Our New Video Blog: Beginning a Code of Conduct Revision

Recently, we started video blogging. In our first video series, "Discover How To Begin a Code of Conduct Revision," Eric, our principal consultant and host of Compliance Beat, takes you through the five questions that you should answer before you begin a code of conduct revision. In Part 1, Eric talk ou through the first question that you need to ask: What's out there? Watch Part 1 and subscribe to our new YouTube Channel.

New Compliance Beat: Hot Topics in Compliance & Ethics in Europe

Just a few years ago, Europe was considered behind the United States in compliance and ethics. That is not the case today. Eric looks at three hot topics in compliance and ethics in Europe as he prepares to leave for the Society of Corporate Compliance and Ethics European Compliance & Ethics Institute in Prague this week.

In some areas, European compliance and ethics standards are exceeding the United States’ standards. In recent years, regulators in Spain, France, and other countries have consistently recognized the importance of compliance and ethics programs. In the context of anti-corruption, the United Kingdom’s Anti-Bribery Act, the Brazilian Clean Companies Act, and other efforts to curb corruption, Europe has leapfrogged the Foreign Corrupt Practices Act, which used to be the primary legal mechanism internationally for fighting corruption. For instance, the UK Anti-Bribery Act is clearly a newer law than the FCPA and expands coverage. This leads to the questions: Will Europe become the new leader in defining what makes an effective compliance and ethics program?

There are a number of similarities between what is happening in Europe and the United States. Compliance professionals all over the world are focusing on corporate culture, measuring employees through surveys, and addressing issues like retaliation and observed misconduct. The notion that Europe is behind in compliance and ethics is not accurate anymore. We are now on the same page.

As much as we see similarities, there continue to be significant differences, particularly in data security. European Union's General Data Protection Regulation (GDPR) will go into effect in spring of 2018. This year is the last year to come into compliance with the GDRP. Organizations need to look carefully and determine whether they have any exposure under the GDRP because there are no safe harbor provisions.

In our newest episode of Compliance Beat, Eric discusses these three topics. Click here to listen now.

New Report on the Five Levels of an Ethical Culture

Last week, BSR, a global nonprofit organization that works with its network of more than 250 member companies and other partners to build a just and sustainable world, released a new report on The Five Levels of an Ethical Culture: How to Build and Sustain Organizations with Integrity. Happy, motivated, and ethical employees are the foundation of a positive organizational culture. However, creating a strong culture means knowing how to influence effectively complex systems of human interaction. The intersection between our social, legal, and economic systems and behavioral sciences is what makes the study of corporate culture and compliance fascinating.

This working paper breaks down the five levels of an ethical culture at which an organization should build an ethical culture: individual, intrapersonal, group, intergroup, and inter-organizational. It makes the important point that in order to build a strong culture, an organization must focus on building culture. This means making sure that the core organizational values are reflected in interactions and decision-making at every level of the organizations.

It's worth your time to sit down and read this report.

Risk Assessment & the Evaluation of Corporate Compliance Programs

In the last several episodes of Compliance Beat, Eric has been taking a closer look at some of the different topics that the Evaluation of Corporate Compliance Programs raises. When we are talking about risk assessment and the Evaluation, there are three areas to really focus on. First, the Evaluation considers how organizations create and use their methodology for risk assessment. Second, this new guidance focuses on how the data you gather informs the choices you make in your compliance and ethics program. Third, the Evaluation introduces the notion of manifested risk.

Tune in now to learn more about Eric's thoughts on these three risk assessment topics.

Announcing the Second Live Webinar in Our Series "Are You Covering Your Risks?"

We're excited to announce our second live webinar "Are You Covering Your Risks? Training Your Board of Directors" on April 19 at 12:00pm CST.

What will you get out of this webinar?

  • Learn about the role the Board of Directors should have in the oversight of your compliance and ethics program, including the Board's two most fundamental duties.

  • Discover how to educate your Board on the positive impact of an ethical culture on your organization's bottom line.

  • Find out how your Board of Directors can help deliver the message about compliance and ethics and encourage employees to participate and speak up about misconduct.

Register by clicking on the orange tab below.

