Guy V. Lewis died last week. For those uninitiated in college basketball, Lewis was one of the greats, coaching for over 30 years at the University of Houston. He went to the Final Four five times, though, alas, he did not win any titles during those trips. While he is best remembered for his tenure during the 1980s, when he took the Phi Slama Jama (the world’s tallest fraternity) to the NCAA championships on three straight trips, many thought of Lewis as the guy who rolled the basketballs out to start practice and let his teams run (and run and run).

But the first Guy V. Lewis that I recall was the one who coached the University of Houston to victory over a previously undefeated, Lew Alcindor-led UCLA team in the 1968 Game of the Century, held in the Astrodome. I also remember Lewis (along with UH Football Coach Bill Yeoman) as one of the true leaders in desegregating college sports in the South. Lewis brought future NBA Hall of Famer Elvin Hayes and future NBA Coach Don Chaney to play for the Houston Cougars. For myself, and a generation of Southerners, Lewis was one of the leaders in the fight against hate, prejudice and segregation.

I thought about Lewis when I read an article in the New York Times (NYT) Corner Office column by Adam Bryant, entitled “When Hardship Informs Leadership”, in which he profiled Margaret Keane, the Chief Executive Officer (CEO) of Synchrony Financial. I found the article had some excellent points for the Chief Compliance Officer (CCO) to consider, not only in the role of a leader but also in the role of a colleague to others in senior management.

When leading the compliance function, or otherwise acting as a leader in any organization, Keane pointed to the need to respect the others in that organization. While many lawyers certainly do not take this into account in their role in a corporate legal department, it is a requirement in the compliance function. Keane said, “The biggest thing I learned when I first started managing people is that you really have to respect the people who were there before you showed up. So you could come in with all these great ideas, but if you come in acting like you know it all and you don’t get the buy-in, then they will reject you.”

Another key ingredient Keane talked about was how you interact with your subordinates, but not with the normal platitudes you associate with a CEO. She talked about working with talented and smart people under you. She said, “Another important lesson was getting comfortable with the idea of having people work for you who are smarter than you. When you’re young, there’s an insecurity that you have to do and know everything. There are leaders who never learn that lesson, even later on in life.”

When it came to leading alongside your peers at the senior management level, I found her next thoughts insightful. Keane believes that “A leader has to be decisive. The most frustrating thing for any organization is when you’re just waffling around and no one knows what to do. You’re going to make mistakes, but you’re better off moving the organization forward than having them waffle. And then you have to be very clear with the organization about what’s happening and why.” Once again her remarks point out a clear distinction between the legal department and the compliance function. Many corporate legal departments are very good at presenting, or at least explaining, options. This is what lawyers do. However, this is not what the compliance function or CCO does. The role is to prevent, find and fix issues before they become problems (or Foreign Corrupt Practices Act (FCPA) violations).

Keane also spoke about another angle to leadership that is not often discussed: the perception that she could not make difficult decisions. I found the reason for it, and her response, to be something a CCO often faces. Keane noted, “there was a perception that I couldn’t make hard decisions. And the reason they thought I couldn’t make hard decisions was because people liked me. I would get really angry about it because I know how to make hard decisions, but it’s always about how you treat the process when you’re making the hard decisions.”

I found this point very perceptive. A CCO generally has to be liked to do their job. They often struggle with how well they will be perceived if they have to say “No”. Keane makes clear that it is about the process. If you lay out your reasoning, having considered all the relevant facts, almost everyone will respect your decision because the process is rigorous.

Keane also talked about something that is becoming a greater problem as the compliance program matures and more compliance practitioners grow into the role of a CCO. She related, “because I’ve worked my way up, I know a lot of things. So it’s easy for me to want to jump in and try to solve something. So I’ve learned to hold myself back from solving the problem and to let the organization solve it first.”

Keane also had some thoughts that every CCO, and indeed every company, needs to consider in the hiring process. She said, “I always ask, ‘Why are you leaving your current job, and why are you coming here?’ You want to make sure people aren’t running away from something and you want to make sure they’re coming here for the right reasons. And then I want to know if they can build teams. Do they have a following? How many people have followed them from one job to the next?”

Finally, Keane ended with three points that are useful for any employee, which I found to be particularly applicable to a CCO or compliance practitioner. First, she said that you must “work hard. You’re not going to get anywhere if you don’t dig in and work hard. And that means doing things you don’t like doing and not complaining about it.” Second, she noted that you need to ask questions. Moreover, if you are not getting enough from your boss or out of an assignment, then “raise your hand” to get some attention and have the situation clarified. Finally, and perhaps most importantly, “pick your head up from your phone. Look around, see what’s happening, engage socially. As much as we think they’re social, they’re not really that social because they do everything on their phones.”

