The Venice Travel Edition continues today by focusing on Saint Mark’s Basilica, one of both Venice’s and the world’s treasures. It sits on Saint Mark’s Square, one of the most famous locations in all of Italy. While today it is the cathedral church of the Roman Catholic Archdiocese of Venice, originally it was the church of the Doge, or civic ruler of Venice. It only became the Basilica in 1807, after the city was conquered by Napoleon and ceased to be a Republic. Napoleon wanted to move the power of the church under his administrative control, so he relocated the city’s Basilica to Saint Mark’s.

One of the wonders of the church is how it continually reinvented itself through new additions added to the exterior of the Basilica. The most spectacular are the Horses of Saint Mark, which were installed on the balcony above the portal of the Basilica in about 1254. The horses were long displayed at the Hippodrome of Constantinople, and in 1204 Doge Enrico Dandolo sent them back to Venice as part of the loot sacked from Constantinople in the Fourth Crusade. Another prize stolen during the Fourth Crusade, which now adorns Saint Mark’s, is the Four Tetrarchs. They honor the attempt to stabilize the Roman Empire by the Emperor Diocletian who imposed a new Imperial office structure: a four co-emperor ruling plan called The Tetrarchy. These exterior additions are but a mere fraction of the changes the structure went through over the years as it continually updated itself and its place in Venetian culture and society.

I thought about this updating in the context of your best practices compliance program. The cornerstone of any such compliance program is recognized to be your Code of Conduct. But a Code of Conduct should not be a static document. It needs to be evaluated and updated as circumstances warrant. Yet such updating should not be performed in an ad hoc manner. As intoned in the FCPA Guidance, your compliance program should be thoughtful and well considered. In an article in the Society for Corporate Compliance and Ethics (SCCE) Magazine, entitled “Six steps for revising your company’s Code of Conduct”, Anne Marie Logarta and Ruth Ward discussed how you should think through the updating of your Code of Conduct. They begin with the following initial questions:

  • When was the last time your Code of Conduct was released or revised?
  • Have there been changes to your company’s internal policies since the last revision?
  • Have there been changes to relevant laws relating to a topic covered in your company’s Code of Conduct?
  • Are any of the guidelines outdated?
  • Is there a budget to create/revise a Code?

After evaluating these initial issues, the authors suggest that you should benchmark your current Code of Conduct against other companies in your industry. If you decide to move forward, the authors have a six-point guide that should assist you in making your revision process successful.

  1. Get buy-in from decision makers at the highest level of the company

Your company’s highest level must give the mandate for a revision to a Code of Conduct. It should be the Chief Executive Officer (CEO), General Counsel (GC) or Chief Compliance Officer (CCO), or better yet all three, who mandate this effort. Whoever gives the mandate, this person should be “consulted at every major step of the Code review process if it involves a change in the direction of key policies.”

  2. Establish a core revision committee

A cross-functional working group should head up your effort to revise your Code of Conduct. The authors suggest that this group include representatives from the following departments: legal, compliance, communications and HR. There should also be other functions which represent the company’s domestic and international business units. Finally, there should be functions within the company represented such as finance and accounting, IT, marketing and sales.

From this large group, Code of Conduct topics can be assigned for initial drafting to functions based on “relevancy or necessity”. These different functions would also solicit feedback from their functional peers and deliver a final, proposed draft to the Drafting Committee. As the authors note, creating a “timeline at the outset of the revision is critical,” and you must “hold the function representatives accountable for meeting their deliverables.”

  3. Conduct a thorough technology assessment

The backbone of the revision process is how your company captures, collaborates and preserves “all of the comments, notes, edits and decisions during the entire project.” Technology such as SharePoint or Google Cloud can be of great assistance to accomplish this process even if you are required to train team members on their use.

