Categories
Blog

House of Atreus Week: Part 2 – Pelops and Myrtilus – Corruption in the Bidding Process

The curse of the House of Atreus did not begin and end with Tantalus. Like many toxic corporate cultures, it passed from one generation to the next a legacy of moral shortcuts disguised as clever strategy.

We continue our look at lessons from the House of Atreus for the 21st-century compliance profession, focusing on the key stories and mining them for valuable insights. In today’s Part 2, we consider the myth of Pelops and Myrtilus, an ancient fable about corruption, betrayal, and the fatal cost of winning the wrong way. In this story, we look at Pelops, who was Tantalus’s son. Having been literally restored to life by the gods, he had the chance to rebuild his house on a foundation of integrity. Instead, he reached for the easy win, and in doing so, repeated his father’s error: he traded ethics for expedience.

For modern compliance professionals, it is a reminder that bribery and ethical compromise never end where you think they will. They will always come back to haunt you.

The Chariot Race for a Kingdom

According to Greek legend, King Oenomaus of Pisa received a prophecy that he would die at the hands of his son-in-law. To prevent this, he devised a deadly test for any man seeking to marry his daughter, Hippodamia: a chariot race from Pisa to Corinth. If the suitor won, he gained Hippodamia’s hand. If he lost, he died. Pelops, ambitious and determined, entered the race. But he knew Oenomaus’ horses were divine and unbeatable. So he sought an advantage, not through skill or preparation, but through corruption.

He approached the king’s charioteer, Myrtilus, and offered a bribe: riches, favor, and a promise of reward. Myrtilus agreed to sabotage Oenomaus’ chariot by replacing the bronze linchpins with wax. During the race, the wax melted, the chariot crashed, and the king was killed.

But when Myrtilus came to claim his reward, Pelops betrayed him, either pushing him off a cliff or ordering his death. As he fell, Myrtilus cursed Pelops and his descendants, ensuring the family’s cycle of corruption and vengeance would continue.

The First Procurement Fraud

Strip away the mythic trappings, and Pelops’ race looks remarkably modern.

This was a procurement process, a competition for something of value (in this case, marriage and a kingdom), corrupted by bribery and fraud. Pelops did not win on merit; he won by manipulating a key insider in the process.

That’s the same dynamic at play in so many real-world scandals:

  • A contractor bribing a government official for an unfair advantage.
  • A vendor rigging bids through inside information.
  • A company turning a blind eye to its agents’ actions abroad, so long as they deliver results.

In each case, the underlying temptation is the same as Pelops’: the belief that “winning is what matters.”

The Illusion of a “Victimless” Bribe

Pelops might have rationalized his actions. He could have told himself that everyone cheats in such races or that Oenomaus’ divine horses made the contest unfair to begin with, that the ends justified the means.

Modern compliance officers hear versions of this rationalization every day:

  • “It’s just a facilitation payment.”
  • “That’s how business is done in this region.”
  • “We’re not bribing; we’re just showing appreciation.”

But as Pelops learned, there is no such thing as a victimless bribe. His corruption did not end with a single race; unfortunately, it defined generations. Myrtilus’ curse became symbolic of the reputational and ethical taint that lingers long after the bribe is paid.

Third-Party Risk: Myrtilus as the First “Agent”

In compliance terms, Myrtilus represents the classic third-party intermediary, the local fixer, the consultant, the distributor. He was not a direct employee, but his actions became Pelops’ liability. When Pelops bribed Myrtilus, he created not just moral exposure, but third-party risk. Once you involve a third party in your scheme, you lose control over the outcome. Myrtilus could expose him, blackmail him, or turn witness.

Modern compliance programs have learned this lesson the hard way. Nearly every major FCPA enforcement action, from Siemens to Petrobras to Deere, involves third-party intermediaries. These individuals promise results, grease local wheels, and leave the company holding the bag when the investigation begins. Pelops thought he could control Myrtilus. He could not. No one ever can.

The Cost of Betrayal: When Corruption Destroys Trust

After the race, Pelops killed Myrtilus to eliminate a liability. But in doing so, he destroyed something even more valuable: trust.

Once an organization uses deception as a tool, it cannot sustain authentic relationships with employees, partners, regulators, or the public. Each act of concealment breeds another, until deception becomes standard operating procedure.

We’ve seen this pattern again and again:

  • A company that falsifies quality reports must falsify safety audits next.
  • A firm that manipulates bid data must suppress whistleblowers who question it.
  • A leader who lies externally must eventually lie internally.

In the end, Pelops did not just kill a man; he killed his organization’s capacity for integrity. That’s the same fate that awaits companies that treat compliance as expendable.

Culture Eats Compliance for Breakfast

The myth of Pelops is not about one race or one bribe; it is about the cultural rot that follows. Once Pelops normalized deceit, his descendants followed suit.

In corporate life, this manifests as a culture of winning at any cost, the most dangerous culture there is. It’s what drives salespeople to falsify data, procurement officers to overlook red flags, and executives to manipulate books.

Culture eats compliance for breakfast because if the unspoken rule of your organization is “get the deal,” no policy manual will save you. Pelops’ court would have had a Code of Ethics printed in gold, and it still wouldn’t have mattered. The only antidote is integrity built into incentives, recognition, and leadership behavior.

Lessons for Modern Compliance Professionals

What can we learn from Pelops’ fall? Quite a lot. His story offers five timeless lessons for those charged with safeguarding ethics and integrity in complex organizations.

1. Corruption Always Starts Small

The first step down the wrong path rarely looks like a scandal. It seems like a shortcut. A “favor.” A small gift. Pelops’ race was just one event, yet it came to define an entire dynasty. The concept of broken windows has demonstrated that you should treat every minor ethical compromise as a potential precedent. Small acts of misconduct become cultural habits faster than anyone realizes.

2. Third-Party Due Diligence Is Non-Negotiable

Myrtilus’ betrayal highlights why vetting, monitoring, and auditing third parties is critical. Companies must know who they’re partnering with and what incentives drive their actions. This means that compliance must have a robust third-party risk management process in place. You should require a business justification, a questionnaire, documented due diligence, risk-based screening, compliance terms and conditions in your contract, and ongoing monitoring for all third parties after the contract is signed. Finally, transparency is not optional; it is mandatory.

3. Ethical Procurement Builds Long-Term Value

In the rush to “win” contracts, companies often forget that ethical procurement protects more than reputation; it protects relationships. A tainted bid can lead to debarment, litigation, and loss of trust from clients and governments alike. For the compliance professional, you must embed integrity in procurement policy. Make ethics a competitive advantage, not a compliance burden.

