Why the 2024 ECCP Update is a Game-Changer for Compliance

In the DOJ’s 2024 update to the Evaluation of Corporate Compliance Programs (2024 ECCP), compliance professionals face new expectations that could reshape how we approach compliance programs. In this latest update, the DOJ strongly emphasizes data-driven insights, focusing on compliance culture, employee engagement, and organizational trust. This means that compliance programs must now not only focus on policies and procedures but also prove that these practices are embedded into the company culture and yield measurable outcomes.

The implications of these new standards extend across every aspect of compliance, from audits to employee training and risk assessments. In this post, we’ll explore the key areas of the 2024 ECCP, discussing why the DOJ’s new focus on data and culture is significant and how compliance professionals can adjust their strategies to align with these expectations.

A New Focus on Data: The Backbone of Modern Compliance

One of the most critical shifts in the 2024 ECCP is the DOJ’s call for data-backed evidence of a company’s compliance culture. The DOJ now expects organizations not only to establish a culture of compliance but also to document and track its effectiveness over time. Compliance professionals are no longer tasked with simply implementing policies; they must now demonstrate that these policies have a real impact.

For example, it is no longer enough to state that employees are encouraged to report misconduct. Now, organizations must gather data to prove employees feel safe and supported when they report issues. This could include metrics such as hotline usage rates, anonymous survey responses, and feedback on trust in leadership. By collecting data on these and other elements, compliance teams can gain a clear understanding of how well the compliance culture is functioning.

The DOJ’s new data-driven approach means compliance professionals must focus on metrics that reflect the health of their programs. This might include engagement levels, response times for reports of misconduct, and employee feedback on how accessible and transparent compliance processes are. Tracking these metrics not only helps compliance teams spot trends and identify areas of improvement but also provides concrete evidence of a commitment to compliance that can be shared with regulators.

The Role of Culture Audits: A Window into Organizational Health

With the DOJ’s increased focus on culture, culture audits have become an indispensable tool for compliance professionals. A culture audit goes beyond policy checks and evaluates the organizational attitudes and behaviors that define the company’s ethical framework. This includes measuring employee engagement, trust in leadership, and perceptions around compliance practices. By regularly conducting culture audits, compliance teams can identify weaknesses, reinforce strengths, and monitor shifts in compliance culture over time.

A robust culture audit can answer the DOJ’s fundamental questions: Are employees engaged in compliance efforts? Do they feel comfortable reporting concerns? Do they trust that their leaders are committed to ethical behavior? For instance, if a culture audit reveals that only 60% of employees feel confident using the company’s whistleblower hotline, it clearly indicates that improvements are needed to make employees feel safe in reporting issues.

The data gathered from culture audits provides compliance officers with actionable insights that can be used to enhance training programs, increase communication around compliance expectations, and address gaps in trust or engagement. Additionally, regular culture audits help to create a benchmark, enabling organizations to track changes over time and prove to the DOJ that their compliance culture is consistently improving.

Practical Steps for Compliance Professionals

The 2024 ECCP serves as a roadmap for compliance professionals, outlining practical ways to elevate their compliance programs to meet new expectations. Here are some key steps that can help compliance teams align with these enhanced standards:

  1. Implement Regular Culture Audits. Regular culture audits provide a structured way to assess compliance culture and identify trends in employee engagement, trust, and ethical behavior. Compliance teams can establish a baseline and track improvements over time by conducting these audits at least annually. Regular audits also help identify areas where further training or communication may be necessary, ensuring that compliance culture remains dynamic and responsive.
  2. Prioritize Data Collection and Analysis. In the era of data-driven compliance, tracking and analyzing metrics is essential. Compliance teams should focus on data points that reveal insights into the effectiveness of their programs. This could include metrics on employee trust in reporting mechanisms, hotline usage rates, participation in compliance training, and overall engagement in compliance initiatives. By collecting and analyzing this data, compliance professionals can gain a comprehensive view of their program’s impact.
  3. Enhance Transparency and Communication. One of the DOJ’s central themes in the 2024 ECCP is transparency. Compliance professionals should ensure that employees at all levels understand the company’s commitment to ethical behavior and know how to access compliance resources. Regular communication on compliance issues, successes, and updates from leadership reinforces the importance of compliance culture and can help build trust among employees.
  4. Integrate Compliance with Performance and Incentives. Companies should align performance reviews and incentive structures with compliance goals to truly embed compliance into the organizational culture. For instance, recognizing and rewarding employees who demonstrate a commitment to compliance reinforces the message that ethical behavior is valued. This alignment also signals to employees that compliance is part of the path to career advancement and success within the organization.
  5. Document, Document, Document. If there’s one takeaway from the DOJ’s update, it’s the importance of documentation. In the DOJ’s eyes, if it’s not documented, it didn’t happen. Compliance teams should maintain thorough records of all culture audits, data findings, responses to feedback, and improvements over time. This documentation provides a clear data trail demonstrating ongoing efforts to strengthen compliance culture, which can be invaluable in a regulatory review or investigation.

