Yesterday the FCPA Professor reminded us that the joint Department of Justice (DOJ) and Securities and Exchange Commission (SEC) FCPA Guidance came out three years ago this month. As a commentator focusing on the doing of compliance, I think it should give us pause to once again thank the government regulators and prosecutors who had a part in drafting this most remarkable of documents. I submit it is the best government-generated source regarding what constituted at the time (and probably still does) a best practices compliance program. So for anyone interested in exploring the lessons learned about Foreign Corrupt Practices Act (FCPA) compliance programs and what the government expects to see, the FCPA Guidance is the best document you can review.

As a ‘Nuts and Bolts’ guy I found the DOJ/SEC formulation of their thoughts on what might constitute a best practices compliance program, denominated the “Ten Hallmarks of an Effective Compliance Program”, to be the most useful part of the FCPA Guidance. While the Guidance cautions that there is no “one-size-fits-all” compliance program, it recognizes that a company should determine its own needs for an FCPA compliance program based on a variety of factors such as size, type of business, industry and risk profile. But the Guidance made clear that these ten points are “meant to provide insight into the aspects of compliance programs that DOJ and SEC assess”. In other words, you should pay attention to these and use this information to assess your own compliance regime.

  1. Commitment from Senior Management and a Clearly Articulated Policy Against Corruption. It all starts with tone at the top. But more than simply ‘talk-the-talk’ company leadership must ‘walk-the-walk’ and lead by example. Both the DOJ and SEC look to see if a company has a “culture of compliance”. More than a paper program is required, it must have real teeth and it must be put into action, all of which is led by senior management. The Guidance states, “A strong ethical culture directly supports a strong compliance program. By adhering to ethical standards, senior managers will inspire middle managers to reinforce those standards.” This prong ends by stating that the DOJ and SEC will “evaluate whether senior management has clearly articulated company standards, communicated them in unambiguous terms, adhered to them scrupulously, and disseminated them throughout the organization.”
  2. Code of Conduct and Compliance Policies and Procedures. The Code of Conduct has long been seen as the foundation of a company’s overall compliance program and the Guidance acknowledges this fact. But a Code of Conduct and a company’s compliance policies need to be clear and concise. Importantly, the Guidance made clear that if a company has a large employee base that is not fluent in English such documents need to be translated into the native language of those employees. A company also needs to have appropriate internal controls based upon the risks that a company has assessed for its business model.
  3. Oversight, Autonomy, and Resources. This section begins with a discussion on the assignment of a senior level executive to oversee and implement a company’s compliance program. Equally importantly, the compliance function must have “sufficient resources to ensure that the company’s compliance program is implemented effectively.” Finally, the compliance function should report to the company’s Board of Directors or an appropriate committee of the Board such as the Audit Committee. Overall, the DOJ and SEC will “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”
  4. Risk Assessment. The Guidance states, “assessment of risk is fundamental to developing a strong compliance program”. Indeed, if there is one over-riding theme in the Guidance it is that a company should assess its risks in all areas of its business. The Guidance is also quite clear that when the DOJ and SEC look at a company’s overall compliance program, they “take into account whether and to what degree a company analyzes and addresses the particular risks it faces.” The Guidance lists factors that a company should consider in any risk assessment. They are “the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.”
  5. Training and Continuing Advice. Communication of a compliance program is a cornerstone of any anti-corruption compliance program. The Guidance specifies that both the “DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.” The training should be risk based so that those high-risk employees and third party business partners receive an appropriate level of training. A company should also devote appropriate resources to providing its employees with guidance and advice on how to comply with their own compliance program on an ongoing basis.
  6. Incentives and Disciplinary Measures. Initially the Guidance notes that a company’s compliance program should apply from “the board room to the supply room – no one should be beyond its reach.” There should be appropriate discipline in place and administered for any violation of the FCPA or a company’s compliance program. Additionally, the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership.”
  7. Third-Party Due Diligence and Payments. The Guidance says that companies must engage in risk based due diligence to understand the “qualifications and associations of its third-party partners, including its business reputation, and relationship, if any, with foreign officials.” Next a company should articulate a business rationale for the use of the third party. This would include an evaluation of the payment arrangement to ascertain that the compensation is reasonable and will not be used as a basis for corrupt payments. Lastly, there should be ongoing monitoring of third parties.
  8. Confidential Reporting and Internal Investigation. This means more than simply a hotline. The Guidance suggests that anonymous reporting, and perhaps even a company ombudsman, might be appropriate to have in place for employees to report allegations of corruption or violations of the FCPA. Furthermore, it is just as important what a company does after an allegation is made. The Guidance states, “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken.” The final message is what did you learn from the allegation and investigation and did you apply it in your company?
  9. Continuous Improvement: Periodic Testing and Review. As noted in the Guidance, “compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” The DOJ/SEC expects that a company will review and test its compliance controls and “think critically” about its own weaknesses and risk areas. Internal controls should also be periodically tested through targeted audits.
  10. Mergers and Acquisitions: Pre-Acquisition Due Diligence and Post-Acquisition Integration. Here the DOJ and SEC spell out their expectations not only in the post-acquisition integration phase but also in the pre-acquisition phase. This pre-acquisition information was not something on which most companies had previously focused. A company should attempt to perform as much substantive compliance due diligence as it can before it purchases a company. After the deal is closed, an acquiring entity needs to perform an FCPA audit, train all senior management and high-risk employees in the purchased company and integrate the acquired entity into its compliance regime.

