31 Days to a More Effective Compliance Program

Business & Economics Podcasts

Tom Fox is the Compliance Evangelist and is universally recognized as one of the top experts in corruption compliance, literally across the globe. In this daily podcast series, he explains how to design, create and implement a best practices compliance program. Each month, he tackles a different area of compliance. From Internal Controls, to the Role of the Board of Directors, to Communication, to the Role of HR in Compliance, Investigations, 3rd Parties and Business Ventures. Listen in each day and get one tip you can implement at little or no cost to enhance your compliance program.

Location:

United States

Language:

English


Episodes

31 Days to a More Effective Compliance Program: Day 31 - Using a Root Cause Analysis for Remediation

1/31/2024
The 2023 ECCP re-emphasized the need not only to perform a root cause analysis but, equally importantly, to use it to remediate your compliance program. It stated, “a hallmark of a compliance program that is working effectively in practice is the extent to which a company is able to conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes.” It went on to state what additional steps the company has taken “that demonstrate recognition of the seriousness of the misconduct, acceptance of responsibility for it, and the implementation of measures to reduce the risk of repetition of such misconduct, including measures to identify future risk.” When you step back and consider what the DOJ was trying to accomplish with its 2023 ECCP, it becomes clear what the DOJ expects from the compliance professional. Consider the structure of your compliance program and how it inter-relates to your company’s risk profile. When you have a compliance failure, use the root cause analysis to think about how each of the structural elements of your compliance program could impact how you manage and deal with that risk. Three key takeaways: 1. The key to using a root cause analysis is objectivity and independence. 2. The critical element is how did you use the information you developed in the root cause analysis? 3. The key is that after you have identified the causes of problems, consider the solutions that can be implemented by developing a logical approach, using data that already exists in the organization.

Duration:00:08:08

31 Days to a More Effective Compliance Program: Day 30 - The Foreign Extortion Prevention Act

1/30/2024
The compliance community has long recognized the gaping hole in the FCPA. As a supply-side law, it criminalizes the payment of bribes, not the demand to pay a bribe or extortion. The gap was recently filled by the Foreign Extortion Prevention Act (FEPA), which extended crucial protections to Americans working abroad and provided the DOJ with a potent new tool. By criminalizing both the giving and demanding of foreign bribes, FEPA seeks to level the playing field for American workers while fostering ethical business practices globally. FEPA represents a promising solution to protect Americans working overseas, promote fair business competition, and combat corruption on a global scale. With its potential to bring about meaningful change, FEPA is a vital step in safeguarding American values and interests in the international arena. Sam Rubenfeld cited Scott Greytak, the director of advocacy for Transparency International US, for the following: “FEPA is a landmark, bipartisan law that holds the potential to help root out foreign corruption at its source. It is arguably the most sweeping and consequential foreign bribery law in nearly half a century.” Three key takeaways: 1. FEPA changes the game for ABC. 2. Make sure your policies and procedures capture any extortion attempts made illegal under FEPA. 3. Determine your external reporting for FEPA violations.

Duration:00:08:08

31 Days to a More Effective Compliance Program: Day 29 - Strategic Considerations for Implementing AI in Compliance

1/29/2024
Implementing AI in compliance requires strategic considerations and decision-making. Understanding the impact of AI, maintaining an inventory of tools, considering cost efficiency and risk avoidance, involving all business sectors, and utilizing AI for better data usage are key factors to consider. Balancing exploration and rules, as well as selecting the right AI tools, are challenges that need to be addressed. By carefully navigating these considerations and challenges, companies can leverage AI to enhance their compliance programs and stay ahead in an ever-evolving regulatory landscape. Three key takeaways: 1. What are the key factors that impact these strategic considerations for implementing AI in compliance? 2. Compliance professionals need to stay updated with the latest AI developments and trends, which requires continuous learning and keeping abreast of industry news and insights. 3. Understanding the impact of AI, maintaining an inventory of tools, considering cost efficiency and risk avoidance, involving all business sectors, and utilizing AI for better data usage are key factors to consider.

