Why is innovation so critical in every compliance program? Is it simply because the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) say it is so, or are there other reasons? After all, there are still commentators who believe that compliance programs should be maintained in the same state today as they were in 1977, when the Foreign Corrupt Practices Act (FCPA) was enacted into law. The reason compliance programs must continually innovate is that businesses continually innovate, risks continually change, and the bad guys who are prone to engaging in bribery and corruption keep coming up with new and different ways to lie, cheat and steal, all of which is illegal under the FCPA.

Begin by considering the starting point, which is an innovation strategy. The most recent DPAs and NPAs issued by the DOJ all include a provision along the following lines:

The Company will conduct periodic reviews and testing of its anti-corruption compliance code, policies, and procedures designed to evaluate and improve their effectiveness in preventing and detecting violations of anti-corruption laws and the Company’s anti-corruption code, policies, and procedures, taking into account relevant developments in the field and evolving international and industry standards.

The 2012 FCPA Guidance stated, “Finally, a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements”. Both of these statements mean that the DOJ and SEC expect innovation in your compliance program to keep up with evolving international and industry standards. This requires you to implement an innovation strategy.

Yet even more importantly, you must have an innovation strategy for your compliance program to keep up with business changes and the changing nature of fraudsters. The key to success is something that every CCO or compliance practitioner should take to heart: a compliance practitioner must be able to lay out an innovation strategy for compliance that details the efforts that will support the overall business strategy. This means creating an innovation strategy for compliance that will create value for the customers of compliance (i.e., employees), third-parties and the customer; show how the company will capture that compliance value going forward; and, finally, identify which types of compliance innovation to pursue.

In a 2015 Harvard Business Review article, entitled “You Need an Innovation Strategy”, author Gary P. Pisano said a “strategy is nothing more than a commitment to a set of coherent, mutually reinforcing policies or behaviors aimed at achieving a specific competitive goal.” If you have a good innovation strategy for your compliance program, it can promote alignment among diverse groups in a company, help to clarify objectives and priorities and guide your focus on those objectives. It can also be modified as necessary with sufficient feedback.

There are several questions you need to consider in connecting innovation to strategy. Initially, how will innovation create value for the customers of compliance, i.e., your employees and relevant third-parties? Your innovation can make compliance faster, easier, nimbler and more agile. Focus on that creation of value going forward. Next, what types of innovation will allow the company to create and capture value, and what resources should each type receive, whether a change in technology or a change in a business process? Both are equally valid.

Obviously senior management has a key role around innovation in compliance, as innovation can stall or even be driven backward if there is not sufficient management support. This means not only must there be sufficient resources allocated, but management must also incentivize the business units to proceed with implementing the innovations. Another area where senior management is critical is in making trade-offs. A supply-push approach applies when your innovation is focused on something that does not yet exist, for example if you are initially implementing an FCPA compliance regime. A demand-pull approach works more closely with your existing customer base to determine what they might need and then works to implement innovation around those needs.

You must recognize that your compliance program will have to be innovative. Start with a strategy which has senior management buy-in and support, then move to implementation. Finally, use data in a feedback loop to fine-tune your innovations. Innovation in compliance is one of the key differences between those who advocate static compliance standards embodied in a written compliance program and those who advocate an operationalized compliance program. It is the latter that creates an active, vibrant and effective compliance program. That is the bottom line for innovation of your compliance program going forward.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The above is excerpted from my latest book, The Complete Compliance Handbook, which contains an entire chapter on Innovation in Compliance. For more information on this topic and the full panoply of the design, creation and implementation of an operationalized compliance program, check out my book on Amazon.com.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2018

One of the key lessons I learned in doing the research for The Complete Compliance Handbook is how compliance program best practices have evolved beyond the basic requirements laid out in the 2012 FCPA Guidance’s Ten Hallmarks of an Effective Compliance Program. In addition to enforcement actions, the Department of Justice’s (DOJ’s) 2016 FCPA Pilot Program, coupled with 2017’s Evaluation of Corporate Compliance Programs (Evaluation) and the FCPA Corporate Enforcement Policy, all provided significant information for the compliance practitioner on what the DOJ is thinking and where the compliance ball has moved since 2012. For this series, I am exploring this evolution and laying out where I think a best practices compliance program currently stands. Today, I take up Hallmarks VII and VIII.