So a fond farewell to the King of Houston Hoops, Guy V. Lewis. He helped move forward the cause of racial equality in the South. I hope you finally get that championship in the great beyond. As for more temporal matters, use the techniques that Keane has suggested, particularly to use the process of fair decision-making and get off the phone and out of your office.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2015

Today, I conclude my exploration of the new Department of Justice (DOJ) Compliance Counsel and the metrics laid out by Assistant Attorney General Leslie R. Caldwell when she called for this review of compliance programs. The metrics for today’s consideration concern the source of the greatest risk under the Foreign Corrupt Practices Act (FCPA): third parties. The metrics laid out by Caldwell are as follows:

  • Does the institution sensitize third parties like vendors, agents or consultants to the company’s expectation that its partners are also serious about compliance?

Management of a Third Party Relationship

Recognizing that most Chief Compliance Officers (CCOs) and compliance practitioners understand the need for a business justification, questionnaire, due diligence and compliance terms and conditions in a contract, I was gratified to see the DOJ focusing on the final step in the lifecycle of a third party relationship as a key metric for its new Compliance Counsel to evaluate. This is because it is the management of third party relationships that continues to be a source of trouble and heartburn for many companies. As Caldwell noted in her remarks, the management of a third party relationship “means more than including boilerplate language in a contract. It means taking action – including termination of a business relationship – if a partner demonstrates a lack of respect for laws and policies. And that attitude toward partner compliance must exist regardless of geographic location.”

The FCPA Guidance itself only provides that “companies should undertake some form of ongoing monitoring of third-party relationships”. Diana Lutz, writing in the White Paper by The Steele Foundation entitled “Global anti-corruption and anti-bribery program best practices”, has gone further, noting, “As an additional means of prevention and detection of wrongdoing, an experienced compliance and audit team must be actively engaged in home office and field activities to ensure that financial controls and policy provisions are routinely complied with and that remedial measures for violations or gaps are tracked, implemented and rechecked.” But as Caldwell noted, it is a more encompassing “sensitization” to anti-corruption compliance that is needed. There are several ways for you to do so.

Relationship Manager for Third Parties

I believe that as a starting point for the management of a third party, your company should have a Relationship Manager for every third party with which your company does business. The Relationship Manager should be a business unit employee who is responsible for monitoring, maintaining and continuously evaluating the relationship between your company and the third party. Some of the duties of the Relationship Manager may include:

  • Point of contact with the Third Party for all compliance issues;
  • Maintaining periodic contact with the Third Party;
  • Meeting annually with the Third Party to review its satisfaction of all company compliance obligations;
  • Submitting annual reports to the company’s Oversight Committee summarizing services provided by the Third Party;
  • Assisting the company’s Oversight Committee with any issues with respect to the Third Party.

Compliance Professional

Just as a company needs a subject matter expert (SME) in anti-bribery compliance to be able to work with the business folks and answer the usual questions that come up in the day-to-day routine of doing business internationally, third parties also need such access. A third party may not be large enough to have its own compliance staff so I advocate a company providing such a dedicated resource to third parties. I do not believe that this will create a conflict of interest or that there are other legal impediments to providing such services. They can also include anti-corruption training for the third party, either through onsite or remote mechanisms. The compliance practitioner should work closely with the Relationship Manager to provide advice, training and communications to the third party.

Oversight Committee

I advocate that a company should have an Oversight Committee review all documents relating to the full panoply of a third party’s relationship with the company. It can be a formal structure or some other type of group, but the key is to have senior management put a ‘second set of eyes’ on any third parties who might represent the company on the sales side. In addition to the basic concept of process validation of your management of third parties, as third parties are recognized as the highest risk in FCPA or Bribery Act compliance, this is a manner to deliver additional management of that risk.

After the commercial relationship has begun the Oversight Committee should monitor the third party relationship on no less than an annual basis. This annual audit should include a review of remedial due diligence investigations and evaluation of any new or supplemental risk associated with any negative information discovered from a review of financial audit reports on the third party. The Oversight Committee should review any reports of any material breach of contract including any breach of the requirements of the Company Code of Ethics and Compliance. In addition to the above remedial review, the Oversight Committee should review all payments requested by the third party to assure such payment is within the company guidelines and is warranted by the contractual relationship with the third party. Lastly, the Oversight Committee should review any request to provide the third party any type of non-monetary compensation and, as appropriate, approve such requests.