Duration:00:08:08

31 Days to a More Effective Compliance Program - Day 28 - Data-Driven Compliance – From Cutting Edge to Table Stakes

1/28/2024
Compliance programs play a crucial role in ensuring that companies adhere to legal and ethical standards. In today’s digital age, where data is abundant and easily accessible, the importance of data-driven compliance programs cannot be overstated. This message was driven home very forcefully in a speech in November by Nicole Argentieri, acting assistant attorney general for the Criminal Division. She stated, “I’d like to now turn to our use of data. In the Criminal Division, we too are going above and beyond in our effort to combat white collar crime. We are not just waiting for companies to self-report, or witnesses to come forward, or for anomalies to reveal themselves on a one-off basis. Let me be the first to tell you that we have proactively used data to generate FCPA cases, and we’ve only just gotten started.” Data-driven compliance programs have moved from cutting edge and are now seen as best practices. Soon, they will simply be table stakes for companies to effectively manage compliance risks. By actively monitoring and analyzing data, companies can identify potential compliance issues, mitigate risks, and maintain their reputation and integrity. Collaboration between different departments and a formal risk assessment are key factors in establishing a robust compliance program. As technology continues to advance, the role of data analytics and AI in compliance monitoring is expected to become even more significant. It is crucial for compliance professionals to stay informed, continuously learn, and adapt to the evolving landscape of data-driven compliance. Three key takeaways: 1. Nicole Argentieri, acting assistant attorney general for the Criminal Division, said, “Let me be the first to tell you that we have proactively used data to generate FCPA cases, and we’ve only just gotten started.” 2. Compliance professionals must actively analyze the data for trends, anomalies, and potential compliance risks. 3. Data-driven compliance programs have moved from cutting edge and are now seen as best practices. Soon, they will simply be table stakes for companies to effectively manage compliance risks.

Duration:00:08:08

31 Days to a More Effective Compliance Program - Day 27 - Compliance Function in an Organization

1/27/2024
The role of the compliance professional and the compliance function in a corporation has steadily grown in stature and prestige over the years. When it came to the corporate compliance function, the 2020 FCPA Resource Guide, 2nd edition, under the Hallmarks of an Effective Compliance Program, simply noted the government would “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.” This Hallmark was significantly expanded in both the original FCPA Corporate Enforcement Policy and 2023 ECCP. In the FCPA Corporate Enforcement Policy, the DOJ listed the following as factors relating to a corporate compliance function that it would consider as indicia of an effective compliance and ethics program: 1) the resources the company has dedicated to compliance; 2) the quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk; 3) the authority and independence of the compliance function and the availability of compliance expertise to the board; 4) the compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors; and 5) the reporting structure of any compliance personnel employed or contracted by the company. The 2023 ECCP and 2023 Update to the FCPA Corporate Enforcement Policy both demonstrate the continued evolution in the thinking of the DOJ around the corporate compliance function. Their articulated inquiries can only strengthen a corporate compliance function specifically, and the compliance profession more generally. The more the DOJ talks about the independence of the compliance function, coupled with resources being made available and authority concomitant with the corporate compliance function, the more corporations will see it is directly in their interest to provide the resources, authority and gravitas to the compliance position in their organizations. Three key takeaways: 1. How is compliance treated in the budget process? 2. Has your compliance function had any decisions over-ridden by senior management? 3. Beware outsourcing of compliance as any such contractor must have access to company documents and personnel.

Duration:00:08:08

31 Days to a More Effective Compliance Program - Day 26 - CCO Authority and Independence

1/26/2024
The role of the CCO has steadily grown in stature and prestige over the years. The 2020 FCPA Resource Guide, 2nd edition, under the Hallmarks of an Effective Compliance Program, focused on whether the CCO held senior management status and had a direct reporting line to the Board. In the 2023 Update to the FCPA Corporate Enforcement Policy, the DOJ lists these factors as follows: 1) The quality and experience of the CCO, such that they can understand and identify the transactions and activities that pose a potential risk; 2) The authority and independence of the CCO; 3) The compensation and promotion of the CCO, in view of their role, responsibilities, performance, and other appropriate factors; and 4) The reporting structure of any CCO employed or contracted by the company. All of these factors are enhanced by the CCO Certification requirement, as announced by Kenneth Polite back in 2022. A CCO must certify the effectiveness of a compliance program after a DPA or NPA has been concluded. This requirement will only become more important moving into 2023 and beyond. In addition to CCO Certification, the Delaware Court of Chancery’s decision in the case of McDonald’s Corporation and its former Executive Vice President and Global Chief People Officer of McDonald’s Corporation, David Fairhurst, formally recognized the oversight duties of officers of Delaware corporations for the first time. Three key takeaways: 1. How can you show the CCO really has a seat at the senior executive table? 2. What are the professional qualifications of your CCO? 3. Delaware says the CCO is Number 2 in an organization, behind the CEO.

