
Using AI to Embed Compliance into Business Operations

Ed. Note: This week, we present a week-long series on the use of GenAI in a best practices compliance program. Additionally, I have created a one-page checklist for each blog post that you can use in presentations or for easier reference. Email my EA Jaja at jaja@compliancepodcastnetwork.net for a complimentary copy.

Compliance programs have long wrestled with a central challenge: how to move from “bolt-on” to “built-in.” Too often, compliance has been perceived as an overlay, a set of policies and reviews that operate parallel to business activity. The Department of Justice has repeatedly emphasized that compliance should be integrated directly into operations, not treated as an afterthought.

Generative AI offers compliance professionals a new tool to achieve this. As Elisa Farri and Gabriele Rosani argue in their HBR article, How AI Can Help Managers Think Through Problems, AI is not just a productivity enhancer but a thought partner, capable of helping leaders frame problems, test assumptions, and engage in structured dialogues that improve decision-making.

I use their article to show compliance officers how AI can help embed compliance into business processes more effectively. Today, I conclude my five-part blog post series on using GenAI in compliance by exploring how AI can assist in building compliance into the business and what it means for the future of compliance programs. I also provide five key takeaways for compliance professionals on how to do so.

1. AI as a Co-Thinking Partner for Embedding Compliance into Workflows

One of the article’s most powerful insights is the concept of “co-thinking”: AI as a partner in structured dialogue rather than just a tool for quick answers. For compliance, this is transformative. Imagine using AI not simply to draft a policy, but to help you think through how that policy should be embedded in day-to-day operations.

For instance, when designing a gifts-and-entertainment approval process, AI can walk compliance through stakeholder perspectives: What does sales need? What would regulators expect? What friction will finance raise? By simulating these perspectives, AI helps compliance professionals design workflows that are practical and embedded, rather than abstract and detached.

This approach also makes compliance more proactive. Instead of reacting to risks after violations occur, AI-enabled co-thinking allows compliance to anticipate where policies may clash with business objectives and design operational solutions upfront. The compliance lesson is to treat AI as a structured dialogue partner to design compliance that lives inside the workflow, policies, and processes that are not just documented but operationalized.

2. Enhancing Stakeholder Engagement Through AI Simulations

Embedding compliance into business operations requires more than rules; it requires buy-in. The article highlights how AI can role-play different stakeholders, challenging managers to anticipate reactions. Compliance can use this capability to stress-test initiatives before rollout.

Suppose compliance is introducing a new due diligence system for third-party onboarding. AI can simulate how procurement might respond (“slows down vendor onboarding”), how business development might object (“hurts competitiveness”), and how regulators might evaluate (“strong demonstration of risk-based management”). This multi-stakeholder dialogue allows compliance teams to refine both process design and messaging before rollout.

The implication for compliance programs is clear: embedding compliance requires deep cultural alignment. AI makes it possible to test and rehearse that alignment at scale, reducing resistance and building smoother adoption. The compliance lesson is to use AI simulations to bring stakeholder voices into the design process, ensuring compliance is not bolted on but built with empathy for business realities.

3. AI-Assisted Root Cause Analysis Strengthens Business Integration

Compliance programs are expected to conduct root cause analysis after misconduct, but too often these reviews remain siloed. AI-enabled co-thinking helps expand root cause analysis into an exercise that strengthens business operations.

For example, when analyzing repeated travel and expense violations, AI can guide compliance through structured questions: Were training gaps to blame? Were approval workflows too weak? Were sales incentives misaligned? Then, critically, AI can help map remediation back into operations—tightening finance approvals, adjusting incentive structures, and embedding compliance flags directly into expense systems.

This is not about AI making the decision. It is about AI helping compliance think through operational integration of lessons learned. Instead of merely complying with regulations by writing a report that sits on a shelf, the outcome becomes operational adjustments inside business processes. The compliance lesson (or rather, perhaps implication) is that the DOJ expects compliance programs to prevent recurrence through systemic fixes. AI co-thinking can ensure those fixes are operational, not theoretical.

