Tag: Venezuela

Categories
Blog

Returning to Venezuela: Part 4 – From Physical Security to Enterprise Risk

In this five-part series, I have walked through the core compliance risks US energy companies will face as they consider a return to Venezuela. We began with bribery and corruption and the long shadow of PDVSA (Parts 1 & 2), then moved to export controls (Part 3).

Today, we consider the security risks and the broader operational and strategic challenges of working in one of the most complex risk environments in the world. For many compliance professionals, “security” still conjures images of guards, gates, and cameras. It is treated as an operational afterthought or a line item buried somewhere between facilities and travel. The conversation I recently had with Marc Duncan, COO at Salus Solutions, should permanently disabuse compliance officers, boards, and senior executives of that narrow view. As Duncan describes it, security is not a physical function. It is an enterprise risk discipline. It is continuous monitoring at its purest. And it is inseparable from culture, governance, and decision-making authority.

For compliance professionals, especially those operating globally or in volatile environments, this conversation offers a masterclass in how risk really works when theory collides with reality.

The First Compliance Failure: Thinking You Already Know the Risk

One of the most striking observations Duncan makes is also one compliance professionals hear far too often after a failure: “We did not see that coming.” As Duncan notes, that usually means the organization was not looking. They had a preconceived notion of their threats, locked onto a narrow risk model, and failed to challenge their assumptions. This is a classic compliance failure. Risk assessments that confirm management’s beliefs instead of testing them are not risk assessments. They are comfort exercises.

True threat assessment, whether physical, cyber, financial, or reputational, begins with abstraction. You step back, examine the environment holistically, and then break it down across functions. Duncan’s approach mirrors what the DOJ expects from a mature compliance program: financial risk, personnel risk, operational risk, cyber risk, structural risk, and external conditions assessed together, not in silos. Compliance professionals should take note. If your risk assessment is static, annual, and checklist-driven, you are already behind.

An additional framework compliance professionals should consider integrating into this approach is Threat and Hazard Identification and Risk Assessment (THIRA). While THIRA originated in the public sector and homeland security context, its core discipline translates directly to corporate compliance and enterprise risk management. THIRA forces organizations to first identify credible threats and hazards, assess their likelihood and impact, and only then evaluate existing capabilities and gaps. The discipline prevents the most common compliance failure: designing controls around assumed risks rather than actual ones.

A THIRA has three key steps:

  • Identify Threats and Hazards: Identify the threats and hazards that could impact them. These can include natural disasters such as hurricanes and earthquakes, technological hazards such as power outages, and human-caused events such as terrorism.
  • Assess Impacts: Once threats and hazards are identified, assess the potential impacts of these events. This involves understanding how these threats could affect people, property, and the environment.
  • Determine Capabilities: Based on the assessed impacts, determine the capabilities they need to address these threats and hazards. This includes identifying gaps in current capabilities and planning for resource allocation and training.

Used properly, THIRA complements a compliance risk assessment by grounding it in real-world scenarios, stress-testing assumptions, and aligning resources to consequence rather than convenience. In practice, compliance teams can use THIRA-style analysis to model disruptive events, validate whether policies and response plans would function under pressure, and ensure that authority, communications, and escalation protocols actually work in dynamic conditions. Like Duncan’s threat hub, THIRA is most effective when it is iterative, cross-functional, and embedded into daily decision-making rather than treated as a one-time exercise.

Continuous Monitoring Is Not a Buzzword in a Crisis Zone

In compliance circles, we often talk about continuous monitoring and continuous improvement. In high-risk environments, Duncan explains, these are not aspirational concepts. They are daily survival requirements. Threats change by the hour. Routes become unsafe. Infrastructure fails. Information degrades. Misinformation spreads intentionally. As Duncan makes clear, relying on sanitized reports or publicly available data alone is insufficient, particularly in places like Venezuela, where reliable information can be scarce and manipulated.

For compliance professionals, the parallel is obvious. If your organization relies solely on lagging indicators, static dashboards, or once-a-year training, you are operating on yesterday’s intelligence. A mature compliance program must be dynamic, responsive, and empowered to change course quickly.

Authority Matters More Than Policy

One of the most underappreciated insights in the discussion is the emphasis on delegated authority. Duncan is blunt: security teams must be empowered to make changes on the fly. Operations teams often resist this because they have a plan for the day. But rigid plans fail in dynamic environments. Compliance professionals should see themselves clearly in this description. How often does compliance identify a risk, only to be overruled by operational convenience? How often does policy exist without authority to enforce or adapt it?

This is not merely an execution issue. It is a governance failure. If compliance, security, or risk professionals lack real authority, then the program exists in name only.

Boards Are Often the Weakest Link

Perhaps the most candid portion of the conversation is Duncan’s discussion of boards of directors. Boards understand that risk exists, but they often do not understand their lane. Worse, they sometimes overstep based on assumptions rather than expertise, thereby influencing the organization’s security and risk culture to its detriment. This should resonate deeply with compliance professionals. Many compliance failures originate at the policy level. Boards check in periodically, hear a summary, and move on. They rarely engage with the complexity of the operating environment or the second- and third-order consequences of their decisions.

Duncan advocates for an ongoing relationship with boards or policy groups, not episodic briefings. Education is continuous. Risk is dynamic. Governance must keep pace. For compliance officers, this reinforces a critical point: board engagement is not about presentations. It is about sustained dialogue, shared understanding, and clearly articulated risk tolerance.