Hallmark VII – Third Parties

Third-parties are still recognized as the highest risk for corruption. Management of third-parties is therefore a critical component of any best practices compliance program. The 2012 Guidance discussed three prongs of inquiry. The first focused on risk-based due diligence, mandating that companies understand the qualifications and associations of their third-party partners, including their business reputation and relationship, if any, with foreign officials. Second is a business justification, requiring companies to have an understanding of the business reason for including the third party in the transaction. Third is compliance terms and conditions in the commercial contract.

This original formulation has expanded into five distinct steps: business justification, questionnaire, due diligence, compliance terms and conditions and management after the contract is signed. Understanding and properly using each step is critical to fully manage the lifecycle of third-party relationships. The Evaluation devotes an entire prong to third-party management. It begins with the following:

How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes?

What was the business rationale for the use of the third-parties in question? What mechanisms have existed to ensure that the contract terms specifically described the services to be performed, that the payment terms are appropriate, that the described contractual work is performed, and that compensation is commensurate with the services rendered?

This first set of queries clearly specifies that the DOJ expects an integrated approach that is operationalized throughout the company. This means your compliance program must have a process covering the full life cycle of third-party risk management. Moreover, the management of the third-party relationship after the contract has been signed is becoming much more important. This integrated approach is further confirmed by another series of questions in the Evaluation.

Management of Relationships – How has the company considered and analyzed the third party’s incentive model against compliance risks? How has the company monitored the third parties in question? How has the company trained the relationship managers about what the compliance risks are and how to manage them? How has the company incentivized compliance and ethical behavior by third parties?

Managing your third-parties is where the rubber meets the road in your overall third-party risk management program. You must execute on this task. Even if you successfully navigate the first four steps in your third-party risk management program, those four are, in reality, the easy steps. Managing the relationship is where the real work begins.

Hallmark VIII – Reporting and Investigations

This was one of the shortest Hallmarks in the Ten Hallmarks. It had three parts: (1) internal reporting; (2) investigations; and (3) remediation. The Evaluation and FCPA Corporate Enforcement Policy gave extended discussions on what the DOJ expects in this area, beyond the basic formulation found in Hallmark VII.

1. Reporting

The 2012 FCPA Guidance had as clear and concise a statement about hotlines as any other requirement found in the Ten Hallmarks of an Effective Compliance Program. It stated: “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.”

The Evaluation reinforced this language with the following found under Prong 7, Confidential Reporting and Investigation: How has the company collected, analyzed, and used information from its reporting mechanisms? How has the company assessed the seriousness of the allegations it received? Has the compliance function had full access to reporting and investigative information?

This is more than simply maintaining hotlines. Companies have to make real efforts to listen to employees. You need to have managers who are trained on how to handle employee concerns, and they must be incentivized to take on this compliance responsibility. You must also devote communication resources to reinforcing the company’s culture and values, to create an environment and an expectation that managers will raise employee concerns.

2. The Investigation Protocol

The 2012 FCPA Guidance had only a short statement about investigations, which stated: “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken.”

This was expanded in the Evaluation under Prong 7, where it stated: How has the company ensured that the investigations have been properly scoped, and were independent, objective, appropriately conducted, and properly documented?

Moreover, with the advent of the SEC Whistleblower Program, companies must quickly and efficiently investigate all hotline reports. This means you need an investigation protocol in place so that the entire compliance function is on the same page and knows what to do.

Your company should have a detailed written procedure for handling any complaint or allegation of bribery or corruption, regardless of the means through which it is communicated. The mechanism could include the internal company hotline, anonymous tips, or a report directly from the business unit involved. You can make the decision on whether or not to investigate in consultation with other groups, such as the Audit Committee of the Board of Directors or the Legal Department. The head of the business unit in which the claim arose may also be notified that an allegation has been made and that the compliance department will be handling the matter on a go-forward basis. Through the use of such a detailed written procedure, you can work to ensure there is complete transparency on the rights and obligations of all parties once an allegation is made. This gives the compliance department not only the flexibility but also the responsibility to deal with such matters, so that it can best assess the allegation and then decide how to manage the matter.