4. Scaling Compliance Culture and Mindset Shifts Across the Organization

The article notes how AI can be used to coach managers through mindset shifts, helping them reflect on new behaviors and practices. Compliance can use the same approach to embed cultural expectations directly into business teams. For example, AI can be configured as a compliance coach embedded in daily tools, guiding managers through ethical dilemmas, prompting reflection during approval requests, or reinforcing company values during project planning. Instead of compliance being external and episodic, it becomes internal and continuous.

This democratizes compliance development. A frontline manager in Asia can interact with AI that reinforces compliance culture in real time, rather than waiting for annual training or sporadic compliance visits. It also gives compliance leaders data on where employees are struggling, revealing cultural gaps that can be addressed systemically.

The implication is that embedding compliance is not just about systems but about mindset. AI can make culture-building a daily, distributed activity rather than a centralized, one-time effort.

5. Ensuring Human Judgment Remains Central in AI-Enabled Compliance

Finally, while AI can enhance problem-solving and integration, the article underscores that co-thinking only works when humans stay actively engaged. Compliance cannot abdicate responsibility to machines. This has profound implications for compliance programs. AI can help frame problems, simulate stakeholders, and propose operational fixes, but it cannot weigh reputational risk, interpret regulatory expectations, or balance competing global obligations. Those decisions require human judgment.

The key is balance: AI accelerates and deepens thinking, but compliance leaders must build governance frameworks to ensure outputs are reviewed, validated, and contextualized. Embedding compliance into business operations does not mean letting AI run the show; it means letting AI augment human reasoning so that compliance becomes more practical, strategic, and defensible.

The compliance lesson, based on both the DOJ’s FCPA Resource Guide and the 2024 ECCP, is clear: compliance must be risk-based, well-resourced, and continuously improved. AI helps compliance think through integration, but humans remain accountable for ensuring it meets regulatory standards and ethical expectations.

AI as a Pathway to Embedded Compliance

The future of compliance is embedded, not bolted on. DOJ expects it. Boards demand it. Employees need it. The challenge is figuring out how to make it real. AI offers compliance professionals a powerful new tool: not as an oracle, but as a co-thinker. By helping compliance frame problems, simulate stakeholders, strengthen root cause analysis, scale cultural coaching, and reinforce human judgment, AI can accelerate the shift from compliance as oversight to compliance as an integrated business practice.

The call to action is simple: use AI not just to make compliance faster, but to make compliance inseparable from business. That is how compliance earns trust, drives culture, and meets regulatory expectations in the age of AI.


Compliance into the Weeds: The DOJ in Crisis

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more fully. Are you looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this Compliance into the Weeds episode, Tom Fox and Matt Kelly review the recent astonishing developments at the Justice Department involving the indictment and subsequent attempted dismissal of charges against New York City Mayor Eric Adams.

Tom and Matt explore the implications for corporate compliance professionals and the broader message this dysfunction sends about ethics and the role of compliance programs under the current administration. They consider the possible repercussions for future corporate enforcement, drawing important parallels between the Justice Department’s actions and the expectations for corporate compliance. They emphasize the necessity of disentangling the ethical dysfunction at the department from the practical guidelines for compliance programs. The episode critically analyzes how political maneuvers affect the justice system and corporate compliance standards.

Key highlights:

  • The Eric Adams Indictment
  • Resignations and Internal Conflict
  • Separating DOJ Integrity from Compliance Guidance
  • Tone at the Top vs. Mood at the Middle
  • Future of Compliance Guidelines

Resources:

  • Matt in Radical Compliance
  • Tom
  • Instagram, Facebook, YouTube, Twitter, LinkedIn

Compliance into the Weeds was recently honored as one of the Top 25 Regulatory Compliance Podcasts.


What is a Root Cause Analysis?

