In honor of fellow Houstonians, fellow Texans and now our neighbors to the east in Louisiana, who have been impacted by Hurricane Harvey, I continue my weather-themed week by considering how Shakespeare used weather as a metaphor and what the compliance practitioner can learn from this going forward. It occurred to me that if weather is a metaphor in fiction, it is based on some reality, which I think can be used to instruct on a best practices compliance program. Today I consider the use of weather in Macbeth, “the Scottish play”, where Shakespeare utilizes the weather to create an ominous, dark mood throughout much of the play.

One commentator has noted, as with other Shakespearean tragedies, “Macbeth’s grotesque murder spree is accompanied by a number of unnatural occurrences in the natural realm. From the thunder and lightning that accompany the witches’ appearances to the terrible storms that rage on the night of Duncan’s murder, these violations of the natural order reflect corruption in the moral and political orders.” Yenised Ramirez-Ajete, writing for Prezi, has noted several weather themes in Macbeth. Through the use of fog, Shakespeare “creates a sense of mystery and suspense and shows that things are going to turn around. The fog first starts off in the play when King Duncan says he’s going to kill the Thane of Cawdor.” Shakespeare makes abundant use of rain throughout the tragedy. At the beginning of the play, “the sky is sunny, and then when something bad starts to happen the rain starts to pour. Or another thing that occurs, is the sun will be out yet it will be raining. All the storms at beginning of the play will foreshadow all the bad things that will happen in the future.”

Yet for me it is the storms that form the central motif in Macbeth. When the witches (or three sisters) appear, both thunder and lightning appear to foreshadow that something bad is going to happen or that something unnatural is going to occur. In Act I the first witch asks when they will meet again, noting that whenever they meet up, there is always thunder, lightning or rain, or all three at the same time. She makes this clear when they all meet in Act I when she says, “When shall we three meet again? In thunder, lightning, or in rain?” Of course, the murder of Duncan takes place in the midst of a terrible storm as well.

How does this relate to the compliance practitioner and, more importantly, a best practices compliance program? If weather is a risk that you face, it needs to be put through your risk management process. Even in the Foreign Corrupt Practices Act (FCPA) arena, weather can be a factor you need to reflect in your risk management process. Consider if your company is an agriculture-based business where your suppliers require rain or even allocated irrigation waters to grow the plants which go into your products, such as grain for ethanol products. If your supplier-farmers must rely on a governmental water district for their irrigation water allocations, what could be the risk that they might pay bribes to increase their allocations? What happens if bribes are paid by suppliers in your supply chain to produce any part of your final product?

Now consider building permits and other government licenses which are necessary in a large construction project, such as a major hotel and gaming complex at or near a seashore with a gorgeous vista. What if your company directly makes what it believes are facilitation payments to obtain permits to build in low-lying areas which are prone to flooding? Now consider if these facilitation payments were actually bribes to get around local zoning or other flood control ordinances. Does any of this sound far-fetched? Perhaps, but the point is these are clearly risks which must be assessed and then managed through your risk management protocol.

The Department of Justice (DOJ) clearly expects such risks to be evaluated, properly assessed and then managed. In its Evaluation of Corporate Compliance Programs (Evaluation) under Prong 9, Risk Assessment, the DOJ posed the following questions:

  • Risk Management Process – What methodology has the company used to identify, analyze, and address the particular risks it faced?
  • Information Gathering and Analysis – What information or metrics has the company collected and used to help detect the type of misconduct in question? How has the information or metrics informed the company’s compliance program?
  • Manifested Risks – How has the company’s risk assessment process accounted for manifested risks?

Working backward from that list, consider manifested risks. Any reading of Shakespeare will inform you of the manifested risk of bad events during harsh weather conditions. The same can be said for weather-related events which are known to occur. In Houston, we are now in the middle of the 1000-year flood event, having exceeded the 500-year flood event that happened way back two days ago. Is this a manifested risk? Is it a known risk? Right now many Houstonians are finding out that several commentators had predicted this type of flooding in Houston could occur.

These types of questions also point out how integrated compliance should be in your overall business processes. These are the types of questions you should be considering in your business operations for a variety of reasons. Just as clearly, if there is a risk from a compliance perspective, it needs to be assessed and managed. Continuing to reverse up the question chain, the DOJ wants to know how you have used the information. If your suppliers are farmers, have you provided them any training on your company’s expectations that no bribes be paid? Is that training in their local language? Was it documented? For the facilitation payment example, when was the most recent full review and assessment of all facilitation payments, including the documentation of to whom, the amount and the method of payment?