Culture Is Defined by Accepted Loss

One of the most insightful compliance lessons emerges from Duncan’s discussion of risk acceptance, particularly in the energy sector. Every organization accepts some level of loss. The problem arises when that acceptance is implicit, unexamined, or outdated. Compliance professionals should recognize this immediately. Risk tolerance that is not written down, debated, and revisited becomes invisible policy. It shapes behavior without accountability.

Duncan’s approach is instructive. He pushes organizations to explicitly articulate acceptable loss, document it, and use it as a guideline. When conditions change, that tolerance must be reassessed at the policy level. This is exactly how compliance culture should function. Silence is not neutrality. It is permission.

Security Is Not Just Physical: Insider Threats and Human Risk

If compliance professionals think security stops at the perimeter, Duncan quickly disabuses them of that notion. Insider threats loom large. Alcoholism, substance abuse, personal stressors, and poor life choices can all create vulnerabilities. So can espionage, coercion, and cultural dysfunction.

This is compliance territory. Training that treats employees like mushrooms kept in the dark will fail. Effective programs connect behavior to consequences: personal, professional, financial, and reputational. Duncan’s emphasis on “wholesome” training aligns with modern compliance expectations. Employees must understand not just what is prohibited, but why it matters, how it affects the organization, and how it exposes them personally.

Partnering with Locals: A Lesson in Third-Party Risk

One of the most counterintuitive lessons for many executives is the need to partner with local communities, vendors, and even security forces. Cutting locals out of economic participation breeds sabotage and resentment. Compliance professionals should immediately recognize the parallel to third-party risk management. Isolation does not reduce risk. Engagement does. Oversight, contracts, inspections, and partnerships create shared incentives and stability.

Whether it is food supply, logistics, or perimeter security, Duncan emphasizes layered controls and local investment. This is not unlike building a resilient third-party ecosystem rather than relying on transactional relationships.

The Threat Hub: A Compliance Blueprint

Perhaps the most transferable concept for compliance professionals is the “threat hub.” Duncan describes a cross-functional, daily forum where representatives from legal, finance, operations, security, and other functions review threats, vulnerabilities, and operational changes. This is what an effective compliance program should look like. Not a standalone department issuing policies, but an integrated function embedded across the organization, sharing intelligence, and adapting in real time.

Finally, Duncan issues a challenge that every compliance officer should take seriously: crisis exercises will break you. They expose gaps in policy, logistics, communications, authority, and preparedness that no binder ever reveals. Compliance professionals often assume crisis plans are adequate because they exist. Duncan’s experience says otherwise. Without realistic testing, organizations are unprepared when it matters most.

Final Thoughts

This conversation makes clear that security, compliance, and risk are not separate disciplines. They are different lenses on the same problem: how organizations survive and succeed in uncertain environments.

For compliance professionals, the takeaway is simple but uncomfortable. Static programs fail. Assumptions kill preparedness—authority matters. Culture is shaped by what leaders tolerate. And boards must be educated partners, not distant overseers. In high-threat environments, failure is immediate and unforgiving. In corporate compliance, it is slower, but no less certain.

The choice, as always, is whether to learn before the crisis or after it.

Join us tomorrow for Part 5 as we conclude our series by looking at AML risks associated with returning to Venezuela.

Categories
Blog

Returning to Venezuela: Part 3 – Export Controls and the Illusion of “Reopening”

We continue to explore what the ‘reopening’ of Venezuela to US energy companies means for the compliance professional. Over the last two days, we considered the corruption issues in Parts One and Two of this blog post series. Today in Part 3, we look at export control and trade sanction issues. I spoke with Brent Carlson, founder of Red Flags Rising Solutions LLC, for his insights.

When the White House announces that U.S. oil companies may be returning to Venezuela, the business press immediately begins talking about opportunities. Compliance professionals should be talking about risk. Not hypothetical risk. Not academic risk. Real, layered, enterprise-threatening risk that sits at the intersection of export controls, sanctions, geopolitics, corruption, security, and board oversight. The conversation I recently had with Carlson makes one thing abundantly clear: Venezuela is not “opening.” It is recalibrating. And compliance programs that treat this moment as a return to business as usual will fail.

Venezuela Remains a High-Risk Jurisdiction by Design

Let us start with first principles. Venezuela remains designated as a D:5 country under the Export Administration Regulations (EAR). That places it in the most restrictive category, alongside jurisdictions such as Iran and North Korea. Even the shipment of EAR99 items can be problematic under the current framework.

That legal reality did not change simply because the President met with U.S. energy executives. Carlson is clear on this point. Whatever policy adjustments may come will be sector-specific, narrowly tailored, and aligned with geopolitical priorities, particularly oil production. There will not be a wholesale rollback of export controls or sanctions. For compliance professionals, this means one thing: the law today is the law as it existed yesterday. Until the Bureau of Industry and Security (BIS) and OFAC issue formal guidance, licenses, or regulatory amendments, nothing has changed.

Regulatory Enforcement Follows Politics, but Law Follows Process

One of the most important compliance insights Carlson offers is that regulatory enforcement follows political drivers, which in turn follow geopolitical drivers. That is undoubtedly true. But it is also where companies get themselves into trouble. Political signaling is not legal authorization. Tweets, speeches, and press briefings do not override the Export Administration Regulations, OFAC sanctions, or anti-money laundering laws. Compliance programs must be built to withstand whiplash, not chase headlines.

This is especially critical in Venezuela, where any meaningful restart of oil production will require billions of dollars, long project timelines, complex infrastructure, and sustained government engagement. These are not quick deals. They are multi-year commitments that must be compliant from day one.