4. Retaliation Destroys Cultures

Pelops’ murder of Myrtilus was the ancient equivalent of whistleblower retaliation. Myrtilus knew too much, and instead of managing the risk ethically, Pelops eliminated the witness. The result? A curse or, in modern terms, a scandal that never dies. Every compliance professional must work diligently to protect those who speak up. Encourage reporting. Make it clear that retaliation is a firing offense, not a survival tactic.

5. Integrity Outlasts Every Shortcut

Pelops won his race but lost his legacy. The true measure of success for individuals and organizations alike is sustainability. Ethical wins last; corrupt ones collapse. This requires corporate cultures where ethical behavior and business success are aligned. When values drive results, not the other way around, compliance becomes self-sustaining.

The Curse of the Easy Win

Every compliance professional has faced their “Pelops moment”: that pressure to deliver results faster, cheaper, or more impressively than the rules allow. The temptation is powerful because it is wrapped in the language of success. But as Pelops shows, every unethical win carries a hidden invoice. The ancient Greeks would call it nemesis, the inescapable reckoning that follows hubris. We call it enforcement. Whether through regulators, prosecutors, or public outrage, the bill always comes due.

The challenge for modern compliance leaders is to help their organizations see beyond the race. Winning today is not worth cursing tomorrow.

Join us tomorrow for Part 3 — Atreus and Thyestes: Internal Rivalry and the Dangers of Retaliation. We will explore how infighting, revenge, and the weaponization of leadership destroyed the next generation and how modern organizations can prevent internal culture wars from becoming compliance catastrophes.

 


House of Atreus Week: Part 1 – Tantalus’ Transgression – The Birth of a Toxic Culture

I have long been fascinated by the Greek myths around the House of Atreus. It is the most cursed House in all Greek myth. I have also long wanted to write a blog post series on its lessons for the modern-day compliance professional. This week, I am going to take a deep dive into the most doomed House and explore some of the key stories to mine them for lessons learned for the 21st-century compliance professional. We begin our series with the founder of the House of Atreus, Tantalus, and how one leader’s moral failure can poison the entire culture of an organization. His story is a cautionary tale about hubris, accountability, and the long shadow of tone from the top.

Every great compliance failure begins somewhere. Sometimes it is a single decision, a moment of arrogance, or the quiet belief that the rules apply to everyone else but not to you. In the myths of ancient Greece, that moment came with Tantalus, patriarch of the cursed House of Atreus. His name lives on in infamy, not because of power lost, but because of ethics abandoned.

The Feast of Deception

Tantalus was a favorite of the gods. He dined with them on Mount Olympus, enjoying privileges no mortal ever had. But instead of gratitude, he showed contempt. To test their omniscience, Tantalus served the gods a horrific meal, the cooked flesh of his own son, Pelops. The gods recoiled in horror, restored Pelops to life, and condemned Tantalus to eternal punishment: forever hungry and thirsty, standing in a pool of water beneath fruit-laden branches that receded whenever he reached for them.

This is where we get the word tantalize: to tempt with what is always just out of reach. But for compliance professionals, the story isn’t about temptation; it’s about transgression.

Tantalus’ sin was not merely moral or criminal. It was cultural. It revealed a belief that he was above consequence, that his proximity to power made him immune to accountability. Sound familiar? It’s the same psychology that drives corporate misconduct today: the executive who hides risk, manipulates reporting lines, or treats compliance as a box to check rather than a value to live.

Hubris at the Top: When Leaders Believe They Are Untouchable

The core of Tantalus’ failure is hubris, excessive pride that blinds leaders to ethical limits. He thought himself equal to the gods, just as modern executives sometimes see themselves as beyond internal controls, policies, or oversight.

We have seen it in corporate scandals from Enron to Theranos: charismatic leaders who create cultures where questioning authority is punished, transparency is discouraged, and the pursuit of results justifies every means. These leaders often start with good intentions (innovation, performance, growth) but end in disaster because no one dares to tell them “no.” When a CEO, department head, or even a team manager sends the message that rules are flexible for those who produce, that’s the modern equivalent of dining at Olympus. It’s the moment when culture begins to rot from the inside.

Tone from the Top: What Tantalus Forgot

In compliance, we often say “tone from the top” sets the ethical compass of the organization. Tantalus was the top, and his tone was deceitful. Instead of modeling integrity, he modeled arrogance and disrespect. His actions communicated that power excused anything.

Modern organizations are no different. Employees don’t take their ethical cues from the code of conduct on the intranet. They take them from leadership behavior, from what’s rewarded, ignored, or punished.

If Tantalus had shown humility or accountability, his descendants might have inherited a culture of honor. Instead, they inherited corruption, vengeance, and betrayal. It’s no coincidence that every generation of the House of Atreus, including Pelops, Atreus, Thyestes, Agamemnon, Clytemnestra, and Orestes, repeats the cycle of wrongdoing and retaliation. The family’s downfall wasn’t fate; it was culture. A toxic tone from the top doesn’t just corrupt a moment; it defines a legacy.

Culture of Consequences: What Happens When Misconduct Goes Unpunished

One of the most striking aspects of the Tantalus myth is how long the effects last. His descendants commit crimes generations later, yet all trace back to his original transgression.

That’s what happens in modern corporations when ethical breaches are not addressed. Once misconduct is tolerated, it becomes precedent. Once precedent hardens, it becomes culture. Think of organizations where sexual harassment was covered up “to protect the company,” or where accounting irregularities were ignored “to meet quarterly targets.” Each decision not to act creates a silent permission structure. And before long, you have what we see in so many enforcement cases: a pattern of misconduct spanning years, sometimes decades.

Tantalus’ punishment, forever reaching but never attaining satisfaction, mirrors what happens in these companies. They chase success endlessly, but integrity is always out of reach because they’ve traded ethics for expedience. A culture of consequences, by contrast, does the opposite. It makes accountability tangible. It shows employees that integrity is the expectation, not the exception.

The Modern Mirror: When Hubris Meets Compliance Failure

The story of Tantalus echoes across modern boardrooms and compliance case studies. Consider:

  • The FCPA case against Siemens (2008): A culture of “business at any cost” led to systematic bribery across divisions, because leadership prioritized results over integrity.
  • The Wells Fargo scandal: Unrealistic sales goals, driven by executives insulated from consequence, encouraged widespread fraud at the branch level.
  • Theranos: A founder’s belief in her infallibility silenced dissent, distorted reporting, and destroyed trust both internally and externally.

Each of these stories began, like Tantalus’ dinner, with one decision to deceive, rationalized as necessary, even brilliant. Each became a legend of ethical collapse.

The compliance lesson is simple: arrogance without accountability creates catastrophe.

