Tribute to Sir Christopher Lee and Release of New Book for CCOs

Sir Christopher Lee died yesterday. For several generations of horror movie fans, he was simply Dracula, having starred in the role for Hammer Films in the 1950s through the 1980s. Yet for another couple of generations of movie aficionados, he was known for his work in the later Star Wars series as Count Dooku in both Star Wars: Episode II — Attack of the Clones and in Star Wars: Episode III — Revenge of the Sith. He was also the wizard Saruman in Peter Jackson’s Lord of the Rings films.

His characterization of Dracula may have been closer to what Dracula’s creator, Bram Stoker, had envisioned. According to his obituary in The Telegraph, Lee “imbued the character with a dynamic, feral quality that had been lacking in earlier portrayals.” The first Hammer Dracula film was the most successful. The Telegraph stated, “With Cushing cast this time as the vampire hunter, Dracula (retitled Horror of Dracula in America) was a box-office success for Hammer and horror aficionados at the time labelled it “the greatest horror movie ever made”. Lee also regarded it as the best of the series of Dracula films that he made with Hammer. “It’s the only one I’ve done that’s any good,” he recalled. “It’s the only one that remotely resembles the book.””

Lee’s creativeness and greatness in the roles he has played lead-in to my topic today. I am extremely pleased to announce that my latest book CCO 2.0 | Internal Marketer and Soft Skills Required has been published and is now available from Compliance Week. CCO 2.0 provides the Chief Compliance Officer (CCO) and compliance practitioner with some of the most current ideas on the types of skills that a compliance officer might need and how to market the compliance function within the corporate environment.

In the Internal Marketer section, I take on such topics as The Five Golden Rules of Internal Marketing Compliance; Internal Marketing of a Compliance Program; Getting Employees to Care about a Compliance Program; Getting Your Employees to Internally Market Your Compliance Program; Internal Advertising of Your Compliance Program and Funding Your Compliance Program.

In the sections of soft skills I discuss skills the CCO or compliance practitioner can use to move forward the compliance agenda in a company. I discuss such topics as the use of influence by a CCO; Four Keys to Compliance Leadership; the CCO as Chief Persuasion Officer; the CCO as Chief Collaboration Officer; Communications tips for the compliance professional; putting compliance at the center of strategy and why compliance is different than legal function.

The book is available in paperback and eBook formats and you can find both by clicking here.

While you are on the Compliance Week site, I would also suggest that you take at look at my seminal work on creation, implementation and enhancement of an anti-corruption compliance program, Doing Compliance. If there is one book in your library on how to do compliance, this book is it. In this book I discuss the requirements to build, and execute, a modern compliance program. With a focus on anti-bribery and anti-corruption issues, the book first reviews the basic building blocks a compliance officer needs (code of conduct, policies and procedures, internal controls), moves on to address the proper role and autonomy of a CCO, delves into the most important CCO duties (risk assessment, training, investigations), and always offers practical examples and advice for how a compliance program should work.

Best of all, the paperback and eBook both have newly reduced pricing which should make it a ‘must have’ for every member of your compliance team. The book is available by clicking here.

Finally, if you have not yet checked out my podcasts, after you check out my latest two books, published by Compliance Week, you should head over to the FCPA Compliance and Ethics Report or iTunes to check out the latest editions. Some of the highlights are:

Episodes 163 and 166 deal with the FIFA indictments.

Episode 164 – MissionLogPodcast.com co-host John Champion returns to discuss Star Trek – The Next Generation (TNG) and the leadership lessons from Season One of TNG.

Episode 165 – I discuss the BHP FCPA enforcement action and its implications for the compliance practitioner as a strict liability standard because there was no evidence of bribery presented by the Securities and Exchange Commission (SEC).

Episode 167 – Mara Senn returns to share her top ten practices for cross-border investigations. Senn has some important and useful tips to help the CCO or compliance practitioner think through an approach for an international FCPA investigation.

Episode 168 – Noted criminal defense attorney Dan Cogdell discusses criminal procedure and funding your defense costs, in the defense of an individual Foreign Corrupt Practices Act (FCPA) enforcement action. With all the talk coming about the Department of Justice (DOJ) and FCPA commentariat about the need for individual prosecutions, this episode is timely.

Lastly, after you have purchased my two latest books and checked out my podcasts, I would urge you to head on over to Netflix and settle in with Sir Christopher Lee and his great Hammer films. They are the top of 1950s horror movies.

A happy weekend to all.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Code of Conduct, Compliance Policies and Procedures-Part II

This week, I am reviewing the importance of a Code of Conduct and anti-corruption compliance policies and procedures in your compliance program and how you should go about drafting or updating Code of Conduct and anti-corruption compliance policies and procedures. Yesterday, I reviewed the underlying legal and statutory basis for the documents as a foundation of your overall anti-corruption regime. Today, I want to look at how to go about drafting your Code of Conduct. In subsequent posts, I will consider both anti-corruption compliance policies and procedures and how to assess, review and revise them and your Code of Conduct on a timely basis.

What is the value of having a Code of Conduct? I have heard many business folks ask that question over the years. In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven to “wave in a defense situation” by claiming that “see we have one”. But is such a legalistic code effective? Is a Code of Conduct more than simply, your company’s law? What is it that makes a Code of Conduct effective? What should be the goal in the creation of your company’s Code of Conduct?

Carol Switzer, President of the Open Compliance and Ethics Group (OCEG), explored some of these questions in an article in Compliance Week, entitled “The Code of Conduct Conundrum”. As a part of her article, Switzer interviewed Jimmy Lin, Vice President (VP) of Product Management and Corporate Development at The Network, and Kendall Tieck, VP of Internal Audit at Workday, for their thoughts on what makes an effective Code of Conduct.

Tieck views a Code of Conduct as not simply a static piece of paper or document “but as a set of expected behaviors that are integral to the fabric of the business and an organization’s value system. A Code of Conduct is not a compliance activity, but how an entity demonstrates integrity and acquires trust from markets, shareholders, customers, partners, and governments. To achieve these outcomes, a careful plan, aligned with a policy lifecycle management framework, should articulate how the Code is integrated in the core of the company’s activities and culture.”