Duration:00:08:08

31 Days to a More Effective Compliance Program: Day 25 – Responding to Investigative Findings

1/25/2024
There is nothing like an internal whistleblower report about a compliance violation, the finding of such an issue, or (even worse) a subpoena from the DOJ or notice letter from the SEC to trigger the attention of the Board of Directors and senior management to the compliance function and the company’s compliance program. Such an event can trigger much gnashing of teeth and expressions of outrage, followed immediately by the proclamation, “We are an ethical company.” However, it may well be the time for a very serious reality check. You may find yourself in a position where you will have to have some very frank discussions about what to expect in terms of costs and time outlays. While much of these discussions will focus on the investigative process and those costs, these discussions will allow you to initiate the talk about remediation going forward and begin to explain why money must be budgeted for the remediation process. Finally, there should be a solid line of communication between the people who are doing the investigation and the people who are leading the remediation. Otherwise, you can only begin your remediation in the most general terms and you will not be able to deal with specific gaps in your compliance program or risks that need to be managed. Such an approach can also be a recipe for disaster. First and foremost, the DOJ will not give you credit and you may lose the types of benefits articulated in the FCPA Corporate Enforcement Policy. Moreover, the executive attention will have dissipated and you will have lost your momentum to clean things up through a thorough remediation. Three key takeaways: 1. A serious FCPA allegation gets the attention of the Board and senior management. Use this time to move the compliance program forward. 2. Be aware of how your investigation can impact and even inform your remediation efforts. 3. Be prepared to deal with the dreaded “where else” question. 

Duration:00:08:08

31 Days to a More Effective Compliance Program: Day 24 - Internal Reporting and Triaging of Claims

1/24/2024
The call, email, or tip comes into your office; an employee reports suspicious activity somewhere across the globe. That activity might well turn into an FCPA issue for your company. As the CCO, it will be up to you to begin the process, which will determine, in many instances, how the company will respond going forward. This system has become even more important after the 2022 announcement of the Monaco Memo. Further, as the 2022 ABB FCPA resolution made clear, self-disclosing to the DOJ is the vital first step for all discounts under the Corporate Enforcement Policy to begin. This scenario was driven home by the WPP Foreign Corrupt Practices enforcement action in 2021. Here, a whistleblower reported internally on allegations of bribery and corruption in the company’s India subsidiary. WPP turned over the investigation to an inexperienced accounting firm in India and then allowed the investigation to be controlled by the business unit management that was engaging in the bribery and corruption. The result, unsurprisingly, was no adverse findings. However, the whistleblower did not stop there and reported six more times (seven total) with an increasing amount of documentary support. Finally, the company took the allegations seriously and commissioned an internal investigation. Three key takeaways: 1. The DOJ and SEC put special emphasis on internal reporting lines. 2. Test your hotline on a regular basis to make sure it is working. 3. Every claim should be triaged before starting an investigation.

Duration:00:08:08

31 Days to a More Effective Compliance Program: Day 23 – The Investigation Protocol

1/23/2024
Your company should have a detailed written procedure for handling any complaint or allegation of bribery or corruption, regardless of the means through which it is communicated. The mechanism could include the internal company hotline, anonymous tips, or a report directly from the business unit involved. You can make the decision on whether or not to investigate in consultation with other groups, such as the Audit Committee of the Board of Directors or the Legal Department. The head of the business unit in which the claim arose may also be notified that an allegation has been made and that the Compliance Department will be handling the matter on a go-forward basis. Through the use of such a detailed written procedure, you can work to ensure there is complete transparency on the rights and obligations of all parties once an allegation is made. This allows the compliance team to have not only the flexibility but also the responsibility to deal with such matters, from which it can best assess and then decide on how to manage the matter. Indeed, there are a variety of factors around giving credit to corporate investigations, including: Did management, the board, or committees consisting solely of outside directors oversee the review? Did company employees or outside parties perform the review? If outside persons, have they done other work for the company? If the review was conducted by outside counsel, had management previously engaged such counsel? How long ago was the firm’s last representation of the company? How often has the law firm represented the company? How much in legal fees has the company paid the firm? Three key takeaways: 1. A written protocol, created before an investigation, is a key starting point. 2. Create specific steps to follow so there will be full transparency and documentation going forward. 3. Consistency in approach is critical.