Rebuilding What is Broken: Lessons from Tantalus’ Fall

So how do we avoid the curse of Tantalus in modern organizations? Three principles stand out:

1. Make Ethics the Core of Leadership Identity

Ethical leadership isn’t a function of compliance checklists. It’s the lived demonstration of integrity. Leaders must see compliance not as a constraint but as an enabler of trust and sustainability. When executives model ethical decision-making, it cascades downward.

Compliance Lesson: Integrate ethical leadership into performance reviews and succession planning. Reward transparency as much as performance.

2. Institutionalize Accountability

Accountability must be structured, not situational. That means ensuring robust internal investigations, consistent discipline, and a compliance function with real independence. The moment compliance must “ask permission” to act, the organization has lost its compass.

Compliance Lesson: Empower compliance officers with direct access to the board and audit committee. Build transparency into reporting lines.

3. Preserve Psychological Safety

Tantalus’ court, like many modern workplaces, thrived on fear. When employees can’t question leaders or raise concerns, misconduct flourishes. Psychological safety is the soil in which ethical cultures grow.

Compliance Lesson: Implement anonymous reporting, protect whistleblowers, and make public examples of non-retaliation.

Breaking the Curse: The Compliance Evangelist’s View

The curse of Tantalus was not divine punishment; instead, it was a predictable outcome of leadership failure. Every compliance professional knows that culture is destiny. If leaders are deceitful, employees will be cynical. If leaders are accountable, employees will be engaged.

Tantalus’ name survives as a warning to those who confuse privilege with power, and authority with exemption. His eternal hunger reflects what happens when organizations try to feed success on a diet of deception; they are never satisfied because trust, once lost, cannot nourish growth.

The modern compliance officer stands at the intersection of myth and management, tasked with ensuring that our organizations don’t repeat Tantalus’ mistake. We cannot test the gods of regulation or ethics without consequence. Instead, we must build cultures where doing right isn’t exceptional; it is expected.

Because in the end, every compliance program has a mythic choice: become Olympus or become Tantalus.

Join us tomorrow for Part 2 — Pelops and Myrtilus: Corruption in the Bidding Process. We will explore how bribery, betrayal, and broken promises tainted Pelops’ victory and what it teaches us about third-party risk and ethical procurement.

Categories
Compliance Into the Weeds

Compliance into the Weeds: The Dark Side of AI in Employee Training

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more fully. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode of Compliance into the Weeds, Tom Fox and Matt Kelly discuss emerging concerns surrounding AI, particularly ChatGPT, in the realm of employee training.

Their discussion centers on the potential use of AI, specifically ChatGPT’s newest ‘Agent Mode’, to administer compliance training courses on behalf of employees, which could potentially enable them to cheat. They debate the implications of this capability, touching on the historical context of cheating, the effectiveness of current training methods, and the need for new internal controls and strategies to adapt to these technological advancements. They also contemplate the future of training, potentially evolving into AI-driven bots that provide on-the-spot, micro-learning modules. The episode encourages compliance officers to thoroughly vet their training vendors to ensure measures are in place to prevent AI-enabled cheating.

Key highlights:

  • The Dark Side of AI in Compliance Training
  • AI’s Impact on Employee Training
  • AI’s Role in Training and Compliance
  • Future of AI in Corporate Training
  • Challenges and Considerations

Resources:

Matt Kelly in Radical Compliance


A multi-award-winning podcast, Compliance into the Weeds was most recently honored as one of the Top 25 Regulatory Compliance Podcasts, a Top 10 Business Law Podcast, and a Top 12 Risk Management Podcast. Compliance into the Weeds has been conferred Davey, Communicator, and W3 Awards for podcast excellence.


Building Your Own AI Assistant: Compliance Lessons in Customization

Ed. Note: This week, we present a week-long series on the use of GenAI in a best practices compliance program. Additionally, I have created a one-page checklist for each article that you can use in presentations or for easier reference. Email my EA Jaja at jaja@compliancepodcastnetwork.net for a complimentary copy.

In the ever-changing world of compliance, resource constraints remain one of our biggest hurdles. Whether you’re drafting policies, conducting risk assessments, or preparing investigation summaries, the work is often repetitive, labor-intensive, and subject to tight deadlines. Enter the AI assistant, not as a futuristic dream, but as a practical, buildable tool available to compliance professionals right now.

Alexandra Samuel’s Harvard Business Review article, How to Build Your Own AI Assistant, makes one point crystal clear: if you can describe a project in plain English, you can build your own AI assistant. And for compliance professionals, this represents a transformative opportunity to reduce administrative burdens while increasing consistency, accuracy, and adaptability.

But building your compliance AI assistant isn’t about chasing efficiency alone—it’s about making intentional design choices that reinforce compliance objectives, protect corporate culture, and ensure regulatory defensibility. Today, we consider five key takeaways for compliance professionals, each showing how you can harness AI assistants to enhance, not replace, your compliance program.

1. Start with the Right Use Cases

Before building, compliance leaders must ask: What problems do we want AI to solve? Samuel notes that AI assistants excel in four domains: writing and communications, troubleshooting, project management, and strategic coaching. For compliance, this translates into use cases like:

  • Drafting first-pass policy updates aligned with global regulations.
  • Summarizing enforcement actions for Board reporting.
  • Automating responses to routine employee compliance questions (e.g., “Can I accept this client gift?”).
  • Tracking investigation timelines and automatically extracting action items from meeting transcripts.

Choosing the right use case ensures your AI assistant is a force multiplier rather than a shiny distraction. Importantly, you want to start with low-risk, high-volume tasks. Drafting an anti-corruption annual training memo? AI can handle the boilerplate. Deciding whether to disclose a potential FCPA violation to the DOJ? That still belongs squarely in the human domain.

The real lesson here: compliance officers should not let “AI hype” dictate priorities. Instead, define pain points within your compliance workflow and build assistants targeted at those specific, recurring problems. Start small, iterate, and scale responsibly.

2. Design Clear Instructions—Your Assistant Is Only as Good as Its Guidance

According to Samuel, the “heart” of a custom AI assistant is the set of instructions you provide. For compliance teams, this is where risk and opportunity intersect. If your assistant doesn’t know who it is, what standards to apply, and what tone to use, it will produce outputs that undermine your credibility.

Think of instructions as your assistant’s Code of Conduct. Instead of saying “you are a compliance assistant,” you can be more precise:

  • “You are a corporate compliance officer drafting policies for a multinational company. You must ensure all content aligns with DOJ guidance on effective compliance programs, uses a professional but approachable tone, and provides practical examples for employees.”

These custom instructions allow you to “bake in” compliance frameworks from day one. For example, you can require the assistant to reference the COSO Framework for Internal Controls, ISO 37001, or the DOJ’s Evaluation of Corporate Compliance Programs whenever relevant.

