Key highlights:

• Integrating Root Cause Analysis into Solutions
• Regulatory Expectations and Internal Controls
• Performing Effective Root Cause Analysis
• Developing and Implementing Solutions

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Key highlights:

• Filling the Gap in Anti-Corruption Laws
• Key Features and Implications of FEPA
• Challenges in Implementing FEPA
• The Name and Shame List

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Key highlights:

• Challenges in Traditional Compliance Reporting
• The Role of Reg Ops in Compliance
• Integrating Tools for Real-Time Compliance

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Key highlights:

• The Role of Data Governance in Compliance and Cybersecurity
• Data Governance and ESG
• Understanding Data Privacy Laws

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Key highlights:

• DOJ’s Expectations for Compliance Programs
• Funding and Resources for Compliance
• Compliance Program Structure and Authority

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Key highlights:

• Key Inquiries Around the CCO and Compliance Function
• Importance of CCO Certification and Court Decisions
• Critical Takeaways for Compliance Professionals

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Key highlights:

• The Impact of Investigations on Compliance
• Communicating Costs and Risks
• Ensuring Effective Communication

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Key highlights:

• Guidelines for Effective Compliance Programs
• Jonathan Marks’ Five-Step Process for Early Assessment
• Key Takeaways

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Key highlights:

• Key Questions for Internal Investigations
• Detailed Procedures for Handling Complaints
• Steps in the Investigative Process
• Importance of Consistency in Investigations

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Key highlights:

• What are the levels of Due Diligence?
• When is each level appropriate?
• Key Takeaways

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Key highlights:

• Strategic Approach to Third-Party Relationships
• Auditing and Ongoing Management
• Key Takeaways

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Key highlights:

• Introduction to Third-Party Risk Management
• The Five Steps of Third-Party Risk Management
• Key Takeaways

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Key highlights:

• Understanding Risk Profiles
• Evaluating Risk Management Processes
• Risk Matrix and Heat Maps

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Key highlights:

• The Importance of Regular Risk Assessments
• Methodologies for Risk Assessment
• Steps in Conducting a Risk Assessment

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Key highlights:

• Podcast Storytelling: A New Approach
• Branded Podcast Series for Compliance
• The Benefits of Podcasting for Compliance

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Key highlights:

• Evolution of Compliance Training Standards
• Measuring Training Effectiveness
• Tailoring Training to Audience Needs

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Key highlights:

• Understanding Control Overrides
• Continuous Monitoring and Improvement
• Assessing and Updating Controls

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Key highlights:

• Defining Internal Controls
• Key Components of Internal Controls
• Internal Controls in Compliance Programs

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Key highlights:

• Importance of Compliance Policies
• Key Elements of Compliance Policies
• Assessment and Evolution of Policies

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Key Highlights

·      Introduction to Code of Conduct

·      Regulatory Expectations and Guidelines

·      Crafting an Effective Code of Conduct

Resources

Listeners to this podcast can receive a 20% discount to The Compliance Handbook, 6th edition by clicking here. 

Learn more about your ad choices. Visit megaphone.fm/adchoices

Key highlights:

• Embedding Compliance Culture
• Role of Middle Management
• Tone at the Bottom

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Key highlights:

• The Importance of Corporate Culture
• DOJ’s Expectations for Senior Management
• Five Factors for Effective Leadership

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Key highlights:

• Understanding Changes in Company Risks
• Continuous Monitoring and Improvement
• External Information Sources for Compliance

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Key highlights:

• Payroll should be at the forefront of any effort to prevent, detect, and remediate anti-corruption compliance issues.
• Key compliance program components for payroll.
• Watch for Offshore payments.

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Key highlights:

• Integrating Compliance into Compensation
• Financial Accountability Emphasis
• DOJ’s Commitment to Individual Accountability
• Continuous Evaluation and Improvement

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Key highlights:

• DOJ Mergers and Acquisitions Safe Harbor Policy
• Key Requirements and Deadlines
• Historical Context and Clarifications

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Key highlights:

• Challenges in Traditional Compliance Reporting
• Integrating Tools for Real-Time Compliance
• Balancing Real-Time Reporting with Data Security

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Key highlights:

• Defining and Identifying Risks
• Innovative Data Capture and Internal Collaboration
• Demonstrating Value to Senior Management

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Key highlights:

• Messaging Apps and Compliance
• Internal Controls and Risk Management
• Adequate Compensation for Compliance Teams

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Key highlights:

• Starting with Incentives and Consequences
• Incentive Program Breakdown
• Consequence Management Deep Dive

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Key highlights:

• Importance of Data Analytics in Compliance
• Implementing Data-Driven Compliance
• Challenges and Solutions in Data-Driven Compliance

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

In this final episode of our 31-day series, we dive into the importance of using root cause analysis for remediation in compliance programs. Emphasized by the ECCP and DOJ, an effective compliance program includes thorough root cause analysis to address misconduct and implement corrective actions. The process involves understanding who should perform the remediation, emphasizing independence and objectivity, integrating the information into solutions, and addressing deficiencies in internal controls. Key takeaways include using objective root cause analysis, effectively utilizing the information gathered, and implementing data-driven, repeatable solutions to prevent future issues. This episode provides valuable insights for compliance officers aiming to enhance their programs by focusing on root causes rather than just symptoms.

Key highlights:

• Integrating Root Cause Analysis into Solutions
• Regulatory Expectations and Internal Controls
• Performing Effective Root Cause Analysis
• Developing and Implementing Solutions

Resources:

Click here to receive a 20% discount on The Compliance Handbook, 5th edition, for listeners to this podcast.

Learn more about your ad choices. Visit megaphone.fm/adchoices

On Day 30, we discuss the Foreign Extortion Prevention Act (FEPA), a significant piece of legislation that fills a critical gap in the FCPA. FEPA criminalizes not only the payment of bribes but also the solicitation and acceptance of bribes by foreign officials, thereby providing a more comprehensive framework for combating global corruption. This law protects American workers abroad, promotes fair business competition, and upholds ethical practices internationally. However, it also introduces challenges, such as the complexity of extraditing foreign officials and potential impacts on international relations and companies operating overseas. Compliance officers must reassess internal controls and develop response plans to navigate the implications of FEPA effectively.

Key highlights:

• Filling the Gap in Anti-Corruption Laws
• Key Features and Implications of FEPA
• Challenges in Implementing FEPA
• The Name and Shame List

Resources:

Click here to receive a 20% discount on The Compliance Handbook, 5th edition, for listeners to this podcast.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Traditional compliance reporting methods, often reliant on manual processes like Excel spreadsheets, are time-consuming and prone to errors. This episode explores how Chief Compliance Officers and compliance professionals can enhance their programs through automation. By adopting data-driven solutions and leveraging regulatory operations (Reg Ops), it’s possible to provide near real-time reporting and improve decision-making efficiency. The focus is on integrating existing security and compliance tools, gathering real-time evidence, automating compliance gap tickets, and generating comprehensive reports for stakeholders. However, challenges like balancing data accuracy and security and the cultural transformation required for adopting these new practices are critical considerations. Embracing data-driven compliance can help organizations modernize and keep pace with the evolving regulatory landscape.

Key highlights:

• Challenges in Traditional Compliance Reporting
• The Role of Reg Ops in Compliance
• Integrating Tools for Real-Time Compliance

Resources:

Click here to receive a 20% discount on The Compliance Handbook, 5th edition, for listeners to this podcast.

Learn more about your ad choices. Visit megaphone.fm/adchoices

On Day 28, we look into the crucial importance of data governance in compliance and cybersecurity. As data generation increases, businesses must enhance their efforts in managing, organizing, and preserving data to meet regulatory obligations and ensure accuracy, accessibility, and adherence to legal standards. We discuss the growing trend of converging compliance, data governance, and cyber security and the necessity of breaking down organizational silos for effective collaboration. Business and legal teams rely on well-managed data to make informed decisions, analyze trends, and measure key performance indicators.

The episode also covers the challenges in gaining buy-in from the ELT and the vital process of transforming corporate culture to prioritize data governance and cybersecurity. We touch on the complexities of regional data privacy laws inspired by GDPR and emphasize the importance of understanding specific regulations for compliance. With key takeaways, including the significance of data preservation, the intertwined nature of compliance, data governance, and cybersecurity, and the urgency for organizations to prioritize data governance, this episode is packed with essential insights for compliance professionals.

Key highlights:

• The Role of Data Governance in Compliance and Cybersecurity
• Data Governance and ESG
• Understanding Data Privacy Laws

Resources:

Click here to receive a 20% discount on The Compliance Handbook, 5th edition, for listeners to this podcast.

Learn more about your ad choices. Visit megaphone.fm/adchoices

On Day 27, we explore the growing importance and responsibilities of the compliance function within corporations, emphasizing the need for adequate staffing, resources, and independence. The 2020 FCPA Resource Guide outlines key factors that the DOJ considers indicative of an effective compliance program, including the quality of personnel, authority, compensation, and reporting structure. We delve into the necessity of properly funding compliance initiatives and ensuring the organization empowers and sufficiently supports compliance professionals. The updated Corporate Enforcement Policy emphasizes the prevention of retaliation against compliance investigators and the need for a robust structure supporting the compliance program. We conclude with three key takeaways for enhancing compliance functions: evaluating their treatment in the budget process, ensuring management respects compliance decisions, and considering the implications of outsourced compliance services.

Key highlights:

• DOJ’s Expectations for Compliance Programs
• Funding and Resources for Compliance
• Compliance Program Structure and Authority

Resources:

Click here to receive a 20% discount on The Compliance Handbook, 5th edition, for listeners to this podcast.

Learn more about your ad choices. Visit megaphone.fm/adchoices

On Day 26, we ponder the evolving stature and authority of the CCO within organizations, as highlighted by recent guidelines and regulations. The 2020 FCPA Resource Guide emphasizes the importance of the CCO’s direct reporting line to the board and senior management status. The DOJ’s updated Corporate Enforcement Policy has further enhanced the prestige and role of the CCO, introducing key factors like the quality, experience, authority, independence, compensation, and reporting structure of the CCO. The episode also touches on the significance of the Delaware Court of Chancery’s decision in the McDonald’s case, which formalized the oversight duties of corporate officers, positioning the CCO as the second-most important role in an organization. Key takeaways include demonstrating real authority for the CCO, evaluating their professional qualifications, and assessing their actual status within your company.

Key highlights:

• Key Inquiries Around the CCO and Compliance Function
• Importance of CCO Certification and Court Decisions
• Critical Takeaways for Compliance Professionals

Resources:

Click here to receive a 20% discount on The Compliance Handbook, 5th edition, for listeners to this podcast.

Learn more about your ad choices. Visit megaphone.fm/adchoices

On Day 25, we consider the critical importance of addressing investigative findings within a corporate compliance framework. When a whistleblower report, DOJ subpoena, or SEC notice brings compliance violations to light, it commands the board’s and senior management’s attention. The initial outrage and ethical proclamations that follow are often a prelude to the need for a serious reality check regarding costs and time outlays for remediation. The key is maintaining transparency and solid communication between those investigating and those responsible for remediation, ensuring compliance gaps are effectively identified and addressed. Today’s takeaways emphasize using the heightened attention for compliance improvement, recognizing the interplay between investigation and remediation, and being ready to answer the ‘where else’ question effectively. Join us tomorrow as we explore the authority and independence of Chief Compliance Officers.

Key highlights:

• The Impact of Investigations on Compliance
• Communicating Costs and Risks
• Ensuring Effective Communication

Resources:

Click here to receive a 20% discount on The Compliance Handbook, 5th edition, for listeners to this podcast.

Learn more about your ad choices. Visit megaphone.fm/adchoices

On Day 24, we look into the critical internal reporting process and triaging of FCPA claims. As the CCO, you will oversee the initial steps when suspicious activities are reported. Jonathan Marks’ five-step process on early assessment of incoming information is explored, providing a structured approach for evaluating the severity of allegations from low-threat level to crisis management mode. Moreover, this episode emphasizes the necessity of effective hotlines, trained managers, and a culture of listening to employees to foster a safe reporting environment. Key takeaways include the DOJ and SEC’s emphasis on internal reporting lines, regularly testing hotlines, and the triage of claims to ensure appropriate investigation levels.

Key highlights:

• Guidelines for Effective Compliance Programs
• Jonathan Marks' Five-Step Process for Early Assessment
• Key Takeaways

Resources:

Click here to receive a 20% discount on The Compliance Handbook, 5th edition, for listeners to this podcast.

Learn more about your ad choices. Visit megaphone.fm/adchoices

On Day 23, we delve into the essential steps for conducting a thorough and effective internal investigation following an internal report. The discussion is grounded in the ECCP’s guidelines, emphasizing the necessity of properly scoping investigations with competent personnel and adequate resources. A detailed written procedure is crucial for handling complaints or allegations of bribery and corruption, regardless of their origins. The episode outlines a five-component investigative protocol: opening and categorizing the case, planning the investigation, executing the investigative plan, determining appropriate follow-up, and closing the case. Emphasis is placed on maintaining transparency, consistency, and thorough documentation throughout the process. Three key takeaways are highlighted: the importance of a written protocol, the need for transparency and documentation, and the critical role of consistency across the organization.

Key highlights:

• Key Questions for Internal Investigations
• Detailed Procedures for Handling Complaints
• Steps in the Investigative Process
• Importance of Consistency in Investigations

Resources:

Click here to receive a 20% discount on The Compliance Handbook, 5th edition, for listeners to this podcast.

Learn more about your ad choices. Visit megaphone.fm/adchoices

On Day 22, we consider the levels of due diligence you should use when investigating third parties. Tom outlines the three due diligence levels necessary to manage corruption risk effectively. With insights from Candice Tal, founder and CEO of Infortal, Tom breaks down each level in detail, from initial screenings in level one to comprehensive, on-the-ground investigations in level three. He emphasizes the need for tailored approaches based on the risks associated with different business transactions and the importance of thorough documentation throughout the process.

Key highlights:

• What are the levels of Due Diligence?
• When is each level appropriate?
• Key Takeaways

Resources:

Click here to receive a 20% discount on The Compliance Handbook, 5th edition, for listeners to this podcast.

Learn more about your ad choices. Visit megaphone.fm/adchoices

On Day 21 of our series, we dive into the essential strategies for managing third-party relationships in a compliance program. We consider the significance of a structured and strategic approach in handling third parties to mitigate anti-corruption risks. As companies mature, the operationalization of compliance through third-party management becomes crucial. Key areas explored include the importance of dual and diversified sourcing, monitoring subcontractors, legal protections, and financial stability checks. Additionally, we cover the necessity of integrating performance-based compensation and regular auditing to uphold compliance standards. Join us tomorrow as we explore levels of due diligence on Day 22.

Key highlights:

• Strategic Approach to Third-Party Relationships
• Auditing and Ongoing Management
• Key Takeaways

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 5th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

On Day 20, we delve into the third-party risk management process, a crucial aspect of corporate compliance under the FCPA. Third parties continue to pose the highest risk, necessitating an integrated and operational approach throughout the company. The episode outlines the five essential steps in the third-party risk management life cycle, as mandated by the DOJ in the 2020 FCPA Resource Guide. These steps include business justification, third-party questionnaires, due diligence, compliance terms and conditions, and post-contract management and oversight. Each step is explored in detail, emphasizing the importance of documenting business cases, performing thorough due diligence, and maintaining diligent oversight to mitigate potential FCPA violations. Key takeaways include the necessity of using the full five-step process, involving business development and ensuring all steps are operationalized with business unit representatives. Join us tomorrow for Day 21 to discuss managing your third parties.

Key highlights:

• Introduction to Third Party Risk Management
• The Five Steps of Third-Party Risk Management
• Key Takeaways 

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 5th edition, by clicking here. 

Learn more about your ad choices. Visit megaphone.fm/adchoices

In today's episode, we review the critical process of evaluating and translating risk assessments into actionable risk profiles. The discussion highlights the importance of prioritizing risks based on their significance and likelihood using risk matrices and heat maps. Expert insights from Ben Locwin and Bill Anathas emphasize focusing resources on high-risk employees and maintaining a robust compliance program aligned with FCPA guidelines. The episode also covers the Treasury Department's OFAC compliance framework and offers concrete steps for continuous risk monitoring and remediation. Key takeaways include the necessity of a well-reasoned approach to risk evaluation, thorough documentation, and the implementation of a dynamic risk matrix to guide compliance efforts.

Key highlights:

·      Understanding Risk Profiles

·      Evaluating Risk Management Processes

·      Risk Matrix and Heat Maps

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 5th edition, by clicking here. 

Learn more about your ad choices. Visit megaphone.fm/adchoices

In this episode, we discuss the essential role of risk assessments in anti-corruption compliance programs. A well-structured risk assessment forms the foundation of every corporate compliance program. We explore how organizations should identify, assess, and define their risk profiles, emphasizing the need for annual risk assessments whenever business risks change. The focus then shifts to geopolitical issues, supply chain dynamics, and evolving work environments and how these should be factored into compliance risk assessments. Historical perspectives from DOJ guidelines and the importance of a robust risk identification, analysis, and management methodology are also discussed. As highlighted, documenting these processes is crucial for developing an effective compliance strategy that evolves with the company’s risk landscape. Finally, the episode outlines the steps to create a comprehensive risk management strategy post-assessment, including policy development, training, monitoring, and updating protocols.

Key highlights:

• The Importance of Regular Risk Assessments
• Methodologies for Risk Assessment
• Steps in Conducting a Risk Assessment

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 5th edition, by clicking here. 

Learn more about your ad choices. Visit megaphone.fm/adchoices

In this episode, we explore the transformative potential of podcasting in compliance training and fostering corporate culture. Harnessing the power of imaginative communication methods, we discuss the effectiveness of delivering compliance messages and training through various podcast formats. We revisit the 2012 Morgan Stanley declination to underscore the impact of consistent compliance reminders and venture into how short ethics and compliance video clips and storytelling podcasts can enhance employee engagement and regulatory satisfaction. 

These podcasts are standalone training tools and can be broadcast through social media, creating a larger reach and providing valuable feedback through listener engagement metrics. Additional formats discussed include a branded podcast series featuring longer episodes that humanize compliance topics through interviews and a daily compliance news show to keep employees informed and engaged. This episode emphasizes the importance of innovative storytelling in making compliance communications memorable and effective.

Key highlights:

·      Podcast Storytelling: A New Approach

·      Branded Podcast Series for Compliance

·      The Benefits of Podcasting for Compliance

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 5th edition, by clicking here. 

Learn more about your ad choices. Visit megaphone.fm/adchoices

In today’s episode, we delve into the evolution and importance of employee compliance training, focusing on fostering a culture of compliance within organizations. We discuss key guidelines from the FCPA Resource Guide 2nd Edition and subsequent updates from the DOJ and SEC, emphasizing the necessity of effectively communicating and tailoring training programs to an organization’s specific audience. Critical aspects include the importance of training in local languages, assessing the risk profile of employees, and ensuring senior management’s participation. Furthermore, we explore the concept of ‘espresso shots’ or concise training segments to enhance learning and retention. Metrics such as increased hotline use and survey feedback are essential for evaluating the effectiveness of compliance programs.

Key highlights:

• Evolution of Compliance Training Standards
• Measuring Training Effectiveness
• Tailoring Training to Audience Needs

Resources:

Click here to receive a 20% discount on The Compliance Handbook, 5th edition, for listeners to this podcast.

Learn more about your ad choices. Visit megaphone.fm/adchoices

In this episode, we look at the ongoing process of monitoring and improving company internal controls. Christina Ravelo starts by posing fundamental questions about the frequency of manual approvals and control overrides, emphasizing the importance of continuous evaluation and recalibration. This episode highlights the misperception among many compliance professionals and lawyers that controls are static and unchanging once implemented. Instead, internal controls should be dynamic, requiring regular reviews and updates based on collected data, such as the frequency of overrides. Proper documentation is crucial, and companies should engage in periodic self-reviews as part of their continuous monitoring efforts. Ravello also stresses the necessity of identifying issues and remedying them to prevent further complications. Today’s key takeaways include the idea that control overrides are not inherently problematic if appropriately managed, the dynamic nature of internal controls, and the importance of a comprehensive monitoring process incorporating feedback from every line of defense.

Key highlights:

• Understanding Control Overrides
• Continuous Monitoring and Improvement
• Assessing and Updating Controls

Resources:

Click here to receive a 20% discount on The Compliance Handbook, 5th edition, for listeners to this podcast.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Today, the focus is on internal controls and their critical role in compliance frameworks. The episode provides a comprehensive definition of internal controls, emphasizing their importance for achieving operational efficiency, reliable financial reporting, compliance with laws and policies, and the reduction of risks such as fraud and waste. The discussion highlights the requirements outlined in the FCPA for internal controls, including the authorization and documentation of transactions and the protection and accountability of assets. Moreover, four significant internal controls for compliance practitioners are identified: delegation of authority, maintenance of the vendor master file, contracts with third parties, and management of cash and currency transfers. The episode underscores that effective internal controls are essential and mandated by the FCPA, forming a cornerstone of any robust compliance program.

Key highlights:

• Defining Internal Controls
• Key Components of Internal Controls
• Internal Controls in Compliance Programs

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 5th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

In this episode, we review the importance of having well-crafted compliance policies and procedures as the foundation of a robust compliance program. As highlighted by the 2024 ECCP and 2020 FCPA Resource Guide, such policies and procedures are crucial for addressing and mitigating risks identified during a company’s risk assessment. Regulators emphasize having articulated anti-bribery and anti-corruption policies regularly reviewed and updated to reflect evolving risks. We discuss the five general elements of a compliance policy and underscore the need for consistent implementation to maintain the credibility and effectiveness of the compliance program. Key takeaways include the necessity of written policies, expectations from the DOJ and SEC, and the critical role of institutional fairness.

Key highlights:

• Importance of Compliance Policies
• Key Elements of Compliance Policies
• Assessment and Evolution of Policies

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 5th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

This episode explores the critical value and construction of a corporate Code of Conduct, explaining its evolution from a legalistic document to a cornerstone of compliance programs. The discussion includes an analysis of the 2016 SEC Enforcement Action against United Airlines, highlighting how violations of the Code of Conduct can lead to severe consequences, including substantial penalties and executive resignations. Key takeaways emphasize that a Code of Conduct should be tailored to a company’s specific culture and industry, must be accessible to all employees, and needs to be regularly updated and documented to ensure its effectiveness. Tune in to learn why a robust Code of Conduct is foundational for any compliance program.

Key highlights:

• Introduction to Code of Conduct
• Regulatory Expectations and Guidelines
• Crafting an Effective Code of Conduct

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 5th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

In this episode, Tom Fox discusses the importance of embedding a culture of compliance throughout all levels of an organization. Mike Volkov emphasizes that having senior management committed to compliance is not enough; the culture must permeate middle and lower management for a program to be effective. The 2024 ECCP underscores the necessity for ethical values to be embedded throughout the company’s hierarchy. This involves senior and middle management actively demonstrating their commitment to compliance, even in the face of competing business interests. Middle management plays a critical role, as they are the primary interface between most employees and upper management. The script highlights practical steps such as assembling compliance focus groups, training managers in effective listening, and ensuring organizational justice to operationalize a compliance program effectively. We also consider how to assess the real-world application of compliance measures within the company and the need for consistent and fair disciplinary actions across different regions and business units to reinforce a culture of compliance.

Key highlights:

• Embedding Compliance Culture
• Role of Middle Management
• Tone at the Bottom

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 5th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

In today’s episode, we dive into the critical role of senior management in fostering a strong corporate culture of compliance, as highlighted by the 2022 Monaco Memo and the 2020 FCPA Resource Guide, 2nd edition. Emphasizing that corporate culture is vital to a company’s success, we discuss how the DOJ assesses ethical cultures and the importance of senior management’s active participation in compliance efforts. The episode outlines five key factors to guide senior leadership in setting, modeling, and monitoring the right tone at the top. These include clear communication of values, personal commitment to those values, supportive systems, integration into decision-making, and empowering managers to make ethically sound decisions. We conclude with three takeaways: senior management must engage in compliance, the DOJ evaluates corporate culture during investigations, and CEOs should be seen as chief compliance ambassadors.

Key highlights:

• The Importance of Corporate Culture
• DOJ’s Expectations for Senior Management
• Five Factors for Effective Leadership

Resources

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 5th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Continuous monitoring and improvement are essential in developing effective compliance programs, serving as a dynamic approach to addressing and adapting to evolving risks. This underscores the critical nature of these concepts, particularly highlighted in the 2023 update to evaluating corporate compliance programs, and emphasizes the necessity for organizations to integrate real-time data and maintain comprehensive documentation in their decision-making processes. This approach ensures compliance and fosters agility and resilience in navigating the complexities of modern business landscapes.

Key highlights:

• Understanding Changes in Company Risks
• Continuous Monitoring and Improvement
• External Information Sources for Compliance

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 5th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Operationalizing a compliance program through payroll is a vital component of a company’s risk management strategy, serving as both a control mechanism and a crucial link to the broader compliance function. Payroll is instrumental in identifying potential red flags, such as offshore payments, which require meticulous documentation and enhanced internal controls to prevent compliance violations. Tom Fox, a noted expert in compliance, underscores the significant role payroll plays in fortifying compliance programs by aligning with FCPA requirements and preventing fraudulent activities. He advocates for implementing demonstrable controls like Approval Certification processes, segregation of duties, and regular review procedures to mitigate compliance risks effectively. According to Tom, by embedding robust controls within payroll operations, companies deter potential violations and ensure compliance is woven into the organizational fabric, thus operationalizing their compliance programs seamlessly.

Key highlights:

• Payroll should be on the front lines of any attempt to prevent, detect, and remediate anti-corruption compliance.
• Key compliance program components for payroll.
• Watch for offshore payments.

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 5th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

In this episode, we explore the critical insights from the DOJ Clawback Program for compliance professionals. It emphasizes integrating compliance into the compensation structure as an effective strategy to promote ethical behavior and prevent misconduct. We also delve into the significance of financial accountability, noting the DOJ’s practice of reducing fines for firms that reclaim compensation from responsible employees. Finally, the episode highlights the necessity of continuously evaluating and enhancing compliance-linked compensation systems, urging companies to regularly assess their effectiveness, gather feedback, and make necessary adjustments. This iterative process reinforces the idea that compliance programs must be dynamic and proactive rather than static operational checklists.

