There are three core areas upon which Directors should focus their attention to help establish and maintain an effective compliance program. They are: (1) structure, (2) culture, (3) risk management.

Structural Questions

This area consists of questions which will aid in determining the fundamental sense of a company’s overall compliance program. The questions should begin with the basics of the program through to how the program operates in action. Some of the structural questions Board members should ask are the following.

  • Who oversees the operation of the program?
  • What is in the Code of Conduct? Is each Board member aware of corporate standards and procedures?
  • How are complaints being received?
  • Who conducts investigations and acts on the results?
  • What corporate resources are being devoted to the compliance and ethics program?
  • How much money is allocated to the program?
  • What types of training are required? How effective is it?
  • Have any compliance failures been detected? If so, how was such detection made?
  • If a company’s compliance program is less mature, what are the charter compliance documents?
  • If a company’s compliance program is more mature, there should be queries regarding the roles of the General Counsel vs. a Chief Compliance Officer. What is the CCO reporting structure?

Cultural Questions

This area of inquiry should focus on the culture of the organization regarding compliance. Board members should have an understanding of what message is being communicated not only from senior management but also middle management. Equally important, the Board needs to understand what message is being heard at the lowest levels within the company. Some of the cultural questions Board members should ask are the following.

  • When did the company last conduct a survey to measure the corporate culture of compliance?
  • Is it time for the company to resurvey to measure the corporate culture of compliance?
  • If a survey is performed, what are the results? Have any deficiencies been demonstrated? If so, what is the action plan going forward to remedy such deficiencies?
  • Did any compliance investigations arise from a cultural problem?
  • Regardless of any survey results, what can be done to improve the culture of compliance within the company?
  • If there were any acquisitions, were they analyzed from a compliance culture perspective?
  • Are there any M&A deals on the horizon? Have they been reviewed from the compliance perspective?

Risk Management Questions

Board members need to understand the company’s process being used to identify emerging risks, their evaluation and management. Such risk analysis would be broader than simply a compliance risk assessment and should be tied to other broader corporate matters.

  • What is the risk assessment process?
  • How effective is this risk assessment process? Is it stale?
  • Who is involved in the risk assessment process?
  • Does the risk assessment process take into account any new legal or compliance best practices developments?
  • Are there any new operations that pose substantial compliance risks for the company?
  • Is the company tracking enforcement trends? Are any competitors facing enforcement actions?
  • Has the company moved into any new markets which impose new or additional compliance risks?
  • Has the company developed any new product or service lines which change the company’s risk profile?

Three Key Takeaways

  1. A Board of Directors should inquire into the structural component of the compliance program as it will aid in determining the fundamental sense of a company’s overall compliance program.
  2. Cultural questions should be asked to garner an understanding of what message is being communicated not only from senior management but also middle management.
  3. Risk management questions should be asked to understand the company’s process being used to identify emerging risks, their evaluation and management.

Over the weekend, my wife and I caught the current Bon Jovi This House is Not For Sale Tour. My rock and roll foundation was laid in the 60s/70s so the group is not all that relevant for me. However, they are substantially relevant for my wife so she rocked out the three-hour show as did about 98% of the sold out house. Even if they are not in my top ten bands, I know a great show when I see one and these guys put on a heck of a rock and roll show.

One thing that Jon Bon Jovi said during the show struck me as a great insight for the Chief Compliance Officer (CCO) or compliance practitioner. He was explaining the inspiration which came to him for the name of the latest Bon Jovi album which was the title of this year’s tour. He also said that while the band was cutting the album, he put out the name of the album along with some concept art to the band’s fan base. He expected some response but he was overwhelmed by the use of the album’s theme, what it meant to so many others and how the band’s fans’ collective vision influenced his thinking while writing songs for the album and then recording them. I found it to be a great insight around the two-way use of social media.

For every CCO or compliance practitioner, you have multiple audiences. First and foremost is your employee base but there can be third parties, shareholders or other stakeholders. One of the key insights of a number of business leaders I have studied for my multiple books on leadership and my podcast, 12 O’Clock High, a podcast on leadership, is the art of listening. I thought about Bon Jovi’s comments when I read an article in the MIT Sloan Management Review, entitled “How Twitter Users Can Generate Better Ideas”, in which authors Salvatore Parise, Eoin Whelan and Steve Todd postulated that “New research suggests that employees with a diverse Twitter network – one that exposes them to people and ideas they don’t already know – tend to generate better ideas.” Their research led them to three interesting findings: (1) “Overall, employees who used Twitter had better ideas than those who didn’t.”; (2) In particular, there was a link between the amount of diversity in employees’ “Twitter networks and the quality of their ideas.”; and (3) Twitter users who combined idea scouting and idea connecting were the most innovative.

