Today, we continue our exploration of the new Department of Justice (DOJ) Compliance Counsel and the metrics laid out by Assistant Attorney General Leslie R. Caldwell, who called for her review of compliance programs. Today we review the first criterion and tie it to one made specifically applicable to financial institutions but which I believe both should and will soon apply to non-financial institutions. These metrics are:

  • Are the institution’s compliance policies clear and in writing? Are they easily understood by employees? Are the policies translated into languages spoken by the company’s employees?
  • Does the institution ensure that its compliance policies are effectively communicated to all employees? Are its written policies easy for employees to find? Do employees have repeated training, which should include direction regarding what to do or with whom to consult when issues arise?

The written policies and procedures required for a best practices compliance program are well known and long established. As stated in the FCPA Guidance, “Among the risks that a company may need to address include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.” Policies help form the basis of expectation and conduct in your company and Procedures are the documents that implement these standards of conduct.

Stephen Martin, the head of Baker and McKenzie’s Compliance Consulting Practice, and his former law partner Paul McNulty, developed one of the best formulations that I have seen of these requirements in their Five Elements of an Effective Compliance Program. In this formulation, they posit that your Code of Conduct, policies and procedures should be grouped under the general classification of ‘Standards and Procedure’. They articulate that every company has three levels of standards and controls. First, every company should have a Code of Conduct, which should, most generally, express its ethical principles. But simply having a Code of Conduct is not enough so a second step mandates that every company should have standards and policies in place that build upon the foundation of the Code of Conduct and articulate Code-based policies, which should cover such issues as bribery, corruption and accounting practices. From the base of a Code of Conduct and standards and policies, every company should then ensure that enabling procedures are implemented to confirm those policies are executed, followed and enforced.

Another way to think of policies, procedures and controls was stated by Aaron Murphy, now a partner at Akin Gump, in his book “Foreign Corrupt Practices Act”, when he said that you should think of all three as “an interrelated set of compliance mechanisms.” Murphy went on to say, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.”

John Allen, in an article in the Houston Business Journal (HBJ), entitled “Company policies are source and structure of stability”, said that written policies and procedures “are not a surefire guarantee that things won’t go wrong, they are the first line of defense if things do.” The effective implementation and enforcement of policies demonstrate to regulators and the government that a “company is operating professionally and proactively for the benefit of its stakeholders, its employees and the community it serves.” If it is a company subject to the FCPA, by definition it is an international company so that can be quite a wide community.

Allen identified five key elements to any well-constructed policy. They are:

  • identify to whom the policy applies;
  • establish the objective of the policy;
  • explain why the policy is necessary;
  • outline examples of acceptable and unacceptable behavior under the policy; and
  • warn of the consequences if an employee fails to comply with the policy.

Allen notes that for policies to be effective there must be communication. He believes that training is only one type of communication. I think that this is a key element for compliance practitioners because if you have a 30,000+ worldwide work force, the logistics alone of such training can appear daunting. Small groups, where detailed questions about policies can be raised and discussed, can be a powerful teaching tool. Allen even suggests posting FAQs in common areas as another technique. And do not forget that one of the reasons Morgan Stanley received a declination to prosecute by the DOJ was that it sent out bi-monthly compliance reminder emails to its employee, Garth Peterson, for the seven years he was employed by the company.

The FCPA Guidance ends its section on policies with the following, “Regardless of the specific policies and procedures implemented, these standards should apply to personnel at all levels of the company.” This means that policies are applied fairly and consistently across your company. If there is not consistent application, Allen notes, “there is a greater chance that an employee dismissed for breaching a policy could successfully claim he or she was unfairly terminated.” This last point cannot be over-emphasized. If an employee is going to be terminated for fudging their expense accounts in Brazil, you had best make sure that same conduct lands your top producer in the US with the same quality of discipline.

These metrics also specifically set out that policies and procedures need to be translated into appropriate local language. This follows clear input from the FCPA Guidance, which says “it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it.” This means that training should also be in an appropriate local language so that your employees can understand their obligations under the FCPA and your company’s expectations around ethics and compliance.