Key highlights:

• Integrating Compliance into Compensation
• Financial Accountability Emphasis
• DOJ’s Commitment to Individual Accountability
• Continuous Evaluation and Improvement

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 5th edition, by clicking here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

This episode delves into the Department of Justice’s mergers and acquisitions (M&A) Safe Harbor Policy, as Deputy Attorney General Lisa Monaco explained. This policy encourages companies to voluntarily self-disclose criminal conduct discovered during acquisition. If a company promptly discloses such misconduct, cooperates with the ensuing investigation, and engages in appropriate remediation, restitution, and disgorgement, it can receive a presumption of a criminal declination. Key deadlines include disclosing misconduct within six months of the closing date and fully remediating within one year. The DOJ aims to incentivize acquiring companies to perform robust pre- and post-acquisition due diligence and self-disclosure to mitigate risks and de-risk transactions effectively.

Key highlights:

• New DOJ Mergers and Acquisitions Safe Harbor Policy
• Key Requirements and Deadlines
• Historical Context and Clarifications

Resources:

Click here to receive a 20% discount on The Compliance Handbook, 5th edition, for listeners to this podcast.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Learn more about your ad choices. Visit megaphone.fm/adchoices

In today's business environment, compliance professionals leverage data analytics to adhere to regulatory requirements and ethical standards. This episode focuses on the importance of defining specific risks an organization wants to monitor, capturing relevant data creatively, and utilizing internal expertise to build effective data analytics programs. By starting small and focusing on one risk at a time, compliance officers can demonstrate their dedication to improving compliance despite limited resources. Additionally, a data-driven approach helps shift focus from individual policy violations to identifying systemic issues, enhancing overall organizational compliance. Key takeaways include understanding multiple factors in creating data-driven compliance programs, recognizing the value of shifting focus to systemic issues, and gradually building analytics capabilities.

Key Highlights

·       Defining and Identifying Risks

·       Innovative Data Capture and Internal Collaboration

·       Demonstrating Value to Senior Management

Resources

Listeners to this podcast can receive a 20% discount to The Compliance Handbook, 5th edition by clicking here. 

Learn more about your ad choices. Visit megaphone.fm/adchoices

In today's episode, we delve into the significant updates in the evaluation of corporate compliance programs, focusing on messaging apps, internal controls, and adequate compensation. The revised language in the ECCP highlights the DOJ's increased scrutiny on the use of messaging apps, emphasizing the need for tailored policies that align with a company's specific risks and business needs. We also discuss the critical importance of internal controls as minimum expectations set by the DOJ, and the necessity of continuous monitoring to manage these risks effectively. Lastly, we examine the newly added provisions related to adequate compensation, ensuring that compliance teams are empowered and protected against retaliation. The episode concludes by summarizing three key takeaways for compliance professionals: the growing importance of communications compliance, the need for robust and functional internal controls, and the imperative of adequately compensating compliance personnel. 

Key Highlights

·       Messaging Apps and Compliance

·       Internal Controls and Risk Management

·       Adequate Compensation for Compliance Teams

Resources

Listeners to this podcast can receive a 20% discount to The Compliance Handbook, 5th edition by clicking here. 

Learn more about your ad choices. Visit megaphone.fm/adchoices

In this episode, we discuss how the Department of Justice (DOJ) has emphasized the importance of designing and implementing compliance-based compensation schemes. Financial incentives, such as deferred or escrowed compensation tied to conduct, play a critical role in fostering a culture of compliance. The episode also explores the necessary continuum of assessment, analysis, implementation, and monitoring that companies must follow for effective compliance incentive programs. Additionally, Tom covers the DOJ’s rigorous approach to consequence management, particularly concerning clawback provisions in executive contracts. The episode guides compliance professionals on the essential steps and analyses required to adhere to the enhanced DOJ expectations. Key takeaways include the importance of financial incentive analysis and the distinct yet related roles of clawbacks and consequence management within a compliance program.

Key Highlights

·      Starting with Incentives and Consequences

·      Incentive Program Breakdown

·      Consequence Management Deep Dive

Resources

Listeners to this podcast can receive a 20% discount to The Compliance Handbook, 5th edition by clicking here. 

Learn more about your ad choices. Visit megaphone.fm/adchoices

Welcome to a special podcast series on the Compliance Podcast Network, 31 Days to a More Effective Compliance Program. Over these 31 days series in January 2025, I will post a key part a best practices compliance program each day. By the end of January, you will have enough information to create, design or enhancement a compliance program. Each podcast will be short, at 6-8 minutes with three key takeaways that you can implement at little or no cost to help update your compliance program. I hope you will plan to join each day in January for this exploration of best practices in compliance. 

In the first episode of 'One Month to a More Effective Compliance Program', host Tom Fox, the Compliance Evangelist, emphasizes the increasing importance of data analytics and monitoring in the realm of compliance. Highlighting insights from the DOJ, this episode illustrates how data-driven compliance can significantly improve decision-making, business efficiency, and risk management. By leveraging technology and effective data analysis, companies can uncover hidden issues such as improper payments and improve overall corporate transparency. Tom Fox discusses the necessity for compliance programs to have quick and easy access to data to ensure informed decision-making and proactive compliance management.

Key Highlights

·      Importance of Data Analytics in Compliance

·      Implementing Data-Driven Compliance

·      Challenges and Solutions in Data-Driven Compliance

Resources

Listeners to this podcast can receive a 20% discount to The Compliance Handbook, 5th edition by clicking here. 

Learn more about your ad choices. Visit megaphone.fm/adchoices

When you step back and consider what the DOJ was trying to accomplish with its 2023 ECCP, it becomes clear what the DOJ expects from the compliance professional. Consider the structure of your compliance program and how it inter-relates to your company’s risk profile. When you have a compliance failure, use the root cause analysis to think about how each of the structural elements of your compliance program could impact how you manage and deal with that risk.

 Three key takeaways:

1. The key to using a root cause analysis is objectivity and independence.

2. The critical element is how did you use the information you developed in the root cause analysis?

3. The key is that after you have identified the causes of problems, consider the solutions that can be implemented by developing a logical approach, using data that already exists in the organization.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Sam Rubenfeld, cited Scott Greytak, the director of advocacy for Transparency International US, for the following: “FEPA is a landmark, bipartisan law that holds the potential to help root out foreign corruption at its source. It is arguably the most sweeping and consequential foreign bribery law in nearly half a century.”

Three key takeaways:

1. FEPA changes the game for ABC.

2. Make sure your policies and procedures capture any extortion attempts made illegal under FEPA.

3. Determine your external reporting for FEPA violations.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

 Three key takeaways: 

1. What are the key factors that impact these strategic considerations for implementing AI in compliance?

2. Compliance professionals need to stay updated with the latest AI developments and trends, which requires continuous learning and keeping abreast of industry news and insights.

3. Understanding the impact of AI, maintaining an inventory of tools, considering cost efficiency and risk avoidance, involving all business sectors, and utilizing AI for better data usage are key factors to consider.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Data-driven compliance programs have moved from cutting edge and are now seen as best practices. Soon, they will simply be table stakes for companies to effectively manage compliance risks. By actively monitoring and analyzing data, companies can identify potential compliance issues, mitigate risks, and maintain their reputation and integrity. Collaboration between different departments and a formal risk assessment are key factors in establishing a robust compliance program. As technology continues to advance, the role of data analytics and AI in compliance monitoring is expected to become even more significant. It is crucial for compliance professionals to stay informed, continuously learn, and adapt to the evolving landscape of data-driven compliance.

Three key takeaways:

1. Nicole Argentieri, acting assistant attorney general for the Criminal Division, said, “Let me be the first to tell you that we have proactively used data to generate FCPA cases, and we’ve only just gotten started.”

2. . Compliance professionals must actively analyze the data for trends, anomalies, and potential compliance risks.

3. Data-driven compliance programs have moved from cutting edge and are now seen as best practices. Soon, they will simply be table stakes for companies to effectively manage compliance risks.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

This Hallmark was significantly expanded in both the original FCPA Corporate Enforcement Policy and 2023 ECCP. In the FCPA Corporate Enforcement Policy, the DOJ listed the following as factors relating to a corporate compliance function, that it would consider as indicia of an effective compliance and ethics program: 1) the resources the company has dedicated to compliance; 2) the quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk; 3) the authority and independence of the compliance function and the availability of compliance expertise to the board; 4) the compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors; and 5) the reporting structure of any compliance personnel employed or contracted by the company.

The 2023 ECCP and 2023 Update to the FCPA Corporate Enforcement Policy both demonstrate the continued evolution in the thinking of the DOJ around the corporate compliance function. Their articulated inquiries can only strengthen a corporate compliance function specifically; and the compliance profession more generally. The more the DOJ talks about the independence of the compliance function, coupled with resources being made available and authority concomitant with the corporate compliance function, the more corporations will see it is directly in their interest to provide the resources, authority and gravitas to compliance position in their organizations.

 Three key takeaways:

1. How is compliance treated in the budget process?

2. Has your compliance function had any decisions over-ridden by senior management?

3. Beware outsourcing of compliance as any such contractor must have access to company documents and personnel.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

In the 2023 Update to the FCPA Corporate Enforcement Policy, the DOJ lists these factors as follows:

1) The quality and experience of the CCO, such that they can understand and identify the transactions and activities that pose a potential risk; 2) The authority and independence of the CCO; 3) The compensation and promotion of the CCO, in view of their role, responsibilities, performance, and other appropriate factors; and 4) The reporting structure of any CCO employed or contracted by the company.

All of these factors are enhanced by the CCO Certification requirement, as announced by Kenneth Polite back in 2022. A CCO must certify the effectiveness of a compliance program after a DPA or NPA has been concluded. This requirement will only become more important moving into 2023 and beyond. In addition to CCO Certification, the Delaware Court of Chancery’s decision in the case of McDonald’s Corporation and its former Executive Vice President and Global Chief People Officer of McDonald’s Corporation, David Fairhurst, formally recognized the oversight duties of officers of Delaware corporations for the first time.

Three key takeaways:

1. How can you show the CCO really has a seat at the senior executive table?

2. What are the professional qualifications of your CCO?

3. Delaware says the CCO is Number 2 in an organization, behind the CEO.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

You may find yourself in a position where you will have to have some very frank discussions about what to expect in terms of costs and time outlays. While much of these discussions will focus on the investigative process and those costs, these discussions will allow you to initiate the talk about remediation going forward and begin to explain why money must be budgeted for the remediation process.

Finally, there should be a solid line of communication between the people who are doing the investigation and the people who are leading the remediation. Otherwise, you can only begin your remediation in the most general terms and you will not be able to deal with specific gaps in your compliance program or risks that need to be managed. Such an approach can also be a recipe for disaster. First and foremost, the DOJ will not give you credit and you may lose the types of benefits articulated in the FCPA Corporate Enforcement Policy. Moreover, the executive attention will have dissipated and you will have lost your momentum to clean things up through a thorough remediation.

Three key takeaways:

1. A serious FCPA allegation gets the attention of the Board and senior management. Use this time to move the compliance program forward.

2. Be aware of how your investigation can impact and even inform your remediation efforts.

3. Be prepared to deal with the dreaded “where else” question.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

This scenario was driven home by the WPP Foreign Corrupt Practices enforcement action in 2021. Here, a whistleblower reported internally on allegations of bribery and corruption in the company’s India subsidiary. WPP turned over the investigation to an inexperienced accounting firm in India and then allowed the investigation to be controlled by the business unit management that was engaging in the bribery and corruption. The result, unsurprisingly, was no adverse findings. However, the whistleblower did not stop there and reported six more times (seven total) with an increasing amount of documentary support. Finally, the company took the allegations seriously and commissioned an internal investigation.

Three key takeaways:

1. The DOJ and SEC put special emphasis on internal reporting lines.

2. Test your hotline on a regular basis to make sure it is working.

3. Every claim should be triaged before starting an investigation.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Indeed, there are a variety of factors around giving credit to corporate investigations, including: Did management, the board, or committees consisting solely of outside directors oversee the review? Did company employees or outside parties perform the review? If outside persons, have they done other work for the company? If the review was conducted by outside counsel, had management previously engaged such counsel? How long ago was the firm’s last representation of the company? How often has the law firm represented the company? How much in legal fees has the company paid the firm?

 Three key takeaways:

1. A written protocol, created before an investigation, is a key starting point.

2. Create specific steps to follow so there will be full transparency and documentation going forward.

3. Consistency in approach is critical.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

The 2023 ECCP stated, “A well-designed compliance program should apply risk-based due diligence to its third-party relationships. Although the need for, and degree of, appropriate due diligence may vary based on the size and nature of the company, transaction, and third party, prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions.”

The question becomes how you use the information you obtained in the business justification and the questionnaire to determine an appropriate level of due diligence for the next step in the five-step process of third-party management. A three-step approach of varying levels of due diligence is the appropriate analysis to take going forward.

There are many different approaches to the specifics of due diligence. By laying out some of the approaches, you can craft the relevant portions into your program. The Level I, II and III trichotomy appears to have the greatest favor and one that you should be able to implement in a straightforward manner. But the key is that you must assess your company’s risk and then manage that risk. If you need to perform additional due diligence to answer questions or clear red flags you should do so. And do not forget to “Document, Document, and Document” all your due diligence.

Three key takeaways:

1. A Level I due diligence should only be used when there is a low risk of corruption.

2. A Level II due diligence is sufficient in a high-risk jurisdiction if there are no red flags to be cleared.

3. Level III due diligence is a deep-dive, boots-on-the-ground investigation.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Managing your third parties is where the rubber meets the road in your overall third-party risk manage program. You must execute on this task. Even if you successfully navigate the first four steps in your third-party risk management program, those are the easy steps. Managing the relationship is where the real work begins.

 Three key takeaways:

1. Have a strategic approach to third-party risk management.

2. Rank third parties based upon a variety of factors including compliance and business performance, length of relationship, benchmarking metrics and KPIs for ongoing monitoring and auditing.

3. Managing the relationship is where the real work begins.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

1. Business Justification by the Business Sponsor.

2. Questionnaire to Third-party.

3. Due Diligence on the Third Party.

4. Compliance Terms and Conditions, including payment terms.

5. Management and Oversight of Third Parties After Contract Signing.

Three key takeaways:

1. Use the full 5-step process for third-party management.

2. Make sure you have business development involvement and buy-in.

3. Operationalize all steps going forward by including business unit representatives.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

The most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These become the focus of your most significant risk management efforts, coupled with audits and monitoring going forward. A variety of tools can be used to continuously monitor risk going forward. Consider providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. It is important to create a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it. Finally, let this risk assessment and evaluation inform your compliance program, rather than letting the compliance program inform the risk assessment.

Three key takeaways:

1. Even after you complete your risk assessment, you must evaluate those risks for your company.

2. The DOJ and SEC are looking for a well-reasoned approach to how you evaluate your risk.

3. Create a risk matrix and rank your risks; then remediate and monitor as appropriate.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

There are a number of ways you can slice and dice your basic inquiry. As with almost all FCPA compliance, it is important that your protocol be well thought out. If you use one, some, or all of the above as your basic inquiries for your risk analysis, it should be acceptable as your starting point.

 Three key takeaways:

1. Since at least 1999, the DOJ has pointed to the risk assessment as the start of an effective compliance program.

2. The DOJ will now consider both your risk assessment methodology for identifying risks and the gathered evidence.

3. You should base your compliance program on your risk assessment.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Now take these same concepts of audience engagement and apply them internally to an organization. What do you potentially have? A mechanism to engage your employees, to engender trust, and to improve your overall corporate culture. Do you think this is a crazy way to improve culture? Think again about all the advantages podcasting has in place already.

A major US consumer product company started a podcast and had corporate executives on it. Who were the biggest fans of the podcast? It turned out it was the company employees, many of whom had never met their corporate executives. This allowed the executives to be humanized in a way no number of town hall meetings or other similar corporate events could ever achieve.

Since you are only limited by your imagination in compliance, why not use some of that imagination to be creative in your compliance training and communications?

Three key takeaways:

1. Using podcast storytelling to tell longer, more involved stories about compliance.

2. You can use compliance department-branded podcasts to have ongoing communications about compliance.

3. A Daily Compliance News show will drive engagement.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

The importance of determining the effectiveness of your compliance program has been enshrined by the DOJ. The 2023 Update confirmed that the DOJ wants to see evidence of the effectiveness of your compliance program. This is something that many CCOs and compliance professionals still struggle to determine. Both the simple guidelines suggested herein and the more robust assessment and results provide you with a start to fulfilling the precepts set out by the DOJ, as you will eventually need to demonstrate the effectiveness of your compliance training going forward.

Three key takeaways:

1. How and why have you tailored your compliance training and how do you determine its effectiveness?

2. Try an “espresso” shot of training

3. Present your training in both local languages and a variety of media.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

However, many compliance professionals, and particularly lawyers, think once a control is in place, it’s set in stone, and it’s there forever. This derives from the unfortunate fact that, once again, many compliance professionals and most lawyers do not understand internal controls. Yet, internal controls, much like the rest of a compliance program, can and should be continually monitored and improved based on information about such things as the number of overrides. Such a review can be evidence of a management problem or a culture of non-compliance at the organization. However, it could be that perhaps the controls need to be adjusted.

Revelo emphasized that it is not simply identifying the issues but remedying them as well, “because that actually might look worse if you identify a lot of issues, but do not fix them. You are better off by remediating everything you are identifying.” From there, you can conduct a root cause analysis as to why there was failure in a control or violation of a compliance procedure. Revelo concluded, “You need to really do that in an in-depth manner and then remediate.”

 Three key takeaways:

1. An internal control override is not necessarily a bad thing if proper procedure is followed.

2. Internal controls are not set in stone.

3. The key is to have a process for monitoring the controls and taking input, literally from each line of defense.

To obtain a free White Paper from our sponsor, Ethico on key compliance issues from 2023, click here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

An internal control is an action or process of interlocking activities designed to support the policies and procedures detailing the specific preventative, detective, corrective, directive, and corroborative actions required to achieve the desired process outcomes or objectives. This, along with continuous auditing, continuous monitoring, and training, reasonably assures:

• The achievement of the process objectives linked to the organization’s objectives;

• Operational effectiveness and efficiency;

• Reliable (complete and accurate) books and records (financial reporting);

• Compliance with laws, regulations and policies; and

• The reduction of risk fraud, waste, and abuse, which aids in the decline of process and policy variation, leading to more predictive outcomes.

The bottom line is that internal controls are just good financial controls. The internal controls that detail requirements for third-party representatives in the compliance context will help to detect fraud, which could well lead to bribery and corruption. As an exercise, map your existing internal controls to the Hallmarks of an Effective Compliance Program or some other well-known anti-corruption regime to see where gaps may exist. This will help you determine whether adequate internal compliance controls are present in your company. From there, you can move on to see if they are working in practice.

Three key takeaways:

1. Effective internal controls are required under the FCPA

2. Internal controls are a critical part of any best practices compliance program

3. There are four significant controls for the compliance practitioner to implement initially. (a) Delegation of authority (DOA); (b) Maintenance of the vendor master file; (c) Contracts with third parties; and (d) Movement of cash or currency

Learn more about your ad choices. Visit megaphone.fm/adchoices

 Three key takeaways:

1. Written compliance policies and procedures, together the Code of Conduct, with form the backbone of your compliance program.

2. The DOJ and SEC expect a well-thought out and articulated set of compliance policies and procedures and that they be adequately communicated throughout your organization.

3. Institutional fairness for the application of policies and procedures demands consistent application of your policies and procedures across the globe.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Employees often look to their direct supervisor to determine what the tone of an organization is and will be going forward. Many employees of large, multi-national organizations may never have direct contact with the CEO or even senior management. By moving the values of compliance through an organization into the middle, you will be in a much better position to inculcate these values and operationalizing compliance with them.

 Three key takeaways:

1. Tone at the top—direct supervisors become the most important influence on people in the company

2. Give your middle managers a Tool Kit around compliance so they can fully operationalize compliance

3. Organizational justice is an additional way to help operationalize compliance

Learn more about your ad choices. Visit megaphone.fm/adchoices

To assist companies in understanding this requirement, the 2023 ECCP sets out inquiries demonstrating that DOJ requirements are more than simply the ubiquitous “tone-at-the-top,” as they focus on the conduct of senior management. The DOJ wants to see a company’s senior leadership actually doing compliance. The DOJ asks if company leadership has, through their words and concrete actions, brought the right message of doing business ethically and in compliance to the organization. How does senior management model its behavior based on a company’s values and finally, how is such conduct monitored in an organization?

 Three key takeaways:

1. Senior management must actually do compliance—not simply talk the talk of compliance but also walk the walk.

2. The DOJ is now actively assessing corporate culture during investigations.

3. Your CEO is a Compliance Ambassador.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Continuous improvement runs the gamut in a best practices compliance program, from risk assessments to policies and procedures to periodic testing and review.

Three key takeaways:

1. How have your company’s risks changed over the past year, and how will they change in 2024?

2. What is your process for continuous monitoring and improvement?

3. What sources of information do you use that come from outside your organization?

Learn more about your ad choices. Visit megaphone.fm/adchoices

The role of payroll in compliance is not often considered in operationalizing your compliance program, yet the monies to fund bribes must come from somewhere. Unfortunately, one of those places is out of payroll. All CCOs need to sit down with their head of payroll, have them explain the role of payroll, and then review the internal controls in place to see how they facilitate compliance goals. From that review, you can then determine how to use payroll to help operationalize your compliance program.

The DOJ has now provided its clearest statement on how it expects a company to actually comply going forward. Long gone are the days where the DOJ simply considered the inputs of a written program as sufficient to protect companies from compliance violations. Yet the mandate to operationalize a corporate compliance program drives home the concept that compliance is a business process that should be administered by the appropriate business unit with the requisite SME. When it comes to following the money, payroll is the most well-suited corporate discipline to provide this first level of oversight and control.

Three key takeaways:

1. Payroll can be a key to preventing and detecting control
2. The 2020 Update specified the tie between the corporate compliance function and the corporate payroll function.
3. Offshore payments remain a key indicator of a red flag.

Learn more about your ad choices. Visit megaphone.fm/adchoices

The DOJ's increasing use of data analytics for proactive enforcement signifies a significant shift in their approach to combating white-collar crime. Companies must embrace this data-driven approach to compliance, continuously monitor high-risk transactions, and invest in the necessary resources and technology. By doing so, they can demonstrate effective compliance programs, uncover hidden financial irregularities, and improve overall efficiency.

 Three key takeaways:

1. This also means that data analytics in the compliance function has moved from cutting edge to best practice. It soon may simply mean table stakes for compliance.

2. The DOJ is seeking to incentivize an acquiring company to timely disclose misconduct uncovered during the M&A process.

3. The DOJ has made clear that under this new Mergers & Acquisition Safe Harbor Policy organizations that do not perform effective due diligence or self-disclose misconduct at an acquired entity will be subject to full successor liability.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Under this new Mergers & Acquisitions Safe Harbor, which applies across the Department of Justice, companies that promptly and voluntarily disclose criminal misconduct with the Safe Harbor period, and then cooperate with the resulting investigation, engage in timely and appropriate remediation and pay applicable restitution and disgorgement, will receive a presumption of a declination. Once again, the key deadlines are as follows:

• Companies must disclose misconduct discovered (whether pre-or post-acquisition) at the acquired entity within six (6) months from the date of closing.
• Companies will then have one year from the date of closing to fully remediate the misconduct.

The 6 month and one-year deadlines are subject to modification depending on the specific circumstances and complexity of the transaction. The acquired company can also qualify under the Mergers & Acquisition Safe Harbor Policy for voluntary self-disclosure benefits. Interestingly, DOJ clarified that any misconduct disclosed under the Safe Harbor Policy will not implicate or be counted in any future potential recidivist analysis. 

 Three key takeaways:

1. The DOJ Mergers & Acquisitions Safe Harbor policy encourages companies to self-disclose criminal misconduct discovered by an acquiring company during the acquisition of a target company.

2. The DOJ is seeking to incentivize an acquiring company to timely disclose misconduct uncovered during the M&A process.

3. The DOJ has made clear that under this new Mergers & Acquisition Safe Harbor Policy organizations that do not perform effective due diligence or self-disclose misconduct at an acquired entity will be subject to full successor liability.

Learn more about your ad choices. Visit megaphone.fm/adchoices

The clawback initiative has two parts. “First, every corporate resolution involving the Criminal Division will now include a requirement that the resolving company develop compliance-promoting criteria within its compensation and bonus system. Second is the creation of a 3-year pilot program under which the “Criminal Division will provide fine reductions to companies who seek to claw back compensation from corporate wrongdoers.”

 Three key takeaways:

1. The clawback policy was developed to promote “innovative approaches to compensation.

2. Clawbacks will include those who had supervisory authority over the employees or business area engaged in the misconduct and knew of, or were willfully blind to, the misconduct.

3. How far will the DOJ push companies to move for clawbacks, and how far down the chain will it go?

Learn more about your ad choices. Visit megaphone.fm/adchoices

Monaco set the tone for the week by identifying five general areas of DOJ focus. (1) Inspiring a Culture of Compliance; (2) Voluntary Self-Disclosure Programs; (3) Promoting Compliance through Compensation and Clawback Programs; (4) Resource Commitments to Corporate Criminal Enforcement; and (5 ) Individual Accountability. 

Three key takeaways:

1. A culture of compliance continues to be the most important component of DOJ review.  

2. Self-disclosure will be the number one factor for reducing a potential fine and penalty. 

3. Expect more individual accountability.   

Learn more about your ad choices. Visit megaphone.fm/adchoices

There was a significant addition to the language around messaging apps. The ECCP opened this section by noting, “Messaging applications have become ubiquitous in many markets and offer important platforms for companies to achieve growth and facilitate communication.” For any company under investigation or in a FCPA enforcement action, the DOJ will evaluate its “policies and mechanisms for identifying, reporting, investigating, and remediating potential misconduct and violations of law governing the use of personal devices, communications platforms, and messaging applications, including ephemeral messaging applications.”