In addition to this use of technology in drafting your Code of Conduct revision, you should determine if your Code of Conduct will be available in hard copy, online or both. If it will be available online, you should assess “the best application to launch your Code and whether it includes a certification process”. Lastly, there must be a distribution plan, particularly if the Code will only be available in hard copy.

  4. Determine translations and localizations

Channeling my inner Jay Rosen, I would note that you must hire a reputable and approved translation expert to translate your Code of Conduct into the appropriate local languages. This is particularly important if your Code is pre-2012, when the FCPA Guidance came out and made clear that translation into local languages was a minimum element of a best practices compliance program. The key is that “your employees have the same understanding of the company’s Code, no matter the language.”

  5. Develop a plan to communicate the Code of Conduct

A roll-out is always critical because it “is important that the new or revised Code is communicated in a manner that encourages employees to review and use the Code on an ongoing basis.” Your company should use the full panoply of tools available to it to publicize your new or revised Code of Conduct. This can include a multi-media approach or physically handing out a copy to all employees at a designated time. You might consider having a company-wide meeting where the new or revised Code is rolled out across the company all in one day. Recent pronouncements from the Department of Justice (DOJ) have suggested that testing the knowledge of employees on the Code is becoming more important. However, the bottom line, as with all things compliance-related, is Document, Document and Document. However you deliver the new or revised Code of Conduct, you must document that each employee receives it and understands it.

  6. Stay on Target

If you set realistic expectations you should be able to stay on deadline and stay within your budget. The authors state, “You want to set aside enough time so that you won’t feel rushed or in a hurry to get it done.” They also reiterate that you should keep a close watch on your budget so that you do not exceed it.

This article provides a useful guide not only to thinking through how to determine if your Code of Conduct needs updating, but also to the practical steps for tackling the problem. If you are a compliance practitioner, I would urge you to take a look at your company’s Code of Conduct. If your Code is pre-2012, I think you need to update it sooner rather than later and take into account what the FCPA Guidance says about a best practices Code of Conduct. With the new information presented by the DOJ in speeches and talks last fall, you may well need to consider how you can measure how well your employees are retaining it as well. It is far better to review and update if appropriate than to wait for a massive Foreign Corrupt Practices Act (FCPA) investigation to force you through the process.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Today I begin a series of Star Wars themed blog posts to celebrate the upcoming release of the next entry in the Star Wars franchise, Episode VII – The Force Awakens. Please note that I will only use the first three movies, now known as Episodes IV-VI, for the themes this week. So if you are a millennial and the prequels are your Star Wars, sorry, but you can write about them; the first three are my Star Wars movies. In conjunction with this series of blog posts, Jay Rosen and I are doing a trilogy of Star Wars themed podcasts this week, monikered May the Podcast Be With You. They were a ton of fun for Jay and me to put together, so I hope you will check them out on my podcast site or on iTunes at the FCPA Compliance and Ethics Report.

I will begin with Episode IV – A New Hope. One of the plotlines is that the Galactic Empire has created a Death Star with enough firepower to destroy a planet. The Rebel Alliance is determined to destroy the Death Star and steals a computer program detailing the defensive posture of the Death Star. A computer analysis determines a weakness in the Death Star’s defensive shield. At one point, the Death Star’s commander, Grand Moff Tarkin, played by Peter Cushing, is told there is a ‘risk’ in the Rebels’ plan of attack. Tarkin dismisses this risk as insignificant. Of course, Luke Skywalker then proceeds to exploit this risk and destroy the Death Star.

Tarkin’s incorrect assessment of this risk was lethal. Today I want to use this part of the story to introduce the subject of how you evaluate anti-corruption compliance risk under the Foreign Corrupt Practices Act (FCPA) or another anti-corruption regime. Mike Volkov has advised that you should prepare a risk matrix detailing the specific risks you have identified and the relevant mitigating controls. From this you can create a new control or prepare an enhanced control to remediate the gap between a specific risk and its control. One way to do so was explored by Tammy Whitehouse, in an article entitled “Improving Risk Assessments and Audit Operations”, in which she looked at the risk evaluation process used by Timken Company (Timken).

