Jonah Lomu died this week. If you have more than a passing interest in sports, you will recognize Lomu as one of the very few game-changers in a sport, his being rugby. I do not pretend to understand the sport very well (except that it involves running, blocking, hitting and tackling – which I do understand), yet I could even tell that he was a true original, a 6 foot 5 inch, 265 lb. behemoth who could run a 4.4 forty. He played for the New Zealand All-Blacks but not in the middle as you might expect for a man his size but as a winger, really just a wide-out for those who want it translated into American football.

If you saw the movie Invictus about South Africa’s 1995 Rugby World Cup championship, you will remember the clips of a 20-year-old Lomu single-handedly destroying England with four tries (read: touchdowns) in the Semi-Finals. Yet South Africa was able to keep him under control to win one of the greatest finals upsets in Rugby World Cup history. Yet even at that youthful age, he had been diagnosed with a rare kidney disease that would eventually lead to his death at the age of 40. Here’s to you Jonah Lomu, to your true greatness and a true original.

I thought about Lomu when reading the comments from the Department of Justice (DOJ) and Assistant Attorney General Leslie R. Caldwell about how the DOJ will consider a company’s actions in any decision on whether or not to prosecute. These comments, changes and clarifications would appear to bookend the process that began with the Yates Memo, released back in September. Earlier this week, Deputy Attorney General Sally Quillian Yates clarified how the DOJ would be evaluating companies going forward.

Stephen Dockery, writing in the Wall Street Journal (WSJ) online publication, Risk and Compliance Report, in an article entitled “U.S. Justice Dept. Changes Corporate Credit Process in Prosecutions”, said that the DOJ explained how the process laid out in the Yates Memo would go into effect. He wrote there “will be two factors prosecutors can use in giving more favorable treatment” when making decisions on whether or not to prosecute. He quoted Yates as saying, “one focused solely on the company’s timely and voluntary disclosure and the second on its cooperation. We made this change to emphasize that while the concepts of voluntary disclosure and cooperation are related, they are distinct factors to be given separate consideration in charging decisions. In recognition of the significant value early reporting holds for us, prompt voluntary disclosure by a company will be treated as an independent factor weighing in the company’s favor.”

Dockery also noted that Yates clarified what might be considered “all relevant facts” from an investigation. Once again he quoted Yates directly, “There is nothing in the new policy that requires companies to waive attorney-client privilege or in any way rolls back the protections that were built into the prior factors. But to earn cooperation credit, the corporation does need to produce all relevant facts – including the facts learned through those interviews.” Dockery also said that Yates noted, “the Justice Department wouldn’t look favorably on companies trying to twist privilege to shield information from investigators.”

Caldwell expanded on these remarks in a speech made on Tuesday of this week, when she said, “In our view, a company that wishes to be eligible for the maximum mitigation credit in an FCPA case must do three things: (1) voluntarily self-disclose, (2) fully cooperate and (3) timely and appropriately remediate.” Regarding point 1, self-disclosure, Caldwell went on to say, “I mean that within a reasonably prompt time after becoming aware of an FCPA violation, the company discloses the relevant facts known to it, including all relevant facts about the individuals involved in the conduct.” Moreover, “To qualify, this disclosure must occur before an investigation—including a regulatory investigation by an agency such as the SEC (U.S. Securities and Exchange Commission)—is underway or imminent. And disclosures that the company is already required to make by law, agreement or contract do not qualify.”

Caldwell also expanded on Yates’ second prong, ongoing cooperation. She said, “Second, in line with the focus on individual accountability for corporate criminal conduct…companies seeking credit must affirmatively work to identify and discover relevant information about the individuals involved through independent, thorough investigations. Companies cannot just disclose facts relating to general corporate misconduct and withhold facts about the individuals involved. And internal investigations cannot end with a conclusion of corporate liability, while stopping short of identifying those who committed the underlying conduct.” But it means more than simply doing an investigation and turning over the results of the investigation. Full cooperation also “includes providing timely updates on the status of the internal investigation, making officers and employees available for interviews—to the extent that is within the company’s control—and proactive document production, especially for evidence located in foreign countries.”