Switzer believes that one of the key components of a best practices Code of Conduct is to integrate the connection between a business’ objectives, its risk and compliance management. There are numerous factors, which can move a company towards having such an effective integration. Switzer wrote that some of these include, “external stakeholder expectations and pressures, internal culture and context, objectives for the code, process of development and implementation, content of the code, consequences for non-conforming conduct, strength of sub-codes (e.g. policies), and employee character.”

Switzer ends her piece by relating that there is a huge benefit to a company for a well thought out Code of Conduct, as a tool to drive both corporate values and sinew the expectations of conduct into the fabric of the company. By designing a Code of Conduct, which can be measured for effectiveness, you can continuously keep the goals moving.

A GRC Illustrated series, provided with Switzer’s article, entitled “The Next Generation Code of Conduct”, lays out six steps for the compliance practitioner to think through and implement during a Code of Conduct upgrade or rewrite. These six steps are (1) design; (2) deliver; (3) interact; (4) measure; (5) maintain; and (6) improve.

Design

Under this step, a company needs to define the behavior that it desires to inspire and allow employees to collaborate at all levels. Lin, said that a key aspect was relevancy, “But times change—business environments change, cultures change, risk appetites change. We all need to keep in mind that the Code, the ultimate policy, should not be a stale document on the shelf. It needs to inspire, engage, and change with the organization.” Tieck said that your Code of Conduct should be “considered a part of the entity’s overall policy landscape. Leveraging an effective policy lifecycle management framework will promote integration and alignment across the policy governance landscape.”

Deliver

Switzer also identified the delivery of a Code of Conduct as a key element of its effectiveness. She said, “modern communication methods that allow the user to engage, interact, and research further behind the Code into related policies, procedures, and helplines for additional guidance can be better monitored and measured. Code content that is integrated with efforts to monitor changes in the external and internal environment can be updated as needed rather than on a static schedule.” This should also include relevant third parties such as suppliers and sales agents. “And failure to comply with the Code can be better identified and tracked, indicating possible need for clarification, additional training, or better screening of employees.”

Interact

Lin pointed out that a Code of Conduct is both a corporate governance document and a marketing document. As such you will need to create a marketing campaign to get the message of your Code of Conduct out to not only your employee base but also relevant third parties. If you have a large number of non-English speaking personnel or employees without access to online training, these factors need to be considered when determining the delivery method.

Measure

Initially, you should prioritize both qualitative results with positive feedback by including such metrics as speed of completion, reminders, which must be sent to facilitate completion of Code of Conduct training, and the percent of employees and third parties who attest to the review of your Code of Conduct. You should also measure the effectiveness of your communication campaign. Tieck suggests drilling down further because each component of your Code of Conduct sets “an expected behavior. Selecting a few critical behaviors to measure and monitor may be adequate for most organizations. These selected measures might represent an aggregate measure of the overall conformance to the code. Large organizations may be able to mine HR data to capture statistics associated with the identified behaviors. For instance, termination reason codes may be one source.”

Maintain

All commentators note that it is important to keep your Code of Conduct design and content fresh. One of the ways to do so is by employee feedback, which can assist you in identifying if your Code of Conduct is not only effective, but also truly reflective of your company’s culture. Lin points out that to gain these insights you need to incorporate both formal and informal techniques for gauging the relevant employee and third party populations. He states, “Questionnaires, surveys, forms and hotlines can be good anonymous sources, but engaging employees in conversation is just as, if not more, important. Make sure executives and managers alike spend time in small-group and one-on-one conversations. Have these conversations throughout the year and across your employee base to get the “real” story. This helps engage the employees and ensure they know you value their input.”

Improve

OCEG advocates that your Code of Conduct should be evaluated for revision at least every two years. This should be done to keep abreast of the changes in laws and regulations and your own business operations and risk tolerances. Switzer said, “Code content that is integrated with efforts to monitor changes in the external and internal environment can be updated as needed rather than on a static schedule.”

Switzer ends her piece by relating that there is a huge benefit to a company for a well thought out Code of Conduct, as a tool to drive both corporate values and sinew the expectations of conduct into the fabric of the company. By designing a Code of Conduct, which can be measured for effectiveness, you can continuously keep the goals moving.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

From the Bad Boy Pistons to GRC: The Building Blocks of Compliance

I recently watched the ESPN documentary series 30-for-30 on the Bad Boy Detroit Pistons from the late 1980s and early 1990s. It was a great review of a different era of the National Basketball Association (NBA) and the perfect way to get ready for the current playoffs, even if the Rockets did choke their way out of Round 1 as usual. But more than great entertainment, the show focused on the building blocks of a pro basketball team. The Pistons were created player by player who were pieces of the overall team structure. The team then had to become battle hardened by losing some tough playoff games, first in the Eastern Conference to Boson and then in the NBA Championship to the Lakers, before they eventually succeeded in becoming two time NBA champs. In other words, it was a lengthy process, which started in 1982 when the Pistons drafted Isaiah Thomas and it took almost 10 years for them to win the title.

I thought about this process orientation when I read a GRC Illustrated series article in the March issue of Compliance Week, , entitled “The Principled Performance Vision”, by Carole Switzer, co-founder and President of the Open Compliance and Ethics Group (OCEG) and Scott L. Mitchell, the co-founder and Chair of OCEG. In their article, and accompanying GRC Illustrated presentation entitled “Pathway to Principled Performance”, they discuss the need for companies to have a mechanism to address ever-changing business and legal risks in the context of the high performance required by internal and external stakeholders. They articulate “a point of view and approach to business that helps organizations reliably achieve objectives while addressing uncertainty and acting with integrity.”

The biggest problems that they identify are issues of loss of cohesion and insular nature of a management and reporting system between business units within an organization. For instance they point to a wide variety of disciplines within a company, such as “as governance, finance, production, and sales to adjunct areas like performance management, risk management, internal control, compliance, and audit” which must use the same data but often never share the results with each other. The authors posit that a more holistic approach is required and this “can only be achieved by integrating and orchestrating information and functions that, in many organizations, are fragmented and siloed. Then, these integrated capabilities must be supported with strong communication, effective technology, and development of the desired ethical culture.”