Data Is a Game-Changer for Compliance Programs

The 2024 ECCP update is a milestone for compliance programs, marking a shift toward a more holistic, data-focused approach. By placing emphasis on data, the DOJ effectively requires companies to provide concrete proof of their compliance efforts, making it clear that ethical behavior is no longer just a set of policies—it’s a measurable, evolving part of the corporate culture. This represents a major change for compliance professionals, as they must now develop skills in data analysis, culture assessment, and strategic planning.

The DOJ’s increased focus on compliance culture and data-backed metrics aligns with the broader trend toward accountability and transparency in corporate governance. Compliance professionals who embrace this shift will be able to strengthen their programs, foster a more ethical workplace, and reduce their organization’s risk of regulatory scrutiny. By taking proactive steps to meet these new standards, compliance teams can also build trust with employees, investors, and regulators, creating a foundation of integrity that benefits the entire organization.

Turning Compliance into a Competitive Advantage

The DOJ’s 2024 ECCP update is not simply a set of new requirements but an opportunity for compliance professionals to elevate their programs, demonstrate value, and create a culture where ethical behavior is embedded into the organizational DNA. By focusing on data, conducting regular culture audits, and aligning compliance with incentives, compliance professionals can turn these new standards into a competitive advantage.

For compliance professionals, the ECCP update provides a clear framework for fostering a dynamic, responsive compliance culture that meets and exceeds regulatory expectations. By staying ahead of these changes, compliance professionals protect their organizations and position themselves as strategic leaders who understand the evolving nature of compliance. In an era where regulators demand proof of ethical culture, data is no longer just a tool; it is the future of compliance, and those who embrace it are setting their organizations up for long-term success.

FCPA Compliance Report – The 2024 ECCP on Data-Driven Culture and Engagement

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this edition, Tom Fox visits with Sam Silverstein on how compliance professionals should view the new DOJ mandate on using data to assess, manage, and improve corporate culture through data-driven compliance. The Culture Audit sponsors this podcast.

In this comprehensive discussion, Tom Fox and Sam Silverstein delve into the 2024 Update to the Evaluation of Corporate Compliance Programs (ECCP) by the DOJ. Released in September, this latest update emphasizes the importance of data analytics, culture, engagement, and trust in compliance programs. With a detailed breakdown of over 250 questions posed by the ECCP, Tom and Sam provide valuable insights on how companies can benchmark their compliance programs and prepare for potential investigations. They highlight the role of a culture audit in addressing the DOJ’s requirements, offering a detailed look into how organizations can measure and improve their compliance culture. This webinar educates compliance professionals on the latest DOJ expectations and provides practical tools and methodologies to enhance corporate compliance efforts.

Highlights in this episode:

  • Importance of Culture and Data Analytics
  • Leveraging Data for Compliance
  • Measuring and Improving Culture
  • Data-Driven Culture of Compliance
  • Understanding and Utilizing Culture Audit Data
  • Forward Steps for a Stronger Culture

Resources:

Culture Audit

Sam Silverstein and the Accountability Institute

Sam Silverstein on LinkedIn 

Supporting Whistleblowers: Lessons from Lon Chaney’s The Wolfman

Ed. Note: This week, leading up to Halloween, I will examine lessons for compliance professionals through the lens of the great Universal Movie Monsters: Frankenstein, Wolfman, Dracula, and The Mummy. Today, we use Lon Chaney’s original film version of The Wolfman. 

===========================================================

Of all the great Universal movie monsters, my favorite is found in the 1941 film The Wolfman. Lon Chaney’s portrayal of Larry Talbot offers more than just a classic horror story about a man who becomes a werewolf. It’s a tale of isolation, fear, and a struggle for survival in the face of an overwhelming and terrifying transformation. In short, it is the most psychological of all the Universal movie monsters. Much like a corporate whistleblower, Talbot finds himself caught in a situation where the truth is a burden, and no one wants to listen. Instead of being understood and supported, he is feared, rejected, and left to fend for himself.

For compliance professionals, The Wolfman provides a vivid metaphor for the journey of whistleblowers. Whistleblowers often find themselves isolated, facing potential retaliation, and struggling to navigate the consequences of their decision to report wrongdoing. In this post, we’ll explore how to create a culture that encourages whistleblowers to come forward, keeps them informed throughout the process, and protects them from retaliation, all through the lens of The Wolfman. We will also assess the 2024 Evaluation of Corporate Compliance Programs (2024 ECCP) and Nicole Argentieri’s commentary on these issues.