Your Board of Directors' Relationship to Your Compliance Officer & The Evaluation of Corporate Compliance Programs

What does the Department of Justice Fraud Section’s new Evaluation of Corporate Compliance Programs say about your compliance officer’s relationship with your Board of Directors? There are three salient points that you can take away from the Evaluation of Corporate Compliance Programs with regard to the Board of Directors. Some of these points aren’t necessarily new concepts, but they certainly give us more guidance in terms of what the Department of Justice is looking for when considering this relationship. In this episode, Eric takes a deep dive into the Evaluation of Corporate Compliance and how it relates to your Board of Directors.

Listen now to our new episode of Compliance Beat.

The Evaluation of Corporate Compliance Programs

The Department of Justice Fraud Section recently released new guidance called the Evaluation of Corporate Compliance Programs. While the Department of Justice has insisted that the Evaluation is not a checklist for effective compliance and ethics programs, it seems to be styled as a checklist. The Evaluation of Corporate Compliance Programs covers eleven "Sample Topics and Questions." These comprise the parameters that the Department of Justice says that they will review when looking at the effectiveness of a compliance and ethics program.

In a three-part series on our podcast Compliance Beat titled "The Checklist That's Not A Checklist," Eric examines each Sample Topic in detail. He talks about what the Department of Justice may be looking for when considering the effectiveness of a compliance and ethics program. Eric's in-depth analysis of this new guidance will help you understand what the Department of Justice requires for an effective compliance and ethics program.

Tune in here to listen to Part 1 of this series.

New Compliance Beat: 2017 Trends in Compliance & Ethics

What are going to be the overarching trends in compliance and ethics in 2017? In this episode, Eric talks about compliance and ethics program trends that will affect every company, no matter your size and no matter whether you are in a highly regulated space.

First, in the past year there has been lots of discussion deregulation. Will potential deregulation lessen the importance of compliance? How can you make the case for continued focus on compliance? How can you keep up the conversation within you organization? As part of his discussion, Eric references the data in the SCCE and NYSE Compliance and Ethics Program Environment Report.

Second, no matter what happens with regard to deregulation, all organizations face reputation risks. As we’ve all seen, social media amplifies these risks and information can go viral quickly. Eric makes the case that organizations need to consider potential reputation risks and ways to mitigate these risks.

Last, Eric predicts that defining what a risk-based approach to compliance will be a big trend in 2017. The idea of risk-based approach to compliance comes out of FCPA guidance. What does it mean to take this approach? Your organization should think about the empirical reasons for your approach to compliance and ethics. How can you use that data that you collect internally to determine where your risk areas are? How can you make the business case for investing in compliance?

If you have a question you want answered on the podcast be sure to submit it here.


Do we need to train our Board of Directors on compliance and ethics?

New Compliance Beat! Do we need to train our Board of Directors on compliance and ethics? & Three Questions with JoAnn Mahoney

The short answer is yes, you must train your governing authority, which may be your Board of Directors, on your compliance and ethics program. The U.S. Sentencing Guidelines require that you do so because the Board is required to oversee your program. How does this look in practical terms? Eric discusses what he calls the three pillars of Board of Directors' training:

  1. Compliance Risk Topic Specific Training. These topics may include conflicts of interest, anti-corruption, data protection, data privacy, insider training and other specific risk topic training.
  2. Periodic Review/Discussion of Board of Directors’ Responsibilities. This should address what the Sentencing Guidelines expect of the Board of Directors or other governing authority, including their responsibility for the oversight of the compliance and ethics program.
  3. Annual Code of Conduct Training/All Hands Training. This is the broader training that goes out to the vast group of employees and other stakeholders that receive training in your organization. Code of Conduct training kills two birds with one stone because it addresses the Board’s oversight role of the compliance and ethics program and it provides actual training to the Board. At a minimum, the Board or governing authority should receive the information that is provided in training and details of how the training is in administered. As well as exploring these topics, Eric also answers:

  4. How often should the Board receive training?

  5. How should Board training be accomplished?

The Upshot

When training your Board of Directors, you should address the three pillars in board training: risk specific topic, regular review of the Board’s responsibility to oversee the compliance and ethics program, and a comprehensive review of employees' and other stakeholders’ code of conduct training.

