Today is the anniversary of the most historic day of many in the history of the great state of Texas, the date of the fall of the Alamo. March 2, Texas Independence Day, is when Texas declared its independence from Mexico, and April 21, San Jacinto Day, is when Texas won its independence from Mexico. Both probably have more long-lasting significance, but if there is one word that Texas is known for around the world, it is the Alamo. The Alamo was a crumbling Catholic mission in San Antonio where 189 men held out for 13 days against the Mexican Army of General Santa Anna, which numbered approximately 5,000. But on this date in 1836, Santa Anna unleashed his forces, which overran the mission and killed all the fighting men. Those who did not die in the attack were executed and all the deceased bodies were unceremoniously burned. Proving he was not without chivalry, Santa Anna spared the lives of the Alamo’s women, children and their slaves. But for Texans across the globe, this is our day.

While Thermopylae will always go down as the greatest ‘Last Stand’ battle in history, the Alamo is right up there in contention for Number 2. As with all such battles, sometimes the myth becomes the legend and the legend becomes the reality. In Thermopylae, the myth is that 300 Spartans stood against the entire 10,000-man Persian Army. However, there was also a force of 700 Thespians (not actors, but citizens of the city-state of Thespiae) and a contingent of 400 Thebans fighting alongside the 300 Spartans. Somehow, their sacrifices have been lost to history.

Likewise, the legend that lifts the battle of the Alamo to the land of myth is the line in the sand. The story goes that on March 5, the day before the final attack, when it was clear that no reinforcements would arrive in time and everyone who stayed would perish, William Barret Travis called all his men into the plaza of the compound. He then pulled out his saber and drew a line in the ground. He said that they were surrounded and would all likely die if they stayed. Any man who wanted to stay and die for Texas should cross the line and stand with him. Only one man, Moses Rose, declined to cross the line. The immediate survivors of the battle did not relate this story after they were rescued, and this line in the sand tale did not appear until the 1880s.

But the thing about ‘last stand’ battles is they generally turn out badly for the losers. Very badly. I thought about this when Chuck Duross, when he was head of the Department of Justice’s (DOJ) Foreign Corrupt Practices Act (FCPA) unit, said at a conference that he viewed anti-corruption compliance practitioners as “The Alamo” in terms of the last line of defense in the context of preventing violations of the FCPA. I gingerly raised my hand and acknowledged his tribute to the great state of Texas but pointed out that all the defenders were slaughtered, so perhaps another analogy was appropriate. Everyone had a good laugh. But in reflecting on the history of Texas and what the Alamo means to us all, I have wondered if my initial response was too facile.

What happens to a Chief Compliance Officer (CCO) or compliance practitioner when they have to make a stand? Do they make the ultimate corporate sacrifice? Will they receive the equivalent of a corporate execution as the defenders of the Alamo received? This worrisome issue has certainly occurred even if the person ‘resigned to pursue other opportunities.’ Michael Scher has been a leading voice for the protection of compliance officers. In a post entitled “Michael Scher Talks to the Feds,” he said, “a compliance officer (CO) working in Asia asked for recognition and protection: ‘A CO will not stand up against the huge pressure to maintain compliance standards if he does not get sufficient protection under law. Most COs working in overseas operations of U.S. companies are not U.S. citizens, but they usually are first to find the violations. Since the FCPA deals with foreign corruption, how could the DOJ and SEC not protect these COs?’”

The DOJ is now looking at not only the quality of your CCO and compliance function, but also how they are perceived, treated and received in the corporate setting. In the 2020 Update to the Evaluation of Corporate Compliance Programs (2020 Update), the DOJ expanded its inquiry to evaluate the “sufficiency of the personnel and resources within the compliance function, in particular, whether those responsible for compliance have: (1) sufficient seniority within the organization; (2) sufficient resources, namely, staff to effectively undertake the requisite auditing, documentation, and analysis; and (3) sufficient autonomy from management, such as direct access to the board of directors or the board’s audit committee.”

Further there were four specific areas of inquiry and evaluation: (1) Structure; (2) Experience and Qualifications; (3) Funding and Resources; and (4) Autonomy.

In the section entitled “Structure” the Evaluation made the following inquiries:

  • How does the compliance function compare with other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources, and access to key decision-makers?
  • What has been the turnover rate for compliance and relevant control function personnel?
  • What role has compliance played in the company’s strategic and operational decisions? How has the company responded to specific instances where compliance raised concerns?
  • Have there been transactions or deals that were stopped, modified, or further scrutinized as a result of compliance concerns?

