The DOJ has made clear that middle management is a critical part of any compliance program’s success. While it does all start at the top, with the Board of Directors and senior executives setting the tone for the rest of the company, prosecutors are mandated under the 2019 Guidance to examine “how middle management, in turn, have reinforced those standards and encouraged employees to abide by them.” Moreover, the 2019 Guidance posed several questions directly to middle management, including the following: What actions have middle-management stakeholders taken to demonstrate their commitment to compliance or compliance personnel, including their remediation efforts? Have they persisted in that commitment in the face of competing interests or business objectives?

It is clear that the DOJ expects compliance to be operationalized down into the middle management level. Further, experience has widely shown that employees prefer to speak to their direct supervisors about issues or potential compliance violations they become aware of. The question is how a corporate compliance function can reach middle management. This is a key area of assistance that can be provided by Human Resources: one of the ways that HR can help to operationalize compliance is to assist each level of an organization, specifically the middle, to have a proper tone.

You must think about your lines of communication and your communication skills when conveying your message of compliance down from the top into the middle of your organization.

Three key takeaways:

  1. While tone at the top is critical, the tone in the middle can actually work to more fully operationalize compliance.
  2. How do you train middle managers?
  3. What compliance tool kit do you provide to middle managers?



This week’s guest on the Innovation In Compliance show is Sean Freidlin, Director of Product Marketing at SAI Global. He and Tom Fox chat about the article he recently posted on LinkedIn, Rise and Shine: The Morning Show’s Wakeup Call to Corporate America.

Overlapping Themes

Sean says that the central themes in movies often overlap with the common themes in ethics and compliance programs. In particular, he noticed that Apple’s flagship program, The Morning Show, tackles almost every issue that compliance teams build training about or write about in their code of conduct. Issues such as sexual harassment, diversity and inclusion, whistleblowing and retaliation are issues that many companies deal with. Sean comments that he applauds the risk Apple took to make the show, which shows their commitment to speak up about abuse of power when they see it.

Compliance and Ethics Issues

Tom asks Sean what the general story arc of The Morning Show is. Sean summarizes the plot, which includes a sexual harassment scandal, and comments that the show explores the butterfly effect on the culture and the people working there, as well as the corporate politics that are involved in managing a scandal. Sexual harassment is one of the top two issues that ethics and compliance professionals have focused on in the last year, according to Sean. He highlights several lessons ethics and compliance professionals can garner from the show, including:

  • Some people don’t know what isn’t allowed;
  • There should be a deeper commitment to communicating company values and policies;
  • The show highlights the role personal connections and relationships play in perpetuating a culture where people don’t do the right thing.

A Dilemma

You might find it harder to do the right thing if you like your boss or your colleague, but you know they’re doing something wrong. Your relationship with that person may cloud your judgment, Sean says. A positive and ethical leader has a positive influence on employees’ behavior; but a manager or leader who disregards the rules, policies and values of the company, will negatively affect everyone else. The bottom line, Sean points out, is that relationships are an essential part of a compliant organization or a culture where people do the right thing.

Tom quotes a line from Sean’s article, “Successful and powerful men can manage to survive and even thrive on their charm and influence, despite the unethical and immoral choices they make.” He and Sean discuss the moral and ethical dilemma of doing the wrong thing if it will help you be more successful.

The Reality of Whistleblowing

Sean says that The Morning Show does an excellent job of exploring what happens after you blow the whistle. A common mantra today is ‘If you see something, you should say something.’ However, saying something is just the beginning, Sean says. The one who blows the whistle faces more than just retaliation: the emotional impact is even weightier. That person has to live with the stress of knowing that the misconduct they reported is ultimately going to be the catalyst for so much drama, such as people losing their jobs, and the company losing money.


Rise and Shine: The Morning Show’s Wakeup Call to Corporate America

Sean Freidlin on LinkedIn

The role of HR in corporate compliance programs is often underestimated. If your company has a culture where compliance is perceived to be in competition with, or worse yet antithetical to, HR, the company certainly is not hitting on all cylinders and may be moving towards dysfunction. Another way you can operationalize compliance is through HR’s involvement in employee promotion. Such compliance embedded into the promotion process can also be considered an internal compliance control. By doing so, your compliance function may well work to create an effective internal controls regime as mandated by the FCPA and other anti-corruption laws.

Three key takeaways:

  1. Denying a promotion or award due to an employee’s ethical lapses.
  2. Use promotions to reinforce your company’s commitment to compliance and ethics.
  3. Should you wait for great?