Start With the Business, but Do Not Stop There

Carlson emphasizes that compliance analysis must begin with the business opportunity itself. What is the company actually trying to do? What products or services will be provided? Who will operate them? Where will the equipment go? Who will maintain it? For compliance professionals, this requires operational fluency that goes far beyond policy review. You must understand the business process step by step. Not in the abstract. Literally, transaction by transaction.

This exercise does more than identify export control risks. It exposes corruption, diversion, money laundering, security, and reputational risks. Venezuela is not a jurisdiction where silos survive.

Dual-Use Risk Is Not Theoretical in Venezuela

Any company operating in the energy sector must assume heightened scrutiny around dual-use items. Control systems, industrial machinery, software, and communications technology can all be repurposed. Carlson makes an important point here. Companies that manufacture or deploy these items already know where the risks are. The issue is not ignorance. The problem is prioritization and escalation.

This is where proactive engagement with the BIS becomes essential. Unlike some areas of compliance, export controls encourage dialogue with regulators. Companies can and should engage BIS field offices early to discuss proposed transactions, licensing pathways, and regulatory obstacles. This is not lobbying. It is compliance.

One of the most powerful insights in our discussion is the call for compliance professionals to sit down with business operations and map every operational step. This is not busywork. It is risk triage. Too often, compliance reviews occur after a deal is already emotionally committed. At that point, compliance becomes the obstacle rather than the enabler. Carlson is explicit: sales and operations teams do not want to waste time on deals that will collapse under regulatory scrutiny. When compliance is embedded early, it improves deal quality. It filters out bad opportunities and strengthens good ones. That is value creation.

Siloed Compliance Will Fail in Venezuela

If there is one jurisdiction where compliance silos are fatal, it is Venezuela. Export controls intersect with sanctions. Sanctions intersect with AML. AML intersects with corruption. Corruption intersects with security. Security intersects with human rights and ESG. Carlson cites enforcement actions where companies failed because information did not flow across functions. Finance saw one risk. Operations saw another. Compliance saw a third. No one saw the whole picture.

For Venezuela, companies must adopt a non-siloed, enterprise-wide risk model. Export control specialists must talk to anti-corruption teams. Treasury must talk to security. Legal must talk to operations. This is not optional.

Board Oversight Must Evolve Beyond Periodic Updates

Boards of directors will play a decisive role in whether companies succeed or fail in Venezuela. Carlson is clear that boards must demand updated, transaction-specific risk assessments focused on central compliance risks, not generic program health. This is not about micromanagement. It is about governance. Boards must understand that Venezuela presents a dynamic risk environment where geopolitical shifts can occur overnight. The right board questions are not “Do we have a compliance program? ” They are:

  • What export control risks are central to this opportunity?
  • What sanctions exposure remains?
  • How are we monitoring changes in real time?
  • What is our exit strategy if conditions reverse?

The Case for a Standing Enterprise Risk Committee

Carlson raises a critical governance concept: the need for a standing, cross-functional risk committee empowered to act quickly. Not an ad hoc task force. Not an annual review. A permanent capability. We are no longer in a stable geopolitical environment. Long-trusted partners can become sanctioned entities within weeks. Supply chains built over decades can collapse overnight. For compliance professionals, this reinforces the need for real-time risk sensing, escalation protocols, and decision authority. Venezuela is simply the proving ground.

Enforcement Is Coming, Not Fading

The most sobering warning Carlson offers is about enforcement. The U.S. government has been signaling for some time that export control enforcement will increase. DOJ’s Trade Fraud Task Force, BIS outreach visits, and expanded definitions of “knowledge” under the EAR all point in the same direction. Compliance professionals should recognize the parallel to early FCPA enforcement. Policies alone are not enough. Programs must demonstrate that they identify high-probability risks, escalate them, and act. Testing matters. Documentation matters. Integration matters.

Final Thoughts

The prospect of renewed oil activity in Venezuela is not a green light for compliance. It is a stress test. Companies that approach this moment with discipline, humility, and integrated risk management can create value while protecting themselves. Companies that treat it as a political reopening will find themselves exposed on multiple fronts. For compliance professionals, this is a defining moment. The question is not whether Venezuela is open for business. The question is whether your compliance program is ready for the real world.

Categories
Blog

Returning to Venezuela: Part 2 – Bribery, Corruption and the Risks You Must Confront Before You Enter

We continue our review of bribery and corruption issues (ABC) that you must address before you travel to Venezuela.  There is another set of problems that every compliance professional will face if their company decides to go into Venezuela. It is systemic corruption. Not episodic corruption. Not bad actors at the margins. Systemic, embedded, institutionalized corruption that touches government agencies, state-owned enterprises, procurement systems, and the judiciary. This is not a theoretical risk. It is the operating environment.

The Department of Justice (DOJ) has made clear in the Evaluation of Corporate Compliance Programs (ECCP) that high-risk jurisdictions require tailored, well-resourced, and empowered compliance programs. Venezuela is the textbook example of why. Over the next several blog posts, we will explore some of the key issues every company and every CCO will face when considering whether to enter (or re-enter) Venezuela. In Part 2, I will consider the second half of the 10 ABC risks a compliance professional will face. Later in this series, we will then consider AML risk, export control and trade sanctions, security risks, and end with operational risks.

In Part 1, we described the corruption environment. In Part 2, we consider what happens when companies actually try to operate inside it. This is where theory meets pressure. We begin our numbers with 6, picking up where we left off yesterday.

6. Extortion Is Not a Defense

In Venezuela, companies are often told, “You have no choice.” Payments are demanded to release cargo, protect personnel, or continue operations, sometimes thinly veiled as “fees” for expedited treatment. Venezuelan law itself recognizes extortion as a corruption offense, in which a public official abuses their position to demand an undue benefit. Under Venezuelan anti-corruption law, extortion (called concussion) carries criminal penalties and fines.

