JANUARY 16, 2020 2019 BY TOM FOX

In today’s edition of the Daily Compliance News:

  • We always knew he believed in bribery but Trump tried to unilaterally repeal the FCPA. (NYT)
  • Goldman stock falls as 1MDB settlement nears. (WSJ)
  • Red Sox fire Alex Cora, wait for MLB to drop the hammer. (WSJ)
  • What’s wrong with keeping petty cash at home? (Daily Mail)

After you complete your risk assessment, you must then translate it into a risk profile. If your estimate of where your bribery risk is greatest is wrong, it will be an effort to address it. As Ben Locwin explained in his BioProcess International article, entitled “Quality Risk Assessment and Management Strategies for Biopharmaceutical Companies”:

Once we have assessed risks and determined a process that includes options to resolve and manage those risks whenever appropriate, then we can decide the level of resources with which to prioritize them. There always will be latent risks: those that we understand are there but that we cannot chase forever. But we need to make sure we have classified them correctly. With a good understanding of each of these, we are in a better position to speak about the quality of our businesses.

William C. Athanas, in his Industry Week article, “Rethinking FCPA Compliance Strategies in a New Era of Enforcement”, posited that companies assume that FCPA violations follow a bell curve in which most employees are responsible for most of the violations. However, Athanas believed that the distribution pattern more closely follows a hockey-stick distribution, where virtually all violations are committed by just a few people. Athanas concluded by noting that it is this limited group of employees, or what he terms the “shaft of the hockey-stick,” to which a company should devote the majority of its compliance resources. With a proper risk assessment, a company can then focus its compliance efforts such as intensive training sessions or detailed analysis of key financial transactions involving those employees with the greatest means and motive to commit a violation.

The Evaluation of Corporate Compliance Programs – Guidance Document (2019 Guidance) provides only the barest discussion of the evaluation, stating: “Risk Management Process – What methodology has the company used to identify, analyze, and address the particular risks it faces?… How have the information or metrics informed the company’s compliance program?” Another section states, “Updates and Revisions – Is the risk assessment current and subject to periodic review? Have there been any updates to policies and procedures in light of lessons learned?”

The Framework for OFAC Compliance Commitments (OFAC Framework) provides greater clarity, stating in the section entitled “Risk Assessments” the following: The organization has developed a methodology to identify, analyze, and address the particular risks it identifies. As appropriate, the risk assessment will be updated to account for the conduct and root causes of any apparent violations or systemic deficiencies identified by the organization during the routine course of business, for example, through a testing or audit function.

A way to evaluate risks as determined by the company’s risk assessment is through a risk matrix. Once risks are identified, they are then rated according to their significance and likelihood of occurring, and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of your remedial efforts or for continuous auditing. A variety of solutions and tools can be used to manage these risks going forward, but the key step is to evaluate and rate these risks. All your actions should flow from the risk ranking.

There are several ways to look at ‘Likelihood’ factors. An Event can be highly likely if it is expected to occur. An Event can be likely, with a strong possibility that an Event will occur. An Event may occur at some point, even if there is no history to support it. It can be possible and there is sufficient historical incidence to support it. Finally, an Event can be unlikely and not expected, with only a slight possibility that it may occur. Responses to likelihood factors to consider include the existence of controls; written policies and procedures designed to mitigate risk; leadership capable of recognizing and preventing a compliance breakdown; compliance failures or near misses; and training and awareness programs.

The priority rating is the likelihood rating and ratings that reflect the significance of a particular risk universe. It is not a measure of compliance effectiveness, nor is it meant to compare efforts, controls or programs against peer groups.

The most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These become the focus of your most significant risk management efforts, coupled with audit and monitoring going forward. A variety of tools can be used to continuously monitor risk going forward. Consider providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. It is important to create a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it. Finally, let this risk assessment and evaluation inform your compliance program, rather than letting the compliance program inform the risk assessment.

Three key takeaways:

  1. Even after you complete your risk assessment, you must evaluate those risks for your company.
  2. The DOJ and SEC are looking for a well-reasoned approach on how you evaluate your risk.
  3. Create a risk matrix and rank your risks; then remediate and monitor as appropriate.

Welcome to the Great Women in Compliance Podcast, co-hosted by Lisa Fine and Mary Shirley.

In this episode of GWIC, Lisa speaks with Kim Yapchai, who is the Chief Ethics and Compliance Officer for Tenneco. Kim did not start in the ethics and compliance field by choice – she became responsible for ethics and compliance during the 2008-2009 recession as part of a large staff reduction.

Kim went from an involuntary compliance officer to a leader in the ethics and compliance community by developing a program based on “transformational leadership” – developing a holistic program, working with her team and achieving results in both her prior and current role, both in E&C and in corporate social responsibility.

A great deal of Kim’s career has been in the automotive and manufacturing industries, two male-dominated industries. She discusses how she has thrived in these industries as a woman, and a person with a blended heritage.

Kim is also a great supporter of ethics and compliance professionals and discusses how she uses LinkedIn and building her network to help others…and how that is something she enjoys.

Join the Great Women in Compliance community on LinkedIn here.

Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. Welcome to the first Into the Weeds podcast of the new decade and the new year. In this Part 2 of a two-part podcast series, Matt Kelly and I take a look at ten issues that we think will be significant for the compliance professional in the upcoming year.

Some of the highlights include:

  • The Institutional Shareholder Services lawsuit against the SEC. What will this and other court cases against the Trump Administration’s attempt to gut shareholder protections by the SEC mean?
  • Effective sanctions compliance programs. Will there be congruity or discrepancies in the interpretation of what constitutes a best practices compliance program by the DOJ and OFAC?
  • Compliance convergence. We are moving away from separate anti-corruption compliance, trade sanction and export control compliance, and AML compliance to a role which is simply compliance.
  • Data, data and more data. Regulators now expect data analytics, continuous monitoring and continuous improvement in your compliance program.
  • The ethical edge. How more effective compliance creates more efficient business processes, equating to greater profitability.


Matt’s blog post 7 Compliance Items to Watch in 2020 in Radical Compliance.

Tom’s blog post 4 Compliance Insights for 2020 and Beyond in the FCPA Compliance and Ethics Blog.

JANUARY 15, 2020 2019 BY TOM FOX


In today’s edition of the Daily Compliance News:

  • Businesses take the lead in response to climate change. (NYC)
  • Wells Fargo CEO admits he doesn’t have the answers yet. (Washington Post)
  • Trump Administration orders no discussion of climate change in allowing drilling in national forests. (Houston Chronicle)
  • Will Supreme Court further gut domestic corruption law? (Politico)