One of the key lessons I learned in doing the research for The Complete Compliance Handbook is how compliance programs have evolved beyond the basic requirements laid out in the 2012 FCPA Guidance’s Ten Hallmarks of an Effective Compliance Program. In addition to enforcement actions, the Department of Justice’s (DOJ’s) 2016 FCPA Pilot Program, coupled with 2017’s Evaluation of Corporate Compliance Programs (Evaluation) and the FCPA Corporate Enforcement Policy, all provided significant information for the compliance practitioner on what the DOJ is thinking and where the compliance ball has moved since 2012. In this final post in my four-part series, I wrap up my exploration of this evolution of best practices and lay out where I think a best practices compliance program currently stands. Today, I take up Hallmarks IX and X and the new requirement for a root cause analysis of any FCPA violation.

Hallmark IX – Continuous Improvement

Hallmark Nine of Ten Hallmarks of an Effective Compliance Program, as articulated in the 2012 FCPA Guidance, stated:

Finally, a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.

The 2012 FCPA Guidance made clear that each company should assess and manage its risks. It specifically noted that small and medium-size enterprises likely will have different risk profiles and therefore different attendant compliance programs than large multi-national corporations. Moreover, this is something that the DOJ and Securities and Exchange Commission (SEC) consider when evaluating a company’s compliance program in any Foreign Corrupt Practices Act (FCPA) investigation. This is why a “check the box” approach is not only disfavored by the DOJ but, at the end of the day, is also ineffectual: each compliance program should be tailored to the enterprise’s own specific needs, risks, and challenges.

This insight was expanded upon in the DOJ’s Evaluation, which listed three types of continuous improvement, each further refined with multiple attendant questions.

What types of audits would have identified issues relevant to the misconduct? Did those audits occur and what were the findings? What types of relevant audit findings and remediation progress have been reported to management and the board on a regular basis? How have management and the board followed up? How often has internal audit generally conducted assessments in high-risk areas? 

Has the company reviewed and audited its compliance program in the area relating to the misconduct, including testing of relevant controls, collection and analysis of compliance data, and interviews of employees and third-parties? How are the results reported and action items tracked? What control testing has the company generally undertaken? 

How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries? 

Keeping track of external and internal events which may cause changes to business processes, policies and procedures is a key step to meeting this requirement. Some examples of these potential events are new laws applicable to your business organization and internal activities that drive changes within a company (e.g., a company reorganization or major acquisition).

Continuous improvement requires that you not only audit but also monitor whether employees are adhering to the compliance program. In addition to the language set out in the 2012 FCPA Guidance, two of the seven compliance elements in the U.S. Sentencing Guidelines call for companies to monitor, audit and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.

Hallmark X – Mergers and Acquisitions

1. Pre-Acquisition

The 2012 FCPA Guidance stated, “mergers and acquisitions present both risks and opportunities. A company that does not perform adequate FCPA due diligence prior to a merger or acquisition may face both legal and business risks. Perhaps most commonly, inadequate due diligence can allow a course of bribery to continue—with all the attendant harms to a business’s profitability and reputation, as well as potential civil and criminal liability.” While most compliance practitioners have long been aware of the requirement in the post-acquisition context, the 2012 FCPA Guidance focused many compliance practitioners on the need to engage in robust pre-acquisition due diligence.

Under Prong 11, Mergers and Acquisitions, there was a series of queries which tied together pre-acquisition due diligence and post-acquisition integration:

Due Diligence Process – Was the misconduct or the risk of misconduct identified during due diligence? Who conducted the risk review for the acquired/merged entities and how was it done? What has been the M&A due diligence process generally? 

The pre-acquisition process was then tied to post-acquisition with the following:

Process Connecting Due Diligence to Implementation – What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process? What has been the company’s process for implementing compliance policies and procedures at new entities?

The 2012 FCPA Guidance emphasized the pre-acquisition phase and the Evaluation took a deeper dive into the need for the compliance component of your merger and acquisition (M&A) regime to begin with a preliminary pre-acquisition assessment of risk. Such an early assessment will inform the transaction research and evaluation phases. This could include an objective view of the risks faced and the level of risk exposure, such as best/worst case scenarios. A pre-acquisition risk assessment could also be used as a “lens through which to view the feasibility of the business strategy” and help to value the potential target.

2. Post-Acquisition

The 2012 FCPA Guidance language states, “pre-acquisition due diligence, however, is normally only a portion of the compliance process for mergers and acquisitions. DOJ and SEC evaluate whether the acquiring company promptly incorporated the acquired company into all of its internal controls, including its compliance program. Companies should consider training new employees, reevaluating third parties under company standards, and, where appropriate, conducting audits on new business units.”

The mandates of post-acquisition integration were carried forward in the Evaluation with the following sets of questions:

Integration in the M&A Process – How has the compliance function been integrated into the merger, acquisition, and integration process?

Process Connecting Due Diligence to Implementation – What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process? What has been the company’s process for implementing compliance policies and procedures at new entities?

There was no new information in the Evaluation or FCPA Corporate Enforcement Policy changing any of the deadlines for completion of the post-acquisition integration as originally formulated in the 2012 FCPA Guidance, the enforcement actions involving Johnson & Johnson and Data Systems & Solutions LLC, or Opinion Release 08-02.

Root Cause Analysis

One new and different item was laid out in the Evaluation, supplementing the Ten Hallmarks of an Effective Compliance Program from the 2012 FCPA Guidance: the performance of a root cause analysis for any compliance violation which may lead to a self-disclosure or enforcement action. Under Prong 1, Analysis and Remediation of Underlying Misconduct, the Evaluation stated:

What is the company’s root cause analysis of the misconduct at issue? What systemic issues were identified? Who in the company was involved in making the analysis? 

Were there prior opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures or allegations, complaints, or investigations involving similar issues? What is the company’s analysis of why such opportunities were missed? 

The new FCPA Corporate Enforcement Policy brought forward this requirement for a root cause analysis with the following language:

Demonstration of thorough analysis of causes of underlying conduct (i.e., a root cause analysis) and, where appropriate, remediation to address the root causes.

Initially, you need to understand the difference between a root cause analysis and a risk assessment. Obviously, you would perform a root cause analysis after an incident occurs, so to that extent it is reactive rather than proactive. Well-known fraud investigator Jonathan Marks has defined a root cause analysis as “a research-based approach to identifying the bottom line reason of a problem or an issue; with the root cause, not the proximate cause, the root cause representing the source of the problem.” He contrasted this definition with that of a risk assessment, which he said “is something performed on a proactive basis based on various facts. A root cause analysis analyzes a problem that was previously identified through a risk assessment.”

Marks also contrasted a root cause analysis with an investigation. He noted, “in an investigation we are trying to either prove or disprove an allegation.” This means that in a compliance investigation you may be trying to prove or disprove that certain transactions could form the basis of a corrupt payment or bribe by garnering evidence to either support or refute a specific allegation or allegations. You do not assess blame, and that is the point where a root cause analysis should follow, to determine how the compliance failure occurred or was allowed to occur.

This new requirement for a root cause analysis is a basic investigative tool that the DOJ now requires companies to incorporate into their best practices compliance program. Not only must you engage in a root cause analysis, but you must also document your protocol and then show how you fed the information you obtained back into your remediation.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2018