One of the biggest changes in the 2020 FCPA Resource Guide, 2nd edition, is the addition of a new Hallmark, entitled Investigation, Analysis, and Remediation of Misconduct, which reads in full:

The truest measure of an effective compliance program is how it responds to misconduct. Accordingly, for a compliance program to be truly effective, it should have a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents. An effective investigations structure will also have an established means of documenting the company’s response, including any disciplinary or remediation measures taken.

In addition to having a mechanism for responding to the specific incident of misconduct, the company’s compliance program should also integrate lessons learned from any misconduct into the company’s policies, training, and controls on a go-forward basis. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches.

There are many interesting aspects to this Hallmark, not least that it begins with “The truest measure of an effective compliance program is how it responds to misconduct.” This builds upon the language found in the “Confidential Reporting and Internal Investigations” Hallmark, which stated, “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response.” Now, beyond being properly funded, you must have a “well-functioning mechanism” for the “timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents.”

This clearly mandates that once an allegation, or even a suspicion, comes to the attention of compliance, it must be properly triaged; your investigation protocol should then kick in with a detailed and effective investigation that is completed in a reasonable time and produces a response to the investigative findings. Moreover, an investigation is not the ending point and should be followed with a robust root cause analysis. This builds upon several sources.

The 2023 ECCP also raised the following questions under “Root Cause Analysis—What is the company’s root cause analysis of the misconduct at issue? Were any systemic issues identified? Who in the company was involved in making the analysis?”

Well-known fraud investigator Jonathan Marks, partner at BDO, defined a root cause analysis as a “research-based approach to identifying the bottom line reason of a problem or an issue; with the root cause, not the proximate cause, the root cause representing the source of the problem.” He contrasted this definition with that of a risk assessment, which he said “is something performed on a proactive basis based on various facts. A root cause analysis analyzes a problem that (hopefully) was previously identified through a risk assessment.” He went on to note, “Root cause analysis is a tool to help identify not only what and how an event occurred, but also why it happened. When we are able to determine why an event or failure occurred, we can then recommend workable corrective measures that deter future events of the type observed.”

However, there is no one formula for performing a root cause analysis. One protocol, articulated by Health COMPass, advocates a four-step process which includes:

Step 1: Identify possible causal factors. Use the incident(s) to identify causal factors—things that cause or contribute to the compliance failure. This includes asking such questions as:

• What sequence of events leads to the problem?

• What conditions allow the problem to occur? [e.g., traditional values and practices]

• What problems co-exist with the central problem and might contribute to it? [e.g., lack of health facilities]

• Identify as many causal factors as possible. Start with the problem and brainstorm causal factors for that problem by asking “Why?” The root cause analysis team can also ask themselves (based on their own experience) and stakeholders “why” or “so what” questions to identify causal factors.

Step 2: Identify the root cause. To find root causes—the primary sources of the compliance violation—start with the causal factors and ask why. Root causes are seldom found in the most obvious causes. It is important to dig deeper and continue to ask “Why?” until nearly all responses have been exhausted or roots that seem important to address are reached. There are several useful methods for identifying root causes. One is to construct a root cause tree. Start with the problem and brainstorm causal factors for that problem by asking why. Connect them in a logical cause and effect order until arriving at the root of the problem.

Step 3: Identify communication challenges. Now ask which root causes are challenges that compliance can and should address and which are not. Share findings about other root causes with local authorities and leaders or organizations that might be able to address them.

Step 4: Prioritize compliance challenges. If root cause analysis identifies more than one compliance failure, decide which failure to address first. Rank root causes in order, starting with the main cause. To determine rank, consider:

• The potential impact of addressing the compliance failure. The greater the potential impact, the more important it is to address.

• How difficult it will be to reach the audience associated with the compliance failure.

• The mandate attached to the funding.

• If more than one causal factor is linked to the root cause. When a root cause is the source of multiple causal factors, it indicates that addressing the root cause can have far-reaching effects.

