Surf music is certainly an under-rated rock and roll genre. One of my favorites is The Trashmen’s Surfin’ Bird. It reached Number 4 on the Billboard Chart in 1963. I happened to hear it recently when I was reading about some interesting corporate governance issues and how they relate to anti-corruption compliance.

Sometimes it really is unbelievable how tone-deaf companies can be at the highest level. The Board of Transocean awarded bonuses to top management for safety the same year that the Transocean drilling rig Deepwater Horizon caught fire and sank, causing the largest oil spill in recorded history and leaving 10 dead or missing. BP had its share of tone-deafness in and around that tragedy too, but the company has recently been back in the news for a different tone-deaf act.

Last week the Board of Directors of BP awarded a pay raise of effectively 20% to the Chief Executive Officer (CEO) Bob Dudley. This was in spite of a company-wide ban on salary raises during the economic downturn in the energy sector. As Houston Chronicle business columnist Chris Tomlinson wrote, in a piece entitled “Times tough at BP, so chief executive gets raise”, this raise was “in compensation for managing the company through a dramatic drop in share price, for laying off thousands of employees and endangering the company’s dividend.” Brooke Masters, writing in the Financial Times (FT) column The Top Line, in an article entitled “BP chief’s pay rise is maladroit and out of step with Europe”, said the pay raise was after the company ran up a $5.2bn loss in 2015.

All of this is rather amazing in light of the BP shareholder near revolt over this pay raise. As Tomlinson noted, there was “a nonbinding vote where 59 percent of those shareholders said Dudley shouldn’t get a raise.” As Masters noted, “The only time a UK pay vote has come out worse was in 2009, when shareholders in part-nationalised Royal Bank of Scotland slammed the decision to pay a £703,000 annual pension to Fred Goodwin, the man who drove the bank into the ground.” BP’s response to this criticism? Masters reported that the company “argues Mr. Dudley met all his operational targets and should not be blamed for falling oil prices, or a $9.8 bn charge to settle claims related to the 2010 Gulf of Mexico oil spill.”

Yet it really even gets better (or worse depending on your point of view). Tomlinson reported the Chairman of BP’s Board of Directors said about the shareholder vote “Let me be clear. We hear you.” That is about as close to flipping the proverbial (surfin’) bird at shareholders as one can come. Tomlinson wrote, “Apparently the board can hear but doesn’t care what shareholders think.” Finally, Tomlinson wrote, “What makes Dudley’s compensation hike even more outrageous is that his salary was frozen along with other executives. To get around the companywide policy, the board boosted his bonus 40 percent over last year’s and doubled the payment to his retirement fund.”

Tomlinson raises all of this in the context of just who does the Board represent? In the case of BP, he asks “are they the management team’s peer who run their companies and want the board deferential to them.” Masters focuses more on the optics of the pay rise, arguing “BP’s move seems particularly maladroit at a time of rising anxiety about income equality.” Couple BP’s move with the concerns raised by the release of the Panama Papers and you can see that BP has a very awkward public relations issue on its hands. (Or perhaps, see [Surfin’] Bird, above.)

The only other commentator who consistently ties questions about compensation to corruption is Richard Bistrong. He writes about incentives and how those issues impact employees ‘on the front lines’ of Foreign Corrupt Practices Act (FCPA) compliance. Yet the actions by BP’s board raise some equally troubling issues about compensation at the very top of an organization.

Tomlinson nailed it when he asked who does the Board represent, management or the shareholders? Now imagine a Board who is cozy with management and is made aware of a potential FCPA violation. If that Board has not shown the independence to even objectively evaluate the CEO’s performance in conjunction with compensation, what would give shareholders any comfort they would objectively investigate and evaluate such conduct? After all, any fine and penalty levied for a corporate FCPA violation will, at the end of the day, be borne by the shareholders to pay, not the culpable executives.