The exit interview can be a further mechanism to operationalize compliance. This type of interview is used when someone voluntarily departs from a company, as opposed to a lay-off or reduction in force exercise. Typically, departing employees are more willing to share their experiences, concerns and issues which led to their departure.

Three key takeaways:

  1. The exit interview is an excellent opportunity to obtain information to inform your compliance program.
  2. Use the exit interview to create advocates from departing employees.
  3. Use the exit interview for probing and insightful questions around compliance.


One of the ongoing questions faced by compliance practitioners is how to measure the effectiveness of your compliance program. One of the mechanisms to do so is through Key Performance Indicators (KPIs). KPIs are a critical component in showing compliance program success (or failure), in showing whether you have been working towards your stated goals, and in reporting success. And while specific requirements for this kind of reporting have been hotly debated in the industry for some time, KPIs are a requirement. Your KPIs are going to be specific and unique to your company and what business it conducts, along with what goals you’re trying to achieve as a whole and as a compliance program, so there is no “set” list of these metrics.

How can you think about setting your KPIs? There are several steps you need to take to pursue this approach. The first thing you must do is to agree on the manner in which to use KPIs and then the blueprint for going forward. You should apply the KPIs to as wide a swath of your compliance program as possible, literally to all employees across the globe and including your Code of Conduct and the policies and procedures of your compliance program. Standardization of the measurements is key through standard mechanisms and forms. This is important not only to achieve consistency but also due to the upfront cost of development. If you can develop and utilize the same measuring mechanisms and reporting forms this will decrease costs and increase efficiencies over monitoring cycles.

Next is the area of reporting. Obviously, by assigning values to KPIs you can more easily track the results and move to increase efficiencies. This will also allow you to better track progress over time. Ongoing monitoring provides not only the opportunity but also the basis for ongoing enhancement to your company’s compliance program. You can utilize the results to effect improvement on a broad-based focus or into the weeds at a more granular level. Any new, emerging risks or noteworthy changes to the likelihood or severity of your organizational profile, either due to business changes or environmental developments, can also be tracked.

Such results can be used in a wide variety of other compliance areas as well. One of the hardest areas in compliance is determining effectiveness of training. Putting KPIs around how many employees have successfully completed training and policy requirements, including the results of any post-training tests and policy attestation rates, can assist in this endeavor. In the area of employee feedback, you can put KPIs around what you receive through employee focus groups, culture surveys and knowledge assessments, and how you are using this feedback to drive improvements. Finally, you can put KPIs around audit findings, specifically around the results of both internal and external audits and what these findings mean for the organization and the compliance program.

How do you go about measuring KPIs? One of the greatest things about the compliance profession is that we are only limited by our collective imagination. This means that, in an area such as compliance and KPIs where there are no clear guidelines for compliance professionals, you can use today’s data-saturated world and the heightened sensitivity around compliance across industries to develop the right KPIs for your organization. Start with the proposition that you need a sound method to measure your compliance program’s effectiveness. From there, consider a risk-based program to specifically account for an organization’s unique risk profile. Working from a risk-based assessment framework can establish the KPIs needed to identify program improvements. One way to do so is to provide a quantitative process maturity rating scale of 1-4 for each KPI. Each identified and evaluated compliance program area is then given a rating. An aggregate rating can then be calculated for each area. The ratings allow you to identify opportunities, analyze the root cause of the deficiency, assign ownership for improvement action and track next steps to ensure any vulnerabilities or weaknesses are resolved.

The rating scale would go something like the following. At a ranking of 1, the issue is not fully mitigated by control or there are inconsistencies in the processes that make them susceptible to breakdowns and/or scrutiny. Under level 2, your compliance program processes and controls are in place to mitigate risk and are consistently operating. The third would be best practice, where your compliance processes have achieved best practice criteria. Finally, level 4 is where your compliance program has matured beyond best practice criteria.

KPIs provide yet another mechanism for you to monitor and update your compliance program on an almost continuous basis. KPIs can be extremely low in cost and therefore something you can put in place without a lot of approval from the higher-ups in your organization to whom you might otherwise have to go for budget approval. Finally, innovation can come in many ways. Obviously ComTech can be a huge jump forward. But sometimes innovation can occur at much less cost and a much more granular level. KPIs can be such a mechanism for you.

I am presenting two upcoming events, sponsored by Convercent, where we are going to discuss compliance innovation, specifically including KPIs. I hope you can join me for one of them. The first one will be Roundtable in Houston TX, on March 10 from 12-2 at Steak 48. Registration and information is here. The second will be a Forum in NYC on March 12, from 3:30 to 7 at Santina. Registration and information is available here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2020