The bottom line seems to be that things are getting more interesting (read "difficult") with regard to compliance, that preconceived notions about what due diligence standards will suffice and be acceptable are changing (again), and that "cooperation" and what makes "an effective compliance program" just got a lot muddier.
Allow me to posit a slight counterpoint: nothing significant has changed for an effective program. The core tools and skills that a compliance and ethics officer uses remain the same, the primary goals and strategy for an effective program remain unchanged, and the expectations of the regulators, be they reasonable or not, should not be the sole motivator in program development.
To paraphrase Kipling: "If you can keep your head when all about you are losing theirs," yours is an effective compliance program. Perspective is important. If you must live by the words of our friends in DC, I think a more salient mantra to remember is "risk-based program". That is the key here.
As we all know, one size does not fit all, and while anti-corruption risk may factor into your program, is it really a primary risk your organization faces? Having a risk-based program means understanding all the significant risks that are particular to your organization. What does the data say? What gets reported up the chain of command and on the hotline/helpline? What does your culture survey tell you? What does the ERM data tell you? What are the results of any knowledge testing? These are just a few of the questions that are probably more germane to the effectiveness of your particular program than the latest torrid headlines.
It may well be that your organization's top risks include foreign bribery. But the fact that your team devoted significant time to abating that particular issue and missed another risk that lands you in the headlines, or in the US Attorney's Office, will not be much of a consolation prize.
The point is that while anti-corruption is a high-severity risk, it is also a low-likelihood risk compared to more mundane-seeming issues like harassment for most organizations. For organizations doing risky business in Iraq and the former Soviet bloc, as Unaoil's partners were, that likelihood very clearly skyrockets -- no doubt about that. But is that what your organization does? Is that really the picture that comes into view when you undertake a risk-based compliance assessment?
If not, take a deep breath and don't miss the forest for the trees.