Moreover, how will such a Board attitude play out under the strictures of the Yates Memo and Department of Justice (DOJ) Pilot Program for enhanced credit for self-disclosure, investigating and remediation? One might hope that with criminal penalties hanging over their collective heads, Boards of Directors would follow their legal obligations and investigate thoroughly but if the Board is there to simply perform lip service to top management who knows?

This Board attitude impacts employees in the trenches as well. While Tomlinson poses the basic challenge, “Ask BP employees laid off in Houston if they got a big bonus and a doubling of retirement benefits”, I think the implication for a company’s FCPA compliance program may be equally troubling. I have often used the anecdote about the employee who is more worried about making his quarterly numbers than he is about following the Code of Conduct to make a sale.

Yet here, the Board would seem to be saying it does not really matter what you do (or don’t do). When you are at a high enough senior management level, we are going to reward you. If all that stands between an employee being laid off, without the packages mentioned by Tomlinson, what financial incentive do they have if senior management will receive a pay raise no matter what the individual employee does going forward?

In the area of executive compensation, Tomlinson believes greater government oversight is the answer. Masters, perhaps taking a more English view, hopes Boards and senior management will actually think about not only the consequences of their actions but the optics as well.

On that final note, perhaps an acknowledgment to Volkswagen (VW) might be in order. Last week, VW agreed to cut the bonuses of its top executives. This was done at the request of the Chairman of the Board on down. Too bad there is no cross-fertilization from the VW Board to the BP Board.


For some additional ideas on leadership, check out my most recent book, Effective Leadership Skills in Compliance: CCO 3.0 and Beyond.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2016

The reviews and comments are in about my latest book, Effective Leadership Skills in Compliance: CCO 3.0 and Beyond, designed to provide the compliance professional with both tactical and strategic leadership skills to help navigate the host of corporate disciplines involved with the compliance function in this modern era. It certainly appears that the volume has been well-received in the compliance community.

As readers of this blog and listeners to my podcasts know, I have striven to provide the compliance practitioner with solid information that can be used to implement, review and enhance a US Foreign Corrupt Practices Act (FCPA) or UK Bribery Act based compliance program. I have written several books that provide you with information that can be used for the nuts and bolts of compliance with a goal of providing the specifics of best practices for an anti-corruption/anti-bribery compliance program.

My new book moves beyond the technical aspects that a CCO or compliance professional must master to have success in their field. I aim to provide solid guidance about the non-legal, non-technical skills needed to move past CCO 2.0 to CCO 3.0 and beyond. This is the landscape where the truly outstanding compliance professional will move to make compliance a part of the everyday DNA in the manner in which a company does business.

Just as the understanding of anti-corruption and corresponding compliance programs have evolved, the CCO and compliance practitioner position will continue to evolve. This book provides you with the tactics and strategy to advance your own professional skills so that you will become one of the most important components of any business moving forward. For failure to move compliance into the very fabric of your organization, whether you manufacture cars in Germany, are a large multi-national retailer, extract minerals around the globe or simply do business in China, puts your company’s reputation at risk in a way that cannot be measured or even foretold.

I break the book down into three general areas for discussion. In Part I, I discuss communication skills that you need to be an effective CCO. I review areas as diverse as incorporating the concepts and tools of social media into your compliance program, the conversation that all true leaders engage in and how to just say no and the power of that word. Finally, I review the always difficult issue of culture across the globe and how you can communicate across cultural boundaries in a multi-national organization.

In Part II, I investigate several techniques, which you can use to put innovation into your compliance program. There are two disciplines that are not associated with the compliance profession that I believe can help you to think through innovation for your organization: project execution and design thinking. Another area for innovation and even inspiration that you can turn to in your own organization is the supply chain (SC) so I explore how techniques in this area can help you move the ball forward. I conclude Part II with some thoughts about how you can not only drive compliance into the fabric of your organization but also even burn compliance into the DNA of your company.