Creating a Safe Space: Encouraging Whistleblowers to Come Forward

In The Wolfman, Larry Talbot is plagued by the knowledge of his transformation, but he finds no one willing to help or believe him. He is trapped in his new reality, just as whistleblowers can feel trapped by the knowledge of corporate misconduct. The first step in supporting whistleblowers is creating an environment where they feel safe and encouraged to speak up.

The 2024 ECCP underscores the importance of building a culture where employees feel empowered to raise concerns without fear. It emphasizes the need for companies to proactively encourage internal reporting mechanisms, making it clear that the company values integrity and transparency. Compliance professionals must ensure that reporting channels are available, actively promoted, and trusted.

In her commentary on the 2024 ECCP, Nicole Argentieri highlights that one key element in encouraging whistleblowers is leadership’s tone from the top. Executives and senior management must demonstrate a commitment to ethical behavior, ensuring that whistleblowing is accepted and valued. Whistleblowers need to know that their reports will be taken seriously and their concerns will be addressed.

Talbot’s cries for help go unheard in The Wolfman, leading to disastrous consequences. In the corporate world, businesses must avoid this fate by ensuring whistleblowers are not ignored or dismissed. The 2024 ECCP recommends that companies provide multiple, accessible channels for reporting, including anonymous options so that employees feel comfortable coming forward regardless of their circumstances.

Transparency Throughout the Process: Keeping Whistleblowers Informed

Just as Larry Talbot struggles with the unknown and is left in the dark about his fate, whistleblowers often find themselves cut off after making a report. They may need clarification about what’s happening with their complaint, whether it’s being investigated, and the next steps. This lack of communication can discourage future whistleblowers and lead to feelings of abandonment.

The 2024 ECCP stresses the importance of maintaining open lines of communication with whistleblowers throughout the investigation process. Once a report has been made, it is critical to keep whistleblowers informed about the status of their complaint. This does not mean sharing sensitive investigation details but providing regular updates so that the whistleblower knows their concerns are being taken seriously.

Argentieri has echoed this sentiment, noting that one of the most common frustrations whistleblowers face is a lack of transparency after they come forward. She argues that compliance teams must ensure whistleblowers are not wondering what will happen next. A well-managed whistleblower program includes clear communication protocols that keep whistleblowers engaged and reassured.

In The Wolfman, Talbot’s inability to find answers drives him to despair. Businesses must avoid this by ensuring whistleblowers feel supported and heard throughout the process. Compliance officers should regularly touch base with whistleblowers, letting them know that their concerns are being addressed, that their identity is being protected and that appropriate actions are being taken.

Protection from Retaliation: Safeguarding Whistleblowers

One of the central themes in The Wolfman is Larry Talbot’s fear of being hunted and rejected. Similarly, whistleblowers often fear retaliation, whether in the form of termination, demotion, or ostracization. Protecting whistleblowers from retaliation is a legal obligation and a moral imperative that helps foster a culture of compliance and trust.

The 2024 ECCP strongly emphasizes retaliation protections. It advises that companies must have robust policies to prevent retaliation and provide clear avenues for whistleblowers to report any retaliatory behavior. This means more than just having a policy on paper—compliance teams must actively enforce these protections and monitor for any signs of retaliation.

Nicole Argentieri has weighed in on this issue, noting that while many companies claim anti-retaliation policies, enforcement can be lacking. She emphasizes the need for companies to create a system of checks and balances to ensure that retaliation does not occur, particularly in the form of subtle, indirect actions that might otherwise go unnoticed. Retaliation doesn’t always come as a formal firing—it can be a change in duties, exclusion from meetings, or a negative shift in workplace relationships.

In The Wolfman, Talbot becomes a hunted figure, chased down by those who fear and misunderstand him. In the corporate world, whistleblowers must never feel like they are being hunted or targeted for their decision to report misconduct. The ECCP advises companies to protect whistleblowers and offer additional support services, such as counseling, if needed, to help them navigate the emotional strain of coming forward.

Building a Culture of Trust and Integrity

The most important lesson from The Wolfman is the need for trust. Larry Talbot finds himself abandoned and isolated because the people around him refuse to trust his warnings. A strong compliance program must avoid this trap by building a culture of trust and integrity. Employees need to believe that they will be treated fairly, protected, and supported if they come forward with a report.

The 2024 ECCP highlights that trust is the foundation of a successful compliance program. Companies must work to build an environment where whistleblowers are seen as vital contributors to the company’s ethical health. This includes recognizing the courage it takes to come forward and offering praise or acknowledgment for whistleblowers who help protect the company from greater risks.

Argentieri has noted that companies should integrate their whistleblower programs into the broader corporate culture, making whistleblowing a routine and accepted part of the business rather than an extraordinary act of bravery. This normalization of whistleblowing helps to remove the stigma and encourages more employees to speak up when they see something wrong.

