Fcpa Compliance Report

Day 1- The Third-Party Risk Management Process This month, I will consider the risk management of third parties in an operationalized compliance program. As every compliance practitioner is well aware, third parties still present the highest risk under the Foreign Corrupt Practices Act (FCPA). The Department of Justice Evaluation of Corporate Compliance Programs devotes an entire prong to third party management. It begins with the following:  Risk-Based and Integrated Processes – How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes?  This first set of queries clearly specifies the DOJ expects an integrated approach that is operationalized throughout the company. This means your compliance must have a process for the full life cycle of third party risk management. There are five steps in the life cycle of third party management

I conclude my One Month to Operationalizing your Compliance Program series by discussing how you can put your compliance program at the center of corporate strategy. An article in the Harvard Business Review (HBR) by Frank Cespedes, entitled “Putting Sales at the Center of Strategy”, discussed how to connect up management’s new sales plans with the “field realities.” Referencing the well-known Sam Waltonism that “There ain’t many customers at headquarters”; Cespedes believes that “If you and your team can’t make the crucial connections between strategy and sales, then no matter how much you invest in social media or worry about disruptive innovations, you may end up pressing for better execution when you actually need a better strategy or changing strategic direction when you should be focusing on the basics in the field.”  This can be a critical problem when operationalizing compliance because operationalizing compliance is usually perceived as a top-down exercise. The reality that the employee base that mus

Show Notes for Episode 46, for the week ending March 31, the On the Road to Prague Edition  In this episode, Jay and I have a wide-ranging discussion on operationalizing compliance through business processes. We discuss:  Why powerful people fail to stop bad behavior by their underlings. Click here for the article. Some policy management lesson, courtesy United Airlines. Click here for Matt Kelly’s article on Radical Compliance. Why you shouldn’t linger too long in the wrong compliance position. See Julie DiMauro’s blog post on the FCPA Blog. Bribe recipient in the Gerald and Patricia Green FCPA case gets 50 years in prison. See article in the FCPA Blog. Using data to operationalize your compliance program. Read Tom’s blog post, by clicking here. What the New York state Department of Financial Services new regulation on cybersecurity for financial services companies means for compliance officers. See Tom’s blog post by clicking here. Jay previews his weekend report.  Jay Rosen new contact information:

The Evaluation of Corporate Compliance Programs, Prong 6, Incentives and Disciplinary Measures states:  Incentive System – How has the company incentivized compliance and ethical behavior? How has the company considered the potential negative compliance implications of its incentives and rewards? Have there been specific examples of actions taken (e.g., promotions or awards denied) as a result of compliance and ethics considerations? How can you measure compliance in senior management or evaluate it for the purposes of a bonus calculation? This issue has often been difficult to sustain in a company because the compliance evaluation of whether a senior manager or company leader is often viewed as too subjective. An article entitled, “Integrating Your Compliance Programme Into the Variable Compensation of Executives, addressed these issues and concerns.  The article was built around a case study of the Sorin Group, a healthcare multinational, and the company’s incentive program for its compliance regime. The co

In this episode I visit with Brandon Essig, a former DOJ prosecutor when the Yates Memo was released. He discusses the impact of the Yates Memo inside the DOJ and the triage that prosecutors use on cases in response. For Brandon's blog post on the topic on Linkedin, click here. Learn more about your ad choices. Visit megaphone.fm/adchoices

Even with a great Tone-At-the-Top and in the middle, you cannot stop. One of the greatest challenges of a compliance practitioner is how to affect the ‘tone at the bottom’. In an article in the Spring 2012 Issue of the MIT Sloan Management Review, entitled “Uncommon Sense: How to Turn Distinctive Beliefs Into Action”, authors explored the “often overlooked, critical source of differentiation is [a] company’s beliefs” and provided techniques on how to tap into these beliefs. The authors listed seven approaches that they have used which I believe that the compliance practitioner can use to not only determine ‘Tone at the Bottom” but to impact that tone. They are as follows:  Assemble a group. You need to assemble a group of employees who are familiar with the challenges of doing business in a compliant manner in certain geographic regions. Include both long-time employees and those who are relatively new to the organization. The authors also suggest that if you have any employees who have worked for competitor

In this episode I visit with Jonathan Armstrong on his views on the new DOJ Evaluation of Corporate Compliance Programs. Armstrong provides a detailed analysis of some of the key differences between how compliance is operationalized in the US as opposed to the UK and EU countries. He explains how the enhanced requirements for root cause analysis, risk assessments and investigations and the supplemented requirements to tie back into the ongoing compliance monitoring and updating, could run afoul of UK and EU data protection and data privacy requirements.  He also considers what a non-US company, subject to the FCPA what should look to as a best practices compliance program to best protect the organization. Finally explores just how far does all of this go? He provides on statistic that puts a huge bow on the difficulties going forward.  For the Cordery Compliance article see the following, US Department of Justice on Evaluation of Corporate Compliance : how does it compare to UK Bribery Act 2010?Learn more abo