Three Questions with JoAnn Mahoney, Senior Director of Regulation & Compliance, Equifax, Inc.

At Equifax, JoAnn wears many hats, like many compliance professionals. She is the compliance subject matter expert for the business units at Equifax of mortgage, healthcare, insurance, data and analytics, mobile commerce, and new product innovation. JoAnn has worked in the financial services industry since working at a credit union during college. Before joining Equifax, JoAnn held role in compliance within the financial services industry, including at Bank of America and Cornerstone Bank. In this segment, JoAnn talks about her career journey. She also discusses the importance of compliance professionals to see themselves as a member of an organization's team so that you gain credibility within your company. She also talks about future trends in the financial industry.

If you have a question you want answered on the podcast be sure to submit it on here or reach out below.


LinkedIn -Eric Morehead


New Compliance Beat!

We've been busy putting together a new compliance and ethics podcast for the past couple of months called Compliance Beat and we would love for you to check it out and subscribe at www.compliancebeat.com

We have six episodes available so far with topics from hotline to how not to be the compliance officer who is only know as the one who says "no". We have also had an amazing group of guests in the first few episodes, including Roy Snell and Adam Turteltaub from the SCCE and HCCA, Bill Brown and Kathleen Edmond who have been CCO's in the trenches, and this week we're happy to have Richard Bistrong on the podcast.

If you haven't heard Richard speak before, his story of a compliance failure from the perspective of a front-line actor is worth a listen.

Listen in -- and subscribe!


The Eighteen Billion Dollar Question for the Eighteen Million (and Less) Business

Eighteen billion dollars. And counting. Volkswagen’s widening emissions scandal seems to have no end. Sadly, it’s only one of many stories we have seen over the past few years where organizations are unable to detect or prevent misconduct until it becomes a headline. Even more troubling is the still strong perception that it’s just the big corporate names that make the headlines that have to fear the most serious repercussions. The headlines can be misleading, and in fact most organizations that face the serious repercussions brought on by being found guilty of a federal felony offense are usually much smaller. According to the U.S. Sentencing Commission, 90.2% of all organizations sentenced in 2014 had fewer than 500 employees, and 70.6% of those organizations had less than 50 employees. These organizations were unable to work out non-prosecution or deferred prosecution agreements and likely will suffer serious consequences beyond costly fines and attorney’s fees. These organizations will often be under a court’s supervision for a period of years, have court-ordered restitution and compliance requirements, and will likely face devastating collateral consequences such as debarment from future government contracting work.

So now that I have your attention, what is an under-resourced law function in a small to medium-sized organization able to do to avoid the most serious repercussions? The Department of Justice has been pretty clear about what they look for when assessing an organization’s commitment to compliance and ethics and there is plenty that can be done with even limited means.

First of all the management must care about compliance. US Sentencing Commission data shows that 59.6% of organizations sentenced in 2014 were found to be directly involved or “tolerant” of the criminal activity. I think it’s safe to say ethical culture and tone from the top were clearly missing in these cases. That is something that any organization can address head on. Does your CEO regularly talk about ethics to the rank-and-file directly? If your organization doesn’t conduct a stand-alone culture survey or ask about issues like misconduct reporting and retaliation in a larger human resources survey what are your data measures for culture? If your organization doesn’t have a well-publicized reporting and anti-retaliation policy that is consistently reinforced through training and communication how do you cultivate a “speak up” culture? Addressing tone doesn’t need to be resource intensive, just well-planned and thought through.

That brings us to a second important point. Having a tailored plan. Another area that the Department of Justice and the Securities and Exchange Commission in particular have stressed is the importance of having a “risk-based” compliance and ethics program. The DOJ has made clear that “[e]ffective programs are tailored to the company’s specific business needs and to the risks associated with that business.” This means that all organizations, regardless of size and scope, should be assessing their business risks with an eye toward tailoring their program resources in line with those risks. Having a plan to address the structure and resources for a program, as well as considering periodic review and update, is key to any effective program.