Coupled with the article and illustrated framework is a roundtable discussion led by Switzer of several leading compliance practitioners and thought leaders. The participants included Brian Barnier, Principal at ValueBridge Advisors; Paul Liebman, Chief Compliance Officer (CCO) at the University of Texas; Tony Miller, Chief Operating Officer (COO) and Partner at The Vistria Group and Michael Rasmussen, Principal and Chief GRC Pundit at GRC 20/20 Research LLC. Switzer asked them the basic question of how does one get started in such an initiative for a company? Barnier believes that, in large part it is about messaging by “treating it as a business initative to drive profitable revenue and risk-adjusted return” as opposed to “yet another compliance task to achieve while cutting cost.” Liebman focused on the ‘why’ he changed when he noted, “true change depends upon three things: a profound sense of discomfort in the current condition, a vision that things could be better, and a plan to get there. I think the first step is therefore to assess and explain the current level of discomfort—i.e., what is wrong and why.” Moreover, he believes that it is important to “have a vision of the direction you want to go and plan accordingly.” Finally, he said that “Focus on structure and process so that you are constantly moving forward. Slow, incremental but sustainable change in the right direction is far more important than quick, substantial but unsustainable change. Slow, incremental and sustainable change happens by taking advantage of pre-existing organizational processes and mental models that are already working well. Don’t force new or redundant processes but, rather, seek to understand how others are thinking and acting and explain how your vision is really just a logical extension of what they are already trying to accomplish.”

Miller took a somewhat different approach when he said that “Principled performance needs to be part of the culture, reflected in the strategy, and embedded in an organization’s operating systems and processes.” To accomplish this he listed three steps, “(1) the chief executive officer and the senior executive team explicitly acknowledging that this is an important problem that must be addressed; (2) establishing clear metrics and goals for improvement; and (3) assigning point accountability at the executive team level for developing and “owning” the process that will enable the organization to meet the principled performance goals.”

Switzer asked the participants if they could point to situations where there has been a failure to interconnect the various functions of GovernanceRiskCompliance (GRC) which has led to catastrophic consequences. Miller pointed to the siloed nature of the financial services industry when he said, “That’s why we’ve seen significant breaches in the financial services industry with excessive risk taking by traders, the mortgage services industry in lax and exploitive underwriting practices, and the education services industry with overly aggressive student recruitment practices.” Liebman pointed to that well known risk area under the Foreign Corrupt Practices Act (FCPA) by noting, “Third-party relationships are an example where disparate processes and strategic goals can lead to significant non-compliance, waste, and surprise. For example, companies often create a business strategy at a high level and then ask others to implement the strategy with little or no oversight or structure… Accordingly, when a problem surfaces creating a bad reality, such as bribery in the supply chain, and expectations were set too high, the result is significant unhappiness for stakeholders.” Barnier focused on the management of risk without coordination due to the insular nature of management and reporting systems when he observed, “Much of this results from typical silo behavior—especially when reinforced by a control culture with its usual compartments that diminishes individual engagement and end-to-end views. Principled performance, with its focus on outcomes, brings together a range of decisions and activities to improve the likelihood of achieving those objectives.”

While some might find it interesting that the notorious “Bad Boys” of the NBA can teach the compliance practitioner a thing or two, it is clear that their General Manager (GM) Jack McCloskey had a plan in mind when putting the pieces of the team together. That team then had to be molded together and tested. This real world example would seem to be what Rasmussen said when he summed up his views by stating, “A mature GRC program will have an integrated strategy, process, information, and technology architecture that brings efficiency, effectiveness, and agility to GRC across the business and aligned with the business.”

If you have a team left in the NBA playoffs, good luck. Otherwise I hope that you will back me in supporting the Spurs yet again.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

More Lessons From Workplace Safety for the Compliance Practitioner

I have long believed that the compliance discipline has quite a bit to learn from the area of safety in the workplace. This is not only because I believe that the changes in corporate attitudes about safety presage many of the current debates about how to ‘do compliance’ but also because many of the processes and procedures that a safety professional utilizes can be translated into a process for the compliance professional. In a recent Compliance Week article, entitled, “Risk-Management Lessons From The Depths” Richard M. Steinberg reviewed the newly released book Trapped Under the Sea, by Neil Swidey, which is about a catastrophic accident that occurred during the construction of a waste treatment plant in Boston Harbor.

Steinberg’s article focused on the risk management issues, which led to the deaths of men working on a tunnel, dug far beneath Boston Harbor that transported waste out to sea before its release. Steinberg began by looking at the pre-operation factors which laid the “seeds of disaster” leading to the tragedy. (1) There were tight deadlines to be met, “with a federal judge ready to impose huge fines and penalties if they were not”; (2) An inexperienced executive director of the governmental water resources authority overseeing the project, who was suffering from a stress condition his doctor said was off the charts, who was most critically “clearly intimidated by the prime contractor’s chief executive”; and (3) The prime contractor was already in the red on the project, behind schedule and incurring millions of dollars in penalties, rising every day.

With the project, and many jobs on the line, the stress level on the management team grew. Swidey noted that as “organizational behavior research shows that, “As trust levels go down within a group, group members’ creativity and willingness to seek new options also decreases. When intense time pressures are added to the mix, opposing sides tend to become even more fixed in their positions, relying more on cognitive shortcuts. They’re unable to work collaboratively to solve a problem because they have become locked in an adversarial contest: if you win, I lose.”” The actual planning of the key event which led to the catastrophic failure “fell to sub-contractors, with two men calling the shots: Roger Rouleau, who relied on the technical capability of the other man he was to oversee, Harald Grob. The subs needed to please the prime contractor, or risk ruin. Ultimately, those overseeing the project ended up relying on these two men to make some critical final decisions.” As Steinberg noted, “although there was a major general contractor, several sub-contractors, the governmental water resources authority, and the Occupational Safety and Health Administration involved, with a number of smart and seasoned people, the key decisions were left to one sub-contractor, who wasn’t even properly supervised by his boss.”