Once risks are identified, they are rated according to their significance and likelihood of occurring, and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the audit/monitoring plan, she said. A variety of solutions and tools can be used to manage these risks going forward, but the key step is to evaluate and rate them. The two rating scales Timken uses are set out below.

LIKELIHOOD

Likelihood Rating   Assessment        Evaluation Criteria
-----------------   --------------    -------------------------------------------------------------------------------------------
1                   Almost Certain    Highly likely; this event is expected to occur
2                   Likely            Strong possibility that an event will occur and there is sufficient historical incidence to support it
3                   Possible          Event may occur at some point; typically there is a history to support it
4                   Unlikely          Not expected, but there is a slight possibility that it may occur
5                   Rare              Highly unlikely, but may occur in unique circumstances

‘Likelihood’ factors to consider: the existence of controls, written policies and procedures designed to mitigate risk, and the capability of leadership to recognize and prevent a compliance breakdown; compliance failures or near misses; and training and awareness programs.

PRIORITY

Priority Rating   Assessment     Evaluation Criteria
---------------   -----------    -------------------------------------------------------------------------------------------
1-2               Severe         Immediate action is required to address the risk, in addition to inclusion in training and education and audit and monitoring plans
3-4               High           Should be proactively monitored and mitigated through inclusion in training and education and audit and monitoring plans
5-7               Significant
8-14              Moderate
15-19             Low            Risks at this level should be monitored but do not necessarily pose any serious threat to the organization at the present time
20-25             Trivial        (shares the criteria given for Low)

Priority Rating: the product of the ‘likelihood’ and significance ratings. It reflects the significance of a particular risk universe; it is not a measure of compliance effectiveness, nor a means to compare efforts, controls or programs against peer groups.

The most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These “Severe” risks become the focus of the audit and monitoring plan going forward. One of the methods used by the compliance group to manage such risk is to provide employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. The company also produces a risk control summary that succinctly documents the nature of each risk and the actions taken to mitigate it.

A second approach to reviewing the results of a risk assessment was detailed in a Harvard Business Review (HBR) article, entitled “Managing Risks: A New Framework”, by Robert Kaplan and Annette Mikes. The authors separate business risk into three categories: (1) Preventable Risks; (2) Strategy Risks; and (3) External Risks. Companies should design their risk management strategies for each category, because what may be an adequate risk management strategy for the management of preventable risks is “wholly inadequate” for the management of strategy or external risks.

Category I: Preventable Risks. These are internal risks, arising from within an organization. The authors believe that “companies should seek to eliminate these risks since they get no strategic benefits for taking them on.” The authors specifically mention anti-corruption and anti-bribery risks as falling in this category. This risk category is best managed through active prevention, both through operational processes and by guiding employees’ behaviors and decisions towards a stated goal. The control model to manage preventable risks is to develop an integrated culture and compliance model. Such a system would typically consist of a Code of Conduct or Business Ethics, standard operating procedures, internal controls to spell out the requirements and internal audit to test their effectiveness. The role of the Compliance Department in managing Category I risks is to coordinate and oversee the compliance program and then revise the program’s controls as needed on an ongoing basis, all the while acting as independent overseer of the risk management function for the business units.

Category II: Strategy Risks. These are risks that a company may accept in some form because they are “not inherently undesirable.” In other words, a company may be willing to accept some types of risks in this category so that it may increase profits. This category of risk cannot be managed through the rules-based system used for preventable risks; instead, the authors believe that “you need a risk management system designed to reduce the probability that the assumed risks actually materialize and to improve the company’s ability to manage or contain the risk events should they occur.”