Another approach articulated by Marks is the Five Whys approach. As he explained, “Early questions are usually superficial, obvious; the later ones more substantive.” Borrowing from Six Sigma, the folks at iSixSigma.com believe this approach contemplates that “By repeatedly asking the question ‘Why’ (five is a good rule of thumb), you can peel away the layers of symptoms which can lead to the root cause of a problem. Very often the ostensible reason for a problem will lead you to another question. Although this technique is called ‘Five Whys,’ you may find that you will need to ask the question fewer or more times than five before you find the issue related to a problem.”

To use this approach, iSixSigma.com suggests the following protocol. Begin by writing down the specific problem, which helps you formulate the issue. Then begin asking, “Why?” Ask why the compliance failure occurred and write the answer down below the problem. But do not stop there; if this first response does not “identify the root cause of the problem that you wrote down in Step 1, ask why again and write that answer down. Loop back to step 3 until the team is in agreement that the problem’s root cause is identified. Again, this may take fewer or more times than five whys.”

Ultimately, performing a root cause analysis is not simply a matter of sitting down and asking a multitude of questions. You need an operational understanding of how the business operates and how it has developed its customer base. Overlay on that an understanding of what makes an effective compliance program, together with the skepticism an auditor should bring, so that you do not simply accept an answer that is provided to you, as you might in an internal investigation. As Marks noted, “a root cause analysis is not something where you can just go ask the five whys. You need these trained professionals who really understand what they’re doing.”


31 Days to a More Effective Compliance Program – Day 27 – Compliance Function in an Organization

The role of the compliance professional and the compliance function in a corporation has steadily grown in stature and prestige over the years. When it came to the corporate compliance function, the 2020 FCPA Resource Guide, 2nd edition, under the Hallmarks of an Effective Compliance Program, simply noted the government would “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”

This Hallmark was significantly expanded in both the original FCPA Corporate Enforcement Policy and the 2023 ECCP. In the FCPA Corporate Enforcement Policy, the DOJ listed the following factors relating to a corporate compliance function that it would consider as indicia of an effective compliance and ethics program: 1) the resources the company has dedicated to compliance; 2) the quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk; 3) the authority and independence of the compliance function and the availability of compliance expertise to the board; 4) the compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors; and 5) the reporting structure of any compliance personnel employed or contracted by the company.

The 2023 ECCP and the 2023 Update to the FCPA Corporate Enforcement Policy both demonstrate the continued evolution in the DOJ’s thinking around the corporate compliance function. Their articulated inquiries can only strengthen the corporate compliance function specifically, and the compliance profession more generally. The more the DOJ talks about the independence of the compliance function, coupled with the resources made available to it and authority concomitant with its role, the more corporations will see that it is directly in their interest to provide resources, authority and gravitas to the compliance position in their organizations.

Three key takeaways:

1. How is compliance treated in the budget process?

2. Has your compliance function had any decisions overridden by senior management?

3. Beware of outsourcing compliance, as any such contractor must have access to company documents and personnel.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.


31 Days to a More Effective Compliance Program: Day 20 – The Third Party Risk Management Process

The DOJ expects an integrated approach that is operationalized throughout the company. This means you must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party risk management that will fulfill the DOJ requirements as laid out in the 2023 FCPA Resource Guide, 2nd edition, and in the Hallmarks of an Effective Compliance Program. The five steps in the life cycle of third-party management are:

1. Business Justification by the Business Sponsor.

2. Questionnaire to Third-party.

3. Due Diligence on the Third Party.

4. Compliance Terms and Conditions, including payment terms.

5. Management and Oversight of Third Parties After Contract Signing.

Three key takeaways:

1. Use the full 5-step process for third-party management.

2. Make sure you have business development involvement and buy-in.

3. Operationalize all steps going forward by including business unit representatives.



How to Evaluate a Risk Assessment

After you complete your risk assessment, you must then translate it into a risk profile. If your estimate of where your bribery risk is greatest is wrong, it will be an effort to address it. As Ben Locwin explained in his BioProcess International article, entitled, Quality Risk Assessment and Management Strategies for Biopharmaceutical Companies:

Once we have assessed risks and determined a process that includes options to resolve and manage those risks whenever appropriate, then we can decide the level of resources with which to prioritize them. There always will be latent risks: those that we understand are there but that we cannot chase forever. But we need to make sure we have classified them correctly. With a good understanding of each of these, we are in a better position to speak about the quality of our businesses.