In Part III, I review the always significant area of influence. I consider how you should manage both up and down the organization and use empathy in your compliance practice. I talk about managing talent in both your own compliance department and the company as a whole. I even drill down into the weeds, tactically speaking, by providing some thoughts on that bane of corporate existence, never ending meetings by including a section on how to run a more efficient and effective meeting.

As the compliance function matures, the roles called upon by the CCO and compliance department teams will continue to both expand and grow. The worldwide explosions of corruption scandals, best exemplified by Volkswagen (VW), will put more pressure on corporate compliance functions to be prepared to respond to persons and groups as diverse as the Board of Directors to the Chief Executive Officer (CEO) to regulators, shareholders and even the public. The skillset needed for this most important role will continue to grow as well.

As many compliance practitioners came out of a corporate legal department or have a law school background, they traditionally have received very little training on how to lead. Knowing the answer or going to look it up and then writing a well-crafted memo thereon was about as much leadership training as those persons received. However, in the second half of this decade, those legal-training skills are simply not enough to be effective in the wide variety of roles a compliance practitioner currently has and will have in the future.

To be an effective compliance officer, you have to embrace skills that you may not have been trained for academically. These leadership skills are required to move compliance into the DNA of an organization; it will take much more than the brute force used by most corporate legal departments. Persuasion, influence, and communication skills will be required going forward. After all, the roles of compliance and legal are very different. A corporate legal department is there to protect the interests of a company while the role of compliance is to prevent, find and fix problems before they become legal violations. Put another way, the role of legal is to tell the truth and the role of compliance is to tell the whole story. These are different roles that require very different skill sets in today’s corporation.

Nonetheless, there are specific skills, tools and techniques that you can use to move forward both the message of compliance and burning it into the fabric of your organization. I have laid out some of the tools that I believe you can implement at little to no cost to you and your organization. The role of the compliance function has moved from the structural change identified in Compliance 2.0, where the CCO function moved out from under the legal department to a functional unit, to CCO 3.0 which advocates incorporating cutting edge communication tools, for example social media, the two-way discussions. Moreover, the workplace is evolving. As a leader, you will need to evolve your leadership skills to lead generations as diverse as the greatest generation, to baby-boomers, gen-Xers, millennials, and I-gens. Both soft skills and hard skills are needed. This book gives you the tools you need to move forward into the next era of the compliance profession.


Sir George Martin died yesterday. For anyone born after the break up of the Beatles, this name is probably not too familiar. However, even more than Brian Epstein, the band’s first professional manager, Martin truly was the 5th Beatle. He not only signed the group to its first recording contract but produced all of their hits as well. As noted in his obituary in the New York Times (NYT), “Martin, the urbane English record producer who signed the Beatles to a recording contract on the small Parlophone label after every other British record company had turned them down, and who guided them in their transformation from a regional dance band into the most inventive, influential and studio-savvy rock group of the 1960s.” Moreover, he was one of the very few producers who became as famous as the musicians he worked with in the recording studio.

The tributes poured in yesterday. Ringo Starr tweeted out, “God bless George Martin”. Mark Ronson (lead guitarist on Bowie’s Ziggy Stardust tour) added, “Thank you Sir George Martin: the greatest British record producer of all time. We will never stop living in the world you helped create.” Even UK Prime Minister David Cameron, tweeted, “Sir George Martin was a giant of music – working with the Fab Four to create the world’s most enduring pop music.” I can only add, To Sir George – thanks for everything and it was a great ride.

Today I want to finish my exploration of the Olympus Corporation of America (Olympus) Corporate Integrity Agreement (CIA) and how it might portend emerging best practices in a Foreign Corrupt Practices Act (FCPA) anti-corruption compliance program. Yesterday I reviewed the concepts of how a Compliance Committee and Board involvement, as detailed in the CIA, might well help your compliance program going forward. In this blog I want to consider the obligations for senior management, training, third parties and risk assessments.