Finally, on the first two questions under Risk Management Process, what is your entire process? Does your organization even have a fully documented process to do so and to integrate it into your ongoing business process? What was your methodology, and did you even assess events such as the weather, geographical considerations or geopolitical events?

We are reminded that Shakespeare is our greatest playwright and the greatest author of the English language. Although he wrote fiction, most of his plays were based on prior stories built around historical events. The use of weather may have been a motif, but as most fellow Texans can attest, it is real and the effects can be catastrophic. I hope you can use the lessons from Macbeth to consider your compliance program going forward.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2017

The Integrated Framework (Framework Volume) recognizes that “every entity faces a variety of risks from external and internal sources.” This objective is designed to provide a company with a “dynamic and iterative process for identifying and assessing risks.” For the compliance practitioner none of this will sound new or even insightful; however, the COSO Framework requires a component of management input and oversight that was perhaps not as well understood. The Framework Volume says that “Management specifies objectives within the category relating to operations, reporting and compliance with such clarity to be able to identify and analyze risks to those objectives.” But management’s role continues throughout the process, as it must consider both internal and external changes which can affect or change risk “that may render internal controls ineffective.” This final requirement is also important for any anti-corruption compliance internal control. Changes are coming quite quickly in the realm of anti-corruption laws and their enforcement. Management needs to be cognizant of these changes, and of changes that its business model may make in the delivery of goods or services which could increase the risk of running afoul of these laws.

Objective-Risk Assessments

The objective of Risk Assessment consists of four principles. They are:

Principle 6 – “The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to the objectives.”

Principle 7 – “The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.”

Principle 8 – “The organization considers the potential for fraud in assessing risks to the achievement of objectives.”

Principle 9 – “The organization identifies and assesses changes that could significantly impact the system of internal control.”

Principle 6 – Suitable Objectives

Your risk analysis should always relate to stated objectives. As noted in the Framework Volume, it is management who is responsible for setting the objectives. Rittenberg explained, “Too often, an organization starts with a list of risks instead of considering what objectives are threatened by the risk, and then what control activities or other actions it needs to take.” In other words, your objectives should form the basis on which your risk assessments are approached.

Principle 7 – Identifies and Analyzes Risk 

Risk identification should be an ongoing process. While it should begin at senior management, Rittenberg believes that even though a risk assessment may originate at the top of an organization or even in an operating function, “the key is that an overall process exists to determine how risks are identified and managed across the entity.” You need to avoid siloed risks at all costs. The Framework Volume cautions that “Risk identification must be comprehensive.”

Principle 8 – Fraud Risk 

Every compliance practitioner should understand that fraud exists in every organization. Moreover, the monies that must be generated to pay bribes can come from what may be characterized as traditional fraud schemes, such as employee expense account fraud, fraudulent third party contracting and payments, and even fraudulent over-charging and pocketing of the difference in sales price. This means that fraud should be considered an important part of your risk analysis. It is important that any company follow the flow of money and, if the Fraud Triangle is present, that management controls be placed around such risk.

Principle 9 – Identifies and Analyzes Significant Change

It really is true that if there is one constant in business, it is that there will always be change. The Framework Volume states, “every entity will require a process to identify and assess those internal and external factors that significantly affect its ability to achieve its objectives.” Rittenberg intones that companies “should have a formal process to identify significant changes, both internal and external, and assess the risks and approaches to mitigate the risk” in a timely manner.


The SEC has made it clear that companies should be expanding their view of risk in implementing the COSO 2013 Framework. Obviously risk assessments are a cornerstone of a best practices compliance program, as laid out in the 2012 FCPA Guidance and in the DOJ’s Evaluation of Corporate Compliance Programs, issued in February 2017. The regulators are telling companies specifically that they should be seeing new risks that they need to address because of the changes brought about by the new standard.

Howell noted that “in the internal control arena, fraud risk in particular is something that has been of keen interest because of the opportunity to mask fraud through the judgments made in recognizing revenue, no matter what the revenue recognition standard.” He went on to add other risks that companies should be considering in their risk assessments: “One risk is a company’s business practices do not relate to the accounting that they are providing right now because the business practices are changing and internally the company is not recognizing that the business practices are changing.”

“Another example is that sales folks are giving concessions to customers that are not being reflected in their understanding of the contract and the accounting for the contract.” Howell went on to add that there might be other activities going on to acquire contracts that aren’t being properly accounted for, or even recognized at some level; for example, concessions being given at the backend for returns that aren’t being reported back into the process, and how that affects the estimate of cheap revenue going forward.