3. Remediation

The 2012 FCPA Guidance stated: “Companies will want to consider taking ‘lessons learned’ from any reported violations and the outcome of any resulting investigation to update their internal controls and compliance program and focus future training on such issues, as appropriate.” Lessons learned are near and dear to the heart of any ‘Nuts and Bolts’ compliance practitioner, as this clearly means you need to feed your investigative findings into the solution of the issue which led to the compliance failure.

This was expanded in the Evaluation with the following: “Response to Investigations – Has the company’s investigation been used to identify root causes, system vulnerabilities, and accountability lapses, including among supervisory managers and senior executives? What has been the process for responding to investigative findings? How high up in the company do investigative findings go?”

Finally, in the FCPA Corporate Enforcement Policy, the DOJ had several different pronouncements on the remedial aspect of any investigation. Initially, it noted there should be a “remediation to the root causes” and then went on to add the following points:

  • Appropriate discipline of employees, including those identified by the company as responsible for the misconduct, either through direct participation or failure in oversight, as well as those with supervisory authority over the area in which the criminal conduct occurred; and
  • Any additional steps that demonstrate recognition of the seriousness of the company’s misconduct, acceptance of responsibility for it, and the implementation of measures to reduce the risk of repetition of such misconduct, including measures to identify future risks. 

There is nothing like an internal whistleblower report about a Foreign Corrupt Practices Act (FCPA) violation, the discovery of such an issue or (even worse) a subpoena from the DOJ to trigger Board of Directors and senior management attention to the compliance function and the company’s compliance program. You may find yourself having to have some very frank discussions about what to expect in terms of costs and time outlays. While much of this discussion will focus on the investigative process and its costs, it will allow you to initiate the talk about remediation going forward and begin to explain why money must be budgeted for the remediation process.

One of the things rarely considered is how the investigation triggers the remediation process and what the relationship is between the two. When issues arise warranting an investigation that would rise to the Board of Directors level and potentially require disclosure to the government, there is usually a flurry of attention and activity. Everyone wants to know what is going on. You will have everyone’s attention on remediation and you must use that attention to provide for the required steps to not only fix the issue but, as the FCPA Corporate Enforcement Policy says, implement measures to reduce the risk that the same or similar conduct will occur again.

I will conclude tomorrow with Hallmarks IX, X and the new requirement for a Root Cause Analysis.

One of the key lessons I learned in doing the research for The Complete Compliance Handbook is the evolution of compliance programs beyond the basic formulation laid out in the 2012 FCPA Guidance’s Ten Hallmarks of an Effective Compliance Program. In addition to enforcement actions, the Department of Justice’s (DOJ’s) 2016 FCPA Pilot Program, coupled with 2017’s Evaluation of Corporate Compliance Programs (Evaluation) and the FCPA Corporate Enforcement Policy, all provided significant information for the compliance practitioner on what the DOJ is thinking and where the compliance ball has moved since 2012. Over the next few blog posts, I am exploring this evolution and laying out where I think a best practices compliance program currently stands. Today, I take up Hallmarks IV through VI.

Hallmark IV – Risk Management

Under the original formulation of the Ten Hallmarks of an Effective Compliance Program, risk assessment was articulated as the cornerstone of all compliance programs. However, now a full risk management program is the standard for any best practices compliance program. This consists of three components. First is forecasting, which allows you to consider your business strategy and wed it to the risks you can foresee. By starting with forecasting, a compliance function then uses risk assessment to consider issues which the forecasting did not predict, or issues which the forecasting model raised as a potential outcome warranting a deeper dive. The second is risk assessment, which allows you to evaluate and measure known risks. If you are moving into a new product or sales area and are required to use third-party sales agents, a risk assessment would provide information that a company could use to ameliorate the risks. Third is risk-based monitoring, which allows you to monitor both the compliance risks you know about and detect those you do not know, on an ongoing basis. The basis of your compliance program in many ways turns on the robustness of your risk management process.

As compliance evolves, and corporate compliance programs become more sophisticated, compliance is seen not simply as a legal prophylactic, but as a business process. Seen in this light, it is clear the risk management process should begin with forecasting, as it attempts to estimate future aspects of your business. Compliance professionals should be able to say with some degree of authority what will happen in the next three, six, twelve to twenty-four months. This can facilitate resource deployment where deemed appropriate in order to meet these future demands. This ties back into process management and process improvement. There is a balance between what is actually important for your business or for proper execution and the practical aspects of the whole process.