Internal Compliance Controls

Under Section II, entitled Is the Corporation’s Compliance Program Adequately Resourced and Empowered to Function Effectively?  We find the new language, “In this regard, prosecutors should evaluate a corporation’s method for assessing and addressing applicable risks and designing appropriate controls to manage these risks.” This simple sentence packs quite a punch as it requires both appropriate internal compliance controls and then monitoring of those controls to see if they are managing the risks identified in the risk assessment.

Adequate Compensation and Salary/Bonus Review for Compliance

Under Section III, there is a significant new addition to the ECCP. It forces a company to adequately compensate those employees who investigate and pass judgment on misconduct. But it is more than simply adequate compensation, as it also requires a company not to retaliate via low salaries, limited raises, or other compensation for doing their jobs as compliance officers. In other words, if the CEO is being investigated by compliance, that same CEO should not be setting or reviewing the salary of the CCO or those doing the investigation. This mandates that the DOJ review the entire corporate organization on these issues.

Three key takeaways:

1. Communications compliance will be a key issue for compliance professionals going forward in 2024.

2. You must have both appropriate internal controls and ensure they are functioning.

3. In addition to adequate resources, a compliance function must be shown to adequately pay, promote, and protect those involved in compliance investigations.

Learn more about your ad choices. Visit megaphone.fm/adchoices

I.               Incentives

This section begins with a new introduction that makes clear the seriousness in which the DOJ views incentives, both financial and other types of incentives. The ECCP states, “The design and implementation of compensation schemes play an important role in fostering a compliance culture."

The ECCP also added a new section on financial incentives, which directs prosecutors to specifically evaluate how a company designs and applies financial incentives. These four questions basically breakdown into the following continuum: (1) Assessment, (2) Analysis, (3) Implementation; and (4) Monitoring.

II.             Consequence Management

The DOJ has been talking about clawbacks for some time now. However, the revised language of the ECCP puts more rigor into what the DOJ is now mandating.

 a.         Clawbacks

The DOJ has made it clear that companies need to seek to recover amounts paid out to executives that were illegally received as corporate compensation. This could include both salary, stock options, similar payments, or discretionary bonuses. All of this means every compliance program will need to analyze each of these components as set out.

b.         Consequence Management

The DOJ also mandated that compliance programs take a deeper dive into their entire financial incentive program—both incentives and disincentives. While there is some overlap with the clawback language, there is quite a bit of newness in these areas. The DOJ's hotline and speak-up reports directly relate to a company’s culture of compliance.

Three key takeaways:

1. The 2023 EECP brought significant changes to both financial incentives and negative consequences as well.

2. The new financial incentives analysis is: (1) Assessment, (2) Analysis, (3) Implementation; and (4) Monitoring.

3. Clawbacks and Consequence Manage are related but separate parts of a best practices compliance program.

Learn more about your ad choices. Visit megaphone.fm/adchoices

The first came in January, and it was an update to the Evaluation of Corporate Compliance Programs (2023 ECCP). Next, we heard speeches about the increased focus on clawbacks and other areas of consequence management. In October, Deputy Attorney General (DAG) Lisa Monaco introduced a new Mergers & Acquisitions Safe Harbor Policy in October. Finally, in late November, Acting Principal Deputy Assistant Attorney General Nicole M. Argentieri Delivered remarks at the 39th International Conference on the Foreign Corrupt Practices Act (FCPA) on the use of data analytics in a compliance program and DOJ expectations going forward.

The 2023 ECCP brought forward several new initiatives laid out in the 2020 Update to the Evaluation of Corporate Compliance Programs, including additions and deletions.

In October 2023, Deputy Attorney General Lisa Monaco announced a new policy regarding M&A. It is a Mergers & Acquisitions Safe Harbor policy that encourages companies to self-disclose criminal misconduct discovered by an acquiring company during the acquisition of a target company.

In November, Nicole Argentieri, Acting Assistant Attorney General for the Criminal Division, speaking at the ACI National FCPA, reported that the DOJ is stepping up its own use of data analytics to identify instances of corporate misconduct and will boost its cooperation with overseas law enforcement to bring more anti-corruption cases as well. The DOJ and SEC are increasingly focusing on data analytics for corporate compliance, signaling higher expectations for larger companies. Both agencies have successfully utilized data analytics in various areas, such as securities and healthcare fraud, and are actively improving their own capabilities in this field. She made several important points for all compliance professionals, which will be significant going forward into 2024 and beyond.

Three key takeaways:

1. 2023 was a key year for the DOJ's evolution in its views on compliance programs.

2. Clawbacks, incentives, and consequence management have become more important.

3. The new DOJ safe harbor initiative for M&A raises many questions.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Key Considerations

1.     Understand the impact of AI on the company. 

2.     Maintain an inventory of all tools used. 

3.     Understand the tools for cost efficiency and risk avoidance. 

4.     Involve all business sectors in AI discussions. 

5.     Utilize AI for better data usage in compliance.

While implementing AI in compliance brings numerous benefits, there are tradeoffs and challenges to consider. One tradeoff is the need to balance exploration and innovation with rules and regulations. Another challenge is the selection of AI tools. 

Implementing AI in compliance requires strategic considerations and decision-making. Understanding the impact of AI, maintaining an inventory of tools, considering cost efficiency and risk avoidance, involving all business sectors, and utilizing AI for better data usage are key factors to consider. Balancing exploration and rules, as well as selecting the right AI tools, are challenges that need to be addressed. By carefully navigating these considerations and challenges, companies can leverage AI to enhance their compliance programs and stay ahead in an ever-evolving regulatory landscape.

 Three key takeaways:

1. What are the key factors that impact these strategic considerations for implementing AI in compliance?

2. Compliance professionals need to stay updated with the latest AI developments and trends, which requires continuous learning and keeping abreast of industry news and insights.

3. Understanding the impact of AI, maintaining an inventory of tools, considering cost efficiency and risk avoidance, involving all business sectors, and utilizing AI for better data usage are key factors to consider.

For More information on KonaAI, click here. 

Learn more about your ad choices. Visit megaphone.fm/adchoices

The Covid-19 brought changes that are still being felt today in the business world. Some changes were temporary, but some have become permanent and remote work is one of them. It is clearly here to stay. The change has underscored the importance of AI and data in compliance across various industries. The shift to remote work has resulted in an increased amount of data that compliance teams must proactively monitor. AI-powered data cleansing capabilities help sift through content and focus on relevant and risky information, while AI algorithms and machine learning models aid in risk detection. By leveraging AI and data, compliance teams can enhance their prevention, detection, and remediation efforts, ultimately promoting a culture of ethical behavior and ensuring compliance with data protection laws.

 Three key takeaways:

1. The pandemic changed the corporate world in many ways. One of the permanent ones was moving to remote work.
2. Remote work generates much more data because messaging apps and online communication tools require new and innovative compliance solutions.
3. AI and data-driven compliance around data generated from remote work can move a company from detection to prevention.

For more information on KonaAI, click here. 

Learn more about your ad choices. Visit megaphone.fm/adchoices

Data analytics is of utmost importance in the field of law and compliance. It provides valuable insights, enhances effectiveness, and drives compliance programs. Compliance professionals must strive to become better businesspeople and understand the role of data analytics as the fuel that moves the compliance engine. By leveraging data analytics, law firms like Thinkeen can offer innovative solutions for complex transactions. However, education and awareness about the importance of data analytics are still needed to fully harness its potential. Balancing tradeoffs and addressing challenges associated with data analytics are crucial for successful implementation. Ultimately, data analytics is a powerful tool that can transform the way laws and compliance are approached, leading to more effective and efficient outcomes.

 Three key takeaways:

1. Data analytics is often referred to as the fuel that moves the compliance engine.

2. We need more education and awareness about the importance of understanding data so that you can extract the right information

3. Data analytics is a powerful tool that can transform the way law and compliance are approached, leading to more effective and efficient outcomes.

For more information on KonaAI, click here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

One of the key requirements impacting this new approach is the need to bridge the gap between these functions from both a data and human perspective. These concepts serve as a translator, helping organizations navigate the complex landscape of compliance, security, and risk management. By speaking the language of these three functions, Converged Continuous Compliance brings them together and facilitates collaboration.

Corporate compliance needs to promote new approaches to compliance and risk management by challenging misconceptions, reuniting compliance, security, and risk management, emphasizing data governance oversight, and advocating for automation. These approaches aim to enhance efficiency, increase trust in compliance reports, and ultimately drive a greater return on investment. As organizations navigate the ever-evolving landscape of compliance, it is crucial to consider the impact of new approaches and strike a balance between different factors to achieve effective compliance and risk management.

 Three key takeaways:

1. The DOJ has stated that a chief compliance officer and a corporate compliance function must have visibility across all data sets in an organization. Converged Continuous Compliance aligns with this message.
2. The bottom line is that we have accepted certain models of how compliance is done, what compliance means, what it delivers to the enterprise, and what it fails to deliver to the enterprise.
3. It is crucial to consider the impact of new approaches and strike a balance between different factors to achieve effective compliance and risk management.

For more information on KonaAI, click here. 

Learn more about your ad choices. Visit megaphone.fm/adchoices

The importance of automation for data analysis in compliance programs cannot be overstated. Organizations need to have visibility into their data at their fingertips to ensure regulatory compliance and mitigate risks. Automation streamlines the compliance process, provides transparency, and allows for adaptability in the face of evolving regulations and risks. By leveraging data analysis, organizations can identify deviations, improve cycle times, enhance training effectiveness, and make informed decisions. Board-level involvement is crucial in overseeing the automation and data analysis process, recognizing its strategic value, and ensuring its effective implementation. With the advent of AI and intelligent approaches, organizations that do not embrace automation and data analysis may suffer in the long run. Trust but verify, and always prioritize visibility and transparency in compliance programs.

 Three key takeaways:

1. 
   
2. Automation not only streamlines the compliance process but also provides transparency and visibility into the decision-making process.
3. 
   
4. There is a need for board-level involvement in overseeing the automation and data analysis processes.
5. 
   
6. Through analyzing deviations from the expected path, compliance officers can identify areas that require additional process controls or adjustments.
7. 
   

Check out KonaAI here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

It is important to have a Master Data Plan in place with acts to provide a centralized and consistent view of data. A Master Data Plan also enables organizations to have a holistic understanding of their data, leading to better decision-making and improved business efficiency. This Master Data Plan will help drive good data governance, which plays a vital role in compliance program visibility and effective data management. A Master Data Plan involves establishing policies, procedures, and controls to ensure data quality, accuracy, consistency, and trustworthiness. Data quality is essential for data to be fit for purpose and used efficiently in business operations and analytics.

Three key takeaways:

1. Companies should implement a Master Data Plan in place to effectively manage data going forward.
2. A Master Data Plan involves establishing policies, procedures, and controls to ensure data quality, accuracy, consistency, and trustworthiness
3. By embracing data-driven practices and addressing privacy concerns, businesses can enhance compliance programs, drive efficiency, and achieve better ROI.

For more information on KonaAI click here. 

Learn more about your ad choices. Visit megaphone.fm/adchoices

Data governance involves managing and organizing data for accuracy, accessibility, and compliance. With the increasing amount of data being generated for compliance and other corporate functions, it has become crucial for organizations to have effective data governance and legal technology services in place to ensure compliance with regulatory obligations. It plays a significant role in both the business and legal aspects of an organization. CCOs and compliance professionals rely on data to make informed decisions, analyze trends, and measure key performance indicators. From a legal perspective, data governance is essential for providing legal advice and meeting regulatory obligations.

 Three key takeaways:

1. Data preservation and credibility are crucial for effective compliance representation if a regulator comes knocking.

2. Compliance, data governance, and cybersecurity are intertwined in today's business landscape.

3. As the digital landscape continues to evolve, organizations must prioritize data governance and stay compliant and competitive in the business world.

For more information on KonaAI, click here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

This is one of the drivers for key trends shaping compliance technology in 2025 and beyond. The RegTech market is growing rapidly, and there is increased regulatory focus on cryptocurrency activities, ESG, and information security and cybersecurity. These trends indicate the evolving landscape of compliance and the need for organizations to stay updated and adapt their compliance strategies accordingly. By embracing connected compliance and leveraging technology, organizations can navigate the complex regulatory landscape and ensure compliance with privacy regulations while driving business efficiency.

 Three key takeaways:

1. 
   
2. CCOs and compliance professionals must have a compliance program that provides visibility into their data.
3. 
   
4. ESG regulations affect not only regulated industries but also any company holding private customer data or involved in large supply chains.
5. 
   
6. By embracing connected compliance and leveraging technology, organizations can navigate the complex regulatory landscape and ensure compliance with privacy regulations while driving business efficiency.
7. 
   

For more on KonaAI, click here. 

Learn more about your ad choices. Visit megaphone.fm/adchoices

The goal is to integrate existing security and compliance tools to gather evidence in near real-time, automate the creation of compliance gap tickets, generate real-time reports, and provide a comprehensive view of an organization's compliance state. By leveraging the power of APIs and customer-centric design, the compliance process can be more effective and efficient.

 Three key takeaways:

 Three key takeaways:

1. Enhancing compliance programs through automation is a critical step for compliance functions and businesses to improve decision-making, efficiency, and overall compliance effectiveness.

2. Automation can help compliance functions meet the need for near real-time reporting for a variety of different stakeholders.

3. Balancing the need for real-time reporting with data accuracy and security is crucial.

For more information on our sponsor, KonaAI, click here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

A key in this process is the implementation of data warehouses and cloud data warehousing solutions. The goal is to eliminate data silos and enable easy data access and analysis. By implementing a modern data stack, companies centralize their data, making it compliance-friendly as mandated by the DOJ (in the 2020 Evaluation of Corporate Compliance Programs) and more generally accessible to employees across the organization.

AI-driven data analysis and compliance solutions are revolutionizing the way organizations approach compliance and data utilization. By leveraging AI technology, these companies enable businesses to make fact-based decisions, identify risks, and ensure regulatory compliance. Investing in data governance and business intelligence tools is crucial for extracting value from data and driving business success. With the democratization of data access, organizations can empower employees to be data-informed and achieve greater efficiency. 

 Three key takeaways:

1. Data analysis is not simply about having the data but also accessing it and then using it.
2. Data democratization recognizes that effective data utilization is linked to compliance and good business practices.
3. With the democratization of data access, organizations can empower employees to be data-informed and achieve greater business efficiencies.

For more on KonaAI, click here. 

Learn more about your ad choices. Visit megaphone.fm/adchoices

Anselmo Guevara, manager at VMware, has emphasized the need for companies to have a compliance program that provides visibility into their data at their fingertips. It is no longer sufficient to simply collect data and have someone review and reconcile it. Compliance professionals must actively analyze the data for trends, anomalies, and potential compliance risks. This proactive approach allows companies to identify and address compliance issues before they escalate.

Data-driven compliance programs have moved from cutting-edge and are now seen as best practices. Soon they will simply be table stakes for companies to effectively manage compliance risks. By actively monitoring and analyzing data, companies can identify potential compliance issues, mitigate risks, and maintain their reputation and integrity. Collaboration between different departments and a formal risk assessment are key factors in establishing a robust compliance program. As technology continues to advance, the role of data analytics and AI in compliance monitoring is expected to become even more significant. Compliance professionals must stay informed, continuously learn, and adapt to the evolving landscape of data-driven compliance.

 Three key takeaways:

1. Nicole Argentieri, acting assistant attorney general for the Criminal Division, said,  “Let me be the first to tell you that we have proactively used data to generate FCPA cases, and we’ve only just gotten started.” 

2. . Compliance professionals must actively analyze the data for trends, anomalies, and potential compliance risks.

3. Data-driven compliance programs have moved from cutting-edge and are now seen as best practices. Soon they will simply be table stakes for companies to effectively manage compliance risks.

Learn more about your ad choices. Visit megaphone.fm/adchoices

The importance of compliance, EPM systems, and data analytics in business decision-making cannot be overstated. Compliance program visibility and documentation are crucial for managing data and ensuring regulatory compliance. EPM systems provide the tools for financial planning and analysis, supporting strategic long-range planning and informed decision-making. Data analytics allows businesses to uncover patterns and gain insights, but overcoming data silos is necessary to maximize its potential. By adopting cloud-based solutions and integrating systems, organizations can make the most of their data and drive informed decision-making. Balancing different factors and considering the impact on decision-making processes is key to successfully leveraging compliance, EPM systems, and data analytics in business.

 Three key takeaways:

1. Compliance program visibility and proper documentation are essential for managing data and ensuring regulatory compliance across companies of all sizes.

2. Having data is important, it is equally crucial to focus on how that data is being used. 

3. Overcoming data silos is key to maximizing the potential of data analytics.

For more information on KonaAI, click here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

ESG integration in business processes is crucial for organizations aiming to enhance their compliance programs and make informed decisions. By leveraging data analytics, companies can identify and address ESG risks and opportunities more effectively. Collaboration and information sharing among companies also play a significant role in improving compliance efforts. As the compliance landscape continues to evolve, staying informed and adapting to new evaluation processes will be key for compliance professionals.

Three key takeaways:

1. ESG integration in business processes is crucial for organizations aiming to enhance their compliance programs and make informed decisions.
2. By leveraging data analytics, companies can identify and address ESG risks and opportunities more effectively.
3. Collaboration and information sharing among companies also play a significant role in improving compliance efforts.

For more information on KonaAI, check out their website here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Building effective data analytics programs for compliance enhancement requires careful consideration of various factors. Compliance officers must define the risks they want to monitor, identify valuable data sources, and think innovatively to capture relevant data. Leveraging internal expertise and fostering collaboration between different departments is essential for successful implementation. By starting small and gradually expanding their capabilities, organizations can demonstrate their commitment to using data analytics and gain compliance expertise. Ultimately, these programs enable companies to enhance their compliance effectiveness and mitigate risks effectively.

 Three key takeaways:

1. There are multiple factors in the design, creation, and implementation of a data-driven compliance program.

2. A data-driven approach will allow a shift of the focus from individual policy violations to identifying systemic issues.

3. Compliance officers should focus on how to begin and gradually build their capabilities.

Check out the month's sponsor, KonaAI here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

AI and data-driven solutions have the potential to revolutionize compliance and risk management practices. By leveraging advanced analytics, machine learning, and automation, organizations can enhance decision-making processes, improve efficiency, and proactively address compliance risks. However, it is essential to prioritize user adoption, consider the impact on user experience, and strike a balance between automation and human judgment. With the right approach, AI and data-driven solutions can become valuable assets in the pursuit of effective compliance and risk management.

 Three key takeaways:

1. Compliance, risk management and corporate legal can all benefit from a data-driven approach to risk management.  

2. By setting up alerts, compliance officers can be notified in real-time about potential risks or non-compliant activities.

3. There will always be the need for a balance between automation and human judgment.

For more information on this month's sponsor KonaAI, check out their website, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

In the Albemarle FCPA enforcement, the DOJ said for the first time that data-driven compliance is now a part of the requirements of an effective compliance program. By leveraging data and data analytics, compliance professionals more effectively manage risks, improve compliance culture, investigate issues, and ultimately keep companies out of trouble. Additionally, a robust data analytics platform will also contribute to making the business better by identifying hidden money, stopping improper payments, and enhancing overall business efficiency.

By leveraging data analytics, companies can identify hidden money, prevent improper payments, and enhance overall business efficiency. In today's regulatory environment, the risk of not adopting data-driven compliance approaches is high, making solutions essential for companies seeking to stay compliant and improve their business practices.

 Three key takeaways:

1. The DOJ identified data analytics as a part of a best practices compliance program in the Albemarle FCPA enforcement action. 

2. Data-driven compliance allows companies to access their data, search vendors, analyze transactions, run corruption and fraud tests, and even evaluate predictive models.

3. Data-driven compliance should be designed to identify hidden money, prevent improper payments, and improve business efficiency.

For more information on KonaAi, click here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Now take these same concepts of audience engagement and apply them internally to an organization. What do you potentially have? A mechanism to engage your employees, to engender trust, and to improve your overall corporate culture. Do you think this is a crazy way to improve culture? Think again about all the advantages podcasting has in place already.

A major US consumer product company started a podcast and had corporate executives on it. Who were the biggest fans of the podcast? It turned out it was the company employees, many of whom had never met their corporate executives. This allowed the executives to be humanized in a way no number of town hall meetings or other similar corporate events could ever achieve.

Podcasting is a powerful tool that corporate compliance programs can use to connect with their audience on a more personal level. By investing in podcasting, corporations can create engaging and informative audio content that will help build their ethical brand (culture) and drive employee engagement. If you want a new and different way to talk to your employees, why not try podcasting?

Since you are only limited by your imagination in compliance, why not use some of that to be creative in your compliance training and communications? Podcasting has become an essential tool for businesses to connect with their employees, establish themselves as thought leaders, and promote their values and culture. By investing in the right podcast equipment and software, corporate compliance functions can create high-quality audio content that engages their audience helps to achieve their ethical goals, and improves the culture of any organization.

 Three key takeaways:

1. You can improve employee trust and corporate culture through employee trust.

2. Communicating through a podcast can increase your brand promise with employees and other stakeholders.

3. An internal podcast can humanize your leadership to your employees.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Empowered Employees. When employees feel empowered to contribute their ideas, it can lead to significant positive outcomes for the organization. However, fostering a speak-up culture goes beyond just listening. Retaliation should never be tolerated, and organizations must make it clear that it will not be accepted under any circumstances.

Role of Middle Managers. Middle managers play a vital role in fostering a speak-up culture. They need to be trained to listen, accept information, and report it to the appropriate channels.

Consistency and transparency. Consistency and transparency in the investigation process are also key components of a speak-up culture. Organizations must have a clear process in place for investigating concerns, and employees should be aware of this process.

Fostering a speak-up culture in the workplace is crucial for building trust, encouraging engagement, and enhancing the overall organizational culture. It requires leadership that values listening and employee involvement, as well as policies and procedures to protect employees from retaliation. Middle managers play a vital role in supporting employees and facilitating open communication. Consistency and transparency in the investigation process are essential for building trust and ensuring that employees feel comfortable bringing forward their concerns. By fostering a speak-up culture, organizations can create a culture where employees feel empowered to contribute their ideas and make a positive impact on the workplace.

 Three key takeaways:

1. Having a reporting system is important but listening is equally critical.

2. Employees must be protected from retaliation.

3. Fostering a speak-up culture can create a culture where employees feel empowered to contribute their ideas and make a positive impact on the workplace.

Do you want to improve your culture? How can you assess your culture and develop a strategy to improve it going forward? Check out the new tool, The Culture Audit For more information click here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

For 15 years, Ethisphere has been collecting data around its World’s Most Ethical Company awards. Companies which receive this designation have been found to outperform their peers on various stock indices. Ethisphere calls this the “Ethics Premium.” Ethisphere Executive Vice President (EVP) Erica Salmon Byrne has noted, “In tracking how the stock prices of publicly traded honorees compare to the U.S. Large Cap Index, we found that listed World’s Most Ethical Companies outperformed the large cap sector.” In 2010 that number was a delta of 4.5%. Yet by 2020 that number had skyrocketed to 13.5%. Clearly Ethisphere has been on to something.

Academic research has also shown the efficacy of ethics and compliance programs. George Serafeim and Paul M. Healy demonstrated in their paper, An Analysis of Firm’s Self-Reported Anti-Corruption Efforts, that companies with robust compliance programs do better financially in countries prone to corruption than companies with less effective compliance programs. Without a robust compliance program, even with high sales in a high-risk country, the sales will drop off and lead to a negative Return on Equity (ROE) of between 24% to 30%.

Dr. Kyle Welch, Assistant Professor at George Washington University (GWU), in his paper, co-authored with Stephen Stubben, Associate Professor from The University of Utah, entitled “Evidence on the Use and Efficacy of Internal Whistleblowing Systems” (Report). In this paper, Welch and Stubben reviewed some 15 years of anonymized data from NAVEX Global, Inc. This data was from the company’s hotline reporting systems. Some of the key findings included that companies with a robust whistleblower and reporting system had greater profitability and workforce productivity as measured by Return on Assets (ROA) and there were fewer material lawsuits brought against the company overall and there were lower settlement costs if a lawsuit did occur. Finally, there were fewer external whistleblower reports to regulatory agencies and other authorities.

 Three key takeaways:

1. It’s not simply speaking up, it's a culture of speak up.

2. Companies with speak up culture, have a material reduction in legal fines and penalties.

3. Use Companies with speak up culture, have a higher ROI.

Do you want to improve your culture? How can you assess your culture and develop a strategy to improve it going forward? Check out this great new tool, The Culture Audit. For more information, click here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Obviously a triage process is particularly important for multinational companies that operate across different regions. With varying compliance programs and regulations in different countries, having a well-documented process becomes essential. It allows compliance departments to navigate the complexities of compliance programs and investigations, ensuring consistency and adherence to local laws.

The triage process and technology play a vital role in promoting a corporate culture and. By proactively assessing and triaging complaints and allegations, organizations can increase response time and set realistic expectations for stakeholders. It is important to consider the impact on employee rights and the need for thorough investigations when making decisions about the importance of triage process and technology in organizational compliance.

 Three key takeaways:

1. Think about how your triage process can be used to foster culture.

2. Set Service Level Agreements, make them public and adhere to them to engender trust in your organization.

3. However, it is important to recognize the tradeoffs involved in balancing different factors when implementing a triage process.

Do you want to improve your culture? How can you assess your culture and develop a strategy to improve it going forward? In this free webinar on the new tool, The Culture Audit with Tom

Fox and Sam Silverstein on Tuesday, November 28, 12 CT. For more information and registration, click here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Non-retaliation protocols must be in place to encourage reporting. The fear of retaliation is deeply rooted in the perception of being a whistleblower or complainant. Every compliance must have strong policies, consequences for violators, and open workplace conversations to empower bystanders. Bystanders play a crucial role in identifying and reporting harassment, but they often fear retaliation or loyalty conflicts.