Finally Caldwell added a third prong which Yates did not discuss, that being remediation. She noted that remediation includes a “company’s overall compliance program as well as its disciplinary efforts related to the specific wrongdoing at issue. For example, when examining remediation we consider whether and how the company has disciplined the employees involved in the misconduct. We also examine the company’s culture of compliance including an awareness among employees that any criminal conduct, including the conduct underlying the investigation, will not be tolerated.”

This is where the new DOJ Compliance Counsel comes into the picture. Caldwell said, “We look forward to her insights on issues such as whether the compliance program truly is thoughtfully designed and sufficiently resourced to address the company’s compliance risks and whether proposed remedial measures are realistic and sufficient.” I was interested to read that Caldwell also said this new person would also “be interacting with the compliance community to seek input about ways we can work together to advance our mutual interest in strong corporate compliance programs.” While her remarks this week did not go into the detail she did in her previous speech outlining the metrics the new Compliance Counsel will use in evaluating corporate compliance programs, Caldwell clearly referenced those standards as well.

The Yates remarks clarifying how “businesses will get an extra shot at favorable treatment based on their disclosure of wrongdoing to the government” and Caldwell’s speech further laying out the parameters and what will be expected in the form of a corporate compliance program should be welcome news to every Chief Compliance Officer (CCO) and compliance practitioner. These two pieces of information, coupled with Caldwell’s earlier remarks on the Compliance Counsel metrics, lay out for you, with the most precision yet, how to move forward towards obtaining the best possible outcome if you are embroiled in a Foreign Corrupt Practices Act (FCPA) investigation. If your management wants to know what credit it will receive and the roadmap of how to get the best possible result, the DOJ has laid it out for you.

I further believe this series of remarks serves as a bookend to the information announced in the Yates Memo in September. That Memo set forth the expectations for prosecutors in white-collar cases, including FCPA matters, to prosecute more individuals. You see what substantive cooperation means and how your compliance program will be evaluated. The DOJ has laid it out for you in plain black and white.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2015


Yesterday the FCPA Professor reminded us that the joint Department of Justice (DOJ) and Securities and Exchange Commission (SEC) FCPA Guidance came out three years ago this month. As a commentator focusing on the doing of compliance, I think it should give us pause to once again thank the government regulators and prosecutors who had a part in drafting this most remarkable of documents. I submit it is the best government generated source regarding what constituted at the time (and probably still does) a best practices compliance program. So for anyone interested in exploring the lessons learned about Foreign Corrupt Practices Act (FCPA) compliance programs and what the government expects to see, the FCPA Guidance is the best document you can review.

As a ‘Nuts and Bolts’ guy I found the DOJ/SEC formulation of their thoughts on what might constitute a best practices compliance program, denominated the “Ten Hallmarks of an Effective Compliance Program”, as the most useful part of the FCPA Guidance. While the Guidance cautions that there is no “one-size-fits-all” compliance program, it recognizes a variety of factors such as size, type of business, industry and risk profile a company should determine for its own needs regarding a FCPA compliance program. But the Guidance made clear that these ten points are “meant to provide insight into the aspects of compliance programs that DOJ and SEC assess”. In other words you should pay attention to these and use this information to assess your own compliance regime.