I do not think the first point is too controversial or even insightful as it simply confirms that persons who tend to have greater curiosity tend to be more innovative. The logic is fairly straightforward, as the authors note, “Good ideas emerge when new information received is combined with what a person already knows.” In today’s digitally connected world, the amount of information in almost any area is significant. What the authors were able to conclude is that through the use of Twitter, “the potential for accessing a divergent set of ideas is greater.”

However, it was the third finding that I thought could positively impact the compliance profession, the role of the Idea Scout and the Idea Connector. “An idea scout is an employee who looks outside the organization to bring in new ideas. An idea connector, meanwhile, is someone who can assimilate the external ideas and find opportunities within the organization to implement these new concepts.” For the compliance practitioner, the ability to “identify, assimilate and exploit new [compliance] ideas” is the key takeaway. However, to improve your compliance innovation, “you need to maintain a diverse network while also developing your assimilation and exploitation skills.”

For the compliance practitioner, Twitter can be “described as a ‘gateway to solution options’ and a way to obtain different perspectives and to challenge one’s current thinking.” Interestingly, the authors found that “It’s not the number of people you follow on Twitter that matters; it’s the diversity within your Twitter network.” The authors go on to state, “Diversity of employee’s Twitter network is conducive to innovation.” Typically an Idea Scout will “identify external ideas from experts and resources on Twitter.” Clearly the compliance practitioner can take advantage of experts within the anti-corruption compliance field but there is perhaps an equally rich source of innovation from those outside this arena.

An interesting approach was what the authors called the “breadcrumb” approach to finding innovation leaders and thought-provokers. It entailed a “period of “listening” to colleagues and industry leaders who are on the platform – including what they are tweeting about, who they are following and replying to on the platform, who is being retweeted often”. So, as with most good leadership techniques, the first key is to listen.

Equally important to this Idea Scout is the Idea Connector, who is putting the disparate strands from Twitter’s 140 character tweets together. For the compliance function, this will be someone who identifies compliance best practices or other information from Twitter ideas, can then put them together and direct the information to the relevant company stakeholders. Finally, such a person can “Curate Twitter ideas and matches them with company resources needed to implement them.”

Here the authors listed a variety of ways an Idea Connector can use Twitter. One user said, “I try to sift through all the Twitter content from my network and look for trends and relationships between topics. I put my analysis and interpretation on it. I feel that’s where my value-add is.” Another method is to focus on analytics and one user “filtered specific subsets of the topic for different stakeholders” at his company. Another method was to create “social dashboards or company blogs based on the insight” received through Twitter. Interestingly, one of the key requirements for successfully mining Twitter was in finding ways to share its content “since many employees, especially baby-boomers don’t use the platform themselves.” Conversely, mining information from Twitter and presenting it can allow these ‘technologically challenged’ older employees to ascertain how they can target millennials.

But as much as these concepts can move a CCO or compliance practitioner to innovation in a compliance program, it can also foster additional information through the following of your own employees. It is well known that Twitter can facilitate greater communication to and between the compliance function and its customer base, aka the company employees. However the authors also point to the use of Twitter to enable this same type of innovation because it “is different than email and other forms of information sources in that it enables continuous engagement”.

Twitter was created to allow people to connect with one another and communicate about their activities. However, the marketing potential was immediately seen and used by many companies. Now a deeper understanding of its use and benefits has developed. For the compliance practitioner, one thing you want to consider is to align your Twitter and greater social media strategy with your compliance strategy; match your Twitter strategy to your compliance strategy.

Twitter can be a powerful tool for the compliance practitioner, as it allows you to both listen and communicate. It is one of the only tools that can work both inbound, for you to obtain information and insight, and in an outbound manner as well, where you are able to communicate with your compliance customer base, your employees. You should work to incorporate one or more of the techniques listed herein to help you burn compliance into the DNA fabric of your organization.

To further facilitate your experience, I would suggest you fire up Bon Jovi’s latest album, This House is Not For Sale.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2017

Where does “Tone at the Top” start? With any public and most private US companies, it is at the Board of Directors. But what is the role of a company’s Board in FCPA compliance? We start with several general statements about the role of a Board in US companies. First, a Board should not engage in management but should engage in oversight of a CEO and senior management. The Board does this through asking hard questions, risk assessment and identification.

In a recent White Paper, entitled “Risk Intelligence Governance-A Practical Guide for Boards” the firm of Deloitte & Touche laid out six general principles to help guide Boards in the area of compliance risk governance. I have adapted them for the Board role around compliance.