The key compliance insight: good AI assistants reflect great compliance design. Just as vague compliance policies create ambiguity, vague AI instructions create unreliable outputs. Invest time in precise persona-building for your assistant, and you’ll reap consistent, defensible results.

3. Feed It Knowledge—Without Losing Control of Sensitive Data

Samuel emphasizes that AI assistants become truly powerful when equipped with background documents, such as policies, reports, contracts, or training decks. For compliance, this is both a gold mine and a minefield.

On one hand, uploading prior investigation reports, risk assessments, or compliance training modules allows your assistant to generate outputs that reflect your company’s real history and regulatory environment. Imagine an assistant that can instantly pull together a cross-border risk assessment using your own prior filings and internal guidance.

On the other hand, compliance officers must stay vigilant about data protection, privilege, and confidentiality. Sensitive HR records, whistleblower reports, and privileged investigation materials should never be indiscriminately fed into a platform without proper safeguards.

Here lies the balancing act: compliance teams must create AI assistants that are well-informed but tightly governed. This may involve anonymizing data, working through secure enterprise-grade AI platforms, or restricting inputs to public and non-sensitive internal documents.

The compliance lesson is simple but non-negotiable: context matters, but confidentiality reigns supreme. Building a compliance AI assistant means establishing protocols for what can and cannot be shared.

4. Iterate Constantly—Think Like a Compliance Monitor

Just as compliance programs require continuous improvement, so too do AI assistants. Samuel makes it clear that assistants won’t be perfect out of the box. They require ongoing feedback, refinement, and adjustment.

For compliance professionals, this is second nature. We already think in terms of monitoring, auditing, and revising. Apply the same discipline to your AI assistant:

  • Audit its outputs for accuracy, tone, and regulatory defensibility.
  • Track where it consistently underperforms (e.g., misinterpreting data privacy rules) and feed corrective instructions.
  • Periodically “refresh” its context files to reflect updated regulations, new enforcement actions, or changes in corporate policy.

Samuel suggests asking your assistant to write its own revised instructions based on your feedback. That’s a compliance monitoring exercise in itself: your assistant becomes both subject and participant in continuous improvement.

The compliance takeaway: treat your AI assistant as a dynamic system, not a static tool. Just as DOJ expects ongoing risk assessments and remediation, regulators will expect that AI tools in compliance are actively managed, not blindly trusted.

5. Embed Ethical Guardrails and Accountability

The most important compliance lesson in building your own AI assistant is ensuring accountability. As Samuel warns, assistants can hallucinate or produce flawed outputs. In compliance, this is not simply an annoyance; more importantly, it is a potential liability.

That means your assistant must operate under ethical guardrails:

  • Always include a human-in-the-loop review before any AI-generated compliance document is finalized.
  • Require disclosures when AI was used in drafting policies, reports, or training.
  • Train employees not to treat AI outputs as gospel but as drafts for critical evaluation.
  • Align your assistant’s objectives with compliance KPIs (accuracy, transparency, and defensibility) rather than raw speed.

This mirrors the DOJ’s emphasis on corporate accountability. An AI assistant may help draft your gifts and entertainment policy, but it cannot stand before prosecutors and defend your compliance program. That responsibility remains squarely with leadership.

The compliance lesson here is unmistakable: AI is a tool, not a scapegoat. Build it to augment compliance decision-making, not to absolve it.

From Experiment to Integration

Building your own AI assistant is not a technical challenge. It is a compliance design challenge. As Alexandra Samuel reminds us, if you can describe your project, you can build your assistant. For compliance officers, that means thinking intentionally about use cases, precision in instructions, safeguards for sensitive data, iteration, and ethical guardrails.

The opportunity is immense. With thoughtfully designed AI assistants, compliance professionals can shift their focus from repetitive drafting to higher-order strategy, from administrative overload to proactive risk management. But the responsibility is equally immense. An AI assistant reflects the design choices of its creators, choices that must always prioritize compliance culture, accountability, and trust.


When the Captain Isn’t the Captain: Star Trek’s Turnabout Intruder as a Root Cause Analysis Case Study

One of the Department of Justice’s most consistent themes in its 2024 Update to the Evaluation of Corporate Compliance Programs (ECCP) is the need for companies to conduct effective root cause analysis following misconduct or control failures. It’s not enough to identify what went wrong; you must understand why it happened and implement measures to prevent it from happening again.

That principle is front and center in the Star Trek: The Original Series finale, Turnabout Intruder. In this episode, Captain Kirk is on an archaeological survey mission when he encounters Dr. Janice Lester, an old acquaintance from Starfleet Academy. Through a mysterious alien device, Lester transfers her consciousness into Kirk’s body, trapping his mind in her own body. What follows is a tense series of events in which “Kirk” behaves increasingly erratically, prompting suspicion among the crew.

For compliance professionals, the episode is a surprisingly apt case study in the perils of failing to dig past the surface when something seems off. Just as the crew needed to piece together the real cause of their captain’s strange behavior, compliance teams must be adept at peeling back layers to discover the true root cause of problems.

Here are five key root cause analysis lessons from Turnabout Intruder.

Lesson 1: Unusual Behavior Should Trigger an Investigation

Illustrated by: Shortly after the mind swap, “Kirk” begins making uncharacteristic decisions, belittling subordinates, ignoring Starfleet protocols, and punishing dissent in ways that are entirely out of character for the captain.

Compliance Lesson: Behavior that deviates from established patterns should be a red flag. In corporate compliance, abrupt changes, whether in employee conduct, financial reporting patterns, or transaction activity, often indicate deeper issues.

Too often, organizations rationalize away early warning signs: “He’s under stress” or “That’s just her style.” But effective root cause analysis begins with the willingness to ask, Why is this happening now? Early detection is often the difference between a manageable problem and a full-blown crisis. Develop and maintain behavioral baselines for key personnel and functions. If something deviates sharply, investigate promptly rather than waiting for more evidence to emerge.

Lesson 2: Multiple Data Points Build a Stronger Case

Illustrated by: Several crew members—Spock, McCoy, Scotty—each notice something odd about “Kirk.” At first, their observations are anecdotal and separate. Only when they share information do they begin to see a pattern that suggests something is seriously wrong.

Compliance Lesson. Root cause analysis is stronger when it integrates multiple perspectives and sources of data. If you rely on a single source, one audit, one complaint, you risk drawing incomplete or biased conclusions.

In the episode, no single crew member had enough to prove that Kirk wasn’t himself. But when their observations were combined, the collective evidence pointed toward an anomaly that needed urgent action. Create processes that encourage information sharing across departments. Compliance, audit, HR, and operations should have mechanisms to cross-reference findings because the root cause may only emerge when different pieces are put together.