At the same time, U.S. enforcement views participation in extortion as a compliance red flag. While coercion can be a mitigating factor in narrow circumstances under the Foreign Corrupt Practices Act (FCPA) or the Foreign Extortion Prevention Act (FEPA), repeated payments, disguised invoices, or third-party routing create evidence of complicity. Deciding to pay from the field without escalation essentially decides for the company, and compliance will struggle to justify it under an ECCP review. Compliance professionals must define escalation paths, refusal protocols, and clear exit points before any signs of extortion arise. Waiting to decide “in the moment” is too late.

Compliance Response

1. Assessment Controls

  • Identify operational choke points where officials or intermediaries can halt operations, including ports, customs, checkpoints, utilities, and inspections.
  • Assess historical incidents involving detentions, delays, threats, or asset seizure tied to payment demands.
  • Map scenarios where employee safety or operational continuity could be leveraged for improper payments.

2. Management Controls

  • Establish a zero-tolerance policy for extortion payments, with narrowly defined emergency exceptions tied to imminent health or safety threats.
  • Implement pre-approved emergency response protocols for detentions, threats, or seizures.
  • Prohibit third-party routing, recharacterization, or retroactive approval of payments in the context of extortion scenarios.
  • Require contemporaneous documentation of all extortion-related incidents and decisions.

3. Monitoring

  • Track frequency, location, and duration of detentions or operational stoppages.
  • Review off-cycle, urgent, or cash payment requests for patterns.
  • Audit expense categories are commonly used to disguise extortion payments.

4. Board Oversight

  • Where are we most exposed to extortion pressure?
  • How often are emergency exceptions invoked, and are they increasing?
  • At what point do we pause or exit operations rather than continue under pressure?

7. Third Parties as the Primary Corruption Vector

In Venezuela, third parties are the everyday vectors through which corruption pressure crystallizes. Agents, customs brokers, logistics providers, security vendors, and even local fixers frequently serve as the conduit for improper value transfers. These intermediaries claim to navigate Venezuela’s opaque systems, but they also create liability if their actions result in bribery or improper advantage.

Pressure points are endemic and include:

  • Customs clearance: Goods may be held pending unofficial “service fees” or clearance bribes.
  • Port operations: Terminal operators or officials may demand payments for priority access.
  • Transportation: Toleration at checkpoints is often predicated on unofficial payments.
  • Security arrangements: Local guards or militia may demand fees for access or protection.
  • Licensing follow-up: Expediency “services” are offered at a premium.

Third parties promise solutions. They also create liability when their conduct crosses legal lines. Under the ECCP, regulators will ask whether the company understands and monitors how these third parties operate in practice, not just whether it has a diligence checklist. Paper diligence alone is insufficient where pressure is constant, and corruption vectors hide in plain sight.

Compliance Response

1. Assessment Controls

  • Classify third parties by function (customs, logistics, security, licensing), not by spend alone.
  • Identify third parties that interact directly with government officials.
  • Assess compensation structures for success fees, urgency premiums, or discretionary payments.

2. Management Controls

  • Apply enhanced due diligence to high-pressure third-party functions.
  • Require detailed, verifiable scopes of work tied to legitimate services.
  • Mandate compliance approval before onboarding or paying high-risk third parties.
  • Prohibit subcontracting or pass-through arrangements without prior written approval.

3. Monitoring

  • Conduct invoice analytics to identify duplications, rounding issues, urgency issues, or vague descriptions.
  • Monitor third-party performance against contractual scope and deliverables.
  • Review third parties involved in repeated government interactions or escalations.

4. Board Oversight

  • Which third-party functions create the greatest corruption pressure?
  • How do we verify what third parties do in practice?
  • When do we terminate a third-party relationship rather than attempt remediation?

8. Organized Crime and the Blurred Line of “Business”

In Venezuela, organized crime intersects with commerce, logistics, and even parts of the formal economy. Corruption and criminal networks often coalesce in sectors like mining, fuel distribution, and transport infrastructure, where armed groups and informal power structures exercise influence. Some of these networks are intertwined with state actors, and corruption and illicit activity can reinforce one another.

For compliance professionals, this means recognizing when business relationships drift into criminal entanglement. That drift is not always obvious at contract signing. Contracts negotiated under duress or through intermediaries with opaque ownership may conceal criminal activity. Continuous monitoring matters precisely because initial signals are subtle. The line between a vendor and a syndicate can be ecosystem-specific and may manifest in patterns of behavior, unexplained payments, or associations with known corrupt actors.

This is also where AML risk begins to dominate. When organized crime is part of the value network, it is present through smuggling rings, illicit fuel markets, or bribery conduits.  The controls for bribery, AML, sanctions, and export compliance must interlock to detect and escalate suspicious patterns.

1. Assessment Controls

  • Screen vendors and partners for criminal exposure, unusual affiliations, and opaque ownership.
  • Assess whether services operate in sectors known for illicit activity, including fuel distribution, logistics, or private security.
  • Review beneficial ownership structures and local power dynamics.

2. Management Controls

  • Integrate anti-bribery, AML, and sanctions screening for high-risk vendors.
  • Require certifications regarding lawful sourcing, operations, and subcontractors.
  • Prohibit informal arrangements, undocumented services, or side agreements.

3. Monitoring

  • Monitor for cash-intensive activity without commercial justification.
  • Track changes in ownership, management, or operational behavior.
  • Escalate associations with known illicit markets, actors, or criminal networks.

