All Hail Rock and Roll as Check Berry died over the weekend. According to his New York Times (NYT) obituary “While Elvis Presley was rock’s first pop star and teenage heartthrob, Mr. Berry was its master theorist and conceptual genius, the songwriter who understood what the kids wanted before they knew themselves. With songs like “Johnny B. Goode” and “Roll Over Beethoven,” he gave his listeners more than they knew they were getting from jukebox entertainment.” His guitar work was phenomenal and the bottom line is a quote from John Lennon who said, ““If you tried to give rock and roll another name, you might call it ‘Chuck Berry’.””

Last week I interviewed Susan Divers, Senior Advisor at LRN Corporation, on the company’s 2016 Ethics and Compliance Program Effectiveness Report (Report). The Report was a fascinating review of the evolution of compliance and considering the input was compiled before the release of the Department of Justice (DOJ) Evaluation of Corporate Compliance Programs (Evaluation) sometime in February, eerily omnipresent. I found the survey spoke not only to the issue of doing compliance as opposed to simply having a compliance program in place but also to give solid advice by which a Chief Compliance Officer (CCO) can use to benchmark a corporate compliance program. The Report also provides a framework for the creation of a values based organization. I found the Report to be so important towards moving a company to operationalizing a corporate compliance program that I am devoting a multi-part blog post series to it this week. My podcast with Susan Divers will post on Wednesday of this week in the FCPA Compliance Report series on this site.

The Report on the dichotomy between having a compliance program in place and actually doing compliance or as the DOJ said in the Evaluation, operationalizing compliance. In preparation for the Report, LRN reviewed multiple surveys regarding compliance program effectiveness and with one exception, according to Divers they all “focused on components of programs. In other words, they focused on the inputs.” They asked such facile questions as “Do you have a code? Do you do training? Do you have tone at the top? In effect, it was a checklist approach and nobody was really focusing on outputs, which is how are you changing behavior and what are the things that actually change behavior?”

This approach certainly answers the critics of Foreign Corrupt Practices Act (FCPA) enforcement who claim that the FCPA is not effective because there continue to be companies that violate the law. The clear answer is that companies have not accepted their responsibility to comply with the law by operationalizing compliance. The DOJ and Securities and Exchange Commission (SEC) have both consistently made clear the requirement to do compliance not simply put a paper program in place. As far back as 2004 with Opinion Release 04-02, the DOJ laid out the foundations of operationalizing compliance. This was brought forward in 2012 with the FCPA Guidance. As the Report  stated, former “SEC chair Mary Jo White noted that her agency expected senior management and boards of directors to “imbue the organization from top to bottom with corporate culture demanding compliance with the law and the highest ethical standards. We are not talking here about a check the-box compliance program or nice sounding code of conduct. The goal is much deeper.””

The LRN survey focused on the operationalization of compliance by looking at what makes a compliance program effective. One of the key findings was that effective compliance is not simply having policies and procedures in place but rather “values-based workplace cultures are significantly more effective at influencing employee behavior than those solely oriented toward rules or procedures. E&C programs that define their approach as values-based scored highest on LRN’s new Program Effectiveness Index (PEI) and on all key outputs including level of C-suite support, cross-functional integration, middle management engagement, and code of conduct and policy accessibility.”

Most interestingly, a key indicia of an effective compliance program was trust. Divers said, “We looked at that, we looked trust, and we looked at really whether people are in fact, walking-the-walk, not just talking-the-talk. Again, rather than focus on, “Do you have this, do you have that, how many policies to you have”, we looked at the degree of which the workplace is characterized by trust, by respect, and by integrity.” I found this a unique way to review companies but also consistent with the Evaluation when the DOJ specifically talked about organizational justice in Prong 8 by inquiring into whether there was consistency in the application of discipline for Code of Conduct or FCPA violations.

Divers noted that when making an assessment on trust, “It’s not so straight forward or easy. You can’t just ask a question and say, which people tend to do on the employee survey, “Do you feel comfortable speaking up?” Some of the questions we asked were a little more subtle and based on years of doing this kind of work, of analyzing cultures. One is employees in my company questioned decisions when they conflict with our values. Another is employees in my company hesitate to speak up during team meetings because they worry how their managers will react.”

The Report found there are three systems influencing individual and organizational behavior: governance, culture and leadership. Governance refers to formal structure, rules and policies. Culture refers to norms, traditions, habits and mindsets. Leadership refers to how managers behave, as well as the source of authority and how it is exercised.” The Report delineated three dominant archetypes and assessed the impact of each on organizational performance.

The first was an organization which the Report characterized was run with “blind obedience.” This was described as “Power-based, task-driven organizations that operate through command-and control-based principles and policing, and which place little emphasis on building enduring relationships among colleagues, with customers, or within society. Employees are coerced to do as they are told under the threat of punishment or adverse consequences. Such organizations focus on short-term goals.”

The second was an organization led through “informed acquiescence” which was defined as “Rules-based, process-driven organizations that operate through hierarchy, policy and 20th-century “good management” practices. Employees are motivated by performance-based rewards and expected to fulfill the expectations of their roles. Long-term goals are identified but are often set aside in favor of short-term success.”

The final type of organization was called “self-governance” and was defined as “Purpose-inspired, values-based organizations that are led with moral authority and operate with a set of core principles and social imperatives. Employees are inspired by a desire for significance and encouraged to act as leaders regardless of role. Such organizations are focused on long-term legacy and sustainable performance.”

Tomorrow I will consider what a CCO can do to move towards a more values based compliance program through operationalizing compliance throughout the organization.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2017