What is the significance of these Ten Hallmarks today? Last week, Assistant Attorney General Leslie R. Caldwell laid out the metrics under which the DOJ’s new Compliance Counsel would evaluate a company’s compliance program. They are still working off these Ten Hallmarks. Then yesterday, Caldwell laid out the three key factors that a company must sustain to hope for a Declination. (I will explore all three points in full in a further blog post.) Point three was the remediation steps that a company takes during the pendency of the investigation. Obviously, taking disciplinary action against the culpable individuals is a critical component, but I also believe that the part of your compliance regime which may have caused, contributed to or allowed the compliance failure to occur must be upgraded and remediated. This is where the Ten Hallmarks can provide you solid advice on what you should do going forward.

While others have leveled a variety of criticisms at the FCPA Guidance, I think they miss the essential point that for the compliance practitioner, it is an excellent resource about doing compliance. So here’s to the Guidance at the ripe age of 3. Thanks for coming into all of our (compliance) lives.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2015

Today, we continue our exploration of the new Department of Justice (DOJ) Compliance Counsel and the metrics laid out by Assistant Attorney General Leslie R. Caldwell for the review of compliance programs. The metrics for today’s consideration are:

  • Does the institution review its policies and practices to keep them up to date with evolving risks and circumstances? This is especially important if a U.S.-based entity acquires or merges with another business, especially a foreign one.
  • Are there mechanisms to enforce compliance policies? Those include both incentivizing good compliance and disciplining violations.

I think most compliance practitioners understand how a risk assessment fits into the design and creation of a compliance program. Yet Caldwell’s remarks drive home that risk assessments are not a one-time exercise, and while she did not remark on how often they should be performed, I think the more often the better. However, as a Chief Compliance Officer (CCO) or compliance practitioner, you do not need to perform a full forensic risk assessment to meet the metrics Caldwell has articulated.

Nonetheless, if there is one thing that I learned as a lawyer, which also applies to the compliance field, it is that you are only limited by your imagination and the same is true for risk assessments. You might try assessing other areas annually, through a more limited focused risk assessment, literally while staying at your desk and not traveling away from your corporate headquarters.

Some of the areas that such a Desktop Risk Assessment could inquire into might be the following:

  • How are the risks in the C-Suite and the Boardroom being addressed?
  • What are the FCPA risks related to the supply chain?
  • How is risk being examined and due diligence performed at the vendor/agent level? How is such risk being managed?
  • Is the documentation adequate to support the program for regulatory purposes?
  • Is culture, attitude (tone from the top), and knowledge measured? If yes, can we use the information to enhance the program?
  • Disciplinary guidelines – Do they exist and has anyone been terminated or disciplined for violating a policy?
  • Communication of information and findings – Are escalation protocols appropriate?
  • What are the opportunities to improve compliance?

There are a variety of materials at a company that can facilitate such a Desktop Risk Assessment. You can review your company’s anti-corruption compliance policies, guidelines, and procedures to ensure that the compliance program is tailored to address specific risks such as gifts, hospitality and entertainment, travel, political and charitable donations, and promotional activities.

Caldwell’s second metric, that we are also exploring today, is around compliance discipline and incentives. In her remarks Caldwell further inquired, “Is discipline even handed?” and then went on to add, “The department does not look favorably on situations in which low-level employees who may have engaged in misconduct are terminated, but the more senior people who either directed or deliberately turned a blind eye to the conduct suffer no consequences. Such action sends the wrong message – to other employees, to the market and to the government – about the institution’s commitment to compliance.”