Creating a Supportive Whistleblower Program

The Wolfman offers us a powerful analogy for the journey of whistleblowers within a company. Like Larry Talbot, whistleblowers often face fear, isolation, and a lack of support. However, the lessons from The Wolfman, coupled with the guidance from the 2024 ECCP and Nicole Argentieri’s commentary, provide a roadmap for how companies can create a more supportive environment for whistleblowers.

Encouraging whistleblowers starts with creating a culture where employees feel safe and empowered to report misconduct. Keeping them informed throughout the process is essential for maintaining their trust and confidence. Finally, protecting whistleblowers from retaliation ensures that they—and others—continue to feel comfortable raising concerns.

By building a robust and transparent whistleblower program, compliance professionals can help their organizations navigate the complexities of corporate risk, protect their employees, and safeguard the company’s reputation. In doing so, they avoid the tragic fate of The Wolfman and create an environment where the truth is not a burden but a pathway to a stronger, more ethical company.

Join us tomorrow for our final consideration of compliance through the classic Universal Movie Monsters lens as we consider corporate culture and Boris Karloff’s version of The Mummy.

When New Business Risks Emerge: Lessons for Compliance from The Creature from the Black Lagoon

Ed. Note: This week, leading up to Halloween, I will examine lessons for compliance professionals through the lens of the great Universal Movie Monsters: Frankenstein, Wolfman, Dracula, and The Mummy. Today, we consider what compliance needs to do when new business risks emerge through the lens of the 1954 monster movie classic The Creature from the Black Lagoon. 

============================================================

We move from the 1930s to the 1950s to look at the classic horror film The Creature from the Black Lagoon. In this movie, a team of scientists stumbles upon an uncharted and dangerous lagoon in the Amazon rainforest, only to discover the terrifying Gill-man. What starts as a routine scientific expedition quickly becomes a struggle for survival as the group faces an unexpected threat from an unknown entity. As compliance professionals, this scenario is an apt metaphor for when new business risks emerge or your business model changes unexpectedly.

The film offers valuable lessons on preparedness, adaptability, and vigilance in the face of the unknown, lessons echoed in the latest guidance from the 2024 Evaluation of Corporate Compliance Programs (2024 ECCP) and commentary from industry experts like Nicole Argentieri. In this post, we will explore what The Creature from the Black Lagoon teaches us about managing new business risks, assess the 2024 ECCP’s guidance on this issue, and consider how Principal Deputy Assistant Attorney General Lisa Argentieri’s views on the 2024 ECCP further inform our approach to compliance in a changing business landscape.

Identifying the Uncharted Waters: Recognizing New Risks

The scientists in The Creature from the Black Lagoon ventured into unknown territory, unaware of the dangers lurking beneath the surface. Similarly, when a business undergoes a shift in its business model, whether through entering new markets, launching new products, or facing changes in regulatory environments, new risks can emerge that were previously uncharted. The first step in managing these risks is recognizing them.

The 2024 ECCP stresses the importance of continuously assessing and identifying new risks as part of an effective compliance program. The ECCP notes that businesses should engage in ongoing risk assessments, particularly when significant changes in business operations occur. Compliance officers must have a mechanism to detect these changes early and respond accordingly.

Nicole Argentieri emphasizes this point, highlighting the need for businesses to be proactive rather than reactive. In her commentary on the ECCP, Argentieri notes that one of the key elements of a robust compliance program is its ability to evolve with the business. Companies must quickly recalibrate their risk assessments and compliance strategies when new risks appear. As the film illustrates, failing to anticipate or identify new threats can leave you vulnerable, just as the scientists were unprepared for the dangers in the lagoon.

Assessing the Threat: The Need for a Swift and Comprehensive Risk Evaluation

Once the scientists in the film realize that the Gill-man is a threat, they must quickly reassess their entire situation. In the corporate world, the appearance of a new risk demands a similar response: swift and comprehensive evaluation. Businesses must assess the immediate risk and its broader implications on the company’s operations, reputation, and compliance obligations.

The 2024 ECCP strongly emphasizes the need for businesses to adapt their risk assessments to reflect changes in operations or the external environment. Whether the company is expanding into a new geographic area, introducing new products, or dealing with changing regulations, the risk landscape will shift. Compliance officers must ensure their risk management frameworks are flexible enough to incorporate these new threats.

Argentieri has noted that when new risks emerge, companies must act swiftly to integrate them into their compliance programs. This involves conducting fresh risk assessments and ensuring that any changes in the business model are reflected in compliance policies, training, and monitoring systems. Like the characters in the film, who adapt their strategies as they learn more about the Gill-man, compliance teams must evolve their strategies based on a full understanding of the new risk landscape.

