FCPA Compliance and Ethics Blog

January 19, 2011

Being a Great (Compliance) Leader

Filed under: Leadership — tfoxlaw @ 9:03 pm

In the most recent issue of the Harvard Business Review, writers Linda Hill and Kent Lineback posed the question, “Are You a Good Boss – Or a Great One?” In this article they explore what they believe to be some of the imperatives of going from a good boss to a great boss. Recognizing that the focus of the article is to help people grow as leaders within their businesses, we believe that their ideas have application in the compliance arena. We will therefore review the article with an emphasis on helping employees to become great compliance leaders, whether you measure compliance through the US Foreign Corrupt Practices Act (FCPA), the UK Bribery Act or any other standard.

Hill and Lineback begin with the thesis that most managers underestimate the transformational nature of the challenge of their roles as company leaders. To be a great leader a person must be dynamic and not complacent. If a leader stops growing and improving they run the risk of becoming a terrible boss. The authors believe that most managers stop working on themselves at some point in their career. Many managers are afraid of failure and this leads to a fear of change. Others do not receive proper training or support from their companies. Whatever the cause, the authors believe that most managers stop making progress because “they simply don’t know how to.” Even when there is adequate company support for change, it is sometimes difficult to know what is required to become an effective manager.

To aid such persons, the authors have developed what they term the “3 imperatives” to help managers on their “journey to becoming great bosses.” These imperatives are (1) Manage Yourself; (2) Manage Your Network; and (3) Manage Your Team. We will review these and reference how they apply to being a great compliance leader.

Manage Yourself

The authors believe that most employees ask “Can I trust this person?” Leadership results, in large part, from the answer to this question. The authors state that trust has two components: the first is that the leader has confidence in his or her own competence, and the second is that employees have trust in the manager’s character. This means that your motives are good and that you want people to do well. If these characteristics are present, a manager should be able to influence others.

Manage Your Network

The authors believe that building key relationships throughout an organization puts a manager on the road to success. This means nurturing a broad network of company employees who can influence specific areas and departments within a company. As scarce resources must be reckoned with on any project, the person who can show the interdependence of seemingly disparate groups, which may have conflicting goals and priorities, is the manager who achieves the most. This relationship building can be a key way to influence others within an organization over whom a manager does not have direct control.

Manage Your Team

The authors believe that managing a team is a different dynamic than managing one-on-one. If a manager can influence a team, they have a greater chance of success, as employees tend to be more creative and productive when working in groups. Accountability to other team members and a genuine conviction that they are all in it together can lead to a group coalescing into a team. The culture of any team is important: values, standards and norms guide employees in what is expected of them. Attention must be paid to all team members, and recognition for individual efforts within the team can bring greater effectiveness as well.

To be a great compliance leader, the compliance professional must use all of these techniques. To achieve many compliance goals within a company requires a manager to exert a great amount of influence. The techniques set out by the authors provide direct tools for the compliance professional to utilize in this task. Managing employees within any compliance department is the first step. A compliance professional must reach out across an organization to all groups and departments to develop relationships which can be used in furthering a company’s compliance goals. The foundation of this strong network is created by a compelling team. A strong network will allow your compliance team a path to achieve its goals within the company. But knowing where you are going is only half of the journey. The authors end with the admonition that “you need to know at all times where you are on the journey and what you must do to make progress.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011


Jonathan Marks 13-Step FCPA Compliance Action Plan-the details

Ed. Note: we recently blogged about Jonathan Marks’ 13 Step FCPA Compliance Action Plan. Jonathan received numerous requests for more information on the plan and so he fleshed it out in a blog posting yesterday on his blog site, the FCPAExpert. He graciously allowed us to repost the details of his plan today. Jonathan Marks can be reached via email at jonathantmarks@verizon.net and phone at 267-261-4947.

On January 11, 2011, Tom Fox (see the Blog post below) was kind enough to post the “13 Step FCPA Compliance Action Plan” that I cobbled together.  Since that time I have received many calls and e-mails for more information, so I decided to post it for others to consider using in practice.  My goal is to continuously tweak the plan.  Your suggestions and comments are always welcome.

13 Step FCPA Compliance Action Plan

Note:  The draft guidance is not prescriptive and does not detail specific anti-bribery measures, but instead adopts a principles-based approach, which is intended to be used as a guide by a company when implementing their own anti-bribery compliance programs.


The audit committee is responsible for overseeing the financial reporting process and controls, the internal audit function, and the external auditors, including the appointment of the company’s external auditor. It oversees management’s implementation of policies that are intended to foster an ethical environment and mitigate financial reporting risks. In this process, the audit committee has the responsibility to see that management designs, documents, and operates effective controls to reduce the risk of financial reporting fraud to an acceptable level. The Sarbanes-Oxley Act also makes the audit committee responsible for establishing mechanisms for the receipt, retention, and treatment of complaints received by the company regarding accounting, internal accounting controls, or audit matters, and confidential, anonymous submissions by employees of concerns regarding questionable accounting and auditing matters (generally referred to as the ethics or whistleblower program).