Finally, there are the risks that a company has misstated or underestimated the determination of whether revenue should be recognized over a period of time, or the estimate of what that period of time is if it is a rolling time frame. Howell stated, “For example, the period of time could be longer which means that your revenue would be recognized over a longer period of time. There’s always the risks that revenue could be recognized too early and that cost could be pushed out and spread over too long of a period of time. As we begin to think about these new judgments that are required, you get into this entirely new level of judgment and risk related to the judgment that the companies need to identify and build both preventative controls and detective controls, and have a plan to respond if they discover that the risk has actually happened and they have a failure.”

Three Key Takeaways

  1. Risk assessments are required under the COSO Framework, the 2012 FCPA Guidance and almost all other best practices compliance programs.
  2. Look at your risks across your organization and not in a siloed manner.
  3. Risks, their determination and their management change over time, so be cognizant of changes in business practices on the ground.

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at



Next, I will review how to use the risk assessment you have performed as a tool to provide a structured approach to establishing effective internal controls. After preparation of the risk assessment, the next step is to prioritize the listing of the risks and the locations in which they are common. This begins by mapping existing internal controls to risks and then assessing whether the internal controls are sufficient to mitigate the risks.

To help with consistency in this evaluation process, it may be useful to assign a risk weight to each of the elements in the risk assessment. For example, a construction company might assign a higher weight to the presence of movable fixed assets, while a company which sells exclusively through local distributors might assign a higher weight to the sales function than one that exclusively uses company employees for sales activities. However it is structured, the assessment should result in the assignment of individual risk scores and a composite risk score for each location. These scores can then be used to prioritize the locations in terms of dealing with control risks.

One of the biggest risks under the FCPA is where sales are conducted through third parties. If your company is moving to new geographic markets or new products and does not plan to use an internal sales team to facilitate these new efforts it presents a high compliance risk. The Securities and Exchange Commission FCPA enforcement action against Smith & Wesson (S&W) was just such a situation, where a newly emerging international sales operation was executed through third party agents.

The compliance function should understand the corporate or business unit controls over the international business generally, in addition to the necessary controls over agents. Some of the questions you might consider are the following. Is there a US-based International Sales Manager who is responsible for growing the international business? What is the incentive compensation plan? How good is the segregation of duties? In other words, can the International Sales Manager unilaterally make high-risk decisions, or must a senior officer of the business unit or the corporate home office be part of the approval process? Finally, and in a point not to be forgotten or dismissed, how are all of these internal controls documented?

What about a situation that is the opposite of the above scenario, where your company’s primary sales channel uses a US-based sales force which only travels to locations outside the US for temporary visits of generally short duration? This situation minimizes some compliance risks, retains some compliance risks, and shifts some other compliance risks. The minimized compliance risks come from the lessened reliance on third parties, so that a company, at least in theory, would have more control over its own work force than over those employed outside your company.

The retained risks are the risks associated with gifts, entertainment, hospitality, and travel, approval of credit terms to customers, product pricing, special arrangements with customers such as providing product samples, knowing who the ultimate customer is and where the goods are ultimately shipped, and use of freight forwarders and customs agents. The shifted risks are created if there is no physical location outside the US because the accounting must be done in the US. This means that compliance risks regarding the accounting function simply shift to the US accounting department where transactions are processed and recorded and where the financial statements are prepared.

These identified risks need to be subject to appropriate internal controls because it is well established that the issuance of a Code of Conduct and/or compliance policy and training on said policy’s requirements is a good practice, but it does not provide reasonable assurance that employees will comply with the policies. What is needed are written procedures and work instructions, in the native language of the respective employees, that define exactly what the procedures to be performed are and how they will be evidenced. As difficult as it is for US employees to translate, by themselves, what it means to comply with policies, it may be significantly more difficult for employees outside the US, not only due to language but also due to traditional local business practices, cultures and customs.

You can also utilize the COSO 2013 Internal Controls Framework, which created a more formal structure to design or assess the effectiveness of internal control within the five COSO components. A companion document, Internal Control over External Financial Reporting: A Compendium of Approaches and Examples, catalogued possible approaches and examples in the context of internal control over financial reporting, and could be useful for companies complying with compliance internal controls under the FCPA. COSO has also published an additional companion document, Illustrative Tools for Assessing Effectiveness of a System of Internal Control, which provides templates that may be used to support an assessment of internal control and includes various scenarios which illustrate several practical examples of how the templates may be used.

Finally, consider a business unit in a geographic area such as the Far East where there is a significant amount of deference to supervisors in the local culture; such that, even if an employee saw inappropriate behavior it would not be expected that the employee would make any report or comment. Such situations can have huge impact on your internal controls environment.