Adapting Your Strategy: Revising Policies, Procedures, and Controls

The central characters in The Creature from the Black Lagoon must quickly adapt their approach to survive. Similarly, when new business risks arise, compliance officers must reevaluate and adjust existing policies, procedures, and internal controls. The 2024 ECCP clearly states that policies and controls should not remain static. Instead, they must be revised to reflect the changing nature of business operations and risks.

When your business model changes, you cannot assume that your existing compliance framework will continue to be effective. For example, expanding into new geographic regions may introduce new risks related to anti-bribery and corruption (ABAC), data privacy, or supply chain integrity. New product offerings bring consumer protection, product safety, or intellectual property risks to the forefront. The ECCP recommends reviewing and updating your internal controls, third-party risk management processes, and compliance training to ensure that all aspects of your compliance program remain relevant.

Argentieri’s analysis of the 2024 ECCP reinforces this point. She has argued that businesses must build dynamic and agile compliance programs. The compliance function should be involved in key decision-making processes as the business grows and changes. When new risks emerge, the compliance department must be ready to overhaul procedures and policies swiftly. This could mean expanding due diligence efforts, revising conflict-of-interest policies, or rolling out new training programs to address the specific nature of the risk.

Vigilance and Monitoring: Ongoing Risk Management

In The Creature from the Black Lagoon, the characters must always stay vigilant to avoid the creature’s attacks. When new risks emerge, businesses must maintain a heightened level of vigilance through ongoing monitoring and testing of their compliance programs. The 2024 ECCP underscores the importance of regular monitoring to ensure compliance programs work as intended, especially in the face of new business risks.

The ECCP recommends incorporating data analytics and other technological tools to monitor compliance activities in real-time. For example, if your business is expanding into new regions, you may want to enhance monitoring of third-party relationships in those areas to ensure compliance with local laws and regulations. Continuous monitoring allows businesses to spot emerging risks early and respond before they become critical issues.

Argentieri has highlighted the need for compliance professionals to stay engaged with the business as it evolves. She suggests that compliance officers must work closely with business leaders to understand the company’s strategic direction and anticipate new risks before they fully materialize. Compliance professionals can avoid potential threats by actively participating in business discussions and decision-making and adjusting their monitoring programs accordingly.

Training and Communication: Keeping Everyone in the Loop

In the film, survival depends on everyone being aware of the danger and working together to manage it. Similarly, once new risks have been identified, ensuring that all employees, from the C-suite to the front lines, are informed and equipped to handle them is essential. The 2024 ECCP stresses the importance of communication and training as key components of an effective compliance program, especially when new risks are introduced.

When a business model changes or a new risk emerges, compliance officers must update training programs to reflect these developments. Employees should understand the nature of the new risks and how to navigate them within the company’s compliance framework. Regular communication from leadership about the importance of compliance and the role employees play in managing risk is critical for building a culture of compliance.

Argentieri has noted that training should be tailored to address the risks that have arisen. For example, if a company is entering a market with heightened anti-corruption risks, the compliance training should focus on identifying red flags for bribery and navigating local regulatory requirements. Just as the characters in The Creature from the Black Lagoon needed to work as a team to survive, businesses must ensure everyone is on the same page when managing new risks.

The lessons from The Creature from the Black Lagoon offer valuable insights for today’s compliance professionals. When faced with new and unforeseen threats, quickly adapting and responding is crucial for survival. The 2024 ECCP reinforces this need for agility, emphasizing the importance of ongoing risk assessments, the revision of policies and procedures, and vigilant monitoring.

Nicole Argentieri’s commentary on the ECCP provides further guidance, urging companies to build compliance programs that can evolve in real-time with the business. Just as the characters in the film had to adapt to survive, compliance officers must ensure their programs are flexible enough to respond to new risks and changing business models. By staying alert, adapting quickly, and fostering a culture of compliance, businesses can navigate uncharted waters and emerge stronger on the other side.

Join us tomorrow, where we will consider the 1954 movie version of The Creature from the Black Lagoon and how companies must assess and manage new and emerging risks.

All Things Investigations: Mike Huneke’s Top 5 Takeaways from The 2024 ECCP

Welcome to the Hughes Hubbard Anti-Corruption & Internal Investigations Practice Group’s podcast, All Things Investigation. In this podcast, host Tom Fox joins Mike Huneke as we explore the recently released 2024 ECCP.

In this discussion, Tom and the speaker examine the extent to which the government issues detailed guidance, advice, and settlement documents in areas of law like the Foreign Corrupt Practices Act (FCPA). The conversation reflects on historical perspectives, including a statement by an SEC commissioner from the 1980s who compared issuing guidance on the FCPA to advising on committing murders. The dialogue also touches on lessons from the Enron collapse and the dissolution of Arthur Andersen, noting the government’s cautious approach to putting corporations, employees, and shareholders at risk. The speaker argues that while this guidance can be seen as helping companies avoid misconduct, ignoring or rejecting it can lead to significant legal trouble.

