Compliance Ethics · compliance training and certifi-cation regime intended to debar individuals if they are not quali-fied. However, most industries, organisations, and companies

Compliance & EthicsVol. 8 / No. 3

06 / 2011

A publicAtion of the Society of corporAte compliAnce And ethicS

Professional

Top sTories inside

4 The Compliance Covenant: More pull, less push

8 Is your chief watchdog an esquire?

12 The compliance risk of compliant behavior

18 Business gratuities: Sometimes it’s better not to give or receive

22 Managing ethics upwards

30 Third-party risk management: Properly managing compliance of outsourced relationships

36 Global Compliance: Thailand

46 The FAR raises the bar for ethics and compliance programs

52 Culture and values: “Adequate procedures” under the UK Bribery Act

Meet Laurie GallagherDirector, Healthcare Compliance Training at Amgen

This article, published in Compliance & Ethics Professional, appears here with permission from the Society of Corporate Compliance & Ethics. Call SCCE at +1 952 277-4977 or 888/277-4977 with all reprint requests.

Course OverviewYou are assigned to conduct an internal investigation. The facts are unclear and you are not sure who is telling the truth — yet you must reach a conclusion. In this hands-on seminar, you will learn practical skills for investigating alleged misconduct and ways to balance the rights of the complainant and the accused while protecting the interests of your organization. Plus, you will learn how to minimize administrative burden while writing effective investigative reports.

In this two-day workshop, you will learn:n How to strategically investigate “he said/she said” allegations where

there are no eyewitnesses

n How to interview witnesses using a specific method that enables you to gather all relevant information

n How the laws have changed regarding investigations (e.g. — is it lawful to use social media in your investigation?)

n Techniques and questioning strategies you can use to determine whether a witness is lying

n The rules for searching an employee’s workspace, computer or personal belongings

n The appropriate standard of proof for imposing discipline

n What to include and not include in the report

n How to properly document credibility determinations and compile exhibits

n Privilege and confidentiality designations and who should see the report

n What documents to retain in the investigative file

Continuing Education CreditApplications have been filed with the Society of Corporate Compliance and Ethics (SCCE) for the in-person sessions*, the 7 Steps Webinar has been approved for 6.9 units and the Report Writing Webinar has been approved for 3.3 continuing education units toward Certified Compliance and Ethics Professional (CCEP) credit. Multiple state bar associations have approved our Investigation and Report Writing Seminar for Continuing Legal Education (CLE) credit.

*Our website will be updated when approval is received

2011 Dates and LocationsMay 4–5 ............................. New York

May 11–12 .................. Washington, DC

June 1–2 .............................. Chicago

June 9–10 .............................. Atlanta

June 15–16 ...................... Hartford, CT

September 21–22 .................. Houston

October 5–6 ......................... Chicago

October 12–13 ......................... Dallas

October 19–20 ..................... New York

November 2–3 ................. Los Angeles

WebinarsFor the webinars, the Investigations and Reporting Writing classes will be offered separately.

May 18–19: 7 Steps to Investigate Alleged Employee Misconduct

May 25: Writing Comprehensive Investigative Reports

October 26–27: 7 Steps to Investigate Alleged Employee Misconduct

November 1: Writing Comprehensive Investigative Reports

December 7–8: 7 Steps to Investigate Alleged Employee Misconduct

December 14: Writing Comprehensive Investigative Reports

2011 Seminar SeriesJoin us for our highly interactive, step-by-step seminar to learn practical skills for how to investigate and document allegations of compliance violations, fraud, harassment, discrimination, theft and other employee misconduct.

For details, visit: www.globalcompliance.com/seminar

7 Steps to Investigate Alleged Employee Misconduct– Now including: Writing Comprehensive

Investigative Reports!

Phone: 800-443-9037 n E-mail: [email protected]

C 100M 15Y 0K 25

C 60M 0Y 100K 5

C 0M 0Y 0K 100

R 16G 120B 176

R 99G 185B 70

R 0G 0B 0

SIZE1 inch wide

FONTAdobe Garamond Pro Small Caps, Bold

Global ComplianceGlobal ComplianceGlobal Compliance

View a detailed course outline, watch a video clip of the seminar, or register at www.globalcompliance.com/seminar

www.corporatecompliance.org June 2011 compliAnce & ethicS profeSSionAl 3

Contents June 2010

4 The Compliance Covenant: More pull, less push (CEU) by Keith G. Readthe right incentives to address “What’s in it for me?” can help make compliance training more palatable.

8 Is your chief watchdog an esquire? by Michael bRozzetti

An empowered internal auditor is key to balancing the inherent conflict of interest in the general counsel position.

12 The compliance risk of compliant behavior by Joshua axelRodhighly specialized workers need to think across departmental silos to see that the results of their decisions may have unintended consequences.

14 Feature Interview: Meet Laurie Gallagher, Director, Healthcare Compliance Training at Amgenby adaM tuRteltaub

16 Letter from the CEO by Roy snellWhen i grow up, i want to be a compliance and ethics officer

18 Business gratuities: Sometimes it’s better not to give or receive by lauRel l. buRKeclear policies and oversight help executives and employees make the right decisions when offering or accepting gifts, entertainment, or hospitality.

22 Managing ethics upwards by FRanK J. navRan

Strategies for recasting the role of the ethics officer if senior leadership and executives aren’t setting the proper tone at the top.

28 Recently certified CCEPs®

30 Third-party risk management: Properly managing compliance of outsourced relationships (CEU) by steve McGRaw

the compliance risks of indirectly managed third parties can outweigh the economic benefits of outsourcing, unless you plan ahead.

36 Global Compliance: Thailandby GReGoRy unRuh and FeRnanda aRReola five ethics and compliance issues to consider before doing business in this growing and resilient nation.

40 Frankly Speaking by FRanK dalythe devil is in the details

42 Third-party corruption risk: Identifying the high-risk parties by dennis haistfive questions to help you focus your resources on the most common types of third-party relationship risks.

46 The FAR raises the bar for ethics and compliance programs by Michael PalMeRcommitment to high standards of ethics and integrity are essential for companies that want to do business with the federal government.

52 Culture and values: “Adequate procedures” under the UK Bribery Act (CEU) by Ruth n. steinholtz

employees trained to be ethics ambassadors can assist senior management in creating an ethical culture, especially in multi-national companies.

56 New Members

4 compliAnce & ethicS profeSSionAl June 2011 www.corporatecompliance.org

Meet Michael Samonas, Esq. continued from page 4

The dictionary definition of a covenant is that it is an agree-ment, usually formal, between two or more persons to do, or not do, something specified. Another definition is that it is a formal agreement between two or more people; a promise.

The Military Covenant is a term frequently used in Britain which reflects the “duty of care” that the country has to its armed forces. In return for putting the needs of the army and the nation before their own, British soldiers must always be able to expect fair treatment and to be valued and respected as individuals.

Background to the Compliance Covenant

One of the most common—and most discussed—challenges for compliance officers is that of ensuring that everyone in an organisation, from the board down, “signs up” to compliance, such that they understand the need for compliance, what compliance means for them, and why they need to—willingly—undertake training and other compliance obligations relevant to them.

I’m sure that many com-pliance officers (whatever their

background or industry) reading this article will share that view but, in case you’re not convinced, just take a look at the number of compliance events that feature ses-sions along the lines of “changing compliance behaviours,” “improv-ing compliance programme effectiveness,” or “making the case for compliance.”

I accept that some industries, such as financial services, have a compliance training and certifi-cation regime intended to debar individuals if they are not quali-fied. However, most industries, organisations, and companies do not, and that is where the “Com-pliance Covenant” comes in.

Training is usually at the heart of an effective compliance pro-gramme, but often, despite their best endeavours, compliance offi-cers struggle to deliver acceptable completion rates, largely because the training invariably takes second place to the latest busi-ness pressure, and there is neither the support nor effective mandate from senior management. Whilst compliance training of itself would not make a company compliant, it is nevertheless a key element in the “corporate shield.” Low comple-tion levels make it difficult to argue

with regulators, the courts, critics, commentators, and competitors, that there is a company-wide ethos of compliance.

By accident or design, organ-isations can often pay “lip service” to compliance, which only serves to make the compliance officer’s job more difficult. Compliance “horror stories” abound—of assis-tants undertaking their manager’s compliance training and, worse, with individuals completing the training for entire offices or teams. To compound matters, this behav-iour can be effectively condoned by some senior managers who have their secretaries complete their training and then “turn a blind eye” to everyone else. Not only are people being passive in not doing what is required of them, the only time that they are active is when it comes to avoiding completing their training!

To be fair, whilst I may have exaggerated the scenario above, I am sure that some of the situa-tions will strike a chord with many compliance officers.

The Compliance Covenant, however, offers a way of funda-mentally changing this situation through a pragmatic scheme—effectively, an agreement—that

The Compliance Covenant: More pull, less pushby Keith G. Read


continued on page 7

generates wider benefit from com-pliance, both for the company and for employees as individuals, without “over-compliance.” It also serves to raise the profile of com-pliance in the company and get the compliance message firmly in people’s minds.

I fully accept that employees should recognise the importance of compliance—and most do, when pressed. However, the Compliance Covenant would not diminish that in any way, nor would it remove the potential for compliance-related disciplinary sanctions. What it does do, however, is serve to raise the perception of compli-ance such that it becomes more of a business and personal essential, rather than a chore that effectively turns conscripts into volunteers.

The Compliance Covenant key concepts

Offering incentives to employ-ees to fulfill compliance training requirements, and recognition to those who successfully complete the programme, is one way to engage workers in a compliance culture.

The compliance passport for individuals

Most organisations and companies have some form of compliance training regime, usu-ally with a degree of differentiation based on an individual’s seniority, role, or responsibilities. The train-ing records system usually records

these completions and that is the end of the matter, until the next refresh completion in one to five year’s time.

Whilst failing to complete the training will usually generate mul-tiple reminders and escalations, completing the training on time often generates very little, other than the opportunity to print off a simple paper certificate. The com-pliance passport, however, changes that; it means that once an indi-vidual’s training is up-to-date, they have their passport, a more formal—and valuable—certifi-cation of their achievement. The passport is a pre-requisite for them to be able to apply for jobs, pro-motions, and other opportunities. It would also be a qualification that, potentially, could lead to a nationally- or industry-recognised educational qualification.

Industry compliance qualification

The UK rail industry has a system whereby track workers can gain safety certifications and other qualifications, which are then portable to a wide range of rail-related employers and activities. Clearly, this is no different from many vocational qualifications but, outside the financial services industry, there are relatively few compliance-related vocational qualifications.

Clearly, the concept behind the compliance qualification was simply that it gave a more

tangible—and potentially useable —recognition of the training that an individual had undertaken in compliance. Clearly, to be fully effective, the qualification would need to be recognised by other companies and by relevant regu-lators, which would also serve to move an industry a little way towards the financial services qualification-type paradigm.

Irrespective of the appetite in a wider industry for such a qualifica-tion, the principle clearly conveys the message, to government regu-lators and others, that there is a demonstrable commitment to compliance in the leading organ-isations or companies within that industry.

Compliance “hygiene” ratings for teams

Increasingly, restaurants and cafes in the U.K. display their hygiene rating, based on a 1 to 5 star system measured by their local authority; it has now become known informally as the “Scores on the Doors” scheme. What came from that for me was that, although we may require individual employees to com-plete compliance training and then undergo some form of test-ing of their knowledge, there was no single and straightforward indicator of a team’s compliance capability or performance. (A team in this context could be 10, 100, or 10,000 people.)


Effective ethics and compliance trainingby thomas Fox

Learn more and register at www.corporatecompliance.org/academies

Basic compliance & ethics

academiesJune 6–9, 2011scottsdale, arizona

august 15–18, 2011las vegas, nevada

november 7–10, 2011san francisco, california

Become a Certified Compliance & Ethics Professional following this four-day intensive training session

Space iS limited— regiSter

early

2011SCCEAcademies_1page_2C.indd 1 5/5/2011 3:51:14 PM


The Compliance Covenant: More pull, less push continued from page 5

As a consequence, as part of the Compliance Covenant, the concept of a team compliance rating system was established, driven by a number of parameters, including compliance training completion levels, failure rates, numbers of “serial offenders” (i.e., employees who had consistently failed to complete their training), and senior management compli-ance education performance, including levels of attendance at training sessions.

The “hygiene” rating system has the benefit that it also establishes a degree of compli-ance-related competition between teams, units, and divisions, and facilitates an additional board-level reporting measure, achievement awards, and similar supporting recognition.

Annual performance reviews/Performance against objectives

Clearly, under the Covenant, an additional approach could be to “gate” or restrict an individual’s annual performance review mark-ing, dependent upon achievement of their compliance passport or, more simply, completion of their compliance training. The same approach can be used regarding reward for performance against objectives, so that although com-pliance may not be an explicit objective, it is nonetheless implicit.

It has to be said that this approach can give rise to concerns from HR and other stakeholders

regarding the relationship between compliance, performance, and reward. As a consequence, stake-holder input is critical.

Incentives It could be argued that the

use of positive incentives and the avoidance of disincentives both have a role to play in compliance and in the Compliance Covenant. An incentive, for example, would be that the compliance passport is seen and used as a qualification, thus recognising and rewarding individuals who completed the process. Avoiding disincentives (e.g., allowing the passport to fall into abeyance, not differentiat-ing sufficiently between passport holders and others) is also equally important.

Some of the “softer” incen-tives could include, for example, entering passport holders into a regular prize drawing, although it is not considered that this type of approach should be used as a sig-nificant compliance management tool. From personal experience, based on using a prize competition for early completers of compliance training, this type of incentive did not appear to appeal widely to the management community.

OverallI have frequently heard the

argument, made by a range of attendees at compliance events and meetings, that without the quali-fication-type infrastructure of the

financial services industry, compli-ance officers have few tools at their disposal to drive up the focus on, and interest in, compliance.

This paper outlines the con-cept of the Compliance Covenant, of which the compliance passport, compliance hygiene ratings, and other techniques are key elements. Clearly, this type of approach may not be appropriate in all industries, organisations, and companies, but it does go some way in providing additional tools and techniques that can be used to develop an organisation’s compliance perfor-mance and capabilities.

In short, the Compliance Cov-enant goes some way to address the “What’s in it for me?” element of the compliance equation. The concept may well require tailoring, but the principle is certainly worth considering by compliance officers from a range of industry and com-pany backgrounds.

Editor’s Note: Keith G. Read is the Group Director of Compliance and Ethics for a major FTSE 100 com-pany in London. He is a past winner of the Compliance Register’s Best Compliance Officer award, when he also won the Best Compliance Company award. Keith may be contacted by e-mail at [email protected].

Learn more and register at www.corporatecompliance.org/academies

Basic compliance & ethics

academiesJune 6–9, 2011scottsdale, arizona

august 15–18, 2011las vegas, nevada

november 7–10, 2011san francisco, california

Become a Certified Compliance & Ethics Professional following this four-day intensive training session

Space iS limited— regiSter

early

2011SCCEAcademies_1page_2C.indd 1 5/5/2011 3:51:14 PM



Governance, risk, and com-pliance systems involve multiple stakeholders, which often include titles such as Audit, Risk, Com-pliance, Ethics, and Legal or combinations thereof. The term “compliance” has come to take on many meanings, so that overlap, gap, and even conflict can exist between organizational charters, duties, and responsibilities. This article expands upon the stark difference, and often-conflicting roles, of an organization’s general counsel (GC) and chief internal auditor (CIA) with respect to the application of law and ethics in the broader Governance, Risk, and Compliance systems of US-based organizations.

Internal auditing as the corporate conscience

In today’s New Normal, the concept of governance and risk management are evolving from mere written principles into robust practices within board and management processes. The Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Inter-nal Auditing1 defines the role of internal auditing in governance in Standard 2110, where it states

“The internal audit activity must assess and make appropriate recommendations for improv-ing the governance process in its accomplishment of the following objectives:• Promoting appropriate ethics and

values within the organization;• Ensuring effective organiza-

tional performance management and accountability;

•Communicating risk and con-trol information to appropriate areas of the organization; and

•Coordinating the activities of and communicating infor-mation among the board, external and internal auditors, and management.”

With respect to business ethics, the internal audit function serves as part of the corporate con-science. Therefore, the posture of the internal audit function must be such that it can influence the corporate “brain,” which encom-passes members of the board and management who are the keep-ers of the organizational “body” and trusted guardians of its well-being. As the corporate con-science, internal auditors must be prepared to have the open, candid, and constructive dialogues with

their boards and management to balance the scale between the organization’s legal and ethical performance.2

One of the more sensitive challenges internal audit execu-tives are confronting is how to bring transparency to the board and management’s personal values, which are an essential part in establishing and maintaining the integrity and core values of an organization. In a new era where fraud and scandal seems to be standard fare, organizations must bring internal board and manage-ment transparency to the forefront of the reform agenda. Compliance stakeholders should recognize and consider this “inner” transparency when assessing governance struc-tures and processes. Stakeholders must also provide assurances over the ethical systems and their related internal adjudication pro-cesses, going well beyond the minimum requirements set forth by the law.