Three Key Takeaways

  1. Third party risks are still your highest risks under the FCPA so use your internal controls appropriately to help prevent this risk from becoming a violation.
  2. Use mapping and a gap analysis to collate risks to existing controls.
  3. Always consider the regional and geographic variances.


For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at

In addition to prolific writing about compliance, another area I have committed to as the Compliance Evangelist is speaking about compliance in a variety of forums. In May, I have several speaking events and a webinar which I am excited to relate to you today.

On Tuesday, May 16th, I will be joined by Jonathan Marks, a partner at Marcum LLC, to present a conference on Operationalizing Compliance. The schedule is Registration and Continental Breakfast: 7:45 am – 8:15 am and the Program: 8:15 am – 4:00 pm. Highlights include:

  • What are the leading practices of an operationalized compliance program;
  • Why internal controls are the compliance practitioner’s best friend;
  • How you can use transaction monitoring to not only make your compliance program more robust but as a self-funding mechanism;
  • The new global anti-corruption enforcement paradigm;
  • Internal investigations and;
  • Negotiating with the government.

You will be able to walk away from the Operationalization Class with a clear understanding of how to operationalize a compliance program; an overview of international corruption initiatives and how they all relate to FCPA compliance, if it applies to you; how to deal with third parties, from initial introduction through contracting and managing the relationship, internal investigations, negotiating with the government, and trends in compliance. You will also learn about the importance of internal controls and how to meet the strict liability burden present around this requirement of FCPA compliance.

The Venue will be:

Marcum LLC

1600 Market Street

Philadelphia, PA 19103

Best of all, the event is complimentary. For registration and additional details, click here.

On May 18, I will be joined by Ben Locwin, PhD, MBA, MS, President, Healthcare Science Advisors, for a session on pharmaceutical compliance issues and risk management at CPhI North America, which will also be held in Philadelphia. If you are in pharma, this is the conference for you.

This session is centered directly on the diametrically-opposed viewpoints of strategic drug pricing. How are prices set? How should they be set? What’s the balance between capitalism, good economics, corporate interests, and altruism? Do these paradigms apply to both established and emerging markets? What are the legal frameworks surrounding these decisions? What are the ethical debates underpinning these decisions? What are the legal ramifications of approaching it incorrectly?

Legal and Policy Strategies for Drug Companies in Today’s Global Market
I. Drug pricing:
i. How is it set?
ii. Is it set accurately?
iii. Is it set appropriately?
iv. What do those even mean?

II. Why does levothyroxine matter? Reimbursement.
i. What’s happening with reimbursement in 2017?
ii. What does a new presidential administration mean for drug prices?

III. The Heinz Dilemma
i. Separating ethics and morals from business, enterprise, and economics

IV. Interactive Exercise
Develop regionally-specific pricing models to create a visual worldwide market that encourages competition, growth, and sustainability.

For Registration and Information, click here.

From May 22-24, I will be participating in Compliance Week 2017. I am chairing a panel with two of my favorite folks in compliance: Ren McEachern from the FBI and the recently retired Head of the Securities and Exchange Commission’s FCPA Unit, Kara Brockmeyer. Our session will be a celebration, entitled “Happy Birthday FCPA! A Toast to the Next 40”.

Session Description:

The FCPA was enacted back in 1977, but its real time to shine has been over the last decade. There is no denying its impact on anti-corruption laws around the globe or the headline-making status due to increased enforcement in the United States. In this session we’ll discuss what companies need to know about the FCPA moving forward, including the impacts of increased cross-border law enforcement cooperation, the importance of third party risk management, and industry’s increasingly sophisticated understanding of what an effective anti-corruption compliance program should be.

Readers of this blog can receive a discount of $300 by entering discount code CW17TOMFOX on the payment page. For more information and registration details, click here.

Finally, if you are not going to be in Philadelphia or Washington in May, or your travel budget is light for the month, I will be participating in a Compliance Week webinar on Operationalizing Your Compliance Program, with Patrick Taylor of Oversight Systems, on May 4. As you are well aware, the Justice Department has mandated that companies operationalize compliance within the organization to drive effectiveness. Review and analysis of corporate data is one way to do so. Reviewing gifts, travel and entertainment expense data can benefit the compliance, accounts payable and sales functions, just to name a few. How can a compliance professional develop and implement such a plan? In this webinar you will take away:

  • An understanding of the types of data each company owns;
  • Why operationalization of compliance is an imperative;
  • How to cut across silos to increase operationalization; and
  • How to partner with other corporate functions.

For more details and registration, click here.

The DOJ Evaluation of Corporate Compliance Programs states:

  • Risk Management Process – What methodology has the company used to identify, analyze, and address the particular risks it faced?
  • Information Gathering and Analysis – What information or metrics has the company collected and used to help detect the type of misconduct in question? How has the information or metrics informed the company’s compliance program?