Key Highlights:

  • Introduction to ECCP
  • Government’s Approach to Corporate Risk
  • Mike’s Top 5 Takeaways
  • What does it all mean?

Resources:

Hughes Hubbard & Reed website

Mike Huneke

2 Gurus Talk Compliance: Episode 39 – The TD Bank Edition

What happens when two top compliance commentators get together? They talk compliance, of course. Join Tom Fox and Kristy Grant-Hart in 2 Gurus Talk Compliance as they discuss the latest compliance issues in this week’s episode!

In this episode, co-hosts Kristy Grant-Hart and Tom Fox tackle several high-profile compliance issues. They start with TD Bank’s $3 billion money laundering scandal, exploring how inadequate compliance measures and lack of investment enabled a decade-long operation involving $18.3 trillion in questionable transactions. The discussion critiques the penalties imposed on TD Bank and reflects on the broader industry implications. The hosts then shift focus to collateral damage from fentanyl, human trafficking, modern slavery, and terrorist financing, spotlighting the OCC’s novel restrictive actions and an SEC enforcement case involving Indian bribery schemes by Moog.

Transitioning to corporate compliance dynamics, the podcast covers the Texas incident involving Deloitte’s mishandling of a convicted felon’s loan application, raising significant questions about due diligence. Frances Haugen’s advocacy for stronger whistleblower protections, particularly in the AI sector, is highlighted. The episode concludes by addressing the legal ramifications of anti-boycott provisions, the complexities of election season in the workplace, and recent developments in the Boeing case, closing these serious discussions with a humorous note on a bizarre Florida man incident.

Stories Include:

  • TD Bank Money Laundering Scandal
  • Caremark Claims and Broader Implications
  • Indian Bribery Case and SEC Enforcement
  • Debating the ECCP Guidance
  • Texas’ $5 Billion Power Plant Scandal
  • Facebook Whistleblower Frances Haugen Speaks Out
  • Understanding Anti-Boycott Provisions
  • Managing Politics in the Workplace
  • Boeing’s Legal Troubles and DEI Concerns
  • Florida Man’s Unusual Drug Complaint

Resources:

Kristy Grant-Hart on LinkedIn

Spark Consulting

Prove Your Worth


Compliance and AI: Navigating AI Compliance: The EC Gang Reviews The 2024 ECCP

What is the role of Artificial Intelligence in compliance? What about Machine Learning? Are you using ChatGPT? These questions are but three of the many questions we will explore in this cutting-edge podcast series, Compliance and AI, hosted by Tom Fox, the award-winning Voice of Compliance.

In this episode, Matt Kelly leads the Everything Compliance quartet of Susan Divers, Jonathan Marks, Karen Moore and Tom Fox through a look at Compliance and AI from the prism of the 2024 Evaluation of Corporate Compliance Programs (ECCP).

Kelly examines the complexities of integrating artificial intelligence into corporate compliance frameworks, highlighting the DOJ’s recent guidance on managing AI risks as laid out in the 2024 ECCP. In Deputy Attorney General Nicole Argentieri’s SCCE speech, she noted the overlooked AI risks and compliance requirements and emphasized the need for businesses to assess both internal AI applications and external threats from malicious uses by scammers or fraudsters.

The gang then delved into the dual aspect of AI risk (its creation and reception), underlining the importance of comprehensive risk assessment and control measures in AI deployment, such as developing bug bounty programs and ensuring anti-fraud mechanisms are robust. We explored the role of compliance officers in AI oversight, focusing on the challenges in governing AI-generated decisions compared to human actions. With various insights on the legal and operational aspects of AI compliance, the discussion urges companies to evaluate the implications of AI use, both in risk management and ethical execution.

Key Highlights:

  • Understanding AI Risks
  • Compliance Guidelines for AI
  • AI in Fraud Prevention
  • Challenges in AI Oversight
  • Compliance Officers and AI
  • Model Validation and AI


FCPA Compliance Report: From Inputs to Outputs – Roxanne Petraeus and Susan Divers on Rethinking Compliance

Welcome to the award-winning FCPA Compliance Report, the longest running podcast in compliance. In this edition of the FCPA Compliance Report, host Tom Fox is joined by Roxanne Petraeus and Susan Divers from Ethena to discuss innovative perspectives on compliance training, specifically focusing on the 2024 update to the Evaluation of Corporate Compliance Programs.

Roxanne, drawing from her military background, emphasizes the importance of practical and effective compliance training that resonates with employees rather than traditional ‘check-the-box’ methods. Susan highlights the shift towards emphasizing outputs over inputs, urging for compliance programs that are not just on paper but practiced and understood by all employees.