Audit

A key tool in managing the affiliation with a third party post-contract execution is auditing. Audit rights are a key clause in any compliance terms and conditions and must be secured. Your compliance audit should be a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which your compliance terms and conditions are followed. Noted fraud examiner Tracy Coenen described the process as (1) capture the data; (2) analyze the data; and (3) report on the data, which is also appropriate for a compliance audit. As a baseline I would suggest that any audit of a third party include, at a minimum, a review of the following:

  1. the effectiveness of existing compliance programs and codes of conduct;
  2. the origin and legitimacy of any funds paid to Company;
  3. books, records and accounts, or those of any of its subsidiaries, joint ventures or affiliates, related to work performed for, or services or equipment provided to, Company;
  4. all disbursements made for or on behalf of Company; and
  5. all funds received from Company in connection with work performed for, or services or equipment provided to, Company.

If you want to engage in a deeper dive you might consider evaluation of some of the following areas:

  • Review of contracts with third parties to confirm that the appropriate FCPA compliance terms and conditions are in place.
  • Determine that actual due diligence took place on the third party.
  • Review the FCPA compliance training program, both the substance of the program and the attendance records.
  • Does the third party have a hotline or any other reporting mechanism for allegations of compliance violations? If so, how are such reports maintained? Review any reports of compliance violations or issues that arose through anonymous reporting, a hotline or any other reporting mechanism.
  • Does the third party have written employee discipline procedures? If so, have any employees been disciplined for any compliance violations? If yes, review all relevant files relating to any such violations to determine the process used and the outcome reached.
  • Review employee expense reports for employees in high-risk positions or high-risk countries.
  • Testing for gifts, travel and entertainment that were provided to, or for, foreign governmental officials.
  • Review the overall structure of the third party’s compliance program. If the third party has a designated compliance officer, to whom, and how, does that compliance officer report?
  • How is the third party’s compliance program designed to identify risks and what has been the result of any so identified?
  • Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third party.
  • With regard to any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and apply analytical procedures and testing.

Tying it all Together

In addition to monitoring and oversight of your third parties, you should periodically review the health of your third party management program. Diana Lutz and her colleague Marjorie Doyle, in an article entitled “Third Party Essentials: A Reputation/Liability Checkup When Using Third Parties Globally”, gave a checklist to test companies on their relationships with their third parties, which is as follows:

  1. Do you have a list or database of all your third parties and their information?
  2. Have you done a risk assessment of your third parties and prioritized them by level of risk?
  3. Do you have a due diligence process for the selection of third parties, based on the risk assessment?
  4. Once the risk categories have been determined, create a written due diligence process.
  5. Once the third party has been selected based on the due diligence process, do you have a contract with the third party stating all the expectations?
  6. Is there someone in your organization who is responsible for the management of each of your third parties?
  7. What are “red flags” regarding a third party?

The robustness of your third party management program will go a long way towards preventing, detecting and remediating any compliance issue before it becomes a full-blown FCPA violation. As with all the steps laid out in this series, you need to fully document all steps you have taken so that any regulator, and specifically the DOJ Compliance Counsel, can test your metrics. Caldwell’s remarks around the metrics reviewed in this series may not have been anything new but she has laid out what the new Compliance Counsel will be reviewing and evaluating so you understand what will be expected from your company’s compliance program. You should also use these metrics to conduct a self-assessment on the state of your compliance program.

Caldwell’s short mention of managing third parties is one of the most important metrics of any best practices FCPA compliance program.



© Thomas R. Fox, 2015

Today, we continue our exploration of the new Department of Justice (DOJ) Compliance Counsel and the metrics laid out by Assistant Attorney General Leslie R. Caldwell when she called for this review of compliance programs. Today we review the first criterion and tie it to a second one that was made specifically applicable to financial institutions, but which I believe both should and soon will apply to non-financial institutions as well. These metrics are:

  • Are the institution’s compliance policies clear and in writing? Are they easily understood by employees? Are the policies translated into languages spoken by the company’s employees?
  • Does the institution ensure that its compliance policies are effectively communicated to all employees? Are its written policies easy for employees to find? Do employees have repeated training, which should include direction regarding what to do or with whom to consult when issues arise?

The written policies and procedures required for a best practices compliance program are well known and long established. As stated in the FCPA Guidance, “Among the risks that a company may need to address include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.” Policies help form the basis of expectation and conduct in your company, and procedures are the documents that implement these standards of conduct.