William C. Athanas, a partner at Holland and Knight, in an article in Industry Week entitled Rethinking FCPA Compliance Strategies in a New Era of Enforcement, posited that companies assume that FCPA violations follow a bell curve in which most employees are responsible for most of the violations. However, Athanas believed that the distribution pattern more closely follows a hockey-stick distribution, where virtually all violations are committed by just a few people. Athanas concluded by noting that it is this limited group of employees, or what he terms the “shaft of the hockey-stick,” to which a company should devote the majority of its compliance resources. With a proper risk assessment, a company can then focus its compliance efforts, such as intensive training sessions or detailed analysis of key financial transactions, on those employees with the greatest means and motive to commit a violation.

The 2023 ECCP provided the following:

Risk Management Process—What methodology has the company used to identify, analyze, and address the particular risks it faces? What information or metrics has the company collected and used to help detect the type of misconduct in question? How have the information or metrics informed the company’s compliance program?

Updates and Revisions—Is the risk assessment current and subject to periodic review? Is the periodic review limited to a “snapshot” in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures, and controls? Do these updates account for risks discovered through misconduct or other problems with the compliance program?

In the Treasury Department’s 2019 Framework for OFAC Compliance Commitments (OFAC Framework), Treasury provided greater clarity by stating, in the section entitled Risk Assessments, the following:

II. The organization has developed a methodology to identify, analyze, and address the particular risks it identifies. As appropriate, the risk assessment will be updated to account for the conduct and root causes of any apparent violations or systemic deficiencies identified by the organization during the routine course of business, for example, through a testing or audit function.

A way to evaluate risks as determined by the company’s risk assessment is through a risk matrix. Once risks are identified, they are then rated according to their significance and likelihood of occurring, and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of your remedial efforts or for continuous auditing. A variety of solutions and tools can be used to manage these risks going forward, but the key step is to evaluate and rate these risks. All your actions should flow from the risk ranking.

There are several ways to look at ‘Likelihood’ factors. An event is highly likely if it is expected to occur. An event is likely if there is a strong possibility that it will occur. An event may occur at some point even if there is no history to support it, or it can be possible where there is sufficient historical incidence to support it. Finally, an event is unlikely if it is not expected, with only a slight possibility that it may occur. Factors bearing on likelihood include the existence of controls; written policies and procedures designed to mitigate risk; the capability of leadership to recognize and prevent a compliance breakdown; prior compliance failures or near misses; and training and awareness programs.

The priority rating combines the likelihood rating with a rating that reflects the significance of the particular risk within the company’s risk universe. It is not a measure of compliance effectiveness, nor a way to compare efforts, controls or programs against peer groups.

The most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These become the focus of your most significant risk management efforts, coupled with audit and monitoring going forward. A variety of tools can be used to continuously monitor risk going forward. Consider providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. It is important to create a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it. Finally, let this risk assessment and evaluation inform your compliance program, rather than letting the compliance program inform the risk assessment.


31 Days to a More Effective Compliance Program – Day 18 – Risk Assessments

One cannot really say enough about risk assessments in the context of anti-corruption programs. This is because every corporate compliance program should be based on a risk assessment, on an understanding of your organization’s business from a commercial perspective, on how your organization has identified, assessed, and defined its risk profile, and, finally, on the degree to which the program devotes appropriate scrutiny and resources to this range of risks. The 2023 ECCP added a new emphasis on the cadence of Risk Assessments, mandating that risk assessments should be done not less than annually, but in reality, they should be done each time your risk changes. Over the past couple of years, every company’s risks have changed in going from Work From Home to Return to the Office to the Hybrid Work environments of 2024. What about geopolitical issues, the supply chain, or even potential compliance risks in the 2024 election cycle? Have you assessed each of these new paradigms for risks from a compliance perspective?

