In this episode of the CONGERGE18 Preview Podcasts series, I visit with Keturah Pestel, Program Manager, Business Ethic and Legal Support Office at Thrivent. We discuss her company’s innovative use of internal reporting. Some of the issues we tackle in this podcast are:

  • Why internal reporting is more than simply whistleblowing?
  • What types of data can you interpret from internal reporting?
  • By using data from internal reporting to upgrade your compliance program you engage in continuous improvement.

In what is fast becoming one of the top ethics and compliance conferences around, I hope you can join me at CONVERGE18, hosted by Convercent. (I perform consulting work for Convercent.) This year’s event will be October 8-11 at the Omni in Bloomfield, Colorado. The line-up of this year’s event is simply first rate with some of the top ethics and compliance practitioners around.

With the acceleration of the speak up culture and organizational accountability that social media is enabling and amplifying, companies need to incorporate integrity into every level of the organization. CONVERGE18 will help you do just that by addressing this ethical transformation head-on. Get the insights, information and solutions you need to put ethics into action. Join compliance executives from Salesforce, Kimberly Clark, Avis, U.S. Bank, AARP, Wells Fargo, Cheesecake Factory and many others to:

  • Network with 300 of your peers, including C-suite executives, legal professionals, HR leaders and ethics and compliance visionaries.
  • Gain insights from 35 speakers including Ethics and Compliance advocate Hui Chen, ECI’s CEO Pat Harned, NBA’s Deputy Chief Compliance Officer Steph Vogel, President at OCEG Carole Switzer and more.
  • Bring actionable takeaways back to your program from various session types including 2 keynotes, 5 general sessions, 12 discussion-based roundtables, 18 interactive breakout sessions for you to listen, learn and share.
  • The goal of CONVERGE18 is to arm you with information, strategy and tactics to transform your organization and your career by connecting ethics to business performance through process augmentation and data visualization.

I hope you can join me at the event. For information on the event, click here. As an extra benefit to readers of this blog, CONVERGE18 is offering a 50% discount off the registration price. Enter discount code TOMFOXVIP.

CONVERGE18 is a production of Convercent, which is the sponsor of this podcast series.


I have been visiting with Eric Feldman, Senior Vice President, Don Stern, Managing Director of Corporate Monitoring & Consulting Services, and Rod Grandon, Managing Director of Government Services, from Affiliated Monitors, Inc., (AMI) who is the sponsor of this series. In it, we explore how to go about assessing ethics and compliance in the mergers and acquisition (M&A) context. In this fourth episode I visit with Grandon about the types of things a monitor would review to determine if a company adequately considered ethics and compliance during the M&A process.

Grandon sees two distinct phases in the M&A process; pre- and post-acquisition. In each phase an independent monitor would look at different aspects of it. The first is the planning, the negotiation and the due diligence. This review goes up to the point at which the transaction is completed. From there is the post-acquisition phase, the integration phase. Grandon sees a distinct role in both the pre and post-acquisition phases for an independent monitoring. During the pre-acquisition transaction phase an “independent monitor can come in without preconceived notions, without shackles, as to any corporate expectations and do that deep dive that is really necessary for the parties if that information is shared or at least one of the parties to gain an understanding of what is being purchased or what is missing.”

Moving over to what Grandon would expect to see in the integration phase, he noted the type of culture which exists through working with the respective workforces to understand what are their cultures. Are these cultures compatible in terms of bringing together a program to promote ethics and compliance? This requires, in many cases, deep dives, particularly the use of focus groups to get down to the workforce to get a true understanding of what some of the cultural elements that are in play. And in many cases, this is just a critical and complicated piece. From there, Grandon advocates moving into the controls area to literally put an independent set of eyes on the internal compliance controls. This is to help the parties understand the risk environment they find themselves in and the culture that is in play for the post-acquisition phase.

Moving to the post-acquisition phase Grandon noted that the independent monitor can also provide a key piece to help the integration phase. It can be a critical asset in this process of coming in helping management understand what it has acquired. This is the point there are no limitations on getting in and doing that deep dive with the workforce which already knows it’s been merged or acquired. Also the public already knows so no excuses for not getting in and getting a very good understanding the culture and how the workforce sees the ethics and compliance structure of the company.