Lesson 3: Be Alert to Hidden Motives

Illustrated by: In Kirk’s body, Lester uses her new authority to sideline suspected opponents, reassigning or threatening crew who question her behavior. Her motive isn’t mission success; it’s consolidating her stolen command.

Compliance Lesson. The apparent cause of a problem may mask deeper personal or organizational motives. Misconduct often occurs because someone is pursuing goals that conflict with corporate policy, whether financial gain, personal vendettas, or reputational enhancement.

If your analysis stops at “This person violated policy,” you miss the opportunity to uncover why they were willing to risk consequences. In many cases, systemic issues, misaligned incentives, toxic culture, and weak oversight are the true drivers. In every investigation, ask “What’s in it for them?” Understanding incentives, pressures, and personal agendas can reveal root causes that process analysis alone won’t uncover.

Lesson 4: Authority Structures Can Delay Recognition of the Problem

Illustrated by: Even when evidence mounts, the crew is reluctant to challenge “Kirk” because of the chain of command. Starfleet discipline dictates deference to the captain, making it harder to act on suspicions.

Compliance Lesson. In organizations, hierarchy can be a barrier to identifying root causes. Employees may hesitate to report misconduct by senior leaders, or they may assume that questioning a dubious directive is “above their pay grade.”

This dynamic often allows problems to persist far longer than they should. A compliance program must be designed to bypass those bottlenecks, giving employees safe, confidential, and credible ways to report concerns, even about top executives. Ensure that escalation procedures allow for independent review of senior management conduct. Whistleblower protections, ombuds functions, and anonymous hotlines can help surface issues that otherwise stay buried.

Lesson 5: Validate Assumptions Before Acting

Illustrated by: Spock eventually confronts “Kirk” and demands an explanation. Through logical analysis and a mind meld, he confirms the body-swap truth. Only then can the crew take decisive action to restore the captain to his rightful body.

Compliance Lesson. One of the biggest pitfalls in root cause analysis is acting on unverified assumptions. If you jump to conclusions too early, you may “fix” the wrong problem—or make it worse. Spock’s mind meld was the ultimate verification step. In compliance, your “mind meld” might be corroborating whistleblower claims with independent documentation, or testing an internal control in multiple scenarios before concluding it’s defective.

Build verification into your root cause analysis process. Don’t settle for the first plausible explanation; pressure-test your conclusions before implementing remediation.

Connecting Star Trek to DOJ Expectations

The DOJ’s ECCP explicitly asks:

  • “What is the root cause of the misconduct?”
  • “Were prior opportunities to detect the misconduct missed?”
  • “What systemic failures contributed to the issue?”

Turnabout Intruder illustrates the importance of addressing these questions. If the crew had stopped at “the captain is acting oddly” and focused on damage control, they might never have uncovered the deeper truth of Lester’s body swap. Similarly, in corporate investigations, stopping at the surface level (“employee violated policy”) without probing the environment that allowed it to happen fails both the DOJ’s expectations and your prevention mandate.

Final ComplianceLog Reflections

In Turnabout Intruder, the crew’s slow realization of the true problem nearly cost them their captain and perhaps the Enterprise itself. In the compliance arena, a slow or shallow root cause analysis can allow misconduct to persist, control weaknesses to remain unaddressed, and systemic issues to metastasize.

Effective compliance leadership means not just spotting what’s wrong, but relentlessly pursuing why it went wrong. That’s how you fix the problem in a way that prevents recurrence.

Like Spock confronting “Kirk,” we must be willing to gather evidence methodically, test our conclusions, and take decisive action once the truth is clear. Root cause analysis isn’t about blame—it’s about ensuring your organization emerges stronger, more transparent, and more resilient than before.

Because in the end, just like the Enterprise, your mission depends on having the right people in the right roles, operating with integrity, and that’s a result only a thorough, well-executed root cause analysis can guarantee.

Resources:

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha


Institutional Justice and Fairness in Compliance: Lessons from Star Trek’s ‘The Cloud Minders’

Institutional justice and institutional fairness are not abstract ideals; they are operational requirements in a corporate compliance program. They define how policies are enforced, how decisions are made, and how employees perceive the integrity of their workplace. One of the most vivid illustrations of the dangers of systemic injustice and perceived unfairness comes from Star Trek: The Original Series in “The Cloud Minders.”

The DOJ’s 2024 Evaluation of Corporate Compliance Programs (ECCP) reinforces this point: for a compliance program to be effective, it must not only exist on paper but also operate fairly in practice. The DOJ expects companies to show that their compliance processes are applied consistently across the organization, regardless of seniority, revenue generation, or personal connections.

Why the DOJ Cares About Justice and Fairness in Compliance

In the ECCP, the DOJ focused on institutional justice and institutional fairness as key mandates for the compliance function. Why? It was rooted in practicality: a compliance program that is seen as biased or inconsistent will fail. Employees will not report misconduct, will hide mistakes, and will disengage from ethics initiatives.

Prosecutors know that when misconduct occurs in such an environment, it’s often a symptom of deeper cultural problems. That’s why, during investigations, they ask:

  • Are policies applied equally to all levels of the organization?
  • Is discipline consistent and documented?
  • Do employees believe the process is fair?
  • Has the company addressed the underlying causes of misconduct?

If the answers to these questions are unsatisfactory, the DOJ is more likely to view the compliance program as ineffective, regardless of its written policies.

The Tale 

The Enterprise is sent to the planet Ardana to collect zenite, a mineral needed to stop a plague on another world. Captain Kirk and Mr. Spock beam down to Stratos, a floating city inhabited by the planet’s elite, only to discover a deep societal divide. The surface of Ardana is worked by “Troglytes,” a laborer class forced to mine zenite under hazardous conditions, denied access to the comforts and education of Stratos.

The elites justify this arrangement as necessary for stability, while the Troglytes see it as systemic exploitation. The episode becomes a study in the consequences of entrenched inequality, distrust, and the refusal to address legitimate grievances, exactly the kinds of dynamics that can erode trust in a corporate compliance program if not addressed.

From this story, we can extract five compliance lessons on institutional justice and institutional fairness.

Lesson 1: Consistency in Standards Is Non-Negotiable

Illustrated by: The leaders of Stratos apply rules differently depending on social status. The elite enjoy cultural and political freedoms, while Troglytes face restrictions and harsher punishments for similar conduct.