There are a number of ways you can slice and dice your basic inquiry. As with almost all FCPA compliance, it is important that your protocol be well thought out. If you use one, some, or all of the above as your basic inquiries for your risk analysis, it should be acceptable as your starting point.

Three key takeaways:

1. Since at least 1999, the DOJ has pointed to the risk assessment as the start of an effective compliance program.

2. The DOJ will now consider both your risk assessment methodology for identifying risks and the gathered evidence.

3. You should base your compliance program on your risk assessment.



Risk Assessments

One cannot really say enough about risk assessments in the context of anti-corruption programs. This is because every corporate compliance program should be based on a risk assessment, on an understanding of your organization’s business from the commercial perspective, on how your organization has identified, assessed, and defined its risk profile and, finally, on the degree to which the program devotes appropriate scrutiny and resources to this range of risks. The 2023 ECCP added a new emphasis on the cadence of Risk Assessments, mandating that risk assessments should be done not less than annually, but in reality they should be done each time your risk changes. Over the past couple of years, every company’s risks changed in going from Work From Home to Return to the Office to the Hybrid Work environments of 2024. What about geopolitical issues, supply chain or even potential compliance risks in the 2024 election cycle? Have you assessed each of these new paradigms for risks from the compliance perspective?

As far back as 1999, in the Metcalf & Eddy enforcement action, the DOJ has said that risk assessments that measure the likelihood and severity of possible FCPA violations should direct your resources to manage these risks. The 2012 FCPA Guidance stated it succinctly when it said, “Assessment of risk is fundamental to developing a strong compliance program and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.”

Having made clear which risks needed to be assessed, the 2023 ECCP focused on the methodology used in the risk assessment process. It stated:

Risk Management Process—What methodology has the company used to identify, analyze, and address the particular risks it faces? What information or metrics has the company collected and used to help detect the type of misconduct in question? How have the information or metrics informed the company’s compliance program?

Risk-Tailored Resource Allocation—Does the company devote a disproportionate amount of time to policing low-risk areas instead of high-risk areas, such as questionable payments to third-party consultants, suspicious trading activity, or excessive discounts to resellers and distributors? Does the company give greater scrutiny, as warranted, to high-risk transactions (for instance, a large-dollar contract with a government agency in a high-risk country) than more modest and routine hospitality and entertainment?

Updates and Revisions—Is the risk assessment current and subject to periodic review? Is the periodic review limited to a “snapshot” in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures, and controls? Do these updates account for risks discovered through misconduct or other problems with the compliance program?

Rick Messick, in his article entitled Corruption Risk Assessments: Am I Missing Something?, laid out the four steps of a risk assessment as follows:

First, all conceivable forms of corruption to which the organization, the activity, the sector, or the project might be exposed are catalogued. Second, an estimate of how likely it is that each of the possible forms of corruption will occur is prepared and, third, an estimate of the harm that will result from each occurrence is developed. The fourth step combines the chances of occurrence with the probability of its impact to produce a list of risks by priority.

What should you assess? In 2011, the DOJ concluded three FCPA enforcement actions which specified factors that a company should review when making a risk assessment. The three enforcement actions, involving Alcatel-Lucent S.A., Maxwell Technologies Inc. and Tyson Foods Inc., all had common areas that the DOJ indicated were compliance risk areas which should be evaluated for a minimum best practices compliance program. The Alcatel-Lucent and Maxwell Technologies Deferred Prosecution Agreements (DPAs) listed seven areas of risk to be assessed, which are still relevant today:

1. Where your company does business;

2. Geography: where does your company do business;

3. Interaction with types and levels of governments;

4. Industrial sector of operations;

5. Involvement with joint ventures;

6. Licenses and permits in operations; and

7. Degree of government oversight.

The 2020 FCPA Resource Guide, 2nd edition, laid out the following approach, “Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs. When assessing a company’s compliance program, DOJ and SEC take into account whether and to what degree a company analyzes and addresses the particular risks it faces.”