Communication of Written Program

The communication of your anti-corruption compliance program is something that must be done on a regular basis to help ensure its effectiveness. The FCPA Guidance explains, “Compliance policies cannot work unless effectively communicated throughout a company. Accordingly, DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.”

“Conducting effective training programs” is listed in the 2011 US Sentencing Guidelines as one of the factors the DOJ will take into account when a company accused of a FCPA violation is being evaluated for a sentence reduction. The US Sentencing Guidelines mandate, “(4) (A) The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subdivision (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.”

One of the key goals of any FCPA compliance program is to train the company. But more than simply training, I believe these new metrics mandate that you demonstrate the effectiveness of your compliance training. The testing and evaluation of your FCPA compliance training program is an important aspect not to overlook. In their book, entitled “Foreign Corrupt Practices Act Compliance Guidebook”, authors Martin and Daniel Biegelman explore some techniques which can be used to evaluate FCPA compliance training. They believe a general assessment of those trained on the FCPA and your company’s compliance program is only a starting point. They list five possible questions as a starting point for the assessment of the effectiveness of your FCPA compliance training:

  1. What does the FCPA stand for?
  2. What is a facilitation payment and does the company allow such payments?
  3. How do you report compliance violations?
  4. What types of improper compliance conduct would require reporting?
  5. What is the name of your company’s Chief Compliance Officer?

The authors set out other metrics that can be used in the post-training evaluation phase. They point to any increase in hotline use: are there more calls into the compliance department requesting assistance or even asking questions about compliance? Is there any decrease in compliance violations or other acts of non-compliance?

While many companies have focused on the written components of a best practices compliance program, I believe these new Compliance Counsel metrics require that companies work to ensure the training is effective. It must be communicated in a manner designed to make an impression. This includes appropriate translations of the written documents and translations of your oral training presentations as well.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at


© Thomas R. Fox, 2015

As Houston, TX, is the epicenter of Foreign Corrupt Practices Act (FCPA) enforcement, most energy companies in my hometown have mature compliance programs or at least more mature than in other industries, which have not gone through a full FCPA sweep. This has brought much knowledge about the doing of compliance into these organizations. But just as compliance programs can become more mature and compliance practitioners more sophisticated in their approaches to FCPA compliance, the FCPA regulators can be more sophisticated in their knowledge and understanding of what constitutes a best practices FCPA compliance program.

Most interestingly, one of those areas is training on a FCPA compliance program as there has recently been renewed discussion by Department of Justice (DOJ) and Securities and Exchange Commission (SEC) representatives on the issue of training and testing the effectiveness of a best practices FCPA compliance program. Chief Compliance Officers (CCOs), compliance practitioners and corporate compliance functions need to understand that the DOJ and SEC are clearly signaling that simply testing and having employees sign a certification that they took the training is no longer sufficient. The regulators want companies to demonstrate the effectiveness of their FCPA anti-corruption training.

I was therefore interested to see a recent article on training in the MIT Sloan Management Review, entitled “Aligning Corporate Learning with Strategy”, by Shlomo Ben-Hur, Bernard Jaworski and David Gray. While the authors note that there has been an explosion of training options available in the corporate world and advances around the science of learning relating to the emotional centers of our brains, it is the emphasis on the “strategic alignment of learning rather on how learning is delivered” which is the key differentiator for effective employee development.

The authors believe there should be a more strategic business view of training and a more proactive stance on the delivered value of training and development. For the CCO or compliance practitioner they present some solid suggestions for ways to make FCPA compliance training more effective. Since we know the regulators are watching and may well look at the effectiveness of your FCPA training, now may be a good time for you to consider it. The authors present four learning practices that they believe can serve as a model for implementing a corporate learning strategy. I have adapted them for a FCPA compliance program.

Mapping the [CEO] agenda

Here the authors believe that it all starts with a strong emphasis from the very top of the organization that training is “mission-critical”. Something as simple and straightforward as “We will do business ethically and in compliance with the FCPA” stated by the Chief Executive Officer (CEO) can be used to cultivate the desired behavior. If leaders know they will be graded, evaluated and assessed on how they do business within the constraints of the company’s compliance program, they will be more apt to embrace learning it going forward. As the CCO you need to have such principles clearly articulated and even an opening line or opening video to your training.