I continue my exploration of the risk management process by focusing today on risk assessments. One cannot really say enough about the role of risk assessment in compliance programs. Each time you hear a regulator talk about compliance programs, it starts along the lines of you cannot manage your FCPA risk without first determining what your company’s risk is; and to determine that compliance risk, the process you should utilize comes through a risk assessment.

We previously considered forecasting. The difference between forecasting and risk assessment is that risk assessment attempts to consider things which forecasting either did not reliably predict, or those things which the forecasting models have raised as potential outcomes which could be troubling, critical themes and issues. As Ben Locwin has explained, “What you’re trying to do then is decide on how you would address these. Risk assessments should create your risk registry. Those items which are most consequential for your organization, whatever it happens to be.”

Within the context of an anti-corruption compliance program, you are trying to make adjustments based on the risks of violation of the law out in the marketplace. For instance, in a compliance forecast, third-party risk should be considered at the top of your ordinal list of risks, and you should consider a multitude of factors such as the operating procedures, processes and systems, and training. Of course, the execution of that process is a critical component as well.

All these things, to some degree, should appear in a risk assessment for the organization. Meaning, at the corporate level, what happens if you change products or sell into a new geographic area which is perceived to be more high-risk? There should be a risk assessment node which has a component that notes these changes so that you can adapt as necessary. Locwin stated, “The risk assessment itself is designed to be able to elevate these, and if something does happen, the next step would be to take appropriate course of action to address any of those risks.”

Here is an example which illustrates the differences between forecasting and a risk assessment, yet also how the two are complementary. This winter, when I began purchasing hot coffee products from Starbucks, as opposed to the cold drinks I buy during the hotter parts of the year, I discovered that baristas no longer put sleeves on coffee cups but now require you to ask for one. The second time I had to ask for a sleeve, I inquired of the barista why I had to do so. She replied that corporate had changed the policy for environmental reasons and that she could only provide a sleeve at the specific request of the customer. When I pointed out that it slowed the line down and was much less efficient in the delivery of Starbucks’ coffee, she replied, “You’re absolutely right. I hate it. Would you please email Starbucks and tell them of your dissatisfaction?”

I will let Locwin pick it up from here, “what you’ve put your finger on is the crux of the balance of forecasting versus risk assessment. They’re two very different things, but at the same time, as they weave through time, they interchange. For example, Starbucks would potentially say, “We forecast that consumers are going to be more concerned about paper use, sleeves, the economic costs to the world, of extra paper waste and things. We’re going to, in certain locations, let’s say across Texas, we’re going to pilot that we don’t give out sleeves unless they’re asked for.” In their risk assessment, which I can tell you didn’t change from that forecast, what they then should have had was a commensurate line item which said, “If consumers start to have a problem with what’s being done at these locations, our immediate contingency plan is to do the following, to strip it away immediately, full stop, so that every cup gets a sleeve, so that they’re not slowing down lines, consumers say you heard us immediately, and then the organization is back on track.”

“Their forecast plans something, the risk assessment should have had countermeasures to address, and instead if they didn’t have this in place, they’re going to have to wait until they start to have a Twitter feed that blows up… The risk assessment model should say, ‘Then we will do the following.’ Really they don’t have the capability in a lot of cases to measure the effect of this and immediately course correct. It’s probably going to be a month, two months, four months before they start to get wind of this in a consistent way to say, ‘Texas was dissatisfied by this change and same in our pilot in Wisconsin. Let’s stop not giving out sleeves…’ Then eventually that starts to dissipate and they get rid of this whole new silly paradigm.”

Locwin’s point was that your risk assessment can help to inform your response to an FCPA violation, a corporate crisis or even (in my opinion) the misstep of requiring Starbucks customers to ask for sleeves for their coffee purchases. In another article by Locwin, entitled “Quality Risk Assessment and Management Strategies for Biopharmaceutical Companies”, he noted, “knowledge is power”. He went on to add, “Once we have assessed risks and determined a process that includes options to resolve and manage those risks whenever appropriate, then we can decide the level of resources with which to prioritize them. There always will be latent risks: those that we understand are there but that we cannot chase forever. But we need to make sure we’ve classified them correctly. With a good understanding of each of these, we’re in a much better position to speak about the quality of our businesses.”

Three Key Takeaways

  1. The Evaluation put renewed emphasis on risk assessments.
  2. Risk assessments logically follow and are complementary to forecasting.
  3. The risk assessment output allows you to prioritize your response, plan funding and deliver resources in a risk management solution.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to