4. Board Oversight

  • How do we detect drift from legitimate commerce into criminal entanglement?
  • What triggers an immediate suspension or exit?
  • Are our controls sufficient to identify concealed criminal exposure?

9. Currency, Pricing, and Manipulation Pressure

Venezuela’s economic distortions, including exchange controls, multiple currency rates, and the scarcity of hard currency, create fertile ground for corruption. Access to U.S. dollars through official channels is tightly controlled, which historically has led companies and intermediaries to engage in schemes to secure foreign exchange at preferential rates. A notable U.S. enforcement action involved a major telecommunications subsidiary that allegedly bribed officials to gain access to a currency auction and disguised corrupt commissions through inflated equipment purchases.

These distortions become more than operational headaches. They create incentives for side payments and off-book arrangements on pricing and contracts. These practices are not just bribery issues. They implicate accounting integrity, financial reporting, AML vigilance, and sanctions exposure. Once money flows lose transparency, whether through inflated vendor invoices, opaque currency conversions, or third-party routing, compliance loses line-of-sight and control. This intersection reinforces why a compliance program must integrate transactional monitoring and financial controls alongside anti-bribery controls to detect anomalies that traditional gift/entertainment policies won’t reveal.

Compliance Response

1. Assessment Controls

  • Identify exposure to foreign exchange approvals, currency scarcity, and pricing discretion.
  • Review historical pricing anomalies or currency-related workarounds.
  • Map payment flows involving third-country or non-standard accounts.

2. Management Controls

  • Enforce strict controls over pricing adjustments and currency conversions.
  • Require joint Finance–Compliance approval for non-standard payment terms.
  • Prohibit side agreements, rebates, or off-book arrangements.

3. Monitoring

  • Monitor invoices for inconsistencies with market pricing.
  • Flag requests for alternative currencies or complex payment routing.
  • Conduct periodic reviews of foreign exchange transactions and pricing deviations.

4. Board Oversight

  • Where do currency controls create the strongest corruption incentives?
  • How do we maintain transparency in pricing and payments?
  • When does financial complexity cross into unacceptable risk?

10. Weak Rule of Law Raises the Stakes

Venezuela’s judiciary and law enforcement institutions are widely seen as politicized, under-resourced, and inconsistent in enforcing anti-corruption laws. Although the Venezuelan legal framework criminalizes extortion, passive and active bribery, and related offenses, enforcement is weak and selective. In practice, companies cannot rely on local remedies to resolve disputes or push back against corrupt demands.

This elevates the importance of internal compliance controls and pre-defined exit strategies. When there is no neutral referee, no reliable government adjudicator, and prevention becomes the only viable protection. It also means that compliance must internalize enforcement risk rather than outsource it to local authorities. A robust compliance program must include strict refusal protocols, incident documentation, real-time monitoring, and clear decision-making boundaries. Without these, companies are exposed to both local corruption risk and U.S. enforcement risk under the FCPA and allied statutes.

Compliance Response

1. Assessment Controls

  • Assume limited availability of neutral local legal remedies.
  • Identify areas where officials exercise unchecked discretion.
  • Assess reliance on informal dispute resolution mechanisms.

2. Management Controls

  • Strengthen internal documentation, approval, and escalation requirements.
  • Define clear walk-away criteria when disputes cannot be resolved lawfully.
  • Require Legal and Compliance review of all high-risk disputes and resolutions.

3. Monitoring

  • Track disputes resolved outside formal legal or contractual processes.
  • Review patterns of repeated “local solutions” or informal settlements.
  • Assess escalation timelines and resolution outcomes.

4. Board Oversight

  • Where are we relying on influence rather than process?
  • How quickly do disputes escalate to senior leadership?
  • When do we exit rather than attempt resolution?

Parts 1 and 2 of this series make clear that bribery and corruption are not peripheral risks in Venezuela. They are the entry conditions. From systemic corruption and PDVSA exposure to extortion, third-party involvement, currency manipulation, and a weak rule of law, each risk compounds the next. For compliance professionals, the lesson is not that Venezuela is impossible, but that it is unforgiving of informal controls, delayed escalation, and weak governance. Elevated risk can be managed only through disciplined assessment, operational controls, continuous monitoring, and engaged board oversight. When corruption becomes operational, however, another risk inevitably follows.

Next in Part 3 of this series, we turn to anti-money laundering, where improper value moves, hides, and metastasizes beyond corruption alone. Bribery is how improper value enters the system. Money laundering is how it moves and hides. Once corruption becomes operational, AML risk becomes unavoidable. Join us tomorrow for Part 3 in our series.

Categories
Blog

Returning to Venezuela: Part 1 – Bribery, Corruption and the Risks You Must Confront Before You Enter

When US energy companies talk about returning to Venezuela, the conversation almost always starts with opportunity. Yet the CEO of Exxon has said Venezuela is ‘uninvestible’. There is another set of problems that every corporate compliance team will face if their company decides to enter the Brazilian market. For the compliance professional, it must start with corruption. Not episodic corruption. Not bad actors at the margins. Systemic, embedded, institutionalized corruption that touches government agencies, state-owned enterprises, procurement systems, and the judiciary. This is not a theoretical risk. It is the operating environment.

The Department of Justice (DOJ) has made clear in the Evaluation of Corporate Compliance Programs (ECCP) that high-risk jurisdictions require tailored, well-resourced, and empowered compliance programs. Venezuela is the textbook example of why. Over the next several blog posts, we will explore key issues every company and CCO will face when considering whether to enter (or re-enter) Venezuela. In Parts 1 and 2, I will consider the top 10 anti-bribery/anti-corruption (ABC) risks a compliance professional will face. (Part 1, risks 1-5; Part 2, risks 6-10). We will then consider AML risk, export control and trade sanctions, security risks, and end with operational risks.