Steinberg said that the post accident analysis discovered the following:

• There were a series of small, bad decisions, none of which on its own would have been enough to produce a disaster, but together elevated risk to new heights.
• There was a dangerous cocktail of time, money, stubbornness, and frustration near the end of an over-budget, long-delayed project. The major players desperately needed the project to be concluded. They closed their eyes and hoped the plan made sense.
• Serious failings tend to happen late in projects, when confidence runs high and tolerance for delay dips especially low.
• Another factor at play here is EQ, or emotional quotient, which is differentiated from IQ. EQ is the ability to read, process, and manage the emotions of people around you, as well as your own.
• Executives with real authority put a higher value on Grob’s “fresh eyes and can-do attitude” than on their own intimate knowledge of the project and common sense. And doing so afforded them distance from the risks associated with the project.
• It turns out there was a much safer and better approach that wasn’t even considered until much later. Why? The battling parties became so fixed in their positions they could no longer trust the other side’s intentions. They fell prey to the “availability bias” where decisions are based on what was most available to them—in this case, Grob’s plan.

For the anti-corruption practitioner, the lessons from this disaster and Swidley’s book are myriad. Beyond the simple ‘just get it done’ prescription that a Chief Compliance Officer (CCO) often hears about business deals are some clear and direct markers. The first and foremost is that when something is high reward, there is generally a high risk involved. In the case of the Boston Harbor disaster, the high risk was the technology used to supply air to the men working in the tunnel that collapsed, however it had never been adequately tested. In fact the technology was not even understood.

From this the next lesson is to always understand the complete parameters of the transaction. If a party’s role is not set out or well explained, you must make the appropriate inquiries to determine the role. If you have a third party, you should know its role and that role should be specified in its contractual duties so that any compensation payable to the third party can be assessed against some type of standard.

If someone will not answer the direct questions that you pose, you need to have the authority to get those answers. The sub-contractor involved, Grob, refused to brook any criticism of his clearly outlandish plan by refusing to even answer questions about it. Steinberg wrote, “Grob’s bristling when the men raised concerns about his plan, and stressing his rank in the organization chart, made matters much worse.” This means, as a compliance professional, if you cannot get the necessary answers, you have to be able to say No.

As a project moves towards its end, it sometimes takes on a life of its own, which seems to have happened here. This is the time that a compliance professional must remain ever vigilant; dotting every ‘i’ and crossing every ‘t’, to make certain that the company’s internal compliance protocols are followed. As Steinberg noted, “The more people do something without suffering a bad outcome, the harder it becomes for them to remain aware of the risks associated with that behavior.”

I have previously written that there are many lessons to be learned by the compliance discipline from the field of workplace safety. While I still believe that the biggest lesson is that an entire corporate culture can change, just as I have seen safety now become priority Number 1 in the energy industry; there are significant process lessons to be garnered from the study of catastrophic safety system failures. Steinberg’s article and Swidey’s book make an excellent starting point.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

Risk Assessments in an Anti-Money Laundering Compliance Program

Today we celebrate that noted British comedian who made his fame in America – Bob Hope.  He had a successful film career largely thanks to the series of seven “Road” movies he made with Bing Crosby and Dorothy Lamour, including Road to Singapore (1940), Road to Morocco (1942), Road to Utopia (1946) and Road to Rio (1947). Hope is also known for his entertainment of US military forces overseas. In 1941, after America’s entrance into World War II, Hope began performing for US troops abroad; he would play shows for more than a million American servicemen by 1953. Some 65 million people watched him perform for troops in Vietnam on Christmas Eve in 1966, in his largest broadcast. Hope also became a legend for his countless TV specials, which he would perform over the course of some five decades. He hosted the Academy Awards ceremony a total of 18 times, more than any other Oscars’ host.

What does Bob Hope have to do with compliance? First he was a comedian and second he reinvented himself several times. The anniversary of his birthday reminded me of an article written by Carole Switzer, the co-founder and President of the Open Compliance and Ethics Group (OCEG), for Compliance Week Magazine entitled “Analyze This: The Value of Business Risk Assessments.” In her article, one in a continuing of her series of GRC Illustrated articles, Switzer says that anti-money laundering (AML) compliance programs, like therapy are “difficult to define and relatively easy to avoid.” She quoted Larry David, co-creator of Seinfeld and creator of “Curb Your Enthusiasm” for the following thought on therapy, “I know enough about myself now to know that I really don’t need to know anymore.” Unfortunately, as Switzer notes, many companies have the same problem when it comes to their AML programs.

Switzer discusses a recent report by the UK Financial Services Authority (FSA) which highlighted four general reasons that UK banks failed to have effective AML programs. The same four reasons hold true for non-banking sector US companies in the area of AML.

(a) Denial. The FSA reported that one-third of the banks “failed to review their business-risk assessment program on a regular basis. Additionally, about one-third of the companies scrutinized also failed to alter their risk assessments in response to new developments and insights, such as when allegations of major corruption were levied against a customer or when a country’s risk profile spiked due to regime change.”

(b) Grandiose delusions (imagine a bank with grandiose delusions!). The FSA found that too many “customer-facing “relationship managers” could override customer risk scores produced by the risk-assessment program—without sufficient evidence to support the decision to disregard the score.”

(c) Borderline suspicious. Bank personnel did not understand how the AML risk assessment was generated and indicated that they were “confused” regarding what score indicated that a customer was a high risk.

(d) Avoidance coping. The FSA noted that institutions “inappropriately low risk weightings for high-risk factors, “sometimes overtly”; while “other banks chose to ignore well-known high-risk indicators and other adverse information from a variety of sources, “such as links to certain business activities commonly associated with higher levels of corruption.”

Fortunately Switzer laid out her thoughts on what an effective business risk assessment program should contain. From this risk assessment, you can identify where your company should focus its AML resources, determine how changes might affect your company, and where your program may need enhancement. She is quite clear that without an effective risk assessment, “your AML program will be inefficient as well as ineffective.” She sets our five steps to take.