But the CCO and compliance practitioner have a role in delivering the right type of training. You need to understand that, to bridge what might be a compliance skills gap in your training group, your compliance training needs to go through an assessment. You could think of something along the lines of a risk assessment, but in the compliance training assessment you determine what issues employees want and need addressed. By using these tools you can map the compliance training agenda and then move to “operationalize the [compliance] learning agenda through the portfolio of [compliance] learning and development activities.”

Aligning learning and development resources

Your next step is to take stock of your training resources by taking a “learning inventory”. What tools do you have in place for compliance training? From here the next step is to review your learning infrastructure; how do you deliver the training? Do you use live training? If so, who puts on the training? Is it internally outsourced to your Human Resources (HR) function or does the compliance department perform compliance training? Do you outsource to a third-party provider? If the training is not live, what media do you employ? Has the training been translated into local languages? If so, has that translation been vetted to ensure accurateness?

Another set of inquiries should be made into the efficacy of your current compliance training. Is it aligned with your current compliance initiatives? Have there been changes to your program or updated/new risks since your last compliance training was developed and deployed? How have you tested the effectiveness of your compliance training in the past, if at all? What have you done to validate your training under the COSO 2013 Framework Update?

Gaining buy-in for the learning agenda

The days of FCPA training being a slow recitation of the law, written by lawyers for lawyers, have long since passed. Here the authors advocate buy-in on the training from a wide variety of sources but specifically including the CEO. The reason is so that vision will be shared during the training. Making the training business specific is obviously an important factor. The authors provided a quote from Eivind Slaaen, Senior Vice President (VP) for HR at Hilti AG, which I thought summarized this approach quite well. She said, “We’ve stopped treating learning as stand-alone and see this more as a journey,” says Slaaen. “Rather than thinking you can teach people what they’re supposed to know in a couple weeks of training, we’re pulling the line [management] in as a partner — so you need to convince others to be a part of that journey.”

The authors also suggested some clear goals for the agenda. They suggested (1) does the learning agenda support the compliance goals going forward as they apply to the business unit?; (2) is the training clear on how doing compliance will affect the business unit going forward?; (3) did compliance involve the key influencers and key stakeholders in championing the agenda?; and (4) is the learning linked to and does it respond to changing compliance and business needs?

Activating the learning agenda

Continuous improvement is not simply a by-word in compliance but is now mandatory. The same should be true for your compliance learning portfolio. This means that as your compliance program matures or your organization develops new risks, your training needs to reflect this as well. The authors said, “Programs and learning initiatives that do not advance the ball toward business goals should be eliminated or brought into line with business needs. Sometimes this requires bringing in different learning personnel with the relevant expertise and instructional design skills to meet the new objectives. The company’s learning agenda should be the “North Star” for all corporate learning and development — the set of orienting principles against which program design choices are tested.”

I found this article very interesting, and it provided a different manner in which the compliance professional could think about training and learning. Even if such bespoke training is not rolled out on a company-wide basis, it could certainly be used for management or high-risk employees to provide more focused and useful FCPA compliance training. Moreover, it is developing a mindset from the very top levels of the company on down about the expected behaviors. I certainly see such learning as something the DOJ and SEC will see as innovative in the compliance space.


© Thomas R. Fox, 2015

I am pleased to announce the initiation of my FCPA Master Class training sessions. I will put on a two-day Foreign Corrupt Practices Act (FCPA) training class, which will be unlike any other class currently being offered. The focus of the FCPA Master Class will be on the doing of compliance. For it is only in the doing of compliance that companies have a real chance of avoiding FCPA liability.

The FCPA Master Class will provide a unique opportunity for any level of FCPA compliance practitioner, from the seasoned Chief Compliance Officer (CCO) to the practitioner who is new to the compliance profession. If you are looking for a training class to turbocharge your knowledge on the nuts and bolts of a FCPA compliance program going forward, this is the class for you to attend.