The authors listed several specific techniques to use as the control model for strategic risks. These include “interactive discussions about risks to strategic objectives drawing on tools” such as heat maps and key risk indicator scorecards. The Compliance Department’s role here is to run risk management workshops and risk review meetings, usually acting as the “devil’s advocate” to the business units involved. Another key role of the Compliance Department is the marshaling and the delivery of resources allocated to mitigate the strategic risk events identified in this process. Finally, the authors believe that the relationship of the Compliance Department to the business units in managing a Category II strategic risk is to act as “independent facilitators, independent experts or embedded experts.”

Category III: External Risks. These are risks that arise outside the company’s control and may even be beyond its influence. Examples of this type of risk would be a natural disaster or an economic system shutdown, such as a recession or depression. The authors note that as companies cannot prevent such risks, their risk management strategy must focus on the identification of the risk beforehand so that the company can mitigate the risk as much as possible. Recognizing the maxim that ‘you don’t know what you don’t know’, the authors see the control model for Category III risks as “envisioning risks through: tail-risk assessments and stress testing; scenario planning; and war-gaming” with the management team. Under Category III, the authors believe that the relationship of the Compliance Department to the business units is either to complement the strategy team or to “serve as independent facilitators of envisioning exercises.”

The authors conclude with a discussion of the leadership challenge in managing risks, which they believe is quite different from managing strategy. The reason is that managers “find it antithetical to their culture to champion processes that identify the risks to strategies they helped to formulate.” Nevertheless, without such preparation, the authors believe that companies will not be able to weather risks that turn into serious storms under the right conditions. They believe that the key element is that the risk management team must have a direct reporting line to senior management, because “a company’s ability to weather [risk] storms depends very much on how seriously executives take their risk-management function when the sun is shining and there are no clouds on the horizon.” I could not have said it better myself.

Whether you utilize one of these approaches or another, analyzing the results of your risk assessment is as important as doing the risk assessment. With the recent Department of Justice (DOJ) remarks around how it will review the effectiveness of compliance programs during an enforcement action to determine potential credit, or even grant a declination, the stakes have never been higher. Of course, for Grand Moff Tarkin, his refusal to analyze the risk assessment presented to him was fatal.

May the force be with you.



© Thomas R. Fox, 2015

Last week was the 50th anniversary of one of the seminal Beatles’ albums, Rubber Soul. Even a half-century later, it remains one of the most critically acclaimed LPs in history. As noted in the Wall Street Journal (WSJ) article by Marc Myers, entitled “Crafting a Better Beatles”, it “marked rock’s shift from formulaic pop to studio experimentation and high art.” Furthermore, it changed “the direction of American pop.” However, I was surprised to find that the British album had 14 songs while the American version only had 12. Four songs were dropped from the UK version: Drive My Car, What Goes On, Nowhere Man and If I Needed Someone. Added in the US were I’ve Just Seen a Face and It’s Only Love. These changes resulted in a “more cohesive album” which turned “an unfocused album into a taut acoustic story of self-awareness and romantic confusion.”

I thought about the refocused nature of the American version of Rubber Soul when contemplating how to keep your compliance program not only up to date but also operational in nature, as articulated by Department of Justice (DOJ) Compliance Counsel Hui Chen at the recent New York University Program on Corporate Compliance and Enforcement public forum. Chen made clear that the operation of your compliance program is one of the key indicators, under her review, of whether it would meet a best practices standard.

Especially in light of the compliance-related events and announcements this fall, you should keep track of external and internal events which may cause change to business processes, policies and procedures. Some examples are new laws applicable to your business organization and internal events that drive changes within a company. Such internal changes could be a company reorganization or a major acquisition. This type of review appears to be similar to the DOJ advocacy of ongoing risk assessments. The FCPA Guidance specifies, “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.”

Continuous improvement requires that you not only audit but also monitor whether employees are staying with the compliance program. In addition to the language set out in the FCPA Guidance, two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.