Stephen Martin, the head of Baker and McKenzie’s Compliance Consulting Practice, and his former law partner Paul McNulty, developed one of the best formulations that I have seen of these requirements in their Five Elements of an Effective Compliance Program. In this formulation, they posit that your Code of Conduct, policies and procedures should be grouped under the general classification of ‘Standards and Procedure’. They articulate that every company has three levels of standards and controls. First, every company should have a Code of Conduct, which should, most generally, express its ethical principles. But simply having a Code of Conduct is not enough so a second step mandates that every company should have standards and policies in place that build upon the foundation of the Code of Conduct and articulate Code-based policies, which should cover such issues as bribery, corruption and accounting practices. From the base of a Code of Conduct and standards and policies, every company should then ensure that enabling procedures are implemented to confirm those policies are executed, followed and enforced.

Another way to think of policies, procedures and controls was stated by Aaron Murphy, now a partner at Akin Gump, in his book “Foreign Corrupt Practices Act”, when he said that you should think of all three as “an interrelated set of compliance mechanisms.” Murphy went on to say, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.”

John Allen, in an article in the Houston Business Journal (HBJ), entitled “Company policies are source and structure of stability”, said that written policies and procedures “are not a surefire guarantee that things won’t go wrong, they are the first line of defense if things do.” The effective implementation and enforcement of policies demonstrate to regulators and the government that a “company is operating professionally and proactively for the benefit of its stakeholders, its employees and the community it serves.” If it is a company subject to the FCPA, by definition it is an international company so that can be quite a wide community.

Allen identified five key elements to any well-constructed policy. They are:

  • identify to whom the policy applies;
  • establish the objective of the policy;
  • explain why the policy is necessary;
  • outline examples of acceptable and unacceptable behavior under the policy; and
  • warn of the consequences if an employee fails to comply with the policy.

Allen notes that for policies to be effective there must be communication. He believes that training is only one type of communication. I think that this is a key element for compliance practitioners because if you have a 30,000+ worldwide work force, the logistics alone of such training can appear daunting. Small groups, where detailed questions about policies can be raised and discussed, can be a powerful teaching tool. Allen even suggests posting FAQs in common areas as another technique. And do not forget that one of the reasons Morgan Stanley received a declination to prosecute from the DOJ was that it sent out bi-monthly compliance reminder emails to its employee, Garth Peterson, for the seven years he was employed by the company.

The FCPA Guidance ends its section on policies with the following, “Regardless of the specific policies and procedures implemented, these standards should apply to personnel at all levels of the company.” This means that policies are applied fairly and consistently across your company. If there is not consistent application, Allen notes, “there is a greater chance that an employee dismissed for breaching a policy could successfully claim he or she was unfairly terminated.” This last point cannot be over-emphasized. If an employee is going to be terminated for fudging their expense accounts in Brazil, you had best make sure that same conduct lands your top producer in the US with the same quality of discipline.

These metrics also specifically set out that policies and procedures need to be translated into appropriate local language. This follows clear input from the FCPA Guidance, which says “it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it.” This means that training should also be in an appropriate local language so that your employees can understand their obligations under the FCPA and your company’s expectations around ethics and compliance.

Communication of Written Program

The communication of your anti-corruption compliance program is something that must be done on a regular basis to help ensure its effectiveness. The FCPA Guidance explains, “Compliance policies cannot work unless effectively communicated throughout a company. Accordingly, DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.”

“Conducting effective training programs” is listed in the 2011 US Sentencing Guidelines as one of the factors the DOJ will take into account when a company accused of a FCPA violation is being evaluated for a sentence reduction. The US Sentencing Guidelines mandate, “(4) (A) The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subdivision (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.”

One of the key goals of any FCPA compliance program is to train the company. But more than simply training, I believe these new metrics mandate that you demonstrate the effectiveness of your compliance training. The testing and evaluation of your FCPA compliance training program is an important aspect not to overlook. In their book, entitled “Foreign Corrupt Practices Act Compliance Guidebook”, authors Martin and Daniel Biegelman explore some techniques which can be used to evaluate FCPA compliance training. They believe a general assessment of those trained on the FCPA and your company’s compliance program is only a starting point. They list five possible questions as a starting point for the assessment of the effectiveness of your FCPA compliance training:

  1. What does the FCPA stand for?
  2. What is a facilitation payment and does the company allow such payments?
  3. How do you report compliance violations?
  4. What types of improper compliance conduct would require reporting?
  5. What is the name of your company’s Chief Compliance Officer?

The authors set out other metrics that can be used in the post-training evaluation phase. They point to any increase in hotline use: are there more calls into the compliance department requesting assistance, or even asking questions about compliance? Is there any decrease in compliance violations or other acts of non-compliance?

While many companies have focused on the written components of a best practices compliance program, I believe these new Compliance Counsel metrics require that companies work to ensure the training is effective. It must be communicated in a manner designed to make an impression. This includes appropriate translations of the written documents and translations of your oral training presentations as well.



© Thomas R. Fox, 2015