Is your chief watchdog an esquire?by Michael brozzetti, esq., cia, cisa

Michael bRozzetti


continued on page 10

Esquires are the “shield bearers” of an organization

Although many believe the term “esquire” is reserved for law-yers, it is not. There is no federal or state statute prohibiting the use of the esquire (Esq.) designation. A properly licensed lawyer is an attorney-at-law, and a properly certified internal auditor is an auditor-at-fact. In fact, the term “esquire” derived from the Latin root word scutarius, meaning “shield bearer.” The internal audi-tor shield is the profession’s code of ethics, centered on four key principles: integrity, competency, objectivity, and confidentiality. In contrast, the chief legal officer or general counsel shield is the law, which is coded by its source: constitutional, statutory, adminis-trative, or common.

A recent study revealed that less than 15% of US corporations have senior internal audit profes-sionals with titles of chief auditor or general auditor. In contrast, the most senior legal professional is widely known as a chief legal officer or general counsel. In fact, ALM Media’s Corporate Counsel magazine’s annual salary survey,3 says a general counsel is frequently among the top highest-paid execu-tives whose pay packages must be disclosed, yet we rarely see a chief internal auditor on this list of hon-orable recognition. This suggests that the corporate culture at-large undermines its chief watchdog and its jurisdiction to freely sniff and

fact find to discover fraud, waste, and abuse.

Directors and officers ought to consider placing equal weight on the views and opinions of their two essential shield bearers – the chief audit executive (CAE) and the chief legal officer (CLO). It is important for directors and offi-cers to view the work of the CAE, primarily within the context of business ethics, and the work of the CLO, primarily within the context of law. Free interaction and balanced discussion between these two esquire servants will bring both ethics-based and legal-based perspectives to those matters reflecting upon the director and officer duties of prudence, loyalty, and care.

A common theme for corporate failures

The majority of corporate fail-ures share a common theme. The house of cards comes crashing down, the culprits will often take their fortunes at the expense of those who entrusted their fortunes to them, and then take refuge behind the legal maze to mystify what really happened. In the U.S., obscuring the legal process is not very difficult in light of more than 4,450 US federal criminal laws, which grow at a rate of about 500 new laws per decade, and the Federal Registry, with more than 80,000 pages, which records all of the regulations the federal gov-ernment imposes on businesses, all

of which carry the force of law.4

The explosion of more law and regulation has made a very heavy shield for the GC to bear, thus a more balanced shield of protection should be sought with respect to the CAE and CLO in the New Normal. Courtroom motion practice has little tolerance for bringing ethical matters to light. In contrast, motion practice in the boardroom should encourage bringing these matters to the table for deliberation and judgment.

The paradox for in-house general counsel

In-house counsel has a con-flicting interest when it comes to providing business advice to corporate executives versus legal advice, where the attorney-client privilege is enforceable. Accord-ing to Michael A. Lampert of Saul Ewing LLP:

When it comes to the successful assertion of the attorney-client privilege, any litigator currently active can tell you that the task is a whole lot easier if the lawyer involved is outside, rather than inside, counsel. While the legal principles are generally the same in both situations, practical experience and some recent court decisions suggest the emergence of a double standard, arguably resulting in a weakening of the privilege for inside lawyers.5



In a court case legal precedent,6 the view of the court was that the negotiation of a contract and the discussion of those negotiations with executives of the company did not constitute “exercising a lawyer’s traditional function,” but did constitute “acting in a busi-ness capacity.” So, although an executive may currently obtain both legal advice and business advice from in-house counsel, it is important to understand that these events are handled much differently within the context of the U.S. legal system, compared to that of the internal compliance system of the organization with respect to the discoverability of facts and evidence.

The emergence of the “new era” internal auditor

The Institute of Internal Audi-tors model audit charter states: “The internal audit activity, with strict accountability for confiden-tiality and safeguarding records and information, is authorized full, free, and unrestricted access to any and all of the organization’s records, physical properties, and personnel pertinent to carrying out any engagement.”7

If this is accepted as a uni-versal truth, then the authority of the internal audit activity should supersede the attorney-client privi-lege between in-house counsel and executives. If true, then the playing field has changed and an auditor-stakeholder privilege must emerge

within the Internal Auditing pro-fession, adopted by directors and officers, and respected by the Legal profession. This privilege must be consistent with the principles of conduct within the professions’ code of ethics regarding integrity, objectivity, confidentiality, and competency. A chief auditor who is a certified internal auditor certi-fies that he/she is accountable to uphold these four key principles:• Integrity. The integrity of inter-

nal auditors establishes trust and thus provides the basis for reliance on their judgment.

• Objectivity. Internal audi-tors exhibit the highest level of professional objectivity in gathering, evaluating, and com-municating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.

•Confidentiality. Internal auditors respect the value and ownership of information they receive and do not disclose information without appropri-ate authority unless there is a legal or professional obligation to do so.

• Competency. Internal auditors apply the knowledge, skills, and experience needed in the perfor-mance of internal audit services.

True freedom and indepen-dence to meaningfully carry

out internal auditing work can be achieved when the auditor-stakeholder privilege is adopted and trumps the attorney-client privilege with a higher duty to the corporate entity at-large. By making internal auditors impervi-ous to the legal system’s tolerance to shield unscrupulous execu-tive behavior, they are no longer blinded from the activities that can prevent them from obtaining the relevant, reliable, and sufficient information necessary to discover the facts required to protect the directors’ and officers’ duties of prudence, loyalty, and care.

Sustained ethical corporate culture

In a comment letter from the National Association of Corporate Directors (NACD), Chair Barbara Hackman Franklin wrote to Sec-retary Elizabeth M. Murphy of the U.S. Securities and Exchange Commission, “A strong corporate culture is one of the best tools a company has for combating fraud.”8

In the 2010 Berkshire Hath-away annual report, Warren Buffet affirmed that culture, not rules, determines organizational behavior. Former Governor of Pennsylvania Mark S. Schweiker at one time professed, “You can’t substitute good conscience with rules and regulations” at an IIA conference in reference to the Sarbanes-Oxley Act.9 If we are to hold these statements as truth,

Is your chief watchdog an esquire? continued from page 9


then we must accept the fact that the significance of ethics is equal, if not superior, to that of law within the context of an organization’s culture and internal compliance system. The mere existence of a code of conduct or ethics code is no longer enough to demonstrate to organizational stakeholders that an ethical corporate culture exists or is effective.

Sustained ethical corporate culture can be achieved with a continual and systemized process to monitor, evaluate, and inter-nally adjudicate those who engage in risky behavior that does not conform to the ethics code of the organization. Boards and directors must identify, quantify, and miti-gate cultural risk and play an active role in accepting or rejecting indi-vidual or group behaviors, before systems breakdown and fail. With respect to stakeholder relations, boards and directors must also consider how to substantiate their commitment to an ethical corporate culture by disclosing the method of measure and findings, and how results compare with other compa-nies within their industry. Mark Rome, founder of zEthics, Inc, is leading the way in this regard with the zEthics cloud computing tech-nology. The technology is designed to provide online corporate cul-ture benchmarks and incident management reporting to support transparency and accountability within organizational governance and compliance systems. In 2009,

analysts suggested that the market size for ethics-related hotlines and incident management systems was about $5 billion; however, only about $80 million in actual market demand could be verified around that time. In 2011, according to Rome, the estimated market size for this space is well over $10 bil-lion when you include government agencies and public and private corporations. These statistics bring to light both the challenges and opportunities for internal trans-parency and accountability in organizations.

Our philosopher friend Socrates once said, “A self-aware person will act completely within their capabilities to their pinna-cle, while an ignorant person will flounder and encounter difficulty.” My view is that organizations act the same way. Good governance, risk, and compliance calls for this higher level of thinking and Inter-nal Audit can serve as the center of the corporate conscience to main-tain an ethical corporate culture. Notes:

1 The Institute of Internal Auditors “Standards and Guidance.” Available at http://www.theiia.org/guidance/standards-and-guidance/

2 Michael Brozzetti “A New Era for Internal Auditors,” Institute of Internal Auditors Insight (2009).

3 ALM Legal Intelligence: GC Compensation Survey. Available at http://www.alacra.com/ALM-Legal-Intelligence-Surveys-Lists-Rankings/GC_Compensation_Survey-general_counsel_salary

4 William R. Maurer and David Malmstrom: “The Explosion of the Criminal Law and Its Cost to Individuals, Economic Opportunity, and Society,” The Federalist Society (2010). Available at http://www.fed-soc.org/publications/pubid.1771/ pub_detail.asp

5 Michael A. Lambert “In House Counsel and the Attorney Client Privilege,” FindLaw (2000). Available at http://library.findlaw.com/2000/Oct/1/128767.html

6 Georgia-Pacific Corp. v. GAF Roofing Manufacturing Corp., 1996 WL 29392

7 The Institute of Internal Auditors: “Model Internal Audit Activity Charter.” Available at www.theiia.org/download.cfm?file=14380

8 National Association of Corporate Directors: “Comment Letter to the Securities and Exchange Commission.” Available at http://www.sec.gov/comments/s7-33-10/s73310-135.pdf

9 The Institute of Internal Auditors Philadelphia Chapter, Fall Conference Key Note Session, Philadelphia, PA. November 2007

Editor’s note: Michael Brozzetti is President of Boundless LLC, an internal auditing and governance firm that specializes in training and integrating organizational ARCs (Audit, Risk, and Compliance activities). Michael serves as the Chairman for Business Integrity Alliance™, an organization committed to advocating and advancing the practices supporting the principles of integrity, transparency, accountability, and risk oversight. Michael can be contacted by phone at 267-297-0706 or by e-mail at [email protected].

http://www.alacra.com/ALM-Legal-Intelligence-Surveys-Lists-Rankings/GC_Compensation_Survey-general_counsel_salary





http://www.fed-soc.org/publications/id.444/author.asp



http://www.fed-soc.org/publications/pubid.1771/ pub_detail.asp



http://library.findlaw.com/2000/Oct/1/128767.html

http://library.findlaw.com/2000/Oct/1/128767.html

http://www.sec.gov/comments/s7-33-10/s73310-135.pdf






Compliant behavior can increase the risk of non-com-pliance, particularly in large companies where information silos are prevalent, low employee turnover is the norm, and interdis-ciplinary thinking and action have not been fully integrated into the company culture.

The situation is a common one. Employees work and develop experience in one or two functional areas and one or two departments of one company for many years. They develop skill sets that allow them to specialize (e.g., finance, marketing, sales). Workers become very good at their specialties. This division of labor allows the company to gain the greatest return on the time and money spent training employ-ees and decreases the compliance risk that accompanies functional performance of tasks. A culture is created that incentivizes special-ized competence and compliance.

But, division of labor is inher-ently divisive and inconsistent with interdepartmental team-work. Often missing is a singular, integrated, holistic, company-wide approach to value-added performance that all workers can understand and implement,

collectively and individually. Also missing is a challenge to the status quo (i.e., an assessment, analysis, and remediation of the risk associated with the increasing disconnect between a constantly changing world and an increas-ingly insular workforce).

This status quo also conflicts with the currently prevalent, corporate cost-cutting, efficiency-based mantra of “Do more with less.” How do you create jacks-of-all-trades from masters of one, particularly with downsized but unreplenished functional work-forces? The valued skill set now includes competence in holistic, cross-functional, facilitative man-agement. Company procedures need to be enhanced, and unless new employees are hired, legacy employees need to be retrained. In turn, the likelihood of employees becoming overwhelmed increases. Morale declines as employees lament that new responsibilities “are not our jobs.” Employees continue to disavow problems if their particular functions are per-formed appropriately, and they do not take personal accountability for the effects if their compliant work has unexpected, noncompli-ant effects downstream. In short,

interdepartmental communication and teamwork decrease, creating substantial compliance risk.

With ineffective communi-cation as the cause of so much compliance risk, addressing this issue appropriately is a poten-tial game-changer. So, how do companies facilitate and incentiv-ize communication among their departments and employees to achieve their new objectives and minimize and remedy the compli-ance risk of compliant behavior?

Companies need to custom-ize their goals to their particular needs, of course, but generally speaking, they need to ensure that all employees are working toward a singular goal. Decision making by employees should pri-oritize success of the organization above all else, with that success necessarily involving an integrated consideration of the business, legal, compliance, and reputa-tional interests of the company. To that end, companies need to

The compliance risk of compliant behaviorby Joshua axelrod, esq.

Joshua axelRod


carefully develop and implement a strategy that focuses resources and energy on the best interests of the company, not the individual, department, or function.

From a compliance stand-point, this strategic development involves a focus primarily on issues involving and activities captur-ing the greatest compliance risk. This is the best use of time and increases the likelihood of your message being heard and heeded, your being considered credible, and others following your lead to incorporate business and compli-ance into a single mind-set for all the decisions they make. Employ-ees want to know that what you have to say is important and focuses them on their goal.

Additionally, communicate clearly with each of the groups that perform particular functions to ensure that they are part owners of the larger process and problems identified within it. Employees should make decisions knowing that they will be held account-able for them. They should also anticipate how their particular work can be misconstrued, how-ever innocently, by others at the company. Information systems experts, attorneys, researchers, and accountants, for example, all process information differently but are all part of the process of providing one final product or ser-vice to customers. Make sure that employees know that the Com-pliance department is available

to provide guidance while they remedy the risk, but that it does so primarily in an auxiliary role.

Also, ensure that workers know that there will be regular and ongo-ing monitoring and auditing of their processes, and therefore, the extent to which they successfully minimize compliance risk will be measured. Subsequent monitoring and auditing activities can measure improvement in addressing the compliance risk through compari-son with the results of the initial monitoring and auditing exer-cise. Reward employees who look beyond their particular functional responsibilities and work to ensure an overall process that is effective and minimizes the risk of inadver-tent noncompliance.

So, how can this strategy be synthesized and facilitated by man-agement? This is a business process, but how it is implemented determines the extent of legal and compliance risk. As such, it should be viewed holistically as one process, with the risk being managed collectively by Legal, Compliance, Audit, Finance, and Operations managers. True, attorneys could focus exclusively on legal risks, compliance managers on compliance risks, etc., and in so doing be compliant in performing their particular disciplines. But, the goal for the company is to minimize risk generally, not each type spe-cifically. Compartmentalizing each type as if it exists in a vacuum unnec-essarily complicates the process, thus increasing the overall risk.

Take the example of conversion of paper records to electronic records, during which there is a risk of pri-vacy violation. This has elements of legal, compliance, and business risk, so why not address them simply as one risk? Facilitating a culture of shared information and shared goals promotes simplicity, which in turn helps prevent unnecessary problems. Shared accountability and collective decision-making based on shared knowledge should result not only in different – and better – decisions for the company, but also help avoid the moral hazard that can result when people are not held fully responsible for their decisions.

Editor’s note: Joshua Axelrod is an independent compliance consultant with experience in commercial compliance monitoring, auditing, and counseling. He has developed and implemented business plans, managed qualitative-based projects, and practiced corporate, securities, health-care, pharmaceutical, and employment law. Josh is certified in Six Sigma qual-ity management. He is the Philadelphia Business Devel-opment Examiner, and his articles can be read at https://www.examiner.com/business-development-in-philadelphia/joshua-axelrod. Josh can be contacted by e-mail at [email protected].



AT: Tell me a bit about your background, your professional training, your years at Amgen, and any prior compliance experience.

LG: I have worked in the pharmaceutical industry for over 20 years, 15 of those years in a training role supporting Research and Development. I have a BS in Medical Technology and an MS in Organization Leadership. Before joining Amgen in 2010, my compliance experience was mainly in the area of FDA regulations. My career history at Amgen has been focused on developing and implementing training on the company’s healthcare compliance policies and procedures along with Amgen’s Code of Conduct.

AT: You’re the Director, Healthcare Compliance Training. What does the role entail?

LG: My role is to ensure Amgen staff are effectively trained and educated on the company’s healthcare compliance policies and procedures. In addition, I am responsible for the training associated with Amgen’s Code of Conduct, which is delivered annu-ally to every staff member.

AT: Please tell us a little about Amgen.

LG: Amgen discovers, devel-ops, manufactures, and delivers inno-vative human therapeutics. A biotechnolog y pioneer since 1980, Amgen was one of the first companies to realize the new science’s promise by bringing safe, effective medi-cines from lab to manufacturing plant to patient. Amgen thera-peutics have changed the practice of medicine, helping millions of people around the world in the fight against cancer, kidney dis-ease, rheumatoid arthritis, bone disease, and other serious illnesses. With a deep and broad pipeline of potential new medicines, Amgen remains committed to advancing science to dramatically improve people’s lives. To learn more about our pioneering science and vital medicines, visit www.amgen.com.

AT: You’re a Certified Com-pliance and Ethics Professional (CCEP®). You didn’t prepare for the CCEP exam in the typical way, but by taking a Compliance Academy that the SCCE put on

at Amgen for Amgen people. In fact, it was the first of three of these programs. What led Amgen to decide to train so many compli-ance professionals?

LG: We are serious about developing our staff. Certification is becoming more widely regarded as a standard in the field of com-pliance and business ethics, and Amgen is committed to being a recognized leader.

AT: What led you to select the SCCE to provide the training?