As one of the leading commentators in the FCPA compliance space for several years, I will bring a unique insight of what many companies have done right and many have done not so well over the years. This professional experience has enabled me to put together a unique educational opportunity for any person interested in FCPA compliance. Simply stated, there is no other FCPA training on the market quite like it. Armed with this information, at the conclusion of the FCPA Master Class, you will be able to implement or enhance your compliance program, with many ideas at little or no cost.

The FCPA Master Class will move from the theory of the FCPA into the doing of compliance and how you must document this work to create a best practices compliance program. Using the Ten Hallmarks of an Effective Compliance Program as a guide, you will learn the intricacies of risk assessments; what should be included in your policies and procedures; the five-step life cycle of third party risk evaluation and management; tone throughout your organization; training; and using other corporate functions to facilitate cost-effective compliance programs.

Highlights of the FCPA Master Class will include:

  • Understanding the underlying legal basis for the law, what is required for a violation and how that information should be baked into your compliance program;
  • What are the best practices of an effective compliance program;
  • Why internal controls are the compliance practitioner’s best friend;
  • How you can use transaction monitoring to not only make your compliance program more robust but as a self-funding mechanism;
  • Your ethical requirements as a compliance practitioner;
  • How to document what you have accomplished;
  • Risk assessments – what they are and how you can perform one each year.

You will be able to walk away from the FCPA Master Class with a clear understanding of what the FCPA is and what it requires; an overview of international corruption initiatives and how they all relate to FCPA compliance; how to deal with third parties, from initial introduction through contracting and managing the relationship, what should be included in your gifts, travel, entertainment and hospitality policies; the conundrum of facilitation payments; charitable donations and political contributions, and trends in compliance. You will also learn about the importance of internal controls and how to meet the strict liability burden present around this requirement of FCPA compliance.

The FCPA Master Class will be based around my book, Doing Compliance: Design, Create, and Implement an Effective Anti-Corruption Compliance Program, which focuses on the creation, implementation and enhancement of a best practices compliance program. Each participant will receive a copy of my book, as well as all training materials to keep and use for reference purposes going forward.

The first FCPA Master Class will be held in Houston, TX on September 10 and 11 at the offices of Merrill Brink International, 315 Capitol St #210, Houston, TX 77002. A Certificate of Completion will be provided to all who attend in addition to the continuing education credits that each state approves. The cost to attend is $1,195 per person. Group pricing is available. Breakfast, lunch and refreshments will be provided both days. For more information or a copy of the agenda, contact Tom Fox via email at or telephone at 1-832-744-0264. Additional information and registration details are available on my website, Advanced Compliance Solutions.

There will be additional FCPA Master Class training sessions at other locations across the US later this year. I hope that you can join me for one of them.








Ed. Note: today we have a guest post from noted ethics and compliance expert, as well as steel guitar player, Chris Bauer.

Okay, you know that you need to have effective compliance training but do you really know what will actually make it effective? The reality is that far too many compliance training programs fail on multiple counts. With compliance as critical as it is, that is unacceptable. Thankfully, there are a few areas which, if attended to well, can correct many of the most-frequently seen problems with the development and execution of these programs.

Here are five of the areas I see getting missed time after time in compliance training programs.

Do you actually have a solid, working definition of what compliance is? I see ethics, compliance, and accountability as being ‘cross-defined’ all the time. Do they inter-relate? Absolutely and it’s even a great idea to inter-relate them in your training. However, until you are clear about what you mean by all three of those terms, your training will leave employees confused and confusion is never good for compliance training…

To Do – Find or create definitions for all three of these terms that are clear, concise and, above all, practical. The moment these terms become hazy or academic you have already lost too many of your employees’ ability to build your ideas into their minute-to-minute, day-to-day practices. Also, be sure to use language that fits the culture of your organization. Just because something sounds good in another organization – or another part of your organization – doesn’t mean that it will work for anyone, let alone everyone, in every corner of your company. This is one of the many reasons that ‘one size fits all’ training is rarely effective. Different parts of your organization are likely to need things said and demonstrated in different ways. You have the choice; you can whine about the inconvenience of that or go about creating a great compliance training program.