In addition, it is increasingly common for the audit committee to have a link with the compensation committee through overlapping members, joint meetings, or attendance of the audit committee chair at certain compensation committee meetings. The objective of this process is to satisfy both committees that the executive compensation structure provides sound incentives for achieving corporate strategies without unintentionally providing motivations for fraud or other unethical behavior. The focus on compensation structures will likely increase as a result of legislation and regulatory rules regarding corporate compensation policies and practices.

Source: Center for Audit Quality Anti-Fraud Report: Deterring and Detecting Financial Reporting Fraud: A Platform for Action

1. Top level commitment – “Tone from The Top”

  • Top-level management (usually the board of directors and senior executives) must establish a culture within their company in which bribery is unacceptable.  They also should ensure that the company’s policy to operate without bribery is effectively communicated throughout the company.  The draft guidance provides examples of what top-level commitment should include:
      • a “zero tolerance policy” toward bribery in all parts of the company’s operation;
      • clear explanation of the consequences that employees and business partners will suffer if they violate the corporate policy;
      • personal involvement in the development of a code of conduct, or ensuring the publication and communication of anti-bribery measures to all employees, subsidiaries and business partners; and,
      • appointing a senior manager to oversee the development of an effective anti-bribery program.
  • “Top level commitment” is another commonly identified element of an effective compliance program.  This principle, as articulated in the draft guidance, appears to combine the requirement of a strong “tone at the top,” noted by almost every respected guide on compliance programs from the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) to the US Department of Justice, and the need for a clear, firm anti-bribery policy, a principle also widely endorsed in the compliance literature and by governmental organizations.

2. Corruption and Bribery Risk Assessment

The OECD Good Practice states that a compliance program should be developed on the basis of a risk assessment.

Conduct a comprehensive review of the company and assess the potential bribery and corruption risks associated with its products and services, customers, third-party business partners and geographic locations where it operates.

The risk assessment can serve as the documented rationale for the compliance program.

Businesses must be aware of the current bribery risks they face in the sectors and markets in which they operate.  The proper nature of any risk assessment procedures will depend on the size of the company, as well as its activities, customers and markets.  But companies are generally advised to consider the following:

  • Whether those performing the risk assessment are “adequately skilled”; and,
  • What data sources should inform the risk assessment.  The draft guidance suggests the use of internal data (annual audit reports, internal investigation reports, focus groups and staff, client or customer complaints) and external data (analyzing publicly available information on bribery issues in particular sectors or jurisdictions).

For multinational corporations already subject to the US Foreign Corrupt Practices Act (“FCPA”) and other anti-bribery enforcement regimes, this requirement should be no surprise.  Section 8B2.1 of the US Sentencing Guidelines for Organizations already lists periodic risk assessments as a component of an effective compliance program.  And the OECD’s Working Group on Bribery in International Business Transactions issued guidance in November 2009 that similarly advised risk assessments as a good practice for companies.  Regardless of official guidance, no company can properly design a compliance program without identifying and understanding the risks it wishes to guard against.

3. Internal Controls

  • Most companies struggle with implementing mitigating controls to support their internal anti-bribery and anti-corruption policies.
  • Develop, document and maintain a system of internal financial controls to ensure that all payments are accurately recorded in the company’s books and records in accordance with applicable regulatory requirements.
  • Special attention should be paid to those areas that may directly affect the anti-bribery and corruption compliance program such as procurement, on-boarding of vendors, agents, consultants, and other third-party business payees.
  • Gifts and entertainment controls.  Managing the offering and receiving of corporate gifts, entertainment and travel has become increasingly important in today’s environment of increasing regulatory oversight. Gifts given with the best of intention can be incorrectly perceived and lead to millions of dollars in government fines, as well as loss of potential business.

4. Structuring and Defining Roles & Responsibilities

  • Anti-corruption director (See Daimler)
  • Chief Compliance Officer or Other Senior Corporate Official
  • The assignment of responsibility to one or more senior corporate officials for implementation (see discussion within) and oversight of compliance with policies, standards and procedures regarding the FCPA and other applicable anti-corruption laws, with such official(s) having the authority to report matters directly to the Board.
  • Understanding the US Sentencing Guidelines changes that became effective on November 1, 2010, and included a change related to the Direct Report. The amendment changed the reporting structure in companies where the Chief Compliance Officer (CCO) reports to the General Counsel (GC) rather than a committee on the Board of Directors.  The change reads “the individual…with operational responsibility for the compliance and ethics program…have direct reporting obligations to the governing authority or any appropriate subgroup… (e.g. an audit committee or the board of directors)”. If a company has the CCO reporting to the GC, who then reports to the Board, such structure may not qualify as an effective compliance and ethics program under the amended Sentencing Guidelines. The better practice would now appear to be that the CCO should be a direct report to the Board or appropriate subcommittee of the Board such as compliance or audit.