LG: After reviewing available programs, we felt SCCE would provide the most appropriate training and certification program to our staff.

AT: The Compliance Acad-emy is focused on compliance in general, rather than biotechnology-specific compliance issues. Were

Meet Laurie Gallagherdirector, healthcare compliance training at Amgen

feAture intervieW

http://www.amgen.com/


there any areas of the training that were surprising to you?

LG: Not really. I do think, however, that it is important for participants in the program to have the required one year of com-pliance experience before they are admitted. This will help ensure that they are not in over their heads unnecessarily, and so they can be successful in the exam.

AT: What do you think the rest of the compliance profession could learn from how the biotechnology industry manages compliance?

LG: I am not sure that there are any unique lessons from our industry, per se. Compliance is

critical in any highly regulated industry such as ours.

AT: I’ll never forget how ner-vous I was when the envelope arrived with my test results. It was like applying to college all over again. How did you feel when you got the test results envelope in the mail and opened it up?

LG: At this point in my career as a training professional, I am no longer afraid of tests or scores. I was excited!

AT: How do you plan on stay-ing current on compliance issues, both for your role as a Compliance Director, as well as for keeping your CEUs current to maintain your certification?

LG: I will look to many of SCCE’s resources—web confer-ences, articles, etc. to stay on top of compliance issues and to main-tain my status as a CCEP.

Editor’s note: This interview was conducted in April 2011 by Adam Turteltaub, CCEP, CHC, Vice President of Membership Development for SCCE. Adam can be contacted by e-mail at [email protected]. Laurie Gallagher may be contacted in Thousand Oaks by e-mail at [email protected].

Get the latest on breaking issues and best practices. Hear directly from regulators and practitioners from the convenience of your own offi ce.

• Timely, quality training with no travel required

• With one registration, your whole offi ce can participate

• A convenient way to earn continuing education credits

SCCE WEB CONFERENCES

VISIT WWW.CORPORATECOMPLIANCE.ORG to learn more and register for the latest conferences

Psychology of Fraud: Why Good People Do Bad � ingsFebruary 15, 2011 | 12:00 pm Central | 90 min.

Frank Navran, Founder Navran Associates

SCCE_UpcomingWebConf_halfpagead_2c.indd 1 1/4/2011 11:25:56 AM

The Compliance Model: A Framework for All Things Compliance June 02, 2011 | 12:00 pm Central | 90 minJana Utter, Director, Corporate Compliance & Risk Management, Midwest ISOStephanie McCutcheon, Sr. Records Manager

mailto:[email protected]





When I grow up, I want to be a compliance and ethics officer

The main reason I want to be a compliance and ethics offi-cer when I grow up is because it involves integrity and telling the truth. These were a big deal to my father. It also involves facing your problems head on, dealing with mistakes, and helping people. These were a big deal to my father. Com-pliance and ethics involves honor and justice. We are in a respected profession. I understand there are those who don’t respect compliance and ethics, but that doesn’t matter to me, because I only respect the opinions of people I respect and those who are well informed.

There are more glamorous jobs. There are those who think it’s macho or cool to flirt with the edge. There are those who think it’s OK to deny, defend, and ratio-nalize. They seem to think life is a game. They are living in an imag-inary world that causes them to believe that if they can intimidate or bully people into submission, then they are right or ethical. They are rudderless. They have no moral compass. They seem to think it isn’t a matter of right and wrong—it’s a matter of who can run over whom. I have worked with and observed these people all my life. It turns out, they are all wrong.

Some seem to think that if you get away with it, it’s OK. Some think that if you can fool people into thinking that their unethi-cal behavior is OK, then they are OK. Some think that if they pre-tend their unethical behavior is not happening or didn’t happen, then they are OK. Some have been pretending for so long, they are lost forever. They have been “full of it” for so long, they can never have integrity. I am embarrassed for them. Even the very people who cracked under pressure and told the bullies what they wanted to hear, know the bullies have no integrity. They know they are wrong. They know the Emperor has no clothes.

My children’s relationship with their father is like my relation-ship with my father. Every year I understood more and more about what he stood for. Every year after his death (years ago) I appreciate more and more what he stood for. It wasn’t easy to understand when I was younger. I had little appre-ciation for what he was teaching me. He was demanding. If he saw BS, he would call you on it and make your day difficult. He would not tolerate lies. He would not tolerate rationalization. He would not tolerate the deny-and-defend approach. Not too different from

an effective compliance and ethics officer.

T h e r e is a sense of inner peace when you do the right thing. It is easier on the soul. I am proud to be the father of my chil-dren, because they respect what I do. To be perfectly honest, they have little idea what I do. Maybe I should say they will respect what I do, hopefully. My first child just entered the workforce. After a year, her employer stumbled onto something about me on the Inter-net. He asked her if I was related. It was kind of like, “Do you know who your father is?” It’s not her fault. When I get home, I am done talking about work. I didn’t figure out how great my father was until after his death. I appreciated him, but I didn’t yet know how few people had the degree of integ-rity he had. If I do deserve some respect from my children, I hope they aren’t as slow as I was.

The children of the deny-and-defend crowd won’t see what’s going on when they are younger, but every year of their lives, they will be putting the pieces together. Every year of their lives, their respect for their parents will change, just like my apprecia-tion of my parents changed. Just because you can win a battle, just because you can force people into submission, just because you can get away with it, just because

letter from the ceo

If you have any questions that you would like Roy to answer in future columns, please e-mail them to: [email protected].


you can rationalize your actions doesn’t mean people, including your family, will respect you in the long run. Some bad guys may win many battles during the course of their lives, but in the end, they are losers.

Good guys may be frustrated. Good guys may lose battles. Good guys may not always be respected when they are forcing us to face our problems. Good guys may not look as cool as the hard charging, “Slick Willie,” deny-and-defend crowd. But in the end, good guys will feel good to the bone. In the end, good guys are respected by their families, friends, and most of their colleagues. It is not a superficial

feeling. What compliance and ethics officers achieve through their careers feels good deep down. It feels good forever. It feels good all over. That’s why, when I grow up, I want to be a compliance and ethics officer.

letter from the ceo

SCCE has stepped up our environmen-tal responsibility by printing Com-pliance & Ethics

Professional on recycled paper. The interior pages are now printed on paper manufactured with 100% post-consumer waste. The cover stock is made up of 10% post-consumer waste and is locally produced in Minnesota near our printing facility. In addition, the energy used to produce the paper is 100% renewable energy. The ink used in our magazine is 100% soy-based water-soluble inks. Cer-tifications for the paper include The Forest Stewardship Council (FSC), Sustainable Forestry Initia-tive (SFI), and Green-e.org.

Compliance & Ethics ProfessionalCOnTACT US!www.corporatecompliance.org [email protected]

+1 952 933 4977 or 888 277 4977 +1 952 988 0146 (f )

Society of Corporate Compliance and Ethics 6500 Barrie Road, Suite 250 Minneapolis, MN 55435

SCCE’S UpComing REgionalCompliance & Ethics Conferences

SCCE’s regional compliance conferences provide a forum to interact with local compliance professionals, share information about compliance successes and challenges, and create educational opportunities for compliance professionals to strengthen the industry.

West Coast June 24, 2011 • San Francisco, California

Alaska June 30, 2011 • Anchorage, Alaska

Southeast October 14, 2011 • Atlanta, Georgia

Southwest November 4, 2011 • Houston, Texas

www.corporatecompliance.org/regional



Routinely, a business orga-nization must balance building and reinforcing relationships with business needs and revenue goals in the context of legal and ethical behavior. And, people in business often believe building relationships and securing their positions requires providing gifts and hospitality to their commer-cial counterparts.1

Certainly, ethical businesses seek to compete and win busi-ness fairly—without using illegal or unethical practices to gain advantages. However, sometimes organizational sales personnel, public policy staff, lobbyists, and others regard business courtesies or gratuities as a “cost of doing busi-ness” or something that “everyone else” is doing and are too lax about checking when a gift or hospital-ity is unethical or unacceptable or prohibited. To help ensure an organizational culture in which personnel do not succumb to an unethical mentality of getting the revenue no matter what the cost, organizations must provide clear direction and oversight to employees and executives. This article provides some recommen-dations regarding organizational policy considerations for public/

government personnel, discusses where to find rules and how to evaluate business courtesy requests, and finally suggests a sample checklist of items to assess for specific organizational courtesy requests.

Policy considerationsWhy should an organization

care about the business courtesies provided to and by its personnel? Organizations that mishandle business courtesies are at risk of being barred from future business up to and potentially including criminal charges for individuals. The Foreign Corrupt Practices Act (FCPA), federal government, and state and local agencies pro-hibit bribery and illegal payments. But, exceptions inserted in many rules, such as the “reasonable and bona fide expenditures” of the FCPA, make the distinction between prohibited payments and permitted expenditures less clear and more subjective. Additionally, organizations employing a lobbyist or involved in procurement may face different rules that may apply to others beyond the individuals performing those tasks, and have additional reporting requirements for the lobbyist or organization.

Inside an organization, every employee (or their business unit lawyer)—whether they sit in procurement or sales, policy or regulatory areas, technical, or somewhere else—should make an assessment of the state, local, and agency specific rules that regulate gifts before taking some-one to lunch or dinner, buying or providing game tickets, or even treating someone to coffee. The evaluation can be confused by existing relationships when, for instance, a conscientious employee asks the organization if he/she can invite a public employee who is his neighbor over for dinner because they periodically socialize in the neighborhood. If the neighbor has input on a pending agency

Business gratuities: Sometimes it’s better not to give or receiveby laurel l. burke, cceP

lauRel l. buRKe



decision to purchase services from the organization but the employee is far removed from the transac-tion, the organization may not be concerned. But, if the employee happens to be the director who pitched the services to the neigh-bor’s agency, the organization may want to consider the event more closely and determine if action is required, and possibly make sug-gestions about what the public employee would be permitted to accept.

If the organization chooses to allow gifts and entertainment of some type, it should provide a system that supports the deci-sion, ensures the rules used are the most up-to-date, and that the requests are not reviewed in isola-tion. On the isolation point, the system should have mechanisms to consider what else is happen-ing with the proposed recipient as well as the department or agency and the organization; for instance, is there a procurement or other contract pending or proposed leg-islation being considered, or will a commission be acting? Even if an organization chooses not to review every business courtesy proposed for public employees or officials, it should provide internal guidance in company policies and proce-dures and set limits that employees can easily find, understand, and implement.

Careful attention to the specif-ics and some oversight serves an organization well, because once

outside the bright–line of pure bribery, the stringency and acces-sibility of the requirements vary widely.

Where to find rules and requirements

At their essence, gift rules intend to protect integrity and encourage ethical conduct. Imple-mentation and content vary widely. Where to find the rules also varies widely (e.g., state statutes, munici-pal codes, ethics codes, lobbying requirements, procurement guide-lines, company codes of conduct, and industry “best practices” adopted by a company; and for those with federal relationships, the FCPA, Anti-kickback Statute, Anti-lobbying Act, Procurement Integrity Act, and others).

In addition to standard statute and ordinance searches within the rules for lobbying, procurement, and gifts, you can perform web searches on agency/local sites. Looking for policies, codes of con-duct, ethics codes, or terms such as gifts, gratuities, lunch, dinner, conflict of interest, entertainment, pecuniary/non-pecuniary, and hospitality are likely to provide more depth and understanding of what a particular agency intends. Searches may reveal that a state’s set of rules are vague, contradic-tory, or silent but, because of its own experience or leadership, a city or county in that state decided to publish guidance on what’s acceptable. City and county

agencies may issue more guidance still. For example, the Utah Pro-curement Code2 makes it a felony to accept or offer any emolument, gratuity, contribution, etc., if the recipient is or is acting as a pro-curement officer. Utah’s Uintah School District Purchasing Policy 004.0200 (adopting 63G-6-1002 with guidelines) and the Depart-ment of Administrative Services Internal Policy on Gratuities, Gifts and Solicitations, published July 21, 2008, provide guidance where there may be a conflict of interest with the objective to “pre-clude impropriety” and indicate the requirements of the law do not apply to occasional non-pecuniary gifts with a value not exceed-ing $50, unless the employee is involved in a procurement or other governmental action affecting the donor.3

Or, a state may provide a sig-nificant amount of guidance so that the bulk of the municipali-ties and agencies within the state choose to adopt the state rules, even if they issue their own codes of conduct. So, where do you start?• Identify the applicable rules to

analyze. If the proposed recipi-ent is a municipal employee or official, start with the state stat-utes, but don’t stop there. Take a look at the city’s ordinances and ethics or business codes, as well as the website for the specific department or agency.



• Look for opinions from ethics boards and the attorney gen-eral. Opinions are at least persuasive materials. Be sure to check the statutory definitions for who qualifies as a lobbyist, which vary widely jurisdiction to jurisdiction. Even registered lobbyists are surprised by the breadth of the plain language.

• Search procurement guide-lines for the agency. Look at what’s discussed in any appli-cable contract or Request for Proposal or Quote (RFP/Q) documents. Dig in to determine if there are policies that have been issued that address the spe-cific situation or an analogous one. One agency may permit a round of golf with the business contact, while another prohib-its entertainment of any sort. Consider that one department might exclude food from what is defined as entertainment or a gift, but some others might apply a dollar limit on the food that may be consumed with the business contact.

• Once the applicable set of rules has been determined, consider the recipient. Look at not only where the recipi-ent works, but also whether the recipient is employed, elected, appointed, or volunteering. What authority does the recipi-ent exercise? Officials, directors/trustees and employees may be subject to different require-ments, so look for different

policies for different people. For instance, a school district employee may not be permit-ted to attend certain events for free, but the superintendent of the same school district may, in certain circumstances, be per-mitted to attend the event at no or little personal cost.

• Determine the definition of “gift.” Some rules define the parameters of a gift rather than providing a definition per se, yet choose to exclude items from the definition of a gift such that a prohibition in practice becomes more lenient. For instance, items of “nominal” value may be excluded from an otherwise outright prohibition on accept-ing gifts, and therefore, the intended recipient may actually accept the item. Even the term “nominal” can mean different things in different states or be of “unexceptional value” rather than of nominal value. In the most extreme rules, all gifts are bribes and impose criminal pen-alties for violations on either the recipient or the giver or both.4 More typically though, rules look to what the giver intends to get as a result of providing the gift. If the giver intends to gain an advantage or buy his or her way into a contract opportunity, for example, the recipient would not be permitted to accept the offered items. But, if the giver has no such devious or under-handed intent, and the value of

the gift falls within the permit-ted parameters, the recipient usually may accept.

Gift rules cast a wide net and come in a variety of forms (see example on page 21). Focus-ing on the type of recipient first and acting with prudence when it comes to providing a courtesy help steer the organization to the right side of giving and receiving.

Organizations that have employees who interact with public employees should create a mechanism for those employees to ensure they provide business gratuities only when allowed by company policy and within the rules that apply to the intended recipient. Scrutinize the reasons for providing a courtesy and ensure that no impropriety could be inferred or attributed to the organization from its employee behavior. Notes:

1 See e.g. Gratuities, gifts and the ethical business relationship, by Simon Longstaff. Available at http://www.ethics.org.au/ethics-articles/gratuities-gifts-and-ethical-business-relationship).

2 Utah Code Ann. § 63G-6-1001 & 1002

3 See for example, The City and County of Denver Charter and Code of Ethics found in Article IV of the Denver Revised Municipal Code and Denver Public Schools Policies. Available at http://www.dpsk12.org/policies/.

4 See e.g., Utah Code Ann.§ 63G-6-1001 & 1002.

Business gratuities: Sometimes it’s better not to give or receive continued from page 19

http://www.ethics.org.au/ethics-articles/gratuities-gifts-and-ethical-business-relationship





Editor’s note: Laurel L. Burke is an Attorney with CenturyLink, a Fortune 500 telecommuni-cations company in Denver, Colorado. During her 11½ years with the company, she has advised business units regarding compliance, regu-latory, policy, and commercial contract matters and guided public policy. She can be contacted at [email protected].

Business Gratuities Checklist (Some things, but not the only things, to con-

sider when evaluating a business courtesy/gratuity request internally.)

Who is the recipient?• Public employee (employed by federal, city, state,

agency, department)• Public official (elected or appointed)• Person who has influence on decision makers •Decision maker for pending contracts or requests

for proposals or quotes (RFPs/RFQs)• Authority for agency/department

Who is the “giver”?”• Lobbying employer • Lobbyist providing courtesy

What are the rules?• Lobbying rules: By offering courtesy, does organi-

zation need to report it a certain way?•Does policy permit gratuity/entertainment of this

value?•Does policy permit gratuity/entertainment to

this type of recipient, given the present business climate?