1. Define the Risk. Switzer says that “At the forefront of any good business risk assessment program is an executive vision. The executive sponsorship must ask themselves diffi­cult, critical questions.” This is largely because while there are certainly known risks to a business there are also risks you and your company may not be aware of so it is important to define what you know but leave it flexible enough to cover the unknown when it becomes known to you. Switzer lists some of the questions that you might begin with, which include: What are the inherent risks in our current business? What controls do we have in place? How much risk, after the business risk assessment process is instituted, remains? Should we close business locations? Should we add additional controls? Should we put spending restrictions in place? Are other industries at the same level of risk?
2. Gather Intelligence. In this step, after executive sponsorship has set the strategy in motion, you must gather intelligence to truly understand the exposure across the organization’s products, services, and customer base. The AML team should consult local business and compliance leaders to gain key insight. The specific steps include: (1) Develop the business risk assessment questionnaire. (2) Determine what controls are currently in place. (3) Review the external risk. (4) Understand the magnitude of each risk factor. (5) Gather and normalize all data for review.
3. Review the Findings. Once a full business assessment has been conducted and all the data collected, a full analysis of the data is performed at multiple levels. The overall picture of risk is reported to business line, regional leaders, and enterprise leaders. Switzer’s specific steps include (1) Creation of full evaluation reports of all measured data. (2) Involve AML staff, regulators, and critical business leaders in your review. (3) Utilize external, unbiased consultation to determine product and service risk for remediation.
4. Decide How to Proceed. Switzer advises that after you come to an understanding of your exposure and risk, your vision has been set, and you have gathered data and reviewed it, you can set a course to move ahead. However, she cautions that “continual review of the plan’s impact on the business, even at this stage, is critical.”
5. Implement the Plan. At this final step, after your company has defined its strategy, determined, by measurement, the exposure to AML risk, understood and evaluated the areas of potential risk and then “determined a path to accept, resolve and eliminate, it’s time to go to work setting the plan into motion—however, just because you are now implementing doesn’t mean you can relax. Constant scrutiny, learned best practices, and ongoing monitoring are critical.”

Switzer concludes by stating that “Risk assessment programs must evolve quickly as risks and crimes do. Building in a good system of correction and monitoring that can flex with your organization is critical.” So just as Bob Hope reinvented himself as the tastes of society changed, your risk assessment should be a “living, breathing process.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

Board Responsibility under the FCPA – A Herculean Task?

The nightmare of every corporate director is to wake up to find out that the company of the Board he or she sits on is on the front page of a national newspaper for alleged illegal conduct. This nightmare came true for the Directors of Wal-Mart when the New York Times (NYT), in an article entitled “Vast Mexico Bribery Case Hushed Up by Wal-Mart After Top-Level Struggle”, alleged that Wal-Mart’s Mexican subsidiary had engaged in bribery of Mexican governmental officials and that the corporate headquarters in Bentonville, Arkansas, had covered up any investigations into these allegations.

I.                   Legal Standard

What are the obligations of a Board member regarding the US Foreign Corrupt Practices Act (FCPA)? Are the obligations of the Audit Committee under the FCPA at odds with a director’s “prudent discharge of duties to shareholders”? Do the words prudent discharge even appear anywhere in the FCPA? Under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The US Department of Justice (DOJ) Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program?; and (2) Are Directors provided information sufficient to enable the exercise of independent judgment?

As to the specific role of ‘Best Practices’ in the area of general compliance and ethics, one can look to Delaware corporate law for guidance. The case of Stone v. Ritter holds for the proposition that “a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate exists.” From the case of In re Walt Disney Company Derivative Litigation, there is the principle that directors should follow the best practices in the area of ethics and compliance.

Board failure to heed this warning can lead to serious consequences. David Stuart, a senior attorney with Cravath, Swaine & Moore LLP, noted that FCPA compliance issues can lead to personal liability for directors, as both the Securities and Exchange Commission (SEC) and DOJ have been “very vocal about their interest in identifying the highest-level individuals within the organization who are responsible for the tone, culture, or weak internal controls that may contribute to, or at least fail to prevent, bribery and corruption”. He added that based upon the SEC’s enforcement action against two senior executives at Nature’s Sunshine, “Under certain circumstances, I could see the SEC invoking the same provisions against audit committee members—for instance, for failing to oversee implementation of a compliance program to mitigate risk of bribery”.

II.                When Things Get Bad

While generally the role of a Board should be to keep really bad things from happening to a Company, once really bad things have occurred the Board needs to take charge and lead the effort to rectify the situation or perhaps even save the company. While giving oversight to risk management through an Audit Committee or a Compliance Committee is a good first step, such a committee needs to have sufficient independence from the management which got the company into such hot water.

In a recent White Paper entitled “Risk Intelligence Governance – A Practical Guide for Boards” the firm of Deloitte & Touche laid out six general principles to help guide Boards in the area of risk governance. These six areas can be summarized as follows:

• Define the Board’s Role – There must be a mutual understanding between the Board, Chief Executive Officer (CEO) and senior management of the Board’s responsibilities.

• Foster a culture of risk management – All stakeholders should understand the risks involved and manage such risks accordingly.
• Incorporate risk management directly into a strategy – Oversee the design and implementation of risk evaluation and analysis.
• Help define the company’s appetite for risk – All stakeholders need to understand the company’s appetite, or lack thereof, for risk.
• How to execute the risk management process – The risk management process must maintain an approach that is continually monitored and had continuing accountability.
• How to benchmark and evaluate the process – Systems need to be installed which allow for evaluation and modifying the risk management process as more information becomes available or facts or assumptions change.

All of these factors can be easily adapted to FCPA compliance and ethics risk management oversight. Initially, it must be important that the Board receives direct access to such information on a company’s policies on this issue. The Board must have quarterly or semi-annual reports from a company’s Chief Compliance Officer (CCO) to either the Audit Committee or the Compliance Committee. This commentator recommends that a Board create a Compliance Committee as an Audit Committee may be more appropriate to deal with financial audit issues. A Compliance Committee can devote itself exclusively to non-financial compliance, such as FCPA compliance. The Board’s oversight role should be to receive such regular reports on the structure of the company’s compliance program, its actions and self-evaluations. From this information the Board can give oversight to any modifications to managing FCPA risk that should be implemented.