Addressing retaliation and encouraging reporting in workplaces requires a multifaceted approach. Strong non-retaliation protocols, open workplace conversations, and the empowerment of bystanders are key factors in creating a safe and inclusive work environment. By prioritizing the well-being of employees and fostering a culture of trust, organizations can effectively combat sexual harassment and ensure compliance with legal and regulatory requirements.

Three key takeaways:

1. You must have robust policies and procedures against retaliation.

2. A lack of confidential reports will have an impact on culture.

3. Bystanders are the key to a robust culture.

Do you want to improve your culture? How can you assess your culture and develop a strategy to improve it going forward? In this free webinar on the new tool, The Culture Audit with Tom

Fox and Sam Silverstein on Tuesday, November 28, 12 CT. For more information and registration, click here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

The authors basically state the obvious when they write, “It makes intuitive sense that being in a work environment where unethical behavior is prevalent might diminish psychological safety.” Put another way “people are most reluctant to speak up in ethically troubled environments, where we most need them to do so.” This is an important issue for every CCO and business leader. To overcome such a deficiency, they found that “several other factors correlated with strong speak-up behavior, keeping everything else constant: moral engagement, moral attentiveness, and organizational justice combined with clarity of expectations.”

Moral engagement. As a CCO you should endeavor to create an atmosphere where ethical conduct matters, “so that when employees recognize a potentially unethical situation, they will be motivated to do what’s right.”

Moral attentiveness. You can educate employees to recognize the ethical dimensions of situations. You can have managers highlight examples of ethical and unethical behavior with their teams and encourage dialogue on workplace ethics.

Organizational justice. Obviously, talk is cheap and it is actions, not deeds, that matter. The DOJ has made clear in the 2023 Evaluation of Corporate Compliance Programs that the keeper and responsibility of institutional justice sits with the CCO and the authors find that this same concept “is vital to building a reputation of organizational justice.”

Clarity of expectations. CCOs must communicate a clear message to employees so that employees will have “an understanding of organizational standards and are clear about expectations.”

Unethical conduct can remain hidden for a time but is likely to be discovered eventually, causing far more harm than if it were caught and corrected early. Psychological safety thus can help organizations respond and improve quickly instead of allowing misconduct and unethical behavior to fester and further degrade workplace psychological safety, thus triggering a vicious cycle.”

Three key takeaways:

1. Without psychological safety, corporate culture with suffer.

2. When your CEO engages in illegal behavior what is the impact on culture?

3. Use moral engagement, moral attentiveness, and organizational justice to foster an improved culture.

Do you want to improve your culture? How can you assess your culture and develop a strategy to improve it going forward? In this free webinar on the new tool, The Culture Audit with Tom Fox and Sam Silverstein on Tuesday, November 28, 12 CT. For more information and registration, click here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

There is a non-siloed nature of psychological safety at the workplace. Ethics, risk management, legal and compliance functions, plus HR all share an interest in fostering such an environment. This mandates a cross-functional approach as an essential requirement of molding an organization’s culture to include psychological safety. The authors believe, “Managers throughout a company must become aware of the blind spots created by a psychologically unsafe environment, along with the associated risk of underreported misconduct.” They also caution that a formal program such as a reporting hotline “may capture only a fraction of the problematic behaviors that occur.” This leads the authors to posit that gauging psychological safety “may help companies determine whether misconduct is being reported and, in turn, enhance the effectiveness of their formal speak-up programs.”

The authors also confirmed a greater problem which is that “in a global context, psychological safety is not uniform across nations.” Survey respondents from “the Americas and Europe tended to score higher on psychological safety than respondents from Asia.” This suggests to the authors that “the potential effectiveness of tailoring interventions that promote speaking up in order to address the specific circumstances of different groups of employees.” Moreover, “global organizations that seek to build psychological safety must assess its various region-specific drivers and derailers to adjust their activities to specific seniorities and cultures.”

 Three key takeaways:

1. How can you determine the state of psychological safety in your organization?

2. Psychologically safety at the workplace is non-siloed.

3. Middle managers are critical.

Do you want to improve your culture? How can you assess your culture and develop a strategy to improve it going forward? In this free webinar on the new tool, The Culture Audit with Tom Fox and Sam Silverstein on Tuesday, November 28, 12 CT. For more information and registration, click here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

One of the key points raised by Bloch is the importance of making speaking up meaningful and credible. He pointed out that companies often fail to clearly communicate what should be reported, leading to confusion among employees. Another challenge highlighted by Bloch is the lack of follow-up interviews and education for reporters. He stressed the need for organizations to engage with reporters and gather additional information to gain a better understanding of the context and potential gaps in the initial report. Bloch also discussed the importance of addressing friction points within organizations. He mentioned that employees often hesitate to speak up due to concerns about the involvement of headquarters or fear of retaliation. Organizations need to actively address these concerns and create an environment where employees feel safe and supported when reporting issues.

In order to create a culture of speaking up, organizations must move beyond passive measures such as hotlines and policies. They need to actively engage with employees, educate them about their role in the process, and provide clear guidance on what should be reported. By doing so, organizations can foster a culture of compliance where employees feel empowered to speak up and contribute to maintaining ethical standards.

In order to create a culture of speaking up, organizations must move beyond passive measures such as hotlines and policies. They need to actively engage with employees, educate them about their role in the process, and provide clear guidance on what should be reported. By doing so, organizations can foster a culture of compliance where employees feel empowered to speak up and contribute to maintaining ethical standards.

 Three key takeaways:

1. Your investigation process must go beyond simply policies and procedures.

2. Seeking additional information from a reporter will enhance both the investigative process and your culture.

3. Remove friction points in the speak-up and investigative process. 

Do you want to improve your culture? How can you assess your culture and develop a strategy to improve it going forward? In this free webinar on the new tool, The Culture Audit with Tom Fox and Sam Silverstein on Tuesday, November 28, 12 CT. For more information and registration, click here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

The authors believe today, “it is more essential than ever that when misconduct happens or difficult problems arise, there is a strong ethical climate for surfacing information so leaders can respond quickly and appropriately. An environment in which employees feel comfortable reporting such issues is also vital to preventing future misconduct.”

The authors believe that a “healthy organizational culture is one in which speaking up and listening go hand in hand, reinforcing ethical standards. If concerns are expressed, changes can be made promptly.” This is important because it moves from the detect prong to the prevent prong, which is by far the most important and effective prong in any compliance regime. Further ideas or innovations, rather than simply reporting untoward actions, can make a company more efficient and more profitable. This means a company can receive far more benefits than monetary fines or penalty avoidance if psychological safety exists.

 Three key takeaways:

1. How a speak-up culture improves your culture.

2. What is the role of psychological safety in improving culture?

3. What is the role of externals in your corporate culture? 

Do you want to improve your culture? How can you assess your culture and develop a strategy to improve it going forward? In this free webinar on the new tool, The Culture Audit with Tom Fox and Sam Silverstein on Tuesday, November 28, 12 CT. For more information and registration, click here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

A.    Engagement

Start off by meeting as many compliance stakeholders as possible. You can use town hall settings or go smaller, meeting with key employee leaders, key stakeholders, and employees identified as high-risk who you can meet with individually or in smaller groups. Listen to their compliance concerns and take their compliance ideas back to the home office. After returning to your office, winnow down their ideas and suggestions to form the basis of enhancements to your culture. This employee engagement will lead to greater stakeholder buy-in for your culture.

B.    Education

But during the town hall meetings, and the smaller more informal group meetings, you can do more than listen, you can also train. This training is on ethics and how the employees could use compliance as a business tool. Moreover, this lays the groundwork for enhancing your culture and the training that will occur as the enhancement is rolled out.

C.    Risk Assessment

Now, think about this same approach from the risk assessment perspective. Listen to your employee's concerns and listen to the compliance issues raised. From there you can begin to ask questions about what was done and why. This approach is not adversarial or an interrogation. Still, it is ferreting out the employee's concerns while having the employees educate your compliance team on the actual procedures that are used. By listening, and gently questioning, you should be able to garner enough information to create a risk assessment profile that can inform and even become the basis of compliance program enhancements.

 Three key takeaways:

1. A listening tour can be used to improve your culture.

2. Listening improves engagement, which improves culture.

3. Culture lessens if employees think you don’t care.

Do you want to improve your culture? How can you assess your culture and develop a strategy to improve it going forward? In this free webinar on the new tool, The Culture Audit with Tom Fox and Sam Silverstein on Tuesday, November 28, 12 CT. For more information and registration, click here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Not surprisingly, trust is the number 1 factor in engagement and resilience. Astoundingly, the author found that “employees who said they completely trust their team leader were 14 times more likely to be fully engaged.” Moreover, those employees who completely trusted their colleagues, team leader, and senior leaders “were 42 times more likely to be highly resilient.” The reason should seem obvious as it is undoubtedly “easier to engage in our best work when we don’t have to expend mental resources looking over our shoulders or protecting ourselves against dysfunctional workplace practices that erode trust, like bullying or micromanaging. When it comes to building engagement and resilience, trust is everything.”

Teamwork is also a key factor. Although this is not something I have experienced over the past 12 years of working alone, the author found, “Those who said they are on a team were 2.6 times more likely to be fully engaged and 2.7 times more likely to be highly resilient than those who didn’t identify as team members. For millennia, humans have experienced psychological well-being only when they feel connected to and supported by a small group of people around them.” When the pandemic hit, working from home was not new to me as I had been doing it since 2010, but even in the WFH or Hybrid Work era, most employees need to feel like they are part of a team.

Every CCO and compliance professional must work to lessen or dissolve the disconnect between senior leadership and front-line workers. Your front-line business folks will make or break your compliance program. Getting your senior management more engaged will create and establish the trust your employees will need to show resilience in the face of the following primary business location, whether a pandemic or military invasion.

 Three key takeaways:

1. The concepts from Design Thinking can improve your culture.

2. A key factor in culture is engagement.

3. You can improve culture by dissolving the disconnect between senior leadership and front-line workers. 

Check the free webinar on the new tool, The Culture Audit with Tom Fox and Sam Silverstein on Tuesday, November 20, 12 CT. For more information and registration, click here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Moreover, the Chief Compliance Officer and corporate compliance function were identified in the 2023 3 Evaluation of Corporate Compliance Programs as the keepers of institutional justice and institutional fairness. This means recognizing and then preventing a toxic culture from spreading and infecting your entire organization squarely in the compliance wheelhouse. The article lays out key red flags for every CCO and compliance professional to look for in assessing culture. Finally, for any company with a toxic culture, the chances are much greater to be defrauded by its own employees or to defraud others through bribery and corruption by violating such laws as the Foreign Corrupt Practices Act (FCPA). 

The authors identify behaviors that they call “the Toxic Five attributes”, being “disrespectful, noninclusive, unethical, cutthroat, and abusive - poison corporate culture in the eyes of employees. While organizational culture can disappoint employees in many ways, these five elements have by far the largest negative impact on how employees rate their corporate culture and have contributed most to employee attrition throughout the Great Resignation.” As a CCO or compliance professional you need to be on the watch for them and take steps to remedy them if you see or hear about them. 

 Three key takeaways:

1. Are the attributes of a toxic culture present in your organization?

2. The 2020 Update to the Evaluation of Corporate Compliance Programs mandated the compliance lead this effort.

3. Does your organization have abusive behavior? 

Check the free webinar on the new tool, The Culture Audit with Tom Fox and Sam Silverstein on Tuesday, November 20, 12 CT. For more information and registration, click here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Understand What Matters

Reimagine new ways of operating

Model and test new ways of working

Act and create

Gratton ended her piece by challenging leaders to ask themselves three questions: “Where are you now on the journey of redesigning work? Are there steps you need to reengage in a more purposeful manner? Are you clear about what your biggest priorities are? The actions you take now will create your signature model of work and define the deal that you are making with your employees and your customers.” The same is even more so for a Chief Compliance Officer, the corporate compliance function and culture. 

 Three key takeaways:

1. How to think through redesigning your culture.

2. Understand what matters to your employees.

3. Listen, listen, listen. 

Check the free webinar on the new tool, The Culture Audit with Tom Fox and Sam Silverstein on Monday, November 20, 12 CT. For more information and registration, click here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

We begin with assessing your corporate values and then aligning them within your organization. In a recent Harvard Business Review (HBR) article, entitled What Does Your Company Really Stand For?, authors Paul Ingram and Yoonjin Choi explored these and other issues. The authors believe that corporate values are more critical than ever. I have adapted their work for the compliance professional. 

The authors developed a five-step approach for values alignment. 

1.     Identify the values within your employee base and create a values structure.

2.     Identify key priorities from strategy to determine what is the most important thing the organization can do to achieve its strategy.

3.     Wed values that serve both the organization and its employees. 

4.     Begin the assessment process. 

5.     Generate a final list of organizational values. 

From the compliance perspective, the protocol. Recognizing that values are but one part of an overall corporate culture, gives you a mechanism to think through how to begin an overall assessment of your organization. Values do make up a portion of an overall culture. Through the engagement advocated herein, you can not only get a good reading on such key values as trust and respect but, more importantly, learn how to incorporate them as overall assets into your corporate culture. 

 Three key takeaways:

1. The Monaco Memo enshrined the concept that the DOJ will assess culture.

2. What does your company stand for?

3. When properly aligned, values can be a powerful part of corporate culture.

Check the free webinar on the new tool, The Culture Audit with Tom Fox and Sam Silverstein on Tuesday, November 20, 12 CT. For more information and registration, click here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

How can compliance help a company navigate through all of this? To make and implement the best strategic choices in this environment, leaders will have to

1. develop principles to guide strategic choices,
2. address ethical issues early on,
3. consistently communicate and implement their choices,
4. engage beyond the industry to shape the context and
5. learn from mistakes to make better choices in the future.

This is a process that the corporate compliance function can facilitate. If you work through these steps, you should be able to prepare your organization for the next major shock.

Three key takeaways:

1. Why a company can no longer simply ‘stay in its lane’.

2. Compliance should lead the way to develop robust principles to guide cultural choices.

3. Even in culture, continuous improvement is a mandate. 

Learn more about your ad choices. Visit megaphone.fm/adchoices

In the most recent MIT Sloan Management Review issue, Donald Sull and Charles Sull penned an article entitled “10 Things Your Corporate Culture Needs to Get Right”, in which they posited that “knowing what elements of culture matter most to employees can help leaders foster engagement as they transition to a new reality that will include more remote and hybrid work.” It is an excellent review of some of the key elements of corporate culture and how CCOs can move forward to lay the foundation of one.

CCOs and compliance functions face challenges while navigating the post-COVID-19 return to work. Through corporate culture, companies must maintain a healthy culture, as mandated by the DOJ. The authors conclude, “Understanding the elements of culture that matter most to employees can help leaders maintain employee engagement and a vibrant culture as they transition to the new normal.”

Three key takeaways:

1. What distinguishes a good corporate culture from a bad one in the eyes of employees?

2. A good corporate culture forms the basis of a good compliance program.

3. How many elements of a good corporate culture are in your organization?

Learn more about your ad choices. Visit megaphone.fm/adchoices

What does all this mean for compliance professionals going forward? DOJ officials have emphasized that the changes laid out in the Monaco Memo and the requirements around CCO Certification are to empower compliance professionals. In the Monaco Speech, DAG Monaco stated, “Companies should feel empowered to do the right thing—to invest in compliance and culture and to step up and own up when misconduct occurs. Companies that do so will welcome the announcements today. For those who don’t, however, our Department prosecutors will be empowered, too—to hold accountable those who don’t follow the law.” However you may characterize it, I will channel my inner Glenn Fry (with a nod to Miami Vice) and simply say to CCOs and compliance professionals, “The Heat is On.”

Three Key Takeaway:

1. The DOJ will now evaluate corporate culture in an enforcement action.
2. You must assess, manage, monitor, and improve your culture.
3. Corporate culture is now a key metric for regulators.

Learn more about your ad choices. Visit megaphone.fm/adchoices

All of this is particularly significant in light of the industry research that shows many compliance investigations today are unsubstantiated and can take over 40 days from start to finish. The ability of AI to find and analyze data from the web and social media in this automated fashion will be able to overcome some of those challenges in terms of length of time and overall scope of the investigation. Finally, always remember data preservation. The regulators always want to know if you have the documents and data tied down. This allows a company to have confidence in its papers and, in turn, can make such representations to regulators and prosecutors that the documents are secure. In other words, Document, Document, and Document. 

Three key takeaways:

1. AI is an appropriate tool for supplementing investigations.
2. AI can look at large bodies of social media data.
3. AI can help you decrease your investigation length.

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

A methodical review of the 2023 ECCP to identify the different areas where a company could establish and quantify metrics to assess effectiveness is the place to start. Many companies have what Edwards called “metrics on the basics” and noted they “have in place processes whereby their employees review the Code of Conduct and confirm they comply with it either when they first onboard with the company and then periodically on an annual basis, companies are doing just fine at reporting.” But it is now the barest minimum of what compliance professionals must do. For instance, they could consider Quote To Cash (QTC) lifecycles or Procure To Pay (P2P). The key starts with a documented process that can be audited and built from there.

Three key takeaways:

1. Create an inventory of compliance metrics.
2. Create your metrics based on the 2023 ECCP.
3. Use these metrics for continuous monitoring and improvement.

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

The FCPA Resource Guide, 2nd edition, added a new hallmark to the previously titled 10 Hallmarks of an Effective Compliance Program (now it is simply the Hallmarks). The Hallmark added was one that has been around for some time: Root Cause Analysis (RCA). It is familiar because it was subtly considered in the original FCPA Resource Guide and explicitly discussed since at least the original formulation of the Evaluation of Corporate Compliance Programs in February 2017.

The focus on consistency is insightful and instructive as a key element of a best practices compliance program. Consistency forms the basis of both institutional justice and institutional fairness. That, in turn, facilitates a speak-up culture, which is the role of the compliance department to foster.

Three key takeaways:

1. Consistency is a key part of any compliance program.
2. Consistency forms the basis of both institutional justice and institutional fairness.
3. Consistency facilitates a speak-up culture.

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

This is because as significant (and costly) as these regulatory fines and penalties have been, it is the intangible reputational damage that, in the long run, maybe even more expensive. Multiple stakeholders who might not desire to play out on the risk curve might be at higher risk, located in higher jurisdictions, or operating in higher-risk industries. Further, there are other consequential impacts if compliance does not have a seat at the table. Suppose compliance has a seat at the table. In that case, there can be some leeway for compliance officers and firms to figure out how best to roll out a compliance program that is commensurate with the organization’s risk and compliant with the regulations. If compliance is relegated to the back of the (corporate) bus, there will be little chance to do so.

Three key takeaways:

1. It will be even more important for compliance to sit at the table in the future.
2. Look for synergies with other types of compliance.
3. Such synergies can be a big cost savings.

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

KPIs provide yet another mechanism for you to monitor and update your compliance program almost continuously. KPIs can be extremely low in cost and, therefore, something you can put in place without much approval from higher-ups in your organization that you might have to go to for budget approval. Finally, innovation can come in many ways. ComTech can be a huge jump forward. But sometimes innovation can occur at much less cost and a much more granular level. KPIs can be such a mechanism for you.

Three key takeaways:

1. KPIs will be critical to assess a compliance program going forward.
2. Set your KPIs.
3. Decide on how to use KPIs and the blueprint for going forward.

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

All of this is what the DOJ has articulated as operationalizing compliance. It first garnered attention in the February 2017 release of the original Evaluation of Corporate Compliance Programs and has only increased with the 2023 ECCP. Since that time, compliance practitioners have steadily worked to move their compliance programs forward onto the front lines of their business units. Connected compliance is one way to do so, but it clearly requires a human element to not only interpret data but to impart the appropriate or required compliance solution. Operationalizing compliance means that you cannot have an annual or even quarterly update on what’s going on in the program. It must be operationalized in such a way that you are sharing information not only with the regional business units of floating up to the corporate compliance folks but also sharing information back and forth with the other business units, procurement, finance, and reacting in real-time.

Three key takeaways:

1. Connected compliance moves you towards continuous monitoring.
2. Compliance under one roof.
3. Never forget the human element.

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

The bottom line is that it is not if but when you begin to incorporate corporate information into your compliance program to make your compliance program more efficient, and your business process run more effectively. Let's start now to identify the data you have access to and the data to which you currently do not have access. Find a way to bridge that gap.

Three key takeaways:

1. DOJ pronouncements mandate CCO availability to and use of data.
2. Data can be an actionable solution across geographic and business lines.
3. Use data as a business strategy.

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Compliance Convergence. In 2019, there were three significant releases of information by the federal government, which directly impacted compliance professionals.

Public/private partnership in the anti-corruption fight. Over the past few years, the DOJ has gone far toward laying out real incentives for corporations to help in the fight against the international scourge against bribery and corruption.

Data, Data, Data. The DOJ has made it clear that it expects companies to be more robust in their use of data analytics in compliance programs.

Compliance as the Ethical Edge. We have known for many years that companies with more robust compliance programs were most generally better-run companies.

This academic research and other case studies demonstrate that effective compliance programs equate to more efficient business processes and lead to greater profitability. As senior business leaders come to understand this message, they will (properly) see compliance as a business process that can be analyzed and improved through continuous improvement to make companies run more efficiently and, at the end of the day, more profitably. These companies do not make money because they have a better heart. They are more profitable because they are better run. Finally, all of this ties back to a requirement from the DOJ for continuous improvement of your compliance program.

Three key takeaways:

1. It’s all about compliance now.
2. Compliance connectedness.
3. It’s all about the data.

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Being a compliance professional in the coming decade will be one of the most challenging, rewarding and exciting professions for anyone to engage in. You have the opportunity to help lead not only your organization but also your profession. To paraphrase Alyson Van Hooser, will you put your (compliance) stake in the ground and own it? For your sake and the sake of the compliance profession going forward, I hope you will do so. 

Three key takeaways:

1. Adapt to thrive as you are only limited by your imagination.
2. Build your brand and deliver.
3. Be creative.

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Compliance training needs to get to the point where managers and leaders drive compliance training based on how they perceive the risks in their organizations. In other words, an awareness of risks can permeate the organization to such a degree that managers will be able to recognize when their employees need training and can call on the compliance function to provide custom training opportunities.

Three key takeaways:

1. Business crises almost always begin with a culture failure.
2. Focus your most detailed training on those employees who are truly high-risk.
3. This is the “just-in-time” training model that provides training exactly when and where the employee needs the information.

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Using such an approach to communications allows a CCO to “see around corners” and can be one of the greatest strengths of a best practices compliance program. The reason is listening. Listening is a key leadership component, and there are certainly many ways to listen. You can sit in your office and wait for a call or report on the hotline, or you can go out into the field and find out what challenges employees are facing. From this, you can work with them to craft a solution that works for the company and holds to the company’s ethical and compliance values.

Using social media tools, a CCO can move towards Thomas’ next key ingredient of a successful corporate culture, which is trust. Thomas said, “I’m obsessive about the culture that we create specifically around trust, and this is an adjustment for some people when they come here. If you join our team, there’s trust by default here. That means you trust in the competence of your teammates. You trust in their intentions and what they’re saying. At some companies, the culture is that trust is earned over time, but that means if everyone in the organization says you have to earn trust, the amount of energy that actually goes into the trust-earning process is a distraction from our mission.”

Three key takeaways:

1. A company can fail if it does not get its culture right.
2. Using communications to “see around corners.”
3. Trust works as a business strategy.

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

The data and information you collect, which might initially begin as a compliance solution or project, can be used to improve business process efficiency. The delivery of a compliance solution can enhance an overall business process. When you start to consider the compliance data points in every organization, from the Quote To Cash (QTC) sales cycle to the procure-to-pay (P2P) procurement cycle, you begin to see how compliance can be used to improve business efficiency and lead to greater profitability.

Three key takeaways:

1. The World’s Most Ethical companies had 13.5% delta about the S&P 500 average in 2020.
2. Companies with robust compliance programs do better financially in countries prone to corruption than companies with less effective compliance programs.
3. What does the data tell you?

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

One of the great things about the compliance world is that we are only limited by our own imaginations. If you can imagine a better way for your company to comply fully, it is at your disposal to do so. Yet, rarely do we think about the structure of how compliance activates as a way to operationalize compliance more fully. By identifying and bringing in the skills needed to move forward with compliance innovation, you can help kick-start the compliance operationalize process through a digital transformation of your compliance regime. By doing so, you may make all the difference between success and failure coming out of the Coronavirus health crisis as the world reopens for business.

Three key takeaways:

1. Have you considered a generational team approach to a digital transformation in compliance?
2. Have non-compliance professionals aid in compliance program development.
3. In compliance, you are only limited by your imagination.

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Compliance is now in an era of brisk innovation and evolution. It is prone to technological change and rapid obsolescence of the lawyer-driven, spreadsheets, and word document-based compliance programs. As we advance, the compliance professional needs to understand that a “package of resilience, adaptability, coordination, and inimitability becomes more attractive than the package of efficiency, understandability, manageability, and predictability.” The key is to learn how to harness complexity on a sustainable basis.

Three key takeaways:

1. Not all complexity is bad.
2. If you cannot figure out how a foreigner does business, you have a problem.
3. Compliance is now properly seen as a business process.

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Compliance is undergoing a paradigm shift as a result of technological and digital innovation. CCOs who cannot interpret the data from their own systems will likely find themselves consigned to the dustbin of corporate luddites. Compliance will be moving into a new era of collaboration and connection to more fully operationalize compliance to make all business stakeholders more efficient and at the end of the day more profitable.

Three Key Takeaways:

1. Compliance is undergoing a paradigm shift as a result of technological and digital innovation.
2. To be the orchestrator and prime mover of a compliance ecosystem, you need a superior service that is hard to replicate.
3. Compliance should help other corporate functions.

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

 Some of the situations your employees might face are along the lines of the following:

• Employees are stopped by police, military or paramilitary personnel, or militia (uniformed or not) at designated or other checkpoints or other places and a payment is demanded as a condition of passage of persons or property;
• Employees are stopped at the airport by customs or passport control personnel or military personnel and a payment is demanded for entry or exit of persons or property; or
• Employees are asked by persons claiming to be security personnel, immigration control, or health inspectors to pay for an allegedly required inoculation or other similar procedure.