Senior Management Certification

The CIA requires a list of senior management to certify their business units are all in compliance with Federal health care obligations. The certification required is as follows:

“I have been trained on and understand the compliance requirements and responsibilities as they relate to [insert name of department or functional area], an area under my supervision. My job responsibilities include ensuring compliance with regard to the [insert name of the department or functional area] with all applicable Federal health care program requirements, FDA requirements, obligations of the Corporate Integrity Agreement, and OCA policies applicable to [department or function], and I have taken steps to promote such compliance. To the best of my knowledge, the [insert name of department or functional area] of OCA is in compliance with all applicable Federal health care program requirements, FDA requirements, and the obligations of the Corporate Integrity Agreement. I understand that this certification is being provided to and relied upon by the United States.”

If the manager cannot make the above certification, he or she must explain why they cannot do so and the steps being taken to remediate.

Imagine the power of a similar certification in the FCPA context. This is beyond the usual employee certification that they have not violated the FCPA in the past year and they are not aware of any violation. This would proactively require management to make some type of assessment as to whether their business unit was in compliance with the company’s anti-corruption compliance program.

Many would no doubt exclaim, “What an order, I can’t go through with it.” However, it might make such senior managers actually do their job and manage rather than put their head in the sand around FCPA compliance. At the very least it would certainly end the rogue employee defense, which companies are quick to bring out when under a FCPA investigation or most any other corporate matter. (Witness Volkswagen’s (VW’s) abysmal claims of the ‘rogue engineers’ creating and maintaining its emissions-testing fraud.)

Training and Education

The CIA has very detailed instructions around training which require the company to outline steps which will ensure employees receive compliance training. Within 90 days from the date of the CIA, Olympus is required to present its plan for training essentially high-risk employees on the applicable laws, the personal obligations for employees, the company’s policies and procedures, criminal penalties for violations and reporting mechanisms. If any compliance practitioner wondered what should go in training, that is a pretty good description.

However, the CIA goes further to require that a qualified trainer put on the training, employees certify receipt of training and periodic updating of the training and training protocol. Finally, the Board must be trained on all of the above plus the Board’s separate role in the company’s compliance efforts going forward.

Third Parties

The CIA had some interesting insights into the management of third parties, which are not normally considered in a FCPA compliance program. The CIA requires Olympus to prepare annual budgets around consultants and they are to be identified before pursuing due diligence. The CIA states, “The purpose of this review shall be to ensure that Consultant arrangements and related events are used for legitimate and lawful purposes in accordance with applicable [laws and company] Policies and Procedures.”

It goes on to require the company to set up a “needs assessment to justify the retention of a Consultant prior to the retention of the Consultant.” This rigor is probably required due to the company’s prior transgressions, but it provides an interesting model for a FCPA compliance practitioner to consider: putting the onus on the business unit to plan out and justify the retention of a third party representative.

Charitable Donations

Here the rigor is once again quite stringent. The company must “establish a grants management system which shall be the exclusive mechanism through which requestors may request or be awarded grants for independent medical education grants, other grant activities (including in-kind grants involving equipment loans), and healthcare-related charitable contributions supported by” the company. But the kicker is that the company’s “sales and marketing personnel shall have no involvement in, or influence over, the review and approval of medical education grants or healthcare-related charitable contribution requests.” This is certainly one way to keep a business unit from engaging in charitable donations to influence business decisions.

Risk Assessment Process

Here the CIA requires centralized risk assessments “to evaluate and mitigate covered risks”. This process requires, “compliance, legal and business unit leaders, at least annually, to evaluate and identify risks associated with [the sales of products and services], including risks associated with the sales, marketing.” Moreover, it requires a centrally developed plan to mitigate identified risks. This is required for all company business units and each is required to identify and mitigate risks unique to its services or products.

The totality of Olympus’ actions warranted this very strict and robust oversight. There are several more conditions in the CIA including a monitor and continuing oversight that I have not discussed. Clearly the Department of Justice (DOJ) does not yet have the full confidence that the company has the will to comply with US laws going forward so robust oversight is warranted.