What gift/gratuity/entertainment is proposed?•Value

− “Nominal” − More than nominal

• Food (breakfast, lunch, dinner, coffee)• Entertainment (giver will attend)•Cash or cash equivalent (gift card)• Tickets (giver will not attend)•Donation

Where is the agency/department (jurisdictions)• State/federal rules• Local ordinances• Policy statements•Code of conduct, ethics codes• Procurement rules/Guidance

When will the gift be given?• Legislature in session• RFP/RFQ pending•Contract negotiations in progress

Why or what is the reason for the courtesy?• Influence recipient •Get something in exchange for the gift • Relationship separate from business

Compliance & Ethics ProfessionalAdvErTISInG rATES

PeR InSeRtIOn

Full-page full-color (back cover, inside back cover, or inside front cover):

1...................... $1,725 3...................... $1,575 4–6 ...............$1,500

Full-page black-and-white: 1–2 ....................$905 3..........................$735 4..........................$605

1/2-page black-and-white: 1–2 ....................$630 3.......................... $535 4.......................... $455

1/4-page black-and-white: 1–2 ....................$375 3.......................... $335 4..........................$320

two-color ads are available (black and pmS 5115 c) for an additional charge of $435 per insertion.



22 ComplianCe & ethiCs professional June 2011 www.corporatecompliance.org


Since 1991, corporate ethics officers have been the “specific individuals within high-level per-sonnel of the organization” who have been assigned responsibility to oversee compliance with the organization’s standards and pro-cedures, as specified in US Federal Sentencing Guidelines. Early on, many of these ethics officers were, in fact, high-level personnel with direct access to the CEO, Ethics Committee of the board, and the whole board of directors.

Increasingly, we have observed two concurrent shifts in the role of ethics officers that suggest that organizational beliefs about the office and its roles may need reexamination.1. Shift One is the tendency of

more and more corporations to incrementally slide the ethics officer down the orga-nization chart so that their direct access to the highest-level strategic decision makers is decreasing.

2. Shift Two is the increasing focus downward through the organization that suggests that senior executives are view-ing ethics as having more to do with their subordinate

employees than with them-selves or with the board.

These two observations, illu-minated by the findings from research into ethics, leadership, and integration, suggest that organiza-tions in general (and ethics officers in particular) may need to pay more attention to managing ethics upward.

ErC Fellows Program preliminary research findings

Beginning in 1997, the Ethics Resource Center Fellows Program1 facilitated a series of research proj-ects, each in its own way looking at questions that examined aspects of effective corporate ethics ini-tiatives. From three differing perspectives these researchers all came to surprisingly similar conclusions on the critical role of the senior-most leadership of the organization.

In a paper entitled “Moral Person and Moral Manager: Developing a Reputation for Ethical Leadership,”2 Trevino, Hartman, and Brown examined the interesting question of how ethical leaders develop. The key finding is that ethical leadership

requires more than the leader just being an ethical person.

Joshua Joseph, in “Integra-tion of Principles into Practice in the Workplace,”3 examined how organizations put their principles into practice, with a critical look at the roles of the Ethics Office and senior leadership. He concluded it is necessary for the focus to be on culture, not just programs, for effective program integration. And, not surprisingly, it is leaders who set the tone at the top—the culture.

In “Ethics and Compliance in a Global Economy: Making the Case,”4 Vogl suggested that many ethics programs are too narrowly focused to meet the chal-lenges of today’s global economy. He discussed how ethics officers contribute to that by not making the right arguments to the right (senior level) people about what is required for an ethically effective organization.

Managing ethics upwardsby Frank J. navran

FRanK J. navRan

www.corporatecompliance.org June 2011 ComplianCe & ethiCs professional 23


Ethics and Leadership

The research on ethics and leadership is also telling us that there are three different types of leaders:• Unethical leaders are those

who believe ethical consider-ations are not relevant in the workplace. Their decisions are not guided by ethical principles. They tend to operate out of per-sonal and pragmatic motives with less concern for the altru-istic or idealistic implications of their decisions. This does not mean that every decision is unethical; merely that the ethics are not a serious consideration of the decision when it is being made.

• Ethical leaders are those who are personally ethical in word, thought, and deed, and conduct their decision-making openly, so that they are perceived as ethical at a distance. Not only do these leaders consider the ethical consequences of their decisions, in addition to the individualistic and pragmatic, but also it is obvious to the observer that such is the case. They make a point of ensuring that the ethical aspects of their decision-making process are as visible and transparent as the pragmatic.

• Ethically neutral leaders are those who are personally ethi-cal in word, thought, and deed, but are not open about it, so they may not be perceived as

ethical from a distance. These leaders are perceived as not paying adequate attention to the ethical component of their deci-sions, not because the outcome is unethical, but rather because their attention to ethics cannot be observed.

Conversations among the ERC Fellows regarding the leadership research revealed an interesting phenomenon. Ethics officers, in general, understood the concept of the ethically neutral leader. CEOs, by and large, argued against the notion. It is apparently difficult for an ethical person, especially one highly placed in an organization, to accept the need for making their private and internal ethical decision-making processes explicit and subject to review. These lead-ers find difficulty in accepting that it is not enough to do the right thing – they must point out how they arrived at that decision.

When that observation is coupled with the current prevail-ing perspectives that ethics officers are hired to manage an ethics program “downward,” we come to appreciate the depths of the problem. There appears to be no individual in many organizations who is specifically responsible for managing ethics upward, serving as advisor and counsel to senior leadership on ethics matters.

The obvious conclusion is the need for a new perspective as we move forward. That perspective

presumes that ethics officers need to manage their program in both directions, pushing the program through the ranks and ensuring both endorsement and visible par-ticipation from the top.

If we accept that proposition, then it suggests that every ethics officer should invest a significant portion of their total time in working with senior leadership to ensure that support for the program is evident and real (i.e., in communication and in deed). Just as importantly, they should be helping these leaders understand their own ethical decision-mak-ing processes, on both difficult, strategic decisions and on routine management decisions that impact the perceptions of employees throughout the organization.

An investment in working with senior leadership on com-munications and other methods of demonstrating senior leadership’s “living” of the ethics program can have a valuable impact on the efforts to manage the program downward. A few critical words at the right time, from the right senior manager, can have a trickle down effect of immeasurable pro-portions. Just as importantly, so can a few ill-chosen words have the effect of undoing a world of good. The old management adage, “It takes one hundred positives to wipe out one negative” can be applied here. It takes one ethical misstep or the perception of such




a misstep to erase any number of prior ethical decisions, actions, or choices. And, appearing to have made a decision without having considered its ethical implications is such a misstep.

So, who is “senior leadership?”

At a minimum, senior lead-ership includes the board of directors, the CEO and his/her direct reports, the presidents of major business units, vice presi-dents, chief legal counsel, and any other “officers of the corporation.” This is the target audience that should be receiving more of the ethics officers’ time and attention. That attention should be focused on communication and support. Open, honest, and frequent com-munication with senior leadership is essential for an ethics officer to be successful in managing an ethics program in both directions.

The ethics officer and the ethics program will both be more effective if employees at every level know, accept, and find credible that senior management “gets it” and is making a good faith effort to apply the same ethical standards to their own decisions as they do to the rules they impose on others.

That investment in time spent managing upward can take many forms, but experience suggests that face-to-face is better than paper, electronic, or telephonic com-munications. But, whatever the medium, the critical ingredient

is frequency. Communications between the ethics officer and senior leadership should be rou-tine, so completely expected and matter-of-fact as to be unexcep-tional. The absence of ongoing communications about ethics should be the deviation, not the other way around.

Leadership’s expanded challenge

An interesting element of the challenge facing ethics officers as they manage ethics upward is defining the boundaries of the subject. Just what is ethics in an organizational context?

Competing for a leader’s atten-tion can be a challenge, because the scope of concern for many leaders has broadened with the expand-ing demands of the changes in the marketplace. A changing market-place has resulted in a more diverse environment, where each location is fraught with a variety of unique challenges. The role and respon-sibility of senior leadership in global corporations has expanded accordingly. The demands inher-ent in a multicultural organization push leadership beyond tradi-tional bounds. Globalization can increase the amount of distance between senior leadership and the many other parts of the company, and that includes cultural distance as well as physical distance. Then there is the reality that senior lead-ership’s time is ever scarcer.

The attentions of an aggres-sive business press and the reality of high speed/worldwide commu-nications has increased the level of scrutiny and accountability of the modern organization. Watchdog groups and special interests groups are constantly on the lookout. In addition, the fiscal strength of the modern mega-company is so vast that companies often carry more power than the governments in countries in which they do busi-ness. As such, they have become higher profile players on the politi-cal stage and have a role in world events.

Given the press of events and expanding scope of concerns, senior leadership must also accept that the definition of organiza-tional ethics is expanding.

The shift from compliance to integrity and back

In the earliest stages, orga-nizational ethics for most US corporations centered on the notion of compliance. Are we fol-lowing the laws? Are we at risk from litigation? This is the nar-rowest perspective of ethics.

Ethics programs matured and ethics officers developed increased sophistication regarding the chal-lenges facing them and their organizations. Both they and their corporations began to embrace personal and corporate values in decision making (principle-based decision making) as the logical expansion of the definition of

Managing Ethics Upwards continued from page 23



what it means to be ethical. What emerged as “best practices” was a model of the principles-based corporation.

But, change continued. What emerged next was a more holistic definition of what it means to be a “good” corporation. It is a global view, and this will again help to reshape the responsibilities and focus of the ethics officer.

The shift to a global perspec-tive meant another broadening of the definition of ethics. “Global integrity” is a more accurate descriptor, and it embraces both compliance and ethics as described above. It also adds to the defini-tion concern for rule of law, human rights, good governance, labor/child labor concerns, anti-corruption/anti-bribery, concern for the environment, safety, social responsibility, good corporate citi-zenship, and respect for the whole diverse array of local cultures. This increases the organization’s obligation to reach beyond tra-ditional company boundaries to consider how decisions affect the surrounding community and the global community.

Concurrently, the global-ization of the definition of organizational ethics was accom-panied by increased scrutiny by the world of stakeholders, espe-cially advocacy groups and the media. Corporate ethics officers (especially those in multi-national corporations and/or corporations with global suppliers/markets)

were being challenged with fun-damental questions. Perhaps the most common, and most chal-lenging, was how the corporation ought to balance the desire for global standards (i.e., consistency) against the need for local applica-tion of standards (i.e., flexibility).

And the shifting continuesIn pressing economic times,

the Ethics Office faces the same budget realities as other organi-zational functions. Finding ways to do more with less is leading to reexamination and innovation. Technology is often the first place considered to reduce operating costs. Technology is neither good nor bad, but its implementation can be either.

Consider one recent example. A large, complex organization had embraced online training as the means for ensuring that every employee was adequately prepared to meet the ethical standards of the organization. In a series of focus groups in that organiza-tion, we heard a recurring theme: new employees were “coached” through the ethics curriculum, actually given an answer sheet. They were able to complete all eight required ethics modules in 20 minutes or less. The message clearly was that “supervision” saw no value in ethics training. The local ethics officer was aghast. He had been relying on the com-puter-generated reports and was confident that new employees were

being appropriately trained, but line management was responding to their “pressures” to get people up to speed and producing ASAP. Without doubt, there is work to be done managing ethics downward, but…

Changing the Ethics OfficeMany of today’s ethics officers

see themselves as staff to the senior leadership, charged with taking the ethics message down the orga-nization chart to the rank and file. That is but half of the focus.

Senior leadership has to be convinced of the merit of empow-ering the ethics officer to be a key resource to the senior team: a source of information, a check-point for critical choices, an educator, a con-science, and a source of undiluted truth and unchecked candor. Every senior leader needs someone who is freed from fear of retaliation or concern for personal career goals, who has the courage, but more importantly, the charge to speak up when the emperor is naked.

Ethics officers are more than minions executing the senior staff’s agenda, imposing it on the organization below. They are and should see themselves as key play-ers at the executive level. Although often several pay grades below their senior team, ethics officers require as much or more access to the top as those who report directly to the senior leadership. That will not happen if ethics officers do not




believe they are entitled to that degree of access and if they cannot make the case for it effectively and regularly.

Enlarging the scope of your work

The job of the ethics officer is enlarged significantly by this shift in focus. It may be that additional resources are required, because the traditional focus downward through the organization ought not to be sacrificed. Tradition-ally, the ethics officer has had to argue mightily for resources after the initial spate of interest and investment in creating the ethics program. That is not likely to change. Resources are, and will likely remain, the reason senior managers will give for not accept-ing changes in the Ethics Office’s role and scope, but the real reasons may lie deeper.

Strategies for managing the shift

As suggested above, the shift to managing upwards is no minor adjustment in the role of the ethics officer. It constitutes a major recasting of that role. What follows are several strategies for managing that shift. It is not expected that any ethics officer will find all of the strategies appropriate and/or feasible, but many ethics officers could include them in their rede-fined position.

Formal communications

The ethics officer should be included in the review process of all major communications ema-nating from the senior leadership team. This is not for approval purposes, but for a review of the likely impact on employees and other stakeholders regarding their perceptions of senior lead-ership’s continuing commitment to operating in accordance with the stated ethical standards. Left unreviewed, it is too easy for a document or speech to misstate a point and inadvertently undo months or years of effort and investment.

Example. A CEO of a hospital chain had spent two years trying to create a corporate culture built on the notion that quality care and highest ethical standards were the two pillars upon which both mis-sion and financial success would depend. In an effort to underscore the need for financial responsibil-ity, he decided to send a letter to every one of his 14,000 employees urging them to pay careful atten-tion to cost controls and then make every reasonable effort to balance patients’ needs against the system’s need to manage its finances. The message received by many employ-ees was, “Reduce cost by whatever means possible. Nothing else mat-ters but financial performance.” Clearly not his intended message, this ill-conceived communication undermined his credibility with employees and did terrible damage to the ethics initiative. There was

symbolic content in this letter that the CEO overlooked and that the ethics officer would likely have noted, if only he had been given the opportunity to comment on the letter:• A first class letter mailed to the

employees’ homes was perhaps the most expensive means for getting the point across—a mixed message itself, if the point was to encourage cost saving.

•The failure to remind employees that every decision must be bal-anced against the organization’s commitment to patient care and ethical standards was an even larger mistake.

One example of the conse-quences was a reduction in the number of nurses on the night shift. Nurses adapted. For exam-ple, when a patient rang the call bell late at night, a nurse would be certain to get to the bedside within the required two minutes and turn off the “light,” but if it was a “non-emergency,” such as soiled linens, the patient might be lying in those soiled linens for hours until the nurse had time to deal with the “non-emergency.”

An ethics officer positioned as part of the communications team would have been able to remind the CEO to include the ethics/care message and perhaps could even have pointed out that a 14,000 first class letters might not be the best way to communicate a con-cern for cost-control.



Informal communications

There is no substitute for the informal communications that take place in the organization. It often has more credibility than formal communications. And nothing has more power than sto-ries. Consider this example.

A newly appointed police chief made a point of showing his direct reports a small stack of traf-fic tickets he had received. These were speeding tickets issued by the radar-controlled cameras along the interstate. In several instances, the excessive speed may have been “justified” as he was responding to a police call in his personal vehicle. Others were because he, like most of us, was simply in a hurry. He explained to his employees that he had paid for all of the tickets and attached copies of his cancelled personal checks to each. He went on to explain that he kept the tick-ets in his desk to show influential friends or family members who dropped by looking for a favor—a ticket to be “fixed.” He would show them that he didn’t fix his own tickets, so they should not expect him to do so for them.

The message, though indi-rect (in keeping with his personal style), was crystal clear: We have a stated commitment to a set of values that I take seriously. I don’t fix tickets. You had better not either. Word spread through the city, including to the mayor’s office, and respect for the chief and confidence in his commitment

to the city’s ethics initiative both increased.

Sitting at the strategic tableVery often, the strategic deci-

sion-making team is so intently focused on their business purpose that they may slight the organiza-tion’s values and principles without even noticing.

Example: In their eagerness to acquire a strategic partner, one corporation ignored evidence, revealed during the due diligence process, regarding ethically ques-tionable actions of the former vice president of marketing for the corporation being courted. Four years after the acquisition, this small defense supplier was tempo-rarily debarred from government contract work while a full-scale investigation was conducted. The cost was staggering both to the bottom line and to the reputation of the organization and its leader-ship. An ethics officer, sitting in on the deliberations, might have been able to point out the risk and convince the leadership to continue the search, rather than acquire a potential ethics/compli-ance disaster.

Changing perceptionsAs noted in the discussion of

ethically neutral leaders above, many senior-level managers, people who view themselves as ethical managers, do not “get it.” They do not see the need for an ethics officer at their elbow. They

may find the mere suggestion of being “managed” by the ethics officer insulting, the idea totally offensive to their sense of self. But, that does not mean the idea is without merit.

This is not a shift that will occur easily, swiftly, or through the work of others. Those of us who believe that managing upward is more than a good idea—that it is an essential strategy necessary to prevent ethics programs and ethics officers from being marginal-ized—must work for this change. Perhaps more research needs to be done. Certainly more needs to be discussed and written on the sub-ject before it will have the gravity and “critical mass” needed for success.

One way of understanding the process needed to change the perceptions of what constitutes the legitimate role and responsibilities of ethics officers is captured in something called the tipping point phenomenon. Several years ago Malcolm Gladwell, in The tip-ping Point5 suggested that ideas, products, messages, and behaviors spread like viruses.

Viruses have three character-istics that form the basis of the tipping point theory:•They are contagious. • Little causes have big effects.•The change is dramatic after the

tipping point is reached.



