Today I begin a series of Star Wars themed blog posts to celebrate the upcoming release of the next entry in the Star Wars franchise, Episode VIII – The Last Jedi. Please note that I will only use the first three movies, now known as Episodes IV-VI, and then Episode VII – The Force Awakens, for the themes this week. If you are a millennial and the prequels are your Star Wars, sorry, but you can write about them. The original three came out in 1977 – A New Hope, 1980 – The Empire Strikes Back and 1983 – Return of the Jedi, and these are my Star Wars movies. In conjunction with this series of blog posts, Jay Rosen and I are doing five days of Star Wars themed podcasts next week, monikered May the Podcast Be With You. In each podcast, we review the theme of the movie and tie it to a compliance concept. In today’s posting, we consider risk which might be unique to your business model.

I will begin with Episode IV – A New Hope. One of the plotlines is that the Galactic Empire has created a Death Star with enough firepower to destroy a planet. The Rebel Alliance is determined to destroy the Death Star and has blueprints detailing the defensive posture of the Death Star. A computer analysis determines a weakness in the Death Star’s defensive shield. At one point, the Death Star’s commander, Grand Moff Tarkin, played by Peter Cushing, is told there is a ‘risk’ in the Rebel’s plan of attack. Tarkin dismisses this risk as insignificant. Of course, Luke Skywalker then proceeds to exploit this risk and destroy the Death Star.

Tarkin’s incorrect assessment of this risk was lethal. Today I want this part of the story to introduce the subject of how you evaluate compliance risk under the Foreign Corrupt Practices Act (FCPA) or an economic sanctions regime. Failure to appreciate risk can lead to some very serious and perhaps lethal consequences.

Whether you utilize one approach or another, analyzing the results of your risk assessment is as important as doing the risk assessment. With the recent Department of Justice (DOJ) remarks around how they will review the effectiveness of compliance programs during an enforcement action to determine potential credit or even granting a declination, the stakes have never been higher. Of course, for Grand Moff Tarkin, his refusal to analyze the risk assessment presented to him was fatal.

I thought about risk when I read a recent article in the New York Times (NYT) by Liz Alderman, entitled “Biggest cement maker a focus in an inquiry on ISIS finances. This is a matter involving the world’s largest cement manufacturer, LafargeHolcim (LHN) and whether “the company helped finance the Islamic State militant group and other armed factions while operating a factory in Syria.” It drove home the issue of risk and how your business risks can morph in war-torn regions.

The company has been under investigation relating to its former operations in Syria. An internal investigation found “managers of Lafarge’s Syrian plant had paid armed groups to allow employees to move to and from the factory so that it could continue operating.” This led to the resignation of the Chief Executive Officer (CEO), Eric Olsen. French authorities now have him under investigation, examining if he and other senior executives knew about the payments and, more ominously, “whether the company may have bought oil linked to the Islamic State.”

When the Syrian Civil War broke out every other western company eventually left their facilities in the country. However, LHN kept its plant open. Alderman reported, “In 2012, Lafarge’s local managers started using intermediaries to pay the armed groups to ease the passage of employees and suppliers, the company’s internal inquiry found. Lafarge has said it saw little choice if it wanted to keep its operations running, and sought to avoid direct contact with the groups to minimize potential risks that could arise with the Syrian government or other militants.”

The company said in a statement in April 2017, “Very simply, chaos reigned and it was the task of local management to ensure that the intermediaries did whatever was necessary to secure its supply chain and the free movement of its employees.” That seems like an admission of payments to either criminal gangs or terrorist organizations in violation of at least US sanctions laws.

While the LHN situation may seem like an extreme one, with the company possibly making payments to ISIS, the same situation may be faced by US companies on a much smaller scale, much closer to home. In Mexico, many swaths of the country are under the sway of large criminal enterprises: the Zetas, Colima Cartel, Guadalajara Cartel, Juárez Cartel, Sinaloa Cartel, Sonora Cartel and Tijuana Cartel, to name only a few. What if a US company makes a payment so that its trucks can transport goods through their territory? Does such a payment violate any US laws on making payments to those entities on sanctioned lists?

What does the geographic area you conduct business in mean for your company’s risk? This is beyond the Transparency International Corruption Perceptions Index (TI-CPI) for payments to corrupt local officials, although that could certainly come into play. What if you have to make payments to criminals to, as LHN did, “secure its supply chain and the free movement of its employees”? What is the liability for a company which puts its employees in such a high-risk environment?

If you do not ask questions about risk and then pay attention to the answers, you may find yourself in the same position as Grand Moff Tarkin.

May the Force be with you.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2017

It has taken most of the day for me to sort out everything that has rushed through my mind since about 11:48 PM last night when the Houston Astros recorded the final out to win their first World Series. For probably everyone outside of Houston and Los Angeles, Game Seven was an anti-climactic finish to a great series. The Astros scored five runs off Dodger starter Yu Darvish by the second inning and Darvish headed to the showers. The game was basically over at that point but it did not make things any less tense watching it through.

What did it mean to the City of Houston? Probably more than I can articulate. Of course, this summer’s disaster of Hurricane Harvey is foremost in everyone’s mind. But as I heard fan after fan talk about going to Astros games as young boys with their fathers and grandfathers, I thought about my grandfather who was a season ticket holder when the original Colt 45’s opened for play back in 1962. It was my grandfather who gave me the lifelong joy of scoring each game as he made me learn to keep score so I would not ask him too many questions and it focused my attention on the field. I would practice by keeping score at home listening to the radio play at night before bed in the summer. My father grew up a Cardinals fan but quickly adopted the Colts and Astros. It was my father’s love for the Cardinals which took us to see Stan Musial when he came to Houston during his final season and he took me to see Mickey Mantle hit the first home run in the Astrodome in an exhibition game in 1965.

I also thought about my three friends who I attended the 2005 playoff run and first Astros World Series appearance with, now all lost to cancer. As always, I was designated as the official scorer of our quartet so I could keep everyone informed on immediate past performance of all players in the game. I still miss you guys. Here’s to all the Astros fans from over the past 50+ years, who watched from the great beyond, this one was for you as well as the rest of us in a more temporal status.

The 2017 World Series gave us many compliance lessons to consider going forward. We considered the role of data analytics in baseball and in compliance. The clear conclusion is that data is a tool which every compliance practitioner needs to use but it is only a tool. Even if data analytics can see patterns in raked leaves, it still takes a compliance professional to understand not only what that means but to put the information to use, whether it be actionable or requiring more of a deep dive investigation.

We saw Satan call a Press Conference during the ALCS when he heard (allegedly for the first time) that the Astros might not only make it to the World Series but perhaps win it; thereby threatening that Hell would freeze over. Satan ended the Press Conference with an enigmatic comment about ‘fiddling with the equipment’. It turned out to be not so ethereal as Major League Baseball (MLB) changed the texture on the baseballs so they were much slicker and those Dodger sinker-meisters could not grip the ball and throw their normally nasty to wicked sinkers. Darvish was the primary victim of this equipment fiddling, crashing out of the World Series with two spectacular losses. I am not sure that is what Satan had in mind to protect his real estate empire. (Calls to Satan for comment on the reported snowfall in Hades last night were not returned.) Of course, MLB continues to deny they have done anything to the equipment.

We learned how the Astros’ deliberate tanking plans from the early part of the decade, which saw three straight years of 100+ losses, were actually a brilliant use of strategic risk. The team used the risk management process of forecasting, risk assessment and risk management as a way to retool the focus of its roster, and we considered how you could do so in the context of your compliance program. By starting with forecasting, a compliance function utilizes risk assessment to consider issues which forecasting did not predict, or issues which the forecasting model raised as a potential outcome warranting a deeper dive. If you are moving into a new product or sales area and are required to use third-party sales agents, a risk assessment would provide information that a company could use to ameliorate the risks.

Yet it was all about what Jay Martin continually calls the most important aspect of a compliance program: execution. You must use the risk management tools available to you and, when a situation arises, you remediate when required. This is not only where the rubber hits the road; the information and data you garner in the execution phase should also be fed back into a feedback loop. From this, you will develop continuous feedback and continuous improvement for your compliance program.

In addition to MLB’s (cough, cough) equipment issue, they seriously dropped the ball on a disciplinary issue around race baiting. It involved Astro Yuli Gurriel, who after hitting a home run off Dodger pitcher Darvish pulled his eyes back to mock a slant-eyed facial expression. MLB Commissioner Rob Manfred properly condemned the racial gesture and suspended Gurriel but then completely dropped the ball when he delayed the suspension until the 2018 season. This complete lack of follow through rendered the discipline ineffective. There is no place for such actions by Gurriel in baseball and such inexcusable application of discipline by the commissioner.

We saw Carlos Beltran finally win a World Series ring. Beltran had no hits during the Series in three pinch hit appearances, yet his steady leadership, particularly after the Astros lost Game Six, helped turn the tide to a win in Game Seven. Astros fans still remember Beltran from his magical season in 2004 when he hit nearly .450 in the National League (NL) playoffs. His empathetic leadership will be missed next year.

For me, this magical run was about the joy and passion of baseball. The Astros are a young team and their infectious joy was a sight to behold. I am very passionate about compliance and the Astros demonstrated you can be professional yet joyful in your chosen profession. At this point, I am going to take the advice of Jay Rosen and Charlie Nugent, both (formerly suffering) long-time Boston Red Sox fans, and just enjoy it.



© Thomas R. Fox, 2017

In honor of fellow Houstonians, fellow Texans and now our neighbors to the east in Louisiana, who have been impacted by Hurricane Harvey, I continue my weather themed week by considering how Shakespeare used weather as a metaphor and what the compliance practitioner can learn from this going forward. It occurred to me that if weather is a metaphor in fiction, it is based on some reality which I think can be used to instruct on a best practices compliance program. Today I consider the use of weather in Macbeth, “the Scottish play”, where Shakespeare uses the weather to create an ominous dark mood throughout much of the play.

One commentator has noted, as with other Shakespearean tragedies, “Macbeth’s grotesque murder spree is accompanied by a number of unnatural occurrences in the natural realm. From the thunder and lightning that accompany the witches’ appearances to the terrible storms that rage on the night of Duncan’s murder, these violations of the natural order reflect corruption in the moral and political orders.” Yenised Ramirez-Ajete, writing for Prezi, has noted several weather themes in Macbeth. Through the use of fog, Shakespeare “creates a sense of mystery and suspense and shows that things are going to turn around. The fog first starts off in the play when King Duncan says he’s going to kill the Thane of Cawdor.” Shakespeare makes abundant use of rain throughout the tragedy. At the beginning of the play, “the sky is sunny, and then when something bad starts to happen the rain starts to pour. Or another thing that occurs, is the sun will be out yet it will be raining. All the storms at beginning of the play will foreshadow all the bad things that will happen in the future.”

Yet for me it is the storms that form the central motif in Macbeth. When the witches (or three sisters) appear, both thunder and lightning appear to foreshadow that something bad is going to happen or that something unnatural is going to occur. In Act I the first witch asks when they will meet again, noting that whenever they meet up there is always thunder, lightning, or rain, or all three at the same time. She makes this clear when they all meet in Act I and she says, “When shall we three meet again? In thunder, lightning, or in rain?” Of course, the murder of Duncan is in the midst of a terrible storm as well.

How does this relate to the compliance practitioner and more importantly, a best practices compliance program? If weather is a risk that you face, it needs to be put through your risk management process. Even in the Foreign Corrupt Practices Act (FCPA) arena weather can be a factor you need to reflect in your risk management process. Consider if your company is an agriculture based business where your suppliers require rain or even allocated irrigation waters to grow the plants which go into your products, such as grain for ethanol products. If your supplier-farmers must rely on a governmental water district for their irrigation water allocations, what could be the risk they might pay bribes to increase their allocations? What happens if there are bribes paid by suppliers in your supply chain to produce any part of your final product?

Now consider building permits and other government licenses which are necessary in a large construction project, such as a major hotel and gaming complex at or near a seashore with a gorgeous vista. What if your company directly makes what it believes are facilitation payments to obtain permits to build in low-lying areas which are prone to flooding? Now consider if these facilitation payments were actually bribes to get around local zoning or other flood control ordinances? Does any of this sound far-fetched? Perhaps but the point is these are clearly risks which must be assessed and then managed through your risk management protocol.

The Department of Justice (DOJ) clearly expects such risks to be evaluated, properly assessed and then managed. In its Evaluation of Corporate Compliance Programs (Evaluation) under Prong 9, Risk Assessment, the DOJ posed the following questions:

  1. Risk Management Process – What methodology has the company used to identify, analyze, and address the particular risks it faced?
  2. Information Gathering and Analysis – What information or metrics has the company collected and used to help detect the type of misconduct in question? How has the information or metrics informed the company’s compliance program?
  3. Manifested Risks – How has the company’s risk assessment process accounted for manifested risks?

Working backward from that list, consider manifested risks. Any reading of Shakespeare will inform you of the manifested risk of bad events during harsh weather conditions. The same can be said for weather related events which are known to occur. In Houston, we are now in the middle of the 1000-year flood event, having exceeded the 500-year flood event that happened way back two days ago. Is this a manifested risk? Is it a known risk? Right now many Houstonians are finding out that several commentators had predicted this type of flooding in Houston could occur.

These types of questions also point out how integrated compliance should be in your overall business processes. These are the types of questions you should be considering in your business operations for a variety of reasons. Just as clearly, if there is a risk from a compliance perspective, it needs to be assessed and managed. Continuing to reverse up the question chain, the DOJ wants to know how you have used the information. If your suppliers are farmers, have you provided them any training on your company’s expectation that no bribes be paid? Is that training in their local language? Was it documented? For the facilitation payment example, when was the most recent full review and assessment of all facilitation payments, including the documentation of to whom, the amount and the method of payment?

Finally, on the first two questions under Risk Management Process, what is your entire process? Does your organization even have a fully documented process to do so and to integrate it into your ongoing business process? What was your methodology, and did you even assess events such as the weather, geographical considerations or geopolitical events?

We are reminded that Shakespeare is our greatest playwright and greatest author of the English language. Although he wrote fiction, most of his plays were based on prior stories built around historical events. The use of weather may have been a motif, but as most fellow Texans can attest, it is real and the effects can be catastrophic. I hope you can use the lessons from Macbeth to consider your compliance program going forward.



© Thomas R. Fox, 2017

The Integrated Framework (Framework Volume) recognizes that “every entity faces a variety of risks from external and internal sources.” This objective is designed to provide a company with a “dynamic and iterative process for identifying and assessing risks.” For the compliance practitioner none of this will sound new or even insightful; however, the COSO Framework requires a component of management input and oversight that was perhaps not as well understood. The Framework Volume says that “Management specifies objectives within the category relating to operations, reporting and compliance with such clarity to be able to identify and analyze risks to those objectives.” But management’s role continues throughout the process, as it must consider both internal and external changes which can affect or change risk “that may render internal controls ineffective.” This final requirement is also important for any anti-corruption compliance internal control. Changes are coming quite quickly in the realm of anti-corruption laws and their enforcement. Management needs to be cognizant of these changes, and of changes that its business model may make in the delivery of goods or services which could increase the risk of running afoul of these laws.

Objective – Risk Assessments

The objective of Risk Assessment consists of four principles. They are:

Principle 6 – “The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to the objectives.”

Principle 7 – “The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.”

Principle 8 – “The organization considers the potential for fraud in assessment risks to the achievement of objectives.”

Principle 9 – “The organization identifies and assesses changes that could significantly impact the system of internal control.”

Principle 6 – Suitable Objectives

Your risk analysis should always relate to stated objectives. As noted in the Framework Volume, it is management who is responsible for setting the objectives. Rittenberg explained, “Too often, an organization starts with a list of risks instead of considering what objectives are threatened by the risk, and then what control activities or other actions it needs to take.” In other words your objectives should form the basis on which your risk assessments are approached.

Principle 7 – Identifies and Analyzes Risk 

Risk identification should be an ongoing process. While it should begin at senior management, Rittenberg believes that even though a risk assessment may originate at the top of an organization or even in an operating function, “the key is that an overall process exists to determine how risks are identified and managed across the entity.” You need to avoid siloed risks at all costs. The Framework Volume cautions that “Risk identification must be comprehensive.”

Principle 8 – Fraud Risk 

Every compliance practitioner should understand that fraud exists in every organization. Moreover, the monies that must be generated to pay bribes can come from what may be characterized as traditional fraud schemes, such as employee expense account fraud, fraudulent third party contracting and payments, and even fraudulent over-charging and pocketing of the difference in sales price. This means that fraud should be considered an important part of any risk analysis. It is important that any company follow the flow of money and, if the Fraud Triangle is present, that management controls be placed around such risk.

Principle 9 – Identifies and Analyzes Significant Change

It really is true that if there is one constant in business, it is that there will always be change. The Framework Volume states, “every entity will require a process to identify and assess those internal and external factors that significantly affect its ability to achieve its objectives.” Rittenberg intones that companies “should have a formal process to identify significant changes, both internal and external, and assess the risks and approaches to mitigate the risk” in a timely manner.


The SEC has made it clear that companies should be expanding their view of risk in implementing the COSO 2013 Framework. Obviously risk assessments are a cornerstone of a best practices compliance program as laid out in the 2012 FCPA Guidance and in the DOJ’s Evaluation of Corporate Compliance Programs, issued in February 2017. The regulators are telling companies specifically that they should be seeing new risks that they need to address because of the changes brought about by the new standard.

Howell noted that “in the internal control arena, fraud risk in particular is something that has been of keen interest because of the opportunity to mask fraud through the judgments made in recognizing revenue, no matter what the revenue recognition standard.” He went on to add other risks that companies should be considering in their risk assessments: “One risk is a company’s business practices do not relate to the accounting that they are providing right now because the business practices are changing and internally the company is not recognizing that the business practices are changing.

“Another example is that sales folks are giving concessions to customers that are not being reflected in their understanding of the contract and the accounting for the contract.” Howell went on to add that there might be other activities going on to acquire contracts that aren’t being properly accounted for or even recognized at some level, and that concessions are being given at the back end for returns that aren’t being reported back into the process of how that affects the estimate of cheap revenue going forward.

Finally, risks that a company has misstated or underestimated require a determination of whether revenue should be recognized over a period of time, or an estimate of what that period of time is if it is a rolling time frame. Howell stated, “For example, the period of time could be longer which means that your revenue would be recognized over a longer period of time. There’s always the risks that revenue could be recognized too early and that cost could be pushed out and spread over too long of a period of time. As we begin to think about these new judgments that are required, you get into this entirely new level of judgment and risk related to the judgment that the companies need to identify and build both preventative controls and detective controls, and have a plan to respond if they discover that the risk has actually happened and they have a failure.”

Three Key Takeaways

  1. Risk assessments are required under the COSO Framework, the 2012 FCPA Guidance and almost all other best practices compliance programs.
  2. Look at your risks across your organization and not in a siloed manner.
  3. Risks, their determination and their management change over time, so be cognizant of changes in business practices on the ground.

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at



Next, I will review how to use the risk assessment you have performed as a tool to provide a structured approach to establishing effective internal controls. After preparation of the risk assessment, the next step is to prioritize the list of risks and identify the locations where they are common. This begins by mapping existing internal controls to risks and then assessing whether the internal controls are sufficient to mitigate the risks.

To help with consistency in this evaluation process, it may be useful to assign a risk weight to each of the elements in the risk assessment. For example, a construction company might assign a higher weight to the presence of movable fixed assets, while a company which sells exclusively through local distributors might assign a higher weight to the sales function than one that exclusively uses company employees for sales activities. However it is structured, the assessment should result in the assignment of individual risk scores and a composite risk score for each location. These scores can then be used to prioritize the locations in terms of dealing with control risks.
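The weighting, composite scoring and control mapping described in the two paragraphs above, worked through as an added example (not code from the original post). Every risk element, weight, location and control name below is constructed sample data; the two weight profiles show how the same inherent scores rank differently for a distributor-based seller and for a construction company.

```python
"""Weighted risk scoring per location with a control-gap check.

Added example, not code from the original post. It applies the approach the
post describes: weight each risk element, score each location, roll the
scores into a composite per location, map existing controls to the risks and
flag high-scoring risks that have no control mapped. All element names,
weights, locations and controls are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskElement:
    name: str
    weight: float   # relative importance of this element for the business model


@dataclass
class Location:
    name: str
    inherent: dict  # element name -> inherent risk score, 1 (low) to 5 (high)
    controls: dict  # element name -> list of control names currently mapped


# Constructed weight profile for a company selling through local distributors:
# the third-party sales channel carries the most weight.
DISTRIBUTOR_PROFILE = [
    RiskElement("third_party_sales", 3.0),
    RiskElement("facilitation_payments", 2.0),
    RiskElement("gifts_travel_entertainment", 1.5),
    RiskElement("movable_fixed_assets", 1.0),
]

# Constructed weight profile for a construction company: movable fixed assets
# carry the most weight, the sales channel much less.
CONSTRUCTION_PROFILE = [
    RiskElement("third_party_sales", 1.0),
    RiskElement("facilitation_payments", 2.0),
    RiskElement("gifts_travel_entertainment", 1.0),
    RiskElement("movable_fixed_assets", 3.0),
]

# Constructed sample locations (hypothetical markets, not from the post).
SAMPLE_LOCATIONS = [
    Location(
        "Market X (distributors)",
        inherent={"third_party_sales": 5, "facilitation_payments": 4,
                  "gifts_travel_entertainment": 3, "movable_fixed_assets": 2},
        controls={"third_party_sales": ["distributor due diligence", "commission cap"],
                  "gifts_travel_entertainment": ["GTE pre-approval"]},
    ),
    Location(
        "Market Y (US sales force travelling in)",
        inherent={"third_party_sales": 1, "facilitation_payments": 2,
                  "gifts_travel_entertainment": 4, "movable_fixed_assets": 1},
        controls={"gifts_travel_entertainment": ["GTE pre-approval", "expense audit"]},
    ),
    Location(
        "Home office",
        inherent={"third_party_sales": 1, "facilitation_payments": 1,
                  "gifts_travel_entertainment": 2, "movable_fixed_assets": 1},
        controls={},
    ),
]


def composite_score(location, profile):
    """Weighted average of the location's inherent scores, on the same 1-5 scale."""
    total_weight = sum(e.weight for e in profile)
    weighted = sum(e.weight * location.inherent.get(e.name, 0) for e in profile)
    return round(weighted / total_weight, 2)


def control_gaps(location, profile, threshold=3):
    """Risk elements scored at or above threshold that have no control mapped."""
    return [e.name for e in profile
            if location.inherent.get(e.name, 0) >= threshold
            and not location.controls.get(e.name)]


def prioritize(locations, profile):
    """Locations ordered from highest to lowest composite score, with their gaps."""
    ranked = sorted(locations, key=lambda loc: composite_score(loc, profile), reverse=True)
    return [(loc.name, composite_score(loc, profile), control_gaps(loc, profile))
            for loc in ranked]


if __name__ == "__main__":
    for profile_name, profile in (("distributor", DISTRIBUTOR_PROFILE),
                                  ("construction", CONSTRUCTION_PROFILE)):
        print(f"--- {profile_name} weighting ---")
        for name, score, gaps in prioritize(SAMPLE_LOCATIONS, profile):
            print(f"{score:4.2f}  {name}  gaps: {gaps or 'none'}")
```

Market X ranks first under both profiles, but only the gap list tells you where the work is: a facilitation payment risk scored 4 with no control mapped to it.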

One of the biggest risks under the FCPA is where sales are conducted through third parties. If your company is moving to new geographic markets or new products and does not plan to use an internal sales team to facilitate these new efforts it presents a high compliance risk. The Securities and Exchange Commission FCPA enforcement action against Smith & Wesson (S&W) was just such a situation, where a newly emerging international sales operation was executed through third party agents.

The compliance function should understand the corporate or business unit controls over the international business generally, in addition to the necessary controls over agents. Some of the questions you might consider are the following. Is there a US based International Sales Manager who is responsible for growing the international business? What is the incentive compensation plan? How good are the segregation of duties? In other words, can the International Sales Manager unilaterally make high-risk decisions, or must a senior officer of the business unit or the corporate home office be part of the approval process? Finally, and in a point not to be forgotten or dismissed, how are all of these internal controls documented?

What about a situation opposite to the above scenario, where your company’s primary sales channel uses a US based sales force which only travels to locations outside the US for temporary visits of generally short duration? This situation minimizes some compliance risks, retains some compliance risks, and shifts some other compliance risks. The minimized compliance risks come from the lessened reliance on third parties, so that a company, at least in theory, would have more control over its own work force than over those employed outside the company.

The retained risks are the risks associated with gifts, entertainment, hospitality, and travel; approval of credit terms to customers; product pricing; special arrangements with customers such as providing product samples; knowing who the ultimate customer is and where the goods are ultimately shipped; and use of freight forwarders and customs agents. The shifted risks are created if there is no physical location outside the US because the accounting must be done in the US. This means that compliance risks regarding the accounting function simply shift to the US accounting department where transactions are processed and recorded and where the financial statements are prepared.

These identified risks need to be subject to appropriate internal controls because it is well established that the issuance of a Code of Conduct and/or compliance policy and training on said policy’s requirements is a good practice, but it does not provide reasonable assurance that employees will comply with the policies. What is needed are written procedures and work instructions, in the native language of the respective employees, that define exactly what the procedures to be performed are and how they will be evidenced. As difficult as it is for US employees to translate, by themselves, what it means to comply with policies, it may be significantly more difficult for employees outside the US, not only due to language but also due to traditional local business practices, cultures and customs.

You can also utilize the COSO 2013 Internal Controls Framework, which created a more formal structure to design or assess the effectiveness of internal control within the five COSO components. A companion document, Internal Control over External Financial Reporting: A Compendium of Approaches and Examples, catalogued possible approaches and examples in the context of internal control over financial reporting, and could be useful for companies implementing compliance internal controls under the FCPA. COSO has also published an additional companion document, Illustrative Tools for Assessing Effectiveness of a System of Internal Control, which provides templates that may be used to support an assessment of internal control and includes various scenarios which illustrate several practical examples of how the templates may be used.

Finally, consider a business unit in a geographic area such as the Far East where there is a significant amount of deference to supervisors in the local culture; such that, even if an employee saw inappropriate behavior it would not be expected that the employee would make any report or comment. Such situations can have huge impact on your internal controls environment.

Three Key Takeaways

  1. Third party risks are still your highest risks under the FCPA so use your internal controls appropriately to help prevent this risk from becoming a violation.
  2. Use mapping and a gap analysis to collate risks to existing controls.
  3. Always consider the regional and geographic variances.


For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at