1. Systemic Corruption Is the Baseline Condition

Risk

Venezuela is not a market where corruption appears as an exception. It is the default condition against which all business activity must be measured. For compliance professionals, this means risk assessments cannot ask whether corruption exists. They must assume it does and ask where pressure will arise. Licensing, customs, inspections, labor issues, utilities, and currency all present opportunities for improper advantage. Boards must understand this upfront. Entering Venezuela without acknowledging systemic corruption is not optimism. It is a governance failure.

Compliance Framework Response

Before addressing individual risks, the compliance function must establish baseline principles governing how risk is assessed and managed in Venezuela.

  1. Assume corruption pressure exists. The risk assessment does not ask if corruption will arise, but where and how.
  2. Controls must be operational, not theoretical. Policies without authority, monitoring, and escalation are not controls.
  3. Risk ownership must be explicit. Every risk category has a business owner, a compliance owner, and a board oversight hook.
  4. Boards govern risk; they do not run operations. Oversight is mandatory. Tactical interference is prohibited.

2. PdVSA as a Prominent and Persistent Risk

Risk

Any discussion of bribery risk in Venezuela must begin with Petróleos de Venezuela S.A. (PdVSA), which has been at the center of some of the most significant corruption schemes in modern enforcement history, involving contracts, invoices, intermediaries, and payment routing. Indeed, 10 years ago, I wrote that it would cost a fortune to schedule and confirm a meeting. But companies make the mistake of treating PdVSA as a single risk node. In reality, it is a network risk. Joint ventures, service contracts, maintenance agreements, and procurement relationships all radiate outward, exposing the organization to corruption. If your counterparty touches PdVSA, you have inherited PdVSA risk.

Compliance Framework Response

The starting point is a Venezuela-specific bribery and corruption risk assessment, refreshed whenever business scope, counterparties, or operating conditions change.

This assessment must:

  • Map all government touchpoints.
  • Identify all third parties by function, not just by name;
  • Distinguish systemic risk from transactional risk; and
  • Flag PdVSA exposure explicitly.

Outputs are not static reports. They are control design inputs.

3. Joint Ventures and Service Contracts: Shared Risk, Shared Liability

Risk

Joint ventures are often framed as risk mitigation tools. In Venezuela, they frequently do the opposite. Local partners may be politically connected. Governance structures may be opaque. Control rights may be illusory. Compliance professionals must scrutinize who appoints management, who controls procurement, and who interacts with government officials. Under the ECCP, regulators ask whether compliance has authority commensurate with risk. In a Venezuelan JV, symbolic compliance oversight is not enough.

Compliance Framework Response

1. Assessment Controls

  • Government interaction mapping by function and frequency
  • Identification of pressure points where discretion exists
  • Historical analysis of delays, denials, or unexplained variability

2. Management Controls

  • Pre-approval requirements for all government-facing interactions
  • Clear prohibitions on facilitation payments
  • Mandatory escalation for any demand tied to speed, access, or discretion

Monitoring

  • Trend analysis of approvals and delays
  • Comparison of processing times across regions or projects

1. Board Oversight Questions

  • Where do we face the highest government discretion risk?
  • What interactions cannot proceed without a compliance sign-off?

4. Procurement as the First Corruption Flashpoint

Risk

Procurement is where corruption pressure materializes fastest. Vendors expect to be paid for access. Officials expect influence. Intermediaries promise to “make things happen.” This is even more true in Venezuela. This is where third parties begin to matter and where compliance must be in place before contracts are signed. Retrospective diligence does not cure a corrupted procurement process. Boards should demand visibility into how vendors are selected, not just who they are.

Compliance Framework Response

1. Assessment Controls

  • Explicit identification of direct and indirect PdVSA touchpoints
  • Mapping of PdVSA influence over pricing, approvals, and payments
  • Review of historical enforcement patterns tied to similar structures

2. Management Controls

  • Enhanced due diligence for any counterparty touching PdVSA
  • Compliance approval of all PdVSA-facing contract terms
  • Segregation of duties around invoicing and change orders

Monitoring

  • Continuous review of intermediaries interacting with PdVSA
  • Red flag monitoring for unusual invoice timing or routing
  1. Board Oversight Questions
  2. How are PdVSA’s risks different from those of other SOEs we engage with?
  3. What controls exist beyond standard third-party diligence?

5. The Illusion of “Routine” Government Interaction

Risk

Companies often underestimate corruption risk by labeling interactions as routine: inspections, permits, customs clearances, utilities, and labor approvals. And yes, the DOJ has said it will back off on enforcement of small payments, which may be traditionally made, but in Venezuela, routine functions are often monetized.  Compliance programs must draw hard lines early and firmly.

Compliance Framework Response

1. Assessment Controls

  • Governance and control-rights analysis
  • Identification of who appoints management and controls procurement
  • Mapping of partner government relationships

2. Management Controls

  • Contractual compliance rights with audit and termination authority
  • Compliance veto power over high-risk activities
  • Mandatory training for JV-appointed personnel

Monitoring

  • Periodic compliance audits of JV operations
  • Review of partner interactions with officials

1. Board Oversight Questions

  • Where do we lack real compliance leverage in our JVs?
  • Are control rights aligned with our risk exposure?

Join us tomorrow as we look at ABC risks 6-10, including third parties, extortion, organized crime, currency issues, and a weak rule of law.