Duration:00:08:11

31 Days to a More Effective Compliance Program - Day 22 - Levels of Due Diligence

1/22/2024
Due diligence is generally recognized in three levels: Level I, Level II and Level III. Each level is appropriate for a different level of corruption risk. The key is to develop a mechanism to determine the appropriate level of due diligence and then implement that going forward. The 2023 ECCP stated, “A well-designed compliance program should apply risk-based due diligence to its third-party relationships. Although the need for, and degree of, appropriate due diligence may vary based on the size and nature of the company, transaction, and third party, prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions.” The question becomes how you use the information you obtained in the business justification and the questionnaire to determine an appropriate level of due diligence for the next step in the five-step process of third-party management. A three-step approach of varying levels of due diligence is the appropriate analysis to take going forward. There are many different approaches to the specifics of due diligence. By laying out some of the approaches, you can craft the relevant portions into your program. The Level I, II and III trichotomy appears to have the greatest favor and one that you should be able to implement in a straightforward manner. But the key is that you must assess your company’s risk and then manage that risk. If you need to perform additional due diligence to answer questions or clear red flags you should do so. And do not forget to “Document, Document, and Document” all your due diligence. Three key takeaways: 1. A Level I due diligence should only be used when there is a low risk of corruption. 2. A Level II due diligence is sufficient in a high-risk jurisdiction if there are no red flags to be cleared. 3. Level III due diligence is a deep-dive, boots-on-the-ground investigation.

Duration:00:08:23

31 Days to a More Effective Compliance Program: Day 21 - Managing Your Third Parties

1/21/2024
The building blocks of any compliance program lay the foundations for a best practices compliance program. For instance, in the life cycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, the issue of third-party management becomes more important. It is also the one where the rubber meets the road of operationalizing compliance. It is also an area the DOJ specifically articulated in the 2023 ECCP that companies need to consider. Managing your third parties is where the rubber meets the road in your overall third-party risk management program. You must execute on this task. Even if you successfully navigate the first four steps in your third-party risk management program, those are the easy steps. Managing the relationship is where the real work begins. Three key takeaways: 1. Have a strategic approach to third-party risk management. 2. Rank third parties based upon a variety of factors including compliance and business performance, length of relationship, benchmarking metrics and KPIs for ongoing monitoring and auditing. 3. Managing the relationship is where the real work begins.

Duration:00:08:23

31 Days to a More Effective Compliance Program: Day 20 – The Third Party Risk Management Process

1/20/2024
The DOJ expects an integrated approach that is operationalized throughout the company. This means you must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party risk management that will fulfill the DOJ requirements as laid out in the 2023 FCPA Resource Guide, 2nd edition, and in the Hallmarks of an Effective Compliance Program. The five steps in the lifecycle of third-party management are: 1. Business Justification by the Business Sponsor. 2. Questionnaire to Third-party. 3. Due Diligence on the Third Party. 4. Compliance Terms and Conditions, including payment terms. 5. Management and Oversight of Third Parties After Contract Signing. Three key takeaways: 1. Use the full 5-step process for third-party management. 2. Make sure you have business development involvement and buy-in. 3. Operationalize all steps going forward by including business unit representatives.

Duration:00:07:48

31 Days to a More Effective Compliance Program: Day 19 - Evaluating a Risk Assessment

1/19/2024
One way to evaluate risks as determined by the company’s risk assessment is through a risk matrix. Once risks are identified, they are then rated according to their significance and likelihood of occurring and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of your remedial efforts or for continuous auditing. A variety of solutions and tools can be used to manage these risks going forward, but the key step is to evaluate and rate these risks. All your actions should flow from the risk ranking. The most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These become the focus of your most significant risk management efforts, coupled with audits and monitoring going forward. A variety of tools can be used to continuously monitor risk going forward. Consider providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. It is important to create a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it. Finally, let this risk assessment and evaluation inform your compliance program, rather than letting the compliance program inform the risk assessment. Three key takeaways: 1. Even after you complete your risk assessment, you must evaluate those risks for your company. 2. The DOJ and SEC are looking for a well-reasoned approach to how you evaluate your risk. 3. Create a risk matrix and rank your risks; then remediate and monitor as appropriate.