The key though is that it be properly documented. But more than simply the documentation is that you must specifically list extortion payments in your books and records, so you will not be suspected with hiding them by describing them as something else. The key is to train your employees specifically on the actions to take. In your policy, state that if there is a threat to health, safety or liberty, it is not a facilitation payment but an extortion payment. Make sure that they understand what their rights are and what their obligations are to report it when they come back to the corporate office or their office. Always remember, an extortion payment is not a FCPA violation.

Three key takeaways:

1. Extortion payments are not illegal under the FCPA.
2. Was the action an extortion or some other type of situation?
3. “Document, Document, and Document” your extortion payments, both the financial component and a description of the underlying events.

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

This set of queries clearly specifies the DOJ expects an integrated approach that is operationalized throughout the company. This means your compliance program must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party management: 1) business justification; 2) questionnaire to third-party; 3) due diligence on third-party; 4) compliance terms and conditions, including payment terms; and 5) management and oversight of third parties after contract signing.

I continually give my mantra of compliance, which is “Document, Document, and Document”. Each of the steps you take in the management of your third parties must be documented. Not only must they be documented but they must be stored and managed in a manner that you can retrieve them with relative ease. The management of third parties is absolutely critical in any best practices compliance program.

Three key takeaways:

1. Use the full five-step process for third-party management.
2. Make sure you have Business Development involvement and buy-in.
3. Operationalize all steps going forward by including business unit representatives.

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

There may be emergency situations when it will be difficult or impossible for employees to obtain approvals before having to decide whether or not to pay a facilitation payment. If the facilitation payment is made in an emergency, the employee reports the facilitating payment to the compliance department and explains the emergency as soon as practical after making the facilitation payment.

Three key takeaways:

1. What was the amount of the facilitation payment?
2. Was the action truly routine?
3. How high up was the government official who received the facilitation payment? Was his or her decision discretionary?

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

In addition to these clear statements about whether the FCPA should continue to allow said bribes; you should also consider the administrative nightmare for any international company. The U.K. Bribery Act does not have any such exception, exemption or defense along the lines of the FCPA facilitation payment exception. This means that even if your company allows facilitation payments, it must exempt out every U.K. Company or subsidiary from the policy. Further, if your company employs any U.K. citizens, they are subject to the U.K. Bribery Act no matter who they work for and where they may work in the world, so they must also be exempted. Finally, if your U.S. Company does business with a U.K. or other company subject to the U.K. Bribery Act, you may be prevented contractually from making facilitation payments while working under that customer’s contract. As I said, an administrative nightmare.

Three key takeaways:

1. Do not forget the administrative nightmare of facilitation payments for international organizations.
2. The Kay decision made clear how narrow the “routine government action” exception is.
3. Facilitation payments will usually be an add-on as they are symptomatic of an ineffective compliance program.

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Three key takeaways:

1. Many companies still struggle with facilitation payments.
2. What are the five listed purposes for facilitation payments?
3. The facilitation payment exception is narrowly construed by both the courts and the Justice Department.

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Most international businesses have strategy to engage in the political process with a view to the long-term interests of the company and to promote and protect its interests. All political contributions and expenditures on behalf of the Company and management reports on these political contributions and expenditures should be reported to the Board of Directors annually. No political contributions may be made or promised unless written pre-approval has been obtained from the corporate compliance function

Three key takeaways:

1. Political candidates are covered by the FCPA.
2. What is the business purpose for the contribution?
3. Do not make contributions towards candidates who can award your company business.

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Three key takeaways:

1.What are the basic inquiries to make around charitable donations?

2.Use all of the communication tools the DOJ has provided; written guidance, enforcement actions and Opinion Releases to inform your charitable donation policy.

3. Document, Document, and Document the basis of your charitable donations risk assessment.

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Three key takeaways:

1. Every compliance practitioner should study both the Lilly and Schering-Plough enforcement actions.
2. What is the purpose of the charitable entity you are making a donation to?
3. “Document, Document, and Document” your due diligence around donors.

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

The 2020 FCPA Resource Guide clearly stated the FCPA does not ban gifts and entertainment. Indeed, it specified, “A small gift or token of esteem or gratitude is often an appropriate way for business people to display respect for each other. Some hallmarks of appropriate gift-giving are when the gift is given openly and transparently, properly recorded in the giver’s books and records, provided only to reflect esteem or gratitude, and permitted under local law. Items of nominal value, such as cab fare, reasonable meals and entertainment expenses, or company promotional items, are unlikely to improperly influence an official, and, as a result, are not, without more, items that have resulted in enforcement action by DOJ or SEC.”

These guidelines must be coupled with active training of all personnel, not only on a company’s compliance policy, but also on the corporate and individual consequences that may arise if the FCPA is violated regarding gifts and business entertainment. Lastly, it is imperative that all such gifts and business entertainment be properly recorded, as required by the books and records component of the FCPA.

And, as always, do not forget the gut check test.

Three key takeaways:

1. Gifts and business entertainment continue to plague companies for compliance violations.
2. The key is not the amount but of having a policy and procedure and following it.
3. Always remember to record gifts and business entertainment expenses correctly.

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

This concept is most appropriate in the compliance arena in the area of risk management. As your risks change, your management of those risks should adapt to the new reality. This is why the DOJ intoned in the 2023 Evaluation of Corporate Compliance Programs (ECCP) that you should assess your risks as they change, modify your risk protocols, monitor your risk management strategy and then update your compliance programs through continuous monitoring. 

This dynamic policy process can build dynamic rules to enhance your company’s ability to anticipate and cope with risk changes. When the corporate compliance function embraces experimentation and learning in the creation and reformulation of policies, it builds flexibility into the organization’s structure, processes, and practices. This type of flexibility is essential as we have moved from disaster recovery to business resiliency to business as usual, especially in the field of risk management. 

Three key takeaways:

1. After Covid-19, your policies must be as dynamic as your business.

2. There are three general areas to improve the dynamic features of policy creation and improvement; transparency, experimentation and innovation.

3. Garner feedback from your users on the effectiveness of your compliance policies.

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

After considering these issues, you should benchmark your current policies and procedures against those of other companies in your industry. If you decide to move forward, I suggest a process that can be fully documented to include revisions to your compliance policies and procedures. These points are a useful guide to not only thinking through how to determine if your policies and procedures need updating but also taking practical steps to tackle the problem. You should begin the process now if it has been more than five years since the last update. It is far better to review and update if appropriate than wait for a massive FCPA investigation to go through the process.

Three key takeaways:

1. You should do so now if you have not revised your compliance policies and procedures in the past five years.
2. Set a timeline and budget and stick to it in the compliance policy and procedure revision process.
3. Document your process of revision to demonstrate a more complete operationalization of your compliance program.

Check out The Compliance Handbook, 4th edition, here for more information.

Learn more about your ad choices. Visit megaphone.fm/adchoices

This statement made clear that the regulators will take a strong view against a company that does not have well-thought-out and articulated policies and procedures against bribery and corruption, which are systematically reviewed and updated. Moreover, having policies written out and signed by employees provides what some consider the most vital communication layer and acts as an internal control. Together with a signed acknowledgment, these documents can serve as evidentiary support if a future issue arises. In other words, the “Document, Document, and Document” mantra applies just as strongly to policies and procedures in anti-corruption compliance.

The specific written policies and procedures required for a best practices compliance program are well-known and long-established. According to the 2020 FCPA Resources Guide 2nd edition, some of the risks companies should keep in mind include the nature and extent of transactions with foreign governments (including payments to foreign officials), use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments. Policies help form the basis of expectations for standards of conduct in your company. Procedures are the documents that implement these standards of conduct.

Three key takeaways:

1. Written compliance policies and procedures, together with the Code of Conduct, form the backbone of your compliance program.

2. The DOJ and SEC expected well-thought-out and articulated compliance policies and procedures to be adequately communicated throughout your organization.

3. Institutional fairness for the application of policies and procedures demands the consistent application of your policies and procedures across the globe.

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

The Code of Conduct design and implementation process enshrine your company’s values. Those are set by senior management and their input and support for any code project, whether initial draft or update, is critical. This gets to the heart of operationalization and demonstrates how a Code of Conduct can work to meet the DOJ requirements. As an early part of your design and drafting process, you should assemble a cross-functional team. This is important for several reasons. First, diversity in your team will help produce a more well-rounded final product. But having such team diversity will also assist in your benchmarking effort, coupled with those who are going to help you out looking at designs and maybe helping forge the design of the code. Finally, you can use a group to help in the drafting, redrafting and editing process. This diversity will help you to answer all of the DOJ questions from the 2023 ECCP in a manner consistent to support operationalization.

All of these requirements point to getting out and making your Code of Conduct a part of the very fabric of your organization. By using some or all of these strategies, you will have a good starting point. But it is more than simply rollout and training. There must be ongoing communications as well.

Three key takeaways:

1. What has been the role of senior management in the creation or update of your Code of Conduct?
2. How have you worked with employees outside the compliance function to lay the groundwork for fully operationalizing your Code of Conduct?
3. How have you measured the effectiveness of your Code of Conduct training?

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Beginning with the DOJ’s 2017 Evaluation and continuing into the 2019 Guidance, is the DOJ’s emphasis in the effectiveness of training. I think everyone would understand you do need to train but now the government’s talking to us about effective training. Begin with live training that can be held at the corporate headquarters with senior management and executive involvement. Many companies will videotape a message from the CEO to help celebrate the rollout. Then there is the opportunity for localized training that gives employees an opportunity to see, meet, and speak directly with a compliance officer, not an insignificant dynamic in the corporate environment. Such personal training also sends a strong message of commitment to the Code of Conduct. It gives employees the opportunity to interact with the compliance officer by asking questions which are relevant to markets and locations outside the corporate office, which can often provide employees with the opportunity to have confidential in-person discussions.

However, your Code of Conduct training should be an extension of the way you communicate compliance in your organization. If it is divorced from your 360-degrees of compliance communications style, you may well be missing an opportunity to drive better understanding of the code and denigrate the effectiveness of the training. Whatever approach is used, one of the critical factors is the length of time of the training session. Although lawyers and ethics and compliance professionals can (sometimes) sit through a multi-hour Code of Conduct lesson, it is almost impossible to keep the attention of business and operations employees for such a length of time. The presentation and number of PowerPoint slides must be kept to a manageable length before the attendee’s eyes start to glaze over.

 Three key takeaways:

1. Consider a video message from your CEO to help roll out your Code of Conduct initiation or update.
2. Tailor your Code of Conduct training to your workforce.
3. Consider interactive and modular approaches to Code of Conduct training.

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

There are two factors that a company should consider in the structure of a Code of Conduct. The first is to consider how your organization generally communicates, overlaid with the most effective way to communicate with the various stakeholders who will read and use it. These stakeholders can include such diverse groups as employees, shareholders, and third parties on both the sales and supply side of your business. This may require multiple approaches.

Be sure to make your code readable. This is beyond simply eliminating legalese. It is writing English at a grade level that is sufficient for your employee population. It may be that an eighth-grade language level is appropriate for your workforce. However, if you have a population consisting primarily of professionals, translating it into the appropriate languages it might be appropriate to aim for a higher level of language. Finally, you do not have to say the same thing, in multiple different ways.

Three key takeaways:

1. Companies have moved past having a Code of Conduct written by lawyers for lawyers to a fully interactive code for all employees.
2. Consider how information is distributed at your organization as a basis for communication in your Code of Conduct.
3. Your Code of Conduct must be readable, in both in English and native language for non-English speaking employees.

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Indeed violation of your Code of Conduct can form the basis of a domestic FCPA enforcement action. In an enforcement action involving United Airlines, Inc., a breach of the Code of Conduct by the Company CEO was determined to be an FCPA internal controls violation. It involved a clear quid pro quo benefit paid out by United to David Samson, the former Chairman of the Board of Directors of the Port Authority of New York and New Jersey. This public government entity has authority over, among other things, United’s operations at the company’s huge east coast hub in Newark, NJ.

Your Code of Conduct should be tailored to your company’s culture, industry, and corporate identity. It should provide a mechanism by which employees trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used for employee review and evaluation. It should certainly be invoked if there is a violation. Your company’s disciplinary procedures must be stated in the Code. These would include all forms of disciplines, up to and including dismissal, for serious violations of the Code. Further, your company’s Code should emphasize it will comply with all applicable laws and regulations wherever it does business. The code must be written in plain English and translated into other languages so all applicable persons can understand it.

Three key takeaways:

1 A Code of Conduct is a foundational document in any compliance regime.

2 The substance of your Code of Conduct should be tailored to the company’s culture, industry, and corporate identity.

3 “Document, Document, and Document” your training and communication efforts regarding your Code of Conduct.

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Following your Code of Conduct is written policies and procedures required for a best practices compliance program are well- known and long established. The role of compliance policies is to provide guidance and to protect companies, despite an occasional hick-up. Policies provide a basic set of guidelines for employees to follow. They can include general do’s and don’ts, work process flows, specific issue guidelines. By establishing what is and is not acceptable compliance behavior, a company can mitigate the compliance risks posed by employees who might make foolish decisions or otherwise engage in unethical behavior.

There are numerous reasons to put some serious work into your Code of Conduct, policies and procedures. They are certainly a first line of defense when the government comes knocking. This means the regulators will take a strong view against a company that does not have well thought out and articulated policies, procedures or Code of Conduct; all of which are systematically reviewed and updated. Written policies, signed by employees provide a vital layer of communication. Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the “Document, Document, Document” mantra applies just as strongly to this area of anti-corruption compliance.

Three key takeaways:

1. A Code of Conduct, together with policies and procedures, have long been recognized as cornerstones of a best practices compliance policy.
2. Each level of written standards builds upon one another, so consider this integration step.
3. The Fair Process Doctrine applies to your written standards.

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Effective communication of policies and procedures for compliance is a critical aspect of any successful organization. It is the backbone of a robust Code of Conduct, which serves as a written representation of a company's ethical principles. Tom Fox, a renowned expert in the field, offers unique insights into this topic. He emphasizes the importance of written standards, including codes of conduct, policies, and procedures, as the cornerstone of any best practices compliance program. Fox's perspective is informed by the Department of Justice's Evaluation of Corporate Compliance Programs, which provides a framework for companies to assess the effectiveness of their policies and procedures. He underscores the need for comprehensive, accessible, and well-communicated written protocols to prevent, detect, and remediate compliance issues. Join Tom Fox on this episode of the 31 Days to a More Effective Compliance Program podcast to delve deeper into this crucial topic.

Three key takeaways: 

1. The cornerstone of any best practices compliance program is its written protocols.
2. Written standards work to prevent, detect and remediate.
3. What are the specific written protocols you should have in your compliance program?

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

1. How are compliance goals cascaded down to individual workers?
2. Does anyone complain that your compliance targets are too complex?
3. How do you deal with repeated compliance failures in a specific business segment or compliance program area?
4. How does your company show that attracting and developing talent who will engage in ethical business conduct is a top priority?
5. How long is compliance underperforming tolerated?
6. What makes it distinctive to work at your company?
7. How do compliance programs that are not working typically get exposed and remediated?
8. What key compliance indicators do you use for compliance tracking?
9. For a given compliance problem, how do you identify the root cause?
10. What are you doing to retain your top employees from the compliance perspective?

Compliance practitioners continually face the challenge of keeping up with the ever-evolving compliance best practices with little or no budget increase. By asking yourself and of your compliance program these questions you may create a road map to more fully operationalize your compliance regime.

Three key takeaways:

1. What are the unique compliance targets you have set and how interconnected are they to your business unit goals?
2. Use a root cause analysis to determine why compliance initiatives are not successful.
3. Retraining employees in compliance is an under-utilized tool.

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

The role of HR in implementing compliance programs is a critical aspect of maintaining best practices within an organization. Traditional HR functions can serve as compliance internal controls, and that every touch point in the employment relationship can serve as a control for compliance. Fox's insights are derived from his extensive experience and deep understanding of the compliance and HR environment. He emphasizes the importance of conducting a comprehensive gap analysis and fostering collaboration between HR and business units to enhance the compliance program.

Finally, work with HR to create a consolidated Human Resources Compliance Audit Checklist that can be used to audit (and document) the company’s HR Compliance Program. The key to compliance, in my opinion, is having the proper structure to identify the issues, implement policies and procedures to address the issues, audit for compliance and “Document, Document, and Document”.

 Three key takeaways:

1. A gap analysis is a key component in the risk assessment process.
2. The ultimate responsibility should lie with the business units and functional discipline to fully operationalize compliance.
3. The role of the compliance department is to oversee, provide subject matter expertise and coordinate.

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Culture of Compliance – How often and how does the company measure its culture of compliance? Does the company seek input from all levels of employees to determine whether they perceive senior and middle management’s commitment to compliance? What steps has the company taken in response to its measurement of the compliance culture?

These questions point to a CCO or compliance practitioner demonstrating how a culture of compliance is being burned into the very fabric of an organization. While leadership at and from the top has long been considered by both the DOJ and compliance professionals as a key element to move compliance forward, the 2019 Evaluation has also crystalized thinking around compliance culture throughout the organization, including at the bottom

Too often, strategies to move a compliance program or even an initiative come from the top of an organization and are pushed down. To fully operationalize compliance, you must have leadership in compliance further down the organization which (hopefully) has been a part of the design process and can lead the implementation throughout an organization.

Three key takeaways:

1. While tone at the top is critical, the tone at the bottom can work to more fully operationalize compliance.
2. 95% of the work is done at this bottom level.
3. Use HR to come up with a strategy to move compliance into the bottom for more complete operationalization.

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

The DOJ expects compliance to be operationalized down to the middle management level. Further experience has shown that employees prefer to speak to their direct supervisors about issues or potential compliance violations they become aware of. The question is: how can a corporate compliance function reach middle management? This is a key area of assistance that Human Resources can provide, as one of the ways that HR can help to operationalize compliance is to assist each level of an organization to have a proper tone, specifically the middle of an organization.

You must think about your communication lines and communication skills when conveying your message of compliance from the top into the middle of your organization.

Three key takeaways:

1. While the tone at the top is critical, the tone in the middle can work more fully to operationalize compliance.
2. How do you train middle managers?
3. What compliance tool kit do you provide to middle managers?

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

The role of HR in corporate compliance programs should be more recognized. Suppose your company has a culture where compliance is perceived to compete or, worse yet, antithetical to HR. In that case, the company must hit all cylinders and may be moving towards dysfunction. Another way you can operationalize compliance is through HR’s involvement in employee promotion. Such compliance embedded into the promotion process can also be considered an internal compliance control. By doing so, your compliance may work to create an effective internal controls regime as mandated by the FCPA and other anti-corruption laws.

Three key takeaways:

1. Denying a promotion or award due to an employee’s ethical lapses.
2. Use promotions to reinforce your company’s commitment to compliance and ethics.
3. Should you wait for great?

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

The exit interview can be a further mechanism to operationalize compliance. This type of interview is used when someone voluntarily departs from a company, as opposed to a lay-off or reduction in force exercise. Typically departing employees are more willing to share about their experiences, concerns and issues which led to their employment departure.

Exit interviews are a powerful tool for fully operationalizing a best practices compliance program. They provide organizations with invaluable insights into employee perceptions, job design, and culture. By treating departing employees with dignity and respect, organizations can transform them into lifelong advocates, defending the organization's reputation and recommending it to potential employees. Compliance ambassadors play a crucial role in strengthening compliance efforts, providing additional resources and support in regulatory issues. By asking detailed questions and fostering collaboration between compliance and HR, organizations can harness the power of exit interviews to enhance motivation, efficiency, and effectiveness in their compliance programs.

Three key takeaways:

1. The exit interview is an excellent opportunity to obtain information to inform your compliance program.
2. Use the exit interview to create advocates from departing employees.
3. Use the exit interview for probing and insightful questions around compliance.

For more information, check out The Compliance Handbook, 4th edition here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

The reasons for these actions are to allow you to demonstrate that any laid off employee was not separated because of a hotline or whistleblower allegation but due to your overall layoff scheme. However, it could be that you may need this person to provide your compliance department additional information, to be a resource to you going forward, or even a witness that you can reasonably anticipate the government may want to interview. If any of these situations exist, if you do not plan for their eventuality before you lay off the employee, said (now) ex-employee may not be inclined to cooperate with you going forward. Also, if you do demonstrate that you are sincerely interested in a meritorious hotline complaint, it may keep this person from becoming a SEC whistleblower.

Three key takeaways:

1. Treat departing employees with dignity.
2. Make sure your separation documents meet SEC requirements regarding disclosures re: whistleblowing.
3. You must check your hotline and anonymous reporting systems to make sure you do not lay off a whistleblower.

For more information, check out The Compliance Handbook, 4th edition here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Tom highlights the importance of developing a comprehensive job profile. Maurice Gilbert provides insights on the topic, emphasizing the need for companies to understand their specific needs and risks when creating a job profile for the CCO position. The podcast also discusses the importance of involving key stakeholders, setting realistic expectations, and considering professional growth opportunities and an attractive package for potential candidates. By involving key stakeholders in defining the role of the CCO and seeking the assistance of a professional executive recruiter, companies can find the right fit for their compliance program's success.

Three key takeaways:

1. Bring in your key stakeholders to flesh out the job description.
2. Consider the top four things you would like a new CCO to accomplish in the first year.
3. For a new CCO to succeed, the company must have a realistic expectation developed before the process begins.

For more information, check out The Compliance Handbook, 4th edition here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Incentive System…Have there been specific examples of actions taken (e.g., promotions or awards denied) as a result of compliance and ethics considerations? Who determines the compensation, including bonuses, as well as discipline and promotion of compliance personnel?

Most HR experts will opine that properly executed performance appraisals are crucial to organizational productivity as well as the development of employee skills and employee morale. Moreover, they can serve a couple of different functions for a best practices compliance program. First, and foremost, they communicate to each employee their job performance from a compliance perspective.

Tom emphasizes the vital role of human resources in incorporating compliance into performance reviews and appraisals, ensuring it becomes ingrained in an organization's DNA. He discusses the need for concrete examples of actions taken as a result of compliance considerations to demonstrate the seriousness of compliance. Fox provides practical tips for conducting effective compliance employee appraisals, including giving constructive feedback and addressing compliance shortcomings. The episodes stress the continuous nature of performance appraisals and their impact on compensation and incentives within a compliance program. By conducting multiple appraisals throughout the year, compliance can be embedded into the company culture and compliance failures can be promptly addressed.

Three key takeaways:

1. To incentivize compliance, you must be able to accurately appraise senior managers and employees around compliance.
2. Clearly communicate your compliance expectations, then fairly evaluate employees on them.
3. Consider conducting an ongoing review.

For more information, check out The Compliance Handbook, 4th edition here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Succession planning in compliance is a critical and ongoing process that should not be left until the last minute, according to Tom Fox in this podcast episode. With a focus on prevention, detection, and response to compliance issues, evaluation and engagement of the Board of Directors are crucial. The importance of transparency, communication, and fully operationalizing compliance into the business unit is emphasized. HR's role in assessing candidates' views on business ethics and inculcating compliance values is highlighted. Continuous controls monitoring and sophisticated tools can help ensure compliance programs evolve effectively. Overall, these episodes provide valuable insights into the importance of succession planning and continuous evaluation in maintaining a successful organization.

Three key takeaways:

1. Succession planning is just as important as governance, enterprise risk and strategic oversight.
2. Do not begin your succession planning when a senior manager announces their retirement.
3. You are always being evaluated (or you should be).

For more information, check out The Compliance Handbook, 4th edition here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

One key aspect discussed is the need for a robust whistleblower reporting system that encourages employees to come forward with concerns without fear of retaliation. Discipline and clear disciplinary procedures are also highlighted as crucial for maintaining credibility and preventing compliance violations. The fair process doctrine is discussed, emphasizing the importance of consistent and fair administration of discipline and the inclusion of compliance in employee evaluations and promotions. The episodes also emphasize the need for fair and impartial internal investigations to maintain employee trust. Overall, HR is shown to be instrumental in promoting a culture of compliance and ethical behavior.

Three key takeaways:

1. The DOJ and SEC have long called for appropriate and consistent application of both incentives and discipline.
2. The Fair Process Doctrine will help set institutional justice as the norm in your organization.
3. Inconsistent application of discipline will destroy your compliance program credibility.

For more information, check out The Compliance Handbook, 4th edition here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Incentive System – Has the company considered the implications of its incentives and rewards on compliance? How does the company incentivize compliance and ethical behavior? Have there been specific examples of actions taken (e.g., promotions or awards denied) as a result of compliance and ethics considerations? Who determines the compensation, including bonuses, as well as discipline and promotion of compliance personnel?

In this podcast episode titled "Sales Incentives and Compliance," Tom Fox explores the risks and consequences of misaligned sales incentives. Using the Wells Fargo scandal as an example, Fox discusses how a flawed incentive program can lead to compliance failures. He emphasizes the importance of aligning incentives with compliance goals and highlights the role of human resources in implementing effective compliance programs. The podcast warns that sales incentive programs can become high risk or even illegal if not properly designed and monitored. It concludes by emphasizing the significance of HR's involvement in creating a more effective compliance program and its impact on overall organizational success.

Three key takeaways:

1. Even a benign sales incentive program came become skewed.
2. A sales incentive program can become high risk or illegal if not properly monitored.
3. If there is alignment between the strategy, purpose and structure of an incentive system, it often makes the difference between a good and a bad one.

For more information, check out The Compliance Handbook, 4th edition here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

 Three key takeaways:

1. The DOJ now mandates clawbacks in a compliance program.

2. The SEC has passed a clawback rule apart from the Monaco Memo.

3. Your clawback program should be well-documented. 

For more information, check out The Compliance Handbook, 4th edition, available on LexisNexis.com.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Three key takeaways:

1. Perverse incentives are named that for a reason; they really are bad.

2. How can you create positive incentives in your organization?

3. There is a business response to this legal issue. Employ it.

For more information, check out The Compliance Handbook, 4th edition, available on LexisNexis.com.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Three key takeaways:

1. The DOJ and SEC have long advocated compensation to motivate employees into ethical and compliant behaviors.
2. Keep the compliance aspects of your compensation structure simple and easy for your employees to understand.
3. Have full transparency in the frame of your compensation structure.