In the section entitled “Experience and Qualifications” the 2020 Update made the following inquiries:

  • Do compliance and control personnel have the appropriate experience and qualifications for their roles and responsibilities?
  • Has the level of experience and qualifications in these roles changed over time?
  • Who reviews the performance of the compliance function and what is the review process?

In the area of “Funding and Resources” the 2020 Update asked:

  • Has there been sufficient staffing for compliance personnel to effectively audit, document, analyze, and act on the results of the compliance efforts?
  • Has the company allocated sufficient funds for the same?
  • Have there been times when requests for resources by compliance and control functions have been denied, and if so, on what grounds?

Finally, in the area of “Autonomy” the 2020 Update asked:

  • Do the compliance and relevant control functions have direct reporting lines to anyone on the board of directors and/or audit committee?
  • How often do they meet with directors?
  • Are members of the senior management present for these meetings?
  • How does the company ensure the independence of the compliance and control personnel?

These inquiries all reflect a deeper and more robust focus on the CCO and compliance team from the DOJ. If your compliance team is run on a shoestring, you will likely be downgraded for your overall commitment to doing business in compliance with the FCPA. The same is true for promotions and other opportunities for advancement within an organization. Not many organizations have such a mature compliance function that a CCO is appointed to another senior level position within an organization.

Upon further reflection I now believe Duross was correct and the Alamo reference was appropriate for compliance officers. It is because sometimes we have to draw a line in the sand to management. And when we do, we have to cross that line to get on the right side of the issue, the consequences be damned. The DOJ has made clear they expect CCOs and compliance professionals to draw that line when they must do so and when they do, companies must heed their warnings.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2021

In this episode of The Compliance Handbook, I asked the Great Women in Compliance (#GWIC) co-hosts Mary Shirley and Lisa Fine to talk about some of their best practices around written standards for a compliance program.

The definition of a successful compliance program is not foreign for many compliance specialists. However, the challenge is to understand what it truly means for a compliance program to be effective. 

Most organizations claim that the central meaning of compliance is to define and enforce guidelines and standards that can minimize the possibility of a violation of compliance. The truth remains, though, that if misconduct exists, your attempt to highlight that your compliance policy conforms with regulatory requirements will increment your culpability score and contribute to a noticeable difference in fines and jail time.

To help you paddle through your compliance programs, I recently met two influential women in compliance, Lisa Fine and Mary Shirley. These phenomenal women will add transparency to these ethics and compliance concerns. We will dive into written compliance and touch on #GWIC (Great Women In Compliance) and how it has become a powerful platform that supports compliance practitioners.

Key takeaways discussed in the episode:

  • Know written compliance inside out. Understand that everybody needs to know what the rules are. But they should not be lawyer-written and 20 pages long. Use the simplest terms possible and break things down to the absolute essentials.
  • Call to mind that the code is our ethos, and the policies are the regulations to explain them. If possible, get your message across in the shortest possible time using the fewest words possible.
  • Hark back to the truth that there is no one-size-fits-all compliance program. Thus, make learning come to life and apply it to people’s job roles. As much as possible, tell people what the expectations are and help facilitate their decision-making.
  • Factor in that it’s natural to maintain your relationships with former colleagues, but it’s not okay, and could be risky, if you talk shop with them.
  • Support Women Empowerment and appreciate their contributions, especially in compliance. Learn how #GWIC grew into a community of great women who share valuable resources and support compliance practitioners.

The Compliance Handbook, 2nd Edition incorporates the most current government pronouncements governing best practices compliance programs, including the 2019 Evaluation of Corporate Compliance Programs released by the Fraud Section of the Department of Justice, and its 2020 Update; the updated FCPA Resource Guide 2nd edition; the Framework for OFAC Compliance Commitments; and the 2019 DOJ Antitrust Division’s Evaluation of Corporate Compliance Programs in Criminal Antitrust.

Order your copy OR copies of The Compliance Handbook: A Guide to Operationalizing Your Compliance Program. Save 25% off.


How does a risk assessment provide a structured approach to establishing effective internal controls? After preparation of the risk assessment, the next step is to prioritize the listing of the risks and the locations in which they are common. This begins by mapping existing internal controls to risks and then assessing whether the internal controls are sufficient to mitigate the risks.

To help with consistency in this evaluation process, it may be useful to assign a risk weight to each of the elements in the risk assessment. For example, a construction company might assign a higher weight to the presence of movable fixed assets, while a company which sells exclusively through local distributors might assign a higher weight to the sales function than one that exclusively uses company employees for sales activities. However it is structured, the assessment should result in the assignment of individual risk scores and a composite risk score for each location. These scores can then be used to prioritize the locations in terms of dealing with control risks.