I think most folks understand the need to discipline employees who may have violated the Foreign Corrupt Practices Act (FCPA) or otherwise engaged in bribery and corruption. However, many CCOs and compliance practitioners do not focus as much attention on compliance incentives. I have developed six core principles for incentives, adapted from an article in the Spring 2014 issue of the MIT Sloan Management Review entitled “Combining Purpose with Profits”, and reformulated them for the compliance function in an anti-corruption compliance program.

  • Compliance incentives don’t have to be elaborate or novel. The first point is that there are only a limited number of compliance incentives that a company can meaningfully target. Evidence suggests the successful companies are the ones that were able to translate pedestrian-sounding compliance incentive goals into consistent and committed action.
  • Compliance incentives need supporting systems if they are to stick. People take cues from those around them, but people are fickle and easily confused, and gain and hedonic goals can quickly drive out compliance incentives. This means that you will need to construct a compliance function that provides a support system to help employees operationalize compliance incentives at different levels, and thereby make them stick. The specific systems which support incentives can be tailored to your company, but the key point is that they are delivered consistently, because that signals that management is sincere.
  • Support systems are needed to reinforce compliance incentives. One important form of a supporting system for compliance incentives is to make the incentives visible. As stated in the FCPA Guidance, “Beyond financial incentives, some companies have highlighted compliance within their organizations by recognizing compliance professionals and internal audit staff. Others have made working in the company’s compliance organization a way to advance an employee’s career.”
  • Compliance incentives need a “counterweight” to endure. Goal-framing theory shows how easy it is for compliance incentives to be driven out by gain or hedonic goals, so even with the types of supporting systems it is quite common to see executives bowing to short-term financial pressures. Thus, a key factor in creating enduring compliance incentives is a “counterweight”, that is any institutional mechanism that exists to enforce a continued focus on a nonfinancial goal. This means that in any financial downturn compliance incentives are not the first thing that gets thrown out the window and if my oft-cited hypothetical foreign Regional Manager misses his numbers for two quarters, he does not get fired. So the key is that the counterweight has real influence; it must hold the leader to account.
  • Compliance incentive alignment works in an oblique, not linear, way. If you want your employees to align around compliance incentives, your company will have to “eschew narrow, linear thinking, and instead provide more scope for them to choose their own oblique pathway.” This means emphasizing compliance as part of your company’s DNA on a consistent basis — “the intention being that by encouraging individuals to do “good,” their collective effort leads, seemingly as a side-effect, to better financial results. The logic of “[compliance first], profitability second” needs to find its way deeply into the collective psyche of the company.”
  • Compliance incentive initiatives can be implemented at all levels. Who at your company is responsible for pursuing compliance incentives? If you head up a division or business unit, it is clearly your job to define what your compliance incentive goals are and to put in place the supporting structures and systems described here. But what if you are lower in the corporate hierarchy? It is tempting to think this is “someone else’s problem,” but actually there is no reason why you cannot follow your own version of the same process.

Obviously this list is not exhaustive. Yet it is now more important than ever that you demonstrate tangible incentives for your employees to gain benefits, both financial and hierarchical, through doing business ethically, in compliance with your own Code of Conduct and most certainly in compliance with the FCPA. It is also a requirement that such actions be documented so they can be demonstrated to the DOJ Compliance Counsel if they come knocking and look to employ the metrics which Caldwell has laid out for us all.

Ongoing risk assessments and incentivizing your compliance program are two of the most under-used tools to move your compliance regime forward.


One of my favorite weekly reads is the Texas Lawyer Candid Mentor column by Michael P. Maslanka. He recently did an article, entitled “Applying Ancient Wisdom to Modern Problems”, where he channeled some very ancient wisdom for lawyers. I thought it provided some excellent guidance, so I have channeled my inner philosopher (adapting from Maslanka) to come up with an application of some ancient wisdom for the modern day Chief Compliance Officer (CCO), compliance practitioner and the greater compliance function.

Aristotle: Fake it until you make it

Many commentators exclaim that compliance is too hard or that they cannot understand the requirements of the Foreign Corrupt Practices Act (FCPA). While I believe it is quite easy to comply with the FCPA, i.e. you simply do not pay bribes, for those who think such a position is too hard Aristotle has the answer: “We are what we repeatedly do. Excellence, then, is not an act but a habit.” That bit of ancient wisdom translates into modern day parlance as: if you repeatedly do something, you will not only master it but it will become a habit. For the athletes out there, or in my case former athletes, you need only consider why you practiced for so many long hours. It was not only to learn and then perfect your craft but also so that your actions would become habits, and when the game was on the line your habits would take over and you would not have to think to do the right thing.