There is one other issue regarding the Board and risk management, including FCPA risk management, which should be noted. It appears that the SEC desires Boards to take a more active role in overseeing the management of risk within a company. The SEC has promulgated Regulation SK 407 under which each company must make a disclosure regarding the Board’s role in risk oversight which “may enable investors to better evaluate whether the board is exercising appropriate oversight of risk.” If this disclosure is not made, it could be a securities law violation and subject the company, which fails to make it, to fines, penalties or profit disgorgement.

III.             What the Board wants to know from compliance

In an article in the May issue of Compliance Week Magazine, entitled “What the Board Wants to Know from Compliance”, author Joe Mont explored some of the issues he believes that a Board will want to know about their company’s compliance program. Mont quoted Michael Bramnick, senior knowledge leader for LRN, who said, “Boards really only want an answer to the question: ‘How do we know it is working?’ In other words, is a company’s compliance program living “up to the hallmarks of an effective compliance program in the eyes of the government.”

A.     Questions About Process

Mont believes that Boards should “want more information on the processes to carry out the compliance function, rather than details on specific compliance issues”. He quotes Dennis Beresford, professor of accounting at the University of Georgia’s Terry College of Business, for the following “Boards want to know that there is a single individual or project management office keeping track of all this stuff and making sure that it is being handled properly. They want the comfort of knowing that there is a system in place that keeps track of compliance requirements.”

B. Questions About Internal Reporting

Another area of Board interest is compliance hotlines. In this area, Mont believes that Boards desire “to know details about who answers the calls or e-mails that come in, how they are trained, if the process is outsourced, and assurances that the hotline is truly anonymous, with no use of caller-ID or GPS tracking. Other common questions from the board include: How are calls classified and routed? Who gets notified for what types of calls? How is the investigative process divided among various functions?” If the company hotline is used, this may show that “employees are comfortable enough to speak up and that, when they do, about good things or bad, they are listened to, there is follow-up, and trends are evaluated and reported back to them.”

C. Questions About Accountability

Responsibility is yet another topic that Mont believes Boards need to stay abreast on as “directors want more details on who’s responsible for what. Boards want assurance that the compliance function has developed a charter that makes it clear to them where obligations fall across management so it can assess accountability.” He quotes Bramnick who stated that “Effective boards let management do their job running the business on a day-to-day basis, and they understand that their job is to set long-term strategy,” he says. “It is not for them to be looking at every contract.”

D.  Questions About Strategic Planning

Jaclyn Jaeger, writing in the December 2011 issue of Compliance Week Magazine, in an article entitled “Board Checklist: What Every Director Should Know”, wrote about a panel discussion at the Association of Corporate Counsel’s 2011 Annual Meeting. In the article she quoted panel participant Amy Hutchens, General Counsel and Vice President of Compliance and Ethics at Watermark Risk Management International, on the need for strategic planning by the Board. Hutchens believes that “a truly effective and informed board knows where the company stands not only at the present moment, but also has the strategic plan for how the compliance and ethics program can continue to grow.” Similarly, Stephen Martin, a partner at Baker and McKenzie, suggests that such knowledge is encapsulated in a 1-3-5 year compliance game plan. However, a compliance program should be nimble enough to respond to new information or actions, such as mergers or acquisitions, divestitures or other external events. If a dynamic changes, “you want to get your board’s attention on the changes which may need to happen with the [compliance] program.”  Hutchens believes that such agility is best accomplished by obtaining buy-in from the Board through it understanding the role of forecasting the compliance program going forward.

Mont quoted Bramnick that “Boards have really a Herculean task in today’s regulatory climate.” But more than simply the regulatory climate, shareholders are taking a much more active role in asserting their rights against Board members. It is incumbent that Boards seek out and obtain sufficient information to fulfill their legal obligations and keep their company off the front page of the New York Times, Wall Street Journal or Financial Times, just to name a few, to prevent serious reputational damage.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

Getting Employees to Care About a Compliance Policy

Putting a compliance policy into practice is not something that most companies do very well. How do you get buy-in for a new or amended compliance policy? How do you determine if a new compliance policy contradicts anything that you currently have in your compliance policy portfolio?

When thinking about such questions regarding compliance policies I am reminded of four questions posed by Stephen Page, in his book “Achieving 100% Compliance Of Policies and Procedures”, wherein he poses the following questions: (1) What is the nature of the policies owner’s function? As these are compliance policies, they are critical to a company doing business in compliance with relevant anti-corruption/anti-bribery laws such as the Foreign Corrupt Practices Act (FCPA) and UK Bribery Act. (2) What is your organization’s overall vision and mission? This question speaks to management’s commitment to doing business ethically and in compliance with legal requirements. (3) What is the content of the policies? This speaks to the connection of the policy goals with other incentives, such as compensation and promotion. (4) What is your company’s receptivity to the policy? This question speaks to training and communication so that employees will understand not only the underlying reason for the policy but drive adherence to the policy.

These and other questions were explored at the recently concluded Compliance Week 2013 event in a session entitled “Case Study: Putting Policies into Practice at Dell”. Kristi Kevern, Director of Operational Compliance and Page Motes, Director, Strategic Programs Office – Global Ethics & Compliance from Dell Corporation, were the two panelists for the event. Kristi discussed how Dell overhauled its entire compliance policy management program and I will discuss her remarks in a later blog. Motes does not come from a compliance background but came from business development. I found her perspective quite different from the usual compliance perspective. From where she sits, she recognizes the need to internally market a new compliance policy; however this marketing plan must begin at the inception of a compliance policy and not after it has been drafted.

Motes said that it is incumbent to obtain buy-in from the business units before a compliance policy is drafted because, after all, it is the business units which will implement a compliance policy. This begins with a business unit sponsor who should have ownership of any new compliance policy. After the initial draft is made, it should be circulated to make sure that the compliance policy is workable and that it is translated from legalese (or accounting-ese) or other technical jargon into plain English. She said that is one of her key roles.

The next step is the internal market. Here Motes believes that a key is to move away from words such as ‘ethics’ to words that denote behaviors. She said that her group would talk about trust, honesty, respect, judgment and responsibility. After rollout the compliance group must train on the new policy and then monitor to ensure that it is followed. Finally, there must be some consequences to an employee if they are trained but fail after multiple warnings to follow a policy.