A review plan is an excellent tool for the compliance practitioner because it provides a method for the ongoing evaluation of policies and sets forth a manner to communicate and train on any changes that are implemented. More than simply staying current, this approach will help provide the dynamics that the DOJ continually talks about in keeping your program fresh. Lastly, such a review plan can also guide the compliance practitioner in creating an ongoing game plan for compliance program upgrades and updates that Stephen Martin advocates.

The FCPA Guidance makes clear that each company should assess and manage its own risks. The Guidance specifically notes that small and medium-size enterprises likely will have different risk profiles, and therefore different attendant compliance programs, than large multi-national corporations. Moreover, this is something that the DOJ and Securities and Exchange Commission (SEC) take into account when evaluating a company’s compliance program in any Foreign Corrupt Practices Act (FCPA) investigation. This is why a “Check-the-Box” approach is not only disfavored by the DOJ but, at the end of the day, also ineffectual: each compliance program should be tailored to the enterprise’s own specific needs, risks, and challenges.

One tool that is extremely useful in the continuous improvement cycle, yet is often misused or misunderstood, is ongoing monitoring. This can come from the confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information.

Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. Although unique in protocol, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue.

Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with local Finance departments in your foreign offices to ask if they’ve noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries in which they manage. These ongoing efforts demonstrate that your company is serious about compliance.

With the Pfizer Deferred Prosecution Agreement (DPA), the DOJ again emphasized the need for a company to establish protocols for auditing. The DPA included the following detail on auditing protocols:

  • On-site visits by an FCPA review team comprised of qualified personnel from the Compliance, Audit and Legal functions who have received FCPA and anti-corruption training.
  • Review of a representative sample (appropriately adjusted for the risks of the market) of contracts with and payments to individual foreign government officials as well as other high-risk transactions in the market.
  • Creation of action plans resulting from issues identified during the proactive reviews; these action plans will be shared with appropriate senior management and should contain mandatory remedial steps designed to enhance anti-corruption compliance, repair process weaknesses, and deter violations.
  • A review of the books and records of a sample of third party representatives which, in the view of the FCPA proactive review team, may present corruption risk. Prior to such an investigation, however, the company should have procedures in place to make sure every investigation is thorough and authentic, including document preservation protocols, data privacy policies, and communication systems designed to manage and deliver information efficiently.

Capitol Records in the US took a very good Beatles album and tinkered with it to make it one of the greatest rock and roll records of all time. Rubber Soul certainly stands the test of time. By keeping your compliance ear to the ground, you can respond to changes in the regulatory schemes and in your business operations in a way that allows your compliance program to be nimble and a winner.


© Thomas R. Fox, 2015

Today we acknowledge (I cannot say celebrate) one of the seminal events which led to the explosion of Foreign Corrupt Practices Act (FCPA) enforcement actions from 2004 forward. On this day in 2001 the Houston-based company Enron filed for bankruptcy. While other, larger financial scandals came afterwards, at the time Enron was the largest corporate failure. In prior years the company posted revenues of $111 billion, and at the time of its bankruptcy its share price hovered at $0.26. The reason: it was all one big accounting fraud.

Enron and the later (and bigger) WorldCom scandal led to the passage of Sarbanes-Oxley (SOX). Many have speculated that the requirements for corporate certifications of financial statements led to greater corporate internal investigations and subsequent disclosures of corporate wrongdoing, but Enron had other influences that led to the increased FCPA enforcement.

The weak and ineffective SOX whistleblower provision led to the more robust protections for whistleblowers found in the Dodd-Frank Act. These whistleblower provisions provided for both greater protection of whistleblowers from retaliation and greater incentives for whistleblowers through the payment of bounties for information that leads to successful Securities and Exchange Commission (SEC) prosecutions or agreed resolutions of an FCPA violation.

The Enron scandal led to the destruction of the venerable (former) Big Four accounting firm Arthur Andersen when it went to trial to contest charges of destroying its Enron documents. After a guilty verdict, the firm ceased to exist. To this day, many cite this unnecessary wipeout of a company as a reason for the development of an alternative form of prosecution, the Deferred Prosecution Agreement (DPA).