The discussion delves into the new expectations from the DOJ regarding the use of AI and data analytics in compliance, positioning compliance officers as pivotal to maintaining organizational justice and fairness. They also explore strategies for persuading senior management to prioritize compliance through emphasizing organizational culture and reputation. The conversation concludes with the role of leadership in fostering a compliant culture and practical steps for reaching out to Ethena for further insights.

Highlights in this Episode:

  • Deep Dive into the 2024 Compliance Program Update
  • Roxanne’s Journey and Ethena’s Mission
  • Susan’s Transition to Ethena
  • Outputs Over Inputs: A New Compliance Focus
  • The Role of AI in Compliance
  • Leadership and Compliance Strategy

Resources:

Roxanne Petraeus on LinkedIn

Susan Divers on LinkedIn

Ethena


For an audio/video version of the Compliance Kids book, Speaking Up is AWESOME, contact Tom Fox.


Everything Compliance: Episode 142, The 2024 ECCP Episode

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows.

In this episode, we are joined by Susan Divers, Consultant at Ethena as our Special Guest and we take up the 2024 Update to the Evaluation of Corporate Compliance Programs (2024 ECCP).

This week we have the quartet of Matt Kelly, Jonathan Marks, Special Guest Susan Divers and Karen Moore; all hosted by Tom Fox.

  1. Special Guest Susan Divers says the key to the 2024 ECCP is that it focuses on outputs rather than inputs or processes. She shouts out to the Washington Commanders.
  2. Jonathan Marks considers continuous controls monitoring mandates in the 2024 ECCP. He shouts out to the Philadelphia Phillies for making the NL Playoffs and rants about TSA.
  3. Karen Moore takes a deep dive into new information on whistleblowers, reporting functions and whistleblower protections in the 2024 ECCP. She is sad because of the increased threat of violence during the Jewish High Holy Days.
  4. Matt Kelly looks at the intersection of AI and compliance found in the 2024 ECCP. He rants about Trump-appointed US district judge Kathryn Mizelle, who ruled the False Claims Act unconstitutional.
  5. Tom Fox shouts out to Colorado District Judge Matthew Barrett for his sentencing of convicted election tamperer Tina Peters.

The members of the Everything Compliance are:

The host, producer, ranter (and sometime panelist) of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the award-winning Compliance Podcast Network.


Deere’s FCPA Enforcement Action: Performing a Root Cause Analysis to Inform Remediation

We recently had a Foreign Corrupt Practices Act (FCPA) enforcement action that reminded me that everything old is new again in anti-corruption compliance. The Securities and Exchange Commission (SEC) FCPA enforcement action involving Deere and Company (Deere) has bribery schemes torn literally from the first decade of the 21st century, as they involved gifts, travel, and entertainment. In other words, it was about the kind of low-hanging fruit that any compliance officer would see. Today, I want to take a multipart look at the case and see what lessons the enforcement action can provide to the 2024 compliance professional.

Compliance professionals all know the pressure to act swiftly when misconduct is discovered. It is often tempting to jump straight into remediation to address the problem, protect the company, and appease regulators. However, the case of Deere’s recent FCPA enforcement action reminds us that acting without first understanding the root cause of the misconduct can lead to superficial fixes that fail to prevent future violations.

In the Deere enforcement action, the company faced significant penalties due to bribes paid by subsidiaries of Wirtgen Group, which Deere acquired in 2017. Between 2011 and 2017, Wirtgen subsidiaries engaged in corrupt practices, paying bribes to government officials in several countries, including China and India. While Deere eventually addressed the misconduct post-acquisition, its failure to perform robust due diligence and root cause analysis before remediation exposed it to regulatory and reputational damage.

This case highlights the critical need for companies to conduct a thorough root cause analysis before embarking on remediation efforts. In this blog post, we will detail why a root cause analysis should always precede remediation, what the process entails, and how it can protect your company from future enforcement actions and compliance failures.

Understanding the True Nature of the Problem

The first and most obvious reason to conduct a root cause analysis before remediation is to ensure you address the correct problem. In the Deere case, the misconduct stemmed from bribery by Wirtgen subsidiaries, but the real issue wasn’t just the bribery itself—it was the company’s failure to identify and prevent this behavior in the first place. Simply punishing the employees involved or updating internal policies would have been insufficient without understanding why these bribes were paid.

Before designing an effective remediation plan, you must understand why the misconduct occurred. Was it due to weak internal controls? A culture that tolerated unethical behavior? Inadequate training? A failure to perform due diligence on third parties? Each of these potential causes requires a different remediation strategy. If you do not identify the true cause of the problem, your remediation efforts will be superficial and may not prevent future violations. Root cause analysis allows compliance officers to uncover the underlying reasons for misconduct, enabling them to design targeted solutions that address the actual problem—not just the symptoms.