Duration:00:07:53

31 Days to a More Effective Compliance Program - Day 18 - Risk Assessments

1/18/2024
One cannot really say enough about risk assessments in the context of anti-corruption programs. This is because every corporate compliance program should be based on a risk assessment, on an understanding of your organization’s business from a commercial perspective, on how your organization has identified, assessed, and defined its risk profile, and, finally, on the degree to which the program devotes appropriate scrutiny and resources to this range of risks. The 2023 ECCP added a new emphasis on the cadence of Risk Assessments, mandating that risk assessments should be done not less than annually, but in reality, they should be done each time your risk changes. Over the past couple of years, every company’s risks have changed from going to Work From Home to Return to the Office to the Hybrid Work environments of 2024. What about geopolitical issues, the supply chain, or even potential compliance risks in the 2024 election cycle? Have you assessed each of these new paradigms for risks from a compliance perspective? There are a number of ways you can slice and dice your basic inquiry. As with almost all FCPA compliance, it is important that your protocol be well thought out. If you use one, some, or all of the above as your basic inquiries for your risk analysis, it should be acceptable as your starting point. Three key takeaways: 1. Since at least 1999, the DOJ has pointed to the risk assessment as the start of an effective compliance program. 2. The DOJ will now consider both your risk assessment methodology for identifying risks and the gathered evidence. 3. You should base your compliance program on your risk assessment.

Duration:00:08:57

31 Days to a More Effective Compliance Program - Day 17 - Podcasts for Compliance Training and Corporate Culture

1/17/2024
One of the biggest benefits of podcasting is that it allows a compliance function to connect with their audience on a more personal level. Unlike traditional forms of advertising, which often come across as impersonal and sales-driven, podcasts enable businesses to build a loyal following by offering valuable and engaging content. This can include interviews with industry experts, behind-the-scenes glimpses of the business, and informative discussions on relevant topics. Now take these same concepts of audience engagement and apply them internally to an organization. What do you potentially have? A mechanism to engage your employees, to engender trust, and to improve your overall corporate culture. Do you think this is a crazy way to improve culture? Think again about all the advantages podcasting has in place already. A major US consumer product company started a podcast and had corporate executives on it. Who were the biggest fans of the podcast? It turned out it was the company employees, many of whom had never met their corporate executives. This allowed the executives to be humanized in a way no number of town hall meetings or other similar corporate events could ever achieve. Since you are only limited by your imagination in compliance, why not use some of that imagination to be creative in your compliance training and communications? Three key takeaways: 1. Using podcast storytelling to tell longer, more involved stories about compliance. 2. You can use compliance department-branded podcasts to have ongoing communications about compliance. 3. A Daily Compliance News show will drive engagement.

Duration:00:09:40

31 Days to a More Effective Compliance Program: Day 16 - Tailored and Effective Compliance Training

1/16/2024
One of the key goals of any compliance program is to train employees in awareness and understanding of the FCPA, your specific company compliance program, and to create and foster a culture of compliance. While it seems axiomatic that compliance training is the mainstay of any best practices compliance program, the conversation around training has evolved over the years. The importance of determining the effectiveness of your compliance program has been enshrined by the DOJ. The 2023 Update confirmed that the DOJ wants to see evidence of the effectiveness of your compliance program. This is something that many CCOs and compliance professionals still struggle to determine. Both the simple guidelines suggested herein and the more robust assessment and results provide you with a start to fulfilling the precepts set out by the DOJ, as you will eventually need to demonstrate the effectiveness of your compliance training going forward. Three key takeaways: 1. How and why have you tailored your compliance training and how do you determine its effectiveness? 2. Try an “espresso” shot of training. 3. Present your training in both local languages and a variety of media.

Duration:00:09:16

31 Days to a More Effective Compliance Program: Day 15 - Monitoring and Improvement of Internal Controls

1/15/2024
What happens when controls are continually overridden? Does that necessarily mean that companies are engaging in activities that violate the FCPA or some other law, such as Sarbanes-Oxley (SOX)? Cristina Revelo said she would start out with some basic questions, such as “How often would something be manually approved? How often are controls skipped? What are the levels of approvals that you have and what is your documentation? What are the reasons? And are you documenting how often a certain department is requiring those overrides?” While it could indicate that a company lacks a culture of compliance or that everything is an emergency, it might mean something else. It might mean that your internal controls need to be evaluated and then recalibrated. The Department of Justice calls this continuous monitoring leading to continuous improvement. Joe Oringel, co-founder of Visual Risk IQ, calls it continuous control monitoring. However, many compliance professionals, and particularly lawyers, think once a control is in place, it’s set in stone, and it’s there forever. This derives from the unfortunate fact that, once again, many compliance professionals and most lawyers do not understand internal controls. Yet, internal controls, much like the rest of a compliance program, can and should be continually monitored and improved based on information about such things as the number of overrides. Such a review can be evidence of a management problem or a culture of non-compliance at the organization. However, it could be that perhaps the controls need to be adjusted. Revelo emphasized that it is not simply identifying the issues but remedying them as well, “because that actually might look worse if you identify a lot of issues, but do not fix them. You are better off by remediating everything you are identifying.” From there, you can conduct a root cause analysis as to why there was failure in a control or violation of a compliance procedure. 
Revelo concluded, “You need to really do that in an in-depth manner and then remediate.” Three key takeaways: 1. An internal control override is not necessarily a bad thing if proper procedure is followed. 2. Internal controls are not set in stone. 3. The key is to have a process for monitoring the controls and taking input, literally from each line of defense.