The Evaluation of Corporate Compliance Programs makes clear, a company must have more than simply at good ‘Tone-at-the-Top’; it must move it down through the organization from senior management down to middle management and into its lower ranks. This means that one of the tasks of any company, including its compliance organization is to get middle management to respect the stated ethics and values of a company, because if they do so, this will be communicated down through the organization. Adam Bryant, writing in the NYT in an article entitled, “If the Supervisors Respect Values, So Will Everyone Else”; explored this topic when he interviewed Victoria Ransom, the Chief Executive Officer (CEO) of Wildfire, a company which provides social media marketing software. Ransom spoke about the role of senior management in communicating ethical values when she was quoted as saying “Another lesson I’ve learned as the company grows is that you’re only as good as the leaders you have underneath you. And that was sometimes

In this episode, we take a look at a recent speech given by NY Fed Chairman William Dudley in London where he addressed improving corporate culture. Dudley provided three recommended steps. First, a bank must decide on its purpose and core values—or, as Dudley put it, “What are you for?” Second, after this identification of purposes and values, you can measure how well the workforce is striving to achieve that purpose. Third a bank can set its incentives so employees work harder to achieve those goals. As usual, Matt and I take a deep dive into the issue of enhancing corporate culture. For more on the speech, see Matt's blog post on Radical Compliance entitled, "Great Speech About Improving Corporate Culture".Learn more about your ad choices. Visit megaphone.fm/adchoices

Under the Evaluation of Corporate Compliance Programs, Prong 2, it states: Senior and Middle Management Conduct at the Top – How have senior leaders, through their words and actions, encouraged or discouraged the type of misconduct in question? What concrete actions have they taken to demonstrate leadership in the company’s compliance and remediation efforts? How does the company monitor its senior leadership’s behavior? How has senior leadership modelled proper behavior to subordinates? This requirement is more than simply the ubiquitous ‘tone-at-the-top’ as here the Justice Department wants to see a company’s senior leadership actually doing compliance. How can senior management operationalize compliance going forward? One of the best places to start is the article from the Harvard Business Review by Professor Lynn Paine entitled, “Managing for Organizational Integrity”. Larry Thompson, former PepsiCo Senior Vice President of Governmental Affairs, General Counsel and Secretary, discussed the work of Profe

In  this episode, I visit with Erica Salmon Bryne, EVP at Ethisphere on the 2017 World's Most Ethical Companies honorees. Erica goes into how the corporate compliance programs are evaluated, what the companies disclose to Ethisphere and how the winners consistently demonstrate compliance is good for business. Check out more information on Ethisphere's site by clicking here. Learn more about your ad choices. Visit megaphone.fm/adchoices

  In this episode, Jay and I have a wide-ranging discussion on why good compliance and is good for business. We discuss:  LRN Ethics and Compliance Program Effectiveness Report. Click here for Report. Ethisphere’s 2017 World’s Most Ethical Companies. Click here for Report. Why good compliance is good for business. See Tom’s blog post. Women in compliance: A key to organizational diversity. See article in the FCPA Blog. ECI Podcast: Engaging With Your Monitor: Best Practices from ECI’s Independent Monitor Benchmarking Group. To listen to the podcast, click here. Jay previews his weekend report. Tom previews a presentation he will give with Jenny O’Brien and Roy Snell at the SCCE European Ethics and Compliance Institute in April. Jay previews a presentation at the same event by Eric Feldman of Affiliated Monitors. For more information on the event, check it out by clicking here.  Jay Rosen new contact information: Jay Rosen, CCEP Vice President, Business Development Monitoring Specialist  Affiliated Monitors

The Department of Justice Evaluation of Corporate Compliance Programs states, in Prong 10, Third Party Relationships:  Management of Relationships – How has the company considered and analyzed the third party’s incentive model against compliance risks? How has the company monitored the third parties in question? How has the company trained the relationship managers about what the compliance risks are and how to manage them? How has the company incentivized compliance and ethical behavior by third parties?  If you do not manage the relationship it can all go downhill very quickly and you might find yourself with a potential FCPA violation. Now the DOJ has explicitly adopted this approach as a key determination of whether you have operationalized your compliance program. There are several different ways that you should manage your post-contract relationship.  Relationship Manager  There should be a Relationship Manager for every third party which the company does business with through the sales chain. The Relat