For the compliance practitioner this means that if your company does business in compliance, while it may be different the first few times you go through a process, the more you do it, the more it becomes how you do business. It is through this doing of compliance that a company burns it into the very fabric of its organization. Put another way, if you do compliance every day in business, your company becomes an entity that does business in compliance. Finally, if any individual then goes outside the norm of doing business in compliance, it should be detected and prevented more quickly and efficiently.

Boethius: All fortune is good fortune

While in prison awaiting execution, Boethius has an imagined conversation that goes along the lines of the following, “All fortune is good fortune; for it either awards, disciplines, amends, punishes, and so is useful or just.” As Maslanka wrote, “In other words, for fortune’s purpose is either the reward of the good, or the correction or punishment of the bad.” News and information allows you to know where you stand and that helps you to know what you need to do.

In the FCPA world, what you do not know can hurt you, as demonstrated by the criminal conviction of Frederic Bourke on the concept of conscious avoidance: he did not know that his business partners were bad actors prone to engage in corruption before the time they engaged in it. This means that putting your head in the sand is the worst thing you can do. All of the information inside your company is your data; there is no reason not to mine it to find out where you stand. If there is one thing I have learned in my own FCPA journey, it is that there will be violations of a company’s compliance program. This is largely because humans are involved, so you need to have a system in place that allows you to respond if something amiss pops up. But you will not know about it if you bury your head in the sand.

Epictetus: It is not things which trouble us, but the judgments we bring to bear upon things

Here the message is “see reality in the moment, and not be held hostage to the done and gone past or evolving and ever shifting future.” The clear message is to see events for what they are; then take the lessons to be learned and move forward. You can whine and moan all you want about how unfair something may be but if you have to comply with it, you had better figure out a way to do so. For the CCO or compliance practitioner this reality is what drives the initial implementation of many corporate compliance programs. Yet as these compliance programs mature they become a part of how a company does business, largely through implementation of the internal controls requirements of the FCPA.

This step leads to a better-run company, which leads many organizations to be named by Ethisphere as a winner of the ‘World’s Most Ethical Company’ awards. As I have previously noted, companies that win this award tend to do better financially than the Standard & Poor’s average, and the reason they tend to do so is that they are better run through more robust internal controls. It is robust internal controls that allow the prevention and detection of issues before they become full-blown FCPA violations, or, as Maslanka quoted the Buddha, “Pain is inevitable; suffering is optional”, and that suffering is your company’s suffering for not doing anything around compliance.

Ecclesiastes: A living dog is better than a dead lion

Since Maslanka is writing a column for lawyers and not compliance practitioners, he says that lawyers are warriors and that a warrior’s true purpose is “to serve something greater than themselves”. A CCO, compliance practitioner and compliance function is there to help make sure a company does the right thing. The recent Volkswagen (VW) emissions-testing scandal continues to resonate across the globe, and the German national brand of quality and honesty continues to come under pressure. This is even true for some of VW’s competitors, who have all faced scrutiny or criticism going forward.

Yet it is compliance that is the key for the German national brand going forward. Ulrich Grillo, president of the BDI (the German global industry association), quoted in the Financial Times (FT), insisted that the German national brand would not be damaged by “the unacceptable behavior of one company.” Further, Grillo recognized that compliance is the answer. He urged companies to check their “management processes, including compliance and control systems.” He suggested the question to ask should be, “Are we doing everything right?”

Maslanka ended his piece with a quote from Ryan Holiday’s book The Obstacle is the Way: The Timeless Art of Turning Trials into Triumphs, which read, “Philosophy…(is) a set of lessons from the battlefield of life…Not something you read once and put on your shelf…you are a philosopher and a person of action…And that is not a contradiction.” This seems to me to be a pretty good description of a compliance practitioner.

Compliance, like philosophy, is designed to be mined for the lessons you can use going forward.


Congratulations to the Kansas City Royals for winning the World Series on Sunday night. Watching a franchise that had not won such a championship in 30 years, I can certainly understand the team’s elation. There were a couple of things in the 9th inning that I found interesting. The first was Mets Manager Terry Collins’ decision to keep starting pitcher Matt Harvey in the game. Actually, what I found interesting was that anyone would think Collins would take Harvey out of the game. Any starting pitcher who had gone 8 innings and was winning the game would not only want to stay in the game but has earned that right in my book. However, after a leadoff walk, Collins should have done his best Captain Hook imitation and pulled Harvey immediately.