For more information, check out The Compliance Handbook, 4th edition, available on LexisNexis.com.

Learn more about your ad choices. Visit megaphone.fm/adchoices

1.     Compliance incentives don’t have to be elaborate or novel. 

2.     Compliance incentives need supporting systems if they are to stick.

3.     Support systems are needed to reinforce compliance incentives.

4.     Compliance incentives need a “counterweight” to endure.

5.     Compliance incentive alignment works in an oblique, not linear, way.

6.     Compliance incentive initiatives can be implemented at all levels.

Obviously, this list is not exhaustive. Yet it is now more important than ever that you demonstrate tangible incentives for your employees to gain benefits, both financial and hierarchical, through doing business ethically, in compliance with your own Code of Conduct and most certainly in compliance with relevant anti-bribery laws. It is also a requirement that such actions be documented so they can be demonstrated to the regulators, if they come knocking. 

Three key takeaways:

1. Compliance incentives do not have to be elaborate or novel.
2. You must create support systems for your compliance incentives. 
3. Compliance incentives should be implemented at all levels. 

Learn more about your ad choices. Visit megaphone.fm/adchoices

In this episode, Tom Fox explores the role of HR in implementing effective compliance programs within companies. The episode focuses on the importance of incentivizing compliance and ethical behavior through both financial and non-financial incentives. The Department of Justice's guidance emphasizes the need for positive incentives, such as personal evaluations, promotions, and rewards for ethics and compliance leadership. The podcast discusses various avenues for implementing incentives, including cash bonuses and non-compensation rewards like t-shirts or ethical awards. It emphasizes the role of HR in driving the right behavior through incentive structures and warns against solely promoting based on financial targets. Overall, the podcast highlights the significance of HR in creating a fully operationalized compliance program that fosters an ethical work environment.

 Three key takeaways:

1. The DOJ 2023 ECCP specifically calls out incentives for doing business ethically and in compliance.
2. HR can lead the efforts around incentives.
3. Incentives go beyond financial rewards.

For more information, check out The Compliance Handbook, 4th edition, available on LexisNexis.com.

Learn more about your ad choices. Visit megaphone.fm/adchoices

The hiring of someone who will perform business activities in compliance with anti-corruption laws such as the FCPA will continue to be as much art as science because the hiring of quality employees for senior management positions is similarly situated. But that does not mean a company cannot work to not hire those persons who might have a propensity to engage in bribery and corruption if the situation presented itself. The hiring process is just one more tool that can be utilized to build an effective and operationalized compliance program. 

Three key takeaways:

1. The hiring process is the first step in operationalizing your compliance program.
2. The DOJ spoke to hiring as part of a best practices compliance program as far back as 2004.
3. Reference checks are an underutilized part of the hiring process and a key internal HR control. 

For more information, check out The Compliance Handbook, 4th edition, available on LexisNexis.com.

Learn more about your ad choices. Visit megaphone.fm/adchoices

This is where your HR function has a dual role, with both their traditional hiring role and in a compliance function. They can work to help weed out such miscreants and to communicate your corporate values of doing business ethically, in compliance and aligned with your corporate values of integrity.

Through a structured series of questions, however, a properly trained HR professional can begin to assess whether an employee might have a propensity to engage in bribery and corruption. By adding information about your company’s values towards doing business ethically and in compliance, you can introduce this topic at either the interview evaluating process or in the promotion process. While true sociopaths will most certainly lie to you, perhaps even convincingly, by introducing the topic at such a pre-employment stage, they may be encouraged to take their skills elsewhere

Three key takeaways:

1. Use the interview process to determine who will be an ethical and compliance fit for your organization.
2. Consider the skill, will and fit approach.
3. Ask open-ended questions.

For more information, check out The Compliance Handbook, 4th edition, available on LexisNexis.com.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Ethics and compliance blend together in the corporate world. It is not just the responsibility of CCOs and compliance practitioners but of HR to support those employees who want to do the right thing. While written protocols are significant in both detection and prevention, one should never lose sight of a corporate culture as a way to positively impact your workforce and company going forward.

Three key takeaways:

1. Beware of the three obstacles to creating an ethical culture.
2. What really matters in your company?
3. A speak up culture will improve the operational performance of your business.

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Even more important is the operationalization of compliance into the fabric of the business. One of the key indicia of compliance program effectiveness is how thoroughly each separate corporate discipline incorporates compliance into its everyday job functions. An active and functioning compliance program will literally be alive in each department in an organization.

HR has as many touchpoints as any other corporation function with employees. From interviews to onboarding, through evaluations and performance appraisals, even to the separation process; HR leads many of the corporate touchpoints. Each one of these touchpoints can be used to teach, educate and reinforce the message of doing business ethically and in compliance with anti-corruption laws

Three key takeaways:

1. What are the HR-employee touchpoints at your company?
2. HR professionals can bring new, dynamic and innovative techniques to compliance
3. Go down and have a cup of coffee with the head of your corporate HR department. Find out what they do and how they do it.

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

1.  A client is seeking legal advice or a lawyer’s services;
2. The person to whom the communication is made is a lawyer or his or her representative;
3. The communication relates to a fact disclosed from a client (a representative) to a lawyer (a representative);
4. Strangers are not present;
5. A client requires confidentiality.

In addition to the attorney-client privilege there is another privilege which can come into play around internal investigations. It is the attorney work-product doctrine. Keltner noted, “The attorney-client privilege and the attorney work-product doctrine are often asserted interchangeably. While there is some overlap between the two, the attorney-client privilege is significantly different than the attorney work-product doctrine.” Moreover as “codified in Fed R.Civ. P. 26(b)(3), [the attorney/work product] provides a qualified protection to materials prepared by party’s counsel or other representative in the anticipation of litigation.” The doctrine exists “because it permits lawyers to “work with a certain degree of privacy, free from unnecessary intrusion by opposing parties . . .””

Three key takeaways:

1. Note the differences in the attorney-client privilege and attorney work-product doctrine.
2. Both can be waived intentionally or through inadvertent conduct.
3. Take care on attorney work-product outside the U.S., where there may be no privilege at all.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Employees who are subject to being interviewed or otherwise required to cooperate in an internal investigation may find themselves on the sharp horns of a dilemma requiring either (1) cooperating with the internal investigation or (2) losing their jobs for failure to cooperate by providing documents, testimony or other evidence. Many U.S. businesses mandate full employee cooperation with internal investigations or those handled by outside counsel on behalf of a corporation. These requirements can exert a coercive force, “often inducing employees to act contrary to their personal legal interests in favor of candidly disclosing wrongdoing to corporate counsel.” Moreover, such a corporate policy may permit a company to claim to the government a spirit of cooperation in the hopes of avoiding prosecution in addition to increasing the chances of earning meaningful credit under the U.S. Sentencing Guidelines or the FCPA Corporate Enforcement Policy.

Three key takeaways:

1. Make sure you provide an Upjohn warning.
2. If an employee demands counsel to represent them during an internal investigation, who bears the cost?
3. Always check state law requirements around internal investigations.

Learn more about your ad choices. Visit megaphone.fm/adchoices

• Consider whether you need independent outside counsel. 
• Consider hiring an experienced investigator to lead the internal investigation. 
• Consider the need to retain outside experts. 
• Analyze potential conflicts of interest at the outset and during the investigation. 
• Carefully evaluate whistleblower allegations. 
• Request regular updates from outside counsel, without limiting the investigation. 
• Consider whether an oral report at the conclusion of the investigation is sufficient. 

The authors conclude their piece by stating, “By keeping in mind the issues addressed above, the Board will be better prepared for the investigation and readily able to exercise good judgment throughout the review. A well-conducted investigation by the Board may spare the company further disruption and costs associated with follow-on investigations by the regulators, or at the very least minimize the company’s exposure.”

Three key takeaways:

1. Retain the right counsel. Consider conflicts and appearance.
2. Carefully evaluate all whistleblower allegations and reject retaliation.
3. Consider receiving oral reports on an ongoing basis and one lengthy oral report at the end of the investigation.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Dan Chapman has said this is the time for a very frank conversation with your Board about what such an investigation will entail. Costs must be adequately discussed to set proper expectations. These include both direct costs and, what Chapman believes may be even more important, a discussion of indirect costs to the company. He noted, “the biggest cost to a company during an investigation is the diversion of management resources” and, as he further explained, “everything stops to focus on the investigation.” This indirect cost comes through largely the time commitment of senior management. He further explained, “if senior management has to commit 20% of their time to the investigation, that’s 20% that’s not going towards revenue generating, shareholder value protecting activities.”

Finally, Jonathan Marks has noted after notification of serious allegations, Boards should take the following steps:

• Consider creating a Special Committee to conduct the investigation;

• Establish a committee charter;

• Preserve the electronic and hardcopy documentation environment;

• Communicate with external auditors; and

• Plan potential communication with the SEC, DOJ, and the relevant stock exchange.

Marks also notes that while a special committee might be necessary in certain rare circumstances, the Board should try to avoid forming a special investigative committee to oversee the investigation if the Audit Committee is composed of independent and disinterested directors that are suited for the task. A special committee must be disbanded at some point (usually once the investigation is completed and before the restatement process begins), and the disbanding could become a complicated news item. Conversely, if the Audit Committee oversees the investigation, then, once the investigation is complete, they can pivot back to their normal role, which would include overseeing the actual restatement process. Investigations overseen by the Audit Committee also benefit from the positive relationship that the committee chair usually has with the audit partner of the company’s external auditor.

 Three key takeaways:

1. The Board should have a written protocol for investigations prepared in advance.

2. Any Board led investigation must be both credible and objective.

3. The investigation must be thorough but the Board can be cost effective.

Learn more about your ad choices. Visit megaphone.fm/adchoices

In addition to robust investigation, a company must engage in remediation of the offending conduct. The 2020 Update to the Evaluation of Corporate Compliance Programs mandated the additional significance of this by providing that this process must be considered “both at the time of the offense and at the time of the charging decision and resolution”. When you consider the strictures around continuous monitoring and continuous improvement in compliance programs it is clear why this analysis is so important. Obviously, a key test of any compliance program is when a deficiency is found and a violation occurs. The question then becomes, what did you do about it.

But from the DOJ (and Securities and Exchange Commission) perspective, the key is to use the information to both fix the problem so that it does not occur again but also improve your compliance regime.

Three key takeaways:

1. How does your investigation inform your remediation plan?
2. A compliance program failure offers a way to upgrade your regime.
3. Your investigative team must inform your remediation team.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Offer interview translations.

Avoid cultural pitfalls.

Observe data privacy restrictions.

Comply with labor requirements.

Be aware of other local requirements.

Put forms in native translations.

Preserve the attorney-client privilege.

Prepare for local enforcement actions.

Prepare for security risks.

Protect whistleblowers.

Three key takeaways:

1. Use translators and translations of key documents in witness interviews.
2. Use local counsel to facilitate the investigation and to help navigate any local anti-corruption investigation issues.
3. Never, never, never retaliate. The SEC will pay whistleblower bounties for non-U.S. citizens.

Learn more about your ad choices. Visit megaphone.fm/adchoices

There is no one right way to prepare for and conduct an interview. What is important is that you have a plan and execute on that plan. Begin by obtaining an understanding of what the various stakeholders want answers to. This could include the Board of Directors, C-Suite executives, the GC and legal department, the CCO and compliance function or up to government regulators such as the SEC or DOJ.

Three key takeaways:

1. There is no one right way to prepare and do an interview.
2. The interview should not be confrontational.
3. The interview, like the entire investigation process, is a chess match.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Planning your investigation, having the right team members involved and meeting the challenges which inevitably arise during an investigation can be difficult. However, beginning with the DOJ’s 2015 Yates Memo, the 2016 FCPA Pilot Program, and the 2017 and 2019 versions Evaluation of Corporate Compliance Programs, together with the 2020 Update, 2023 ECCP and FCPA Corporate Enforcement Policy, the pressure on every CCO and company to get an investigation done quickly, efficiently and, most importantly, right is even greater now. Marks has laid out a concrete way for you to think through how to plan an investigation, staff it properly and meet the inevitable challenges.

Three key takeaways:

1. The intake process may seem the most straight-forward but many companies drop the ball at this initial step.
2. You must never retaliate against employees who come forward in good faith.
3. Always think several steps ahead.

Learn more about your ad choices. Visit megaphone.fm/adchoices

As data collection, retention and preservation are critical elements of any significant internal investigation you will need to have the involvement of your IT function. IT can help put a litigation hold on documents that can help with the preservation of data in other areas of the organization. Further, they can assist with certain other aspects as more facts and circumstances are known.

HR is often an underutilized function for an internal investigator. HR can provide context about employees’ work history. There may be notes in HR areas as diverse as training and exit interviews. HR can also give the investigator some insight regarding the credibility of the individual who might be making the allegation. For example, are they good and trusted employees? How long have they been there? What’s their general demeanor? What’s been the feedback on that particular individual?

Forensic accountants should be a part of your investigation team. Such a skilled set team member can bring an investigative mind that drives them to answer questions about what occurred, when and how it happened, and who was involved. However, most lawyers do not understand how forensic accounting is performed and how they can assist your compliance investigation going forward.

Obviously, the GC would be involved to help protect the attorney-client privilege if for no other reason. Further, an investigation needs to have compliance involved, to understand what compliance program was in place at the time of the incident in question, what procedures submission had, and understand if this truly was a gap in the compliance function or maybe there was an area within the compliance function that was not operating as prescribed, or maybe it was a little bit weak.

Three key takeaways:

1. HR plays a key but often underused role in internal investigations.

2. The Board of Directors and senior management have different roles.

3. Use your legal department to protect the privilege.

Learn more about your ad choices. Visit megaphone.fm/adchoices

There are three reasons for a company to retain independent counsel for internal investigations of severe whistleblower complaints. First, André Agassi was right, perception is reality. Secondly, if regular outside counsel investigates their own prior legal work or legal advice, a very large and potentially messy number of loyalty and privilege issues can arise in the internal investigation. The third reason is the relationship of the regular outside counsel or law firm with regulatory authorities. If a company’s regular outside counsel performs the internal investigation and the results turn out favorably for the company, the regulators may ask if the investigation was a whitewash or at the very least, less than robust. If the SEC or DOJ cannot rely on a company’s own internal investigation, it may perform the investigation all over again with its own personnel. Further, these regulators may believe that the company, and its law firm, have engaged in a cover-up. This is certainly not the way to buy credibility.

Three key takeaways:

1. Serious allegations demand a serious response, with seriously good lawyers leading the investigation.
2. Credibility is the biggest thing that any person or company brings to the table when sitting across from the DOJ or SEC.
3. The use of regular corporate counsel can negatively impact your investigation because of the issues of loyalty and privilege.

For more information, check out The Compliance Handbook, 4th edition.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Jonathan Marks began by cautioning that when considering any well-run internal investigation, a CCO must be cognizant of the strictures laid out in the Evaluation. It all begins with who in-house is looking at the complaint and does the CCO, compliance practitioner, or legal team have the skills and capabilities to handle the matter which has arisen. Obviously, if there are esoteric accounting issues or significant internal control workarounds and overrides, a CCO may not have the skills to really understand all the issues. Similarly, if the matter is a global FCPA or equivalent bribery and corruption matter, Marks related, these “come in different flavors, and because they come in different flavors you may not have the skills or capabilities to do an investigation that would take place in say Brazil or Russia or China or India.”

Three key takeaways:

1. Always remember your ultimate audience may be the government.
2. You must understand both the business environment and extended business enterprise.
3. Communication and collaboration in any investigation are critical so you should begin early and continue to do so throughout the investigation.
4. 
   

Learn more about your ad choices. Visit megaphone.fm/adchoices

 Properly Scoped Investigations by Qualified Personnel – How does the company determine which complaints or red flags merit further investigation? How does the company ensure that investigations are properly scoped? What steps does the company take to ensure investigations are independent, objective, appropriately conducted, and properly documented? How does the company determine who should conduct an investigation, and who makes that determination?

 Investigation Response – Does the company apply timing metrics to ensure responsiveness? Does the company have a process for monitoring the outcome of investigations and ensuring accountability for the response to any findings or recommendations?

 Resources and Tracking of Results – Are the reporting and investigating mechanisms sufficiently funded? How has the company collected, tracked, analyzed, and used information from its reporting mechanisms? Does the company periodically analyze the reports or investigation findings for patterns of misconduct or other red flags for compliance weaknesses? Does the company periodically test the effectiveness of the hotline, for example by tracking a report from start to finish?

In a presentation, Jay Martin, and Jacki Trevino discussed the specifics of an investigation protocol. It consisted of 1) opening and categorizing the case; 2) planning the investigation; 3) executing the investigation plan; 4) determining appropriate follow-up, and 5) closing the case. If you follow this basic protocol, you should be able to work through most investigations, in a clear, concise, and cost-effective manner. Furthermore, you should have a report at the end of the day which should stand up to later scrutiny if a regulator comes looking. Finally, you will be able to “Document, Document, and Document”, not only the steps you took but why and the outcome obtained.

Three key takeaways:

1. A written protocol, created before an investigation, is a key starting point.
2. Create specific steps to follow so there will be full transparency and documentation going forward.
3. Consistency in approach is critical.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Appropriate triage of allegations has several different impacts for any matter which comes to the attention of compliance. Obviously, it will help you to initially determine the seriousness of the matter. From there you can allocate an appropriate level of resources. It will also aid in your discussion with the DOJ if you must go that route. Finally, in the situation where facts come in, it provides the required documented evidence that a process was followed that you can show the government that a claim was properly scoped, as required under the Evaluation. But the key is to be prepared, not only in terms of having your investigation and notification protocols in place before an allegation comes in but also doing the proper triage so that you have an initial understanding of what you may be facing.

Three key takeaways:

1. Compliance can learn from M*A*S*H about the need for triage.
2. Initial triage allows you to separate the wheat of serious allegations from the chaff of more inconsequential allegations.
3. A robust triage process allows for greater credibility with government regulators.

Learn more about your ad choices. Visit megaphone.fm/adchoices

In Houston, we have experienced energy companies laying off upwards of 30% of their workforce, both in the US and abroad. Employment separations can be one of the trickiest maneuvers to manage in the spectrum of the employment relationship. Even when an employee is aware layoffs are coming it can still be quite a shock when Human Resources (HR) shows up at their door and says, “Come with me.” However, layoffs, massive or otherwise, can present some unique challenges for the FCPA compliance practitioner. Employees can use layoffs to claim that they were retaliated against for a wide variety of complaints, including those for concerns that impact the compliance practitioner. Yet there are several actions you can take to protect your company as much as possible.

The reason for these actions are to allow you to demonstrate that any laid off employee was not separated because of a hotline or whistleblower allegation but due to your overall layoff scheme. However it could be that you may need this person to provide your compliance department additional information, to be a resource to you going forward, or even a witness that you can reasonably anticipate the government may want to interview. If any of these situations exist, if you do not plan for their eventuality before you layoff the employee, said (now) ex-employee may not be inclined to cooperate with you going forward. Also if you do demonstrate that you are sincerely interested in a meritorious hotline complaint, it may keep this person from becoming a SEC whistleblower.

Three Key Takeaways

1. An employment separation is a critical time if an internal report has been made.
2. Have appropriate language in your separation agreement.
3. Treat terminated employees with dignity and respect.

Learn more about your ad choices. Visit megaphone.fm/adchoices

This was expanded in the DOJ’s 2020 Guidance, in the section entitled “D. Confidential Reporting Structure and Investigation Process,” with the following language, “Another hallmark of a well-designed compliance program is the existence of an efficient and trusted mechanism by which employees can anonymously or confidentially report allegations of a breach of the company’s code of conduct, company policies, or suspected or actual misconduct. Prosecutors should assess whether the company’s complaint-handling process includes proactive measures to create a workplace atmosphere without fear of retaliation, appropriate processes for submitting complaints, and processes to protect whistleblowers.”

Three Key Takeaways:

1. Internal reporting systems indicate a working, operationalized compliance program.
2. There must be a solid communication line between the people doing the investigation and those leading the remediation.
3. Your internal reporting mechanism must be trusted.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Three key takeaways:

1. Get the word out to your employees about your company hotline through a variety of mediums and platforms.
2. Train your employees on the use of the hotline.
3. Use data from your hotline to continually update and improve your compliance program.

Learn more about your ad choices. Visit megaphone.fm/adchoices

The favoritism problem. HR led an investigation that included questioning all IT managers about their direct reports and employees of their unit. The company determined that there was only one instance of a manger hiring a family member (a brother-in-law), but that person did not report to the manager and was in a different section of the IT organization. This finding made clear that there were misperceptions in the IT department, which affected the department morale. 

Manipulation of data for bonuses. The company used the hotline to obtain more information from the callers on “isolating the metrics and the managers in question.” It was determined that the bonuses of a select few IT managers were indeed influenced by a questionable data source, which was controlled by a non-manager with minimal oversight and controls. 

Basic tenets of an effective hotline. This case study provided three key tenets of an effective internal reporting system:

• First, a helpline is of no value if the workforce is not aware of it. 

• Second, the ethics and compliance office obtained support from the Chief Information Officer (CIO) which likely influenced the success of the training and communications delivered by the ethics and compliance staff.

• Third, the awareness of the helpline is not sufficient to ensure success as you must make sure that issues and allegations are addressed and investigated. 

This case study demonstrates the power of a hotline. The company’s Compliance Department “established the credibility of the helpline as a resource to raise issues and report misconduct. 

 Three key takeaways:

1. Hotlines can be powerful tools for the compliance professional.

2. Simply because you have no hotline complaints does not mean you do not have any compliance or ethics issues which need review and resolution.

3. Adequate follow up is a key part of overall hotline effectiveness.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Conversely, companies which were observed to be a more limited user of whistleblower reporting systems are companies that were seen to have poor governance. They are more prone to financial accounting issues, such as discretionary accruals, which could prove problematic. These tend to be smaller and less mature firms. Their overall compliance programs were generally not seen as robust or as effective as those in larger, more mature organizations. Finally, these firms, probably because they were smaller and less mature, are more prone to extreme growth and the problems associated with trying to scale up quickly.

All of this points to one unmistakable conclusion, a robust whistleblower reporting system facilitates a company’s resolution of problems before they become major problems or legal violations bringing the Securities and Exchange Commission (SEC) or DOJ calling.

Three Key Takeaways

1. Companies with a robust whistleblower and reporting system had greater profitability and workforce productivity as measured by Return on Assets.
2. There were fewer material lawsuits brought against the company overall and there were lower settlement costs if a lawsuit did occur.
3. There were fewer external whistleblower reports to regulatory agencies and other authorities.

Learn more about your ad choices. Visit megaphone.fm/adchoices

This chapter will detail the two parts; internal reporting and investigations. It would seem axiomatic that organizations understand the benefits of having an internal reporting system, whether it is called a hotline, helpline, or something else. Just as plainly, a company should understand the need for effective investigations after a report comes in which might lead to a potential violation.

Three key takeaways:

1. A robust internal reporting system will be one of the key indicia the DOJ considers.
2. Hotline reporting can bring a visibility to problems.
3. Hotline reports must be treated fairly and justly.

Learn more about your ad choices. Visit megaphone.fm/adchoices

1. What compliance expertise has been available on the Board of Directors?

2. Have the Board of Directors held executive or private sessions with the compliance function?

3. What types of information has the Board of Directors examined in their exercise of oversight in the area in which the misconduct occurred?

To facilitate the answers to these questions, consider this list of 20 questions to reflect the oversight role of directors. These are questions the Board should ask of both senior management and the Board should ask itself. The questions are not intended to be an exact checklist, but rather a way to provide insight and stimulate discussion on the topic of compliance. The questions provide directors with a basis for critically assessing the answers they get and digging deeper as necessary. Although the questions apply to most medium to large organizations, the answers will vary according to the size, complexity and sophistication of each individual organization.

Part I: Understanding the Role and Value of the Compliance Committee

1. What are the Compliance Committee’s responsibilities and what value does it bring to the Board?

2. How can the Compliance Committee help the Board enhance its relationship with management?

3. What is the role of the Compliance Committee?

Part II: Building an Effective Compliance Committee

4. What skill sets does the Compliance Committee require?

5. Who should sit on the Compliance Committee?

6. Who should chair the Compliance Committee?

Part III: Directed to the Board

7. What is the Compliance Committee’s role in building an effective compliance program within the company? How can the Compliance Committee assess potential members and senior leaders of the company’s compliance program?

8. How long should directors serve on the Compliance Committee?

9. How can the Compliance Committee assist directors in retiring from the Board?

Part IV: Enhancing the Board’s Performance Effectiveness

10. How can the Compliance Committee assist in director development?

11. How can the Compliance Committee help the Board chair sharpen the Board’s overall performance focus?

12. What is the Compliance Committee’s role in Board evaluation and feedback?

13. What should the Compliance Committee do if a director is not performing or not interacting effectively with other directors?

14. Should the Compliance Committee have a role in chair succession?

15. How can the Compliance Committee help the Board keep its mandates, policies and practices up-to-date?

Part V: Merging Roles of the Compliance Committee

16. How can the Compliance Committee enhance the Board’s relationship with institutional shareholders and other stakeholders?

17. What is the Compliance Committee role in CCO succession?

18. How can the Compliance Committee foster great technical impact for compliance function?

19. What role can the Compliance Committee play in preparing for a crisis, such as the discovery of a sign of a significant compliance violation?

20. How can the Compliance Committee help the Board in deciding CCO pay, bonus and resources made available to the corporate compliance function?

 Three key takeaways:

1. The DOJ Evaluation requires active Board of Director engagement around compliance.

2. Board communication on compliance is a two-way street; both inbound and outbound.

3. Has the Board built an effective Compliance Committee for itself?

Learn more about your ad choices. Visit megaphone.fm/adchoices

A white paper by Deloitte & Touche LLP, entitled, Risk Intelligence Governance—A Practical Guide for Boards, laid out six general principles to help guide Boards in the area of risk governance. These six areas can be summarized as follows:

• Define the Board’s role. There must be a mutual understanding between the Board, CEO and senior management of the Board’s responsibilities.