I thought about Motes’ ideas when I read a recent article in the June issue of Fast Company magazine, entitled “Starbucks’s Leap of Faith” which discussed the company’s rollout and approach to innovation. One of the examples in the article was when Starbucks rolled out its mobile application to allow customers to pay through their smart phones. The company worked with staff on proto-types, then trained and followed up with interviews to determine how the new system was working. Recognizing that there were technical glitches to overcome, the company persevered. Ryan Records, Vice President of Payments, was quoted as saying “it became seamless and flawless and an elegant way to pay” and that payment method now accounts for roughly 10% of the company’s total pay each day.

The Starbucks story drove home to me the key message from Motes. You must work with the business units to operationalize any policy. While it is true that a compliance professional will be the subject matter expert on the requirements of what should go into a compliance policy, but it is equally important on how that information is imparted and getting employees to care about the policy. Page puts it in a slightly different light. He said “From a systems viewpoint, it is often the organization’s infrastructure, and not its people, which is rigid and inflexible, often leading to angry and frustrated employees. If people cannot approach problems, talk openly, or give opinions, then this prevailing attitude can cause withdrawal and people who do not care. The clearer the tie between what an organization is doing and the results, the more energy, commitment, and excitement they will generate during a change process.” I think the latter sentence is what you need to strive for in the realm of compliance policies.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

Edgar Allen Poe and Innovation in the Compliance Function

Tomorrow, April 20 is the anniversary of a truly innovative work of literature. On April 20, 1841, Edgar Allen Poe’s story, The Murders in the Rue Morgue, first appeared in Graham’s Lady’s and Gentleman’s Magazine. The tale is generally considered to be the first detective story. The genre is distinctive from a general mystery story in that the focus is on analysis. The story describes the extraordinary analytical powers used by Monsieur C. Auguste Dupin to solve a series of murders in Paris. The character of Dupin became the prototype for many future fictional detectives, including Arthur Conan Doyle’s Sherlock Holmes and Agatha Christie’s Hercule Poirot. Like the later Sherlock Holmes stories, the tale is narrated by the detective’s roommate. Poe biographer Jeffrey Meyers sums up the significance of “The Murders in the Rue Morgue“: “[it] changed the history of world literature.” Poe’s role in the creation of the detective story is reflected in the Edgar Awards, given annually by the Mystery Writers of America. For both myself and the many worldwide fans of Sherlock Holmes, we owe a tip of the hat to Poe for inventing the genre.

As Poe demonstrated, innovation can come in many forms. Earlier this week I wrote about some of the innovative ways that Joel Katz, of CA Technologies, had improved his company’s compliance function. In this post, I will discuss how Katz was able to increase the participation of business leaders into the doing of compliance. He did so by the creation of ‘Regional Business Ethics Councils.’ I found the CA Technology creation and use of these Regional Business Ethics Councils as an innovative approach to help move compliance into the company’s DNA in a robust manner.

The Regional Business Ethics Councils are designed to “largely serve as a communication vehicle between our corporate compliance team in the United States, business leaders, and employees.” These Regional Business Ethics Councils were created in the company’s three major geographic regions which consisted of the Americas, Europe and the Middle East (EMEA) and Asia-Pacific (APAC). Each Regional Business Ethics Council is comprised of six to eight senior business leaders from each part of the company’s functional business, including legal, finance, HR, sales, development, administration, and others. The Regional Business Ethics Councils meet quarterly.

Katz believes that the Regional Business Ethics Council members play a critical role with compliance messaging to employees in their respective regions. Their meetings are used to “discuss current compliance issues and internal and external trends, significant legal or regulatory changes that impact the business, and upcoming compliance initiatives.” This structure allows the company to be more nimble and be in a position to respond more quickly to different external issues that may arise and impact the compliance function.

CA Technologies also uses the Regional Business Ethics Councils as a mechanism to “solicit feedback from the business on the current business environment, any concerns the business leaders may have about our business or our compliance program, and any other issues they wish to discuss.” One of the constant challenges for employees is getting foreign employees to trust and communicate with the compliance function. The Regional Business Ethics Council can provide another route by which information and concerns can be conversed up to the compliance function.

Katz acknowledged that the level of engagement of the individual council members varies from both person to person and Regional Business Ethics Council to Regional Business Ethics Council. Nevertheless, the company has found that the Regional Business Ethics Council initiative “has succeeded in creating more visibility into the compliance function for company business leaders and more visibility into the global business for our compliance team.” Additionally, the Regional Business Ethics Councils can assist the compliance group by focusing on issue-spotting and awareness-raising within their specific region. Katz believes that this is helpful because it “is consistent with our belief that if we can get people talking about compliance and asking questions, we can address most issues long before they become compliance problems.”

Katz ended his article by explaining that at CA Technology “compliance training and communication plan is and will always be a work in progress” which he believes is appropriate for “every organization, as such organizations and legal and regulatory landscapes will undoubtedly evolve and change over time.” His article helps to drive home the message that a company “should examine its plan at least annually to ensure it is still viable and continually look for opportunities to improve it. This iterative approach to training and communication will help ensure that messages are being heard, understood, acted upon and appreciated by your employees.”

I have often written about the need for some type of management oversight above the compliance function which sits below a company’s Board of Directors. The CA Technology approach of using the Regional Business Ethics Council provides another level of engagement by corporate functions. But just as a Regional Business Ethics Council can be used to communicate from areas outside the US back to the corporate headquarters, the Council structure allows the compliance function to communicate back into the regions. I believe that this can help companies to communicate the importance of compliance more thoroughly and more effectively throughout an organization.

Lastly, one of Katz’s themes is to help the company employees understand that compliance is there to help them do work business more efficiently and at the end of the day in a manner more consistent with the company’s overall ethical values. I believe that the use of the Regional Business Ethics Council program can be a key way to demonstrate this commitment to employees. I would suggest that this type of program may be something that you should consider for your company.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

Got 20 Minutes? Spicing Up Compliance Training

How can you create or revise your compliance program? One of the first steps you should take is to devise an action plan. A recent article in the March edition of the Compliance Week magazine, entitled “Putting Together an Action Plan for Compliance”, Joel Katz, the Chief Ethics and Compliance Officer (CECO) for CA Technologies, wrote about his experiences in updating the company’s compliance training program.

