I guess Matt Kelly cannot leave his journalist roots behind, for it was he who broke the story within the greater compliance community that the Department of Justice (DOJ) very quietly released a document, entitled “Evaluation of Corporate Compliance Programs” (Evaluation), on the Fraud Section website late last week. Kelly gave kudos to the law firm of White and Case for the initial notice, but as they are FCPA Inc., Kelly gets the call for being the first to announce it to the compliance community. The document is an 11-part list of questions which encapsulates the DOJ’s most current thinking on what constitutes a best practices compliance program. Within the list are some 46 different questions that a Chief Compliance Officer (CCO) or compliance practitioner can use to benchmark a compliance program. In short, it is an incredibly valuable and useful resource for every compliance practitioner. Over the next couple of blog posts, I will be taking a look at the Evaluation.

The Evaluation, most generally, follows the DOJ and Securities and Exchange Commission’s (SEC) seminal Ten Hallmarks of an Effective Compliance Program, released in the 2012 FCPA Guidance. If there is one overriding theme in the Evaluation, it is the DOJ’s emphasis on doing compliance, as the questions posed are designed to test how deeply your compliance program is incorporated into the fabric of your organization. The Evaluation is not simply a restatement of the Ten Hallmarks, as it clearly incorporates the DOJ’s evolution in what constitutes a best practices compliance program, and it certainly builds upon the information put forward in the DOJ’s FCPA Pilot Program regarding effective compliance programs, most particularly found in Prong 3 Remediation. Once again, I detect the hand of DOJ Compliance Counsel Hui Chen, not only in helping the DOJ to understand what constitutes an effective compliance program but also in providing solid information to the greater compliance community on this score.

As there are 11 areas of inquiry and 10 Hallmarks, one of the interesting considerations is Evaluation No. 1 – the analysis and remediation of underlying conduct. Here you need to understand the root cause of any incident, whether it is systemic and who performed the analysis. You will also need to evaluate your detection efforts: if the conduct was missed, why was it missed? Finally, you need to explain the remediation.

Next is the area of senior and middle management, where you will need to evaluate the specific conduct of senior management, not only in discouraging conduct that violates the Foreign Corrupt Practices Act (FCPA) but also in taking remedial actions. How do senior leaders and other stakeholders model appropriate behavior and share information on compliance throughout the organization, and how is that conduct monitored on an ongoing basis?

Finally, the Board’s role is re-emphasized as the Evaluation asks the following questions: “What compliance expertise has been available on the board of directors? Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions? What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred?” If you are following my month-long series, One Month to a Better Board, you will recognize these as significant issues that many Boards have yet to deal with adequately. The Evaluation also looks at the CCO and compliance function’s upward communications with the Board by examining reporting lines, CCO access to the Board and the independence of the compliance function within the organization.

Next is the area of autonomy and resources for the CCO and the compliance function. This section follows the FCPA Pilot Program Prong Three on remediation by inquiring into the professionalism and expertise of both the CCO and the compliance function. It also asks about the stature of the CCO and compliance function within the organization, including specifically “compensation levels, rank/title, reporting line, resources, and access to key decision-makers”. It also asks about turnover and promotion opportunities. You need to evaluate the role of compliance in strategic planning and whether the compliance function is truly “empowered” within the organization. This final point will entail documenting any “specific transactions or deals that were stopped, modified, or more closely examined as a result of compliance concerns”. Also echoing the Pilot Program’s Remediation Prong is an inquiry into the funding and dollar resources available to the compliance function.

In a new area of review, the Evaluation considers “outsourced compliance functions” for the first time. It asks the following questions: “Has the company outsourced all or parts of its compliance functions to an external firm or consultant? What has been the rationale for doing so? Who has been involved in the decision to outsource? How has that process been managed (including who oversaw and/or liaised with the external firm/consultant)? What access level does the external firm or consultant have to company information? How has the effectiveness of the outsourced process been assessed?”

In the area of “Policies and Procedures” we see a clear operationalization inquiry, as you are required to evaluate who had input into the design of your compliance policies and procedures and the process for drafting them, all coupled with consultation with the business units. You also need to look at the specific policies and procedures which may have failed and determine how and why they failed. There are also inquiries into “gatekeepers, e.g. the persons who issue payments or review approvals” regarding their training and ongoing monitoring.

Next, and once again following on from the operationalization of your compliance program, is a section entitled “Operational Integration”, which asks who is responsible for integrating your policies and procedures throughout your organization, what internal controls are in place, and specific questions about the role of the company payment system in any FCPA violation. This last inquiry is coupled with a review of your vendor management program.

In the area of risk assessments, you need to consider the methodology the company used to identify, analyze, and address the particular risks it faced, coupled with the metrics your company has collected and used to help detect the type of misconduct in question and, most interestingly, how this information has “informed the company’s compliance program”. In a section entitled “Manifested Risks” the Evaluation poses the following question: “How has the company’s risk assessment process accounted for manifested risks?”