5. Risk-based Third Party Due Diligence

  • Develop and document an investigative due diligence protocol that will assess the potential bribery and corruption risks associated with third parties such as vendors, consultants, suppliers, agents and joint venture partners.
  • The nature and extent of the investigative due diligence should be based on the third party’s risk profile.
  • The protocol should set forth the remedial steps that may be taken for those parties that represent an elevated risk of bribery and corruption, including, but not limited to escalated due diligence or the termination of the relationship.
  • Types or Levels of Due Diligence:
      • Basic: simple database checks
      • Medium: more in-depth review
      • High: reputation checks, site visits, forensic review of financial statements, and investigative procedures outside the US

6. Clear, Practical, Current, And Accessible Policies And Procedures

  • There should be a clearly articulated policy against bribery and corruption that enforces a tone of compliance from the board and management.
  • Procedures and processes that clearly set forth permitted and prohibited conduct, supervisory and compliance approvals for certain conduct and documentation of such approvals.

7. Documenting a Detailed Multi-year Compliance Plan

Companies must embed anti-bribery policies and procedures throughout the business.  “Paper compliance” is insufficient.  Companies should consider establishing an implementation strategy detailing the rollout of these policies and procedures:

  • Who bears responsibility for program implementation;
  • How to communicate the policies and procedures internally and externally;
  • The content and nature of anti-bribery training and how to roll it out effectively;
  • How senior management will monitor the program’s implementation;
  • Whether and how the company will use external assurance processes;
  • The processes for monitoring compliance;
  • The implementation timetable;
  • An explicit statement of penalties for violating relevant anti-bribery policies and procedures;
  • The date of the program’s next review; and
  • A decision on whether to require or suggest that business partners take part in anti-corruption training courses.

Warning!  The statement that “paper compliance” is insufficient echoes warnings issued numerous times by US enforcement officials.  Indeed, US Deputy Attorney General Mark Filip’s famous 2008 memorandum on prosecuting business organizations explicitly cautions that a mere “paper program,” lacking the necessary design, implementation, and review, will not protect a company from prosecution.

8. Appropriate Disciplinary Procedures To Address Violations

Appropriate disciplinary procedures to address, among other things, violations of FCPA, UK Bribery Act, and other applicable anti-corruption laws or compliance code by directors, agents and business partners.

9. Ensuring Robust Monitoring and Review (Utilizing Internal Audit)

  • Develop and document processes and/or controls to periodically assess the effectiveness of the compliance program and potential vulnerabilities and monitor for employee compliance.
  • Such processes may include periodic testing and validation, review of available metrics and design of self-assessment forms and exercises.

10. Training

Develop training materials that clearly and concisely interpret applicable legal, regulatory, policy and procedural requirements as well as the possible ramifications associated with non-compliance. The training materials should be reviewed periodically to ensure their continued adequacy.

Training should be provided regularly to senior management and key compliance and business personnel.

11. An Effective System for Reporting Suspected Criminal Conduct and/or Violations of the Applicable Anticorruption Laws for Directors, Employees, Agents and Business Partners.

Develop and maintain a system for receiving complaints containing allegations of bribery and corruption as well as a system to investigate such allegations and document the actions taken with respect to such complaints and investigations.

12. Other Risk Mitigation Procedures

  • Standard provisions in contracts and agreements that include at a minimum:
      • Anti-corruption representations and undertakings relating to compliance with FCPA, UK Bribery Act and other applicable anti-corruption laws;
      • Rights to conduct audits of the books and records; and
      • Rights to terminate as a result of any violation of anti-corruption laws, and regulations or representations and undertakings related to such matters.

13. Annual Testing of The Compliance Program

The US Sentencing Guidelines state that there should be periodic reviews of a company’s compliance program, utilizing internal resources, such as a company’s Internal Audit function, and outside professional consultants. (emphasis added)

The OECD Good Practice states that a compliance program should be developed on the basis of a risk assessment addressing the individual circumstances of a company, in particular the foreign bribery risks facing the company (such as its geographical and industrial sector of operation). Such circumstances and risks should be regularly monitored, re-assessed, and adapted as necessary to ensure the continued effectiveness of the company’s internal controls, ethics, and compliance program or measures.

The UK Bribery Act Consultative Guidance, recently released by the UK Ministry of Justice, requires ongoing risk review, monitoring, and review by noting that a compliance program and procedures should be reviewed regularly and encourages senior management of higher risk and larger companies to consider external verification or assurance of the effectiveness of anti-bribery policies.

In a recent speech, Assistant Attorney General for the Criminal Division of the US Department of Justice, Lanny Breuer, indicated that such an external verification or assurance of the effectiveness of a compliance program is a key component to assist a company in maintaining a ‘best practices’ FCPA compliance program. He noted that it is through a mechanism such as an ongoing assessment that a company could continue to evaluate its own compliance program with reference to compliance standards, which are evolving. Breuer has advocated an annual compliance program assessment by each company and I do as well.

Higher risk and larger companies should consider external verification or assurance of the effectiveness of anti-bribery policies.