  1. Commitment from Senior Management and a Clearly Articulated Policy Against Corruption. It all starts with tone at the top. But more than simply ‘talk-the-talk’ company leadership must ‘walk-the-walk’ and lead by example. Both the DOJ and SEC look to see if a company has a “culture of compliance”. More than a paper program is required, it must have real teeth and it must be put into action, all of which is led by senior management. The Guidance states, “A strong ethical culture directly supports a strong compliance program. By adhering to ethical standards, senior managers will inspire middle managers to reinforce those standards.” This prong ends by stating that the DOJ and SEC will “evaluate whether senior management has clearly articulated company standards, communicated them in unambiguous terms, adhered to them scrupulously, and disseminated them throughout the organization.”
  2. Code of Conduct and Compliance Policies and Procedures. The Code of Conduct has long been seen as the foundation of a company’s overall compliance program and the Guidance acknowledges this fact. But a Code of Conduct and a company’s compliance policies need to be clear and concise. Importantly, the Guidance made clear that if a company has a large employee base that is not fluent in English such documents need to be translated into the native language of those employees. A company also needs to have appropriate internal controls based upon the risks that a company has assessed for its business model.
  3. Oversight, Autonomy, and Resources. This section begins with a discussion on the assignment of a senior level executive to oversee and implement a company’s compliance program. Equally importantly, the compliance function must have “sufficient resources to ensure that the company’s compliance program is implemented effectively.” Finally, the compliance function should report to the company’s Board of Directors or an appropriate committee of the Board such as the Audit Committee. Overall, the DOJ and SEC will “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”
  4. Risk Assessment. The Guidance states, “assessment of risk is fundamental to developing a strong compliance program”. Indeed, if there is one over-riding theme in the Guidance it is that a company should assess its risks in all areas of its business. The Guidance is also quite clear that when the DOJ and SEC look at a company’s overall compliance program, they “take into account whether and to what degree a company analyzes and addresses the particular risks it faces.” The Guidance lists factors that a company should consider in any risk assessment. They are “the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.”
  5. Training and Continuing Advice. Communication of a compliance program is a cornerstone of any anti-corruption compliance program. The Guidance specifies that both the “DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.” The training should be risk based so that those high-risk employees and third party business partners receive an appropriate level of training. A company should also devote appropriate resources to providing its employees with guidance and advice on how to comply with their own compliance program on an ongoing basis.
  6. Incentives and Disciplinary Measures. Initially the Guidance notes that a company’s compliance program should apply from “the board room to the supply room – no one should be beyond its reach.” There should be appropriate discipline in place and administered for any violation of the FCPA or a company’s compliance program. Additionally, the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership.”
  7. Third-Party Due Diligence and Payments. The Guidance says that companies must engage in risk based due diligence to understand the “qualifications and associations of its third-party partners, including its business reputation, and relationship, if any, with foreign officials.” Next a company should articulate a business rationale for the use of the third party. This would include an evaluation of the payment arrangement to ascertain that the compensation is reasonable and will not be used as a basis for corrupt payments. Lastly, there should be ongoing monitoring of third parties.
  8. Confidential Reporting and Internal Investigation. This means more than simply a hotline. The Guidance suggests that anonymous reporting, and perhaps even a company ombudsman, might be appropriate to have in place for employees to report allegations of corruption or violations of the FCPA. Furthermore, it is just as important what a company does after an allegation is made. The Guidance states, “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken.” The final message is what did you learn from the allegation and investigation and did you apply it in your company?
  9. Continuous Improvement: Periodic Testing and Review. As noted in the Guidance, “compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” The DOJ/SEC expects that a company will review and test its compliance controls and “think critically” about its own weaknesses and risk areas. Internal controls should also be periodically tested through targeted audits.
  10. Mergers and Acquisitions. Pre-Acquisition Due Diligence and Post-Acquisition Integration. Here the DOJ and SEC spell out their expectations in not only the post-acquisition integration phase but also in the pre-acquisition phase. This pre-acquisition information was not something on which most companies had previously focused. A company should attempt to perform as much substantive compliance due diligence as it can before it purchases a company. After the deal is closed, an acquiring entity needs to perform a FCPA audit, train all senior management and risk employees in the purchased company and integrate the acquired entity into its compliance regime.

What is the significance of these Ten Hallmarks today? Last week, Assistant Attorney General Leslie R. Caldwell laid out the metrics under which the DOJ’s new Compliance Counsel would evaluate a company’s compliance program. They are still working off these Ten Hallmarks. Then yesterday, Caldwell laid out the three key factors that a company must sustain to hope for a Declination. (I will explore all three points in full in a further blog post). Point three was the remediation steps that a company takes during the pendency of the investigation. Obviously, taking disciplinary action against the culpable individuals is a critical component but I also believe that upgrading the part of your compliance regime which may have caused, contributed to or allowed the compliance failure to occur, must be remediated. This is where the Ten Hallmarks can provide you solid advice on what you should do going forward.

While others have leveled a variety of criticism about the FCPA Guidance, I think they miss the essential point that for the compliance practitioner, it is an excellent resource about doing compliance. So here’s to the Guidance at the ripe age of 3. Thanks for coming into all of our (compliance) lives.