Is your training practical? An awful lot of compliance training is little more than a coma-inducing parade of Powerpoint slides with the rules, regulations, and, perhaps, a few key updates. Is that information critical? Perhaps so. However, for starters be sure that the information really is critical before overwhelming employees with so much information that they can’t actually retain it.

To Do – Always build in opportunities for employees to ask how your training really applies to what they do on the job. If they can’t fully see the behaviors in which they are and are not to engage – or if they don’t believe those behaviors are possible in their circumstances – your training has missed the mark. Also, remember that employees are unlikely to tell you spontaneously that they don’t think they can do what you’re asking of them. Be active in seeking out feedback on not only their level of understanding of the material but, as importantly, their confidence that they can do what you’re asking of them. If they don’t think they can do it, it is your job to help them figure out how to deal with any roadblocks – real or perceived – they might see.

Are you simply transferring information or are you providing employees with solid ideas and tools to put the rules and regulations into practice? If you want a culture where compliance is topmost in your employees’ minds, they had better be able to first mentally retain and then apply the mandated rules and regulations. If you aren’t helping them apply what you’re telling them, it will have been an entirely academic exercise.

To Do – Here again, everything you train on needs to have clear, ‘do-able’ behaviors attached. Employees have to know exactly what they need to be doing to bring your compliance program to life. It’s not enough for you to believe that they ought to be able to figure it out; they really need to know and they need to hear it from you. (Mind you, they may also have ideas you haven’t thought of yet. Great! Just don’t pretend it isn’t your job to help them figure it out.)

Are you creating information overload? True, there’s a lot out there that your employees will need to know about compliance. However, are you giving so much in each sitting that it simply can’t be retained? Again, if they can’t retain the information – or, at least, find it easily – they certainly can’t put it into practice. Consider providing training in smaller, on-going chunks. Less time-efficient? Maybe. However, that will more than pay off in having your employees actually recall and apply what they’ve been trained on.

To Do – Remember that smaller chunks of information ‘stick’ better. Further, information that clearly has practical applications does the same. Work to avoid simply smothering employees with regulatory and oversight information. Make it real for them by providing it in digestible, easily recalled, practical chunks. Here again, whine if you like about this being inconvenient but the facts remain; you need to attend to this if you really want your compliance training to be effective.

Are you making compliance a tool for your employees’ personal success? I see a lot of organizations doing a fine job of conveying to employees how their bottom line can be wildly, adversely affected by compliance problems. However, they fail to show employees how compliance is important to them personally. Sure, we all want our employees to put our organization first but, really, is that realistic? If your goal is to motivate employees to attend to compliance – and that had better be one of your goals – you’ll get far more bang for your buck if you can help them see how their lives and careers will be easier/better if they keep their mind on compliance.

To Do – Without your employees, your organization would quite literally be nothing. They are already contributing all day, every day, to the success of your organization. Make compliance training – along with every other training you provide – a tool that they can use for their personal success as well. Maybe that success has to do with advancement, maybe it has to do with some kind of incentive. At the rock bottom, it has to do with them keeping their job. The point is that there will always be ways you can think of to help them see that a focus on compliance is as much for their personal benefit as the company’s. Do your homework and figure out what those motivations are for your employees. It will not only make your training a whole lot more effective, it’s a nice thing to help your employees be successful, yes?

It is all-too-easy to overlook all five of the above requirements for effective compliance training. In fact, by ignoring them, it will be far easier for you to create your training program; just throw a bunch of regulatory requirements onto a Powerpoint presentation or webinar and slam through it for as long as it takes. You will, in fact, be telling your employees what they are required to hear. If, however, your goal is to not sabotage your training and actually get employees to take action and create a culture where compliance is top-of-mind, ignore any of the above five concerns at your own risk.

Christopher Bauer is an expert on creating cultures of ethics, compliance, and accountability. Information on his programs as well as his Trust Foundry blog can be found at Information specific to his programs on professional ethics can be found at In addition to speaking, training, and consulting on creating cultures of ethics, compliance, and accountability, he publishes a Weekly Ethics Thought seen by thousands of readers worldwide. Free subscriptions are available by visiting either of his websites.