Tariq Abdullah

Marie E. Allison

Fred R. Ange

Blake L. Barlow

Stefani Bonato

Terry L. Bridges

Randall K. Brown

William M. Brown

Gary D. Butkus

Eva R. Carlson

Javier Castillo

Fara Damelin

Meghan K. Daniels

Joann C. Del Bene

John J. Drouant

Lester P. Dupre

Jennifer S. Flandermeyer

Mitchell Friedman

Siew-Huon Gong

Timothy J. Gordon

Laurie W. Harrison

David J. Heller

David M. Henley

Debra A. Houck

Beverly B. Huff

Greg G. Hyndman

Dawn E. Johnsen

Devoney L. Johnson

Susan B. Johnson

Lester L. Journet

John Kalb

Martin Peter Keifer

John Krapf

Thomas A. Kubaitis

Rebecca A. Lloyd

Tara D. Love

Sam Mattar

Amanda Lynnette Mayhew

Olivia C. McClellan

Laura K. Merten

Dagny H. Mofid

Scott D. Nader

Robbi D. Nagel

Don B. Olsen

Brandy D. Olson

Matthew J. Paynter

A. Merrill Philips

Charity M. Pomeroy

Lisa A. Reeves

Dorothy G. Rhoades

Angeli M. Rodriguez

David T. Rybak

Marino I. Sanchez

Ariana N. Sarabia

Anna C. Shea

Lisa A. Simmons

Kelly A. Stahl

Deb M. Thompson

Sherrie Williams

Mabel F. Wilson

Vanessa R. Wisnoski

Harvey W. Woodford

Achieving certification has required a diligent effort by these individuals. CCEP certification denotes a professional with sufficient knowledge of relevant regulations and expertise in compliance processes to assist corporate industries in understanding and addressing legal obligations. CCEPs promote organizational integrity through the development and operation of effective compliance programs.

Questions? Please contact:Liz Hergert at +1 952 933 4977, 888 277 4977 or [email protected]

The Compliance Certification Board offers you the opportunity to take the Certified Compliance and Ethics Professional (CCEP) certification exam.

congrAtulAtionS to ccep designees!



Consider a hypothetical case. One hundred people are infected with a 24-hour virus. In the course of the day of their illness, they each expose one hundred people to the bug, but the illness only infects 1% of those exposed. The resultant number of newly infected people is equal to the original number, 100. At this rate, the disease would be spread, but the number of people infected at any one time would never exceed the number who were sick initially. This is not an epidemic.

But, what if the number of people exposed rose by just one or two per infected person? If every infected person exposed 102 people and 1% got infected The would be a geometric increase in the number of sick people daily. In short order, there would be a true epidemic.

Thus, the three characteris-tics of an epidemic are contagion, little changes can have big effects, and the change is dramatic after the tipping point is reached. If we apply tipping point theory to a business perspective, we could illustrate how a small action could have big effects (and even “tip” the scales) such that a culture/percep-tion is changed quite dramatically, for instance:• A small adjustment is made,

such as moving a senior staff briefing from the senior execu-tive boardroom to a meeting room on the other side of the building.

• Leaders must walk the public hallways to get to the meeting, thereby seeing others and being seen, hopefully to include a few hellos and handshakes, etc.

• Exposure to the rank and file may make the leader seem more human and approachable. “I ran into Mr. X in the elevator the other day and he held the door so that I could get in. I didn’t know he was such a regular guy!”

•The positive image is able to spread.

ConclusionThe challenge facing ethics

officers is to identify what fac-tors might contribute to changing their organization’s culture so that it accepts the appropriate degree of managing ethics upward. It then becomes necessary to change those factors, to tip the scales, so that the desired outcomes can occur. Several possible tipping points are described above (e.g., formal and informal communications, sitting at the strategic table, etc.), but it is reasonable to presume that the tipping point will vary from orga-nization to organization, leader to leader.

The actions required to change the dynamic, further empowering the ethics officer and strength-ening the ethical culture of the organization are within our reach. They include ensuring that ethics officers have greater access to and influence in the executive suite

and that their focus is directed up and down the organizational hierarchy.Notes:

1 More information at http://www.ethics.org/fellows

2 LK Trevino, LP Hartman, M Brown: Moral Person and Moral Manager: How executives develop a reputation for ethical leadership. July 1, 2000. Available at http://hbr.org/product/moral-person-and-moral-manager-how-executives-deve/an/CMR183-PDF-ENG

3 Joshua Joseph: Integration of Principles into Practice in the Workplace. Available at http://www.ethics.org/files/u5/Integrating_Ethics___Compliance_Programs.pdf

4 Frank Vogel: Ethics & Compliance in a Global Economy: Making the Case. 2000. Available at http://www.kbmi.or.kr/upload/global_compliance.pdf

5 Malcolm Gladwell: the tipping Point: How Little things Can Make a Big Difference. Back Bay Books (January 7, 2002)

Editor’s Note: Frank J. Navran is the Founder and Principal Consultant of Navran Associ-ates. Frank has worked with clients in more than twenty countries, reducing their risk of ethics and/or compliance failures and contributing to their success in developing and sustaining strong ethical cultures. Frank has authored five books and more than two hundred articles and book chapters. He may be reached at [email protected], or for more information, www.navran.com.



http://www.navran.com



Subsequent to the account-ing scandals in the early part of the decade and the near collapse of financial systems in the latter part of the decade, focus on enter-prise risk management (ERM) has increased significantly. Con-currently, as corporations have increasingly turned to outsource suppliers and service providers to reduce operating costs and increase internal focus on core competen-cies, third-party risk management has also grown rapidly in impor-tance as a subset of overall ERM initiatives. Why? Simply, liabil-ity and responsibility cannot be outsourced.

Generally, we can do a good job of identifying, quantifying, and managing risks within our own organizations. However, because our third-party business partners are managed indirectly and cannot be monitored as easily as our own employees and assets, many organizations must contend with blind spots in third-party risk management. A report titled “Third-Party Codes of Conduct: A Benchmarking Survey,” pub-lished by the Society of Corporate Compliance and Ethics (SCCE)

in February 2009, noted that 83 percent of the respondent’s organi-zations had not established a code of conduct unique to their third-party business partners.

Further compounding this dilemma, regulators, including FDIC, SEC, FFIEC, OCC, OIG1 and others, are increasing their focus on potential third-party risks. They want to see organi-zations proactively identifying potential risks, verifying that busi-ness partners and their employees are compliant, monitoring for changes that might create new risks or compliance gaps, and managing the investigation and remediation of incidents.

Driven by internal risk-reduction initiatives and external regulatory pressures, organiza-tions are discovering a broad array of challenges as they attempt to proactively manage their risks stemming from third-party busi-ness partners. External risks can manifest in many forms, includ-ing fraud and bribery issues, code of conduct and ethics violations, regulatory violations, privacy breaches, quality issues, and labor standards.

Managing these potential supply-chain risks can be sig-nificantly more challenging than managing similar risks that may emanate from within the orga-nization. Often, as organizations attempt to address third-party risks, they focus on the launch of relationships (on-boarding) but fail to account for issues that can occur throughout the life of rela-tionships. These are risks that can quietly creep into relationships over time and create exposures that are unknown until an inci-dent occurs. The reasons that organizations often fail to manage third-party risks throughout the life of relations are two-fold:

Third-party risk management: Properly managing compliance of outsourced relationshipsby steve McGraw

steve McGRaw

http://www.corporatecompliance.org/staticcontent/ThirdPartyCodesBenchmark_RebeccaWalker.pdf

http://www.corporatecompliance.org/staticcontent/ThirdPartyCodesBenchmark_RebeccaWalker.pdf


•Once a business relationship is established, organizations often neglect to routinely re-evaluate business partner risk.

• Business partners, such as sup-pliers, are usually managed by procurement or purchasing per-sonnel. Their metrics are most often focused on vendor deliv-ery of products or services, but fail to include numerous other risk-related measures, such as ethics and compliance.

A survey conducted by Com-pliance 360 in August 2010 highlights these issues.2 Of the 336 compliance and ethics pro-fessionals who participated in the survey, fewer than 40 percent identified initial risk assessments as one of the greatest challenges in third-party risk management.

However, ongoing compliance and risk assessments were most frequently cited as one of the greatest third-party risk manage-ment challenges, by two-thirds of the participants (see figure 1). So, what’s really at stake with third-party risk management? Most often, it boils down to the potential for significant finan-cial loss caused by damage to the organization’s brand and reputa-tion. Let’s put this in context by reviewing a recent example of brand damage caused by a third-party business partner.

In the summer of 2007, Mattel, Inc. announced that some of their toys manufactured by third parties contained lead in the paint. This resulted in a massive recall just ahead of the busy holiday season. The 2007 toy recall, announced in

August, was estimated to have cost Mattel more than $110 million in direct damages due to lost sales during the holidays.

Although the direct damages due to loss of sales were substan-tial, the subsequent loss in terms of shareholder value was significantly greater. As can be seen in figure 2 (on page 32), the market value of Mattel dropped dramatically as the story developed. The Mattel saga is just one of many examples that bring third-party risk man-agement to the forefront of risk management efforts for boards of directors of companies of all sizes.

What can organizations do to address mounting risks as they increase their use of third-party suppliers and service providers? First and foremost, they need to move beyond the initial risk assess-ment to proactively address what they acknowledge as their great-est challenge—monitoring and assessing third-party risks on an ongoing basis.

For organizations to cost-effectively address increasing risks emanating from third-party busi-ness partners, the use of automated systems is often seen as the only practical approach. Unfortunately, according to the survey conducted in August 2010 by Compliance 360, only five percent of the participating organizations con-sider themselves to have a highly automated process for managing their third-party risk. Nearly half, 47 percent, either have manual 0 10 20 30 40 50 60 70 80

On-going compliance and risk assesments

Ensuring contract compliance

Ensuring compliance with corporate policies

Mitigating risks prior to signing new agreements

Initial risk assesments

Management and investigation of compliance-related incidents

Credentialing business partners

Figure 1: Third-party risk management greatest challenges



Third-party risk management: Properly managing compliance of outsourced relationships continued from page 31

processes or no formal process established, manual or automated (see figure 3 on page 33).

Much like the sophisticated systems devised for managing enterprise risks within an organi-zation, similar systems can be used for managing external risks as well. Although similar in concept, there are some important distinctions between the two, primarily the level of control and visibility, cited at the beginning of this article. Because control and visibility can be so limited in third-party scenar-ios, risk management systems must provide easy methods for organi-zations to request, analyze, and validate information from third parties, and they must also make it easy for third parties to participate in the process. Overhead must be minimized for all involved.

These systems must also help to automate risk management throughout the entire life-cycle of the relationship. According to

the report titled “Are You Manag-ing Risk and Compliance Across Extended Business Relation-ships?”3 published by Corporate Integrity in 2010, the key areas of focus for automation in a success-ful third-party risk management program are as follows.

On-boarding of new business partners

The on-boarding process is the initial stage for managing third-party risk. At this stage, a vendor or service provider is evaluated based on defined criteria to determine if the relationship should be estab-lished. If there is a high degree of inherent risk, but the relationship is necessary, compensating con-trols and monitoring requirements should be established. Elements of the on-boarding process include: • Initial collection of finan-

cial, legal, historical record of incidents and issues, and

references of a prospect’s busi-ness relationships;

•Validation that prospect busi-ness relationships are legal and approved by governing authori-ties (e.g., Office of Foreign Assets Control [OFAC] compli-ance to ensure the organization is not doing business with orga-nized crime, terrorists, or terror and criminal states);

• Initial risk assessment to deter-mine the inherent risk in a business relationship, to help identify if the relationship will move forward and establish mitigating controls as required by the contract;

• Initial risk ranking or scoring of the relationship, as well as targeted residual risk with the proper contractual controls in place;

• Initial communication and attestation of the code of conduct to the partner and its respective facilities and employees; and

Figure 2: Performance of Mattel stock (NASDAQ: MAT) July 2007 – March 2008

http://www.corp-integrity.com/documents/ManagingRiskComplianceAcrossExtendedBusinesRelationships.pdf






• Establish policies and proce-dures: Writing and modification, communication and initial implementation of defined poli-cies and procedures established by the authority of the contract that govern the business rela-tionship or aspects of it.

Compliance managementCompliance should be assessed

initially during the on-boarding process and throughout the life of the relationship. This should begin with validating and monitoring compliance with the agreement between the two organizations. Defined contractual requirements, regulatory requirements, and controls should be assessed and monitored on an ongoing basis with the frequency determined by the importance and inherent risk of the business partner. This also involves monitoring the relevant legal and regulatory environments in corresponding jurisdictions to identify changes that could impact the business. Elements of compli-ance management include:•Monitoring changes in the legal

and regulatory environments or jurisdictions that impact the operation and execution of the business relationship, and iden-tifying changes that impact it;

• Establishment of a system-of-record of compliance and contract activities to ensure a historical record of all docu-mentation pertaining to the relationship;

•Management of communicat ion issues and per-formance as it is renewed to pro-vide a mutually beneficial ongoing relationship;

• Regular assessment of the relationship and its activities to ensure that it conforms to laws, regulations, and established policies and procedures;

• Annual attestation by the busi-ness partner that it adheres to a defined code-of-conduct, as well as the contract and its established controls, policies, and procedures.

Risk managementRisks emanating from third-

party business relationships don’t start and stop with adherence to contracts and compliance. A variety of risks related to environ-mental, labor, and other factors can impact the success or failure of any given business relationship. The potential risks relevant to each business partner should be taken into consideration to monitor the health and success of business relationship on an individual and aggregate level. Elements of risk management include:•Monitor ongoing risk indicators

within the business and its rela-tionships, as well as external risk

indicators that can impact the business and its relationships;

• Regularly assess risks identified for the relationship;

•Continuously score risks and performance of business relationships;

• Identify and implement alerts and triggers on risk indicators, issues, and incidents to provide early warnings when things begin to go wrong.

Issue and incident managementEven the most successful

business relationships encoun-ter issues and incidents. These may arise from quality, health and safety, regulatory, fraud, and many other mishaps. The fall-out from incidents is exacerbated when everyone scrambles in dif-ferent directions because nobody defined action and resolution plans ahead of time. Manage-ment of third-party risks should account for issues and incidents, and plan for containment, miti-gation, and resolution.

Figure 3: Automation of third-party risk management

Higly Automated

Partially Automated

Slightly Automated

Manual Process Only

No Formal Process

23%

40%5%

15%

17%



Declining budgets, increased regulation, and heightened enforcement are all making compliance and ethics more challenging, and more important, than ever.

The Society of Corporate Compliance and Ethics can help you manage your compliance and ethics program—and your career— through these times. We’ll help you connect with and learn from compliance and ethics professionals from across industry, giving you new ideas for how to manage your program.

Our magazine and electronic newsletter will keep you informed of the latest issues, and give you perspective on how to effectively manage the long‑term challenges. Our conferences will enable you to build out your network and hear directly from other professionals, at a discounted, members‑only rate. Can’t travel? Our online social network is the next best thing, providing online interaction with thousands of compliance and ethics professionals. Or try a web conference.

In sum, SCCE can help you tap into a vast network of information and resources to help move your ethics and compliance program forward, no matter how difficult the times.

To learn more about the SCCE and how we can help, visit us online at www.corporatecompliance.org, and join more than 2,000 other professionals who already call themselves members of the Society of Corporate Compliance and Ethics.

Don’t Face Compliance and Ethics Issues AloneJoin the Society of Corporate Compliance and Ethics and Enjoy the Support of Over 2,000 Compliance and Ethics Professionals Worldwide

6500 Barrie Road, Suite 250, Minneapolis, MN 55435, United States+1 952 933 4977 (p) | +1 952 988 0146 (f)[email protected]

SCCEMembershipAd_1page_2c.indd 1 11/4/2010 7:11:31 PM


Third-party risk management: Properly managing compliance of outsourced relationships continued from page 33

Elements of issue and incident management include:• Extension of hotline report-

ing systems to include business partners and their employees so they can report unethical or unwanted behavior;

• Process and systems for investi-gation and resolution of issues that arise, including adjust-ments (as needed) in agreements and policies and procedures;

•Collaboration and communica-tion of issues that arise on both sides of the relationship;

•Collection and management of all communications sur-rounding an issue to provide a historical record and body of evidence.

AuditingContracts with business part-

ners and suppliers often include right-to-audit clauses that are never exercised. A successful risk and compliance strategy should have clear policies and processes defining when and how audits of business partners are conducted. This includes the role of internal audit as well as when external auditors should be engaged. Ele-ments of the audit process include:•Management and prioritiza-

tion of the audit staff time and resources, and calendar activi-ties to schedule and conduct audits. This is often driven by the risk assessments;

•Ongoing monitoring of watch-lists (e.g., OFAC, CMS, etc.) to

assure the company does busi-ness only with lawful entities;

• Periodic attestation and vali-dation of vendor and partner adherence to appropriate code of conduct, policies, and proce-dures. This is often integrated with the compliance manage-ment step; and

• Audit validation to assess the validity of risk and performance assessments of specific business partners.