  1. Define the Board’s Role-there must be a mutual understanding between the Board, CEO and senior management of the Board’s responsibilities.
  2. Foster a culture of compliance risk management-all stakeholders should understand the compliance risks involved and manage such risks accordingly.
  3. Incorporate compliance risk management directly into a strategy-oversee the design and implementation of compliance risk evaluation and analysis.
  4. Help define the company’s appetite for compliance risk-all stakeholders need to understand the company’s appetite or lack thereof for compliance risk.
  5. Execute the compliance risk management process-the compliance risk management process should maintain an approach that is continually monitored and has continuing accountability.
  6. Benchmark and evaluate the compliance process-compliance systems need to be installed which allow for evaluation and modifying the compliance risk management process for compliance as more information becomes available or facts or assumptions change.

All of these factors can be easily adapted to FCPA compliance and ethics risk management oversight. Initially it must be important that the Board receive direct access to such information on a company’s policies on this issue. The Board must have quarterly or semi-annual reports from a company’s Chief Compliance Officer to either the Audit Committee or the Compliance Committee. This commentator recommends that a Board create a Compliance Committee as the Audit Committee may more appropriately deal with financial audit issues. A Compliance Committee can devote itself exclusively to non-financial compliance, such as FCPA compliance. The Board’s oversight role should be to receive such regular reports on the structure of the company’s compliance program, its actions and self-evaluations. From this information the Board can give oversight to any modifications to managing FCPA risk that should be implemented.

There is one other issue regarding the Board and risk management, including FCPA risk management, which should be noted. It appears that the Securities and Exchange Commission (SEC) desires Boards to take a more active role in overseeing the management of risk within a company. The SEC has promulgated Reg SK 407 under which each company must make a disclosure regarding the Board’s role in risk oversight which “may enable investors to better evaluate whether the board is exercising appropriate oversight of risk.” If this disclosure is not made, it could be a securities law violation and subject the company which fails to make it to fines, penalties or profit disgorgement.

Three Key Takeaways

  1. The Board’s role is to keep really bad things from happening to a Company.
  2. There are six general areas the Board can inquire into and lead from.
  3. SEC Reg SK 407 may put greater scrutiny on Boards.

What are 6 fast and efficient areas of inquiry for a Board around compliance?

On this day in 1836, Colonel William Barrett Travis issued his now famous call for help on behalf of the Texan troops defending the Alamo. It has gone down as one of the great cries for freedom-loving peoples everywhere. The plea was made the day after a large Mexican force, commanded by General Antonio Lopez de Santa Ana, arrived suddenly in San Antonio. Travis and his troops took shelter in the Alamo, where they were soon joined by a volunteer force led by Colonel James Bowie. Though Santa Ana’s 5,000 troops heavily outnumbered the several hundred Texans, Travis and his men determined not to give up. On February 24, they answered Santa Ana’s call for surrender with a bold shot from the Alamo’s cannon. Furious, the Mexican general ordered his forces to launch a siege.

Addressing one of the pleas to “The People of Texas and All Americans in the World,” Travis ended his call for help with the following, “I call on you in the name of Liberty, of patriotism and everything dear to the American character, to come to our aid, with all dispatch. The enemy is receiving reinforcements daily and will no doubt increase to three or four thousand in four or five days. If this call is neglected, I am determined to sustain myself as long as possible and die like a soldier who never forgets what is due to his own honor and that of his country.”


While Travis certainly took the direct approach with General Santa Ana, the same cannot be said to always be appropriate for a Chief Compliance Officer (CCO) or compliance practitioner. Indeed, I am continually amazed at the sources, seemingly about as far as possible from the world of Foreign Corrupt Practices Act (FCPA) compliance, that lend themselves to CCO lessons. One such unexpected source was the Financial Times (FT) Business Book of the Year Award judging competition. Andrew Hill, in his On management column, wrote about the “horse-trading, mind games and bluff” engaged in by the business executives, professorial types and editors who make up the judging panel, in a piece entitled “Seven lessons from the FT’s business book prize judges”. There are two rounds: the first selects a shortlist of six books and the second chooses the winner.

The seven lessons were about navigating “the fine art of group decision-making”. As every CCO must lead through group consensus, I thought it was an excellent article to draw upon for leadership lessons for such a person. Hill thought the discussions around this book award could be “lessons for far weightier decisions, such as selecting a chief executive.”

Hill believed the first point was almost self-obvious, which is “people whose time is precious must set priorities.” I often say that meetings are the bane of corporate existence and this book award process is no different. Hill noted that while the selection process in fiction awards can drag on for hours, in the initial meeting “the jury ruthlessly dismissed the weakest titles in the first 30 minutes.”

Second, “preparation is everything.” This is more than simply reading the books or even for a CCO reading all the memos but being ready for the political aspects of the event. Hill noted, “I have seen judges strike alliances in taxis en route to the meeting, or over coffee before the formalities begin, as they jockey to get their favourite titles through to the final six.”