Hallmark V – Communication and Training

One of the key goals of any compliance program is to train employees in awareness and understanding of the Foreign Corrupt Practices Act (FCPA) and your specific company compliance program, and to create and foster a culture of compliance. Beginning in the fall of 2016 with the announcement of the FCPA Pilot Program, the DOJ began to talk about whether you have determined the effectiveness of your training. This continued with the 2017 Evaluation, where they asked, “How has the company measured the effectiveness of the training?” This point has bedeviled many compliance professionals, yet it is now a key metric for the government in evaluating compliance training.

Most companies have not considered this issue: the effectiveness of their compliance program. I would suggest that you start at the beginning of an evaluation and move outward. This means starting with attendance, which many companies tend to overlook. You should determine that all senior management and Board members have attended compliance training. You should review the documentation of attendance and confirm this attendance. Make your department or group leaders accountable for the attendance of their direct reports, and so on down the chain. Evidence of training is important to create an audit trail for any internal or external assessment or audit of your training program.

Also raised in the Evaluation was the focus of your training programs, where the DOJ inquired into whether your training was “tailored” for the audience. This added new requirements. One is that you must assess your employees for risk to determine the type of training you might need to deliver. This means that you should risk rank your employees. Obviously, the sales force would be the highest risk, but there may be others which are deserving of high-risk training as well. From your risk ranking, you then need to develop training tailored for the risks those employees will face.

The key going forward is that you have thoughtfully created your compliance training program, not only in its design but also in who receives it, coupled with a back-end determination of effectiveness. Finally, all of this must be documented.

Hallmark VI – Incentives and Discipline

a. Incentives

The 2012 FCPA Guidance stated the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership.” This same concept was expanded in the Evaluation under Prong 8, Incentives and Disciplinary Measures:

How has the company incentivized compliance and ethical behavior? How has the company considered the potential negative compliance implications of its incentives and rewards? Have there been specific examples of actions taken (e.g., promotions or awards denied) as a result of compliance and ethics considerations?

As your compliance program matures and your strategy is more fully operationalized, your sales force should embrace this operationalization to help achieve compliance. The prescription for you, as the compliance practitioner, is to revise the incentive system to focus your employees on the goals of your compliance program. This may mean that you need to change the incentives as the compliance program matures, from installing the building blocks of compliance to integrating anti-corruption compliance into the DNA of your company. There are three key questions you should ask yourself in modifying your compensation structure from the compliance perspective. First, is the change simple? Second, is the change aligned with your company values? Third, is the effect on behavior immediate due to the change?

b. Discipline

In the original formulation of the Ten Hallmarks it stated, “DOJ and SEC will thus consider whether, when enforcing a compliance program, a company has appropriate and clear disciplinary procedures, whether those procedures are applied reliably and promptly, and whether they are commensurate with the violation.” In the Evaluation, the requirements around discipline expanded to “Have the disciplinary actions and incentives been fairly and consistently applied across the organization?” Similarly, the FCPA Corporate Enforcement Policy states: “Appropriate discipline of employees, including those identified by the company as responsible for the misconduct, either through direct participation or failure in oversight, as well as those with supervisory authority over the area in which the criminal conduct occurred.”

One of the ways to more fully operationalize your compliance program is to ensure that discipline is handed out fairly across the organization and to reward those employees who integrate ethical and compliant behavior into their individual work practices going forward. In addition to providing a financial incentive for ethical behavior, this also provides a sense of institutional objectivity. Institutional objectivity comes from procedural fairness and is one of the areas that will bring credibility to your compliance program.

Today, that is called the Fair Process Doctrine, which recognizes that there are fair procedures, not arbitrary ones, in processes involving rights. Considerable research has shown that people are more willing to accept negative, unfavorable, and non-preferred outcomes when they are arrived at by processes and procedures that are perceived as fair. As you incorporate the Fair Process Doctrine in your compliance program, consider these three key areas: (1) Administration of discipline; (2) Employee promotions; and (3) Internal investigations.

Tomorrow, I will consider Hallmarks VII to IX.

