In this special live, on-location episode, Jay Rosen and I discuss the recent SCCE 2017 Utilities and Energy Conference held in Washington DC. He hit on the highlights, topics, vendors and keynote speakers. We also discuss the impact of the recently released DOJ Evaluation of Corporate Compliance Programs. Finally we have a guest appearance by Jim Moore, recently installed as SVP at Trust Point International. For a copy of the Evaluation of Corporate Compliance Programs, click here. For my two blog posts on the Evaluation, see Part I and Part II.

In this episode I visit with Morrison & Foerster partner James Koukios on the firm’s December newsletter on the Top Ten International Anti-Corruption Developments for December 2016. James and I visit about some of the lesser-known highlights from the month of December 2016 in the global enforcement of anti-corruption.

Show Notes:

  1. The SFO announces an investigation into the Swiss engineering giant ABB, Ltd. for allegations of corruption coming out of the Unaoil scandal. See article in the FCPA Blog.
  2. Former Magyar Telekom exec settles with SEC before trial. See article in FCPA Blog.
  3. Tom goes on an extended rant about the ISO 37001 certification process and why it is “worse than useless”. See Tom’s post on the topic on the FCPA Compliance and Ethics Blog.
  4. Jay Rosen discusses his new gig with Affiliated Monitors.
  5. Everything Compliance-Episode 7 is out. It is dedicated exclusively to the first two chaotic weeks of the Trump Administration.
  6. Jay Rosen Weekend Report preview.

For some additional reading see:

1.) Mike Volkov Article on Monitors

2.) Jay Rosen Weekend Read

The “Real” FCPA, SCCE + Hello Goodbye

3.) Kristy Grant-Hart on The Top Five Myths about ISO-37001 Exposed

4.) Jay Rosen new contact info

Jay Rosen, CCEP

Vice President, Business Development

Monitoring Specialist

Affiliated Monitors, Inc.

Mobile (310) 729-6746

Toll Free (866)-201-0903

This episode is dedicated to the chaotic (at best) first three weeks of the Trump administration.

  1. Jonathan Armstrong leads a discussion of the Trump administration’s devolution towards Privacy Shield and what it may portend for American companies doing business in the UK and EU. He highlights the recent opening of a new trial in Ireland brought by Max Schrems and also discusses the putative Muslim refugee ban in the context of broader business implications.

For the Cordery Compliance client alert on Privacy Shield, see here

  2. Jay Rosen considers what companies the intersection of business and politics under the Trump administration, the Tech sector response to the Muslim refugee ban and the more general business response to the first few weeks of the Trump administration.

For Jay’s post, see Where Do Politics End and Ethics & Compliance Begin?

  3. Matt Kelly opens with a discussion of the management process practices of the Trump administration in issuing Executive Orders and lays down some markers around compliance and regulatory issues under the new administration.

For Matt Kelly’s posts see the following:

Compliance in the Trump Era: More Markers Placed

Five Questions for SEC Nominee Jay Clayton

Yes Government Ethics is Happening

Dodd-Frank Reform Starts Coming into View

For Tom Fox’s posts on these topics see the following:

The Trump Administration-Kaos is Bad for Business

The Trump Administration-Part II, Failures in Leadership and Management

The Trump Administration-Part III-Preparing for a Catastrophe

The Trump Administration-Part IV-the Business Response

The members of the Everything Compliance panel include:

  • Jay Rosen (Mr. Translations) – Jay is Vice President of Legal & Corporate Language Solutions at United Language Group. Rosen can be reached at
  • Mike Volkov – One of the top FCPA commentators and practitioners around and is the Chief Executive Officer (CEO) and owner of The Volkov Law Group, LLC. Volkov can be reached at
  • Matt Kelly – Founder and CEO of Radical Compliance, is the former Editor of the noted Compliance Week. Kelly can be reached at
  • Jonathan Armstrong – Rounding out is our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at

Today’s headline is inspired by two recent notices; the first is from a January 25 ENI Press Release crowing that “Eni is the first Italian company to receive that certification”. The second came from an article in the Financial Times (FT) entitled “Eni chief Claudio Descalzi charged with international corruption” by James Politi, where he began his piece with the opening, “Claudio Descalzi, chief executive of Eni, has suffered a setback after Italian prosecutors charged him with international corruption following a lengthy investigation into the Italian energy group’s 2011 purchase of a Nigerian exploration licence. Mr Descalzi was asked to stand trial along with Paolo Scaroni, the former chief executive of Eni, as well as nine other individuals who were involved in the $1.3bn transaction, according to Fabio De Pasquale, the lead prosecutor on the case.”