Systems used to automate these five processes ideally inte-grate them to take advantage of obvious links, such as using the output of risk assessments to drive audit plans and using audit results to evaluate and revise compliance programs. These systems should also automate the process of on-going risk assessments and provide alerts linked to risk scores and underlying details.

Although the outsourcing of business functions to third par-ties is becoming more popular as companies strive to become more cost effective, the company must ensure that the proper risk management policies are in place before beginning these third-party relationships. The truth of the matter is that responsibility, accountability, and liability cannot be outsourced, and proactive risk identification will continue to grow in importance to make these relationships as economically beneficial as possible.

Notes:

1 Federal Deposit Insurance Corp (FDIC), Securities and Exchange Commission (SEC), Federal Financial Institutions Examination Council (FFIEC), Office of the Comptroller of the Currency (OCC), Office of the Inspector General (OIG)

2 Compliance 360 survey: Managing Vendor Compliance and Minimizing Third Party Risk – October 2010. Available at (http://www.compliance360.com/thirdpartyrisk)

3 Corporate Integrity LLC: “Are You Managing Risk and Compliance across Extended Business Relationships?” 2010. Available at http://www.corp-integrity.com/wp-content/uploads/2010/12/2011-02-Collaborative-Accountability-in-Extended-Enterprise.pdf

Editor’s note: Steve McGraw is President and CEO of Compli-ance 360 in Alpharetta, GA. Compliance 360 provides inte-grated compliance risk and audit management software applications for originations in regulated industries. Steve may be contacted by e-mail at [email protected].

http://www.compliance360.com/thirdpartyrisk

http://www.compliance360.com/thirdpartyrisk



Thailand is a country with strong and lasting religious tra-ditions that has adapted well to the demands of technological and industrial development. The nation has an established infra-structure and liberalized economy that has positioned it as one of East Asia’s top economic perform-ers. The people of Thailand are also notably proud of being the sole nation in the region to have never been colonized by any out-side power. Thailand is sometimes compared to Hong Kong as a lead-ing East Asian international hub, but political volatility tempers that ambition and remains a concern for many investors and entrepre-neurs. Recent events like the 2005 coup d’état and massive public demonstrations in 2008 and 2010 illustrate the risk. The country’s history of 18 coups d’état since its modern establishment shows the challenges Thailand confronts of maintaining stability in the face of strong regional competition and growing investor exportations for world class infrastructure and pro-duction quality standards. Despite the unsettling politics, business in Thailand provides many commer-cial opportunities and a growing population of potential custom-ers. Thailand is the 21st largest population in the world and its

booming young generation is demanding western-style services and products.

The Ethical Climate for Commerce

On June 24, 1939, Siam, the only Southeast Asian nation to never have been a European colony, changed its name to Thailand, a word that stands for “Free Land.” The change occurred following a bloodless coup which transformed the longstanding absolute monarchy into a consti-tutional government. Thailand’s economy boomed from 2000 to 2008 with an average 4 percent GDP growth annually over the period. The country has focused on building a solid infrastructure

to support a free-enterprise econ-omy with strategic emphasis on the development of high-technology goods for export. Although the recent financial crisis had a severe impact on Thailand’s economy, there are signs of recovery.

As good as the prospects for business might be, investors often complain about the chaotic political scene. Recent protests from “red shirts” (former Prime Minister Thatskin followers) have alerted foreigners, with concerns of a possible coup. However, regardless of street demonstra-tions, regular business activities seem to continue with little dis-ruption. While unrest concerns many international business play-ers, local entrepreneurs tend to

GLOBAL COMPLIANCE: Thailandby Gregory unruh and Fernanda arreola



discount the importance of fre-quent protests, feeling that they can be coped with.

Nevertheless, as a result of the recent crisis, credit has become tighter. According to Bangkok Bank, the country’s largest lender, debt resched-uling for small-medium enterprises had increased by around 3 percent by 2009. Thailand’s government has put in place a number of initia-tives including capital injections for Thailand’s Export-Import Bank and permits allowing Thai companies to offer loans to non-affiliated firms abroad.

State enterprises in Thailand represent a complex puzzle for foreign investors as well. Employ-ing over 300,000 people, most of these companies are in the pro-cess of consolidation into a State Investment Corporation, with the stated goal of providing more independence to all state-enter-prises. However, some have voiced concerns that this new entity will create private enterprises with access to government funding and opportunities for unfair competi-tion and abuses.

With regards to its social system, Thailand is a traditional society, with historic administrative practices that can lend themselves to exploi-tation. For example, the Sakdina system allowed government officers to remunerate themselves through the modest retention of taxes and dues collected. Such traditional

practices can create a lax attitude to what many consider unethical behavior in a global economy.

Five Compliance and Ethics Issues to Consider

Ma Tha Put The Ma Tha Put industrial

complex is an illustration of some of the risks in Thailand. In recent months a judiciary court issued a temporary suspension for more than 70 projects being devel-oped in the complex in response to the complaints from residents and NGOs over industrial pollu-tion and environmental damage created, critics contend, by the uncontrolled manufacturing facilities at the site. The decision has impacted confidence and for-eign direct investment, and it is unclear how the outcome of the court action will impact investors.

Deal With It The Ma Tha Put case repre-

sents a belated attempt to protect Thailand’s coastline from rapid development. At the time the complex was established in early 70s, there was no policy regard-ing conservation or environmental

management. The Ma Tha Put case indicates that this historic deficiency is being corrected and

investors will need to consider the environmental impacts of development. Thailand’s authorities have been willing to cooperate with investor initiatives that protect the environment, but a proactive approach to environmental management should be con-

sidered basic to any investment strategy.

Political Instability After 15 constitutions and

18 coups d’état in the last cen-tury, Thailand portrays an image of political instability. Investors coming to Thailand complain that the unstable investment envi-ronment makes forecasting risk exposure difficult. Many expect that political volatility will con-tinue with a repeat of the violent protests and sieges that caused interruptions to operations of Bangkok airports in 2008 and 2010.

Deal With It The Economist Intelligence

Unit ranks Thailand as a flawed democracy, terminology used to describe a country where, even where some regulatory factors are not under control, most admin-istrative processes are set and running regularly. Despite the political scandals, Thais have been

As good as the prospects for business might be, investors often complain about the chaotic political scene.



GLOBAL COMPLIANCE: Thailand continued from page 37

able to cope and economic devel-opment has continued. Monetary/investment exposure guarantees are possible ways to manage some of the potential business risks. The World Bank through the Multilat-eral Investment Guarantee Agency (MIGA), for example, can offer this type of coverage.

Corruption It has been said that cor-

ruption is one of the burdens of Thailand. As discussed, some his-toric practices and attitudes have left an impression in the country that bribery is like an additional tax or service fee to get things done faster. The World Bank has argued that little to no progress has been made in reducing cor-ruption. According to a 2009 poll by the Abac Pol Research Centre, just over 50 percent of respon-dents said they would tolerate a corrupt government as long as the economic condition improved. It should not then be a surprise that Thailand ranks 84th out of 180 countries in Transparency Inter-national’s Corruption Perceptions Index for 2009.

Deal With It Traditional and popular cus-

toms convey a lax attitude toward ethically questionable business practices. However, it is important to understand that corruption is also facilitated by a disorganized political system, low salaries for public officers, and educational

and financial gaps between the social classes. Dealing with cor-ruption in Thailand is an issue that has started to gain social attention and there are signs of a shift. The Global Corruption Barometer indicates, for example, that a sig-nificant percent of the population is willing to pay more to buy from a corruption-free company. This provides an opportunity for global businesses to advertise their ethi-cal business practices, which may draw customers and will help foster greater social understanding of the problem and role business can play.

Taxes & Tariffs The complex and non-trans-

parent nature of Thailand’s tax system poses a difficult task for international companies and individuals running operations from Thailand. A recent report produced by U.S. authorities presents Thailand as a country with high tariffs that remain an obstruction to the establishment of international business inter-ests. The average tariff rate was around 11 percent for 2008. The main concern among foreign busi-ness owners relates to a perceived unequal treatment to local and foreign investors, since the high-est import taxes apply to products that compete with locally pro-duced goods.

Deal With It Although, in general, high tar-

iffs remain a market impediment

in some sectors, the government is starting to provide conces-sions for companies listed on the national stock market or provide a value-added to Thailand’s society. Despite their apparent arbitrary nature, these tax breaks are a vehi-cle to achieving adequate taxation for investors. Businesses should be wary of questionable taxing prac-tices, remembering that Thailand’s drug trade means money launder-ing is a common risk that is closely monitored by international orga-nizations. Many companies may be able to take advantage of new regulations like a 2010 law that facilitates the repatriation of funds. Businesses should seek guidance from international auditing and taxing firms to better understand these opportunities.

Women and the Sex Industry Thailand is widely known as

a center of sexual tourism. This industry has been widely criticized for cases of child and adolescent slavery and abuse, and for foster-ing the growing number of HIV cases. People travelling or working within Thailand should be pre-pared to confront offers of illegal prostitution services during their stay.

Deal With It Available statistics show only a

small number of Thai women are actually involved in prostitution. However, because of the focus on business travelers, it is wise



to tactfully ensure that any new acquaintances introduced by local contacts are not engaged in illicit activity.

Five Etiquette Tips You Should Know Before You Go

Greetings While globalization has

brought western handshakes to Thai business culture, the tradi-tional greeting is still the “wai,” where a greeter joins the palms of his hands at chest-level and bows over them. The position of your hands signifies the level of respect you hold for the person in front of you. To acknowledge seniority, greeters lower their forehead closer to their hands. The wai will not be returned if there is a notable social difference between two people greeting.

Business Meetings Social status, hierarchy, and

connections are all considered by Thai business people when establishing a new partnership with both locals and foreigners. Status can also be determined by your dress, manners, education, complexity of your family name, and connections. It is therefore important to clarify hierarchical roles and ranks within your orga-nization during initial business meetings. Business meetings tend to take place at the office. Arriving late signals disrespect, so

you should always be on time for meetings. Dress should be tra-ditional, elegant, and conservative. During your meetings, decorum matters and openly complaining or losing your temper is viewed negatively within Thai culture. Try and keep a calm attitude at all times and present your ideas with tranquility and serenity.

Business Cards Business cards are exchanged

after an initial meeting and you should always offer your business card to the most senior person first. Cards are exchanged using the right hand and traditionally people tend to make comments about them to acknowledge their reception. It is recommendable to have your card translated into Thai prior to your visit.

Gift Giving Gift giving is not common

practice, even when visiting a Thai’s home. However, it will be appropriate and appreciated if you arrive with simple gifts like flow-ers, fruits, or chocolates. Avoid giving marigolds or carnations because these are funeral flow-ers. Also avoid wrapping gifts in green, black, or blue as they are also associated with funerals and mourning. Gifts are not opened when received, and they are usu-ally offered by the right hand and acknowledged with a wai.

General Country Facts

(Source: CIA World Factbook)

Top Import Partners

Top Export Partners

Capital: BangkokPopulation: 65,998,436Life Expectancy: 73.1 yearsLanguages: Thai, English, ethnic and regional dialectsLiteracy Rate: 92.6%GDP (PPP): $538.6 billionGDP (Real Growth Rate): -2.8%Inflation: -0.9%Major Industries: tourism, tex-tiles and garments, agricultural processing, beverages, tobacco, cement, light manufacturing



It has often been said that “In business, what gets measured, gets done.” But, as with all forms of evaluation, the devil is in the details.

In a recent article in The new Yorker, Malcolm Gladwell, the author of such well known books as The tipping Point and Blink, raises questions about the method-ology used by U.S. news & World Report to create its annual “Best Colleges” rankings.1 Gladwell shows us that with slight adjust-ments of the measuring criteria, the result would be different, as it could be with Car and Driver magazine rankings of sports cars. It’s an interesting caution and one we would do well to heed.

Frankly, I have always been skeptical of awards that rank ethics programs. The motivation for doing this is sometimes unclear and, not infrequently, has a mar-keting or commercial purpose. I must confess that I participated in one such event a few years ago. It appeared to end well, until the winner went out of business a few months later. We neglected to ask the business question.

Recently ethisphere magazine published a story about an orga-nization variously described as a company and a think tank called “The Ethisphere Institute” and its release of a list of the “100 Most Influential People in Business

Ethics.”2 As The Ethisphere Insti-tute notes in its announcement, this year the list is top heavy in the government and regulatory category. In other words, the list is top heavy with compli-ance, not ethics. To be sure, the list contains the names of people worthy of note for ethical activ-ity. I noted however, a few where the importance of the distinction between compliance and ethics is compelling and, in some way, their inclusion casts a shadow over the list. Number 11 on the list is former Senator Christopher Dodd of Connecticut who, along with his House colleague Barney Frank, spearheaded the passage of the Financial Regulatory Act—certainly a significant achievement in compliance. Apparently not considered was the fact that Sena-tor Dodd was investigated by the Senate Ethics Committee for accepting a sweetheart mortgage deal from Countrywide Mortgage, a company at the center of the sub-prime mortgage debacle and one that was overseen by Senator Dodd as Chairman of the Senate Banking Committee. Although such a conflict of interest may not violate Senate ethics rules, ask anyone who lost their house or has difficulty getting a mortgage today if they think it is ethical.

Another selection (number 9) is Jeff Immelt, CEO of GE, who was lauded for his leadership in business ethics. Really? Did some-one not ask a further question or was it a matter of bad timing (these lists are subject to that pit-fall) that the list includes the CEO of one of the largest corporations in the world—one that paid no federal income tax last year? Of course, GE will say it was legal; they were compliant with tax law. Most tax-paying Americans want to know if it was fair, an ethical concept. They know that what is legal may not be ethical. They are not the same thing and it would have served the Ethisphere Insti-tute well to recognize that.

Gladwell points out that: “Who comes out on top in any ranking system, is really about who is doing the ranking.” If Ethics is a bucket into which those doing the ranking dump compliance, corporate social responsibility, sus-tainability, etc., you might end up with contradictions like numbers 11 and 9 above. If however, Ethics is related to but distinct from those other realities, you might have a different result.

Frankly, the devil is in the details. A very important detail is that compliance and ethics are not the same thing.

frAnkly SpeAking

The devil is in the detailsby Frank daly


GLOBAL COMPLIANCE: Thailand continued from page 39

Dinner and Social Events For Thais, eating is a central

and important activity. Sharing a meal is fundamental within Thai tradition and you should be ready to taste all dishes served. If the host is not wearing shoes when you arrive, make sure you remove yours before entering the dining room. In general, Thais will expect you not to talk about work-related issues during meals and adopt a calm attitude. Avoid talking about Thai monarchy, religious issues, or superstitions. It may be suggested that you pick up the tab for restaurant meals. This is actually a sign of respect as the wealthiest person is usually given the privilege of covering the cost of a meal. In general, there are no established tipping policies, but mid-range restaurants will include a 10 percent service charge on your check. When paying in cash or for smaller services, you can tip with any available coin.

Temple Etiquette During your visit to Thai-

land, you may be granted a visit to a temple. Temples are places of worship so treat your visit with utmost respect. Conservative dress is expected and flash photography should be avoided. Women should never touch or pass items directly to a monk.

Additional Facts: Thailand is a primarily Bud-

dhist country with 95 percent of Thais practicing the religion. The next most common religion is Islam at 4.6 percent, followed by Christianity at 0.7 percent, according to the CIA World Fact Book.

Reprinted with permission from ethisphere Magazine 2010/Q1

Notes:

1 Malcolm Gladwell, Dept of Education: “The Order of Things.” the new Yorker, February 14, 2011, page 68. Available at http://www.newyorker.com/reporting/2011/02/14/110214fa_fact_gladwell

2 ethisphere magazine “2010s 100 Most Influential People in Business.” January 31, 2011. Available at http://ethisphere.com/2010s-100-most-influential-people-in-business-ethics/

Editor’s Note: Frank Daly is a Kallman Executive Fellow at the Center for Business Ethics at Bentley University in Waltham Massachusetts. Frank was the Corporate Ethics Officer for a $30 billion Fortune 500 Corpo-ration since the compliance program’s inception in 1986 until his retirement in 2004. Frank has been a dedicated contributor to Compliance & Ethics Professional Magazine for several years, and we wel-come his unique perspective and insight. Frank can be con-tacted at [email protected].

BE SUrE TO GET YOUr CCEP CEUSComplete the Compliance & ethics Professional quiz related to the articles below:

The Compliance Covenant: More pull, less push—By Keith G. Read, page 4

Third-party risk management: Properly managing compliance of outsourced relationships—By Steve McGraw, page 30

Culture and values: “Adequate procedures” under the UK Bribery Act—By Ruth N. Steinholtz, page 52

new CEU Credit ProcedureVisit www.corporatecompliance.org/quiz to obtain one CEU per quiz. Select a quiz, fill in your contact information, and answer the questions. The online quiz is self-scoring and you will see your results almost immediately.

Or, you may FAX or MAIL the completed quiz to Liz Hergert at SCCE. Questions? Please call Liz Hergert at +1 952 933 4977 or 888 277 4977.

Please note that credit will be given only for quizzes received before the expiration date indicated on the quiz.