He said that after the company had gone through a compliance investigation, it created a “best-in-class” compliance program. However, after a few years of intensive training and continued corporate reminders about compliance, the employees began to suffer from ‘compliance fatigue’. Katz decided it was time to come up with a way to determine what was working and what was not working regarding the company’s compliance program in the “eyes of the employees”. To facilitate this Katz literally went around the CA Technology world listening to employees, both in focus groups and individually, about what they thought was working and what they thought did not work. He found that the company’s managers and employees generally had the same four critiques, which were:

1. The compliance training was ineffective; it was too long, often too esoteric, and very often not helpful to employees because it did not relate to their core job responsibilities. Employees expressed a strong desire for training that was more engaging and relevant to their jobs.
2. Employees wanted live training but in their local language. Although most employees are fluent in English, many expressed the desire to be trained in the local language to ensure that nothing was getting “lost in translation.”
3. There was a lack of understanding regarding the role of the compliance group within the company. Both employees and managers at all levels felt that the compliance organization was a bit of a mystery to them – they did not fully understand what the compliance organization did on a day-to-day basis and felt that they lacked any real visibility into the types of compliance issues that the company was encountering.
4. At times compliance seemed liked the ivory tower as employees also felt that messaging around compliance was, at times, either condescending or written in a way that made it appear that the company did not trust its employees.

I found Katz’s responses to the training critiques very interesting and had some components that you may wish to incorporate into your program. CA Technologies decided to ditch all outside vendors for training and put it on using internal resources. The company also “made a conscious choice to focus our compliance training energies on issue spotting and awareness-raising, rather than on in-depth subject matter expertise” which was done for two reasons. First, the company did not believe that employees were retaining the information being covered in courses that attempted to deliver in-depth learning. Second, by “Focusing on issue-spotting and awareness-raising is consistent with our belief that if we can get people talking about compliance and asking questions, we can address most issues long before they become compliance problems.”

To make the training more real and more entertaining, the company began to use examples of “compliance related transgressions” demonstrated by the fictional character “Griffin Peabody” in courses and awareness campaigns. The company also used this character in company training videos that its employees starred in as participants. To help with the logistics of training, the compliance department enlisted the CA Technology law and HR departments to assist in putting on the training. Interestingly, compliance did not specify to the trainers how to put on the training, instead they gave them the flexibility to put on training in variety of ways such as ‘lunch-n-learns’ or other less formal training. But here is the real kicker – Katz “issued a mandate that no compliance course would take longer than 25 minutes to complete. We would rather have two 20 minute courses than one 40 minute course. Our experience has been that even the most interested audience begins to fade after about 20 minutes.”

To help de-mystify the role that the compliance function had in CA Technology, the group published “a quarterly newsletter called “Walk the Talk.” Each newsletter includes profiles of real-life, company compliance cases and quarterly compliance statistics (including the number of compliance cases by geographic region with a comparison from the prior year, as well as a breakdown of the types of compliance issues we are addressing, such as fraud, conflicts of interest, and others).” Katz noted that the names were removed to protect the innocent and guilty but that the company did “provide comprehensive descriptions of the compliance issues and how the issues were resolved (in many instances, employees were either disciplined or dismissed).” What Katz found was that CA Technology employees said that “they particularly liked reading the real-life cases and learning about how the company resolved these cases. Not all compliance officers agree with providing this level of transparency to employees, but our experience has been, thus far, very positive.”

In the article, Katz admitted that the compliance group “might, on occasion, come off as sounding a bit “preachy” to employees when discussing certain compliance issues”. To address this issue, the compliance team worked with the company communications team and the company’s global leadership team to “help ensure that our messaging has the right tone to effectively resonate with our employees. We strive to create communications that are engaging and easily understood by all employees.” With this assistance, Katz believes that the compliance group ensures “that we take the time to focus on how we are messaging things to our employees and this has helped improve employee perception about the compliance function.”

Katz’s article had several salient points around training for the compliance practitioner. His change in focus of the company’s compliance training from the subject matter expertness to issue raising awareness is something that certainly resonates with me. Employees can be your first and, many times, best line of defense from a compliance issue becoming a full bore Foreign Corrupt Practices Act (FCPA) or other legal violation. Giving them to tools to know when and how to raise their hand when something does not make sense is more important than droning on about the elements of a FCPA violation. Also the CA Technology methods for delivering compliance training are quite innovative but in many ways very cost effective. By moving the training in-house and allowing the trainers to determine how to deliver the training, you can obtain greater buy-in and participation. Lastly, how many of you out there put on training for only 20 minutes? Do you think that would make your employees sit up and take notice, if not smile, if they could get their compliance training in 20 minute increments?

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

Compliance Week Needs Your Help!

Calling all FCPA and anti-corruption enthusiasts, Compliance Week needs your help! Compliance Week and Kroll Advisory have teamed up to undertake a major survey on corporate anti-corruption programs, and are asking compliance executives to participate.

The survey itself—the 2013 ‘Global Anti-Bribery Benchmarking Report’—can be found here:

http://surveys.harveyresearch.com/se.ashx?s=0D146E2D11F8D225

The survey should take no more than 20 minutes to complete. It asks about the bribery risks you have, procedures you use to train employees and vet third parties, the size of  your compliance team, and more. Rest assured, all submissions will be secure and anonymous (even Compliance Week won’t know who submits what specific results). The deadline to submit information is end of business on Friday, March 15.

Results of the survey will first be presented at the Compliance Week 2013 annual conference in Washington, May 20-22 (www.ComplianceWeek.com/conference), and later published in a special supplement of the Compliance Week magazine.

It’s no secret that finding good, reliable benchmarking data on compliance programs is no easy task, so do please help by participating. Anyone with questions can contact Compliance Week editor Matt Kelly at mkelly@complianceweek.com.