A third area that the DOJ and SEC have specifically mentioned is that a “good compliance program” is a program that is “regularly” reviewed and improved to avoid going “stale”. The clear expectation is that all compliance and ethics programs must be periodically reviewed and updated as needed. Any plan is incomplete without consideration of assessment of the program. A strong review or assessment should reveal the areas of the program that need improvement. Whether that is training, written standards, monitoring or program structure and resources will obviously vary from organization to organization, and each organization that conducts a “risk-based” review will have different answers and different aspects of their program that will need attention. Be wary of solutions that address training or some other aspect of the compliance and ethics program before an assessment or review has determined their necessity and relative importance to other needed initiatives. Similarly, a strong review or assessment will focus also on the specific compliance risk topics that need to be addressed through policy, training, monitoring or some other resource. An organization’s compliance risk profile will be just as unique as any other aspect of the organization. There are compliance risks that most organizations share, to be sure, but making a determination about addressing particular risks without first assessing their applicability, and the current state of the program, is sometimes little more than guesswork. At any rate, for organizations with limited resources having a clear understanding of what risks the compliance program should be addressing is a better route to an effective program than adding resources before an assessment or review.

Finally, once your organization has a tone from the top, a plan for the program and has conducted an assessment, be ready to continue making compliance a priority – forever. The process of addressing corporate ethics and culture, and the structure and operation of a compliance program, is not a “one-and-done”. These expectations are not going to go away and there is no simple fix. The real key to success is changing internal expectations around compliance and ethics so that everyone feels ownership and consideration of compliance and ethics becomes an operational part of the business. We are all being moved by external expectations, from the government, the public and other stakeholders, but the real change happens when internal expectations for integrity blossom.

See These for Reference:

Volkswagen Posts Deep Loss After Taking $18.28 Billion Hit on Emissions Scandal, The Wall Street Journal, April 22, 2016 (http://www.wsj.com/articles/volkswagen-posts-deep-loss-after-taking-18-28-billion-hit-on-emissions-scandal-1461333307).

Size of Organizations Sentenced by Number of Employees, U.S. Sentencing Commission's Interactive Sourcebook (isb.ussc.gov) using the Commission's fiscal year 2014 Organizational Datafile, CORPFY2014.

Organizations Sentenced Under Chapter Eight: Culpability Factors, U.S. Sentencing Commission's Interactive Sourcebook (isb.ussc.gov) using the Commission's fiscal year 2014 Organizational Datafile, CORPFY2014.

Foreign Corrupt Practices Act ("FCPA"): A Resource Guide to the U.S. Foreign Corrupt Practices Act ("FCPA Guide"), pages 56-60 and 61-62 (https://www.justice.gov/sites/default/files/criminal-fraud/legacy/2015/01/16/guide.pdf¬).

Broken Record?

I'm actually not repeating myself -- but I am presenting on Code of Conduct Development at the Dallas version of the Corporate Compliance Institute on May 6th.  

UT puts on a great event that covers the gamut from insurance to investigations to code of conduct development. So if you want to learn when a contractor might become an employee, what are the latest scary stories about data security mishaps or listen to me talk Code -- come join us!

If you are in Texas and might be interested here are the details: https://utcle.org/conferences/CC16

Forest for the Trees

A lot of ink has been spilled over the last week on revelations regarding the Unaoil story and the USDOJ releasing its latest and greatest guidance on the FCPA.  

The bottom line seems to be that things are getting more interesting (read "difficult") with regard to compliance, that preconceived notions about what due diligence standards will suffice and be acceptable are changing (again), and that "cooperation" and what makes “an effective compliance program" just got a lot muddier.

Allow me to posit a slight counterpoint: nothing significant has changed for an effective program. The core tools and skills that a compliance and ethics officer uses remain the same, the primary goals and strategy for an effective program remain unchanged and the expectations of the regulators, be they reasonable or not, should not be the sole motivator in program development.

To paraphrase Kipling: "If you can keep your head when all about you are losing theirs" yours is an effective compliance program. Perspective is important. If you must live by the words of our friends in DC I think a more salient mantra to remember is "risk-based program".  That is the key here.  