Third, at times team decisions require deft and nuanced leadership. One example was the change in meeting styles from Fed Chairmen Alan Greenspan to Ben Bernanke. Greenspan was an autocrat who “quashed dissent…by laying out his preferences at the start of the policy discussion.” Contrastingly, Bernanke changed the tone of the meetings by “inviting others to voice their options first” and reserving his “judgment to the end.”

Fourth, a “diversity of approach yields the best decision”. Hill reported that “Some judges apply a strict, quasi-scientific method — separating the books into genres or styles — and some trust their gut. Executives tend to put a premium on the topic of the books (the rise of China, say, or the march of technology); journalists and writers on the panel naturally favour elegant prose. To win, business books have to satisfy those contrasting viewpoints.”

Fifth, “flexibility is important.” But more than being flexible Hill noted there was the technique of reciprocity, as articulated by Robert Cialdini who wrote about the concept in his seminal work, Pre-Suasion. Cialdini’s key thesis is “people say yes to those they owe” and Hill wrote that by “gracefully conceding on one of their choices, panelists may win reciprocal support for another.”

Sixth, use your veto power sparingly or I might say, listen, listen and listen before making up your mind and then making a decision. A team by its nature will move towards consensus. If you break that consensus with a veto, rash or otherwise, you will probably hear about it for some time to come.

Seventh, and finally, “compromise with care.” While it is certainly a requisite to listen, it is important to listen with empathy to understand the perspective of other parties and you must “strike a balance between co-operation and competition.” If you have too much empathy, you may fail to “advance your own interests.”

Hill concluded with an interesting twist. He wrote, “Sometimes a surprise contender bursts through to the shortlist of six, ahead of books that initially seemed bound to reach the final. As one judge and non-executive director told me, there are dark parallels with the way boards sometimes mishandle succession planning. A candidate for chief executive who is some board members’ favourite loses out to a less suitable rival who was their second choice. That is tolerable when only book sales are at stake, unacceptable when the future of a whole enterprise depends on the decision.”




In these final five days of my One Month to a Better Board series, I will look at inquiries and questions a Board can take to help the organization actually do compliance going forward. I begin with an exploration of how a Board can work to incorporate the compliance function into a long-term business strategy of the organization. A Board can do so by engaging with the Chief Compliance Officer and compliance function through having a strong Board which is committed to doing business ethically and in compliance with anti-corruption laws such as the FCPA and engaging actively with the CCO and compliance function. This post will begin a discussion of various tools and techniques a Board can use and engage to move to this level of engagement.

The first point is to develop a framework for incorporating compliance into your long-term strategy. This framework draws from the State Street Global Advisors’ strategy for sustainability and adapts it to compliance. Setting up the framework for evaluation of the compliance function is a three-step process, which you can use to determine how comprehensive your compliance program is as a starting point.

Step 1-has the company identified the compliance issues relevant to the Board?

Step 2-has the company assessed and incorporated those compliance issues into its long-term strategy?

Step 3-has the company communicated its approach to compliance and the influence of those factors on its overall strategy?

From this initial inquiry you can move into some specific questions that the Board can use to determine the overall state of your company’s compliance program. First a Board can work to identify compliance issues material to your organization. This can be accomplished with compliance related key performance indicators, which a Board should then prioritize to elevate their impact on compliance. A Board should consider these through the life-cycle of a business line or geographic sales area. Next the Board should work to move compliance into both the long-term strategy for the company and also have the CCO detail the long-term strategy for the compliance function.

Drawing from the February release of the Justice Department Evaluation of Corporate Compliance Programs (Evaluation), the Board should actively work to incorporate compliance into the long-term capital allocation of the company. Obviously the earlier the investment the better, as it brings benefits such as brand differentiation, lowering the risk profile of the company and improving nimbleness in market responses.

The Board should oversee the incorporation of KPIs into senior management performance evaluations and compensation. Once again building upon the Evaluation, which asks how the company monitors its senior leadership’s behavior and how senior leadership modelled proper behavior to subordinates, the Board should make certain systems are in place to quantify or measure performance related to compliance issues, should establish performance goals against which they measure compliance achievement and finally disclose to shareholders the material compliance issues that drive compensation, the specific goals or performance targets that management has to achieve and report on the actual performance against established goals to justify compensation payouts.

Finally, the Board should work to communicate the influence of compliance factors on overall corporate strategy by demonstrating how compliance was integrated into the business. Not only is this good from a business perspective and shareholder expectation but also, as the DOJ Evaluation makes clear, what the government expects is the operationalization of compliance going forward.

These general factors will lead us into more specific questions that a Board can pose as we continue one month to a better board for a best practices compliance program.

Three Key Takeaways

  1. Having a long term strategy is critical.
  2. What is the Board’s framework for assessing compliance?
  3. Create KPIs to measure senior management’s actions around compliance.