Another approach, as detailed by David Lawler in his book Frequently Asked Questions in Anti-Bribery and Corruption, is to break the risk areas into the following categories: 1) company risk, 2) country risk, 3) sector risk, 4) transaction risk, and 5) business partnership risk. He further detailed these categories as follows:

Company risk. Lawler believes this is “only to be likely to be relevant when assessing a number of different companies—either when managing a portfolio of companies from the perspective of a head office of a conglomerate or private equity house.” High risk companies involve some of the following characteristics:

• Private companies with a close shareholder group;

• Large, diverse and complex groups with a decentralized management structure;

• An autocratic top management;

• A previous history of compliance issues; and/or

• Poor marketplace perception

Country risk. This area involves countries which have a high reported level or perception of corruption, have failed to enact effective anti-corruption legislation and fail to be transparent in procurement and investment policies. The Transparency International Corruption Perceptions Index (TI-CPI) can be a good starting point. Other indices you might consider are the Worldwide Governance Indicators and the Global Integrity index.

Sector risk. These involve areas that require a significant amount of government licensing or permitting to do business in a country. It includes the usual suspects of:

• Extractive industries;

• Oil and gas services;

• Large scale infrastructure areas;

• Telecoms;

• Pharmaceutical, medical device and healthcare; and/or

• Financial services

Transaction risk. Lawler says this risk “first and foremost identifies and analyses the financial aspects of a payment or deal. This means that it is necessary to think about where your money is ending up.” Indicia of transaction risk include:

• High-reward projects;

• Projects that involve many contractors or other third-party intermediaries; and/or

• Transactions that do not appear to have a clear legitimate object

Business partnership risk. This prong recognizes that certain manners of doing business present more corruption risk than others and may include:

• Use of third-party representatives in transactions with foreign government officials;

• A number of consortium partners or joint venture partners; and/or

• Relationships with politically exposed persons (PEPs)

There are a number of ways you can slice and dice your basic risk assessment inquiry. As with almost all FCPA compliance, it is important that your protocol be well thought out. If you use one, some or all of the above as your basic inquiries for your risk analysis, it should be acceptable for your starting point.


31 Days to a More Effective Compliance Program: Day 10 – Leadership’s Conduct at The Top

The 2022 Monaco Memo emphasized the basic point that the key to every company is culture. The bottom line is that corporate culture matters, and corporate culture that fails to hold individuals accountable or fails to invest in compliance—or worse, that thumbs its nose at compliance—leads to bad results.

To assist companies in understanding this requirement, the 2023 ECCP sets out inquiries demonstrating that DOJ requirements are more than simply the ubiquitous “tone-at-the-top,” as they focus on the conduct of senior management. The DOJ wants to see a company’s senior leadership actually doing compliance. The DOJ asks if company leadership has, through their words and concrete actions, brought the right message of doing business ethically and in compliance to the organization. How does senior management model its behavior based on a company’s values, and finally, how is such conduct monitored in an organization?

Three key takeaways:

1. Senior management must actually do compliance—not simply talk the talk of compliance but also walk the walk.

2. The DOJ is now actively assessing corporate culture during investigations.

3. Your CEO is a Compliance Ambassador.



DAG Monaco on Cooperation and Compliance Incentives for M&A

Early in October at the 2023 SCCE Compliance and Ethics Institute, Deputy Attorney General Lisa Monaco delivered a long-anticipated speech expanding and formalizing the Department of Justice’s (DOJ’s) new Safe Harbor for mergers and acquisitions in the Foreign Corrupt Practices Act (FCPA) context. The latest M&A Safe Harbor expanded on an old and frankly cumbersome Opinion Release from 2008 and some old FCPA enforcement actions from the last decade to create a clear, concise, and most welcome announcement.