Today, I conclude my exploration of the new Department of Justice (DOJ) Compliance Counsel and the metrics laid out by Assistant Attorney General Leslie R. Caldwell who called for her review of compliance programs. The metrics for today’s consideration are around the source of the greatest risk under the Foreign Corrupt Practices Act (FCPA); that being third parties. The metrics laid out by Caldwell are as follows:

  • Does the institution sensitize third parties like vendors, agents or consultants to the company’s expectation that its partners are also serious about compliance?

Management of a Third Party Relationship

Recognizing that most Chief Compliance Officers (CCOs) and compliance practitioners understand the need for a business justification, questionnaire, due diligence and compliance terms and conditions in a contract, I was gratified to see the DOJ focusing on the final step in the lifecycle of a third party relationship as a key metric for its new Compliance Counsel to evaluate. This is because it is the management of third party relationships that continues to be a source of trouble and heartburn for many companies. As Caldwell noted in her remarks, the management of a third party relationship, “means more than including boilerplate language in a contract. It means taking action – including termination of a business relationship – if a partner demonstrates a lack of respect for laws and policies. And that attitude toward partner compliance must exist regardless of geographic location.”

While the FCPA Guidance itself only provides that “companies should undertake some form of ongoing monitoring of third-party relationships”, Diana Lutz, writing in the White Paper by The Steele Foundation entitled “Global anti-corruption and anti-bribery program best practices”, has noted, “As an additional means of prevention and detection of wrongdoing, an experienced compliance and audit team must be actively engaged in home office and field activities to ensure that financial controls and policy provisions are routinely complied with and that remedial measures for violations or gaps are tracked, implemented and rechecked.” But as Caldwell noted it is a more encompassing “sensitization” to anti-corruption compliance that is needed. There are several ways for you to do so.

Relationship Manager for Third Parties

I believe that as a starting point for the management of a third party, your company should have a Relationship Manager for every third party with which your company does business. The Relationship Manager should be a business unit employee who is responsible for monitoring, maintaining and continuously evaluating the relationship between your company and the third party. Some of the duties of the Relationship Manager may include:

  • Point of contact with the Third Party for all compliance issues;
  • Maintaining periodic contact with the Third Party;
  • Meeting annually with the Third Party to review its satisfaction of all company compliance obligations;
  • Submitting annual reports to the company’s Oversight Committee summarizing services provided by the Third Party;
  • Assisting the company’s Oversight Committee with any issues with respect to the Third Party.

Compliance Professional

Just as a company needs a subject matter expert (SME) in anti-bribery compliance to be able to work with the business folks and answer the usual questions that come up in the day-to-day routine of doing business internationally, third parties also need such access. A third party may not be large enough to have its own compliance staff so I advocate a company providing such a dedicated resource to third parties. I do not believe that this will create a conflict of interest or that there are other legal impediments to providing such services. They can also include anti-corruption training for the third party, either through onsite or remote mechanisms. The compliance practitioner should work closely with the Relationship Manager to provide advice, training and communications to the third party.

Oversight Committee

I advocate that a company should have an Oversight Committee review all documents relating to the full panoply of a third party’s relationship with the company. It can be a formal structure or some other type of group but the key is to have the senior management put a ‘second set of eyes’ on any third parties who might represent a company in the sales side. In addition to the basic concept of process validation of your management of third parties, as third parties are recognized as the highest risk in FCPA or Bribery Act compliance, this is a manner to deliver additional management of that risk.

After the commercial relationship has begun the Oversight Committee should monitor the third party relationship on no less than an annual basis. This annual audit should include a review of remedial due diligence investigations and evaluation of any new or supplemental risk associated with any negative information discovered from a review of financial audit reports on the third party. The Oversight Committee should review any reports of any material breach of contract including any breach of the requirements of the Company Code of Ethics and Compliance. In addition to the above remedial review, the Oversight Committee should review all payments requested by the third party to assure such payment is within the company guidelines and is warranted by the contractual relationship with the third party. Lastly, the Oversight Committee should review any request to provide the third party any type of non-monetary compensation and, as appropriate, approve such requests.