Tomorrow I will consider the remainder of the Evaluation and how best to use it going forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017

Show Notes for Episode 5, Year End Review, Part II

We turn to the 2016 year in review, in this Part II of a two-part series.

Jonathan Armstrong leads a discussion on Privacy Shield and the information and data privacy issues of the past year. Mike Volkov relates what he saw as the top enforcement highlights from 2016, the blockbuster year for FCPA fines and penalties and the growing trend of globalization of enforcement. Matt Kelly discusses the arrival of front pay and the general escalation of retaliation risk for companies vis-à-vis whistleblowers, ideas on auditing corporate culture, and what types of data and information should go on a compliance dashboard.

For Matt Kelly’s posts on these topics see the following:

  1. Another Front in Retaliation Risk: Front Pay
  2. Ideas on Auditing Organizational Culture
  3. What Goes on a Compliance Dashboard?

Rants will return next week.

The members of the Everything Compliance panel include:

  • Jay Rosen (Mr. Translations) – Jay is Vice President of Legal & Corporate Language Solutions at United Language Group. Rosen can be reached at rosen@ulgroup.com.
  • Mike Volkov – One of the top FCPA commentators and practitioners around, Mike is the Chief Executive Officer (CEO) and owner of The Volkov Law Group, LLC. Volkov can be reached at mvolkov@volkovlawgroup.com.
  • Matt Kelly – Founder and CEO of Radical Compliance, Matt is the former Editor of the noted Compliance Week. Kelly can be reached at mkelly@radicalcompliance.com.
  • Jonathan Armstrong – Rounding out the panel is our UK colleague, an experienced lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com.

Show Notes for Episode 4, Year End Review, Part I

We turn to the 2016 year in review, in this Part I of a two-part series.

  1. Jonathan Armstrong leads a discussion on a very interesting UK Bribery Act enforcement action out of Scotland involving the Braid Group Ltd. It has some very significant implications for Bribery Act enforcement actions going forward. He also discusses the continued evolution of the UK DPA process and how it all fits into the burgeoning global anti-corruption enforcement we saw in 2016.

For Cordery’s piece on the Braid case, click here.

For Cordery’s piece on the continued evolution of the UK DPA practice, click here.

  2. Jay Rosen takes us through a Paul Krugman NYT post on some of the invidiousness of corruption, focusing on the corrupting nature of undue influence. Rosen explains that it is incentives, more than anything else, that skew the marketplace. He asks a couple of provocative questions. First, are there too many FCPA, ethics and compliance conferences? Second, even with robust FCPA enforcement and the maturation of compliance programs, why does corruption still exist? For a link to the Krugman post, click here.

Rants will return in a couple of weeks.

Last summer I ran a two-week, combined blog and podcast series on the Ten Hallmarks of an Effective Compliance Program. The series was quite well received. As I fancy myself the Nuts and Bolts compliance guy, and was inspired by an Aussie blogging and podcasting maven named Darren Rowse and his 31 Days to a Better Blog series, this month I am running a 30-day program on how to create and implement a better compliance program. My plan is to run similar series during 2017 in which I focus on one issue that the Chief Compliance Officer (CCO) or compliance practitioner can use immediately going forward.

Each day this month, I will present one issue which you can incorporate into your compliance program. The podcasts will be shorter than my normal podcasts, coming in (usually) at 10-15 minutes. I will present a short written text for you and three key takeaways which you can utilize to help create a better compliance program. At the end of the 30 days, you will have a wealth of information which you can use to create not only a better compliance program but a more effective compliance program as well.

The podcasts will be available here, on YouTube, on my Libsyn podcast site and on iTunes. Do not worry, I will continue to maintain my other podcasts as well, but I wanted to start 2017 by providing something that no other person or company is providing to the compliance community: short, solid tips which you can use to make your compliance program more effective, more efficient and better run.

To give you a taste of what each day in January will look like, I have placed below the text which accompanies today’s post entitled Tones in an Organization.

Welcome to Day 1 of 30 Days to a Better Compliance Program. Together with a podcast each day, I will be giving you a tip to help you create a best practices compliance program in 2017. At the end of January, you will have not only a good summary of the basics of a best practices compliance program but also information that you can incorporate into your compliance regime. Today I consider the various Tones in an organization. Any compliance program starts at the top and flows down throughout the company, which sets the proper character for each level of your organization.

At the Top

Tone at the Top has become a phrase inculcated in the compliance world. The reason it is so important to any compliance program is that it does actually matter. So how can a company overcome employee attitudes and set, or re-set, its “Tone at the Top”? I once had a Chief Executive Officer (CEO) of a client who described his role at the company as “the ambassador for compliance”, and I can think of no better description of the role of a CEO in a best practices compliance program.

