Welcome to Day 5 of 30 Days to a Better Compliance Program. Today, I focus on training, ongoing communications and the use of social media in a best practices compliance program. 


The communication of your anti-corruption compliance program is something that must be done on a regular basis to ensure its effectiveness. The FCPA Guidance explains, “Compliance policies cannot work unless effectively communicated throughout a company. Accordingly, DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.”

One of the key goals of any FCPA compliance program is to train company employees in awareness and understanding of the FCPA; your specific company compliance program; and to create and foster a culture of compliance. Beginning in the fall of 2015 through the announcement of the FCPA enforcement Pilot Program, the Justice Department began to talk about whether you have determined the effectiveness of your training.

Communication and Use of Social Media

Next you need to consider the messaging of compliance inside of your corporation and how it is distributed. This means that you will need to work to hone your message but also continue to plug away to send that message out. I think the Morgan Stanley Declination will always be instructional, as one of the stated reasons the Department of Justice (DOJ) did not prosecute the company was that it sent out 35 compliance reminders to its workforce over 7 years. Social media can be used in the same cost-effective way, not only to get the message of compliance out but also to receive information and communications back from your customer base, the company employees.

In a compliance program, your consumers/customers are your employees. Social media presents some excellent mechanisms to communicate the message of compliance going forward. Many of the applications that we use in our personal communication are free or available at very low cost. So why not take advantage of them and use those same communication tools in your internal compliance marketing efforts going forward?

Three Key Takeaways

  1. You need to demonstrate the effectiveness of your compliance training.
  2. Ongoing communications from compliance is an often overlooked tool in compliance.
  3. Utilize innovative social media techniques to communicate and train.

For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here.

This week I have been exploring the General Cable Corporation (General Cable) Foreign Corrupt Practices Act (FCPA) enforcement action. It was settled with the Department of Justice (DOJ) via a Non-Prosecution Agreement (NPA) and the Securities and Exchange Commission (SEC) via a Cease and Desist Order (General Cable Order). There was also the resolution of a civil charge by the SEC against a former General Cable executive, Karl Zimmer, via a Cease and Desist Order (Zimmer Order). The fines and penalties paid by General Cable were not insignificant. The company paid a $20MM fine based upon its criminal conduct and paid another $51MM in profit disgorgement. Finally, based upon the conduct laid out by the SEC in the General Cable Order, the company was assessed another $6.5MM for violations of the FCPA’s accounting provisions. The $20MM figure reflects a 50% discount off the bottom of the US Sentencing Guidelines fine range, demonstrating that as bad as the underlying bribery and corruption may have been, the DOJ will give significant credit when the company meets the requirements under the FCPA Pilot Program.

In Part II, I considered how General Cable obtained such a positive result in the light of multiple bribery schemes in multiple jurisdictions and corporate awareness or conscious indifference to them. Today I want to look at some of the lessons to be learned by the compliance practitioner.

However, before I get to the lessons to be garnered, I want to briefly discuss the SEC enforcement action against Karl Zimmer (Zimmer). Per the Zimmer Order, he was a Senior Vice President of General Cable who approved improper commission payments to a third-party Agent on sales by General Cable’s Angolan subsidiary to Angolan state-owned enterprises. At the time, Zimmer knew that policies prohibited excessive commissions to third parties on sales to state-owned enterprises. For his violations, Zimmer agreed to a $20,000 fine. The Zimmer action should stand as a stark reminder that individuals who violate the FCPA stand to lose as much or even more than corporations as it is difficult to believe any reputable company would hire someone who blatantly violated the FCPA.

The first obvious lesson is that the FCPA Pilot Program provides significant benefits for companies which meet its strictures. Even with the odious conduct of General Cable, the company made a stunning comeback. As much as the other enforcement actions announced since the implementation of the Pilot Program, this enforcement action has changed the calculus around self-disclosure. If the call is anywhere close, a company should self-disclose. Yet that is only the first step, as the other prongs must also be met to obtain the discount offered.

Regarding the second prong of significant cooperation, a couple of things stand out. The first no doubt warms the heart of Mr. Translations (Jay Rosen) by specifically stating that General Cable produced voluminous documents, including translations. Next was the manner of production, performed in a way “that did not implicate foreign data privacy laws; collecting, analyzing, and organizing voluminous evidence and information for the DOJ”. Jonathan Armstrong once said on a podcast that it was his experience there were usually numerous ways to produce documents and other evidence in a manner that did not violate certain countries’ data privacy. General Cable would seem to have found a way to do so. This may require the compliance practitioner to use some creativity or bring in experienced data privacy counsel, but the clear import is the DOJ expects such efforts in document and other evidence production. Finally, there was the notation that General Cable disclosed “conduct to the DOJ that was outside the scope of its initial voluntary self-disclosure.” This sets an expectation for companies to continue their investigations and turn over new or additional findings.

Next, there were several remediation areas that stood out. The first was termination of recalcitrant employees and those third-party agents and distributors who participated in the misconduct. Next a Chief Compliance Officer (CCO) was hired who reported to both the Chief Executive Officer (CEO) and the Audit Committee of the Board.

Interesting was the requirement for operationalization of compliance into the business units of the company. The NPA stated that the company developed a “comprehensive compliance program that integrates business functions into compliance leadership roles, is designed to deliver clear and consistent communications and expectations Company-wide through policies and procedures, and includes frequent leadership communications to all employees.” This final clause speaks to the importance of not only tone at the top but continued communications from the senior management of the organization.