One of the biggest risks under the FCPA is where sales are conducted through third parties. If your company is moving to new geographic markets or new products and does not plan to use an internal sales team to facilitate these new efforts, it presents a high compliance risk. The 2019 SEC FCPA enforcement action against Quad Graphics was just such a situation, where a newly emerging international sales operation, acquired through an acquisition, was executed through third-party agents.

The compliance function should understand the corporate or business unit controls over the international business in addition to the necessary controls over agents. Some of the questions you might consider are the following: Is there a U.S.-based international sales manager who is responsible for growing the business? What is the incentive compensation plan? How good is the segregation of duties (SODs)? In other words, can the international sales manager unilaterally make high-risk decisions, or must a senior officer of the business unit or the corporate home office be part of the approval process? Finally, and in a point not to be forgotten or dismissed, how are these internal controls documented?

What about the opposite of the above scenario, where your company’s primary sales channel uses a U.S.-based sales force which only travels to locations outside the U.S. for temporary visits of generally short duration? This situation minimizes, retains and shifts some compliance risks. The minimized compliance risks come from the lessened reliance on third parties, so that a company, at least in theory, would have more control over its own work force than over those employed outside the company.

The retained risks are the risks associated with gifts, travel and entertainment; approval of credit terms to customers; product pricing; special arrangements with customers such as providing product samples; knowing who the ultimate customer is and where the goods are ultimately shipped; and use of freight forwarders and customs agents. Shifted risks are created if there is no physical location outside the U.S. because the accounting must be done in the U.S. This means that compliance risks regarding the accounting function simply shift to the U.S. accounting department where transactions are processed and recorded and where the financial statements are prepared. 

These identified risks need to be subject to appropriate internal controls because it is well established that the issuance of a Code of Conduct and/or compliance policy and training on said policy’s requirements is a good practice, but it does not provide reasonable assurance that employees will comply with the policies. What is needed are written procedures and work instructions, in the native language of the respective employees, that define exactly what the procedures to be performed are and how they will be evidenced. As difficult as it is for U.S. employees to translate, by themselves, what it means to comply with policies, it may be significantly more difficult for employees outside the U.S., not only due to language but also due to traditional local business practices, cultures and customs.

You can also utilize the COSO 2013 Internal Controls Framework, which created a more formal structure to design or assess the effectiveness of internal control within the five COSO components. A companion document, “Internal Control over External Financial Reporting: A Compendium of Approaches and Examples”, catalogued possible approaches and examples in the context of internal controls over financial reporting, and could be useful for companies complying with compliance internal controls under the FCPA. COSO has also published an additional companion document, “Illustrative Tools for Assessing Effectiveness of a System of Internal Control”, which provides templates that may be used to support an assessment of internal controls and includes various scenarios which illustrate several practical examples of how the templates may be used.

Finally, consider a business unit in a geographic area such as the Far East where there is a significant amount of deference to supervisors in the local culture, such that even if an employee saw inappropriate behavior it would not be expected that the employee would make any report or comment. Such situations can have a huge impact on your internal controls environment.

Effective Compliance Program Hallmark: Training and Communication with Ronnie and Ricardo

Organizations take measures to articulate their policies and guidelines realistically. Doing this ensures that they can promote their compliance and ethics programs to people with unique positions and obligations by meaningful preparation and exchanging knowledge relevant to them.

However, due to their limited understanding of the hallmarks of effective compliance, specifically training and communication, plus the amount of consideration and attention they provide to it, companies sometimes fall far short of the compliance goals.

While several companies and regulatory agencies assume that they treat the training and communication hallmark well, this is the area they sometimes curve out of their most vital point.

The reasons why most organizations struggle to fulfill the criteria of this hallmark can be:

  • Lack of daily scrutiny and continuing contact
  • For the employee, not ensuring preparation and policy coordination are appropriate.
  • Incorrect or insufficient assessment of preparation and policy efficacy
  • Not giving regard to the risk prioritization of training.

In today’s Compliance Handbook chapter, we’ll dive deeper into the fourth hallmark of effective compliance frameworks: training and communication. We’re joined by two experts in the compliance field, Ronnie Feldman and Ricardo Pellafone.