As we all know, one size does not fit all, and while anti-corruption risk may factor into your program is it really a primary risk your organization faces?  Having a risk-based program means understanding all the significant risks that are particular to your organization. What does the data say? What gets reported up the chain of command and on the hotline/helpline? What does your culture survey tell you? What does the ERM data tell you? What are the results of any knowledge testing? These are just a few of the questions that are probably more germane to the effectiveness of your particular program than latest torrid headlines.

It may well be that your organization's top risks include foreign bribery. But the fact that your team devoted significant time to abating that particular issue and missed another risk that lands you in the headlines, or in the US Attorney's Office, will not be much of a consolation prize.

The point being that while anti-corruption is a high severity risk it is also a low likelihood risk compared to more mundane-seeming issues like harassment for most organizations. For organizations doing risky business in Iraq and the former Soviet bloc, as Unaoil's partners were, that likelihood very clearly skyrockets -- no doubt about that.  But is that what your organization does?  Is that really the picture that comes into view when you undertake a risk-based compliance assessment?

If not, take a deep breath and don't miss the forest for the trees.


Code Pitfalls

Just a few words about what our friends at USDOJ have called the "foundation" of any compliance program: the code of conduct.

A number of organizations have spent time and resources on their code of conduct over the last few years and still seem to have results that they and their stakeholders are not too excited about.  I'm getting ready to speak in Houston on Friday (https://utcle.org/conferences/CC16) about code development and these organizations are on my mind.

It seems to me there are five common missteps organization's often make that lead to disappointing results.

First, code development is a team sport.  Traditionally this was the lawyer's job alone.  But that produces typical results. Byzantine language that uses terms like "byzantine" without considering the audience. Three pages on antitrust risk including legislative history. A lot of "thou shall not" and very little "we're in this together".  Also, considering the operational perspective outside of the usual suspects (legal, audit, HR and compliance) allows the code to speak to those parts of the organization that need the message the most. Build a team.

Second, just having a slicker layout doesn't cure the ills mentioned above or ensure that the message is meeting the stakeholders. I've often said that the code needs to look more like an annual report -- and that is true -- but looking cool doesn't ensure that you have coverage nor accessible content.  And having a pull-quote or a graphic on every page may end up being a distraction rather than a tool to drawn in the reader.

Third, just appending your organization's values statement to the front of the code doesn't make it a "values-based" code.  For many codes the values page could have just as easily been a photocopying mishap since those inspiring words and phrases are completely absent in the rest of the code.

Fourth, have a plan.  Have a plan and timeline for initial development.  Have a plan for the roll-out and introduction of the code to the stakeholders. Have a plan to review and revise the code on a regular basis.  This is not a one-and-done project -- you cannot ignore your "foundation" and expect superior results.

Finally, just ask for help. This is sometimes hard to do.  But there are often untapped resources within your organization that can provide you the help you need to implement a successful project.  And if not, the "foundation" is significant enough to seek outside help when needed.

Take a Break from the Crazy to Consider Compliance

Is the 2016 election cycle the most important in a generation? Does 2016 represent a sea-change for our national politics?

All good questions, and if nothing else, the national race thus far has provided a lot to talk about. We also know that the money and resources organizations are providing to these races post Citizen’s United has increased and the number of organizations that are participating has skyrocketed.

But not every organization has a history of being involved nor a history of ensuring compliance and an orderly, transparent process for that involvement. For organizations that are new to political giving the potential downside can be great and cause an unnecessary hit to the organization’s reputation or a costly compliance failure. And that’s certainly not how organizations, and their compliance officers, want to spend this season. 

Also, organization’s shareholders are expecting to see transparency and compliance on this issue.  Just last week the Wall Street Journal noted that while investors aren’t expecting the flow of money to stop, they are “asking for consistency in a company’s stated goals and its political spending, [and] saying disclosure will provide transparency and accountability to the issue.” http://blogs.wsj.com/riskandcompliance/2016/03/03/corporate-political-spending-becomes-compliance-issue/

Bill Lawlor, a dean of corporate governance law, also predicts in the Wall Street Journal article that we will see the SEC adopt rules for disclosure in the next few years.  So it’s wise to get ahead of this curve.