• Foster a culture of risk management. All stakeholders should understand the risks involved and manage such risks accordingly.

• Incorporate risk management directly into a strategy. Oversee the design and implementation of risk evaluation and analysis.

• Help define the company’s appetite for risk. All stakeholders need to understand the company’s appetite or lack thereof for risk.

• How to execute the risk management process. Maintain an approach that is continually monitored and has continuing accountability.

• How to benchmark and evaluate the process. Systems need to be installed which allow for evaluation and modifying the risk management process as more information becomes available or facts or assumptions change.

All of these factors can be easily adapted to compliance and ethics risk management oversight. Initially it must be important that the Board receive direct access to such information on a company’s policies on this issue.

 Three key takeaways:

1. The Board’s role is to keep really bad things from happening to a company.

2. There are six general areas the point can inquire into and lead from.

3. A Board should have direct access to information on the company’s compliance program.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Structural questions. This area consists of questions which will aid in determining the fundamental sense of a company’s overall compliance program. The questions should begin with the basics of the program through to how the program operates in action.

Cultural questions. This area of inquiry should focus on the culture of the organization regarding compliance. Board members should understand what message is being communicated not only from senior management but also middle management. Equally important, the Board needs to understand what message is being heard at the lowest levels within the company.

Risk management questions. Board members need to understand the company’s process being used to identify emerging risks, their evaluation and management. Such risk analysis would be broader than simply a compliance risk assessment and should be tied to other broader corporate matters.

Three key takeaways:

1. A Board of Directors should inquire into the structural component of the compliance program as it will aid in determining the fundamental sense of a company’s overall compliance program.
2. Cultural questions should be asked to garner an understanding of what message is being communicated not only from senior management but also middle management.
3. Risk management questions should be asked to understand the company’s process being used to identify emerging risks, their evaluation and management.

Learn more about your ad choices. Visit megaphone.fm/adchoices

The starting point for a Board of Directors is to develop a framework for incorporating compliance into your long-term strategy. To set up the framework for evaluating compliance into your Board’s long-term strategy is a three-step process, which you can use to determine how comprehensive the Board’s role in your compliance program is as a starting point.

1. Has the company identified the compliance issues relevant to the Board?

2. Has the company assessed and incorporated those compliance issues into its long-term strategy?

3. Has the company communicated its approach to compliance and the influence of those factors on its overall strategy?

From this initial inquiry, you can move into some specific questions that the Board can use to determine the overall state of your company’s compliance program. First, a Board can work to identify compliance issues material to your organization. This can be accomplished with compliance-related KPIs, which a Board should prioritize to elevate their impact on compliance. A Board should consider these through the life cycle of a business line or geographic sales area. Next, the Board should work to move compliance into the company’s long-term strategy and have the CCO detail the long-term strategy for the compliance function.

The Board should oversee incorporating KPIs into senior management performance evaluations and compensation. Once again building upon the 2020 Update, which asks how the company monitors its senior leadership’s behavior and how senior leadership models proper behavior to subordinates, the Board should make certain systems are in place to quantify or measure performance related to compliance issues, should establish performance goals against which they measure compliance achievement and disclose to shareholders the material compliance issues that drive compensation, the specific goals or performance targets that management must achieve and report on the actual performance against established goals to justify compensation payouts.

Finally, the Board should work to communicate the influence of compliance factors on overall corporate strategy by demonstrating how compliance was integrated into the business. Not only is this good from a business perspective and shareholder expectation, but it is also, as the 2020 Update makes clear, what the government expects is the operationalization of compliance going forward.

Three key takeaways:

1. Having a long-term strategy is critical.

2. What is the Board’s framework for assessing compliance?

3. Create KPIs to measure senior management’s actions around compliance.

Learn more about your ad choices. Visit megaphone.fm/adchoices

It went on to pose the following questions about the “sufficiency of the personnel” in the following manner. Under the topic, Seniority and Stature, are the following questions:

How does the compliance function compare with other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources, and access to key decision-makers? and What role has compliance played in the company’s strategic and operational decisions?.

Under the topic Experience and Qualifications are the following questions:

Do compliance and control personnel have the appropriate experience and qualifications for their roles and responsibilities? Has the level of experience and qualifications in these roles changed over time? How does the company invest in further training and development of the compliance and other control personnel? Who reviews the performance of the compliance function and what is the review process?

All of this leads to the inescapable conclusion that the Board of Directors needs to be involved in not only the hiring process for a CCO but also the succession planning. Yet many yet many Board’s fall short on that score. In a Chapman and Cutler LLP quarterly update, entitled, Advancing Board Refreshment Through the Director Succession Planning Process, William Libit and Todd Freier laid out a framework for Boards to use which I have adapted for CCO succession. There are some key traits you should consider in succession planning for any senior management position, including a CCO.

1. Examine the key corporate documents. 
2. Use an assessment framework. 
3. Conduct due diligence. 
4. Maintain a pipeline. 
5. Assess Board policies. 
6. Disclose your succession strategy. 
7. Benchmark your succession strategy. 

 Three key takeaways:

1. Refreshment is a hot topic in corporate governance.

2. Review your Board policies to understand what your company will need going forward.

3. Transparency in succession planning.

Learn more about your ad choices. Visit megaphone.fm/adchoices

She pointed to the example of Yahoo! and its hire of Scott Thompson. It turned out that Thompson had incorrect information on his online biography regarding his academic credentials. The “implications went beyond the activist shareholder accusations to reflect on the Board of Directors for not vetting his background more carefully. The company may have been exposed to claims of providing false information to the SEC and potential stockholder law suits. Thompson’s 120-day tenure at Yahoo! cost the company over $7 million and seriously tarnished the company’s reputation in the business community.”

The key is that a company engages in an executive due diligence investigation rather than simply a routine or even executive-level background investigation. Tal explained that an executive background search, is “typically limited to a five-component review of: criminal records, employment verification, degree or education verification, social security validation, address verification and sometimes credit history.” Such searches are “very limited searches.”

Conversely, executive due diligence, “looks in-depth at all available public records sources: criminal history, civil litigation issues, financial and legal issues, relationships with other companies and board advisory positions, reputation, misrepresented education and overstated work history, behavioral history (for example litigiousness), and, in particular, undisclosed or adverse issues.” While it is generally “more costly than executive background checks and takes more time, the information gathered is extremely valuable and can save a company substantially more. A high quality due diligence review can find important information which would not be returned in a routine executive background check.”

Infortal has found that up to 20% of executive search candidates fail a deep-level due diligence investigation. Now consider how many senior executive slots your company has and add to that Board of Directors seats and you can quickly see the risk of failure to consider an executive due diligence search when promoting or hiring. Moreover, you need an executive level due diligence in other business situations as well, including the senior management of new business acquisitions brought into your organization through a merger or other acquisition, selecting new Board members, screening corporate Board of Directors and of course, for third party business partners and other agents in the sales and supply chain channels. 

Three key takeaways:

1. The costs of a bad executive hire can far exceed the dollar loss.
2. Do not forget the differences between an executive background check and executive level due diligence.
3. 20% of all senior executives fail an executive level due diligence check.

For more information, check out The Compliance Handbook, 4th edition, available here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

In a NACD Directorship article, entitled “Corruption in China and Elsewhere Demands Board Oversight”, Eric V. Zwisler and Dean A. Yoost note, “Boards are ultimately responsible for risk oversight” any Board of a company with operations in China “needs to have a clear understanding of its duties and responsibilities under the FCPA and other international laws, such as the U.K. Bribery Act”. Why should China be on the radar of Boards? From 2010-2019, over 25% of all FCPA enforcement actions derived from China, that’s why.

FCPA enforcement actions have made clear that numerous Chinese businesses have proven adept at appearing compliant while hiding unacceptable business practices. A Board should be aware that a well-crafted compliance program must be complemented with a thorough understanding of frontline business practices and constant auditing of actual practices, not just a paper compliance program. This means that both monitoring and auditing should be visible to the Board.

Three key takeaways:

1. China presents the highest FCPA risk and after GSK, domestic law corruption risk as well.
2. Chinese companies have been adept at hiding corrupt business practices from their western owners.
3. A Board must be cognizant of these risks and enhance their risk management process in China and other high-risk jurisdictions.

For more information, check out The Compliance Handbook, 4th edition, available here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

VimpelCom Ltd. In 2015 (now Veon Ltd.), the DOJ alleged that Dutch telecom VimpelCom sought to enter the telecom market through the acquisition of a local player, Unitel, as an entrée into the Uzbekistan market. Unitel made clear to VimpelCom that to have access to, obtain and retain business in the Uzbeki telecom space, VimpelCom would have to, according to the DPA, “regularly pay Foreign Officials millions of dollars” to Gulnara Karimova, the daughter of the then President of the country. VimpelCom also acquired another entity Butzel, that was at least partially owned by an Uzbeki government official, who hid their interest through a shell company, which was known to VimpelCom. VimpelCom did not articulate a legitimate business reason for the deal and paid $60 million for Buztel.

Ultimately, VimpelCom agreed to pay approximately $800 million in fines for these activities in 2016. 

BizJet. Another FCPA enforcement action involved the Tulsa-based company BizJet International Sales and Support Inc. (BizJet), which had four senior executives convicted for their participation in a bribery scheme. But this case also involved the Board of Directions. In the Criminal Information it stated that in November 2005:

…at a Board of Directors meeting of the BizJet Board, Executive A and Executive B discussed with the Board that the decision of where an aircraft is sent for maintenance work is generally made by the potential customer’s director of maintenance or chief pilot, that these individuals are demanding $30,000 to $40,000 in commissions, and that BizJet would pay referral fees in order to gain market share.

In both cases, this is where the rubber hits the road. If a company is willing to commit bribery and engage in corruption to secure business, no amount of doing compliance is going to help. If senior management is ready, willing and able to lie, cheat and steal, the Board is the final backstop to prevent such conduct. Both the VimpelCom and BizJet Boards sorely failed in their compliance duties.

Three key takeaways:

1. Board liability will be severe based upon similar conduct going forward.
2. Board members must critically challenge management on its conduct.
3. The Board is the ultimate backstop against bribery and corruption.

For more information, check out The Compliance Handbook, 4th edition, available here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

• Does the institution ensure that its directors and senior managers provide strong, explicit and visible support for its corporate compliance policies?
• Does the Board maintain a material role in overseeing a company’s overall compliance framework?

These requirements move beyond simply having the correct tone at the top, which every Board should articulate. The 2020 Update to the Evaluation of Corporate Compliance Programs added the following, under Oversight by posing the following questions: What compliance expertise has been available on the board of directors? Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions? What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred?

Based on the foregoing, when determining the Board’s role, begin with two questions. First, does the Board of Directors exercise independent review of a company’s compliance program? Second, is the Board of Directors provided information sufficient to enable the exercise of independent judgment?

Three key takeaways:

1. The DOJ expects active engagement by a Board around compliance.
2. Does the Board exercise independent review of the compliance program?
3. The convergence of the Yates Memo, Caldwell’s metrics, the Evaluation and FCPA Corporate Enforcement Policy mandate Board metrics around compliance.

For more information, check out The Compliance Handbook, 4th edition, available here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

In an article in the Corporate Board magazine, entitled “Successful Board Investigations”; David Bayless and Tammy Albarrán, wrote about five key goals that any investigation led by a Board of Directors must meet.

• Consider whether you need independent outside counsel.
• Consider hiring an experienced investigator to lead the internal investigation.
• Consider the need to retain outside experts.
• Analyze potential conflicts of interest at the outset and during the investigation.
• Carefully evaluate whistleblower allegations.
• Request regular updates from outside counsel, without limiting the investigation.
• Consider whether an oral report at the conclusion of the investigation is sufficient.

The authors conclude their piece by stating, “By keeping in mind the issues addressed above, the Board will be better prepared for the investigation and readily able to exercise good judgment throughout the review. A well-conducted investigation by the Board may spare the company further disruption and costs associated with follow-on investigations by the regulators, or at the very least minimize the company’s exposure.”

Three key takeaways:

1. Retain the right counsel. Consider conflicts and appearance.
2. Carefully evaluate all whistleblower allegations and reject retaliation.
3. Consider receiving oral reports on an ongoing basis and one lengthy oral report at the end of the investigation.

For more information, check out The Compliance Handbook, 4th edition, available here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

In an article in the Corporate Board magazine, entitled “Successful Board Investigations”; David Bayless and Tammy Albarrán, wrote about five key goals that any investigation led by a Board of Directors must meet. They are:

• Thoroughness - The authors believe that one of the key, and most critical, questions that any regulator might pose is just how thorough is an investigation; to test whether they can rely on the facts discovered without hav­ing to repeat the investigation themselves.
• Objectivity - Here the authors write that any “investigation must follow the facts wherever they lead, regardless of the conse­quences.
• Accuracy - As in any part of a best practices anti-corruption compliance program, the three most important things are Document, Document and Document. This means that the factual findings of an investiga­tion must be well supported.
• Timeliness - Certainly in the world of FCPA enforcement, an internal investigation should be done quickly. So timeliness is crucial.
• Credibility - One of the realities of any FCPA investigation is that a Board of Directors led investigation is reviewed after the fact by not only skeptical third parties but also sometimes years after the initial events and investigation.

Three Key Takeaways

1. The Board should have a written protocol for investigations prepared in advance.
2. This gives cover to a Board when regulators come knocking or other third parties seek review.
3. Remember the 5 goals of any Board led investigation.

Learn more about your ad choices. Visit megaphone.fm/adchoices

The key to such a metaphor succeeding is that a Board of Directors, “by continuing to challenge management on these scenarios that management has considered and the stories management is telling itself about what could go wrong,” can “help get management out of its comfort zone by and large executive teams begin to believe themselves when they talk about how well they’re doing. The independent challenge that the board can offer is putting a little bit of sand in the shoe to make sure you’re thinking about things carefully can cause you to step back and focus your resources where they’re needed.”

Howell noted that the role of the Board is not management but oversight, focusing on governance. To do so, an effective Board should challenge senior management not only on what they have planned for but what they may not have considered or may not even know about. He said, “One perfect example is the reputation of those stakeholders involved in the company, and that can be the management team itself, the employees, and the board members themselves.” This is because reputational damage hurts everyone. Howell stated, “It’s essential as we go through some ways the Board can help management in that role. I think the things that make a difference to management is when the Board can be an effective devil’s advocate. Not managing management but helping them in their governing role by helping management to step back and think critically of their underlying assumptions and biases.”

A Board is more than just there to be a rubber stamp for senior management. It must exercise independent judgment, action, and oversight. Further, it is the Board’s role to ask hard, difficult, and probing questions to ensure management is doing its job and has considered other risk possibilities.

Three Key Takeaways:

1. Boards should force management to open up the company to itself.
2. Boards should be a grain of sand in the shoe of management.
3. Boards should ensure senior management is aware of and planning for known and unknown risks.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask tough questions. But it is more than simply having a compliance program in place. The Board must exercise appropriate oversight of the compliance program and the compliance function. The Board must ask hard questions and be fully informed of the company’s overall compliance strategy. Lawyers often speak to and advise Boards on their legal obligations and duties. If a Board’s oversight is part of effective financial controls under Sarbanes Oxley (SOX), that includes effective compliance controls. Failure to do either may result in something far worse than bad governance. It may directly lead to an FCPA violation and could even form the basis of an independent FCPA violation. A company must have a corporate compliance program in place and actively oversee that function. A failure to perform these functions may lead to independent liability of a Board for its failure to perform its allotted tasks in an effective compliance program. Internal controls work together with compliance policies and procedures and are interrelated control mechanisms. There are five general compliance internal controls for a Board or Board subcommittee role for compliance:

Three Key Takeaways:

1. GTE compliance internal controls are low-hanging fruit. Pick them.
2. Compliance with internal controls can be both detected and prevented controls.
3. Good compliance with internal controls is good for business.

Learn more about your ad choices. Visit megaphone.fm/adchoices

In the FCPA Resource Guide, 2nd edition, in the Hallmarks of an Effective Compliance Program, there are two specific references to the obligations of a Board. The first is in Hallmark No. 1, which states, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3, entitled “Oversight, Autonomy and Resources”, where it discusses that the CCO should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight of the effectiveness of a company’s compliance program. The Department of Justice’s (DOJ) Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment? Doty’s remarks drove home to me the absolute requirement for Board participation in any best practices or even effective anti-corruption compliance program.

A Board’s oversight is part of effective compliance controls, then the failure to do so may result in something far worse than bad governance. Such inattention could directly lead to a FCPA violation and could even form the basis of an independent SOX violation as to the Board.

Three Key Takeaways

1. A Board must engage in active oversight.
2. A Board should review the design of internal controls on a regular basis.
3. Failure to do so could form the basis for an independent legal violation under SOX.

Learn more about your ad choices. Visit megaphone.fm/adchoices

These factors can be easily adapted to compliance and ethics risk management oversight. Initially, it must be necessary that the Board receive direct access to such information on a company’s policies on this issue. The Board must have quarterly or semi-annual reports from a company’s CCO to either the Audit Committee or the Compliance Committee. Every Board should create a Compliance Committee to deal with compliance issues, as an Audit Committee may more appropriately deal with financial audit issues. A Board Compliance Committee can devote itself exclusively to non-financial compliance. The Board’s oversight role should be to receive regular reports on the company’s compliance program’s structure, actions, and self-evaluations. From this information, the Board can oversee any modifications to managing FCPA risk that should be implemented.

Three key takeaways:

1. A Board Compliance Committee should provide oversight, not management.
2. A CCO should use multiple reports to communicate with the Board Compliance Committee.
3. Board Compliance Committee oversight makes companies more efficient and profitable.

Learn more about your ad choices. Visit megaphone.fm/adchoices

The OIG Guidance sets out four areas of Board oversight and review of a compliance function:

1. Roles of, and relationships between, the organization’s audit, compliance, and legal departments;
2. Mechanism and process for issue-reporting within an organization;
3. Approach to identifying regulatory risk; and
4. Methods of encouraging enterprise-wide accountability for the achievement of compliance goals and objectives.

The OIG Guidance is an excellent review for not only compliance professionals and others in the healthcare industry but a good primer for Boards around their duties under a best practices compliance program. The U.S. Sentencing Guidelines, the Hallmarks of an Effective Compliance Program, the OIG Guidance, and OIG Corporate Integrity Agreements can be used as baseline assessment tools for Boards and management in determining what specific functions may be necessary to meet the requirements of an effective compliance program.

Three key takeaways:

1. Information flow up to the Board is critical.
2. Compliance should be institutionalized in your company as a way of life.
3. A Board needs to consider all risks.

For more information check out The Compliance Handbook, 3rd edition, available from LexisNexis here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

This requirement was set out in 2017 in the FCPA Corporate Enforcement Policy, where one of the criteria to be evaluated in a compliance program is “the availability of compliance expertise to the board.” Finally, the 2020 Update to the Evaluation of Corporate Compliance Programs, under the section entitled Oversight, posed the following questions What compliance expertise has been available on the Board of Directors?

The DOJ and Securities and Exchange Commission introduced this concept to the FCPA Resource Guide, 2nd edition. It means that when your company is evaluated by the DOJ, under the factors set out in the 2020 Update and the FCPA Corporate Enforcement Policy, to retrospectively determine if your company had a best practices compliance program in place at the time of any violation, you need to have not only the structure of the Board-level Compliance Committee but also the specific SME on the Board and on that committee.

Three key takeaways:

1. Boards must have compliance expertise.
2. Government regulators and shareholder groups have both called for greater compliance expertise on the Board.
3. Compliance expertise at the Board works up and down as such expertise can be a resource to both the CCO and Compliance Department.

For more information check out The Compliance Handbook, 3rd edition, available from LexisNexis here. 

Learn more about your ad choices. Visit megaphone.fm/adchoices

This requirement was brought forward in 2017 in the FCPA Corporate Enforcement Policy. Finally, nn the 2020 Update to the Evaluation of Corporate Compliance Programs, under the section entitled Oversight, it posed the following questions What compliance expertise has been available on the board of directors? Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions?

Today’s regulatory climate and hyper-transparency in social media make a Board Compliance Committee’s task seem Herculean. But more than simply the regulatory climate, shareholders are taking a much more active role in asserting their rights against Boards of Directors. It is incumbent that Boards seek out and obtain sufficient information to fulfill their legal obligations and keep their company off the front page of the New York Times, Wall Street Journal or Financial Times, just to name a few, to prevent serious reputational damage. A Board Compliance Committee is a good place to start.

Three key takeaways:

1. The Board Compliance Committee exists to provide oversight and assist the CCO, not to substitute its judgment for that of the CCO.
2. The Board Compliance Committee should work to hold the CCO accountable to hit appropriate metrics.
3. The Board Compliance Committee is ideal for leading the efforts around strategic planning.

For more information check out The Compliance Handbook, 3rd edition, available from LexisNexis here. 

Learn more about your ad choices. Visit megaphone.fm/adchoices

While the Board is not responsible for auditing or ferreting out compliance problems, it is responsible for determining that the company has an appropriate system of internal controls. The Board should also monitor company policies and practices that address compliance and matters affecting the public perception and reputation of the company. Every company should ensure that it conducts appropriate compliance training for employees and conducts regular compliance assessments. Finally, the Board must take appropriate action if and when it becomes aware of a material problem it believes management is not properly handling.

There is no reference to prudent discharge in the FCPA itself. However, a Board member might think more than twice about the prudent discharge of duties to the shareholders as both the DOJ and SEC now might wish to look into a Board’s prudent discharge of duties under the FCPA.

Three key takeaways:

1. What is prudent discharge?
2. What is your process for doing compliance at the Board level?
3. A Board must have active rather than passive engagement around compliance.

For more information, check out The Compliance Handbook, 3rd edition, available from LexisNexis here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

In the case of Stone v. Ritter, the Supreme Court of Delaware expanded on the Caremark decision by establishing two important principles. First, the Court held that the Caremark standard is the appropriate standard for director duties concerning corporate compliance issues. Second, the Court found that no duty of good faith forms a basis for director liability, independent of the duties of care and loyalty. Rather, Stone v. Ritter 911 A.2d 362 (‎Del. S. Ct. 2006) holds that the question of director liability turns on whether there is a “sustained or systematic failure of the board to exercise oversight—such as an utter failure to attempt to assure a reasonable information and reporting system exists.”

The Board has the role of monitoring the performance of the compliance function, including monitoring the performance of it using standard economic metrics and overseeing compliance with applicable laws and regulations. While the Board is not responsible for auditing or ferreting out compliance problems, it is responsible for determining that the company has an appropriate system of internal controls. The Board should also monitor company policies and practices that address compliance and matters affecting the public perception and reputation of the company. Every company should ensure that it conducts appropriate compliance training for employees and conducts regular compliance assessments. Finally, the Board must take appropriate action if and when it becomes aware of a material problem it believes management is not properly handling. The Delaware Supreme Court has expanded this obligation in the cases of Marchand v. Barnhill (the “Blue Bell” case), Clovis Oncology, Hughes, and Boeing.

From the Delaware cases, a Board must have a corporate compliance program in place and actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, additional oversight should exist. In other words, there is an affirmative duty to ask tough questions. However, there has been a significant expansion of the Board’s Caremark obligation. Delaware courts will be much more scrutinizing of Caremark claims going forward. The evolution of decisions from Marchand to Boeing shows that a company must have robust compliance and risk management oversight but, more importantly, engage in oversight for the company’s signature risk(s). Boards must do so aggressively, not passively.

As Mike Volkov has noted, “At the bottom, the Chancery Court is raising the stakes on board member accountability.”

 Three key takeaways:

1. The Delaware courts have led the way with the Caremark and Stone v. Ritter decisions.
2. Boards must have compliance expertise and exercise it.
3. In a series of recent decisions, the Delaware courts are expanding the Caremark obligations, most recently.

For more information check out The Compliance Handbook, 3rd edition, available from LexisNexis here. 

Learn more about your ad choices. Visit megaphone.fm/adchoices

I have urged compliance practitioners to bring more storytelling into their compliance messaging. If you put the employee in the shoes of the person they’re watching, they will remember it because they will see how it applies to their lives. Havener noted that the training experience would last “exponentially longer than if you just go over a written policy or show a PowerPoint.” He called it “expanding your classroom.” The next time they see George Clooney, they’re going to remember the training, the next time they watch that movie that you showed a clip from, they’re going to be reminded of the training, and so it becomes a great drift method of training.”

Three key takeaways:

1. Storytelling is another form of communication.
2. Movie clips in compliance training can provide useful touchstones that employees can relate to for compliance lessons.
3. The Morgan Stanley declination gave credit for annual compliance reminders.

Learn more about your ad choices. Visit megaphone.fm/adchoices

The DOJ enshrined the importance of determining the effectiveness of your compliance program in its 2020 Evaluation. The 2020 Evaluation demonstrates that the DOJ wants to see evidence of the effectiveness of your compliance program. This is something that many CCOs and compliance professionals still need help to determine. Both the simple guidelines suggested herein, the more robust assessment, and the results provide you with a start to fulfill the precepts set out in the 2020 Evaluation, but you will eventually need to demonstrate the effectiveness of your compliance training in the future.

Three key takeaways:

1. You must demonstrate that you have measured the effectiveness of your compliance training.
2. The DOJ is moving into requiring a demonstration of the effectiveness of compliance training.
3. You should be moving towards a model of demonstrating compliance training ROI to validate the full operationalization of your compliance training.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Often compliance professionals think that compliance training needs to be conducted very frequently, even if it means repeating the same training courses every year. Compliance training expert Shawn Rogers analogizes compliance training to an automobile’s windshield wiper system in a discussion of how frequently compliance training should be administered. He went on to explain that “it would not make any sense to run your wipers constantly, even when it is not raining. First, it would be extremely annoying to the passengers. And second, eventually it would wear out both the wiper blades and the wiper motor. It would simply be nonsensical.” Requiring overly repetitive training is like running your windshield wipers in clear weather. The learners are going to be annoyed, the training will be viewed as a waste of time and energy and finally your employees will not take training as seriously when it is really needed to address a specific situation as the compliance training will be viewed literally and figuratively as a “check-the-box” exercise.