A key tool in managing the affiliation with a third party post-contract execution is auditing. Audit rights are a key clause in any compliance terms and conditions and must be secured. Your compliance audit should be a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which your compliance terms and conditions are followed. Noted fraud examiner expert Tracy Coenen described the process as (1) capture the data; (2) analyze the data; and (3) report on the data, which is also appropriate for a compliance audit. As a baseline I would suggest that any audit of a third party include, at a minimum, a review of the following:

  1. the effectiveness of existing compliance programs and codes of conduct;
  2. the origin and legitimacy of any funds paid to Company;
  3. books, records and accounts, or those of any of its subsidiaries, joint ventures or affiliates, related to work performed for, or services or equipment provided to, Company;
  4. all disbursements made for or on behalf of Company; and
  5. all funds received from Company in connection with work performed for, or services or equipment provided to, Company.

If you want to engage in a deeper dive you might consider evaluation of some of the following areas:

  • Review of contracts with third parties to confirm that the appropriate FCPA compliance terms and conditions are in place.
  • Determine that actual due diligence took place on the third party.
  • Review FCPA compliance training program; both the substance of the program and attendance records.
  • Does the third party have a hotline or any other reporting mechanism for allegations of compliance violations? If so how are such reports maintained? Review any reports of compliance violations or issues that arose through anonymous reporting, hotline or any other reporting mechanism.
  • Does the third party have written employee discipline procedures? If so have any employees been disciplined for any compliance violations? If yes review all relevant files relating to any such violations to determine the process used and the outcome reached.
  • Review employee expense reports for employees in high-risk positions or high-risk countries.
  • Testing for gifts, travel and entertainment that were provided to, or for, foreign governmental officials.
  • Review the overall structure of the third party’s compliance program. If the company has a designated compliance officer to whom, and how, does that compliance officer report?
  • How is the third party’s compliance program designed to identify risks and what has been the result of any so identified?
  • Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third party.
  • With regard to any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and apply analytical procedures and testing.

Tying it all Together

In addition to monitoring and oversight of your third parties, you should periodically review the health of your third party management program. Diana Lutz and her colleague Marjorie Doyle, in an article entitled “Third Party Essentials: A Reputation/Liability Checkup When Using Third Parties Globally”, gave a checklist to test companies on their relationships with their third parties, which is as follows:

  1. Do you have a list or database of all your third parties and their information?
  2. Have you done a risk assessment of your third parties and prioritized them by level of risk?
  3. Do you have a due diligence process for the selection of third parties, based on the risk assessment?
  4. Once the risk categories have been determined, create a written due diligence process.
  5. Once the third party has been selected based on the due diligence process, do you have a contract with the third party stating all the expectations?
  6. Is there someone in your organization who is responsible for the management of each of your third parties?
  7. What are “red flags” regarding a third party?

The robustness of your third party management program will go a long way towards preventing, detecting and remediating any compliance issue before it becomes a full-blown FCPA violation. As with all the steps laid out in this series, you need to fully document all steps you have taken so that any regulator, and specifically the DOJ Compliance Counsel, can test your metrics. Caldwell’s remarks around the metrics reviewed in this series may not have been anything new but she has laid out what the new Compliance Counsel will be reviewing and evaluating so you understand what will be expected from your company’s compliance program. You should also use these metrics to conduct a self-assessment on the state of your compliance program.

Caldwell’s short mention of managing third parties is one of the most important metrics of any best practices FCPA compliance program.


One of my favorite weekly reads is the Texas Lawyer Candid Mentor column by Michael P. Maslanka. He recently did an article, entitled “Applying Ancient Wisdom to Modern Problems”, where he channeled some very ancient wisdom for lawyers. I thought it provided some excellent guidance for any Chief philosopher (and adapted from Maslanka) to come up with an application of some ancient wisdom for the modern day Chief Compliance Officer (CCO), compliance practitioner and the greater compliance function.

Aristotle: Fake it until you make it

Many commentators exclaim compliance is too hard or they cannot understand the requirements of the Foreign Corrupt Practices Act (FCPA). While I believe it is quite easy to comply with the FCPA, i.e. you simply do not pay bribes; for those who think such a position is too hard, Aristotle has the answer for you when he said, “We are what we repeatedly do. Excellence, then, is not an act but a habit.” That bit of ancient wisdom translates into the modern day parlance that if you repeatedly do something, you can not only master it but it will become a habit. For athletes out there, or in my case former athletes, you need only consider why you practiced for so many long hours. It was not only to learn and then perfect your craft but it was also so that your actions would become habits and when the game was on the line, your habits would take over and you would not have to think to do the right thing.