Grandon made two interesting observations. The first was the unintended consequences of rapid growth, not taking the time to digest and integrate, leaving a gap and lack of understanding of what was expected of the workforce. The second was the problem of completely unforeseen events popping up through complaints to lawsuits to further discovery events.

The first area focuses on the unintended consequences of rapid growth. Grandon said, “many times I have seen companies, particularly smaller companies that have tried to grow very rapidly through acquisitions and mergers. In doing so, the focus was always on the finance and really never on the people’s side or human element. The acquiring entity never takes the time to get it right in terms of ethics and compliance. A cultural compatibility is absolutely critical for the success of the successor entity. Without that what frequently happens or the workforce is demoralized because they do not feel like they’ve been part of the process.”

Grandon continued, “the fact is no one from the acquiring entity listened to them so they really don’t understand the corporate direction. Suddenly many of the employees find themselves in a much more permissive environment than they had before. Maybe in the lack of appropriate leadership and guidance. The risk factors really tend to spin out of control very quickly if there’s not a good plan and a good understanding of what is going on in that transaction and that’s what leads to these unintended consequences.”

The second issue is the ‘pop-up problem’, “which is something, even with reasonably effective diligence, the parties missed. Now you are months down the road post transaction or perhaps even years down the road and a lawsuit pops up. These pop-up problems in many cases have been identified. If the companies would have taken the time to do that deeper dive into that ethics and compliance realm and to understand what the workforce has seen and experienced,  these issues may well have been forestalled. It just simply has never surfaced up to senior management or senior leadership levels.”

We concluded with some warning signs or red flags which may appear at points throughout the M&A process that may show problems exist or are on the horizon. Grandon said one clear such indicator was a “breakdown in transparency”. He expanded on this to note that there are “Suddenly little fiefdoms are permitted to exist within the successor, a corporate structure and there’s really no way of knowing what’s going on.” This can lead to small-ish problems becoming much bigger ones. Another key indicator is favoritism to certain people or groups within an organization. This can easily work to demoralize a workforce. If unethical or even questionable conduct is tolerated, this can also work to destroy employee morale. Grandon added that if management is disengaged from compliance and ethics and more is rather 100% focused on revenue and finances, this is a problem which needs to be addressed.

Tomorrow, we conclude with how M&A can benefit from an independent assessment.

Welcome to the only roundtable podcast in compliance. Inspired by our UK colleague, Jonathan Armstrong who inquired if we could explore the guilty plea of Michael Cohen and the guilty verdict against Paul Manafort, we dedicated two episodes to issues surrounding, raised by or related to these two events. In this episode we have commentary by Jay Rosen and Jonathan Armstrong (last week was Mike Volkov and Matt Kelly). After the commentary we follow with rants.

  1. Jay Rosen-begins with the Tom Fox mantra of Document Document Document to consider the use of documents in both cases. The Cohen case was built on the paper trail. He explains how prosecutors used it to uncover the fraud and why companies must properly record documents. Jay gives a shout out to John McCain for his services to our country.
  1. Jonathan Armstrong-There is much discussion in the US about whether prosecutors should or even can investigate the President, his team and family for their actions. He uses this as a jumping off point to consider if a UK PM and his team engaged in such blatant corruption, would UK prosecutors have the ability to engage in such investigations? What is the relationship of the CPS & SFO to the party in power for criminal investigations? Armstrong rants on curse of the enthusiastic amateur.

The members of the Everything Compliance panelist are:

  • Jay Rosen– Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at
  • Mike Volkov– One of the top FCPA commentators and practitioners around and the Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at
  • Matt Kelly– Founder and CEO of Radical Compliance. Kelly can be reached at
  • Jonathan Armstrong– Rounding out the panel is our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at

The host and producer (and sometime panelist) of Everything Compliance is Tom Fox the Compliance Evangelist.


During this series, I am visiting with Eric Feldman, Senior Vice President, Don Stern, Managing Director of Corporate Monitoring & Consulting Services, and Rod Grandon, Managing Director of Government Services, from Affiliated Monitors, Inc., (AMI) who is the sponsor of this series. In it, we explore how to go about assessing ethics and compliance in the mergers and acquisition (M&A) context. In this third episode I visit with Feldman about planning out your post-acquisition merger strategy.