So, if it is imperative that compliance know what’s going on, has a plan to handle these issues, and is doing its best to be transparent, what does that all look like?  

Back during the last national election cycle in 2014 I spoke with Wes Bizzell about common pitfalls and best practices to avoid missteps with regard to political giving and that discussion can be watched here: https://www.youtube.com/watch?v=H1Exl1FzsJM 

Many of these considerations, especially for organizations that are new to the game, are still of prime concern today.  Have a process. Be consistent. Train. Communicate to your employees, the board of directors and other stakeholders. Know who and what your organization is giving to. Don’t get caught flat-footed.

But the main point is this: now is the time to consider policy, process, communication and training for your organization to avoid a costly mistake that can negatively impact your organization’s reputation.

So, while you should enjoy the show, pay attention to your organization’s participation so that you don’t become a headline.

Small Fries and New Guys Need Compliance Too

The recent compliance implosion at online benefits success story Zenefits (see Ben DiPietro’s excellent summary from the WSJ here) underlines a consistent misperception I’ve seen my whole career regarding who gets in trouble and why.  Many small businesses and startups seem to think the only organizations that get in trouble, and therefore need to seriously address their compliance risk, are the large multinationals that make up most of the media stories devoted to fraud, abuse and non-compliance.

As with a lot of commonly held perceptions, it’s not right.  In fact, the most serious repercussions for organizations are overwhelmingly meted out to small organizations. In the past five years 88% of organizations that ended up with federal conviction had less than 500 employees and 70% of those businesses had less than 50 employees (Source: US Sentencing Commission’s Interactive Sourcebook - isb.ussc.gov).

Smaller organizations in particular find themselves in the danger zone because they are less able to absorb the costs and lost business opportunities that come with a serious investigation – even if that investigation ends up with exoneration. And let’s not forget that in six out of ten cases where an organization is sentenced at least one individual is sentenced as well. Unlike the organization, the individual is apt to find himself in the penitentiary (Source: US Sentencing Commission’s Interactive Sourcebook - isb.ussc.gov).

Newer companies, especially ones that hope to one day go public, also need to consider having more than the “basic requirements” when it comes to compliance.  Reading about the culture at Zenefits one gets the sense that turning that ship around is going to be difficult and resource intensive.  Imagine how much easier it would be to save and grow that business if such a radical change weren’t necessary right now?  Many of us have seen dysfunctional organizations with, shall we say, “complicated” cultures.  And many of us have seen men and women of good will attempt to undo the effects of poisonous culture on morale, recruitment and retention, business focus and long-term strategy.  Sometimes the poison has seeped too far into the roots and the organization cannot survive. It’s a sad thing to witness. It’s made doubly sad because it is so avoidable.

New and small organizations are in a unique and enviable position with regard to real culture change compared to larger, more-established organizations. A smaller, nimbler ship can be more effectively turned and guided away from the shoals.  A newer organization, in particular, doesn’t have the historical baggage to weigh down their efforts to seed a positive, ethical culture.  And while tending those seeds now takes consistency and work, it’s nothing compared to the resources needed to turn around an organization infested with rot.

Smaller organizations aren’t necessarily expected to have compliance and ethics programs that are as mature and structured as larger organizations. The Sentencing Guidelines and periodic guidance from the Department of Justice and the SEC make that clear.  But all organizations, regardless of size, are expected to take a risk-based approach to construct and maintain an effective program and nurture an ethical culture.

Doing too little, or nothing, never ends well.

Compliance Isn't a Trend

"What I'm hopeful for is that this has a Y2K feel about it.”  That’s the word from Lloyd Blankfein of Goldman Sachs this week when speaking about the bank’s current investment in compliance at a conference (http://www.cnbc.com/2016/02/09/at-goldman-traders-are-out-and-compliance-is-in.html). He also discusses how he forecasts that compliance costs will go down with automation and basing compliance personnel in cheap places -- like here in Texas.

While it is certainly true that any particular focus on narrow areas of regulatory compliance will wax and wane – we see that all the time – it is also true that a focus on a compliance and culture is here to stay and those that allow themselves to think it’s a transitory issue are not just missing the boat, they haven’t even found the shore.