 Three key takeaways: 

1. Have a well-reasoned approach to training frequency.
2. Lengthier more full-bodied training can be given once every three years or so.
3. Shorter more frequent compliance refreshers or reminders can be used to keep the risk top-of-mind.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Every multinational organization will have a broad risk portfolio typically owned across the organization. Consider compliance risk, fraud risk, reputational risk, financial accounting risk, and discrimination risk. These are a small sample of risks; many will not be “owned” by the corporate compliance function. This presents a real challenge when creating a comprehensive compliance training program covering a company’s legal, regulatory, compliance, and reputational risks. Well-know compliance training maven Shawn Rogers suggests “establishing a corporate Compliance Training Governance Committee that looks at the company’s overall risk profile and builds a cross-functional and comprehensive multi-year training plan that effectively addresses all of the risks in a company’s risk portfolio.”

A Compliance Training Governance Committee will allow your organization to effectively establish a multi-year training plan, help in vendor selection and engage in course creation. Rogers said, “One of the biggest benefits has been its predictability to the compliance training program. Every stakeholder from a risk-owning organization knows exactly when their function will have their course deployed over the three-year calendar. They can plan resources, they have a long lead-time to develop the courses, and during their off-years, they can do communications campaigns and events to keep their risk top-of-mind.”

Three key takeaways: 

1. Why your organization should create a Compliance Training Governance Committee.
2. Who should be on the Compliance Training Governance Committee?
3. How should the Compliance Training Governance Committee work going forward?

Learn more about your ad choices. Visit megaphone.fm/adchoices

Three key takeaways: 

1. What are your design objectives?
2. They should be dynamic, not static.
3. You should use them as touchpoints going forward.

Learn more about your ad choices. Visit megaphone.fm/adchoices

You should develop some principles on what your compliance training will look like. A key way to start is by reference to the Training and Communications section of the 2023 ECCP, which states, “Prosecutors should assess the steps taken by the company to ensure that policies and procedures have been integrated into the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners. Prosecutors should also assess whether the company has relayed information in a manner tailored to the audience’s size, sophistication, or subject matter expertise.

Some companies, for instance, give employees practical advice or case studies to address real-life scenarios, and/or guidance on obtaining ethics advice on a case-by-case basis as needs arise.” Some of these principles include the following, What are the Guiding Principles of your compliance training? What are you trying to communicate? Is it a broad set of values you want to speak to every employee about what your organization stands for? As noted in the 2023 ECCP, a company should “examine whether the compliance program is being disseminated to, and understood by, employees in practice to decide whether the compliance program is “truly effective.”

Three key takeaways:

1. The 2023 ECCP has a strong emphasis on compliance training.
2. Create a set of Principles for your compliance training programs.
3. You should always use the Guiding Principles of your compliance training program to make decisions.

Learn more about your ad choices. Visit megaphone.fm/adchoices

The key concept for the compliance profession is the roles of Idea Scout and Idea Connector. An “idea scout is an employee who looks outside the organization to bring in new ideas. An idea connector is someone who can assimilate external ideas and find opportunities within the organization to implement these new concepts.” It is the ability to identify, assimilate and exploit new compliance ideas, which makes this concept so powerful. However, to improve your compliance innovation, “you need to maintain a diverse network while also developing your assimilation and exploitation skills.”

Twitter can be a powerful tool for the compliance practitioner. It is one of the only tools that can work both inbounds for you to obtain information and insight and in an outbound manner, where you can communicate with your compliance customer base and your employees. It would be best if you worked to incorporate one or more of the techniques to help you burn compliance into the DNA fabric of your organization.

Three key takeaways:

1. Twitter can be a powerful tool for the compliance practitioner.
2. Data mine Twitter for best practices and see what the regulators may be saying.
3. Curiosity may have killed the cat, but it makes for a far better and more effective compliance practitioner.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Grazer is a well-known and successful Hollywood director who has directed such movies as Splash, A Beautiful Mind, and Cinderella Man. He believes that much of his success is because he asks many questions, and “Questions are a great management tool.” This is because “Asking questions elicits information” also “creates the space for people to raise issues they are worried about that a boss, or colleagues, may not know about.” By asking questions, you allow “people to tell a different story than the one you expect.” Finally, and perhaps most significantly, “asking questions means people have to make their case for the way they want a decision to go.”

You, too, can use this simple and straightforward technique to improve your leadership qualities in the compliance function. The reason that asking questions is so much better than simply giving orders is that you have a vast talented workforce to tap into to help you do business in compliance. But the how of doing a business process that is, or should be, burned into your company can be facilitated by possibilities that are out there in your employees’ minds. 360 degrees of communication allows you to create an atmosphere where nobody is afraid to ask questions. Perhaps equally importantly, no one is afraid to answer a question.

Three key takeaways:

1. Asking questions is a great technique to elicit information.
2. Asking questions creates the authority in people to come up with ideas, coupled with the responsibility for moving things forward.
3. Create an atmosphere where employees are confident to ask or answer a question.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Initially look for as many cultural bridges as you can find as it will help you understand what your international audience is communicating to you, in both verbal and non-verbal formats, during a wide variety of activities familiar to any compliance professional such as training, investigations or simple meetings where the compliance perspective must be articulated in any business setting. If you fail to have an understanding or even a person who can navigate these signs for you, here are five steps to help you out: 1) Adapt the way you express disagreement; 2) Know when to bottle it up and let it all pour out; 3) Learn how the other culture builds trust; 4) Avoid yes or no questions; and 5) Be careful about putting it in writing.

Three key takeaways:

1. Communications in compliance must be largely drawn around trust.
2. Look for as many cultural bridges as you can find as it will help you understand what your international audience is communicating to you.
3. One of the things most critical issues to a compliance function is breaking through a company’s internal cultural boundaries.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Liz Wiseman is the co-author with Greg McKeown of “Multipliers: How the Best Leaders Make Everyone Smarter,” a book about the various types of leaders. They focus on two different types of leaders, Diminishers and Multipliers. Multipliers are leaders who encourage their workers’ growth and creativity, while Diminishers hinder and otherwise keep their employees’ productivity at a minimum.

Now imagine applying this leadership technique as you are trying to operationalize your compliance program fully. If you take this approach of leading by asking questions, you not only guide the functional unit but you get greater buy-in to the entire concept and process as it becomes their process. The non-compliance team may design it and have ownership over it.

Wiseman concluded by challenging each of us to multiply our influence to make those we work with work even better. You can use these skills to operationalize your compliance program more fully. If you do so, you will not only fulfill the requirements of the DOJ, as laid out in the Evaluation, but you will integrate compliance into the DNA of your company by making it a part of how you conduct your business.

Three key takeaways:

1. Multipliers are leaders who encourage growth and creativity from their workers.
2. Diminishers hinder and otherwise keep their employees’ productivity at a minimum.
3. Multiply the influence of the compliance function inside and outside the company in this manner.

Learn more about your ad choices. Visit megaphone.fm/adchoices

I cannot say enough about this skill for a CCO. If you hear any long-term CCO speak about their job, they will tell you it is largely about listening to people; whether those people are employees, senior management or the Chief Executive Officer (CEO) and Board members. By listening to others you not only hear, and hopefully will come to understand their concerns, but you allow them to come to decisions themselves and you are not in the position of telling them what to do. It is a skill that has served many CCOs very well for many years.

Three key takeaways:

1. A little can mean a lot.
2. One of the primary keys to influencing people is to listen to them.
3. A CCO can enhance their communications by using the six principals of persuasion.

Learn more about your ad choices. Visit megaphone.fm/adchoices

However, Patterson and Baldacci discussed brand in a manner that was very different from how I think about brand and branding. They said your brand is not an image but is about your relationship with your stakeholders. For an author, that means your readers. For these writers, it means that you deliver what your readers expect, and if you are going to go in a different direction, it is important to let your readers know that you are doing something different so that if you pick up a Baldacci or a Patterson, the book will be something other than the thriller or murder mystery you are expecting.

While there are other groups you may have a relationship with as a compliance professional, looking at this from the perspective of Baldacci and Patterson, you begin to see the corporate compliance brand and your personal brand in a very different light. It can help you be both more effective as a compliance professional and lead to more professional opportunities for you as well.

Three key takeaways:

1. How do you define your compliance brand?
2. What is your relationship with your stakeholders?
3. As a CCO or compliance professional, you can draw lessons from various disciplines.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Why do many compliance professionals find it so difficult to use compliance communications to help move the ball forward on driving a speak up culture? It begins because many conflate such communications with training. Training tends to be viewed as something that happens once per year or on a similar cadence. Yet even the DOJ has seen through the fallacy of this argument in its 2020 Update to the Evaluation of Corporate Compliance Programs when it stated, “companies have invested in shorter, more targeted training sessions to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management functions.”

The 2020 Update also leads to the following questions, what resources have been available to employees to provide guidance relating to raising an issue? And, has your company assessed whether its employees know when to seek advice and whether they would be willing to speak up? Can you answer these to satisfaction of the DOJ? If not, you may have a gap in your speak up communications program.

The bottom line to all is that in compliance, you are only limited by your imagination. When you overlay creativity on your imagination, you can create something very special. And you can use compliance communications to drive a speak up culture.

 Three key takeaways:

1. How can communications improve a speak up culture?
2. Use communications to foster trust.
3. A speak up culture only works when paired with a ‘listen-up’ culture.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Three Key Takeaways

1. Use the tools of social media to help tell your story of compliance.
2. You are only limited by your imagination.
3. Converging text, pictures and data can be a powerful tool in compliance.

Learn more about your ad choices. Visit megaphone.fm/adchoices

In the compliance space this clash of cultures is often seen. One company may have a robust compliance program, with a commitment from top management to have a best practices compliance program. The other company may put profits before compliance. Whichever company comes out the winner in the merger, it can certainly mean not only conflict but if the winning entity is not seen as valuing compliance, it may mean investigations and possibly even violations going forward.

Learning how your employees in other countries will approach decision-making and leadership will give you, as the CCO, insight into how they will approach compliance. It will require you to get out into the field to talk with folks. If your company grows organically or through M&A or the JV route, it will need to understand how your new employees will not only think through issues but how they will relate to instructions from the home office in America.

Three key takeaways:

1. Culture clash through a merger can be extremely negative for a company.
2. What are the cultures of leadership in your organization?
3. Learning how your employees approach decision making can provide insight into how the will approach compliance.

Learn more about your ad choices. Visit megaphone.fm/adchoices

This means that you will need to work to hone your message and continue to plug away to send that message out. The Morgan Stanley declination will always be instructional as one of the reasons the DOJ did not prosecute the company, as they sent out 35 compliance reminders to its workforce over seven years. Social media can be used in the same cost-effective way to get the message of compliance out and to receive information and communications back from your customer base, the company employees.

Three key takeaways:

1. What makes your employees want to share information?
2. Facilitate mechanisms that allow sharing with the compliance function.
3. The Morgan Stanley declination still resonates.

For more information, check out The Compliance Handbook, 4th edition, here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

If your goal in the compliance function is to create awareness and publicize your compliance program and initiatives, social media can be a powerful tool. This is so paramount that it should become a core activity of your compliance function. Using social media tools, your compliance function can tell the story of compliance, communicate expectations, and even train. Yet again, it is simply more than a one-way tool. Just as employees are more apt to tell you about a concern immediately or soon after being trained on that issue, they may well communicate directly with you after receiving social media communication on subjects such as managing third-party relationships.

CCOs and compliance practitioners must develop a dedicated compliance strategy around social media in the context of their corporate objectives. It allows you a 360-degree view of compliance, through which you can take input from your employee base and create a compliance experience that your employees will embrace.

 Three key takeaways:

• Never forget that social media is a two-way communication.
• Company employees are the customers of the compliance department.
• As with all compliance issues, assess what works for your company and appropriately tailor your social media approach.

For more information, check out The Compliance Handbook, 4th edition here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Louis Sapirman, Vice President and Chief Ethics & Compliance Officer for Panasonic Corporation of North America – Panasonic USA, often talks about the integration of social media into compliance. You should start with the tech-savvy nature of the today’s workforce. It is not simply about having a younger workforce but a workforce whose primary tool for communication is social media. If your company is in the services business, it probably means your employee base is using technological tools to deliver business solutions. Finally, consider the data-driven nature of business today so using technological tools to deliver products and solutions is something your company most probably does now. Facebook, LinkedIn, Twitter and even TikTok can all be utilized. 

Finally, never forget the social part of social media. Social media is a more holistic, multiple-sided communication. Not only are you setting out expectations but also these tools allow you to receive back communications from your employees. The D&B experience around the name change for its Code of Conduct is but one example. You can also see that if you have several concerns expressed it could alert you earlier to begin some detection and move towards prevention in your compliance program.

Another approach is to use audio as a part of your compliance communications. Podcasts are a great way to tell a long form story about your compliance successes and challenges. Ronnie Feldman, founder of L&E Entertainment continually reminds us that the engagement of your compliance audience is through the entertainment of your compliance communications. But the key is the audio format can be a powerful tool for you and a way to reach your employee base that you are not taking advantage. It can be as simple as interviewing employees on the importance of culture and how they use culture to guide their decision-making process in their daily work. You are only limited by your imagination.

 Three key takeaways:

1. Incorporation of social media into your compliance communications can pay big dividends.

2. Focus on the ‘social’ part of social media.

3. Consider incorporating podcasts and other audio clips into your compliance communications and training.

For more information, check The Compliance Handbook, 3rd Edition available here. 

Learn more about your ad choices. Visit megaphone.fm/adchoices

As we advance, these tools can go a long way toward enhancing your compliance program. Recall the declination to prosecute Morgan Stanley received from the DOJ when one of its managing directors had engaged in FCPA violations. One of the reasons cited by the DOJ was 35 email compliance reminders sent over seven years, bolsters the annual FCPA training the recalcitrant managing director received. You can use your archived social media communications as evidence that you have continually communicated your company's expectations around compliance. It is equally important that these expectations are documented.

Finally, always remember the social part of social media. Social media is a two-way communication. Not only are you setting out expectations, but also, these tools allow you to receive back communications from your employees. The D&B experience around the name change for its Code of Conduct is but one example. If you have several concerns expressed, it could alert you earlier to begin some detection and move toward prevention in your compliance program.

Three key takeaways:

1. How do 360 degrees of communication work in compliance?
2. Focus on the ‘social’ part of social media.
3. Use internal corporate social media to have a conversation.

For more information, check The Compliance Handbook, 3rd Edition available here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

A 360-degree view of compliance is an effort to incorporate your compliance identity into a holistic approach so that compliance is always in touch with and visible to your employees. It is about creating a distinctive brand philosophy of compliance centered on the customers of your compliance program (i.e., your employees). It helps to anticipate all the aspects of your employee's needs around compliance, especially when compliance is perceived as new, something that comes out of the home office, or as the Land of No. It allows you to build a new brand image for your compliance program.

The objective is to build trust for the 360-degree process by determining if the goal was achieved. You can utilize surveys or focus groups to assess the impact on your target audience. Focusing on your customers of compliance allows you to identify gaps and improve the communication process for your compliance program.

Three key takeaways:

1. Remember the definition of 360 degrees of compliance communications. It is an effort that moves the compliance identity into a holistic approach so compliance is always in touch and visible to your employees.
2. What is your objective? What are you trying to do with your 360-degree view of compliance communications, and how are you using that mechanism to deliver the objective your compliance program desires?
3. You need to evaluate if the message has been delivered, has been heard, and is being implemented.

For more information, check The Compliance Handbook, 3rd Edition, available here.

Learn more about your ad choices. Visit megaphone.fm/adchoices

This determination of the level of due diligence and categorization of a supplier should depend on a variety of factors, including such factors as whether the supplier is (1) located or will operate in a high-risk country; (2) associated, or recommended, or required by, a government official; (3) currently under corruption investigation, or has been recently convicted of any form of corruption; (4) a multinational publicly traded corporation with a recognized exemplary system of compliance and internal controls; or (5) a provider of widely available services and products that are not industry specific. You should note that any supplier with foreign government touchpoints should move up to a higher level of scrutiny.

I suggest that you create a three-tiered risk matrix consisting of (1) high-risk suppliers, (2) low-risk suppliers, and (3) minimal-risk suppliers. Below this final category is another category for providers of goods that are commonly available and pose almost no corruption risk.

It would be best to risk ranking the third parties your supply chain might engage with for FCPA exposure. It should be based on your company’s experience and risk going forward. As with all third-party risk management issues, you must “Document, Document, and Document.”

Three key takeaways:

1. Risk rank your supply chain based on well-conceived strata.
2. Consider not only the compliance risk but also your business risk.
3. Only manage those suppliers who present a corruption risk.

Learn more about your ad choices. Visit megaphone.fm/adchoices

If you utilize the services of a third-party for as a freight forwarders, brokers and agents in the shipping and express delivery arena, that company’s actions will go a long way in determining your company’s FCPA liability. You must have a thoughtful process and document that process.

Three key takeaways:

1. Express delivery services and freight forwarders present unique compliance risks.
2. There must be a business justification to bring on new express delivery services or freight forwarders in high risk jurisdictions.
3. Consider constructing a risk matrix in this area.

Learn more about your ad choices. Visit megaphone.fm/adchoices

The FCPA Resource Guide, 2nd edition, noted that common red flags associated with third parties include “unreasonably large discounts to third-party distributors.” When companies grant distributors uncommonly steep discounts, bribes can result either: 1) because the company instructs the distributor to use the excess amounts to fund corrupt payments; or 2) because the distributor pays bribes on its own, without the express direction or implicit suggestion from the company, to gain some business advantage.

Three key takeaways:

1. Creating a well-thought-out process that operationalizes your compliance program around distributor compensation in a manner that documents your decision-making calculus is key.
2. Require multiple levels of approval for an out-of-range distributor discount.
3. Tracking distributor discounts globally make your company more efficient.

Learn more about your ad choices. Visit megaphone.fm/adchoices

The key theme in termination is planning. The Office of Comptroller of the Currency (OCC), OCC Bulletin 2013-29, said that regarding third-party termination, a bank should develop a “contingency plan to ensure that the bank can transition the activities to another third party, bring the activities in-house, or discontinue the activities when a contract expires, the terms of the contract have been satisfied, in response to contract default, or in response to changes to the bank’s or third party’s business strategy.”

Although rarely considered, the termination of a third-party relationship can be as important a step as any other in the management of the third-party lifecycle. While having the contractual right to terminate is a good starting point, it is only the starting point. You not only need to have a compliance and legal plan in place but a business plan as well. If you do not, the cost in both monetary and potential business reputation can be quite high.

 Three key takeaways:

1. Termination of third parties is an oft-neglected part of the third-party risk management process.

2. Make certain you have the contractual right to terminate third parties written into your compliance terms and conditions.

3. Have a strategy in place for termination before a crisis arises.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Don’t settle for the status quo. This means that you should not settle for simply the status quo in compliance.

Hit the road in order to hit your metrics. To truly understand your compliance risk from third-parties, you must get out of the ivory tower and hit the road.

Send prospectors, not auditors. While an audit clause is critical in any third-party contract, both from a commercial and FCPA compliance perspective; you can establish a “point of contact as an innovation manager for your third-parties.”

Show and tell. As with all relationships, trust plays an important role in third-party compliance innovation, as “Firms in successful innovations discussed a willingness to share resources and rewards and to develop their partners’ capabilities.”

Who’s running the show? This means “who is doing what, but also what each firm is bringing to the relationship in terms of resources and capabilities.”

Three key takeaways:

1. Use your third-parties as innovators to assist your compliance program.
2. Change your thinking about third-parties and make them your partners.
3. Do not settle for the status quo.

Learn more about your ad choices. Visit megaphone.fm/adchoices

There are a wide variety of other factors that could increase your ROI, as detailed in the Forrester report, which include renewal assessments, ongoing monitoring, increase in business efficiencies for both your organization and the third parties, which would all work to increase ROI. Most critically, you would demonstrate the operationalization of your compliance program into the very fabric of your organization.

 Three key takeaways:

1. Why is it important to demonstrate ROI on your third-party risk management program?

2. Determining ROI helps to demonstrate operationalizing your compliance program.

3. Determining third-party management program ROI can help to tear down compliance siloes.

Learn more about your ad choices. Visit megaphone.fm/adchoices

 All of these questions make clear that the DOJ expects data analytics to be used to help detect or prevent bribery and corruption where the primary sales force used by a company is third-parties. A clear majority of FCPA violations and related enforcement actions have come from the use of third-parties. While sham contracting (i.e., using a third-party to channel the payment of a bribe) has lessened in recent years, there are related data analysis that can be performed to ascertain whether a third-party is likely performing legitimate services for your company and is not a sham. There are several more complex analytics that can be run in combination to identify suspicious third-parties, and some of the simplest can be to look for duplicate or erroneous payments. This final concept of finding patterns that can be discerned through the aggregation of huge amounts of transactions, is the next step for compliance functions. Yet data analysis does far more than simply allowing you to follow the money. It can be a part of your third-party ongoing monitoring as well by allowing you to partner the information on third-parties who might come into your company where there was no proper compliance vetting. Such capabilities are clearly where you need to be heading.

Three key takeaways:

1. Always remember to follow the money to see where a pot of money could be created to fund a bribe.
2. Transaction monitoring techniques around fraud monitoring translate to data analysis for compliance.
3. Do not forget to check names against known PEP and SDN lists.

Learn more about your ad choices. Visit megaphone.fm/adchoices

 Three key takeaways:

1. Be prepared.

2. It is not an investigative interview but an audit interview.

3. Listen, listen, and listen.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Managing your third parties is where the rubber meets the road in your overall third-party risk management program. You must execute this task. Even if you successfully navigate the first four steps in your third-party risk management program, those are in reality the easy steps. Managing the relationship is where the real work begins.

Three key takeaways:

1. Have a strategic approach to third-party risk management.
2. Rank third parties based on a variety of factors including compliance and business performance, length of the relationship, benchmarking metrics, and KPIs for ongoing monitoring and auditing.
3. Managing the relationship is where the real work begins.

Learn more about your ad choices. Visit megaphone.fm/adchoices

 Three key takeaways:

1. It all starts with a Relationship Manager.

2. Have company oversight of all third parties.

3. Audit, monitor, and remediate on an ongoing basis.

Learn more about your ad choices. Visit megaphone.fm/adchoices

How does a third party perform its services with or for your company? If it is on the sales side of things, how can a third party help you make sales? If a third party comes through the supply chain, how do their products or services meet the needs of your company? If the third party has a closer business relationship, such as a JV, teaming agreement or other similar arrangement, you may well need a much deeper understand of how this third party does business because the relationship may well become so close you will be intertwined with the party. It may mean more than simply how does their product work but how does this third party conduct themselves and their business?

 Three key takeaways:

1. The how question can be as critical as the who question.

2. The more integrated a third party is into your operations the more important this question becomes.

3. Incorporate a how question into not only your due diligence but also your ongoing monitoring and auditing, after the contract is signed.

Learn more about your ad choices. Visit megaphone.fm/adchoices

You should incorporate appropriate compliance terms and conditions into every contract with third parties. I would suggest that you prepare a template, which can be used as a starting point for your negotiations. The advantages of such a template are several, and they include: (1) the contract language is tested against real events; (2) the contract language assists the company in managing its compliance risks; (3) the contract language fits into a series of related contracts; (4) the contract language is straight-forward to administer; and (5) the contract language helps to manage the expectations of both contracting parties regarding anti-bribery and anti-corruption.

Many do not believe they will get the third party to agree to such compliance terms and conditions. I have found that while it may not be easy, it is relatively simple to get a third party to agree to these or similar terms and conditions. One approach to take is that they are not negotiable. When faced with such a position on non-commercial terms, many third parties will not fight such a position. There is some flexibility, but the DOJ will require minimum compliance terms and conditions. But the best position I have found is that if a third party agrees with these terms and conditions, they can use that as a market differentiator. 

Three key takeaways:

1. Compliance terms and conditions are mandatory for any best practices compliance program.
2. A key clause is a right-to-audit clause.
3. Third parties can favor robust compliance terms and conditions as a market differentiator.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Three key takeaways:

1. There is no set formula for clearing of red flags or the evaluation of due diligence.
2. Know when to say enough has been done.
3. You must “Document, Document, and Document” your evaluation of any red flags.

Learn more about your ad choices. Visit megaphone.fm/adchoices

The question becomes how you use the information you obtained in the business justification and the questionnaire to determine an appropriate level of due diligence for the next step in the five-step process of third-party management. A three-step approach of varying levels of due diligence is the appropriate analysis to take going forward.

There are many different approaches to the specifics of due diligence. By laying out some of the approaches, you can craft the relevant portions of your program. The Level I, II, and III trichotomy appear to have the greatest favor and one that you should be able to implement straightforwardly. But the key is to assess your company’s risk and then manage that risk. If you need to perform additional due diligence to answer questions or clear red flags you should do so. And do not forget to “Document, Document, and Document” all your due diligence.

Three key takeaways:

1. Level I due diligence should only be used where there is a low risk of corruption.
2. A Level II due diligence is sufficient in a high-risk jurisdiction if there are no red flags to be cleared.
3. Level III due diligence is deep dive, boots-on-the-ground investigation.

Learn more about your ad choices. Visit megaphone.fm/adchoices

It is stated in the 2023 ECCP that: “Risk-Based and Integrated Processes—How has the management of the company’s third-party process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes?”

Getting your arms around due diligence can sometimes seem bewildering for the compliance practitioner. The information that you gathered in Steps 1-Business Justification and 2-Questionnaire of the third-party management process should provide you with the initial information to consider the level of due diligence needed. This leads to Step 3 of the third-party management process: due diligence. The 2020 Resource Guide stated, “as part of risk-based due diligence, companies should understand the qualifications and associations of its third-party partners, including its business reputation, and relationship, if any, with foreign officials. The degree of scrutiny should increase as red flags surface.”

 Three key takeaways:

1. Risk rank your third parties and use this as a basis to begin with an adequate level of due diligence.

2. Any red flags which appear must be cleared and there must be documented evidence of such clearance.

3. There must be documented evidence of review of the due diligence.

Learn more about your ad choices. Visit megaphone.fm/adchoices