Together we discuss the practical side of running an effective compliance program and how compliance officers can be more productive. To wrap up the first episode of Season 2, we offer another installment of the History Has Your Back segment, where we look back at the dating life of Warren Buffett, a quote from the most famous citizen of Motunui, and a good lesson in both life and compliance.
Headlines
· CRS reviews SEC disclosure policy and practice on climate risk
· Recent timeline of SEC statements regarding ESG
· Future state of ESG and avoiding regulation by enforcement
Interview
· Setting priorities using the Eisenhower principle
· Compliance calendars and time management
· Identifying the proper allocation of resources: automation and the use of technology
· Cutting and delegating compliance responsibilities
· Collaborating with firm leadership and other business units
· How CCOs can protect themselves
· Fostering a culture of compliance within your organization
History Has Your Back
· Pitfalls in the dating life of Warren Buffett
· Navigating the separation between work and personal life
Quotes:
"I think that one of the helpful frameworks I use is called the Eisenhower Principle, which categorizes tasks based on whether they're important or urgent."
"...As compliance professionals, we are collaborative. We all want to get to the same place and so, it's important for us to each put in what we know best about what's going on, in order to perform effectively."
Resources: Compliance in Context
Effective Compliance Program Hallmark: Training and Communication with Ronnie and Ricardo
Organizations take measures to articulate their policies and guidelines realistically. Doing so lets them promote their compliance and ethics programs to people with distinct positions and obligations through meaningful training and by sharing knowledge relevant to them. However, because of a limited understanding of the hallmarks of effective compliance, specifically training and communication, and the amount of consideration and attention they give to it, companies sometimes fall far short of their compliance goals. While many companies and regulatory agencies assume they handle the training and communication hallmark well, this is often the area where they drift furthest from what matters most. The reasons most organizations struggle to meet the criteria of this hallmark include:
· lack of ongoing scrutiny and continuing contact;
· failing to ensure that training and policy coordination are appropriate for the employee;
· incorrect or insufficient assessment of training and policy effectiveness; and
· not giving regard to the risk prioritization of training.
In today's Compliance Handbook chapter, we dive deeper into the fourth hallmark of effective compliance frameworks: training and communication. We're joined by two experts in the compliance field, Ronnie Feldman and Ricardo Pellafone.
Key takeaways discussed in the chapter:
· While training is valuable most of the time, it is not an end in itself in compliance. It is a tool you use to prevent misconduct. It fills a unique niche among the compliance officer's means, and it is compelling when used for the right purpose.
· Discover how not to lose trust. If compliance training is boring and preachy, people are annoyed at you for making them go through the experience. As a result, they don't think well of compliance, which means they are much less likely to speak up to ask questions and report concerns.
· Analyze who in your organization has had to undergo compliance training. Find answers to questions like, "Will the compliance training benefit the regular employee, or should it target those higher up, with the authority to either create or control risk?"
· Training is good, but also consider that people need reminding more than they need instruction.
· Simplicity and utility are the keys! Your compliance framework should not be extensive and complicated. When things are designed well and are useful, people will use them.
· Have you ever been in the situation where, as a manager, you have to approve an invoice from a third party? What are you looking for? That is something pretty much no one is ever trained on. This is the big difference between the traditional top-down model of training and the training model used by Ricardo Pellafone. If you want to learn more about this training method, tune in to the chapter.
· Can comedy and entertainment principles go along with compliance? Sure thing! We like trying new things, and we discover how well Ronnie blended these elements to create an effective compliance framework.
Order your copy OR copies of The Compliance Handbook: A Guide to Operationalizing Your Compliance Program. Save 25% off. http://www.lexisnexis.com/fox25
How Do You Create an Effective Compliance Program with Stephen Martin
The compliance department is frequently viewed by companies as an afterthought. Many companies scramble to put procedures in place only just in time, or after it's too late. Worse still, the function is siloed in many companies, with the sales team seeing compliance officers mostly as too quick to say "No!" Ironically, businesses that lack a compliance culture frequently contend with more disciplinary measures and lawsuits than their compliant rivals, instead of concentrating on operating a profitable company. In other words, a successful compliance program saves vital resources: people, time, and capital. Realistically, building a compliance foundation is the most significant protection an organization has to reduce risk. Thus, beyond growing sales and creating proof of compliance with applicable laws, compliance should be recognized as an internal insurance system. With that in mind, organizations should strive to develop a successful compliance program. But how do you create an effective compliance program? Most organizations start by implementing StoneTurn's Global Compliance Framework. These standards have been widely recognized and applied internationally to guide enterprises in their day-to-day activities, aligning them with national rules, regional codes, and sector best practices. In this chapter of The Compliance Handbook, we're joined by a renowned expert in the world of compliance, Stephen Martin. Join us as we explore the essence of creating a practical compliance framework for your organization.
Key takeaways mentioned in the chapter:
· Realize that compliance is far broader than FCPA compliance: AML, antitrust, fraud, FCA, trade sanctions. It is about helping the business achieve a better return on investment and driving ethics in a much more visible way.
· The number one challenge in compliance right now is the expectation that you can use data analytics to help with oversight and monitoring of your compliance program. Learn how to get above this challenge and put compliance systems in place so you never encounter the same issue in the future.
· Take on board the need to focus on the ethics and culture side when implementing your effective compliance program. Remind yourself that ethical leadership is the best compliance measure you could put in place. But again, companies struggle with how to do it. Culture change is not easy, and cultural impact is not easy.
· "31 Days to a More Effective Compliance Program" is the answer to all your compliance issues. Learn more about this framework straight from the expert himself, Stephen Martin.
· Take a deep dive into the six elements of compliance: Risk Assessment; Governance and Structure; Policies, Procedures, and Controls; Training and Education; Oversight and Reporting; Response and Enhancements.
Watch the full episode on YouTube here: https://youtu.be/14rqfEA5hg8 or catch it on your favorite podcast app.
About Thomas Fox: Thomas Fox, the Compliance Evangelist®, is one of the leading writers, thinkers and commentators on anti-bribery and anti-corruption compliance. In this latest edition of The Compliance Handbook he continues to arm seasoned compliance professionals, and those new to the realm, with the practical, actionable guidance and tools needed to design, create, implement and continually enhance a best practices compliance program.
Understanding Compliance Responsibility Across the Organization: The Compliance Handbook also takes a close look at the role of all professionals with compliance responsibility, from Compliance Officers and Boards of Directors, to Human Resources, to Internal Audit and Internal Controls, and Communications and Training professionals.
Order your copy OR copies of The Compliance Handbook: A Guide to Operationalizing Your Compliance Program. Save 25% off. http://www.lexisnexis.com/fox25
The role of the compliance professional and the compliance function in a corporation has steadily grown in stature and prestige over the years. When it came to the corporate compliance function, 2020 FCPA Resource Guide, under the Hallmarks of an Effective Compliance Program, simply noted the government would “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.” This Hallmark was significantly expanded in both the FCPA Corporate Enforcement Policy and 2020 Update. In the FCPA Corporate Enforcement Policy, the DOJ listed the following as factors relating to a corporate compliance function, that it would consider as indicia of an effective compliance and ethics program: 1) the resources the company has dedicated to compliance; 2) the quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk; 3) the authority and independence of the compliance function and the availability of compliance expertise to the board; 4) the compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors; and 5) the reporting structure of any compliance personnel employed or contracted by the company. The 2020 Update and FCPA Corporate Enforcement Policy both demonstrate the continued evolution in the thinking of the DOJ around the corporate compliance function. Their articulated inquiries can only strengthen a corporate compliance function specifically; and the compliance profession more generally. 
The more the DOJ talks about the independence of the compliance function, coupled with resources being made available and authority concomitant with the corporate compliance function, the more corporations will see it is directly in their interest to provide the resources, authority and gravitas to compliance position in their organizations. Three key takeaways: How is compliance treated in the budget process? Has your compliance function had any decisions over-ridden by senior management? Beware outsourcing of compliance as any such contractor must have access to company documents and personnel. Learn more about your ad choices. Visit megaphone.fm/adchoices
The role of the CCO has steadily grown in stature and prestige over the years. In the 2020 FCPA Resource Guide, under the Hallmarks of an Effective Compliance Program, it focused on the whether the CCO held senior management status and had a direct reporting line to the Board. This Hallmark was significantly expanded in both the 2020 Update and the FCPA Corporate Enforcement Policy. And in so doing, the DOJ has increased the prestige, authority and role of both the CCO and corporate compliance function. The 2020 Update has five general areas of inquiry around the CCO and corporate compliance function. (1) How does the CCO salary and stature within the organization compare to other senior executives within the company. (2) What are the experience and stature of the CCO with an organization? Does the CCO have appropriate training for the role? (3) How much autonomy does the CCO have to report to the Board of Directors? How often do the CCO meet with directors? Are members of the senior management present for these meetings with the Board of Directors or of the Audit Committee? (4) What is your structure? Is the compliance function run by a designated chief compliance officer, or another executive within the company, and does that person have other roles within the company? (5) Is data in your organization so siloed that the CCO does not have access to it? If so, what are you doing about it? Once again for the compliance professional, the FCPA Corporate Enforcement Policy and 2020 Update make the importance of a best practices compliance program even more critical. The DOJ is focusing more on the role, expertise and how the compliance function is treated within an organization. Pay your CCO considerably less than your GC? You may now better be able to justify that discrepancy. If you have a legal department budget of $3 million and a compliance department budget of $500,000; you may be starting behind the eight-ball. 
Three key takeaways: How can you show the CCO really has a seat at the senior executive table? What are the professional qualifications of your CCO? Does your CCO have true independence to report directly to the Board of Directors?
One of the specific requirements laid out in the 2020 Update is around internal controls and, more specifically, control testing. It stated: Control Testing – Has the company reviewed and audited its compliance program in the area relating to the misconduct? More generally, what testing of controls, collection and analysis of compliance data, and interviews of employees and third parties does the company undertake? How are the results reported and action items tracked? Fortunately, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 Internal Controls Framework considers assessing compliance internal controls. In “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls”, COSO laid out its views on assessing the effectiveness of internal controls. It noted that an effective system of internal controls provides “reasonable assurance of achievement of the entity’s objectives, relating to operations, reporting and compliance.” Moreover, there are two over-arching requirements that can only be met through such a structured protocol. First, each of the five components is present and functioning. Second, the five components operate in an integrated fashion with each other. One of the most critical features of the COSO Framework is that it sets internal control standards against which you can audit to assess the strength of your compliance internal controls. Three key takeaways: An effective system of internal controls provides reasonable assurance of achievement of the company’s objectives, relating to operations, reporting and compliance. There are two over-arching requirements for effective internal controls. First, each of the five components is present and functioning. Second, the five components operate together in an integrated approach.
For an anti-corruption compliance program, you can use the Hallmarks of an Effective Compliance Program as your guide to test against.
The call, email or tip comes into your office; an employee reports suspicious activity somewhere across the globe. That activity might well turn into an FCPA issue for your company. As the CCO, it will be up to you to begin the process which will determine, in many instances, how the company will respond going forward. This scenario was driven home by the SEC in a 2015 FCPA enforcement action involving Mead Johnson Nutrition Company. In this enforcement action, the company performed two internal investigations into allegations that its Chinese business unit was engaged in conduct which violated the FCPA. Unfortunately, the first investigation, performed in 2011, did not turn up any evidence of FCPA violations. It was not until 2013, when the SEC made an inquiry to the company, that it performed an adequate internal investigation which uncovered FCPA violations. Internal reporting. The 2020 FCPA Resource Guide has as clear and concise a statement about hotlines as any other requirement found in the Hallmarks of an Effective Compliance Program. It states: "An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation." Triaging claims. Given the number of ways that information about violations or potential violations can be communicated to government regulators, having a robust triage system is an important way that a company can determine what resources to bring to bear on a compliance problem. Jonathan Marks has articulated a five-stage triage process which allows for not only an early assessment of any allegations but also a manner to think through your investigative approach. Marks cautions that you must have an experienced investigator or other seasoned professional making these determinations, if not a more well-rounded group or committee.
Next, consider what will be the types of evidence to review going forward. Then, before selecting a triage solution, understand what tools are available, both forensic and human, to complete the investigation. Finally, after you ascertain that you have an effective reporting mechanism through your hotline and demonstrate that you have a robust and properly scoped investigation protocol, you must use the information you receive to remediate any issues which may arise. It is not enough merely to show that a hotline exists; you must present the data it produces. Three key takeaways: The DOJ and SEC put special emphasis on internal reporting lines. Test your hotline on a regular basis to make sure it is working. Have an investigation protocol in place before the call comes in so you will be ready to go and not required to scramble to create a protocol.
As every compliance practitioner is well aware, third parties still present the highest risk under the FCPA. The 2020 Update devotes an entire prong to third-party management. It begins with the following: Prosecutors should also assess whether the company knows the business rationale for needing the third party in the transaction, and the risks posed by third-party partners, including the third-party partners’ reputations and relationships, if any, with foreign officials. For example, a prosecutor should analyze whether the company has ensured that contract terms with third parties specifically describe the services to be performed, that the third party is actually performing the work, and that its compensation is commensurate with the work being provided in that industry and geographical region. Prosecutors should further assess whether the company engaged in ongoing monitoring of the third-party relationships, be it through updated due diligence, training, audits, and/or annual compliance certifications by the third party. This clearly specifies that the DOJ expects an integrated approach that is operationalized throughout the company. This means you must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party risk management, which will fulfill the DOJ requirements as laid out in the 2020 FCPA Resource Guide and in the Hallmarks of an Effective Compliance Program. The five steps in the life cycle of third-party management are: Business Justification by the Business Sponsor; Questionnaire to Third Party; Due Diligence on Third Party; Compliance Terms and Conditions, including payment terms; and Management and Oversight of Third Parties After Contract Signing. Three key takeaways: Use the full five-step process for third-party management. Make sure you have business development involvement and buy-in. Operationalize all steps going forward by including business unit representatives.
Do you have contracts in place that require you to attest to meeting CMS compliance requirements? Do you have questions about what those requirements are? What is an "effective compliance program" and how do you put one together? Having policies and procedures and training in place on Fraud, Waste and Abuse is a huge benefit for any provider, whether they have contractual obligations or not. What are you doing to stay current on best billing and coding practices to avoid any issues and reduce your risk of external audit? Are you performing chart audits? Learn from our compliance experts, Chad Schiffman and Loretta Maddox, as they discuss everything from effective compliance programs and codes of conduct to how we can help you identify coding audit risk and help avoid fines and penalties.
What are internal controls? The best definition I have come across is from Jonathan Marks, who defined internal controls as: An internal control is an action or process of interlocking activities designed to support the policies and procedures detailing the specific preventative, detective, corrective, directive and corroborative actions required to achieve the desired process outcomes or objective(s). This, along with continuous auditing, continuous monitoring and training, reasonably assures: the achievement of the process objectives linked to the organization’s objectives; operational effectiveness and efficiency; reliable (complete and accurate) books and records (financial reporting); compliance with laws, regulations and policies; and the reduction of risk (fraud, waste and abuse), which aids in the decline of process and policy variation, leading to more predictable outcomes. The DOJ and SEC, in the 2020 FCPA Resource Guide, stated: Internal controls over financial reporting are the processes used by companies to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements. They include various components, such as: a control environment that covers the tone set by the organization regarding integrity and ethics; risk assessments; control activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitoring. … The design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.
This was supplemented in the 2020 Update with a pair of pointed questions: has the company made a significant investigation into its internal controls, and have those controls been tested and then remediated based upon the testing? The bottom line is that internal controls are just good financial controls. The internal controls that detail requirements for third-party representatives in the compliance context will help to detect fraud, which could well lead to bribery and corruption. As an exercise, map your existing internal controls to the Ten Hallmarks of an Effective Compliance Program or some other well-known anti-corruption regime to see where gaps may exist. This will help you to determine whether adequate compliance internal controls are present in your company. From there you can move to see if they are working in practice. Three key takeaways: Effective internal controls are required under the FCPA. Internal controls are a critical part of any best practices compliance program. There are four significant controls for the compliance practitioner to implement initially: (a) Delegation of authority (DOA); (b) Maintenance of the vendor master file; (c) Contracts with third parties; and (d) Movement of cash/currency.
The 2020 Update emphasized the need for the corporate compliance function to ensure both consistency and fairness not only in monitoring investigations but also in monitoring the resulting discipline. One of the ways the 2020 Update emphasized this was through tracking the investigations and the discipline that may come out of any investigation. One of the challenges companies have is that facts and circumstances are different in every investigation. This sometimes makes consistency difficult, but if a company treats employees of one country differently in terms of discipline, it creates potential gaps in the compliance program. This can then give certain countries a feeling that they can do what they want, without the risk of punishment from corporate headquarters. This is why the DOJ re-emphasized monitoring the investigations and ensuring consistent application of discipline as a critical factor in ensuring an effective compliance program. The FCPA Resource Guide, 2nd edition, added a new hallmark to the previously titled 10 Hallmarks of an Effective Compliance Program (now it is simply the Hallmarks). The Hallmark added was one which has been around for some time: Root Cause Analysis (RCA). It is not new because it was subtly considered in the original FCPA Resource Guide and explicitly discussed since at least the original formulation of the Evaluation of Corporate Compliance Programs in February 2017. The focus on consistency is both insightful and instructive as a key element of a best practices compliance program. Consistency forms the basis of both institutional justice and institutional fairness. That in turn facilitates a speak-up culture, which it is the role of the compliance department to foster. Three key takeaways: Consistency is a key part of any compliance program. Consistency forms the basis of both institutional justice and institutional fairness. Consistency facilitates a speak-up culture.
We next consider how to create a more effective compliance program involving business ventures. This will include the role of compliance in M&A, JV agreements, distributorships, teaming agreements and franchises, as well as other forms of business relationships. The FCPA Resource Guide, 2nd edition, made clear that one of the Hallmarks of an Effective Compliance Program is around M&A, in both the pre- and post-acquisition context. A company that does not perform adequate due diligence prior to a merger or acquisition may face both legal and business risks. Perhaps most commonly, inadequate due diligence can allow a course of bribery to continue, with all the attendant harms to a business’s profitability and reputation, as well as potential civil and criminal liability. In contrast, companies that conduct effective due diligence on their acquisition targets can evaluate more accurately each target’s value and negotiate for the costs of the bribery to be borne by the target. Equally important is that if a company engages in the suggested actions, they will go a long way towards insulating it from, or at least lessening, the risk of FCPA liability going forward. The 2020 Update went on to say that “[t]he extent to which a company subjects its acquisition targets to appropriate scrutiny is indicative of whether its compliance program is, as implemented, able to effectively enforce its internal controls and remediate misconduct at all levels of the organization” and posed the following queries. One of the key themes in this chapter is the integrated nature of compliance and business ventures. Whether the compliance work is seen in the M&A context, the JV context or one of the myriad other business relationships of the current business world, there is an approach that a CCO or compliance professional should take: assess the risk, monitor the risk and then manage the risk with continued monitoring, feeding data and information back into your risk management strategy.
Three key takeaways: Consider the role of compliance in a wide variety of business relationships, including M&A, JV agreements, distributorships and franchises, as well as other forms of business relationships. Compliance for M&A should be seen as a unidimensional continuum. The Evaluation focuses on what data your risk monitoring system turned up and how you utilized it going forward.
Is a Board of Directors a compliance internal control? The clear answer is yes. In the 2020 FCPA Resource Guide, Hallmarks of an Effective Compliance Program, there are two specific references to the obligations of a Board in a best practices compliance program. One states, “Within a business organization, compliance begins with the Board of Directors and senior executives setting the proper tone for the rest of the company.” The second is found under the Hallmark entitled “Oversight, Autonomy and Resources,” which says the CCO should have “direct access to an organization’s governing authority, such as the Board of Directors and committees of the Board of Directors (e.g., the audit committee).” Further, under the U.S. Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The DOJ Prosecution Standards posed the following queries: Do the directors exercise independent review of a company’s compliance program, and are directors provided information sufficient to enable the exercise of independent judgment? The DOJ’s remarks drove home to me the absolute requirement for Board participation in any best practices or even effective anti-corruption compliance program. Three key takeaways: Board oversight over the compliance function is a separate internal control, so document it and use it. The Board must perform oversight over your company’s internal controls. Does your Board use the five principles for involvement in compliance internal controls?
As it made clear with several FCPA enforcement actions in 2020, the SEC has continued to emphasize the accounting provisions of the FCPA, specifically the internal controls provisions. Charles Cain, Chief of the FCPA Unit in the SEC's Division of Enforcement, reiterated that the SEC is committed to protecting investors in U.S. public companies and those which list other securities in the U.S. through enforcement of the accounting provisions, including the internal controls provisions of the FCPA. The reason is straightforward: a company with rigorous internal compliance controls is better able to prevent, detect and remedy any FCPA violations that may occur. What can you do around the FCPA’s requirements for internal controls and the continued SEC enforcement emphasis? I would suggest that you begin with an exercise where you map the internal controls your company has in place to the indicia of the Ten Hallmarks of an Effective Compliance Program, as set out in the 2012 FCPA Guidance. While most compliance practitioners are familiar with the Hallmarks, you may not be as familiar with standards for internal controls. I would suggest that you begin with the COSO 2013 Internal Controls Framework as your starting point. As a CCO or compliance practitioner, this is an exercise that you can engage in at no cost. You simply investigate and note what internal controls you have in place and how they may be a part of your anti-corruption efforts going forward. Compliance is a straightforward exercise. This does not mean that it is easy; you do have to work at it so that you do not end up with a paper, “check the box” program. But using the excuse that you have limited resources is simply an excuse, and a rather poor one at that.
While the clear lesson from the BHP enforcement action is that you are required to have effective internal controls in place, by engaging in this mapping exercise you can then figure out what you have and, more importantly, which internal compliance controls you do not have and need to institute. Three key takeaways: Learn the internal controls your company currently has in place. Map your compliance internal controls to the COSO 2013 Internal Controls Framework. Use your gap analysis as a basis for remediation.
James Doty, former Commissioner of the Public Company Accounting Oversight Board (PCAOB), was once asked if the Board or its sub-committee which handles audits was a part of a company’s internal financial controls. He answered that yes, he believed that was one of the roles of an Audit Committee or full Board. I had never thought of the Board as an internal control, but the more I thought about it, the more I realized it was an important insight for any Chief Compliance Officer or compliance practitioner, as it also applies as a compliance internal control. In the FCPA Resource Guide, 2nd edition, in the Hallmarks of an Effective Compliance Program, there are two specific references to the obligations of a Board. The first is in Hallmark No. 1, which states, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3, entitled “Oversight, Autonomy and Resources”, where it discusses that the CCO should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The Department of Justice’s (DOJ) Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment? Doty’s remarks drove home to me the absolute requirement for Board participation in any best practices or even effective anti-corruption compliance program. If a Board’s oversight is part of effective compliance controls, then the failure to provide it may result in something far worse than bad governance.
Such inattention could directly lead to an FCPA violation and could even form the basis of an independent SOX violation as to the Board. Three key takeaways: A Board must engage in active oversight. A Board should review the design of internal controls on a regular basis. Failure to do so could form the basis for an independent legal violation under SOX.
The OIG white paper “Practical Guidance for Health Care Governing Boards on Compliance Oversight” (OIG Guidance) provides an excellent road map for thinking about how to structure a Compliance Committee for your Board and about a Board’s obligations. As an introduction, the OIG Guidance states that a Board must act in good faith around its obligations regarding compliance. This means that there must be a corporate information and reporting system and that such reporting mechanisms must provide appropriate information to the Board. It states: The existence of a corporate reporting system is a key compliance program element, which not only keeps the Board informed of the activities of the organization, but also enables an organization to evaluate and respond to issues of potentially illegal or otherwise inappropriate activity. The OIG Guidance sets out four areas of Board oversight and review of a compliance function: Roles of, and relationships between, the organization’s audit, compliance, and legal departments; Mechanism and process for issue-reporting within an organization; Approach to identifying regulatory risk; and Methods of encouraging enterprise-wide accountability for achievement of compliance goals and objectives. The OIG Guidance is an excellent review not only for compliance professionals and others in the healthcare industry but also a good primer for Boards around their own duties under a best practices compliance program. The U.S. Sentencing Guidelines, the Hallmarks of an Effective Compliance Program, the OIG Guidance, and OIG Corporate Integrity Agreements can be used as baseline assessment tools for Boards and management in determining what specific functions may be necessary to meet the requirements of an effective compliance program. Three key takeaways: Information flow up to the Board is critical. Compliance should be institutionalized in your company as a way of life. A Board needs to consider all risks.
This month's sponsor is Affiliated Monitors, Inc.
Welcome to this month's offer of 31 Days to a More Effective Compliance Program. This month I will focus on the Board of Directors and its role in an effective compliance program. At the end of August, you will have not only a good summary of the basics of a best practices compliance program for a Board of Directors but also information that you can incorporate into your compliance regime. Case law. As to the specific role of best practices in the area of general compliance and ethics, one can look to Delaware corporate law for guidance. The case of In Re Caremark International Inc., 698 A.2d 959 (Del. SCt. 1996), was the first case to hold that a Board’s obligation “includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.” 2020 FCPA Resource Guide, 2nd edition, and U.S. Sentencing Guidelines. A Board’s duty under the FCPA is well-known. In the FCPA Resource Guide, 2nd edition, there are two specific references to the obligations of a Board. The first, in Hallmark No. 1, states: “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3 and notes that the CCO should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the U.S. Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The DOJ’s Prosecution Standards posed the following queries: 1) Do the Directors exercise independent review of a company’s compliance program?
and 2) Are Directors provided information sufficient to enable the exercise of independent judgment? From the Delaware cases, a Board must not only have a corporate compliance program in place but actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions. The specific obligations set out regarding the FCPA drive home these general legal obligations down to the specific level of the statute. Three key takeaways: The Delaware courts have led the way with the In Re Caremark and Stone v. Ritter decisions. Note the obligations of the Board under the Ten Hallmarks of an Effective Compliance Program. The U.S. Sentencing Guidelines also require Board involvement and oversight. A special thanks to this month's sponsor, Affiliated Monitors, Inc.
We talk with Boon Kim Fam, Senior Legal Counsel, Compliance, Asia Pacific at PVH Corp. (parent company of Calvin Klein and Tommy Hilfiger).
2:10 How prior government experience helped Kim in her compliance role today.
3:13 What kind of compliance issues are unique to a retail business?
4:26 Is the scope of a typical compliance role becoming broader now to cover things like data privacy?
8:20 How do you get your message across in training the business teams?
12:04 How do you do trainings for 3rd party business partners such as vendors and distributors?
13:18 Any differences between working with the business teams in China and in other parts of Asia Pacific?
16:38 How to get the senior management to help drive and support the compliance program?
21:21 How about empowering middle management who are often the first to encounter problems?
23:40 Making your presence felt in the region when the compliance team sits in the regional headquarters.
26:38 Is face time still important in a compliance program with the prolific use of video conferencing now?
28:20 Business is getting done despite a dramatic reduction in travel and entertainment with clients because of COVID-19. Will this lead to a permanent reduction in compliance risk to the company?
29:05 What do you see as changing trends for compliance in Asia Pacific?
Continuous improvement can come in many different shapes, sizes and packages. As with all things compliance, you are only limited by your imagination. Have you ever thought about a tech implementation as a way to achieve continuous improvement? Probably not, but it is also a way forward for continuous improvement. Think about that for a moment, as this is taking the concept of continuous improvement and adding an ongoing tech solution. This is one of the areas both the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) discussed in their jointly issued 2012 FCPA Guidance, as Hallmark 9 in the Ten Hallmarks of an Effective Compliance Program. This is not simply taking data from your compliance program and feeding it back in to create continuous improvement; it is using a tech solution not only to make your compliance program run more efficiently but also to help continuously improve your compliance program. Such an approach uses the subject matter expertise (SME) of the tech solution provider to help the compliance professional come up with a more effective compliance program. For the compliance professional it is expanding their reach and scope through the use not only of this tech SME but also of the information from their own compliance program, to create greater efficiencies and effectiveness. Three key takeaways: Even in continuous improvement, you are only limited by your imagination. The delivery of a tech solution for compliance can be beneficial in multiple ways. Start your analytics at the transaction level and move upwards.
We previously considered the Prong in the Evaluation that was not present in the Ten Hallmarks of an Effective Compliance Program, that being root cause analysis. The requirement was first raised in the 2017 Evaluation. It was then carried forward as a requirement in the FCPA Corporate Enforcement Policy, later in 2017. It was discussed again in the 2019 Guidance. You should begin with the question of who should perform the remediation: should it be an investigator or an investigative team which was a part of the root cause analysis? Jonathan Marks believes the key is both “independence and objectivity.” It may be that an investigator or investigative team is a subject matter expert and “therefore more qualified to get that particular recourse”. Yet to perform the remediation, the key is to integrate the information developed from the root cause analysis into the solution. Marks further noted that the company may also have deficiencies in internal controls. More importantly, the failure to remediate gaps in internal controls “provides the opportunity for additional errors or misconduct to occur, and thus could damage the company’s credibility with regulators” by allowing the same or similar conduct to reoccur. Finally, with both the 2019 Guidance and the FCPA Corporate Enforcement Policy, the DOJ has added its voice to prior SEC statements that regulators “will focus on what steps the company took upon learning of the misconduct, whether the company immediately stopped the misconduct, and what new and more effective internal controls or procedures the company has adopted or plans to adopt to prevent a recurrence.” Three key takeaways: The key is objectivity and independence. The critical element is how you used the information you developed in the root cause analysis. After you have identified the causes of problems, consider the solutions that can be implemented by developing a logical approach, using data that already exists in the organization.
The role of the compliance professional and the compliance function in a corporation has steadily grown in stature and prestige over the years. When it came to the corporate compliance function, the 2012 FCPA Guidance, under Hallmark Three of the Ten Hallmarks of an Effective Compliance Program, simply noted the government would “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.” This Hallmark was significantly expanded in both the 2019 Guidance and the FCPA Corporate Enforcement Policy. And in so doing, the DOJ has increased the prestige, authority and role of the corporate compliance function. The 2019 Guidance has four general areas of inquiry around the corporate compliance function. (1) What is the seniority and stature of the compliance function within an organization? (2) What are the experience and stature of the compliance personnel within an organization? (3) What funding and resources are made available to the compliance function? (4) How much autonomy does the compliance function have to report to the Board of Directors? Three key takeaways: How is compliance treated in the budget process? Has your compliance function had any decisions overridden by senior management? Beware outsourcing of compliance, as any such contractor must have access to company documents and personnel.
The role of the CCO has steadily grown in stature and prestige over the years. In the 2012 FCPA Guidance, under Hallmark Three of the Ten Hallmarks of an Effective Compliance Program, the focus was on whether the CCO held senior management status and had a direct reporting line to the Board; stating: In appraising a compliance program, DOJ and SEC also consider whether a company has assigned responsibility for the oversight and implementation of a company’s compliance program to one or more specific senior executives within an organization. Those individuals must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively. Adequate autonomy generally includes direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors. This Hallmark was significantly expanded in both the 2019 Guidance and the FCPA Corporate Enforcement Policy. And in so doing, the DOJ has increased the prestige, authority and role of both the CCO and the corporate compliance function. The 2019 Guidance has four general areas of inquiry around the CCO and corporate compliance function. (1) How do the CCO’s salary and stature within the organization compare to those of other senior executives within the company? (2) What are the experience and stature of the CCO within an organization? Does the CCO have appropriate training for the role? (3) How much autonomy does the CCO have to report to the Board of Directors? How often does the CCO meet with directors? Are members of senior management present for these meetings with the Board of Directors or the Audit Committee? (4) Is the compliance function run by a designated chief compliance officer, or another executive within the company, and does that person have other roles within the company?
Three key takeaways: How can you show the CCO really has a seat at the senior executive table? What are the professional qualifications of your CCO? Does your CCO have true independence to report directly to the Board of Directors?
Control Testing – Has the company reviewed and audited its compliance program in the area relating to the misconduct? More generally, what testing of controls, collection and analysis of compliance data, and interviews of employees and third-parties does the company undertake? How are the results reported and action items tracked? Fortunately, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 Internal Controls Framework considers assessing compliance internal controls. In “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls”, COSO laid out its views on assessing the effectiveness of internal controls. It noted that an effective system of internal controls provides “reasonable assurance of achievement of the entity’s objectives, relating to operations, reporting and compliance.” Moreover, there are two over-arching requirements that can only be met through such a structured protocol. First, each of the five components is present and functioning. Second, the five components operate in an integrated fashion with each other. One of the most critical features of the COSO Framework is that it sets internal control standards against which you can audit to assess the strength of your compliance internal controls. Three key takeaways: An effective system of internal controls provides reasonable assurance of achievement of the company’s objectives, relating to operations, reporting and compliance. There are two over-arching requirements for effective internal controls. First, each of the five components is present and functioning. Second, the five components operate together in an integrated approach. For an anti-corruption compliance program, you can use the Ten Hallmarks of an Effective Compliance Program as your guide to test against.
As every compliance practitioner is well aware, third parties still present the highest risk under the FCPA. The Evaluation of Corporate Compliance Programs - Guidance Document (2019 Guidance) devotes an entire prong to third-party management. It begins with the following: A well-designed compliance program should apply risk-based due diligence to its third-party relationships. Although the degree of appropriate due diligence may vary based on the size and nature of the company or transaction, prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions. This clearly specifies that the DOJ expects an integrated approach that is operationalized throughout the company. This means you must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party risk management, which will fulfill the DOJ requirements as laid out in the 2012 FCPA Guidance and in the Ten Hallmarks of an Effective Compliance Program. The five steps in the lifecycle of third-party management are: Business Justification; Questionnaire to Third-party; Due Diligence on Third-party; Compliance Terms and Conditions, including payment terms; and Management and Oversight of Third Parties After Contract Signing. Three key takeaways: Use the full 5-step process for third party management. Make sure you have business development involvement and buy-in. Operationalize all steps going forward by including business unit representatives.
What is the intersection of innovation in your compliance program and the requirements of an effective compliance program? Today, Tom Fox continues his 5-part series on the front lines of compliance with Hallmark 10 of the Ten Hallmarks of an Effective Compliance Program. Hallmark 10 states that: “A good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” What does that actually mean? In short, it’s about putting compliance into the fabric of your organization. There are many ways to go about doing this, and one of the most effective ways is through the continuous improvement technique of ‘internal inspection.’ Ben Locwin discusses this in Episode 266 of the FCPA Compliance and Ethics Report Podcast. With internal inspection, you’re looking at your program from the inside out. Ben Locwin explains it like this: “We have a problem. Let’s not run away from it. Let’s embrace it.” To do that, you should ask what you can do better, and what you can do next. The willingness of the organization to look at itself is key to continuous improvement. It’s not enough to admit there was a mistake and get rid of the employee who made it. Tom talks about how people aren’t willfully ignorant; they try to do the right things.
It could be as simple as a clarity issue with how they understand their role or their work, and if that’s the case, the next employee could easily make the same mistake. Instead of laying blame at the people in the organization, it is wiser to do a ‘root cause analysis’ to determine and develop the preventative actions that can keep the problem from happening again. In other words, you fix the system and processes that led to the problem in the first place. Ongoing Education: If you’re a compliance professional looking for a convenient and effective way to fulfill your continuing education requirements, visit Tom’s website and choose from 4 hour-long training packages that will keep you up to date with the latest developments in the compliance field.
Hallmark Nine of Ten Hallmarks of an Effective Compliance Program, as articulated in the 2012 FCPA Guidance, states: "a good compliance program should constantly evolve."
One new and different item was laid out in the Evaluation of Corporate Compliance Programs, supplementing the Ten Hallmarks of an Effective Compliance Program from the 2012 FCPA Guidance. This was the performance of a root cause analysis for any compliance violation which may lead to a self-disclosure or enforcement action.
I next want to take a deep dive and exploration of the levels of due diligence. Due diligence is generally recognized in three levels: Level I, Level II and Level III. Each level is appropriate for a different level of corruption risk. The key is for you to develop a mechanism to determine the appropriate level of due diligence and then implement that going forward.
We previously considered the Prong in the Evaluation of Corporate Compliance Programs which was not present in the Ten Hallmarks of an Effective Compliance Program; that being root cause analysis. This addition was also carried forward as a requirement in the Department of Justice’s new FCPA Corporate Enforcement Policy. I want to consider how you should utilize the results of a root cause analysis in remediating a compliance program.
Your company has just made its largest acquisition ever and your Chief Executive Officer (CEO) says that he wants you to have a compliance post-acquisition integration plan on his desk in one week. Where do you begin?
A company that does not perform adequate FCPA due diligence prior to a merger or acquisition may face both legal and business risks. While most compliance practitioners have long been aware of the requirement in the post-acquisition context, the 2012 FCPA Guidance focused many compliance practitioners on the need to engage in robust pre-acquisition due diligence.
One of the new areas articulated in the Evaluation of Corporate Compliance Programs was around payments and payroll. For both the compliance professional and the corporate payroll function, there is a significant role for a corporate payroll function in the operationalization of a corporate compliance program.
The role of the compliance professional and the compliance function in a corporation has steadily grown in stature and prestige over the years. In the 2012 FCPA Guidance (Guidance), under Hallmark Three of the 10 Hallmarks of an Effective Compliance Program (Hallmarks), the focus was articulated by the title Oversight, Autonomy, and Resources. This Hallmark was significantly expanded in both the DOJ's Evaluation of Corporate Compliance Programs and the new FCPA Corporate Enforcement Policy.
The role of the Chief Compliance Officer (CCO) has steadily grown in stature and prestige over the years. In the 2012 FCPA Guidance, under Hallmark Three of the 10 Hallmarks of an Effective Compliance Program, the focus was articulated by the title of the Hallmark, Oversight, Autonomy, and Resources. This Hallmark was significantly expanded in both the Evaluation of Corporate Compliance Program (Evaluation) and the new FCPA Corporate Enforcement Policy (Policy).
Compliance Programs (Evaluation) is the need to use the information you obtain, whether through risk assessment, root cause analysis, investigation, hotline report or any other manner to remediate the situation which allowed it to arise.
How do you assess internal compliance controls under a best practices compliance program? In this episode I consider how to do so in the most effective manner.
Under Hallmark Nine of the Ten Hallmarks of an Effective Compliance Program as articulated in the 2012 FCPA Guidance, it stated, “Finally, a good compliance program should constantly evolve.” This insight was carried forward in the Department of Justice’s 2017 Evaluation of Corporate Compliance Programs, which listed three types of continuous improvement: (1) internal audit, (2) control testing, and (3) evolving updates; each category was further refined with multiple attendant questions.
There is nothing like an internal whistleblower report about an FCPA violation, the finding of such an issue or (even worse) a subpoena from the DOJ to trigger the Board of Directors’ and senior management’s attention to the compliance function and the company’s compliance program. Such an event can trigger much gnashing of teeth and expressions of outrage followed immediately by proclamations that “We are an ethical company.” However, it may well be the time for a very serious reality check.
Focusing on investigations under Prong 7 in the Evaluation it stated, Properly Scoped Investigation by Qualified Personnel – How has the company ensured that the investigations have been properly scoped, and were independent, objective, appropriately conducted, and properly documented? This means you need an investigation protocol in place so that the entire compliance function is on the same page and knows what to do.
The call, email or tip comes into your office; an employee reports suspicious activity somewhere across the globe. That activity might well turn into an FCPA issue for your company. As the CCO, it will be up to you to begin the process which will determine, in many instances, how the company will respond going forward.
The building blocks of any compliance program lay the foundations for a best practices compliance program. For instance, in the lifecycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, the issue of third party management becomes more important.
As every compliance practitioner is well aware, third parties still present the highest risk under the Foreign Corrupt Practices Act (FCPA). The Department of Justice Evaluation of Corporate Compliance Programs devotes an entire prong to third party management.
After you complete your risk assessment, you must then translate it into a risk profile, as Rick Messick has noted, to estimate where bribery is likely to occur, so prevention efforts will be properly targeted.
One cannot really say enough about risk assessments in the context of an anti-corruption program. Since at least 1999, in the Metcalf & Eddy enforcement action, the DOJ has said that risk assessments which measure the likelihood and severity of possible FCPA violations are the manner in which you should direct your resources to manage these risks.
In the Department of Justice’s Evaluation of Corporate Compliance Programs, Prong 8 Incentive and Disciplinary Measures it states: Incentive System – Consistent Application – Have the disciplinary actions and incentives been fairly and consistently applied across the organization? In the FCPA Corporate Enforcement Policy it states, “Appropriate discipline of employees, including those identified by the company as responsible for the misconduct, either through direct participation or failure in oversight, as well as those with supervisory authority over the area in which the criminal conduct occurred”. Under Hallmark Six of the Ten Hallmarks of an Effective Compliance Program it states: In addition to evaluating the design and implementation of a compliance program throughout an organization, enforcement of that program is fundamental to its effectiveness. A compliance program should apply from the board room to the supply room—no one should be beyond its reach. DOJ and SEC will thus consider whether, when enforcing a compliance program, a company has appropriate and clear disciplinary procedures, whether those procedures are applied reliably and promptly, and whether they are commensurate with the violation. Many companies have found that publicizing disciplinary actions internally, where appropriate under local law, can have an important deterrent effect, demonstrating that unethical and unlawful actions have swift and sure consequences. However, I believe that the 2012 FCPA Guidance’s best practices are more active than the ‘stick’ of employee discipline to make a compliance program effective and I believe that it also requires a ‘carrot’. 
This requirement is codified in the US Sentencing Guidelines with the following language, “The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.” One of the areas in which Human Resources can operationalize your compliance program is to ensure that discipline is handed out fairly across an organization and that incentives go to those employees who integrate such ethical and compliant behavior into their individual work practices going forward. This is more than financial incentives for ethical behavior; it is institutional objectivity for your employees. Institutional objectivity comes from procedural fairness. This is one of the things that will bring credibility to your compliance program. Today it is called the Fair Process Doctrine, and this Doctrine generally recognizes that there are fair procedures, not arbitrary ones, in processes involving rights. Considerable research has shown that people are more willing to accept negative, unfavorable, and non-preferred outcomes when they are arrived at by processes and procedures that are perceived as fair. Adhering to the Fair Process Doctrine in three areas of your Compliance Program is critical for you, as a compliance specialist, or for your Compliance Department, to have credibility with the rest of the workforce. Finally, it is yet another way to more fully operationalize your compliance program. Administration of Discipline: One area where the Fair Process Doctrine is paramount is in the administration of discipline after any compliance related incident. Discipline must not only be administered fairly but it must be administered uniformly across the company for the violation of any compliance policy.
Simply put, if you are going to fire employees in South America for lying on their expense reports, you have to fire them in North America for the same offense. It cannot matter that the North American employee is a friend of yours or, worse yet, a ‘high producer’. Failure to administer discipline uniformly will destroy any vestige of credibility that you may have developed. Similarly, and as was re-emphasized in the FCPA Corporate Enforcement Policy, there must be real consequences for employees who violate your compliance program. If the regulators come knocking and you have not disciplined any company employees for Code of Conduct or compliance program violations in multiple years, the DOJ and SEC will conclude pretty quickly that you are not serious about compliance. Fair process means that you must discipline those who engage in compliance violations no matter what their position is with the organization. Employee Promotions: In addition to the area of discipline which may be administered after the completion of any compliance investigation, you must also place compliance firmly as a part of ongoing employee evaluations and promotions. If your company is seen to advance and reward only employees who achieve their numbers by whatever means necessary, other employees will certainly take note and it will be understood what management evaluates, and rewards, employees upon. I have often heard the (anecdotal) tale about some Far East Region Manager which goes along the following lines: “If I violated the Code of Conduct I may or may not get caught. If I get caught I may or may not be disciplined. If I miss my numbers for two quarters, I will be fired”. If this is what other employees believe about how they are evaluated and the basis for promotion, you have lost the compliance battle. Internal Investigations: The third area in which the Fair Process Doctrine is critical is internal company investigations.
If your employees do not believe that the investigation is fair and impartial, then it is not fair and impartial. Further, those involved must have confidence that any internal investigation is treated seriously and objectively. One of the key reasons that employees will go outside of a company’s internal hotline process is because they do not believe that the investigation process will be fair. This fairness has several components. One would be the use of outside counsel, rather than in-house counsel, to handle the investigation. Moreover, if a company uses a regular firm, it may be that other outside counsel should be brought in, particularly if regular outside counsel has created or implemented key components which are being investigated. Further, if the company’s regular outside counsel has a large amount of business with the company, then that law firm may have a very vested interest in maintaining the status quo. Lastly, the investigation may require a level of specialization which in-house or regular outside counsel does not possess. An often-overlooked role of any CCO or compliance professional is to help provide employees procedural fairness. If your compliance function is seen to be fair in the way it treats employees, in areas as varied as financial incentives, promotions, and uniform discipline meted out across the globe, employees are more likely to inform the compliance department when something goes awry. If employees believe they will be treated fairly, it will go a long way to more fully operationalizing your compliance program.

Three Key Takeaways

1. The DOJ and SEC have long called for consistent application in both incentives and discipline.
2. The Fair Process Doctrine ensures employees will accept results they may not like.
3. Inconsistent application of discipline will destroy your compliance program credibility.

This month’s podcast sponsor is Convercent.
Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com. Learn more about your ad choices. Visit megaphone.fm/adchoices
One of the areas that many companies have not paid as much attention to in their compliance programs is compensation. However, the DOJ and SEC have long made clear that they view the monetary structure of compensation, rewarding those employees who do business in compliance with their employer’s compliance program, as one of the ways to reinforce the compliance program and the message of compliance.
One of the key goals of any FCPA compliance program is to train employees in awareness and understanding of the FCPA; your specific company compliance program; and to create and foster a culture of compliance. In the 2017 Evaluation of Corporate Compliance Programs the DOJ asked, “How has the company measured the effectiveness of the training?” This point has bedeviled many compliance professionals yet is now a key metric for the government in evaluating compliance training.
What is the message of compliance inside of a corporation, and how is it distributed? In a compliance program, the largest portion of your consumers/customers are your employees. Social media presents some excellent mechanisms to communicate the message of compliance going forward. Many of the applications that we use in our personal communication are free or available at very low cost.
A 360-degree view of compliance is an effort to incorporate your compliance identity into a holistic approach so that compliance is in touch with and visible to your employees at all times. It is about creating a distinctive brand philosophy of compliance which is centered on your consumers.
What specifically are internal controls in a compliance program? Internal controls are not only the foundation of a company but are also the foundation of any effective anti-corruption compliance program. The starting point is the FCPA itself.
There are numerous reasons to put some serious work into your compliance policies and procedures. They are certainly a first line of defense when the government comes knocking. The 2012 FCPA Guidance made clear that “Whether a company has policies and procedures that outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures will also be considered by DOJ and SEC.”
What is the value of having a Code of Conduct? I have heard many business folks ask that question over the years. In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven, something to wave in regulators’ faces during an enforcement action by using it to claim we are an ethical company. Is such a legalistic code effective? Is a Code of Conduct more than simply your company’s law? What should be the goal in the creation of your company’s Code of Conduct?
What is the role of a company’s Board of Directors, as laid out in the Evaluation of Corporate Compliance Programs, in more fully operationalizing a best practices compliance program?
The Evaluation of Corporate Compliance Programs makes clear that a company must have more than simply a good ‘Tone-at-the-Top’; it must move down through the organization from senior management to middle management and into its lower ranks. This means that one of the tasks is to get middle management to respect the stated ethics and values of a company, because if they do so, this will be communicated down through the organization.
This requirement is more than simply the ubiquitous ‘tone-at-the-top’ as it focuses on the conduct of senior management. The Justice Department wants to see a company’s senior leadership actually doing compliance. The DOJ asks if company leadership has through their words and concrete actions brought the right message of doing business ethically and in compliance to a company. How does senior management model its behavior on a company’s values and finally how is such conduct monitored in an organiza
Operationalizing your compliance program can take many shapes and forms. Using the entire risk management process to embed your compliance program within the contours of your organization is an important, key step as it will allow you to have full visibility of your compliance risks through a longer life cycle.
Over the next 31 days, I will be exploring the best way to more fully operationalize a compliance program using the DOJ resources. Join me as we engage in 31 days to a more effective compliance program.
We are now less than six months away from a new Revenue Recognition (“new rev rec”) standard which may significantly impact the compliance profession, compliance pr
Is a Board of Directors a compliance internal control? I think the clear answer is yes. In the FCPA Guidance, in the Ten Hallmarks of an Effective Compliance Program, there are two specific references to the obligations of a Board in a best practices compliance program. The first in Hallmark No. 1 states, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3, entitled “Oversight, Autonomy and Resources”, which says the Chief Compliance Officer (CCO) should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The DOJ Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment? The DOJ’s remarks drove home to me the absolute requirement for Board participation in any best practices or even effective anti-corruption compliance program. I believe that a Board must not only have a corporate compliance program in place but also actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions. But it is more than simply having a compliance program in place. The Board must exercise appropriate oversight of the compliance program and indeed the compliance function. The Board needs to ask the hard questions and be fully informed of the company’s overall compliance strategy going forward. 
Lawyers often speak to and advise Boards on their legal obligations and duties. If a Board’s oversight is part of effective financial controls under Sarbanes Oxley (SOX), that also includes effective compliance controls. Failure to do either may result in something far worse than bad governance. It may directly lead to a FCPA violation and could even form the basis of an independent FCPA violation. A company must not only have a corporate compliance program in place; it must also actively oversee that function. A failure to perform these functions may lead to independent liability of a Board for its failure to perform its allotted tasks in an effective compliance program. Internal controls work together with compliance policies and procedures as an interrelated set of compliance control mechanisms. There are five general compliance internal controls for a Board or Board subcommittee role for compliance:

1. Corporate Compliance Policy and Code of Conduct - A Board should have an overall governance document which will inform the company, its employees, stakeholders and third parties of the conduct the company expects from an employee. If the company is global/multi-national, this document should be translated into the relevant languages as appropriate.
2. Risk Assessment - A Board should assess the compliance risks associated with its business.
3. Implementing Procedures - A Board should determine if the company has a written set of procedures in place that instructs employees on the details of how to comply with the company’s compliance policy.
4. Training - There are two levels of Board training. The first should be that the Board has a general understanding of what the FCPA is, and it should also understand its role in an effective compliance program.
5. Monitor Compliance - A Board should independently test, assess and audit to determine if its compliance policies and procedures are a ‘living and breathing program’ and not just a paper tiger.
There have been recent FCPA enforcement actions where the DOJ and SEC discussed the failure of internal controls as a basis for FCPA liability. With the questions about the Wal-Mart Board of Directors and their failure to act in the face of allegations of bribery and corruption in the company’s Mexico subsidiary, or, by contrast, their failure to even be aware of the allegations, there may soon be an independent basis for an FCPA violation for a Board’s failure to perform its internal controls function in a best practices compliance program.

Three Key Takeaways

1. GTE compliance internal controls are low hanging fruit, pick them.
2. Compliance internal controls can be both detect and prevent controls.
3. Good compliance internal controls are good for business.

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.
As it made clear with several FCPA enforcement actions in 2016, the SEC has placed a renewed interest in the accounting provisions of the FCPA, specifically the internal controls provisions. The BHP enforcement action continued this trend: although there was no evidence that bribes were paid or offered in violation of the FCPA, the poor internal compliance controls at BHP led to a $25MM fine. Kara Brockmeyer, the former Chief of the FCPA Unit in the SEC’s Division of Enforcement, reiterated that the SEC was committed to protecting investors in US public companies, and those which list other securities in the US, through enforcement of the accounting provisions, including the internal controls provisions of the FCPA. The reason would seem to be straightforward: a company with rigorous internal compliance controls is better able to prevent, detect and remedy any FCPA violations that may occur. What can you do around the FCPA’s requirements for internal controls and the current SEC emphasis? I would suggest that you begin with an exercise where you map the internal controls your company has in place to the indicia of the Ten Hallmarks of an Effective Compliance Program, as set out in the FCPA Guidance. While most compliance practitioners are familiar with the Ten Hallmarks, you may not be as familiar with standards for internal controls. I would suggest the COSO 2013 Internal Controls Framework as your starting point. As a lawyer or compliance practitioner you may not be familiar with all the internal controls that you have in place. This exercise would give you a good opportunity to meet with the heads of Internal Audit, Finance and Accounting (F&A), Treasury or any other function in your company that deals with financial controls. Talk with them about the financial controls you may already have in place. An easy example is employee expense reports.
Every company I have ever worked at or even heard about requires expenses for reimbursement to be presented, in documented form, on some type of expense reimbursement form. This is mandatory for IRS reporting, so all entities perform this action. See how many controls are in place. Is the employee who submits the expense reimbursement required to sign it? Does his/her immediate supervisor review, approve and sign it? Does any party in the employee’s direct reporting chain review, approve and sign? Do any personnel from accounts payable review and approve that expenses have the requisite receipts attached? Is there any other review in accounts payable? Is there any aggregate review of expense reports? Is there a monetary limit over which additional reviews and approvals occur? Now, if an employee has submitted expenses for activities that occurred outside the US, are there any foreign government officials involved? Were the recipients of any such gift, travel or entertainment identified on the expense reimbursement form? Was the business purpose of the meal, gift or entertainment recorded? Can you aggregate the monies spent on any one foreign official, or by a single employee, in your expense reporting system? All of these are internal controls that can be mapped to the appropriate prong of the Ten Hallmarks or other indicia of your compliance program. You can take this exercise through each of the five objectives under the COSO 2013 Internal Controls Framework and its attendant 17 Principles. From this mapping you can then perform a gap analysis to determine where you might need to implement internal compliance controls into your anti-corruption compliance program. This can lead to remedial steps that you can take. For example, you can recommend that procedures be written for all key compliance areas in which there are currently no procedures, and your existing procedures can be updated to include compliance issues and a clear definition of how controls are to be evidenced.
Through this you can move from having detect controls in place to having prevent controls, whenever possible. As a Chief Compliance Officer (CCO) or compliance practitioner, this is an exercise that you can engage in at no cost. You simply investigate and note what internal controls you have in place and how they may be a part of your anti-corruption efforts going forward. Compliance is a straightforward exercise; this does not mean that it is easy, and you do have to work at it so that you do not simply have a paper, “check the box”, program. But using the excuse that you have limited resources is simply an excuse, and a rather poor one at that. While the clear lesson from the BHP enforcement action is that you are required to have effective internal controls in place, by engaging in this mapping exercise you can then figure out what you have and, more importantly, what internal compliance controls you do not have and need to institute.

Three Key Takeaways

1. Learn the internal controls your company currently has in place.
2. Map your compliance internal controls to the COSO 2013 Framework.
3. Use your gap analysis as a basis for remediation.
What specifically are internal controls in a compliance program? Internal controls are not only the foundation of a company but are also the foundation of any effective anti-corruption compliance program. The starting point is the FCPA itself, which requires the following. Section 13(b)(2)(B) of the Exchange Act (15 U.S.C. § 78m(b)(2)(B)), commonly called the “internal controls” provision, requires issuers to:

devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that—
(i) transactions are executed in accordance with management’s general or specific authorization;
(ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;
(iii) access to assets is permitted only in accordance with management’s general or specific authorization; and
(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences ….

The Justice Department (DOJ) and Securities and Exchange Commission (SEC), in their 2012 FCPA Guidance, stated, “Internal controls over financial reporting are the processes used by companies to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements.
They include various components, such as: a control environment that covers the tone set by the organization regarding integrity and ethics; risk assessments; control activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitoring.” Moreover, “the design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.” Aaron Murphy, Assistant Solicitor General in the Office of the Attorney General for the state of Utah and the author of “Foreign Corrupt Practices Act: A Practical Resource for Managers and Executives”, said, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.” Internal controls expert Joe Howell, EVP at Workiva, Inc. has said that internal controls are systematic measures, such as reviews, checks and balances, methods and procedures, instituted by an organization that performs several different functions. 
These functions include allowing a company to conduct its business in an orderly and efficient manner; to safeguard its assets and resources; to detect and deter errors, fraud, and theft; to assist an organization in ensuring the accuracy and completeness of its accounting data; to enable a business to produce reliable and timely financial and management information; and to help an entity ensure there is adherence to its policies and plans by its employees, applicable third parties and others. Howell adds that internal controls are entity wide; that is, they are not just limited to the accountants and auditors. Howell also notes that for compliance purposes, controls are those measures specifically designed to provide reasonable assurance that any assets or resources of a company cannot be used to pay a bribe. This definition includes diversion of company assets, such as by unauthorized sales discounts or receivables write-offs, as well as the distribution of assets. The Committee of Sponsoring Organizations of the Treadway Commission (COSO), in its 2013 Internal Controls Framework publication entitled “Internal Controls – Integrated Framework”, defined internal controls as follows: Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance. This definition reflects certain fundamental concepts.
Internal control is:

- Geared to the achievement of objectives in one or more categories—operations, reporting, and compliance
- A process consisting of ongoing tasks and activities - a means to an end, not an end in itself
- Effected by people - not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to affect internal control
- Able to provide reasonable assurance - but not absolute assurance, to an entity’s senior management and board of directors
- Adaptable to the entity structure - flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process.

The Integrated Framework goes on to note, “This definition is intentionally broad. It captures important concepts that are fundamental to how organizations design, implement, and conduct internal control, providing a basis for application across organizations that operate in different entity structures, industries, and geographic regions.”

Why are internal controls important in your compliance program? Two FCPA enforcement actions demonstrate the reason. The first came in late 2013 when the DOJ obtained a criminal plea from Weatherford International (WFT). There were three areas where WFT failed to institute appropriate internal controls. First, around third parties and business transactions, limits of authority and documentation requirements. Second, on effectively evaluating business transactions, including acquisitions and joint ventures (JVs), for corruption risks and investigating those risks when detected. Finally, around excessive gifts, travel, and entertainment, where such expenses were not adequately vetted to ensure that they were reasonable, bona fide, and properly documented. The second case involved the gun manufacturer Smith & Wesson (S&W). The case did not include a criminal charge filed by the DOJ, but a civil matter was prosecuted administratively by the SEC.
In its Administrative Order, the SEC stated, “Smith & Wesson failed to devise and maintain sufficient internal controls with respect to its international sales operations. While the company had a basic corporate policy prohibiting the payment of bribes, it failed to implement a reasonable system of controls to effectuate that policy.” Moreover, the company did not “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed in accordance with management’s general or specific authorization; transactions are recorded as necessary to maintain accountability for assets, and that access to assets is permitted only in accordance with management’s general or specific authorization”. The whole concept of internal controls is that companies need to focus on where the risks are, whether they be compliance risks or other, and allocate their limited resources to putting controls in place that address those risks. In the compliance world, of course, your two big risks are these: first, the assets or resources of a company, not just cash but inventory, fixed assets etc., being used to pay a bribe; and second, the diversion of company assets, such as unauthorized sales discounts or receivables write-offs, which are used to pay a bribe. As an exercise, I suggest that you map your existing internal controls to the Ten Hallmarks of an Effective Compliance Program or some other well-known anti-corruption regime to see where control gaps may exist. This will help you to determine whether adequate compliance internal controls are present. From there you can move to see if they are working in practice or ‘functioning’. Internal controls will only become more important in FCPA enforcement. This month you will learn how to get ahead of the curve.

Three Key Takeaways

1. Effective internal controls are required under the FCPA.
2. Internal controls are a critical part of any best practices compliance program.
3. The Weatherford and Smith & Wesson FCPA enforcement actions demonstrate the enforcement spotlight on internal controls.

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.
Prior to the Schrems decision by the European Court of Justice, US based law firms could rely on Safe Harbor to use and analyze information from investigations conducted in Europe. However, the Schrems decision and subsequent EU privacy rulings and regulations have brought the entire issue around internal investigations into question. In a podcast interview with UK solicitor and data privacy expert Jonathan Armstrong about the decision, Armstrong noted that the decision puts real roadblocks in the path of a US company that could be investigating potential anti-corruption allegations in the UK or an EU member country. The biggest issue would be around personal privacy and information. Unlike in the US, work emails are covered by the privacy rights afforded to individuals and are not the property of the company. The same is true of other information. Under the Schrems decision, the ability of a US corporation to access that information and then take it back to the US under the safe harbor provision is no longer available. I asked Armstrong how a company might be able to move forward and internally investigate potential FCPA violations. Armstrong suggested that the only way at this point was to obtain the consent of the person being investigated. However, obtaining such consent raises a host of other problems. He said, “Can I really get consent in an internal investigation? Can I go along, speak to my Austrian agent and say, “Peter, I just need you to sign this form to transfer your data to the US”? Now, for consent to be valid under the European legislation it has to be fully explained, it has to be honest, it can't be deceptive. I’ve got to say to him, “I want you to sign this form because I want to investigate you. I want to run a full FCPA investigation; you’re the prime suspect. I want to take a look at your emails and I have to inform you that by the way, you have the right not to consent and if you don’t consent there’s no way I can investigate you.
Could you sign the form, please?”” As Armstrong went on to note, “What answer is he likely to give in an internal investigation and how would the US authorities feel if I go and tip off the main suspect that he’s under investigation?” With these two key components of any best practices compliance program, hotlines and internal investigations, seemingly now unavailable to CCOs or compliance practitioners for EU sourced information, I believe there will be additional pressure put on the compliance function. Obviously any US company with EU based operations will have to take steps immediately to ring fence such data originating in Europe. It may also mean that any inquiries will need to be headed by locally based compliance practitioners. Moreover, if you couple the ruling in the Schrems decision with the Yates Memo, you immediately see the issue involved for any company which is seeking cooperation credit, because such a company is required to turn over any and all information to the Department of Justice (DOJ) as soon as possible. But now, even if companies can still develop facts and data through internal investigations, in the manner suggested by Pirrotta in using local law firms, you might not be able to get the information back to the US to use. Worse yet is the option laid out by Armstrong, to obtain consent from an investigation target. Not only do I find it very improbable that anyone, European or otherwise, would give such consent, but in the unlikely event such consent is given, you have told the target that they are the target, and other data sources might well begin to disappear. Armstrong put it starkly when he said, “you’re going to get no sympathy from the bribery prosecutors, bribery regulators if you mess this up. The SFO [Serious Fraud Office] have already lost the case, allegedly, on the way in which the US firm involved conducted the investigation.
They will have, rightly I think, no sympathy at all for people whose investigations are themselves conducted unlawfully. It’s going to need a lot of careful thought to structure data transfers, even to structure interviews. How do you move those interview notes about, how do you look at emails, all of this stuff is going to be absolutely critical not only so that you don’t break data privacy, data protection laws, but also tipping off witnesses, you know, interfering with the scene of an investigation, et cetera, et cetera. All of these things are critical.” How does the Schrems decision contribute to compliance at the tipping point? If you cannot use two of the key components in a best practices compliance program, based upon the DOJ/Securities and Exchange Commission (SEC) Ten Hallmarks of an Effective Compliance Program or another standard, it will put significant pressure on other parts of the program. A compliance program will have to be structured more rigorously to prevent FCPA violations through the use of internal controls and transaction monitoring tools. CCOs and compliance practitioners will also have to be more involved and have more visibility into the entire lifecycle of transactions so they can determine how to begin to move from even prevention to proscription of any FCPA violations. Just as the compliance world changed with the announcement of the Yates Memo, the DOJ Compliance Counsel and the VW emissions-testing scandal, the Schrems decision will change the need for a more robust compliance program going forward to help protect a company.

Three Key Takeaways

1. The Schrems decision significantly impacted US based internal investigations.
2. Study the privacy laws of the country where you are performing your investigation.
3. Informed consent is difficult to obtain but it may be critical for your investigation.
In the Department of Justice’s Evaluation of Corporate Compliance Programs, Prong 8, Incentive and Disciplinary Measures, states: “Incentive System – How has the company incentivized compliance and ethical behavior? How has the company considered the potential negative compliance implications of its incentives and rewards? Have there been specific examples of actions taken (e.g., promotions or awards denied) as a result of compliance and ethics considerations?” Further, representatives of the DOJ and Securities and Exchange Commission (SEC) have continually raised one key point when discussing any best practices compliance program, whether based on the Ten Hallmarks of an Effective Compliance Program, as articulated in their 2012 FCPA Guidance, or some other articulation such as the compliance program embedded in a Deferred Prosecution Agreement’s (DPA) Attachment C: they continually remind Chief Compliance Officers (CCOs) and compliance practitioners that any best practices compliance program should have incentives as a part of the program. The 2012 Guidance is clear that there should be incentives not only for following your own company’s internal Code of Conduct but also for doing business the right way, i.e. not engaging in bribery and corruption. On incentives, the Guidance says, “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership. Some organizations, for example, have made adherence to compliance a significant metric for management’s bonuses so that compliance becomes an integral part of management’s everyday concern.” But the Guidance also recognizes that incentives need not be limited to financial rewards, as sometimes simply acknowledging employees for doing the right thing can be a powerful tool as well.
All of this was neatly summed up in the Guidance with a quote from a speech given in 2004 by Stephen M. Cutler, then Director, Division of Enforcement, SEC, entitled “Tone at the Top: Getting It Right”, to the Second Annual General Counsel Roundtable, where Director Cutler said the following: “[M]ake integrity, ethics and compliance part of the promotion, compensation and evaluation processes as well. For at the end of the day, the most effective way to communicate that ‘doing the right thing’ is a priority, is to reward it. Conversely, if employees are led to believe that, when it comes to compensation and career advancement, all that counts is short-term profitability, and that cutting ethical corners is an acceptable way of getting there, they’ll perform to that measure. To cite an example from a different walk of life: a college football coach can be told that the graduation rates of his players are what matters, but he’ll know differently if the sole focus of his contract extension talks or the decision to fire him is his win-loss record.” All of this demonstrates that incentives can take a wide range of avenues. The oilfield services company Weatherford annually awards cash bonuses of $10,000 to employees who go above and beyond in the area of ethics and compliance for the company. While some might intone that this is to be expected from a company that only recently concluded a multi-year and multi-million dollar enforcement action, if you want to emphasize a change in culture, not much says so more loudly than awarding that kind of money to an employee. While I am sure that being handed a check for $10,000 is quite a nice prize, you can also consider much more mundane methods to incentivize compliance. You can make a compliance evaluation a part of any employee’s overall evaluation for some type of year-end discretionary bonus payment. It can be 5%, 10% or even up to 20%. But once you put it in writing, you need to actually follow it.
But incentives can also be burned into the DNA of a company through the hiring and promotion processes. There should be a compliance component to all senior management hires and to promotions up to those august ranks within a company. Your Human Resources (HR) function can be a great aid to your cause in driving the right type of behavior through the design and implementation of such structures. Employees know who gets promoted and why. If someone known only for continually hitting their numbers is promoted, how they accomplished this feat will certainly be observed by their co-workers.
Three Key Takeaways:
The DOJ Evaluation specifically calls out incentives for doing business ethically and in compliance.
HR can lead the efforts around incentives.
Incentives go beyond financial rewards.
This month’s series is sponsored by Advanced Compliance Solutions and its new service offering, the “Compliance Alliance”, a three-step program that will provide you and your team a background in compliance and the FCPA so you can consider how your product or service fits into the needs of a compliance officer. It includes an FCPA and compliance boot camp, sponsorship of a one-month podcast series, and in-person training. Each section builds on the other and provides your customer service and sales teams with the knowledge they need to have intelligent conversations with compliance officers and decision makers. When the program is complete, your teams will be armed with the knowledge they need to sell and service every new client. Interested parties should contact Tom Fox.
Operationalizing your compliance program can take many shapes and forms. Using the entire risk management process to embed your compliance program within the contours of your organization is a key step, as it will give you full visibility of your compliance risks through a longer life cycle. Forecasting allows you to consider your business strategy and wed it to the risks you can foresee. Risk assessments allow you to evaluate and measure known risks. Risk-based monitoring allows you to monitor the compliance risks you know and detect those you do not know, on an ongoing basis. I think there are several key lessons to be considered by any Chief Compliance Officer (CCO) or compliance practitioner. The first is the process around risk management. Most compliance practitioners understand the need for a risk assessment, as it is articulated as Hallmark No. 4 of the Ten Hallmarks of an Effective Compliance Program. In the FCPA Guidance, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) said, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” In addition to this business case, the FCPA Guidance also specified the enforcement reasons for performing a risk assessment: “DOJ and SEC will give meaningful credit to a company that implements in good faith a comprehensive, risk-based compliance program, even if that program does not prevent an infraction in a low risk area because greater attention and resources had been devoted to a higher risk area.” The DOJ Evaluation of Corporate Compliance Programs builds on this. Yet as compliance evolves and corporate compliance programs become more sophisticated, compliance is seen not simply as a legal prophylactic but as a business process.
Seen in this light, it is clear the risk management process should begin with forecasting, as it attempts to estimate future aspects of your business. Locwin noted that companies should be able to say with some degree of authority, “We think the following will happen in the next three months, six months, twelve months, twenty-four months, is really something that the businesses try to wrap their heads around in such a way that they can shunt resources where they think is appropriate in order to meet these future demands.” By starting with forecasting, a compliance function can then use risk assessment to consider issues which forecasting did not predict, or issues which the forecasting model raised as a potential outcome warranting a deeper dive. If you are moving into a new product or sales area and are required to use third-party sales agents, a risk assessment would provide information that a company could use to ameliorate the risks. Risk-based monitoring follows on from the issues that your risk assessment identified as your highest risks. Locwin said, “Risk-based monitoring tends to look at things on an ongoing basis, and the models that are behind the risk-based modeling, risk-based monitoring models, they’re continuously refined based on incoming data.” All three of these tools tie back into process management and process improvement. Locwin stated, “There’s always this balance between what’s actually important for our business or for proper execution, versus what’s actually going on in the whole process.
If you’re not measuring at a high enough resolution, you’re not capturing a lot of the environmental, market force, external factors that probably are of high leverage to your operations in business that you just don’t know about.” Locwin tied them together with the following example: “There’s a 30% chance of this abject market failure happening, this product fails, this restaurant site contaminates people, this product doesn’t ship before Christmas, this phone explodes.” If you knew that in advance, the executive committee probably almost everywhere would say, “We have to act, and act now.” That’s where the rubber meets the road and you’ve got to forecast and have a contingency in place. A lot of times, there isn’t that level of forecasting done in advance to say, “We think there’s this 30% chance of it occurring, therefore not only do we need a strong contingency plan, but we should expect to have to use it in Quarter 2. It’s right there sitting on everybody’s dashboard all the time.” In other words, it comes down to execution. This means you have to use the risk management tools available to you and, when a situation arises, you remediate when required. This is not only where the rubber hits the road, but the information and data you garner in the execution phase should be fed back into the process loop. From this, you will develop continuous feedback and continuous improvement. I have gone through this in some detail to emphasize the business process nature that compliance has evolved into as a corporate discipline. By using these techniques, the CCO or compliance practitioner makes the business run more efficiently and, at the end of the day, more profitably. The more you can bring these types of insight to a Chief Executive, the more you demonstrate how compliance adds to the bottom line and is not simply a cost center.
Three Key Takeaways:
The risk management process is an important backbone of operationalizing compliance.
You should be able to monitor and measure both known and unknown risks.
All of these steps help a business to run more efficiently and more profitably.
This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.
The Evaluation, most generally, follows the DOJ and Securities and Exchange Commission’s (SEC) seminal Ten Hallmarks of an Effective Compliance Program, released in the 2012 FCPA Guidance. If there is one overriding theme in the Evaluation, it is the DOJ’s emphasis on operationalizing your compliance program, as the questions posed are designed to test how far down your compliance program is incorporated into the very DNA and fabric of your organization. The Evaluation is not simply a restatement of the Ten Hallmarks, as it clearly incorporates the DOJ’s evolution in what constitutes a best practices compliance program over the past 18 months, and it certainly builds upon the information put forward in the DOJ’s FCPA Pilot Program regarding effective compliance programs, most particularly found in Prong 3, Remediation.
Three Key Takeaways:
The Evaluation follows a consistent theme of DOJ pronouncements over the past 18 months on operationalizing your compliance program.
There is one new area with a focus on root cause analysis and risk assessments.
There is a greater consideration of how the CCO is treated and viewed within an organization.
Last month, the Department of Justice (DOJ) very quietly released a document, entitled “Evaluation of Corporate Compliance Programs” (Evaluation), on the Fraud Section website. The document is an 11-part list of questions which encapsulates the DOJ’s most current thinking on what constitutes a best practices compliance program. Within the list are some 46 different questions that a Chief Compliance Officer (CCO) or compliance practitioner can use to benchmark a compliance program. In short, it is an incredibly valuable and most significantly useful resource for every compliance practitioner. The document has one clear theme that I will be exploring this month—you must operationalize your compliance program. The Evaluation, most generally, follows the DOJ and Securities and Exchange Commission’s (SEC) seminal Ten Hallmarks of an Effective Compliance Program, released in the 2012 FCPA Guidance. If there is one overriding theme in the Evaluation, it is the DOJ’s emphasis on doing compliance, as the questions posed are designed to test how far down your compliance program is incorporated into the fabric of your organization. The Evaluation is not simply a restatement of the Ten Hallmarks, as it clearly incorporates the DOJ’s evolution in what constitutes a best practices compliance program, and it certainly builds upon the information put forward in the DOJ’s FCPA Pilot Program regarding effective compliance programs, most particularly found in Prong 3, Remediation. Once again, I detect the hand of DOJ Compliance Counsel Hui Chen in not only helping the DOJ to understand what constitutes an effective compliance program but also providing solid information to the greater compliance community on this score.
Three Key Takeaways:
The DOJ Evaluation requires you to operationalize your compliance program.
The DOJ Evaluation makes clear compliance is a business process.
The DOJ Evaluation is significant for what it does not focus on: legal solutions or even legal language.
This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.
In this episode, Matt Kelly and I take a deep dive into the Department of Justice’s (DOJ) recent release, entitled “Evaluation of Corporate Compliance Programs” (Evaluation), which went up on the Fraud Section website on February 8. The document is an 11-part list of questions which encapsulates the DOJ’s most current thinking on what constitutes a best practices compliance program. Within the list are some 46 different questions that a Chief Compliance Officer (CCO) or compliance practitioner can use to benchmark a compliance program. In short, it is an incredibly valuable and most significantly useful resource for every compliance practitioner. The Evaluation, most generally, follows the DOJ and Securities and Exchange Commission’s (SEC) seminal Ten Hallmarks of an Effective Compliance Program, released in the 2012 FCPA Guidance. If there is one overriding theme in the Evaluation, it is the DOJ’s emphasis on doing compliance, as the questions posed are designed to test how far down your compliance program is incorporated into the fabric of your organization. The Evaluation is not simply a restatement of the Ten Hallmarks, as it clearly incorporates the DOJ’s evolution in what constitutes a best practices compliance program, and it certainly builds upon the information put forward in the DOJ’s FCPA Pilot Program regarding effective compliance programs, most particularly found in Prong 3, Remediation.
James Doty, Acting Commissioner of the Public Company Accounting Oversight Board (PCAOB), was once asked if the Board or its sub-committee which handles audits was a part of a company’s internal financial controls. He answered that yes, he believed that was one of the roles of an Audit Committee or full Board. I had never thought of the Board as an internal control, but the more I thought about it, the more I realized it was an important insight for any Chief Compliance Officer or compliance practitioner, as it also applies as a compliance internal control. In the FCPA Guidance, in the Ten Hallmarks of an Effective Compliance Program, there are two specific references to the obligations of a Board. The first is in Hallmark No. 1, which states, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3, entitled “Oversight, Autonomy and Resources”, where it discusses that the CCO should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The Department of Justice’s (DOJ) Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment? Doty’s remarks drove home to me the absolute requirement for Board participation in any best practices or even effective anti-corruption compliance program. Board liability for its failure to perform its assigned function in any compliance program is well known.
David Stuart, an attorney with Cravath, Swaine & Moore LLP, noted that FCPA compliance issues can lead to personal liability for directors, as both the Securities and Exchange Commission (SEC) and DOJ have been “very vocal about their interest in identifying the highest-level individuals within the organization who are responsible for the tone, culture, or weak internal controls that may contribute to, or at least fail to prevent, bribery and corruption”. He added that based upon the SEC’s enforcement action against two senior executives at Nature’s Sunshine Products, “Under certain circumstances, I could see the SEC invoking the same provisions against audit committee members—for instance, for failing to oversee implementation of a compliance program to mitigate risk of bribery”. It would not be too far a next step for the SEC to invoke the same provisions against audit committee members who do not actively exercise oversight of an ongoing compliance program. Further, the SEC has made clear that it believes a Board should take a more active role in overseeing the management of risk within a company. The SEC has promulgated Regulation SK 407 under which each company must make a disclosure regarding the Board’s role in risk oversight which “may enable investors to better evaluate whether the board is exercising appropriate oversight of risk.” If this disclosure is not made, it could be a securities law violation and subject the company, which fails to make it, to fines, penalties or profit disgorgement. I believe that a Board must not only have a corporate compliance program in place but actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions. But it is more than simply having a compliance program in place. 
The Board must exercise appropriate oversight of the compliance program and indeed the compliance function. The Board needs to ask the hard questions and be fully informed of the company’s overall compliance strategy going forward. If a Board’s oversight is part of effective compliance controls, then the failure to exercise it may result in something far worse than bad governance. Such inattention could directly lead to an FCPA violation and could even form the basis of an independent SOX violation as to the Board.
Three Key Takeaways:
A Board must engage in active oversight.
A Board should review the design of internal controls on a regular basis.
Failure to do so could form the basis for an independent legal violation under SOX.
The Office of Inspector General (OIG), Department of Health and Human Services, issued a paper entitled “Practical Guidance for Health Care Governing Boards on Compliance Oversight” (the OIG Guidance). It provides an excellent road map for thinking about how to structure a Compliance Committee for your Board and a Board’s obligations. As an introduction, the OIG Guidance states that a Board must act in good faith around its obligations regarding compliance. This means that there must be a corporate information and reporting system and that such reporting mechanisms must provide appropriate information to a Board. It stated, “The existence of a corporate reporting system is a key compliance program element, which not only keeps the Board informed of the activities of the organization, but also enables an organization to evaluate and respond to issues of potentially illegal or otherwise inappropriate activity.” The OIG Guidance sets out four areas of Board oversight and review of a compliance function: “(1) roles of, and relationships between, the organization’s audit, compliance, and legal departments; (2) mechanism and process for issue-reporting within an organization; (3) approach to identifying regulatory risk; and (4) methods of encouraging enterprise-wide accountability for achievement of compliance goals and objectives.” While noting that a corporate compliance function should promote the prevention, detection and remediation of compliance violations, the OIG Guidance goes on to state that an organization’s Chief Compliance Officer (CCO) “should neither be counsel for the provider, nor be subordinate in function or position to counsel or the legal department, in any manner.” Rather, the Board must ensure the CCO and compliance function have the resources to fulfill their assigned role within an organization and access to the Board.
The Board should evaluate and discuss how management works together to address risk, including the role of each in: identifying compliance risks, investigating compliance risks and avoiding duplication of effort, identifying and implementing appropriate corrective actions and decision-making, and communicating between the various functions throughout the process. A key component of Board oversight is the flow of information. The OIG Guidance says, “The Board should set and enforce expectations for receiving particular types of compliance-related information from various members of management. The Board should receive regular reports regarding the organization’s risk mitigation and compliance efforts—separately and independently”. These reports can come to the Board via a variety of reporting mechanisms: regular Board meetings, special Executive Sessions where the Board meets with the CCO or compliance leadership outside of the presence of senior management, and ad hoc communications from the CCO. All of these help create a “continuous expectation of open dialogue” which is paramount for proper Board oversight. Of course, if a serious compliance issue arises, it needs to be communicated directly, and in a timely manner, to the Board. But in addition to setting the expectations for the flows of information, a Board must also set expectations for holding senior management accountable for areas such as compliance. This can be through the assessment of “individual, department, or facility-level performance or consistency in executing the compliance program” and using this information to pay out or withhold discretionary bonuses “based upon compliance and quality outcomes.” The OIG Guidance also notes, “Some companies have made participation in annual incentive programs contingent on satisfactorily meeting annual compliance goals.
Others have instituted employee and executive compensation claw-back/recoupment provisions if compliance metrics are not met.” However the key component is that “Through a system of defined compliance goals and objectives against which performance may be measured and incentivized, organizations can effectively communicate the message that everyone is ultimately responsible for compliance.” A Board also needs to have regular reports on the risks that any organization may face. This means keeping abreast of “relevant and emerging regulatory risks, the role and functioning of an organization’s compliance program in the face of those risks and the flow and elevation of reporting of potential issues and problems to senior management.” The OIG Guidance speaks to technological solutions when it says, “Some Boards use tools such as dashboards—containing key financial, operational and compliance indicators to assess risk, performance against budgets, strategic plans, policies and procedures, or other goals and objectives—in order to strike a balance between too much and too little information. For instance, Board quality committees can work with management to create the content of the dashboards with a goal of identifying and responding to risks and improving quality of care.” Moreover, a Board should also mandate that the company’s compliance function have the proper tools in place to facilitate compliance reporting internally. It states, “Boards should also consider establishing a risk-based reporting system, in which those responsible for the compliance function provide reports to the Board when certain risk-based criteria are met. The Board should be assured that there are mechanisms in place to ensure timely reporting of suspected violations and to evaluate and implement remedial measures. 
These tools may also be used to track and identify trends in organizational performance against corrective action plans developed in response to compliance concerns.” Ultimately a Board should drive home the message of compliance as “a way of life” so that it permeates into the DNA of a health care organization. For if a Board can help drive compliance into the fabric of an organization, it will have done more than simply fulfill its legal obligations starting in the Caremark decision and going forward. The Board will have helped to make the entire organization more compliance-centric, and when a Board can help to facilitate such a change in attitudes, it will have moved the organization several steps down the road of doing business in compliance with relevant laws and issues. The OIG Guidance is an excellent review for not only compliance professionals and others in the health care industry but a good primer for Boards around their own duties under a best practices compliance program. The US Federal Sentencing Guidelines, the Ten Hallmarks of an Effective Compliance Program, the OIG voluntary compliance program guidance documents, and OIG Corporate Integrity Agreements (CIAs) can be used as baseline assessment tools for Boards and management in determining what specific functions may be necessary to meet the requirements of an effective compliance program. The Guidelines “offer incentives to organizations to reduce and ultimately eliminate criminal conduct by providing a structural foundation from which an organization may self-police its own conduct through an effective compliance and ethics program.” “The compliance program guidance documents were developed by OIG to encourage the development and use of internal controls to monitor adherence to applicable statutes, regulations, and program requirements.”
Three Key Takeaways:
Information flow up to the Board is critical.
Compliance should be institutionalized in your company as a way of life.
A Board needs to consider all risks.
For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program.
Case Law
As to the specific role of ‘Best Practices’ in the area of general compliance and ethics, one can look to Delaware corporate law for guidance. The case of In Re Caremark International Inc. was the first case to hold that a Board’s obligation “includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.” In the case of Stone v. Ritter, the Supreme Court of Delaware expanded on the Caremark decision by establishing two important principles. First, the Court held that the Caremark standard is the appropriate standard for director duties with respect to corporate compliance issues. Second, the Court found that there is no duty of good faith that forms a basis, independent of the duties of care and loyalty, for director liability. Rather, Stone v. Ritter holds that the question of director liability turns on whether there is a “sustained or systematic failure of the board to exercise oversight – such as an utter failure to attempt to assure a reasonable information and reporting system exists.” According to Haynes and Boone in its publication “Corporate Governance and the Role of the Board”, a director’s business decisions generally qualify for protection by the “business judgment rule.” Under the business judgment rule, courts presume that directors making business decisions acted on an informed basis, in good faith, and with the honest belief that the action taken was in the best interests of the corporation.
In lawsuits brought against directors by shareholders, courts applying the business judgment rule will determine only whether the directors making the decision (i) were free from conflicts of interest, (ii) appropriately informed themselves before taking the action, and (iii) acted after due consideration of all relevant information that was reasonably available. Under the business judgment rule, the board’s action will not expose board members to liability if the decision can be attributed to any rational business purpose. Directors who meet the criteria of the business judgment rule do not have to worry about having their business decisions second-guessed by a court, even where those decisions result in corporate losses.
FCPA Guidance and US Sentencing Guidelines
A Board’s duty under the Foreign Corrupt Practices Act (FCPA) is well known. In the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) FCPA Guidance, under the Ten Hallmarks of an Effective Compliance Program, there are two specific references to the obligations of a Board. The first, in Hallmark No. 1, entitled “Commitment from Senior Management and a Clearly Articulated Policy Against Corruption”, states: “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3, entitled “Oversight, Autonomy and Resources”, which says the Chief Compliance Officer (CCO) should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight of the effectiveness of a company’s compliance program.
The DOJ’s Prosecution Standards pose the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment? There is one other issue regarding the Board and risk management, including FCPA risk management, which should be noted. It appears that the SEC wants Boards to take a more active role in overseeing the management of risk within a company. Under Item 407 of Regulation S-K, each company must disclose the Board’s role in risk oversight, a disclosure which “may enable investors to better evaluate whether the board is exercising appropriate oversight of risk.” Failure to make this disclosure could be a securities law violation and subject the company to fines, penalties or profit disgorgement. From the Delaware cases, I believe that a Board must not only have a corporate compliance program in place but actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions. The specific obligations set out regarding the FCPA carry these general legal obligations down to the level of the statute.
Three Key Takeaways
1. The Delaware courts have led the way with the Caremark and Stone v. Ritter decisions.
2. Note the obligations of the Board under the Ten Hallmarks of an Effective Compliance Program.
3. The US Sentencing Guidelines also require Board involvement and oversight.
For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here.
As it made clear with several FCPA enforcement actions in 2016, the SEC has placed renewed interest in the accounting provisions of the FCPA, specifically the internal controls provisions. The BHP enforcement action continued this trend: although there was no evidence that bribes were paid or offered in violation of the FCPA, BHP’s poor internal compliance controls led to a $25MM penalty. Indeed, Kara Brockmeyer, Chief of the FCPA Unit in the SEC’s Division of Enforcement, reiterated that the SEC was committed to protecting investors in US public companies, and in companies that list other securities in the US, through enforcement of the accounting provisions, including the internal controls provisions, of the FCPA. The reason seems straightforward: a company with rigorous internal compliance controls is better able to prevent, detect and remedy any FCPA violations that do occur. What can you do about the FCPA’s internal controls requirements and the current SEC emphasis? I would suggest you begin with an exercise in which you map the internal controls your company has in place to the indicia of the Ten Hallmarks of an Effective Compliance Program, as set out in the FCPA Guidance. While most compliance practitioners are familiar with the Ten Hallmarks, you may not be as familiar with standards for internal controls; I would suggest the COSO 2013 Framework as your starting point. As a lawyer or compliance practitioner you may not be familiar with all the internal controls you already have in place, so this exercise is a good opportunity to meet with the heads of Internal Audit, Finance and Accounting (F&A), Treasury and any other function in your company that deals with financial controls, and to talk with them about the financial controls you may already have. An easy example is employee expense reports.
Every company I have ever worked at or even heard of requires expenses submitted for reimbursement to be documented on some type of expense reimbursement form. This is mandatory for IRS reporting, so every entity does it. See how many controls are in place around that form:
· Is the employee who submits the expense reimbursement required to sign it?
· Does his or her immediate supervisor review, approve and sign it?
· Does anyone else in the employee’s direct reporting chain review, approve and sign?
· Does anyone from accounts payable review and approve, both for accuracy and to make sure that all referenced expenses are properly receipted?
· Is there any other review in accounts payable?
· Is there any aggregate review of expense reports?
· Is there a monetary limit above which additional reviews and approvals occur?
Now, if an employee has submitted expenses for activities that occurred outside the US:
· Were any foreign government officials involved?
· Were those officials identified on the expense reimbursement form?
· Was the business purpose of the meal, gift or other hospitality recorded?
· Can you aggregate the monies spent on any one foreign official, or by a single employee, in your expense reporting system?
All of these are internal controls that can be mapped to the appropriate Hallmark or other indicia of your compliance program. You can take this exercise through each of the five components of the COSO 2013 Framework and its attendant 17 Principles. From this mapping you can then perform a gap analysis to determine where you need to implement internal compliance controls in your anti-corruption compliance program, which leads directly to remedial steps. For example, you can recommend that procedures be written for all key compliance areas that currently have none, and that existing procedures be updated to address compliance issues and to define clearly how each control is to be evidenced.
Through this you can move from having only detective controls in place to having preventive controls wherever possible. As a Chief Compliance Officer (CCO) or compliance practitioner, this is an exercise you can engage in at no cost: you simply investigate and note what internal controls you have in place and how they can become part of your anti-corruption efforts going forward. As I said last week, compliance is a straightforward exercise. This does not mean it is easy; you have to work at it so that you do not end up with a paper, “check the box” program. But the excuse that you have limited resources is simply an excuse, and a rather poor one at that. The clear lesson from the BHP enforcement action is that you are required to have effective internal controls in place; by engaging in this mapping exercise you can figure out what you have and, more importantly, which internal compliance controls you do not have and need to institute.
Three Key Takeaways
1. Learn the internal controls your company currently has in place.
2. Map your compliance internal controls to the COSO 2013 Framework.
3. Use your gap analysis as a basis for remediation.
For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here.
You should work to create a culture of data in your compliance program. This comes from an understanding that data is a product, one that the compliance function can consume internally. Your data is a corporate asset, so why not use it? Data is not simply big or scary; it is information that you can use to make better decisions. The CCO needs to find a way to deliver compliance analytics in a manner that is timely within your company’s everyday decision-making. One of the biggest misunderstandings about using data is that compliance practitioners tend to be myopic: they look at individual records when it is more useful to know what a population of people is doing. As a CCO, how many times have you heard something along the lines of “If we look we might find something”? This defensive attitude can keep you from making use of some of the most useful information available to you, your own data. The more transparent companies have been with their data, the less they have come to regard it as a liability. A key insight for the compliance function is that the democratization of data access has allowed companies to become much more data-oriented in decision making. So do not hoard your data. This means more than simply using it yourself; it means making it available to the business folks to help them make decisions that are more in compliance. This transparency will not only improve the quality of your decision making but should also allow you to bring more robust compliance analysis into the fabric of your organization. Innovation in compliance is really nothing new. Best practices compliance programs have evolved from as far back as the Metcalf & Eddy enforcement action, through Opinion Release 04-02, to the current Ten Hallmarks of an Effective Compliance Program as set out in the FCPA Guidance. Even within these frameworks there has always been evolution in compliance.
This is to be embraced because the consequences of not doing so are too catastrophic. All of this means that compliance should use data to help establish a culture of innovation in the compliance function. Every CCO should be looking beyond today. Arnold & Porter LLP partner Stephen Martin has long advocated a one-, three- and five-year compliance program outlook that you should regularly review and update. From the data perspective you should consider what this might mean technologically and how you can enable that transformation going forward.
Key Takeaways
1. Look at aggregations of data to spot trends.
2. The more transparency you have in data, the less potential there is for liability going forward.
3. Data is a product, and compliance should consume data.
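The expense-report questions in the internal controls episode above (is the official named, is the business purpose recorded, can spend be aggregated per official or per employee) and the point here about looking at aggregations of data rather than single records are the kind of check that is easy to automate once the data is out of the expense system. The following Python is an added example written for this page, not code from the original episodes or from any expense or GRC product; the record fields, the two policy thresholds and the six sample line items are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Expense:
    """One line item from an expense reimbursement form (field names are assumed)."""
    report_id: str
    employee: str
    country: str
    amount_usd: float
    recipient: str            # counterparty named on the form; "" if none
    gov_official: bool        # recipient flagged as a foreign government official
    business_purpose: str     # "" if the form left the purpose blank
    approvers: tuple          # everyone who signed off, in order


# Assumed policy thresholds, standing in for whatever a company's
# gifts and hospitality policy actually sets.
PER_OFFICIAL_LIMIT_USD = 500.0     # aggregate hospitality per official, per period
SECOND_APPROVAL_OVER_USD = 1000.0  # single items above this need a second approver

# Constructed sample records, not real data.
SAMPLE_EXPENSES = [
    Expense("R1", "alice", "US", 80.0, "", False, "team lunch", ("bob",)),
    Expense("R2", "carol", "BR", 140.0, "Min. Silva", True, "dinner re permit", ("dan", "erin")),
    Expense("R3", "carol", "BR", 220.0, "Min. Silva", True, "dinner re permit", ("dan", "erin")),
    Expense("R4", "carol", "BR", 190.0, "Min. Silva", True, "", ("dan",)),
    Expense("R5", "frank", "NG", 60.0, "Insp. Okafor", True, "site visit coffee", ("gina",)),
    Expense("R6", "frank", "NG", 2500.0, "", False, "hotel, 5 nights", ("gina",)),
]


def spend_by_official(expenses):
    """Aggregate spend per named foreign official across all employees and reports."""
    totals = defaultdict(float)
    for e in expenses:
        if e.gov_official and e.recipient:
            totals[e.recipient] += e.amount_usd
    return dict(totals)


def spend_by_employee(expenses):
    """Aggregate spend per submitting employee, so one person's pattern is visible."""
    totals = defaultdict(float)
    for e in expenses:
        totals[e.employee] += e.amount_usd
    return dict(totals)


def control_exceptions(expenses):
    """Run the line-item and aggregate checks; return (subject, control, detail) tuples.

    The control names are labels for mapping each exception back to the relevant
    Hallmark or COSO principle during the gap analysis; that mapping is left to
    the reader.
    """
    exceptions = []
    for e in expenses:
        # Line-item checks: an official must be named, and every interaction
        # with an official must carry a recorded business purpose.
        if e.gov_official and not e.recipient:
            exceptions.append((e.report_id, "official-named", "government official not identified"))
        if e.gov_official and not e.business_purpose:
            exceptions.append((e.report_id, "business-purpose", "no business purpose recorded"))
        # Escalation check: large single items need more than the first-line approver.
        if e.amount_usd > SECOND_APPROVAL_OVER_USD and len(e.approvers) < 2:
            exceptions.append((e.report_id, "second-approval", f"{e.amount_usd:.2f} approved by one person"))
    # Aggregate check: items that are individually within limits can still add
    # up to more than policy allows for a single official.
    for official, total in spend_by_official(expenses).items():
        if total > PER_OFFICIAL_LIMIT_USD:
            exceptions.append((official, "aggregate-per-official", f"{total:.2f} over {PER_OFFICIAL_LIMIT_USD:.2f}"))
    return exceptions


if __name__ == "__main__":
    for subject, control, detail in control_exceptions(SAMPLE_EXPENSES):
        print(f"{subject:<12} {control:<22} {detail}")
```

The two line-item checks can be applied to a single form at approval time; the aggregate check is the one a supervisor approving reports one at a time cannot see, which is why it belongs in a recurring report over the whole population rather than in the approval workflow.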
Today’s topic will be an overview of the second Element of an Effective Compliance Program, specifically: Designating a Compliance Officer and Compliance Committee. Presented by Ahmed Salim Co-Founder of Comply Guys, Dave Monaghan CEO of Compliatric, and hosted by Brad Phillips Director of Sales for Compliatric. Ahmed mentioned the HCCA's Compliance 101 book in this episode. Here is the link: http://www.hcca-info.org/Products/ProductInfo.aspx?productcd=COMPLIANCE101 For questions or information about Complyguys please contact: ahmed.salim@complyguys.com or go to www.complyguys.com, or for questions or information about Compliatric please contact: bphillips@compliatric.com or go to www.compliatric.com.
The FCPA Guidance has about as clear, concise and short a statement about hotlines as any other Hallmark of an Effective Compliance Program. It states, “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.” But more than simply operating a hotline, companies have to make real efforts to listen to employees, and that takes sustained work. You need managers who are trained in how to handle employee concerns; they must be incentivized to take on this compliance responsibility; and you must devote communications resources to reinforcing the company’s culture and values, so as to create an environment in which managers are expected to raise employee concerns. The reason is that a company’s own employees are its best source of information about what is going on inside it. It is certainly a best practice for a company to listen to its own employees, particularly to help improve its processes and procedures. But beyond listening, a company should provide a safe and secure route for employees to escalate their concerns. This is the underlying rationale for an anonymous reporting system within any organization. Both the US Sentencing Guidelines and the Organisation for Economic Co-operation and Development (OECD) Good Practice Guidance list an anonymous reporting mechanism, by which employees can report compliance and ethics violations, as one of their components. The Dodd-Frank whistleblower provisions also favor the implementation of a hotline. What are some of the best practices for a hotline? I would suggest that you start with at least the following:
1. Availability.
2. Anonymity.
3. Escalation.
4. Follow-Up.
5. Oversight.
Closely related to hotlines is the area of internal company investigations: if your employees do not believe that an investigation is fair and impartial, then it is not fair and impartial. Furthermore, those involved must have confidence that any internal investigation is treated seriously and objectively. One of the key reasons employees go outside a company’s internal hotline process is that they do not believe the process will be fair. I would emphasize, yet again, that after your investigation is complete, the Fair Process Doctrine demands that any discipline not only be administered fairly but be administered uniformly across the company for a violation of any compliance policy. Failure to administer discipline uniformly will destroy any vestige of credibility you may have developed. What is your FCPA Investigation Protocol? With the advent of the Securities and Exchange Commission (SEC) Whistleblower Program, courtesy of Dodd-Frank, it is imperative that a company quickly and efficiently investigate all hotline reports. This means you need an investigation protocol in place so that the entire compliance function is on the same page and knows what to do. The following is a suggested starting point.
Step 1: Opening and Categorizing the Case.
Step 2: Planning the Investigation.
Step 3: Executing the Investigation Plan.
Step 4: Determining Appropriate Follow-Up.
Step 5: Closing the Case.
Three Key Takeaways
1. Pre-taliation is becoming a more important SEC enforcement tool.
2. Test your hotline on a regular basis to make sure it is working.
3. Utilize social media both for tips and reports and to spot trends.
For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here.
Topic: Intro to the Seven Elements of an Effective Compliance Program. Presented by Ahmed Salim, Co-Founder of Comply Guys, and Brad Phillips, Director of Sales for Compliatric.com. In this episode we cover the basics of the 7 Elements of an Effective Compliance Program:
· How the government scores an organization using culpability scoring
· What punishments an organization can face
· How you can use the 7 elements to help build a compliance program in your own organization
For questions or comments, reach out to us on Twitter @ThinkComply, or email: ahmed.salim@complyguys.com or info@compliatric.com
In this episode I review Hallmark 9 - Continuous Improvement: Periodic Testing and Review. This podcast series accompanies a 10-article blog series; to read more, check out my blog post series on Hallmark 9. For more information on this Hallmark, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available through Compliance Week by clicking here.