Only the first attempt to pass each quiz is accepted.

http://ethisphere.com/2010s-100-most-influential-people-in-business-ethics/





Multinational companies that conduct business using third-party intermediaries should, by now, be aware that they may have exposure under the US Foreign Corrupt Practices Act (FCPA) or the UK Bribery Act, if such intermediar-ies engage in prohibited practices such as bribery of foreign offi-cials. The significant FCPA-related fines and criminal exposure have prompted companies to review and strengthen their ethics and compli-ance program provisions relating to third parties. Specifically, compa-nies are taking action to identify their third-party intermediaries and conducting appropriate risk-based due diligence, consistent with the most recent guidance from the US Department of Justice (DoJ) and Securities and Exchange Commission,1 the Organisation for Economic Cooperation and Development (OECD),2 and the UK Ministry of Justice (MoJ).3

For some companies, the number of third parties can range from thousands to tens of thousands. For those companies, determin-ing which types of third parties represent the highest corruption risk and, as a result, demand the most attention is a good first step in mitigating that risk. That first

step, identifying categories of high-risk third parties, is often vexing and delays the implemen-tation of a due diligence program. This article focuses on some of the characteristics of third-party busi-ness relationships which should, when combined with other factors, enable a company to make efficient progress in addressing the highest potential compliance risks. Exter-nal factors which may heighten the risk, such as the country in which the third party operates and the extent of interaction with foreign officials, can be considered after first identifying categories of high-risk business relationships.

Third-party riskThe FCPA prohibits indirect

corrupt payments (and also offers, promises, or authorization to pay), and imposes liability for “know-ing” that a third party will make a corrupt payment. “Knowledge” means either being aware of such conduct or substantially certain that such conduct will occur or consciously disregarding a “high probability” that a corrupt payment or offer will be made.4 A cursory review of reported FCPA cases will illustrate that many involve actions by third-party intermediaries, such

as agents, joint venture partners, customs agents/logistics compa-nies, consultants, etc. The DoJ has made it clear that anti-corruption standards and procedures shall apply, where necessary and appro-priate, to outside parties in foreign jurisdictions such as agents, consul-tants, representatives, distributors, teaming partners, contractors and suppliers, consortia and joint ven-ture partners (emphasis added).5 The MoJ notes that an organiza-tion can be liable under the Bribery Act where someone who performs services for it pays a bribe, but that the organization will have a full defense and can avoid conviction if it can demonstrate that it had “adequate procedures in place to prevent bribery.”6

risk-based due diligence Regulatory authorities and

the OECD can be said to have endorsed a risk-based approach to address the corruption risk represented by third-party inter-mediaries. The DoJ has approved a risk-based FCPA and anti-cor-ruption due diligence work plan which addresses the use of agents and other third parties, commer-cial dealings with state-owned customers, joint venture, teaming

Third-party corruption risk: Identifying the high-risk partiesby dennis haist, cceP



or consortium arrangements, cus-toms and immigration matters, tax matters, and any government licenses and permits.7 In a recent Non-Prosecution Agreement, the DoJ required the company to develop compliance standards and procedures on the basis of a risk assessment addressing the foreign bribery risks facing the com-pany, including its geographical organization, interactions with government officials, industrial sectors of operation, involvement in joint venture arrangements, importance of licenses and per-mits, degree of government oversight and inspection, and volume and importance of goods and personnel through customs and immigration.8 The OECD identifies risk-based due diligence pertaining to the hiring, as well as the appropriate and regular oversight of third-party business partners as an essential element of an ethics and compliance program.9 The MoJ sim-ilarly endorses due diligence based upon a company’s risk assessment.10

Identifying high-risk third-party relationships

Five questions that can help identify high-risk foreign third-party relationships are:1. Will the third party have the

authority to act on behalf of your company in the nature of a principal–agent relationship?

2. Will your company and the third party be sharing in the risks and rewards of the

business relationship, such as in a joint venture?

3. Has the third party been rec-ommended based upon its technical expertise and knowl-edge of the business or based upon its connections and abil-ity to get things done in the local jurisdiction?

4. Will the third party be engaged to help your company obtain key permits or licenses or other permissions or have persistent contact with foreign officials who are vital to your company’s success?

5. Do you sell to foreign govern-ments and have third-party intermediaries in your sales channel who are closely associated with and highly dependent upon your company?

Application of criteriaBy way of example, the fore-

going questions or criteria can be applied to several common types of third-party relationships to yield relative risk rankings. Companies can then focus their resources on third parties within the highest risk category first, providing the high-est level of attention, including due diligence, at the earliest time.

Agents• Sales and MarketingForeign sales and marketing agents are often retained to develop business leads, assist in preparing proposals, and negotiate contracts or change

orders to contracts. They may or may not have the contractual authority to represent and/or bind your company. If they are pursuing public contracts, their compensation is success-based, and they have the reputation for strong local connections, they may fall into the high-risk category. An agreement containing vague descrip-tions of their services, compensation amounts, or other terms out of char-acter for the region or your business should add to the concern.

•Customs/LogisticsCustoms agents and logistics companies have persistent contact with foreign officials, are often designated as agents of the com-pany, and often operate with little oversight by the company they represent. They figure prominently in FCPA cases and may represent a high risk if your company depends on them for international move-ment of goods and personnel.

Joint venture partnersJoint ventures, teaming agree-

ments, consortia, and similar arrangements are often formed with foreign entities to ease entry into a foreign market and are some-times mandated by the foreign government if public contracts are involved. The partners share the risks and rewards of the joint venture, so your company may be viewed as benefitting from any joint venture advantage resulting from bribery. The risk represented



SCCE’s 2011 Educational Opportunities

DatES anD loCationS arE SubjECt to ChangE. for upDatES, viSitwww.corporatEcompliancE.org

SCCE is the premier provider of compliance and ethics education. faculty includes industry experts from around the world and professionals from the corporate environment, academia, government, and the law. attracting over 1,000 compliance and ethics professionals a year, SCCE events provide unparalleled networking opportunities, all with special discounts for members. programs are offered in the following formats to meet the diverse needs of this evolving profession.

compliancE & Ethics acadEmiEsThese four-day intensive training programs help those new to the profession quickly get up to speed and learn directly from experienced ethics and compliance professionals. The Certified Compliance and Ethics Professional (CCEP) examination is offered on the fifth day.

june 6–9 • Scottsdale, arizona

august 15–18 • las vegas, nevada

november 7–10 • San francisco, California

rEgional confErEncEsSCCE’s regional compliance conferences provide a forum to interact with local compliance professionals, share information about compliance successes and challenges, and gain the latest insights.

june 24 • West Coast • San francisco, California

june 30 • alaska • anchorage, alaska

october 14 • Southeast • atlanta, georgia

november 4 • Southwest • houston, texas

sccE wEb confErEncEs SCCE Web Conferences explore current hot topics for compliance professionals, providing instant and up-to-date education from the convenience of your own office. New conferences are announced regularly, and prior sessions are available for purchase on CD-ROM. Visit www.corporatecompliance.org for the latest updates.

higher Education compliance conference june 12–15 • austin, texasCompliance professionals in higher education gather with peers to discuss emerging issues, share best practices, and build valuable relationships.

10th annual compliance & Ethics institute September 11–14 • las vegas, nevadaSCCE’s annual Institute is the primary education and networking event for professionals around the world in compliance and ethics. Get insights you can use from expert presenters who share their latest methods and strategies for developing and improving compliance programs in this rapidly evolving profession.

Effective internal investigations for compliance professionalsnovember 10–11 • San francisco, CaliforniaA well-conducted internal investigation can help compliance and ethics officers quickly find and fix problems. A poorly conducted one can lead to morale issues, lost faith in the company’s integrity, and even litigation. This intensive educational program will cover the critical components that compliance and ethics officers need to know to conduct effective internal investigations.

2011SCCEConferences_1pagead_2c.indd 1 5/10/2011 11:08:53 AM


Third-party corruption risk: Identifying the high-risk parties continued from page 43

by a joint venture operating in a for-eign country may be essentially the same whether your company has a majority or minority interest in the joint venture, unless your com-pany has operational control and expatriate management with the requisite language skills to prop-erly oversee the joint venture and its dealings with foreign officials. Because the foreign joint venture partner is often selected because of its knowledge of local customs and practices, interactions with foreign officials are often left to the foreign joint venture partner and are con-ducted in the local language.

DevelopersLarge development projects can

involve local subsidies, land grants, zoning actions, and other permis-sions from local government officials. If your company has invested in a development project and/or is work-ing closely with a developer with an agreement to furnish equipment or construction services for the project, you may be viewed as benefitting from any advantage resulting from bribery by the developer.

ConsultantsConsultants figure promi-

nently in FCPA cases because a consulting agreement can be used to fund bribes directly or indirectly to a foreign official. Consultants engaged to help win public contracts and whose agree-ments contain vague descriptions of services or permit the retention

of sub-consultants should be included in the high-risk category.

Sales channel intermediariesSales channel intermediaries,

such as distributors, can represent high risk if they sell to foreign gov-ernments, are highly dependent on your product offerings, and are closely associated with your company. Close association can include such things as use of your company’s logo, joint marketing, referral of sales leads, and fund-ing by your company of marketing and sales initiatives or cash rebates that could be used to pay bribes.

ConclusionIf your company does business

overseas using third-party interme-diaries, your compliance program needs to address the bribery and cor-ruption risk represented by such third parties. An initial effort to identify the high-risk categories of inter-mediaries, based upon certain key characteristics of the business rela-tionship, will allow you to focus and tailor the depth of your subsequent due diligence efforts on those types of high-risk third-parties operating in high corruption risk geographies.

Editor’s note: Dennis Haist is the General Counsel of San Francisco-based Steele, a global business advisory and risk management company that provides investigative due diligence, risk assessments, and compliance program

development. He has devel-oped corporate compliance programs and conducted compliance-related internal investigations, and assists Steele’s clients in third-party risk assess-ment and compliance-related pretransactional due dili-gence. He may be contacted at [email protected].

Notes:

1 Non-Prosecution Agreement between the U.S. Department of Justice and RAE Systems, Inc., Appendix B (Corporate Compliance Program), December 10, 2010. Available at http://lib.law.virginia.edu/Garrett/prosecution_agreements/pdf/raesystems.pdf

2 OECD: Good Practice Guidance on Internal Controls, Ethics, and Compliance. Adopted February 18, 2010. Available at http://www.oecd.org/dataoecd/5/51/44884389.pdf

3 The U.K. Bribery Act 2010 Guidance, section 9. Guidance about procedures which relevant commercial organisations can put into place to prevent persons associated with them from bribing. Available at http://www.justice.gov.uk/guidance/docs/bribery-act-2010-guidance.pdf The Bribery Act 2010, Quick Start Guide available at http://www.justice.gov.uk/guidance/docs/bribery-act-2010-quick-start-guide.pdf

4 U.S. Dept of Justice: Foreign Corrupt Practices Act Statute and Regulations. Available at http://www.justice.gov/criminal/fraud/fcpa/statutes/regulations.html

5 Supra, 1.6 Supra, 3.7 U.S. Dept of Justice: Opinion

Procedure Release No. 08-02, Foreign Corrupt Practices Act Review, June 13, 2008 (requested by Halliburton Company). Available at http://www.justice.gov/criminal/fraud/fcpa/opinion/2008/0802.pdf

8 Supra 1.9 Supra 2, A(6).10 Supra, 3.

SCCE’s 2011 Educational Opportunities

DatES anD loCationS arE SubjECt to ChangE. for upDatES, viSitwww.corporatEcompliancE.org

SCCE is the premier provider of compliance and ethics education. faculty includes industry experts from around the world and professionals from the corporate environment, academia, government, and the law. attracting over 1,000 compliance and ethics professionals a year, SCCE events provide unparalleled networking opportunities, all with special discounts for members. programs are offered in the following formats to meet the diverse needs of this evolving profession.

compliancE & Ethics acadEmiEsThese four-day intensive training programs help those new to the profession quickly get up to speed and learn directly from experienced ethics and compliance professionals. The Certified Compliance and Ethics Professional (CCEP) examination is offered on the fifth day.

june 6–9 • Scottsdale, arizona

august 15–18 • las vegas, nevada

november 7–10 • San francisco, California

rEgional confErEncEsSCCE’s regional compliance conferences provide a forum to interact with local compliance professionals, share information about compliance successes and challenges, and gain the latest insights.

june 24 • West Coast • San francisco, California

june 30 • alaska • anchorage, alaska

october 14 • Southeast • atlanta, georgia

november 4 • Southwest • houston, texas

sccE wEb confErEncEs SCCE Web Conferences explore current hot topics for compliance professionals, providing instant and up-to-date education from the convenience of your own office. New conferences are announced regularly, and prior sessions are available for purchase on CD-ROM. Visit www.corporatecompliance.org for the latest updates.

higher Education compliance conference june 12–15 • austin, texasCompliance professionals in higher education gather with peers to discuss emerging issues, share best practices, and build valuable relationships.

10th annual compliance & Ethics institute September 11–14 • las vegas, nevadaSCCE’s annual Institute is the primary education and networking event for professionals around the world in compliance and ethics. Get insights you can use from expert presenters who share their latest methods and strategies for developing and improving compliance programs in this rapidly evolving profession.

Effective internal investigations for compliance professionalsnovember 10–11 • San francisco, CaliforniaA well-conducted internal investigation can help compliance and ethics officers quickly find and fix problems. A poorly conducted one can lead to morale issues, lost faith in the company’s integrity, and even litigation. This intensive educational program will cover the critical components that compliance and ethics officers need to know to conduct effective internal investigations.

2011SCCEConferences_1pagead_2c.indd 1 5/10/2011 11:08:53 AM




Companies that want to do business with the federal govern-ment must be ethical, not just avoid breaking the law. They must put a business ethics program and an ethics-related internal con-trol system in place to achieve that result. And they must rigor-ously exclude legally and ethically compromised individuals from exercising any discretionary authority in government con-tracts. That is the core message of the ethics mandates of the Federal Acquisition Regulation (the FAR) that went into effect in late 2008.

In legal circles, the most widely discussed feature of the 2008 FAR amendments is the switch from vol-untary to mandatory disclosure of fraud and other crimes discovered by government contractors.1 But, the FAR’s scheme for an effective ethics program sets up a new stan-dard for all organizations, even those unlikely to seek contracts with the federal government.

A summary of the FAr ethics mandates

The FAR’s basic policy requires all government business to be conducted “in a manner above reproach” and with “the highest degree of public trust and

an impeccable standard of con-duct…”2 [3.101-1] (Note: The numbers in brackets refer to sub-parts of the FAR.)

Government contractors “must conduct themselves with the highest degree of integrity and honesty.” [3.1002(a)]

Although the mandatory ethics provisions apply only to non-com-mercial contracts having a value of more than $5,000,000 and lasting longer than 120 days, the FAR recommends that all contractors adopt similar ethics policies and practices, regardless of size and type of contract. The ethics man-dates in the original draft of the amended FAR applied to all entities without exception. After receiving comments suggesting that these requirements would be dispro-portionately onerous on small businesses, however, the drafters changed the mandatory language to the current recommendation, making clear, however, that the federal government prefers doing business with companies that put an effective ethics program in place.3 Accordingly, the FAR states that all contractors should have a written code of business ethics and conduct. To promote compliance, they should also have an employee

business ethics and compliance training program and an ICS that (1) are suitable to the size of the company and extent of its involve-ment in government contracting, (2) facilitate timely discovery and disclosure of improper conduct in connection with government con-tracts, and (3) ensure corrective measures are promptly instituted and carried out. [3.1002(b)] More-over, all contractors must disclose fraud and illegal activity when discovered or risk suspension or debarment. [3.1003]

If the contract exceeds $5 million and lasts more than 120 days, the contractor must exercise diligence to prevent and detect criminal conduct and oth-erwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law. (These provisions do not apply to con-tracts for commercial items such as pens, pencils, automobiles, desks, etc., or to contracts that will be performed entirely outside the United States.)

All covered contractors must put a business ethics awareness and compliance program (BEACP) in place that includes:

The FAR raises the bar for ethics and compliance programsby Michael Palmer, Jd, Phd



• a written code of business ethics and conduct,

• an ethics code training program, • an ethics hotline reporting

system, and • a whistleblower protection

system. [3.1004(a) and 52.203-13(c)(1)]

All covered contrac-tors must also develop an Internal Control System (ICS) that: • establishes standards

and procedures to facili-tate timely discovery of improper conduct, and

• ensures corrective mea-sures are promptly instituted and carried out.