With The Complete Compliance Handbook sitting at the top of the rankings in its first week of sales, Jay Rosen and I take a look at some of the top ethics and compliance stories over the past week.

  1. Tom’s new book The Complete Compliance Handbook was released on Monday May 21. It is No. 1 in Amazon’s New Releases in Business Ethics. Available on Amazon.com. Purchase an autographed copy here. It is reviewed in the FCPA Blog, Radical Compliance and Corruption, Crime and Compliance.
  2. GDPR is live. Are you ready? Check out Tom’s blog post and white paper. For yet more on GDPR see the podcast series Countdown to GDPR: Episode 1 – Introduction; Episode 2 – The Role of the Data Protection Officer; Episode 3 – Policies and Procedures; Episode 4 – DPIAs; Episode 5 – Vendors in GDPR Compliance; Episode 6 – GDPR for Communications Professionals; Episode 7 – Data Security and Data Breaches; and Episode 8 – Subject Access Requests.
  3. Compliance Week 2018 is in the books. We review some of our highlights.
  4. The SFO brings new charges in the Unaoil matter. Dick Cassin reports in the FCPA Blog. Mara Lemos Stein reports in the WSJ Risk and Compliance Review.
  5. Matt Kelly considers doing compliance in the midst of corporate downturns, in Radical Compliance.
  6. DOJ announces two new indictments in the Rolls Royce bribery case. Dick Cassin reports in the FCPA Blog.
  8. Doing business with Pemex: it now requires its contractors to have a compliance program. Luis Corres reports in the FCPA Blog.
  8. What is nudging in compliance? Ben DiPietro reports in the WSJ Risk & Compliance Journal.
  10. The DOJ’s Evaluation of Corporate Compliance Programs still resonates with compliance practitioners to help think through compliance programs and issues. Sascha Matuszak considers it in the SCCE Blog.
  10. Rockets take the lead in their series with Golden State 3-2 and are heading out west. Celtics head back to Cleveland up 3-2.
  11. The Everything Compliance gang is back in the Cohen and Friends edition. Check it out here.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

With Uncle Duke joining the compliance debate around Michael Cohen, Jay Rosen and I take a look at some of the top compliance stories over the past week.

  1. The fallout from the Michael Cohen revelations continues to explode across the compliance universe. Matt Kelly considers it from a COSO perspective in Radical Compliance, Tom and Matt have another podcast about it on Compliance into the Weeds, and Tom channels his inner Hunter S. Thompson for a three-part series: Part I – the Start, Part II – Full Gonzo and Part III – Uncle Duke. The NYT reports that the Novartis GC loses his job over the scandal.
  2. Rod Rosenstein announced a new “anti-piling on” policy. What does it mean for FCPA enforcement? Lara A. Covington and Michael E. Hantman, writing in the FCPA Blog, point out the strings attached and potential rewards. Tom considers the new policy (channeling Tom Wolfe) here. For the full text of Rosenstein’s remarks see here.
  3. Writing in forbes.com, Dan Pontefract says we need ethics professionals more than ever.
  4. The purveyors of the most excellent Global Anti-Corruption Blog, Rick Messick and Matthew Stephenson, both post articles decapitating the arguments against transparency into shell corporations. Rick’s piece is here. Matthew’s piece is here.
  5. What is it like to negotiate an FCPA/Bribery Act resolution while heading up the remediation? Phoebe Seers reports on how the Innospec GC/CCO handled it in Mlex.
  6. Trump tweets out to protect Chinese jobs in the ZTE sanctions case. What are the implications? Sam Rubenfeld takes a look at the landscape in the WSJ Risk & Compliance Journal.
  7. Businesses are finding value in combining sustainability and compliance. Ben DiPietro reports in the WSJ Risk & Compliance Journal.
  8. Cybersecurity whistleblowers are becoming increasingly important to the SEC and in the corporate world. Henry Cutter reports in the WSJ Risk & Compliance Journal.
  9. Rockets square their series with Golden State 1-1 and are heading out west. Celtics head to Cleveland up 2-0.
  10. Tom announces the publication date of his next book, The Complete Compliance Handbook, which will be available on May 21, 2018 on Amazon.com. If you are attending Compliance Week 2018, Tom is having a book signing party on Monday, from 2:15 to 2:45. Come by and pick up an autographed copy.