Categories
2 Gurus Talk Compliance

2 Gurus Talk Compliance – The Corruption is Free Speech Edition

What happens when two top compliance commentators get together? They talk compliance, of course. Join Tom Fox and Kristy Grant-Hart in 2 Gurus Talk Compliance as they discuss the latest compliance issues in this week’s episode!

Stories This Week Include:

  • FirstEnergy defendants in Ohio say corruption is simply ‘free speech’. (Ohio Capitol Journal)
  • British national sentenced to 6 years in jail over Wirecard fraud. (FT)
  • Corruption led to the Hong Kong fire disaster. (Bloomberg)
  • Translations as a compliance issue. (BBN Times)
  • Will Trump suspend the FCPA in Venezuela? (FCPA Compliance and Ethics Report)
  • X Faces U.K. Probe Over Grok’s Sexualized Images (WSJ)
  • Six Compliance Events to Watch in 2026 (Radical Compliance)
  • Why Are Your Policies Yelling at Me? It’s Time to Rethink Tone in Rules (CCI)
  • 10 must-know workforce trends for 2026 (Dayforce)
  • Florida man arrested after trying to flee deputies on riding lawn mower (NBC News)

Connect with the Hosts:

Resources:

Prove Your Worth

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
All Things Investigations

All Things Investigations – Navigating Compliance Challenges in Venezuela’s Energy Sector

Welcome to the Hughes Hubbard Anti-Corruption & Internal Investigations Practice Group’s podcast, All Things Investigation. In this podcast, host Tom Fox welcomes back Mike DeBernardis to discuss the implications of entering Venezuela for energy companies and the historical precedents.

They explore the return of US energy companies to the Venezuelan market and historical precedents, such as the Iraq Oil-for-Food Program, post-2003 Iraq, and the 1990s Russian market opening, to identify the risks and the necessary compliance measures. Key insights include the importance of stringent third-party controls, understanding the nuances of dealing with state-owned entities such as PdVSA, and having a robust risk management strategy. The conversation underscores the critical need for compliance professionals to thoroughly understand business operations to build effective compliance programs in high-risk environments.

Key highlights:

  • Challenges and Opportunities in Venezuela
  • Historical Parallels: Iraq Oil for Food Program
  • Lessons from Post-2003 Iraq
  • Comparing Venezuela to 1990s Russia
  • Counseling Clients on High-Risk Opportunities

Resources:

Hughes Hubbard & Reed website

Mike DeBernardis

Categories
Daily Compliance News

Daily Compliance News: January 12, 2026, The Corruption is Free Speech Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • FirstEnergy defendants in Ohio say corruption is simply ‘free speech’. (Ohio Capitol Journal)
  • Corruption allegations rock Cyprus. (Politico)
  • Venezuelans say Trump ‘too corrupt’. (Fortune)
  • Florida MAGA ‘queasy’ over Trump corruption. (AlterNet)
Categories
FCPA Compliance Report

FCPA Compliance Report: Going into Venezuela, Navigating the Corruption Risks, a Conversation with Matt Ellis

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. We take a short break from our 2-part series with Mike Volkov to review the issues arising from the Trump Administration’s invasion of Venezuela. Matt Ellis joins Tom Fox to look at what all this means for companies looking to do business in Venezuela.

They discuss the complex landscape of doing business in Venezuela, focusing on the rampant corruption, security challenges, and the implications of U.S. sanctions. They explore the risks associated with engaging with the national oil company, PdVSA, and the broader implications for U.S. companies considering re-entry into the Venezuelan market. The conversation also touches on Cuba’s role, international organizations, and the potential for infrastructure rebuilding in Venezuela, emphasizing the need for long-term strategies and careful risk management.

Key highlights:

  • Navigating Corruption and Security Risks in Business
  • Banking and Money Laundering Concerns
  • Cuba’s Role and Sanctions Implications
  • International Organizations and Corruption Regulations
  • Infrastructure Rebuilding in Venezuela
  • Long-term Strategies for Companies

Resources:

Matt Ellis on LinkedIn

Miller & Chevalier LLC

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Daily Compliance News

Daily Compliance News: January 9, 2026, The Tell Me If You’ve Seen This Movie Before Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Trump says the US could stay in Venezuela ‘for years.’ (NYT)
  • Cambodian scam tycoon extradited to China. (WSJ)
  • A Kazakh oligarch paid Prince Andrew millions. (BBC)
  • How a botched Bulgarian corruption investigation brought chaos to EPPO. (Follow The Money)
Categories
Blog

Will Trump Suspend FCPA Enforcement in Venezuela?

Now that I have your attention with this clickbait title, I want to explore today what the Venezuelan imbroglio may mean for compliance professionals and energy companies who are looking at either entering the Venezuelan market or, in many cases, re-entering it after the not invasion (since it was not a military action authorized by Congress); not a police action (that the Korean War takes the moniker); but the capture of President Maduro and his wife to purloin Venezuela’s oil. As noted by New York Times (NYT) columnist Thomas Friedman today, “It is now clear that Trump’s priority in capturing President Nicolás Maduro of Venezuela was not to make that country safe for the restoration of democracy but to make it safe for the restoration of American oil companies’ dominance over Venezuelan oil extraction.”

But there are multiple obstacles to the US getting to and removing Venezuelan oil. As the Wall Street Journal (WSJ) noted, “But getting foreign companies to flock back to Venezuela will be a massive challenge. Chevron is the only major U.S. oil company and the country’s largest foreign investor. Other oil executives will be forced to gauge the stability on the ground in a country where the industry has fallen into disarray after more than two decades of mismanagement and corruption.” Economically, it may make little to no sense.