Root Cause Analysis Helps Identify Systemic Issues

One of the biggest risks when dealing with FCPA violations or corporate misconduct is that the issue may not be isolated to one event or individual. Corruption or compliance failures are often systemic, indicating deeper issues within the company’s culture, policies, or risk management framework. If Deere had conducted a more thorough root cause analysis post-acquisition, it could have uncovered broader issues in Wirtgen’s compliance program and taken proactive steps to address those weaknesses company-wide.

Root cause analysis forces you to ask tough questions about your company’s broader compliance infrastructure. Are certain business units, regions, or third-party relationships more misconduct-prone? Are there patterns of behavior that suggest systemic problems? By identifying these systemic issues, you can implement more effective, company-wide remediation efforts that go beyond addressing a single incident.

Regulators Expect a Root Cause Analysis

Regulators, including the DOJ and the Securities and Exchange Commission (SEC), expect companies to conduct thorough root-cause analyses when investigating FCPA violations. The DOJ’s 2024 ECCP explicitly states that prosecutors will consider whether a company has adequately identified and remediated the root causes of misconduct when determining penalties. Additionally, this was specifically called out in the SAP Deferred Prosecution Agreement (DPA) earlier this year, where the DOJ stated, “5. Conducted a root cause analysis of the underlying conduct then remediating those root causes through enhancement of its compliance program;”.

In the Deere enforcement action, part of the company’s challenge was showing regulators that it had addressed not only the bribes themselves but also the underlying reasons that allowed the misconduct to occur. Companies that skip the root cause analysis and rush into remediation without clearly understanding what went wrong will likely face harsher penalties.

Performing a root cause analysis is more than good practice; it has moved to a regulatory expectation. The more comprehensive your analysis, the more likely regulators (DOJ and SEC) are to view your remediation efforts as credible. A company that can demonstrate it understands the root cause of its compliance failures—and has taken meaningful steps to address those causes—is more likely to receive leniency during enforcement actions.

Preventing Recurrence: Moving Beyond Quick Fixes

One of the major pitfalls of jumping into remediation without a root cause analysis is the risk of implementing quick fixes that don’t address the root problem. For example, in the Deere case, if the company had updated its anti-corruption policy without addressing the broader cultural or systemic issues, it would have left the door open for future violations.

Root cause analysis ensures that your remediation efforts are comprehensive and designed to prevent future violations. Instead of focusing solely on policies or individuals, you’re addressing the broader systems and processes that allowed the misconduct to occur. This might involve rethinking your company’s approach to third-party due diligence, improving internal reporting mechanisms, or enhancing employee training programs to emphasize ethical behavior. A quick fix might resolve the immediate problem, but a comprehensive root cause analysis will prevent recurrence and protect your company long-term.

Improving Your Compliance Program Over Time

Root cause analysis is not a reactive tool; it is a mechanism to continuously improve your company’s compliance program. By regularly performing root cause analyses in response to compliance failures or near misses, you can identify trends, weaknesses, and gaps in your existing program. This allows you to make proactive adjustments and improvements, ensuring that your compliance program evolves to meet new risks and challenges.

Compliance is an ongoing process, and root cause analysis is key. By taking the time to understand why compliance failures happen, you can strengthen and improve your program over time. Don’t wait for a major enforcement action to identify weaknesses in your compliance program—use root cause analysis as a tool for continuous improvement.

Building a Culture of Accountability

Finally, one of the most important benefits of conducting a root cause analysis before remediation is that it fosters a culture of accountability. When employees see that the company is taking a thoughtful, thorough approach to addressing misconduct, they’re more likely to trust the compliance function and adhere to ethical standards.

In the Deere case, the company’s failure to identify and address the root causes of Wirtgen’s corrupt practices could have contributed to a culture where employees felt that bribery was tolerated or encouraged. By contrast, companies emphasizing accountability and transparency in their root cause analyses send a clear message: misconduct will be thoroughly investigated, and systemic issues will be addressed.

Building a strong culture of compliance starts with holding people—and processes—accountable. Root cause analysis helps you identify the individuals responsible for misconduct and the broader systems and structures that allowed it to happen. This accountability, in turn, strengthens your compliance culture and reinforces your company’s commitment to ethical behavior.

The Deere FCPA enforcement action powerfully reminds us of the importance of conducting a root cause analysis before proceeding with remediation. Companies need to understand why misconduct occurred before implementing superficial fixes. By taking the time to perform a thorough root cause analysis, compliance professionals can ensure that their remediation efforts are comprehensive, effective, and designed to prevent future violations.

Remember, root cause analysis isn’t just a best practice, as the DOJ has now noted several times in several places and through several different media; it is a regulatory expectation. It’s also a critical tool for improving your compliance program, building a culture of accountability, and protecting your company from future compliance failures. This means that before you rush to fix the problem, ensure you understand it first. Only then can you design a remediation plan that addresses the cause of misconduct and sets your company up for long-term success.