Feldman starts with the Department of Justice (DOJ) and the information contained in various resolution documents for the past eight years or so. These documents stressed that an acquiring entity apply or ascertain that its Code of Conduct, policies and procedures regarding corruption are consistent with the acquired company’s policies and processes. If they are not consistent, the acquiring company should apply it’s Code of Conduct and anti-corruption policies and procedures to the newly acquired company within 18 months or “as quickly as is practicable”. Employees from the newly acquired entity must be trained on their new Code of Conduct and policy and procedure. There must also be a forensic audit to see if any FCPA issues pop up. This same language was brought forward into the 2012 FCPA Guidance.

All of these requirements were made more clear in the 2017 Evaluation of Corporate Compliance Programs (Evaluation), which laid out the following manner to think through the issues involved:

  • Due Diligence Process –Was the misconduct or the risk of misconduct identified during due diligence? Who conducted the risk review for the acquired/merged entities and how was it done? What has been the M&A due diligence process generally?
  • Integration in the M&A Process – How has the compliance function been integrated into the merger, acquisition, and integration process?
  • Process Connecting Due Diligence to Implementation –What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process? What has been the company’s process for implementing compliance policies and procedures at new entities?

The clear import is that there is a continuum from pre-acquisition into post-closing and that they build on the prior steps. From the pre-acquisition phase, you should be in position to develop your post-closing plan. Moreover, under the recent addendum to the FCPA Corporate Enforcement Policy, the safe harbor advocated by practitioners such as Michael Volkov have now been memorialized in the US Attorney’s Manual. This now memorialized safe harbor makes your planning literally from the time you identify a target, through pre-acquisition to closing and into integration, investigation and reporting even more critical. The DOJ is looking for robustness of process and, of course, how you documented that process through the tenure of events.

I asked Feldman for some examples of what the DOJ expects to see in a such a process. He explained that if pre-acquisition due diligence is done correctly, it will identify risks associated with the target and a risk assessment of that company should follow as a part of your pre-acquisition due diligence along the line to your post-acquisition, to give you a roadmap of what areas of risk need to be addressed immediately. Some of the things you would specifically look for in an integration plan are around internal controls. So, “Are you going to use the acquired entities internal controls or are you going to put your company’s internal controls regime in place? If so, how are you going to integrate them? How are you going to address any training and awareness gaps as it relates to ethics and compliance responsibilities of the employees, of the new company that are coming into your company? Do people understand the acquiring company’s anti-corruption posture and their ABC policies and procedures and all of that needs to be well documented into an integration plan.”

I asked Feldman why the documentation component is so important. He replied if no plan is followed, “it’s very hard to be able to demonstrate the pre and post-acquisition due diligence to an external entity like the Department of Justice. Then necessarily the outcome, but the real issue has to do with how can you demonstrate to a government regulator that you have done everything that you can do as a company to identify risk associated with corruption and misconduct. And then if you do identify the misconduct, that you have taken the right steps to inform the government and make that disclosure.”

I concluded by asking Feldman why an independent monitor can be useful in this process. He said, “One of the ways that AMI has seen work it extremely well to help allay some of the concerns around an acquisition, is if a company utilizes an independent monitor to do an assessment proactively after that acquisition has taken place.” Such a third party can come in and conduct the same or similar kind of an assessment as you would do under a government requirement. “It allows a determination of whether there has in fact been full integration, whether employees understand their responsibilities and are comfortable reporting issues to their new managers under the new company and the new structure, whether there have been any training gaps and whether those gaps have been completely filled, whether the company has done an adequate risk assessment of where the post-acquisition risks might lie.” This can be used to  demonstrate to the “DOJ or anyone else that might be looking, that the company has done adequate due diligence, which is exactly what they are looking for.”

Tomorrow, we consider the some of the issues for merged companies and how oversight can assist.

Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. In this episode, Matt Kelly and I take a very deep dive into the recent SEC whistleblower award of $54MM to two separate individuals.

Some of the highlights from this podcast are:

  1. What does all this mean for the new proposed SEC whistleblower award basis revisions under consideration?
  2. Apparently there is flexibility in the standards for whistleblower awards.
  3. More information on requirement waivers would assist corporations and compliance practitioners.

We unpack of all these points and consider strategies going forward.

For more reading: see Matt’s piece $54M SEC Whistleblower Award