This operationalization also went down to the revamped third party program. The NPA specifically noted the company had built “a system for third-party due diligence that assigns ownership to business personnel to shepherd prospective third parties through a comprehensive risk assessment, review, and approval process.” This step clearly requires business unit involvement at the beginning and, indeed, all the way through the lifecycle of third party management.

Finally, there was remediation Step 10, which specified that the company would be “Delivering tailored face-to-face compliance training, including training on the FCPA, to the Board of Directors and senior executives, Internal Audit personnel, sales leaders, and all salaried employees.” [emphasis supplied]. The word tailored communicates the DOJ’s expectation for training far beyond the standard out of the box compliance training. It means you must put on training which is not only designed for the risk group it is being presented to, but you must also put some thought into the different risks for each discipline within an organization and their respective role in any compliance program.

As the final enforcement action of 2016, the General Cable matter may well be one of the most significant for the compliance practitioner as it clearly states the need to operationalize a compliance program. From the FCPA enforcement year for the record books, it could be the case which portends the most significant step in doing compliance forward. Finally, when Hui Chen speaks through the vehicle of an FCPA resolution, the compliance profession should listen.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017

Welcome to Day 4 of 30 Days to a Better Compliance Program. Today we tackle risk assessments. One cannot really say enough about risk assessments in the context of anti-corruption programs. The FCPA Guidance stated it succinctly when it said, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” The simple reason is straightforward; one cannot define, plan for, or design an effective compliance program to prevent bribery and corruption unless you can measure the risks you face.

What Should You Assess?

What risks should you assess? There are a number of ways you can slice and dice your basic inquiry. The FCPA Guidance states, “Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.” Another way is to break the risk areas to evaluate down into the following categories: (1) Company Risk, (2) Country Risk, (3) Industry-Sector Risk, (4) Transaction Risk and (5) Third-Party Risk.

How Should You Assess Your Risks?

Risk assessments can be performed in a variety of ways. You can use some basic tools such as personal or telephone interviews of key employees; surveys and questionnaires of employees; and review of historical compliance information such as due diligence files for third parties and mergers and acquisitions, as well as internal audits of key offices. Another level might be a deeper dive into high risk countries, high risk business areas and a more detailed review of your third party representatives.

How do You Evaluate a Risk Assessment?

Once risks are identified, they are then rated according to their significance and likelihood of occurring, and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the audit/monitoring plan. You should prepare a risk matrix detailing the specific risks identified, the relative remediation requirements, and the relevant mitigating controls.

Three Key Takeaways

  1. Assess the risks relevant to your company.
  2. Document your risk assessment protocol and results.
  3. The evaluation of your risks and remediation therefrom. 


Welcome to Day 3 of 30 Days to a Better Compliance Program. Today I want to consider the Chief Compliance Officer (CCO) in your organization, through three prisms: access, resources and opportunities. 


What access does your CCO have to the top decision makers in your organization? While it really does not matter whether the CCO reports to the CEO, Board or GC, it does matter that the CCO have direct access to corporate decision makers.


This means both head count of personnel to operate your compliance function and the money available to implement the appropriate technology to sustain an effective compliance program. If your compliance team is run on a shoestring, you will likely be downgraded for your overall commitment to doing business in compliance with the FCPA. Put another way, if you spend more on paper clips than on your compliance program, your compliance program may well be under-funded.

CCO Pay, Opportunity and Expertise 

In the Pilot Program, the DOJ laid out another important element for every compliance program, which is expertise of your CCO and compliance function. I think the clear implication is that the DOJ will even look at salaries. Once again if a company tries to get by on the cheap, it may certainly come back to bite them in the end. Finally the DOJ has made clear that compliance is part of the corporate family by even requiring that the CCO have opportunities for advancement with the corporation at the senior management level and that the compliance function shall be afforded similar opportunities.

Three Key Takeaways

  1. The CCO must have access to the highest levels of your organization.
  2. The CCO must have adequate money and personnel resources to perform the function.
  3. The CCO must be qualified, appropriately compensated and have opportunity for advancement within the organization.



Show Notes for Episode 4, Year End Review, Part I

We turn to the 2016 year in review, in this Part I of a two-part series.

  1. Jonathan Armstrong leads a discussion on a very interesting UK Bribery Act enforcement action out of Scotland involving the Braid Group Ltd. It has some very significant implications for Bribery Act enforcement actions going forward. He also discusses the continued evolution of the UK DPA process and how it all works into the burgeoning global anti-corruption enforcement we saw in 2016.

For Cordery’s piece on the Braid case, click here.

For Cordery’s piece on the continued evolution of the UK DPA practice, click here.

  2. Jay Rosen takes us through a Paul Krugman NYT post on some of the invidiousness of corruption, focusing on the corrupting nature of compliance around undue influence. Rosen explains incentives more than anything else and how such incentives skew the marketplace. He asks a couple of provocative questions. First, are there too many FCPA, ethics and compliance conferences? Second, even with the robust FCPA enforcement and maturation of compliance programs, why does corruption still exist? For a link to the Krugman post, click here.

Rants will return in a couple of weeks.

The members of the Everything Compliance panel include:

  • Jay Rosen (Mr. Translations) – Jay is Vice President of Legal & Corporate Language Solutions at United Language Group. Rosen can be reached at rosen@ulgroup.com.
  • Mike Volkov – One of the top FCPA commentators and practitioners around and is the Chief Executive Officer (CEO) and owner of The Volkov Law Group, LLC. Volkov can be reached at mvolkov@volkovlawgroup.com.
  • Matt Kelly – Founder and CEO of Radical Compliance, is the former Editor of the noted Compliance Week. Kelly can be reached at mkelly@radicalcompliance.com.
  • Jonathan Armstrong – Rounding out is our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com.