Corruption and PDVSA

But from the compliance perspective, there is the issue of corruption. As I wrote back in 2017, “Of all the stench from corruption, not much is more odious than that from the Venezuelan state oil company Petróleos de Venezuela SA (PDVSA). Whether it is shaking down contractors for Rolex watches to schedule a meeting, requiring a bribe to get payments on outstanding invoices, or simply good old-fashioned cash to get on a bid list, PDVSA is perceived to be one of the most institutionally corrupt energy companies around.”

How President Trump plans to get the Venezuelan oil out of the country is not known at this point. But unless he orders US energy companies to put boots on the ground to rebuild PdVSA’s decrepit infrastructure, those same companies will have to deal with the same corrupt PdVSA officials.

In the context of Venezuela’s reopening to Western energy investment, President Trump’s decision to pause enforcement of the Foreign Corrupt Practices Act (FCPA) reflected a broader strategic pivot toward what his administration calls economic competitiveness and national security. His Executive Order issued in early 2025 directed the Department of Justice (DOJ) to halt new FCPA investigations for at least 180 days while it reviewed enforcement priorities on the premise that strict anti-bribery enforcement, as it has traditionally been applied, “impedes U.S. foreign policy objectives” and disadvantages American companies relative to global competitors. The policy rationale was that, in markets perceived as corrupt or opaque, rigorous FCPA enforcement has historically dissuaded US firms from competing effectively, particularly against foreign rivals who do not face the same legal constraints. This argument, which resonated with a strand of populist economic nationalism, frames FCPA enforcement as a barrier to energy companies securing strategic resources, such as Venezuelan oil, rather than as a purely ethical safeguard.

From a compliance professional’s lens, this recalibration had two implications. On one hand, it might reduce the immediacy of DOJ scrutiny for conduct in jurisdictions like Venezuela, where corruption risk is endemic. On the other hand, the suspension does not abolish the law; FCPA remains on the books, and enforcement priorities can flip with the political winds or through congressional action. Moreover, the suspension could embolden local partners or intermediaries to push for irregular payments under the assumption that US enforcement is weak, creating significant red-flag risks for energy companies seeking to operationalize robust controls aligned with the DOJ’s Evaluation of Corporate Compliance Programs (ECCP) standards. Even under a relaxed enforcement regime, a strong compliance program grounded in the ECCP’s emphasis on risk-based design, continuous monitoring, and senior-management accountability remains a critical commercial and legal hedge.

Compliance Going Forward

One of the most important takeaways for compliance professionals confronting Venezuela is the necessary shift from reflexive risk avoidance to disciplined risk management. Mike DeBernardis told me that the modern compliance mandate “is no longer to say ‘no’ when risk is high; it is to say ‘yes, if’ the risk can be identified, structured, and controlled.” This is not a philosophical shift. It is explicitly embedded in the ECCP, which does not reward companies for avoiding difficult markets but instead evaluates how effectively they manage risk in precisely those environments.

In the Venezuelan energy context, this means compliance must be deeply embedded in the business strategy from the outset. Compliance professionals must fully understand the proposed energy project, including its commercial objectives, operational footprint, and timelines. They must map every anticipated interaction with the Venezuelan state, particularly with state-owned enterprises, regulators, customs authorities, and security services.

From there, compliance professionals must identify where corruption pressure is most likely to arise, not in theory but in practice, based on how the business will actually operate. Only then can bespoke controls be designed to address those specific risks. The ECCP repeatedly emphasizes that effective compliance programs are well-designed, adequately resourced, and genuinely empowered. This is where compliance earns its seat at the strategy table. If compliance is engaged only after contracts are signed and capital committed, its ability to influence outcomes is sharply diminished, and the program is far more likely to fail under real-world pressure.

If initial program design is the foundation, continuous monitoring is the load-bearing structure. Energy operations in Venezuela will not tolerate static compliance approaches built around annual certifications or periodic check-the-box reviews. The ECCP explicitly asks whether companies test the effectiveness of their controls and whether they respond promptly and meaningfully to issues as they arise. In a high-risk jurisdiction like Venezuela, corruption risk will evolve rapidly as political conditions, counterparties, and regulatory expectations shift. Compliance programs must therefore be dynamic.

This requires live monitoring of payments, invoices, and reimbursements, particularly those involving third parties and state-linked entities. It requires regular compliance check-ins with project teams operating on the ground and under real-time pressure. It also requires targeted audits that focus narrowly on high-risk transactions rather than broad, generic reviews that miss the point. When red flags appear, swift remediation is essential, including the authority to pause transactions or relationships when necessary. Friction with the business is inevitable in this environment. Under the ECCP, however, that friction is not evidence of failure. It is evidence of independence, effectiveness, and seriousness of purpose.

For energy companies, Venezuela may well be worth the risk. The size of the opportunity, particularly in hydrocarbons, may make disengagement an increasingly unrealistic option. For compliance professionals, however, the mandate is clear and unforgiving. Programs must be designed with the assumption that pressure will occur, that shortcuts will be suggested, and that local counterparts may view compliance as negotiable.

Effective programs anticipate misconduct rather than react to it, and they are built to withstand scrutiny not only from local stakeholders but also from US enforcement authorities looking back months or years later. This requires compliance professionals to think and act as strategic risk managers, not policy custodians. They must insist on visibility into business decisions, demand resources commensurate with risk, and maintain the authority to intervene when necessary.

In the Venezuelan context, success will not be defined by the absence of issues but by how quickly and credibly the organization detects and addresses them. That approach is not merely about satisfying regulatory expectations. It is about protecting the company’s people, assets, and reputation in one of the most challenging operating environments in the world. That is not just compliance. That is strategic risk management at its purest and most demanding.