Key takeaways discussed in the chapter:

  • While training is valuable most of the time, it’s not a tool to an end in compliance. It’s a tool you use to prevent misconduct, but it’s not an end in itself. It fills a unique niche within the compliance officer’s means, but it’s compelling when used for the right purpose.
  • Discover how not to lose trust. Note that if compliance training is boring and preachy, people are annoyed at you for making them go through the experience. As a result, they don’t think well of compliance, which means they are much less likely to speak up to ask questions and report concerns.
  • Analyze who among the players in your organization had to undergo compliance training. Find answers to questions like, “Will the compliance training benefit the regular employee, or it should be those that are in the higher ends—with the authority to either create or control risk?”
  • Training is good, but also consider that people need reminding more than they need instruction.
  • Simplicity and utility are the keys! Your compliance framework should not be extensive and complicated. When things are designed well and they are useful, people will use them.
  • Have you ever been caught in a situation where, as a manager, you have to approve an invoice from a third party? What are you looking for? That is something that pretty much no one is ever trained to do. This is the big difference between the traditional top-down model of training and the training model used by Ricardo Pellafone. If you want to learn more about this training method, tune in to the chapter.
  • Comedy and entertainment principles can go along with compliance? Sure thing! We like trying new things and discover how well Ronnie blended these elements to create an effective compliance framework.

As the state of Texas goes dark due to cold weather and our junior Senator Ted Cruz (#CancunTed) heads out to Mexico to get away from it all, Tom and Jay look at this week’s top compliance and ethics stories which caught their interest on This Week in FCPA.

  1. How does weather inform compliance? Tom explores from an undisclosed power and water free location in Texas. Managing Risk, Root Cause Analysis and Continuous Risk Assessments.
  2. What is the ‘Baader-Meinhof phenomenon’ and how does it inform compliance? Dick Cassin explores in the FCPA Blog.
  3. Embezzlement and corruption? CISCO discloses both in a filing. Dylan Tokar in the WSJ Risk and Compliance Journal.
  4. Former Braskem CEO in talks to plead out. Dylan Tokar in the WSJ Risk and Compliance Journal.
  5. Hiring and screening in a pandemic. Matt Jaye in CCI.
  6. How does Tom Brady (TB12) inform compliance? Jay explores in this LinkedIn
  7. Where is SEC enforcement going under Biden? Dylan Tokar in the WSJ Risk and Compliance Journal.
  8. On The Compliance Life, Natalia Shehadeh, CCO at ABB joins me this month. In the first episode, Natalia explained why she chose the compliance profession. Check out Episode 1 and Episode 2. In Episode 3, Natalia discusses moving into the CCO chair.
  9. New podcasts out on the Compliance Podcast Network this month. In ComTech, Valerie Charles joins Tom for an exploration of the intersection of compliance and technology. Episode 2, which posted Monday, February 8, featured Parth Chanda, the Skywalker of Compliance. In Big Brains in Compliance, Tom is joined by Stephen Martin to visit with some of the top thinkers and doers in compliance. It premiered February 22. Finally, Tom premieres a new video podcast (PodTube) on YouTube: The Compliance Handbook, a podcast on the nuts and bolts of compliance. In Episode 1, he is joined by Stephen Martin to talk about how to best think through a comprehensive compliance program. In Episode 2, Tom was joined by Mike Volkov to discuss the Board’s role in Compliance.
  10. A new AMI podcast is out, Integrity Through Compliance. It will have AMI’s expert observations and guidance in the fields of ethics, antitrust, healthcare, government contracting, corporate governance, cybersecurity, construction, telecommunications, consumer protection and more. In Episode 1, AMI founder Vin DiCianni visits with AMI MD Jerry Coyne about the future of telehealth & home healthcare during a pandemic and beyond. In Episode 2, Brenda Morris and Dionne Lomax visit with Jennifer Newton. In upcoming Episode 3 on February 24, Joseph K. West, Partner & Chief Diversity and Inclusion Officer, Duane Morris joins the podcast.
  11. On Thursday, February 25, join the “Ask an Expert FINQuiry” webinar on DOLFIN: K2 Integrity’s financial crimes compliance experts will respond to your AML/CFT, sanctions, and other financial-integrity-related questions. Information and Registration here.
  12. Join the Baker Tilly Fraud 1st Annual Fraud and Compliance Summit, Tuesday, Feb 23, 2021, to Thursday, Feb 25, 2021. Details and registration here.
  13. Interested in podcasting? Want to be a part of a Guinness World Record attempt? PodFest Global Summit is a gathering for those who are passionate about sharing their voice and message with the world through audio and video. Join Tom and others at Podfest Global Summit at any time during March 1-5. Best of all, listeners to this podcast can attend at no charge. Register here, using promo code CPN.
  14. Tom announces his latest book, The Compliance Handbook, 2nd edition, is available for presale purchase. Use the code FOX25 and go here. The Compliance Handbook, 2nd edition will be available in both print and eBook editions.

Tom Fox is the Compliance Evangelist and can be reached at Jay Rosen is Mr. Monitor and can be reached at