Perhaps the most consistent process in the compliance field is its evolution. Compliance programs began in response to the US Sentencing Guidelines for Corporations back in 1992. Since that time, everyone involved, from the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) to corporations and compliance practitioners, has evolved in their thinking over what constitutes a best practices compliance program.

There are several reasons for this evolution. Perhaps the most forceful drivers have been the regulatory/prosecution side and the corporate response. When I began in the compliance arena in 2007, having a paper program in place, run by lawyers, was about as good as it got. The focus on compliance in the Supply Chain at the company where I worked was so far beyond cutting edge that we might as well have been on Mars. Now having a paper program has been discarded as worse than useless, and compliance for your Supply Chain is table stakes to get into a minimum compliance program.

Looked at from another perspective, as companies have come before the DOJ and SEC and presented information on their remediation efforts, the DOJ and SEC have come to appreciate what a company can do to prevent, detect and remediate. As the DOJ and SEC perspectives evolved, they communicated that information in enforcement actions. Two of the clearest examples were the General Cable Corporation Deferred Prosecution Agreement (DPA), which was the first time the DOJ laid out a requirement for tailored training, and the SEC civil action involving Key Energy Services Inc., which discussed transaction monitoring for the first time in a Foreign Corrupt Practices Act (FCPA) enforcement action.

One of the key lessons I learned in doing the research for The Complete Compliance Handbook is how much compliance programs have evolved beyond the basic requirements laid out in the 2012 FCPA Guidance’s Ten Hallmarks of an Effective Compliance Program. In addition to enforcement actions, the DOJ’s 2016 FCPA Pilot Program, coupled with 2017’s Evaluation of Corporate Compliance Programs (Evaluation) and the FCPA Corporate Enforcement Policy, all provided significant information for the compliance practitioner on what the DOJ is thinking. Over the next few blog posts, I will explore this evolution and lay out where I think a best practices compliance program is today.

Hallmark I – Commitment From All Leadership

This requirement moved beyond the ubiquitous ‘tone-at-the-top’ as it focuses on the conduct of senior management. The DOJ wants to see a company’s senior leadership actually doing compliance. The DOJ asks whether company leadership has, through their words and concrete actions, brought the right message of doing business ethically and in compliance to a company. How does senior management model its behavior on a company’s values and, finally, how is such conduct monitored in an organization?

However, this commitment has been extended far beyond simply senior management. It has been extended down into middle management. This is certainly appropriate, as it is usually middle management which has the most day-to-day contact with employees. There is also the understanding that, to fully operationalize your compliance program, corporate departments other than compliance and legal must be involved. This means Human Resources (HR), IT, Security, Treasury, Finance, Supply Chain/Procurement and, most importantly, business and operational managers must all be a part of your company’s compliance solution.

Finally, there is the evolution in the role of the Board of Directors. A Board of Directors should have a true compliance expert sitting on it, coupled with a Compliance Committee, separate and apart from the Audit Committee. The Compliance Committee should be chaired by the Board’s compliance expert. In addition to this focus on compliance expertise, a Board should now exercise real oversight of the corporate compliance function.

Hallmark II – Written Standards

Written standards consist of a Code of Conduct, Policies and Procedures, and Internal Controls. The Ten Hallmarks moved us past the state where written standards were lawyer-written and lawyer-driven, to be waved in a regulator’s face during an enforcement action as a claim that we are an ethical company. Now companies need to show how the written standards were developed and, equally important, who was involved in their development. The business/operations part of your organization should be consulted and be a part of this process going forward.

There should be business unit input into the written standards. You should not only train your employees on them, but they must also be tested to determine effectiveness. When was the last time you tested the effectiveness of your written standards? Testing for effectiveness is mandated under the COSO 2013 Internal Controls Framework, so that model is one you can use to test the effectiveness of your compliance internal controls.

Finally, there is accessibility. Can your employees even access the information contained in your written standards and understand it? The original formulation of the Ten Hallmarks required that your Code of Conduct, together with policies and procedures, be translated into local languages so employees outside the US could understand them. Accessibility also means training, so your training must also be in local languages where appropriate.

Hallmark III – Compliance Authority and Resources

The role of a Chief Compliance Officer (CCO) and the compliance function has grown in prestige and in the eyes of regulators. The original Ten Hallmarks made clear that a CCO should have the ability to report up to the Board and have sufficient authority and standing within an organization. A corporate compliance function is also required to have sufficient resources to effect its obligations.

The 2016 FCPA Pilot Program was the first time the DOJ laid out specific information about the expertise it expects from a corporate compliance function. A compliance practitioner must now have both quality and experience. Most importantly, this expertise and experience is not limited to simply reciting the FCPA or even understanding compliance. Now every compliance practitioner must have sufficient understanding of the business, the transactions the company engages in, and the data and information which flow therefrom. In short, to help fully operationalize compliance in your organization, you must be able to read a spreadsheet. Finally, there must be adequate compensation paid to, and opportunity for promotion for, those in the compliance department within an organization.

The Evaluation added components on stature within a company. In addition to the obvious comparisons of a corporate compliance function with other strategic functions in the company in terms of stature, compensation levels and rank/title, there were new areas of inquiry. They included the reporting line up to the Board and chief executives, resources, and even access to key decision-makers. You need to consider what the turnover rate has been for compliance and relevant control function personnel. Finally, and this is the area that may, at the end of the day, prove the most decisive: what role has compliance played in the company’s strategic and operational decisions? If compliance has not played a role in strategic and organizational decisions, it cannot adequately begin the risk management process, which still serves as the basis for your compliance regime.

Tomorrow, we continue with a look at the evolution of Hallmarks IV-VII.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2018