In the Middle

A company must have more than simply a good ‘Tone at the Top’; it must move it down through the organization from senior management to middle management and into its lower ranks. This means that one of the tasks of any company, including its compliance organization, is to get middle management to respect the stated ethics and values of a company, because if they do so, this will be communicated down through the organization.

Tone at the Bottom

Even with a great ‘Tone at the Top’ and in the middle, you cannot stop. One of the greatest challenges for a compliance practitioner is how to affect the ‘tone at the bottom’. To do so, you must work to engage those at the front lines, including through training, communication and the tools to accomplish these tasks. A key question is how to tap into this belief system. The answer is to engage employees in a manner which allows you not only to find out what the employees think about the company compliance program but also to use their collective experience to help design a better and more effective compliance program.

Three Key Takeaways

  1. What is your tone at the top?
  2. What is your tone in the middle?
  3. What is your tone at the bottom?

For more information on how to set, maintain and evaluate the different tones in an organization, check out my book Anti-Bribery Leadership, co-authored with Jon Rydberg, which is available through Amazon.com by clicking here.

© Thomas R. Fox, 2017

Yesterday, together with Baker Hughes Inc. (BHI) Chief Compliance Officer (CCO) Jay Martin, I wrote about a new and innovative compliance committee BHI has initiated, the GeoMarket Compliance and Ethics Committee. In researching the new committee, I thought it presented an excellent opportunity to discuss other compliance committees that an organization can utilize to meet its obligations to create a compliance program. Today, I focus on a Compliance Committee at the Board of Directors level.

Under the US Sentencing Guidelines, the Board must exercise reasonable oversight of the effectiveness of a company’s compliance program. The US Department of Justice (DOJ) Prosecution Standards pose the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment? Moreover, the FCPA Guidance (Guidance) requires a CCO to have direct access to the Board or an appropriate sub-committee. The Guidance also requires a tangible commitment from the top levels of an organization, starting with the Board of Directors, that the company create an ethical culture.

At the Board of Directors level, a Compliance Committee can devote itself exclusively to non-financial compliance, such as Foreign Corrupt Practices Act (FCPA) compliance. While many companies have fulfilled these obligations through an Audit Committee, clearly the better practice is to have a separate Compliance Committee. The reason is clear: compliance has become not only central to any well-run business but also critical to overseeing a wider variety of risks than the typical Audit Committee has experience with, as its focus is usually only on financial risks.

The Board Compliance Committee should begin its inquiry with a basic question: ‘How do we know it is working?’ In other words, is the company’s compliance program living up to the hallmarks of an effective compliance program in the eyes of the government? Here I lay out four areas of more specific inquiry.

Compliance Committees should obtain information on the processes used to carry out the compliance function, rather than details on specific compliance issues. They need to understand that there is a single individual or internal corporate discipline keeping track of the compliance function and making sure that it is being handled properly. They need to understand that there is a system in place that keeps track of compliance requirements.

Another area in which the Compliance Committee should take an interest is hotlines or other internal reporting mechanisms. Here, the Compliance Committee needs to know details about both inbound issues and the responses thereto. On the inbound side this means details about who answers the reports that come in, either via email or phone, how this information is triaged and in what time frame. It also requires an understanding of whether the reporting system is truly anonymous, with no use of caller ID or GPS tracking.

The next series of questions deals with the responses to any information which comes to the attention of the company, including such basic inquiries as: How are the reports classified and routed? Who gets notified for what types of calls? How is the investigative process divided among various functions, or is it outsourced? Finally, what are the response rate and response time?

The Compliance Committee must know who is accountable and responsible for each segment of the compliance program. It should obtain assurance that the compliance function has developed a charter that makes clear where obligations fall across management, so that it can assess accountability. An effective Compliance Committee will allow management to do their job of running the business on a day-to-day basis, understanding that the committee’s own job is to set long-term strategy.

Strategic planning is another area well suited to oversight by a Board Compliance Committee. For such a committee to be both effective and informed, it must have an appreciation of where the corporate compliance function stands at the present moment and also have a strategic plan for how the compliance and ethics program can continue to grow. Stephen Martin, a partner at Arnold and Porter, has long advocated a 1-3-5-year compliance game plan. However, a Compliance Committee should also demand that the compliance function be nimble enough to respond to new information or actions, such as mergers or acquisitions (M&A), divestitures or other external events. If a dynamic changes, “you want to get your board’s attention on the changes which may need to happen with the [compliance] program.”

Today’s regulatory climate and the hyper-transparency of social media make a Compliance Committee’s task seem Herculean. But beyond the regulatory climate, shareholders are taking a much more active role in asserting their rights against Boards of Directors. It is incumbent on Boards to seek out and obtain sufficient information to fulfill their legal obligations and keep their company off the front page of the New York Times, Wall Street Journal or Financial Times, just to name a few, to prevent serious reputational damage. A Board Compliance Committee is a good place to start.

© Thomas R. Fox, 2016