First of all, unlike the Y2K issue, organizational compliance has no finish line.  There is no end to the problems that people in groups can create. And the policing and mitigation of those problems isn’t a matter of applying triage and moving on.  When an organization sees compliance as a stop-gap measure to get past a certain milepost, well, that’s a recipe for failure. 

If I were on the audit committee of the board of such an organization I’d have some questions about this perspective. I’d like to ask what type of effort can be expected from a resource that is told at the outset that the company is planning to automate their roles and fire them as soon as possible? What sort of tone does that set for the compliance department, let alone the rest of the organization? How much respect will a compliance officer brought into this environment command with the trading floor?

I submit the answer is “very little”. 

Compliance officers monitoring the activities at a bank like Goldman have to be sophisticated professionals, have to have the resources and tools to do their jobs, have to have respect and authority, and must have the open, full-throated support of their management.

I understand that a lot of this has to do with pleasing a small, powerful community of analysts that see these expenses as a drag on the bottom line. It’s up to powerful executives like Blankfein to change this narrative.  The answer should not be “look, we’re going to get over this ‘compliance’ thing as quick as we can” it should be “we are going to invest in a more compliant culture and that will pay dividends far beyond just avoiding trouble.” 

Blankfein is a smart guy and I know he can look at the abundant data that shows stakeholders, both outside and inside the organization, have different expectations from the analysts that decry these expenses.  Stakeholders today expect compliance and ethical cultures and disappointing them can lead to calamity -- including a big hit to the bottom line.  Look at the plummeting stock price and double-digit sales declines for Volkswagen as just one example.

Executives need to use their platform to change this dangerous and wrong-headed narrative.  This is not a trend.  This is how you do business successfully.

The Negative Case

As compliance and ethics professionals when we are evangelizing about the importance of a strong program and a healthy culture we often try to be aspirational and positive about the organization's goals. We want to focus on the benefits that "doing the right thing" can bring.

But when that doesn't work we can always bring out the big guns.  We can talk about those failures out there -- and there are plenty from Enron to Volkswagen. We can talk about the time, money and dollars lost as well as the potential for prison time.  The negative case is never far from reach when we need it.  That's why I think a headline like the one in the New York Time this morning ("Corporate Bribery Cases and Fines Fell in 2015") can cause even the veteran evangelist to shake her head and sigh. Just when we thought we had some of them convinced.

But I wouldn't worry, and in fact, I think it's a great moment to seize on a couple of potentially problematic narratives and, as good evangelists do, turn them around to the program's benefit.

First, it's a chance to free up some of the oxygen that anti-corruption has been consuming. As compliance officers know, bribery isn't the only risk out there.  For many organizations it's not even in the top five risks they face as an enterprise. When a compliance program's resources are not allocated in a risk-based fashion the effectiveness of the program suffers and, in the nightmare scenario, that top five risk that was ignored because of improper focus becomes the issue that consumes the program -- and in some cases -- the organization itself. This may be a good opportunity to have a real discussion about the risks your organization faces and how those risks have been identified, addressed and monitored.  And it opens up the opportunity to discuss how (and if) the program has been properly assessed to address those compliance risks.

Second, this story allows a discussion about those other risks that exist. If the narrative in the C-suite or boardroom has been too often dominated by anti-corruption -- or for that matter data security or any other issue -- to the exclusion of all else, here is the opening to talk about the ever-changing nature of compliance risk and the need for a program that address and assesses such risks on an ongoing basis.  My new favorite chart in the last year is by Professor Brandon Garrett at UVA ("Corporate Criminal Penalties by Type of Crime"). This chart brings together two great points. One, a real negative case standby, that despite the headline today fines overall all continue to skyrocket. Almost $9 billion dollars in 2015, or over a nine-fold increase in ten years. Two, the types of cases, and the types of risks faced, vary significantly year by year.  One could be forgiven if you just attended compliance seminars for the last ten years into thinking that foreign bribery made up a majority of the fines levied against organizations.  As this chart so crisply shows, that's never been the case.  

The negative case is not going anywhere, but whether you lead a discussion with prison and fines, or culture and performance, moments like this can provide a really valuable opening to get to the real issues your organization uniquely faces.