The Evaluation, in Prong 10, Third Part Management asks, “What was the business rationale for the use of the third party in question?” This question is one of the most basic tools to operationalize your compliance program and should form the basis of your third party risk management process.  It is common sense that you should have a business rationale to hire or use a third party. If that third party is in the sales chain of your international business it is important to understand why you need to have a particular third party representing your company. This concept is enshrined in the FCPA Guidance, which says “companies should have an understanding of the business rationale for including the third party in the transaction. Among other things, the company should understand the role of and need for the third party and ensure that the contract terms specifically describe the ser­vices to be performed.”  The Internal Revenue Service (IRS) also considers a business rationale to be an important part of any best

This episode is dedicated to the Justice Department’s Evaluation of Corporate Compliance Programs, which was released in February. In this episode, Jay Rosen and Jonathan Armstrong provide next insight. Listen to last week’s Episode 8 for commentary from Matt Kelly and Mike Volkov.    Jay Rosen, reporting from the ABA White Collar Conference in Miami, considers the view from the vendor perspective and whether the Evaluation changes a conversation about doing compliance. He reviews the requirements for ongoing monitoring, risk assessments and root cause analysis and the need for companies to explain how something might have fallen through the cracks, leading to a FCPA incident. He points out how CCOs can test a company’s compliance systems. For Jay Rosen’s post see, Still in the Enforcement Business and Evaluation of Corporate Compliance Programs Jonathan Armstrong provides a detailed analysis of some of the key differences between how compliance is operationalized in the US as opposed to the UK and EU cou

From the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs:  Autonomy and Resources  Stature – How has the compliance function compared with other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources, and access to key decision-makers? What has been the turnover rate for compliance and relevant control function personnel? What role has compliance played in the company’s strategic and operational decisions?   Experience and Qualifications – Have the compliance and control personnel had the appropriate experience and qualifications for their roles and responsibilities?   While the DOJ’s stated position that it does not concern itself with whether the CCO reports to the General Counsel (GC) or reports independently, but it is more concerned about whether the CCO has the voice to go to the Chief Executive Officer (CEO) or Board of Directors directly, without going through the GC first. Even if the answer were yes, the DOJ woul

In this episode I visit with Susan Divers from LRN on the firm's 2016 Ethics and Compliance Program Effectiveness Report. Highlights include:Why did LRN do the report? What did it hope to determine? A summarization of its key findings. Why a focus on structural elements of a compliance program is no longer sufficient. Why a check the box analysis not adequate for judging program effectiveness. Finally the new focus on on ethical culture and behavior and why answering questions around “level of trust” is so critical. For a full copy of the report, you can download it here.   Learn more about your ad choices. Visit megaphone.fm/adchoices

Prong 6, Training and Communication, of the Justice Department’s Evaluation of Corporate Compliance Programs reads, in part:  Form/Content/Effectiveness of Training – Has the training been offered in the form and language appropriate for the intended audience? How has the company measured the effectiveness of the training?  Most companies have not considered this issue, the effectiveness of their compliance program. I would suggest that you start at the beginning of an evaluation and move outward. This means starting with attendance, which many companies tend to overlook. You should determine that all senior management and company Board members have attended compliance training. You should review the documentation of attendance and confirm this attendance. Make your department, or group leaders, accountable for the attendance of their direct reports and so on down the chain. Evidence of training is important to create an audit trail for any internal or external assessment or audit of your training program.  O

In this inaugural episode of the FCPA Compliance Report-International Edition, I have Carlos Ayres, a partner in Madea, Ayres and Sarubbi in Sao Paulo. We discuss an  interesting development from the Odebrecht corruption scandal, federal prosecutors in Brazil and ten other countries recently announced they had agreed to cooperate in ongoing investigations surrounding the company. The Odebrecht case involved bribery and corruption allegations reaching multiple countries throughout the Americas. Now reports indicate that officials from Brazil, Argentina, Chile, Colombia, the Dominican Republic, Panama, Mexico, Peru and even the notoriously corrupt Venezuela, along with the European nation of Portugal, have agreed to “start a combined task force with bilateral and multilateral investigative teams to coordinate a probe” of the company. We also discuss recent reports which indicate show companies in Brazil are taking this approach in response to the country’s more aggressive enforcement against endemic corruption

The Justice Department Evaluation of Corporate Compliance Programs states the following around training: Training and Communications Risk-Based Training – What training have employees in relevant control functions received? Has the company provided tailored training for high-risk and control employees that addressed the risks in the area where the misconduct occurred? What analysis has the company undertaken to determine who should be trained and on what subjects? I thought about the requirement for tailored training and how this leads to operationalizing your compliance program. Consider the current best practices to tailor your compliance training. It is through a risk ranking system of employee job duties or positions which is usually done by someone from the corporate compliance function reviewing lists of employees and then matching up their job duties, focusing on those involved in international operations which have foreign government or state owned enterprise touchpoints. Most usually it targets emp