Today I begin a series of Star Wars themed blog posts to celebrate the upcoming release of the next entry in the Star Wars franchise, Episode VIII – The Last Jedi. Please note that I will only use the first three movies, now known as Episodes IV-VI and then Episode VII – The Force Awakens, for the themes this week. If you are a millennial and the prequels are your Star Wars sorry but you can write about them. The original three came out in 1977 – A New Hope, 1980 – The Empire Strikes Back and 1983 – Return of the Jedi, and these are my Star Wars movies. In conjunction with this series of blog posts, Jay Rosen and I are doing five-days of Star Wars themed podcasts next week, monikered May the Podcast Be With You. In each podcast, we review the theme of the movie and tie it to a compliance concept. In today’s posting, we consider risk which might be unique to your business model.

I will begin with Episode IV – A New Hope. One of the plotlines is that the Galactic Empire has created a Death Star with enough firepower to destroy a planet. The Rebel Alliance is determined to destroy the Death Star and has blueprints detailing the defensive posture of the Death Star. A computer analysis determines a weakness in the Death Star’s defensive shield. At one point, the Death Star’s commander, Grand Moff Tarkin, played by Peter Cushing, is told there is a ‘risk’ in the Rebel’s plan of attack. Tarkin dismisses this risk as insignificant. Of course, Luke Skywalker then proceeds to exploit this risk and destroy the Death Star.

Tarkin’s incorrect assessment of this risk was lethal. Today I want this part of the story to introduce the subject of how you evaluate compliance risk under the Foreign Corrupt Practices Act (FCPA) or an economic sanctions regime. Failure to appreciate risk can lead to some very serious and perhaps lethal consequences.

Whether you utilize one approach or another, analyzing the results of your risk assessment is as important as doing the risk assessment. With the recent Department of Justice (DOJ) remarks around how they will review the effectiveness of compliance programs during an enforcement action to determine potential credit or even granting a declination, the stakes have never been higher. Of course, for Grand Moff Tarkin, his refusal to analyze the risk assessment presented to him was fatal.

I thought about risk when I read a recent article in the New York Times (NYT) by Liz Alderman, entitled “Biggest cement maker a focus in an inquiry on ISIS finances. This is a matter involving the world’s largest cement manufacturer, LafargeHolcim (LHN) and whether “the company helped finance the Islamic State militant group and other armed factions while operating a factory in Syria.” It drove home the issue of risk and how your business risks can morph in war-torn regions.

The company has been under investigation relating to its former operations in Syria. An internal investigation found “managers of Lafarge’s Syrian plant had paid armed groups to allow employees to move to and from the factory so that it could continue operating.” This led to the resignation of the Chief Executive Officer (CEO), Eric Olsen. French authorities now have him under investigation, examining if he and other senior executives knew about the payments and, more ominously, “whether the company may have bought oil linked to the Islamic State.”

When the Syrian Civil War broke out every other western company eventually left their facilities in the country. However, LHN kept its plant open. Alderman reported, “In 2012, Lafarge’s local managers started using intermediaries to pay the armed groups to ease the passage of employees and suppliers, the company’s internal inquiry found. Lafarge has said it saw little choice if it wanted to keep its operations running, and sought to avoid direct contact with the groups to minimize potential risks that could arise with the Syrian government or other militants.”

The company said in a statement in April 2017, “Very simply, chaos reigned and it was the task of local management to ensure that the intermediaries did whatever was necessary to secure its supply chain and the free movement of its employees.” That seems like an admission of payments to either criminal gangs or terrorist organizations in violation of at least US sanctions laws.

While the LHN situation may seem like an extreme one, with the company possibly making payments to ISIS; the same situation may be faced by US companies on a much smaller scale, much closer to home. In Mexico, many swaths of the country are under the sway of large criminal enterprises. The Zetas, Colima Cartel, Guadalajara Cartel, Juárez Cartel, Sinaloa Cartel, Sonora Cartel and Tijuana Cartel are to name only a few. What if a US company makes a payment so that its trucks can transport through their territory? Does such payment violate any US laws on making payments to those entities on sanctioned lists?

What does the geographic area you conduct business in mean for your company’s risk? This is beyond the Transparency International-Corruption Perceptions Index (TI-CPI) for payments to corrupt local officials, although that could certainly come into play. What if you have to make payments to criminals to, as LHN did, “secure its supply chain and the free movement of its employees.” What is the liability for a company which puts its employees in such a high-risk environment?

If you do not ask questions about risk and then pay attention to the answers, you may find yourself in the same position as Grand Moff Tarkin.

May the Force be with you.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2017