For the compliance practitioner this means that if your company does business in compliance, while it may be different the first few times you go through a process, the more you do it, the more it becomes how you do business. It is through this doing of compliance that a company burns it into the very fabric of its organization. Put another way, if you do compliance every day in business, your company becomes an entity that does business in compliance. Finally, if any individual then goes outside the norm of doing business in compliance, it should be detected and prevented more quickly and efficiently.

Boethius: All fortune is good fortune

While in prison awaiting execution, Boethius has an imagined conversation that goes along the lines of the following, “All fortune is good fortune; for it either awards, disciplines, amends, punishes, and so is useful or just.” As Maslanka wrote, “In other words, for fortune’s purpose is either the reward of the good, or the correction or punishment of the bad.” News and information allow you to know where you stand and that helps you to know what you need to do.

In the FCPA world, what you do not know can hurt you as demonstrated by the criminal conviction of Frederic Bourke around the concept of conscious avoidance in not knowing that his business partners were bad actors and prone to engage in corruption, prior to the time they engaged in corruption. This means that putting your head in the sand is the worst thing you can do. All of the information inside your company is your data; there is no reason not to mine it to find out where you stand. If there is one thing I have learned in my own FCPA journey, it is that there will be violations of a company’s compliance program. This is largely because humans are involved, so you need to have a system in place that allows you to respond if something askance pops up. But you will not know about it if you bury your head in the sand.

Epictetus: It is not things which trouble us, but the judgments we bring to bear upon things

Here the message is “see reality in the moment, and not be held hostage to the done and gone past or evolving and ever shifting future.” The clear message is to see events for what they are; then take the lessons to be learned and move forward. You can whine and moan all you want about how unfair something may be but if you have to comply with it, you had better figure out a way to do so. For the CCO or compliance practitioner this reality is what drives the initial implementation of many corporate compliance programs. Yet as these compliance programs mature they become a part of how a company does business, largely through implementation of the internal controls requirements of the FCPA.

This step leads to a better-run company, which leads many organizations to be named by Ethisphere as a winner of the ‘World’s Most Ethical Company’ awards. As I have previously noted, companies that win this award tend to do better financially than the Standard & Poor’s average, and the reason they tend to do so is that they are better run through more robust internal controls. It is having robust internal controls that allows the prevention and detection of issues before they become full-blown FCPA violations or, as Maslanka quoted the Buddha, “Pain is inevitable; suffering is optional” and that suffering is your company’s suffering for not doing anything around compliance.

Ecclesiastes: A living dog is better than a dead lion

Since Maslanka is writing a column for lawyers and not compliance practitioners, he says that lawyers are warriors and a warrior’s true purpose is “To serve something greater than themselves”. A CCO, compliance practitioner and compliance function is there to help make sure a company does the right thing. The recent Volkswagen (VW) emissions-testing scandal continues to resonate across the globe, and the German national brand of quality and honesty continues to come under pressure. This is even true for some of VW’s competitors, who have all faced scrutiny or criticism going forward.

Yet it is compliance that is the key for the German national brand going forward. Ulrich Grillo, president of the BDI (the German global industry association), quoted in the Financial Times (FT), insisted that the German national brand would not be damaged by “the unacceptable behavior of one company.” Further, Grillo recognized that compliance is the answer. He urged companies to check their “management processes, including compliance and control systems.” He suggested the question to ask should be, “Are we doing everything right?”

Maslanka ended his piece with a quote from Ryan Holiday’s book The Obstacle is the Way: The Timeless Art of Turning Trials into Triumphs, which read, “Philosophy…(is) a set of lessons from the battlefield of life…Not something you read once and put on your shelf…you are a philosopher and a person of action…And that is not a contradiction.” This would seem to me to be a pretty good description of a compliance practitioner.

Compliance, like philosophy, is designed to be mined for the lessons you can use going forward.