Compliance Lesson. The DOJ has repeatedly emphasized that policies and disciplinary measures must be applied consistently. If employees perceive that “rainmakers” or executives receive lighter sanctions, or none at all, for policy violations, trust in the compliance function evaporates. In The Cloud Minders, the double standard deepens resentment and drives conflict, precisely what can happen inside a company when justice is selective.

Why It Matters to DOJ: Prosecutors evaluate whether discipline is enforced “consistently across the organization, regardless of position or power.” Inconsistency is a red flag that the program is a paper exercise rather than a living system.

What should you do?

  • Establish clear, documented disciplinary protocols.
  • Apply them uniformly, with oversight from the compliance function.
  • Communicate to the workforce that no one is above the rules.

Lesson 2: Address Root Causes, Not Just Symptoms

Illustrated by: The Troglytes’ performance and health are impaired because mining zenite exposes them to toxic vapors. The elites interpret this as proof of inferiority, ignoring the environmental cause.

Compliance Lesson. Organizations sometimes treat compliance failures as isolated misconduct rather than symptoms of deeper issues, such as inadequate training, unrealistic sales targets, or flawed incentive structures. In Ardana, fixing the air quality in the mines would have solved much of the productivity gap, just as fixing systemic drivers of noncompliance prevents repeat issues.

Why It Matters to DOJ: The DOJ looks for root cause analysis after misconduct. They want to see whether the company took corrective action to address systemic issues, not just discipline the individuals involved.

What should you do?

  • Investigate not only “who” did something wrong, but “why” it happened.
  • Use findings to improve processes, incentives, and controls.
  • Share non-confidential lessons learned with the workforce to demonstrate fairness and transparency.

Lesson 3: Perceived Fairness Matters as Much as Actual Fairness

Illustrated by: Even when Kirk offers protective gear to the Troglytes, they are slow to trust his intentions. Years of mistreatment have convinced them that promises from the elites are empty.

Compliance Parallel: Employees judge compliance programs not only by their design but by how fair they feel in practice. If people believe investigations are biased or that whistleblowers will be punished, they will avoid reporting, even if the official policy says otherwise. On Ardana, the absence of trust kept both sides from engaging in good-faith solutions—something corporate leaders must avoid at all costs.

Why It Matters to DOJ: Prosecutors assess whether employees trust the compliance program enough to use it. A hotline no one calls is not evidence of a healthy culture—it may be proof of fear or cynicism.

What should you do?

  • Publicize examples where issues were raised and resolved fairly.
  • Protect whistleblowers from retaliation and make that protection visible.
  • Use employee surveys to measure trust in compliance processes.

Lesson 4: Leadership Must Model Ethical Behavior

Illustrated by: Stratos’s leaders speak about justice and stability, but are unwilling to live under the same risks or hardships as the Troglytes. Their detachment from the reality of mining life fuels the unrest.

Compliance Lesson. Leaders who preach ethics but cut corners for themselves undermine institutional fairness. Employees take cues from the top; if executives are exempt from rules, the rest of the organization will follow suit. In The Cloud Minders, the Stratos elite’s credibility collapses because they refuse to share the burdens of those they govern, a mistake no corporate leadership team should make.

Why It Matters to DOJ: The DOJ examines “tone at the top” and “conduct at the middle.” They want to see that leadership’s actions match their words and that managers reinforce the message through daily decisions.

What should you do?

  • Ensure executives participate in the same training and certifications as all employees.
  • Make leadership accountable for compliance metrics.
  • Publicly acknowledge when senior leaders are held to account for violations.

Lesson 5: Dialogue and Inclusion Are Tools for Justice

Illustrated by: Spock approaches the Troglytes with genuine respect, listening to their grievances and acknowledging their intelligence. His willingness to engage earns him credibility that Stratos leaders lack.

Compliance Parallel: Institutional fairness is strengthened when employees feel heard and included in shaping solutions. This doesn’t mean every request can be granted, but the act of listening and considering input builds trust. Just as Spock bridged the divide on Ardana, compliance leaders can bridge gaps in trust by treating all stakeholders with respect and dignity.

Why It Matters to DOJ: A compliance program is stronger when it incorporates feedback from the workforce. The DOJ favors companies that regularly assess the program’s effectiveness through interviews, surveys, and focus groups.

What should you do?

  • Include employee representatives in policy review committees.
  • Hold listening sessions for employees and other stakeholders after major incidents or policy changes.
  • Act on feasible suggestions and explain when ideas can’t be implemented.

Practical Compliance Takeaways from The Cloud Minders

  1. Apply Rules Equally: Avoid double standards by holding everyone—from the C-suite to front-line staff—to the same requirements.
  2. Investigate Root Causes: Fix systemic issues, not just individual mistakes.
  3. Build Trust in the Process: Ensure employees perceive the program as fair and protective.
  4. Lead by Example: Leadership must model the ethical behavior expected of all.
  5. Listen and Include: Use dialogue to bridge divides and strengthen buy-in.

Final ComplianceLog Reflections

The Cloud Minders is more than a parable about class division; it is a warning for any institution that neglects fairness and justice. In Ardana, injustice created resentment, distrust, and rebellion. In a corporation, those same dynamics can lead to silent disengagement, hidden misconduct, and public scandal.

The DOJ’s message is clear: fairness and justice are not optional add-ons to compliance; they are the foundation of a program that works. As compliance leaders, our role is to be the “Spock” in the room, listening, respecting, and bridging divides while ensuring that the rules are fair, transparent, and consistently applied.

When we do that, we do not just comply with the DOJ’s expectations; we build organizations where people trust the system enough to make it work.

Resources:

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha


Argentieri at ABA White Collar Conference: Corporate Enforcement, Part 1

There were recently two significant speeches by Department of Justice (DOJ) officials at the American Bar Association National Institute on White Collar Crime. The first was by Deputy Attorney General Lisa Monaco. The second was by Acting Assistant Attorney General Nicole Argentieri. They both had important remarks for the compliance professional. Over the next several blog posts, I will review both speeches and what they might indicate for compliance and Foreign Corrupt Practices Act enforcement going forward. Yesterday, I considered the Monaco speech. Today is the speech by Nicole Argentieri.

After reviewing some of the more significant individual prosecutions, Argentieri turned to corporate enforcement, noting, “Corporate accountability is the other side of our white-collar work because companies are the first line of defense against misconduct.” She emphasized the need for “a strong compliance program that is key to preventing corporate crime before it occurs and addressing misconduct when it does occur.” The DOJ’s Corporate Enforcement Policy also encourages “companies to invest in strong compliance functions and to step up and own up when misconduct occurs.” She cited one company that did not have a robust compliance program (or a culture of compliance), Binance, which explicitly communicated its “priorities, telling employees that, when it came to compliance, it was ‘better to ask for forgiveness than permission.’”