Nonetheless, many of the strategies the government has pursued may move from the very robust best practices to the new normal. In 2007, I went to work for a company that had a Deferred Prosecution Agreement (DPA) that required stringent due diligence, monitoring and oversight of third parties who came into contractual relationships with the company. This was beyond cutting edge at that point in time. Now it is standard practice. The FCPA compliance practitioner would do well to study the Olympus CIA as it may well portend things to come.

I think I will spend the rest of the week listening to the Beatles catalogue. To Sir George Martin, one very large thank you, and maybe you can produce David Bowie in the great beyond.




Today, I continue my exploration of the resolution documents from the long-standing Foreign Corrupt Practices Act (FCPA) probe into the Dutch telecom giant VimpelCom Ltd. (VimpelCom) for a spectacular, long-standing bribery scheme for the company to garner the rights to the mobile communications business in Uzbekistan. Multiple bribery schemes appear to have been approved at the highest levels of the company and should provide a wealth of case studies on bribery schemes for the compliance professional going forward. Today, I want to begin with the initial start of the scheme and then discuss what led to the first bribery payment in what I term the fraudulent buy-out.

Board of Directors and Senior Management Involvement

VimpelCom sought to enter the telecom market through the acquisition of a local player, Unitel LLC (Unitel), as an entrée into the Uzbekistan market. Unitel made clear to VimpelCom that to have access to, obtain and retain business in the Uzbeki telecom space, VimpelCom would have to, according to the VimpelCom Deferred Prosecution Agreement (DPA), “regularly pay Foreign Officials millions of dollars”.

As discussed yesterday, with the acquisition of Unitel, VimpelCom acquired another entity, LLC Barkie Uzbekistan Telecom (Buztel), that was at least partially owned by an Uzbeki government official, who hid their interest through a shell company, which was known to VimpelCom. VimpelCom did not articulate a legitimate business reason for the deal and paid $60MM for Buztel.

As laid out in VimpelCom’s Information, its senior management was well aware of the potential FCPA risk. The Information stated, “From the beginning of VIMPELCOM’s deliberations concerning its entry into Uzbekistan, there was an acknowledgment of the serious FCPA risks associated with certain VIMPELCOM management’s recommendation to purchase Buztel in addition to Unitel… Documents prepared for the December 13, 2005 Finance Committee meeting explained that Buztel was owned by a Russian company “and a partner” without further detailing the identity of the “partner.” The materials documented that “[t]hrough a local partner, [VIMPELCOM was] in a preferred position to purchase both assets . . . .”” The Finance Committee “identified the likelihood of corruption and expressed concerns.” Even with these reservations, the Finance Committee failed to identify the local partners.

But there were even more specific cautions around a FCPA violation when one Finance Committee member ““expressed concern on the structure of the deal and FCPA issues” and noted “that if [VIMPELCOM] goes into this deal under this structure and if the structure violates the FCPA picture, [VIMPELCOM’s] name could be damaged.”” The Finance Committee voted to move forward with the Buztel portion of the transaction “provided that all issues related to the FCPA should be resolved.”

These concerns moved up to the VimpelCom Board of Directors. In a December, 2005 Board meeting, “the likelihood of corruption was further discussed” and that “there was a recognition that a thorough analysis was needed to ensure that the Buztel payment was not merely a corrupt pretext for other services and favors. There were also numerous requests to ensure that the deal complied with the FCPA. Ultimately, VIMPELCOM’s board approved the Buztel and Unitel acquisitions, with a condition that FCPA analysis from an international law firm be provided to VIMPELCOM.”