The international corruption, also involving Royal Dutch Shell, involved questions regarding “an offshore exploration bloc called OPL 245, which is estimated to contain up to 9bn barrels of oil and is considered one of Nigeria’s most highly-prized energy prospects.” It was further noted that “The main accusation is that Eni and Shell knew the money paid to the government for OPL 245 would then be funnelled to other Nigerian individuals, essentially as bribes.” In what can only be said is a non-denial denial, both “Eni and Shell have said that they simply transferred money to the Nigerian government, without making any arrangements with third parties or the ultimate beneficiaries.”

The problem I see with one headline is that it brings up the uselessness of the ISO certification process. One might reasonably ask how a company could receive a certification for its “AntiBribery Management Systems” when both its current and former chief executives are under indictment for ‘international corruption’? The ISO certification issue is separate and stands apart from the ISO 37001 standards themselves. When I sat down to read the more than 100 pages of what might constitute good compliance practices, I, for the most part, did not have too many disagreements with the articulation. However, in the global world of anti-bribery/anti-corruption enforcement there were multiple standards for an effective compliance program, including, but not limited to, the Ten Hallmarks of an Effective Compliance Program, Six Principles of Adequate Procedures, the OECD 13 Good Practices and multiple others. Indeed, I published an entire book some 2 1/2 years ago laying out what constitutes an effective compliance program. So while it is mildly interesting from an intellectual perspective, the reality is that it is not anything new, different or innovative.

Yet the title of this blog post makes clear that any ISO 37001 certification is much worse, for it can lead an unsuspecting person to conclude that because a company has the ISO 37001 certification, it is actually doing compliance. The ENI Press Release stated, “quality of the system of rules and controls aimed at preventing corruption”. If that does not sound like a paper compliance program I do not know what does. I should also note the same Press Release goes on to state that since 2009, Eni has enshrined the principle of “zero tolerance” as “expressed in its Code of Ethics.” I wonder if either the current or former ENI chief executive under indictment read or even knew about this robust ENI Code of Ethics. Interestingly, the Press Release also stated that Stage 2 of the ISO 37001 certification process involved “interviews with people on the ground” to assure compliance with the program. It is safe to assume these interviews did not include the current or former ENI chief executive.

What is a counter-party to ENI to conclude about the robustness of its anti-corruption compliance program? How about any other company which has an ISO 37001 certification? This is where the worse than useless part comes into play. People might actually think that this certification affirms the company which holds it is committed to doing compliance and will continue to do so going forward. The counter-party who does business with such an ISO 37001 certificate holder may well assume this certification forms some basis of protection against a Foreign Corrupt Practices Act (FCPA), UK Bribery Act or (you name the law) investigation for bribery and corruption. Nothing could be further from the truth.

The Department of Justice (DOJ), Securities and Exchange Commission (SEC) and Serious Fraud Office (SFO) continually make abundantly clear that a company is responsible for its counter-parties not violating applicable anti-corruption laws. Put another way, a third-party with an ISO 37001 certification who violates the FCPA, UK Bribery Act or any other similar law puts your company at just as much risk as a third-party with no ISO 37001 certification. Putting it as simply as I can, an ISO 37001 certification from a counter-party is of less than zero worth to your company, your compliance program or indeed any defense against an FCPA enforcement action.

What about a company which thinks it needs an ISO 37001 certification? This is equally problematic but for different reasons. The FCPA Guidance jointly issued by the DOJ and SEC made clear that an effective compliance program is based upon a company assessing its own risks and then setting up a program to manage those risks going forward through training, incentives and discipline and ongoing monitoring. The Ten Hallmarks were designed to be flexible to allow each company to assess and then manage its risks. Moreover, this flexibility allows a Chief Compliance Officer (CCO) or compliance practitioner to put forward clear evidence of compliance with this approach if the government comes knocking in an FCPA investigation. The evidence from the Pilot Program is that the DOJ is taking this approach into account and has doled out multiple declinations and Non-Prosecution Agreements (NPAs) since its inception in April 2016.

So which headline is right: that ENI received an ISO 37001 certification or that the chief executive of ENI will stand trial for corruption? Unfortunately, they are both right and that simple answer communicates to every CCO and compliance practitioner across the globe that the ISO 37001 certification process is worse than useless. This is both for the company assessing the effect of such a certification from a potential third-party and a company considering whether it should obtain the certification to prove it is actually doing compliance.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2017