In the Foreign Corrupt Practices Act enforcement arena, Argentieri pointed to four cases the DOJ prosecuted over the past 18 months. The companies all entered into corporate resolutions for FCPA violations. This group included Vitol, Glencore, Freepoint, and, most recently, Gunvor. Additionally, the DOJ prosecuted multiple individuals in connection with these cases. She even detailed the multiple bribery schemes involved: “Bribe payments funneled into the pockets of foreign officials through corrupt third-party agents using sham contracts and fake invoices.”

In each organization, there was a decided lack of a culture of compliance. Additionally, employees exploited gaps in their companies’ internal controls and compliance programs. Employees used personal cell phones and personal email accounts, to which the organizations seemingly had no access during the corruption and after the internal investigations. To make payments, internal controls were overridden or ignored, creating off-the-books systems not subject to the organization’s standard checks and controls.

Because of the internal control and compliance failures that led to or contributed to the FCPA violations, each of these entities was required to make critical enhancements to their compliance programs to prevent future violations of the FCPA. Argentieri said, “Companies that take forward-leaning steps on compliance will be better-positioned to certify that they have met their compliance obligations at the end of the term of their agreements, as is now required in corporate resolutions with the Criminal Division.”

However, the work the DOJ does after a settlement with a company is equally important. She clarified that the DOJ will monitor companies after resolution as they make, monitor, and attest to their compliance program and internal controls enhancements. She reported that “twenty-four companies have a market capitalization of more than $1 billion, and 22 are public companies. Over the past decade, hundreds of other companies across a wide range of industries have similarly been subject to compliance obligations in cases brought by the Criminal Division.” This ongoing oversight is not an independent monitorship; its purpose is to ensure compliance with the resolution documents and to “have a real impact on corporate culture and compliance.”

The DOJ wants companies to be good corporate citizens and incentivizes them to be so in various ways. Beyond enforcement actions are the Evaluation of Corporate Compliance Programs (ECCP), the Corporate Enforcement Policy (CEP), the Voluntary Self-Disclosure Program (VSP), and the Compensation Incentives and Clawbacks Pilot Program. Argentieri reported that self-disclosures have increased over the past three years: “In 2023, we received nearly twice as many disclosures as in 2021. We expect this trend to continue as more companies take advantage of the benefits of voluntary self-disclosure and the CEP more generally.”

Argentieri believes that the DOJ has articulated policies that apply transparent criteria, both for prosecutors to use and as “guideposts for companies and their counsel to consider when deciding what to do when faced with the prospect of a government investigation.” It is a goal of the DOJ “to demonstrate the benefits that await those who voluntarily disclose misconduct.” She concluded this section by stating, “It’s one thing to issue and update policies. It’s another way to change corporate behavior. That is why we track the number of disclosures from companies. I’m proud to announce that early indications are that our policies are bearing fruit.”

Join us tomorrow as we examine how the ECCP, VSD, CEP, and Clawbacks Program have been reflected in recent enforcement actions.


Policies and Procedures

There are numerous reasons to put some serious work into your compliance policies and procedures. They are certainly a first line of defense when the government comes knocking. The 2023 ECCP made clear that “Any well-designed compliance program entails policies and procedures that give both content and effect to ethical norms and that address and aim to reduce risks identified by the company as part of its risk assessment process.” This statement made clear that the regulators will take a strong view against a company that does not have well thought out and articulated policies and procedures against bribery and corruption; all of which are systematically reviewed and updated. Moreover, having policies written out and signed by employees provides what some consider the most vital layer of communication and acts as an internal control. Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the “Document, Document, and Document” mantra applies just as strongly to policies and procedures in anti-corruption compliance.

The specific written policies and procedures required for a best practices compliance program are well known and long established. According to the 2020 FCPA Resource Guide 2nd edition, some of the risks companies should keep in mind include the nature and extent of transactions with foreign governments (including payments to foreign officials); use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments. Policies help form the basis of expectations for standards of conduct in your company. Procedures are the documents that implement these standards of conduct.

Compliance policies do not guarantee employees will always make the right decision. However, the effective implementation and enforcement of compliance policies demonstrate to the government that a company is operating professionally and ethically for the benefit of its stakeholders, its employees and the community it serves.

There are five general elements to a compliance policy, which should stake out the following:

  • Identify who the compliance policy applies to;
  • Set out the objective of the compliance policy;
  • Describe why the compliance policy is required;
  • Outline examples of both acceptable and unacceptable behavior under the compliance policy; and
  • Lay out the specific consequences for failure to comply with the compliance policy.

The 2023 ECCP went further by requiring an assessment of whether a company has established policies and procedures that incorporate the culture of compliance into its day-to-day operations, through a design that is appropriate to the organization and based upon that organization’s assessed risks.

Design––What is the company’s process for designing and implementing new policies and procedures and updating existing policies and procedures, and has that process changed over time? Who has been involved in the design of policies and procedures? Have business units been consulted prior to rolling them out?

Comprehensiveness––What efforts has the company made to monitor and implement policies and procedures that reflect and deal with the spectrum of risks it faces, including changes to the legal and regulatory landscape?

The 2023 ECCP Evaluation mandated there must be communication of your compliance policies and procedures throughout the workforce and relevant stakeholders such as third parties and business venture partners.

Accessibility––How has the company communicated its policies and procedures to all employees and relevant third parties? If the company has foreign subsidiaries, are there linguistic or other barriers to foreign employees’ access? Have the policies and procedures been published in a searchable format for easy reference? Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?

Responsibility for Operational Integration––Who has been responsible for integrating policies and procedures? Have they been rolled out in a way that ensures employees’ understanding of the policies? In what specific ways are compliance policies and procedures reinforced through the company’s internal control systems?

Moreover, just as risks evolve, your policies and procedures should evolve. The 2023 ECCP asked the following questions:

  • How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices?
  • Has the company undertaken a gap analysis to determine if particular areas of risk are not sufficiently addressed in its policies, controls, or training?
  • What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries?
  • Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?

The bottom line is that the DOJ expects your policies and procedures to be reviewed on a regular basis and updated as your risks evolve.

Finally, the 2020 FCPA Resource Guide, 2nd edition, ends its section on policies with the following, “Regardless of the specific policies and procedures implemented, these standards should apply to personnel at all levels of the company.” It is important that compliance policies and procedures are applied fairly and consistently across the organization. Institutional fairness demands it: if compliance policies and procedures are not applied consistently, there is a greater chance that an employee dismissed for breaching a policy could successfully claim he or she was unfairly terminated. Moreover, inconsistent application of your policies and procedures will destroy the credibility of your compliance program. This last point cannot be over-emphasized. If an employee is going to be terminated for fudging their expense accounts in Brazil, you had best make sure that same conduct lands your top producer in the U.S. with the same quality of discipline.