While there were certainly other factors that help explain the increase in FCPA enforcement from 2004, self-disclosure and DPAs are two of the abiding legacies of Enron. I thought about these twin peaks when I watched a YouTube video of the recent New York University Program on Corporate Compliance and Enforcement public forum, where Andrew Weissmann and Hui Chen discussed the newly created Compliance Counsel position at the Department of Justice (DOJ), created to help the DOJ evaluate corporate compliance programs. While Weissmann’s remarks focused more on the reasons for the position, Chen discussed four primary areas that she indicated she would focus on as DOJ Compliance Counsel. If you are a Chief Compliance Officer (CCO) or compliance practitioner, you need to consider how you would answer these inquiries from the DOJ (or SEC).

Thoughtful Design of Your Compliance Program

Echoing the FCPA Guidance admonition that “if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company generally to prevent violations, detect those that do occur, and remediate them promptly and appropriately”, Chen believes there should be some significant thought put into a company’s compliance program. She expounded that stakeholders need to be a part of your compliance program design process and have input into the compliance internal controls. If your company has a violation, Chen said she would look at whether your compliance program addressed the wrongful conduct or if there was a gap in compliance coverage. Finally, she added, you need to perform a root cause analysis over your heightened risk.

How Operational Is Your Compliance Program?

This point follows number one above in that your compliance program should be tied to the functional units of a company. This means that Human Resources (HR), Payment, Audit, Vendor Management and all traditional indirect cost functions need to be involved in the operation of your compliance program in their respective areas of influence. The key question she will focus on is how the compliance program you designed to remediate the conduct that led to the violation actually worked in the operation of your company.

How Well Do You Communicate with Your Stakeholders?

Here Chen really wants to see evidence that you, as the CCO or compliance practitioner, got out of your office and met with the stakeholders of your compliance program. But this goes beyond your compliance program design; it includes the compliance program implementation. She suggested that the evidence should show more than that compliance simply had a seat at the table: it should show that compliance was actively involved in operational decision-making.

In a question from the audience Chen further articulated an example around compensation. She said compliance needs to be a part of the discussions around how compensation systems are designed and particularly around discretionary bonus systems. She admitted that compliance’s views on compensation are not always sought but in her mind it is one area that, if utilized, would demonstrate a commitment to compliance by the organization.

It would seem this is an appropriate place and time to remind everyone that the three most important things in FCPA compliance are DOCUMENT, DOCUMENT and DOCUMENT. If you cannot document it, the inference is that it never happened, so as a CCO or compliance practitioner you need to be prepared to demonstrate your involvement in operational decisions.

How Well Are You Resourced?

Chen emphasized that this meant more than monetary resources or even head count. She specified the twin resources of attention and commitment. She will inquire into how often you meet personally with your Chief Executive Officer (CEO), the Audit Committee of the Board and the full Board of Directors. She also said she would inquire into the details of these briefings: for instance, are the briefings based on employee surveys or quantitative data, or are they simply anecdotal information? She said that it is important that compliance have a real dialogue with the C-Suite and not a rote briefing.

However, with regard to CCO compensation, Chen noted there were a couple of areas of inquiry. First, the amount the CCO is paid could be an issue. For instance, is the CCO compensated at an amount at or near the General Counsel (GC) level? If it is one-half of that, what does that communicate within the organization? She also would inquire into who in the company sets the CCO compensation and who reviews it.

Interestingly, she indicated there was no DOJ position on where a CCO should sit in an organization, whether in the GC’s office or in a separate department. It depends on what works best for your organization; however, the placement has to be thoughtfully designed, and the most important element is that compliance can be, and is, heard by senior management.

Chen’s remarks were quite important because they provide insight into how she and the DOJ will look at your compliance program if you are entangled in an FCPA enforcement action.

To view a YouTube video of the event, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015