Duration:00:08:09

31 Days to a More Effective Compliance Program: Day 14 - Internal Controls

1/14/2024
What are internal controls? The best definition I have come across is from Jonathan Marks, partner at BDO, who defined internal controls as: An internal control is an action or process of interlocking activities designed to support the policies and procedures detailing the specific preventative, detective, corrective, directive, and corroborative actions required to achieve the desired process outcomes or objectives. This, along with continuous auditing, continuous monitoring, and training, reasonably assures: • The achievement of the process objectives linked to the organization’s objectives; • Operational effectiveness and efficiency; • Reliable (complete and accurate) books and records (financial reporting); • Compliance with laws, regulations and policies; and • The reduction of risk fraud, waste, and abuse, which aids in the decline of process and policy variation, leading to more predictive outcomes. The bottom line is that internal controls are just good financial controls. The internal controls that detail requirements for third-party representatives in the compliance context will help to detect fraud, which could well lead to bribery and corruption. As an exercise, map your existing internal controls to the Hallmarks of an Effective Compliance Program or some other well-known anti-corruption regime to see where gaps may exist. This will help you determine whether adequate internal compliance controls are present in your company. From there, you can move on to see if they are working in practice. Three key takeaways: 1. Effective internal controls are required under the FCPA. 2. Internal controls are a critical part of any best practices compliance program. 3. There are four significant controls for the compliance practitioner to implement initially: (a) Delegation of authority (DOA); (b) Maintenance of the vendor master file; (c) Contracts with third parties; and (d) Movement of cash or currency.

Duration:00:08:27

31 Days to a More Effective Compliance Program: Day 13 - Policies and Procedures

1/13/2024
There are numerous reasons to put some serious work into your compliance policies and procedures. They are certainly a first line of defense when the government comes knocking. The 2023 ECCP made clear that “Any well-designed compliance program entails policies and procedures that give both content and effect to ethical norms and that address and aim to reduce risks identified by the company as part of its risk assessment process.” This statement made clear that the regulators will take a strong view against a company that does not have well-thought-out and articulated policies and procedures against bribery and corruption, all of which are systematically reviewed and updated. Moreover, having policies written out and signed by employees provides what some consider the most vital layer of communication and acts as an internal control. Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the “Document, Document, and Document” mantra applies just as strongly to policies and procedures in anti-corruption compliance. Three key takeaways: 1. Written compliance policies and procedures, together with the Code of Conduct, form the backbone of your compliance program. 2. The DOJ and SEC expect a well-thought-out and articulated set of compliance policies and procedures and that they be adequately communicated throughout your organization. 3. Institutional fairness for the application of policies and procedures demands consistent application of your policies and procedures across the globe.

Duration:00:08:23

31 Days to a More Effective Compliance Program: Day 12 - Your Code of Conduct

1/12/2024
What is the value of having a Code of Conduct? In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven, something to wave in a regulator’s face during an enforcement action as proof of overall ethical behavior. Is such a legalistic code effective? Is a Code of Conduct more than simply your company’s internal law? What should be the goal of the creation of your company’s Code of Conduct? How important is the Code of Conduct? Consider the 2016 SEC enforcement action involving United Airlines, Inc., which turned on a violation of the company’s Code of Conduct. The breach of the Code of Conduct was determined to be an FCPA internal control violation. It involved a clear quid pro quo benefit paid out by United to David Samson, the former Chairman of the Board of Directors of the Port Authority of New York and New Jersey, the public government entity that has authority over, among other things, United’s operations at the company’s huge east coast hub in Newark, NJ. Three key takeaways: 1. A Code of Conduct is a foundational document in any compliance regime. 2. The substance of your Code of Conduct should be tailored to the company’s culture, to its industry, and to its corporate identity. 3. “Document, Document, and Document” your training and communication efforts regarding your Code of Conduct.

Duration:00:08:23