The Halliburton Opinion Release (08-02) gave some very tight deadlines for engaging in due diligence post-acquisition and reporting to the DOJ. The deadlines were 90 days to identify and report high-risk agents, 120 days to identify and report medium-risk agents, and 180 days to identify and report low-risk agents. For those scoring at home, that is three, six, and nine months, which for most corporations is the blink of an eye.

Moreover, while the 2012 FCPA Resource Guide did provide some guidance on what may constitute a safe harbor, the word “may” was a sticking point for corporate management when deciding whether and how to proceed with a potential merger or acquisition. There is a big difference between a theoretical outcome and one that is concrete and presumptively available. Finally, a series of FCPA enforcement actions involved mergers and acquisitions. It was unclear when remediation of any issues must be completed, from 18 months to “as soon as is practicable.”

This new DOJ policy is then aimed at encouraging cooperation and compliance in the corporate world, particularly during acquisitions. This policy allows companies to avoid charges for compliance violations discovered during the acquisition process as long as specific deadlines are met. Compliance officers are crucial in this process, conducting due diligence before and after the acquisition.

Monaco stated, “We are announcing a Department-wide Safe Harbor Policy for voluntary self-disclosures in the mergers and acquisition process context. In the future, acquiring companies that promptly and voluntarily disclose criminal misconduct within the Safe Harbor period, cooperate with the ensuing investigation, and engage in requisite, timely, and appropriate remediation, restitution, and disgorgement will receive the presumption of declination.”

Under this new policy, acquiring companies will not be held accountable for aggravating factors at the acquisition target. This means that the acquiring company will not be responsible if there are compliance issues at the target company. However, there are concerns about how this policy will be executed and its potential impact on different enforcement actions.

A key element is the clear and concise timelines articulated by DAG Monaco. She stated, “To ensure consistency, I am instructing this Safe Harbor policy to be applied Department-wide. Each part of the Department will tailor its application of this policy to fit its specific enforcement regime and consider how it will be implemented.

To ensure predictability, we are setting clear timelines. As a baseline matter, to qualify for the Safe Harbor, companies must disclose misconduct discovered at the acquired entity within six months from the date of closing. That applies whether the misconduct was found pre- or post-acquisition.”

After that, “Companies will have a baseline of one year from the closing date to fully remediate the misconduct. These baselines are subject to a reasonableness analysis because we recognize deals differ and not every transaction is the same. So, depending on the specific facts, circumstances, and complexity of a particular transaction, Department prosecutors could extend those deadlines.”

One essential tradeoff in this policy is the balance between encouraging cooperation and holding companies accountable for their actions. On one hand, the policy incentivizes companies to disclose compliance violations and cooperate with the Justice Department voluntarily. This can lead to more effective enforcement and greater transparency in the corporate world. On the other hand, there is a risk that some companies may take advantage of this policy and try to cover up compliance violations.

Compliance officers also face challenges in this new policy. If they are not involved in pre-acquisition due diligence, it could be a red flag for their career security. There is a concern that unscrupulous management teams may try to close a deal without proper due diligence and then blame the compliance officer if issues arise later on. Compliance officers must proactively ensure their involvement in the acquisition process to protect themselves and their companies.

The enforcement of this policy, particularly in antitrust cases, is also a subject of curiosity and anticipation. It is unclear how the policy will apply to corporate misconduct beyond bribery and corruption or anti-competitive actions. There are questions about whether the default position of the DOJ antitrust division will be a declination or if they will still bring charges against companies involved in antitrust violations.

While this new policy is a step forward for compliance, there are still concerns about its effectiveness and potential abuse. The Justice Department is trying to balance providing incentives for cooperation and holding companies accountable for their actions. However, there is a need for further clarity and guidance on how this policy will be executed in practice.

Overall, the new policy on corporate compliance during acquisitions is an essential development in the corporate world. It highlights the importance of considering compliance issues when making decisions about acquisitions and encourages companies to take proactive steps to address compliance violations. Compliance officers play a crucial role in this process and must be vigilant in ensuring their involvement to protect themselves and their companies. The execution of this policy and its impact on different enforcement actions will be closely watched in the coming months.