Your Code of Conduct

What is the value of having a Code of Conduct? In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven, something to wave in a regulator’s face during an enforcement action as proof of overall ethical behavior. Is such a legalistic code effective? Is a Code of Conduct more than simply your company’s internal law? What should be the goal in the creation of your company’s Code of Conduct?

How important is the Code of Conduct? Consider the 2016 SEC enforcement action involving United Airlines, Inc., which turned on a violation of the company’s Code of Conduct. The breach of the Code of Conduct was determined to be an FCPA internal controls violation. It involved a clear quid pro quo benefit paid out by United to David Samson, the former Chairman of the Board of Directors of the Port Authority of New York and New Jersey, the public government entity which has authority over, among other things, United’s operations at the company’s huge east coast hub at Newark, NJ.

The actions of United’s former CEO, Jeff Smisek, in personally approving the benefit granted to favor Samson violated the company’s internal controls around gifts to government officials by not only failing to follow the United Code of Conduct but also violating it. The $2.4 million civil penalty levied on United was in addition to its 2016 Non-Prosecution Agreement (NPA) settlement with the DOJ, which resulted in a penalty of $2.25 million. The scandal also led to the resignation of Smisek and two high-level executives from United.

In the 2020 FCPA Resource Guide, 2nd edition, the DOJ and SEC stated:

A company’s Code of Conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.

The 2023 ECCP specified “As a threshold matter, prosecutors should examine whether the company has a code of conduct that sets forth, among other things, the company’s commitment to full compliance with relevant Federal laws that is accessible and applicable to all company employees.” The Antitrust Guidance also specified “If the company has a Code of Conduct, are antitrust policies and principles included in the document?”

The 2020 FCPA Resource Guide, 2nd edition, the 2023 ECCP and Antitrust Guidance go on to make it clear that it is difficult to effectively implement a compliance program if it is not available in the local language so that employees in foreign subsidiaries can access and understand it. When assessing a compliance program, DOJ and SEC will review whether the company has taken steps to make certain that the Code of Conduct remains current and effective and whether a company has periodically reviewed and updated its code.

There are several purposes which should be communicated in your Code of Conduct. The overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating those requirements, providing a process for proper decision-making, and then requiring that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company upholds and supports proper compliance.

The substance of your Code of Conduct should be tailored to your company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. Your company’s disciplinary procedures must be stated in the Code. These would include all forms of discipline, up to and including dismissal, for serious violations of the Code. Further, your company’s Code should emphasize it will comply with all applicable laws and regulations, wherever it does business. The code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

The three most important things about your compliance program are “Document, Document, and Document.” The same is true in communicating your company’s Code of Conduct. You need to do more than simply put it on your website and tell folks it is there, available and that they should read it. You need to document that all employees, and anyone else to whom your Code of Conduct applies, have received, read, and understood it. The DOJ expects each company to begin its compliance program with a very publicly announced, very robust Code of Conduct. If your company does not have one, you need to implement one forthwith.

However, your Code of Conduct is not a static document to be put on a shelf and never reviewed again. Just as your compliance program is a living entity that should be constantly evolving, so is your Code of Conduct. If your company has not reviewed or assessed your Code of Conduct for five years, do so in short order, as much has changed in the compliance world. Some of the questions you should begin with include:

  • When was the last time your Code of Conduct was revised?
  • Have there been changes to your company’s business model since the last revision to the Code of Conduct?
  • Have there been changes to relevant laws relating to a topic covered in your company’s Code of Conduct?
  • Are any provisions of the Code of Conduct outdated?
  • What is the budget to revise your Code of Conduct?

After revision of your Code of Conduct, you should develop a plan to communicate the revised document. A rollout is always critical because it is important that revisions are communicated in a manner that encourages employees to review and use the Code of Conduct on an ongoing basis. Your company should use the full panoply of tools available to it to publicize the revised Code of Conduct. This can include a multi-media approach or physically handing out a copy to all employees at a designated time. You might consider having a company-wide Code of Conduct rollout meeting where the revised Code is announced with great fanfare across the company, all in one day. Also remember that, as with all things compliance, the three most important aspects are “Document, Document, and Document.” For each delivery of the revised Code of Conduct, you must document that each employee received it.

These points are a useful guide not only for determining whether your Code of Conduct needs updating, but also for the practical steps to tackle the problem. It is far better to review and update your Code of Conduct than to wait for a massive FCPA investigation to go through the process.


31 Days to a More Effective Compliance Program: Day 1 – What 2023 Brought to Compliance

2023 was a very significant year for every compliance practitioner and compliance program. While there was a paucity of corporate enforcement actions under the Foreign Corrupt Practices Act (FCPA), there were significant announcements from the Department of Justice (DOJ) that directly impacted compliance professionals and compliance programs.

The first came in January, and it was an update to the Evaluation of Corporate Compliance Programs (2023 ECCP). Next, we heard speeches about the increased focus on clawbacks and other areas of consequence management. In October, Deputy Attorney General (DAG) Lisa Monaco introduced a new Mergers & Acquisitions Safe Harbor Policy. Finally, in late November, Acting Principal Deputy Assistant Attorney General Nicole M. Argentieri delivered remarks at the 39th International Conference on the Foreign Corrupt Practices Act (FCPA) on the use of data analytics in a compliance program and DOJ expectations going forward.

The 2023 ECCP brought forward several new initiatives laid out in the 2020 Update to the Evaluation of Corporate Compliance Programs, including additions and deletions.

In October 2023, Deputy Attorney General Lisa Monaco announced a new policy regarding M&A. It is a Mergers & Acquisitions Safe Harbor policy that encourages companies to self-disclose criminal misconduct discovered by an acquiring company during the acquisition of a target company.

In November, Nicole Argentieri, Acting Assistant Attorney General for the Criminal Division, speaking at the ACI National FCPA, reported that the DOJ is stepping up its own use of data analytics to identify instances of corporate misconduct and will boost its cooperation with overseas law enforcement to bring more anti-corruption cases as well. The DOJ and SEC are increasingly focusing on data analytics for corporate compliance, signaling higher expectations for larger companies. Both agencies have successfully utilized data analytics in various areas, such as securities and healthcare fraud, and are actively improving their own capabilities in this field. She made several important points for all compliance professionals, which will be significant going forward into 2024 and beyond.

Three key takeaways:

1. 2023 was a key year for the DOJ’s evolution in its views on compliance programs.

2. Clawbacks, incentives, and consequence management have become more important.

3. The new DOJ safe harbor initiative for M&A raises many questions.