Here VimpelCom management defrauded its own Board of Directors. The Information states, “VIMPELCOM’s management then sought FCPA advice that could be used to satisfy the board’s requirement while allowing VIMPELCOM to proceed with a knowingly corrupt deal. Despite the known risks of Foreign Official’s involvement in Buztel, certain VIMPELCOM management obtained FCPA legal opinions from an international law firm supporting the acquisition of Unitel and Buztel; however, certain VIMPELCOM management did not disclose to the law firm Foreign Official’s known association with Buztel. As a result, the legal opinion did not address the critical issue identified by the VIMPELCOM board as a prerequisite to the acquisition. Management limited the law firm’s FCPA review of the transaction to ensure that the legal opinion would be favorable. Having obtained a limited FCPA legal opinion designed to ostensibly satisfy the board’s requirement, certain VIMPELCOM management then proceeded with the Buztel acquisition and corrupt entry into the Uzbek market.”

Fraudulent Stock Transfer

But that was only the start, as VimpelCom then entered into a partnership with the foreign official who was given an ownership interest in Unitel, through the shell corporation. The shell company held an option to sell this interest back to VimpelCom in 2009. It would appear that the owner of the shell corporation was well known within both VimpelCom and Unitel but both entities referred to this person as the “partner” or “local partner”. VimpelCom set up a partnership where, “Shell Company obtained an indirect interest of approximately 7% in Unitel for $20 million, and Shell Company received an option to sell its shares back to Unitel in 2009 for between $57.5 million and $60 million for a guaranteed net profit of at least $37.5 million.”

VimpelCom’s Board was required to and did approve the partnership but, as with the original acquisition, “approval again was conditioned on “FCPA analysis by an international law firm” and required that “the identity of the Partner . . . [be] presented to and approved by the Finance Committee.” VIMPELCOM received an FCPA opinion on the sale of the indirect interest in Unitel to Shell Company on or about August 30, 2006. The FCPA advice VIMPELCOM received was not based on important details that were known to certain VIMPELCOM management and that certain VIMPELCOM management failed to provide to outside counsel, including Foreign Official’s control of Shell Company. In addition, documents, including minutes from the Finance Committee’s meeting on August 28, 2006, failed to identify the true identity of the local partner by name while noting the “extremely sensitive” nature of the issue.”

Some three years later, the shell company exercised its option to be bought out of the partnership for $57.5MM, after having invested $20MM. This netted a profit of $37.5MM. Unfortunately for all involved, they routed the payments for the transaction through financial institutions in the US, thereby creating FCPA jurisdiction.


Under the facts presented in the settlement documents, VimpelCom would probably have done these transactions regardless of their criminal and civil exposure. The Board was told point blank that VimpelCom would have a very difficult time breaking into the Uzbekistan telecom market without the additional acquisition of Buztel and, if it did not do so, “would be “in opposition to a very powerful opponent and bring [the] threat of revocation of licenses after the acquisition of Unitel [as a] stand-alone.””

Yet this is where the rubber hits the road. If a company is willing to commit bribery and engage in corruption to secure business no amount of doing compliance is going to help. If senior management is ready, willing and able to lie, cheat and steal from its own Board, there is not much even a best practices compliance program can do.

This is why enforcement plays a key role in the fight against corruption. Even with the recognized risk, specifically under the FCPA, VimpelCom was willing to pay bribes to get business in Uzbekistan. Someone, somewhere, at some time in the company had to stand up and say, ‘Stop, we are not going to break the law to do business.’

It also points out the interconnected nature of a business solution to the legal problem of bribery and corruption. As reported in the FCPA Blog, “VimpelCom is part of Norway’s Telenor. Norway’s government owns 54 percent of Telenor. Telenor’s chairman Svein Aaser resigned in October 2015 because of the investigation. Norway’s industry minister Monica Maeland complained that Telenor had withheld information about the investigation from her and parliament.”

Telenor has a business responsibility to monitor and keep an eye out on its assets. This is not the situation where you and I might buy stock in a US company. Telenor was the majority shareholder and certainly would have been able to check on its substantial investment. There is a reason that lenders are now requiring their customers to have a best practices compliance program in their loan covenants. It is to protect their investments. The more corporate owners inquire into compliance programs of their entities, the more compliance we will have going forward.