The ICS must: • assign responsibility at a suffi-

ciently high level and adequate resources to ensure effectiveness of the BEACP and ICS;

• take reasonable steps to ensure that no individual is included as a principal who has violated the contractor’s code of business ethics and conduct;

• provide for periodic reviews of company business practices, procedures, policies, and inter-nal controls for compliance with the contractor’s code of business ethics and conduct;

• provide for periodic reviews of company business prac-tices, procedures, policies, and internal controls for the special

requirements of government contracting, including:

− monitoring and auditing to detect criminal conduct;

− periodic evaluation of the effectiveness of the BEACP and ICS, especially if criminal conduct has been detected; and

− periodic assessment of the risk of criminal conduct, with appropriate steps to design, implement, or modify the BEACP and ICS as necessary to reduce the risk of criminal con-duct identified through this process;

• establish an internal reporting mechanism, such as a hotline, which allows for anonymity or confidentiality, by which employees may report suspected instances of improper conduct, and instructions that encourage employees to make such reports;

• take disciplinary action for improper conduct or for fail-ing to take reasonable steps to prevent or detect improper conduct;

• disclose in writing whenever the contractor has credible evidence that a principal, employee, agent, or subcontractor of the contractor has committed a violation of federal criminal law involving fraud, conflict of interest, bribery, or gratuity vio-lations or a violation of the civil

False Claims Act; and•protect whistleblowers

from all forms of repri-sals. [3.1002(b) and 52.203-13(c)(2)]

All covered contrac-tors must also display the Agency Hotline Poster. [52-203-14]

Improper business practices

In addition to the require-ments to develop a BEACP and ICS, the FAR also contains an extensive list of improper busi-ness practices that are specifically prohibited:• Gratuities to government per-

sonnel; [3.203]• Antitrust violations, including

collusive bidding, follow-the-leader pricing, rotated low bids, collusive price estimating systems, and sharing of the business; [3.301(a)]

• Contingent fees paid for solic-iting or obtaining government contracts; [3.402]

• Buying-in (i.e., the practice of submitting an offer below

“there is no kind of dishonesty into which otherwise good people more easily and frequently fall than that of defrauding the government.” benjamin franklin



The FAR Raises the Bar for Ethics and Compliance Programs continued from page 47

anticipated costs, expecting to increase the contract amount after it has been awarded and/or to receive follow-on contracts at artificially high prices; [3.501-1] and

• Subcontractor kickbacks (i.e., the payment of money, fees, commissions, credits, gifts, gratuities, anything of value, or compensation of any kind to anyone for the pur-pose of obtaining or rewarding favorable treatment in connec-tion with the prime contract). [3-502-1]

The internal control systemThe FAR provisions that

require the establishment of an ICS for ethics are a new feature in the federal law of corporate ethics. Neither the Federal Sentencing Guidelines nor the Sarbanes-Oxley Act have such a requirement; nor do the SEC regulations. Of course, the concept of internal controls in general is nothing new:

Internal controls are put in place to keep the company on course toward profitabil-ity goals and achievement of its mission, and to mini-mize surprises along the way. They enable management to deal with rapidly changing economic and competitive environments, shifting cus-tomer demands and priorities, and restructuring for future growth. Internal controls

promote efficiency, reduce risk of asset loss, and help ensure the reliability of financial statements and compliance with laws and regulations.4

The express purpose of the FAR-compliant ICS is to facilitate timely discovery of improper con-duct and to ensure that corrective measures are promptly initiated and carried out. [52-203-13(c)(2)(i)] But a properly developed ethics-related ICS will provide the organization with many addi-tional benefits.

The process of putting an ICS for ethics might include the fol-lowing steps:1. The board of directors should

adopt a resolution stating the organization’s commitment to the BEACP and ICS.

2. Create a committee of repre-sentatives from key segments of the organization, includ-ing accounting, legal counsel, manufacturing, customer ser-vice, sales and marketing, and government contracting charged with administering the BEACP and ICS.

3. Assign overall responsibility to the chief ethics and compli-ance officer or other high-level official.

4. Devise a system for collecting and analyzing data relevant to assessing the effectiveness and value of the BEACP and ICS with respect to a vari-ety of metrics, including, for

example, incidents of mis-conduct, fraud, employee engagement, turnover rates, productivity, and profitability.

Implementing the FAr ethics mandates

Business organizations (both for-profit and non-profit) consist of parts that work together in ways that create a whole. In other words, like natural beings, they (a) are complex systems contain-ing sub-systems, (b) are capable of interacting with other systems, and (c) are themselves sub-systems of a larger economic and social system. Like all complex systems, they must be able to adapt to changed conditions or die. Ethics and com-pliance professionals agree that ethics programs are effective only when they are “seamlessly inte-grated into the corporate culture and [have] become an integral part of the product and not a post hoc response to a problem.”5

Among other things, this nugget of systems theory means that we cannot effectively imple-ment the FAR ethics mandates by viewing them as a “done-that” item on a checklist, like changing the oil in an automobile. Creating an BEACP is a process of institu-tionalization (i.e., putting policies, procedures, and practices in place) and a process of learning and adap-tation. Communication, feedback, and relationship maintenance are key. In ethics and compliance cir-cles, it has become a truism that a



commitment to the highest stan-dards of ethics and integrity by the board and top levels of manage-ment are essential to success.

Put differently, the vari-ous tools of an effective BEACP (e.g., code of con-duct, reporting hotline, training, monitoring, enforcement) and the eth-ics-related ICS should be seen as strategic resources deployed in the overall effort to achieve the mis-sion of the organization. The code of conduct should not be just a col-lection of abstract rules plopped on top of a col-lection of other policies that few, if any, in the organization pay attention to—the “print, post, and pray” approach. Instead, the code must be an expression of and a means for inculcating the delib-erately chosen ethical values of the organization together with other policies and procedures designed to achieve its mission. Ethics training must not be a simple exercise that employees grudgingly “comply with” once every few years. Rather, just as good technical and man-agement training (e.g., Six Sigma certification and negotiation skills) are directly related to what people actually do, ethics train-ing must be infused with real-life scenarios and embedded in the workplace conversation. As a prop-erly designed sub-system of the organization, these parts interact

with, affect, and are affected by all other aspects of the company. If not, they will be little more than window dressing, which is not what the FAR has in mind.

Better still: The ombuds program

By requiring an ethics-related ICS, the FAR ethics scheme has raised the bar in the federal law of corporate ethics; but an organi-zational ombuds6 program could make it even better.

An organizational ombuds is an office to which anyone (e.g., executives, managers, and other employees) may bring any type of work-related problem, concern, or issue with assurance that the matter will be handled independently, impartially, and confidentially. The employees in an ombuds office have no managerial respon-sibilities and, when the office is properly structured, communica-tions with ombuds employees do

not constitute notice to the orga-nization of the concerns raised.7

An ombuds program provides many benefits to an organization not otherwise available through

the Legal Counsel’s office, the Human Resources department, or the Ethics and Compli-ance office. For example, using impartial facilita-tors, such programs help resolve squabbles, and even more serious prob-lems among employees, confidentially. But, they also provide a place where employees can share a wide range of ethics problems, from work-

place harassment to awareness of fraud and other misconduct.

According to one study, a majority of employees feel “a sub-stantial amount of pressure on the job” (60%) and “some pressure to act unethically or illegally on the job” (56%).8 But most employ-ees do not report this pressure through established channels. Charles Howard cites several stud-ies and surveys showing that only 1% or 2% of employees use ethics hotlines operated by third-party vendors to report such problems, and only 1%-10% percent report problems to ethics officers.9

By contrast, where ombuds offices are available, significantly more employees use them to bring up ethics problems. Without

“What keeps me awake at night is the concern that somewhere out there in my company, an employee faces an ethical dilemma and doesn’t know what to do or where to go to get help. As an executive, i can now be personally liable for the outcome of his/her decision.” ken frazier, merck



From its introduction in 2004, � e Complete Compliance and Ethics Manual has been serving SCCE’s mem-bership and the compliance and ethics industry by providing straightforward and practical advice and resources that support compliance and ethics profes-sionals in the implementation and management of their compliance, ethics and risk management programs.

With contributions and input from leading experts and practitioners, the new and improved edition of � e Complete Compliance and Ethics Manual has evolved in a number of key ways to give you the tools you need to e� ciently and e ectively improve your program:

� is valuable resource includes:

Greater focus and perspective on global applica-tion of ethics, compliance and risk management programs

Comprehensive coverage of emerging trends, new regulatory requirements and associated challenges, and key risk areas, including: – Anti-corruption/anti-bribery – Board engagement and oversight – Records and information management – Con� icts of interest – Risk Assessments – Mergers/acquisitions – Government contracting & FAR – Trade restrictions (export/import) – Antitrust/competition – Corporate social responsibility and sustainability – Ethics & culture – And much more!

Helpful guidance and recommendations on e ec-tive program implementation strategies and best management practices

Information and advice on program e ectiveness with references to important governing laws, stan-dards and guidelines

Sample tools, templates and other resources that will aid in program development and implementation

Periodic updates will be made available through an annual subscription

MEMBERS $359 | NON-MEMBERS $399

PLACE YOUR ORDER NOW ATwww.corporatecompliance.org

The Complete Compliance and Ethics Manual (2ND EDITION)

6500 Barrie Road, Suite 250, Minneapolis, MN 55435, United States+1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org

SCCECompEthicsManual_CT1pagead_2c.indd 1 6/29/2010 8:39:55 AM


The FAR Raises the Bar for Ethics and Compliance Programs continued from page 49

an ombuds program, 28%-35% would not have brought up their issues at all, 13%-25% would not have brought them up as quickly, and 8%-10% would have left the company.10 This has particular value where employees fear retali-ation if they blow the whistle by using standard channels and would support the FAR’s goal of encouraging and protecting whistleblowers.

Experts stress that an ombuds program supplements, but does not replace, an ethics hotline and other reporting channels. “A well-communicated hotline, a strong independent Audit Committee, a professionally staffed Human Resources department, an ombuds program, and an effective compli-ance program are all key elements for successful communication of compliance issues.”11

An ombuds office can alert the management to systemic ethics-related problems without revealing confidential information provided by any single employee. As Charles Howard put it, “an organizational ombudsman pro-gram . . . has a much broader focus [than a hotline] and more time and tools to bring to bear on people’s concerns—for the benefit of those people as well as for the organization.”12

ConclusionIn Stan Freberg’s 1956 parody

of The Great Pretender, a hip pianist rebels against playing a

monotonously repetitive rhythmic chord he calls “that pling-pling-pling jazz,” preferring to play like George Shearing instead. Finally, the exasperated singer shouts, “You play that pling-pling-pling jazz, or you won’t get paid tonight.” Pause. Pling-pling-pling.

Companies are required to comply with the FAR’s ethics jazz—to be ethical—only if they “want to get paid tonight.” But all leaders who want to build endur-ing organizations that achieve their missions, perform at the highest levels, and excel financially would do well to use the FAR’s ethics mandates as the basic structure of an effective ethics program.

this article is an abbreviation and adaptation of portions of the author’s forthcoming book, Comply-ing With the Ethics Mandates of the Federal Acquisition Regulation.

Editor’s note: Michael Palmer is an ethics and litigation risk management consultant and Program Director at Ethics by Design. He may be contacted in Middlebury, Vermont by e-mail at [email protected] or at http://www.ethicsbydesign.com/.

Notes:

1 See, e.g., Guide to the Mandatory Disclosure Rule: Issues, Guidelines, and Best Practices (American Bar Association, 2010).

2 A pdf version of excerpts containing the FAR ethics mandates is available on the Ethics By Design website.

3 See 73 Fed. Reg. No. 219 at 67065-67066 (Wednesday, Nov. 12, 2008).

4 Committee of Sponsoring Organizations of the Treadway Commission, Internal Control – Integrated Framework 3 (1994).

5 H. Lowell Brown: “The Corporate Director’s Compliance Oversight Responsibility in the Post Caremark Era,” 26 Del. J. Corp. L. 1, 144 (2001).

6 The term “ombuds” is widely used by ombuds professionals, presumably to avoid the gender issues. The more common term is “ombudsman,” which is gender neutral in the original Swedish.

7 This summary description is based on Charles L. Howard: The Organizational Ombudsman: Origins, Roles, and Operations. A Legal Guide (Chicago: American Bar Association, 2009).

8 Edward S. Petry et al., Sources and Consequences of Workplace Pressure: Increasing the Risk of Unethical and Illegal Business Practices, 99 Business & Society Review 25, 25-26 (1998) (cited in Howard, supra n. 12, at 158).

9 Howard, supra n. 12, at 162-163.10 Id. at 178 (citing survey data from

The Ombudsman Association on file with the author)

11 Id. at 171 (quoting Patrick Gnazzo (former chief compliance officer at United Technologies Corporation and at CA, Inc.) in Martin T. Biegelman, Building a World-Class Compliance Program 102 (New York: John Wiley & Sons, Inc., 2008).

12 Id. at 180.

From its introduction in 2004, � e Complete Compliance and Ethics Manual has been serving SCCE’s mem-bership and the compliance and ethics industry by providing straightforward and practical advice and resources that support compliance and ethics profes-sionals in the implementation and management of their compliance, ethics and risk management programs.

With contributions and input from leading experts and practitioners, the new and improved edition of � e Complete Compliance and Ethics Manual has evolved in a number of key ways to give you the tools you need to e� ciently and e ectively improve your program:

� is valuable resource includes:

Greater focus and perspective on global applica-tion of ethics, compliance and risk management programs

Comprehensive coverage of emerging trends, new regulatory requirements and associated challenges, and key risk areas, including: – Anti-corruption/anti-bribery – Board engagement and oversight – Records and information management – Con� icts of interest – Risk Assessments – Mergers/acquisitions – Government contracting & FAR – Trade restrictions (export/import) – Antitrust/competition – Corporate social responsibility and sustainability – Ethics & culture – And much more!

Helpful guidance and recommendations on e ec-tive program implementation strategies and best management practices

Information and advice on program e ectiveness with references to important governing laws, stan-dards and guidelines

Sample tools, templates and other resources that will aid in program development and implementation

Periodic updates will be made available through an annual subscription

MEMBERS $359 | NON-MEMBERS $399

PLACE YOUR ORDER NOW ATwww.corporatecompliance.org

The Complete Compliance and Ethics Manual (2ND EDITION)

6500 Barrie Road, Suite 250, Minneapolis, MN 55435, United States+1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org

SCCECompEthicsManual_CT1pagead_2c.indd 1 6/29/2010 8:39:55 AM



http://www.ethicsbydesign.com/

http://www.ethicsbydesign.com/



As the UK Bribery Act of 2010 comes into force, many global ethics and compliance profession-als will be wondering what they must do to ensure that their com-panies have “adequate procedures” in place to combat bribery. This article will explore how culture and values play a role in estab-lishing adequate procedures and suggests using part-time “ethics ambassadors” to assist in this endeavour.

The Bribery Act introduces a specific corporate offence of failing to prevent bribery and establishes the concept of “adequate proce-dures” as a potential defence to that failure. A US Foreign Cor-rupt Practices Act (FCPA)-driven compliance programme will con-tain many of the elements needed; however, it may not be sufficient to address the wider scope and the approach of the Bribery Act. One notable difference is the ban on facilitation payments contained in the UK Bribery Act. This article will not address the specific legal differences; rather it will advocate a particular foundation on which to build adequate procedures.

On March 30th, 2011 the UK Ministry of Justice issued its final Guidance concerning the adequate procedures defence to the corpo-rate offense of failing to prevent bribery. On the same day, the Seri-ous Fraud Office (SFO) and the Director of Public prosecutions published their joint guidance for prosecutors for offences under the UK Bribery Act. The Adequate Procedures Guidance contains the Six Principles for Bribery Prevention Guidance to assist organisations in complying with the Act. The principles themselves are not prescriptive; rather they are “outcome focused” and meant to be flexible and to be adapted by organisations depending on their size, the challenges they face, and other relevant circumstances.

The six principles for bribery prevention as set out in the Guid-ance are:1. Proportionate procedures 2. Top level commitment 3. Risk Assessment4. Due diligence5. Communication (including

training)6. Monitoring and review

The use of principles, rather than a reliance solely on more detailed and prescriptive rules, has been a feature of the regula-tory regime for the UK financial services since the 1990s. “Prin-ciples-based regulation” was a term coined by the UK Financial Services Authority with the aspi-ration that regulation which is based upon principles is actually farther reaching than that based on detailed rules. No amount of compliance-based rules will be sufficient, as rules can be open to interpretation and circum-vention. In a compliance-based system, if something is not explic-itly prohibited, it is allowed. In a principles-based system, it would not be allowed if it was not in accordance with the principles.

Although there is a need for both ethics and compliance, too much emphasis on compliance can be counterproductive. It can erode trust, which is required in any organisation to foster a cul-ture of “doing the right thing” and may lead to a culture where the lowest common denominator of behaviour is all that is achieved, or worse, aspired to.

Culture and values: “Adequate procedures” under the UK Bribery Act by Ruth n. steinholtz



The role of corporate culture

Principle 2 illustrates the dif-ference. Principle 2 is top-level commitment, which means that the responsibility for establishing a culture across the organisation, in which bribery and corruption are considered unacceptable, is owned by the board and senior manage-ment. The mere statement that this is the case will, of course, not be sufficient. The prosecutors will want to see evidence that manage-ment is leading by example and consistently exhibiting appropri-ate values and behaviours. In other words, they will want to look at the corporate culture.

Another example of the cru-cial role of culture in developing adequate procedures is the topic of whistleblowing. The compli-ance approach would require the establishment of a whistleblow-ing hotline and the monitoring of input to the hotline. The prin-ciples- or values-based approach would say that this would not be enough if the culture was one of fear of speaking up. Therefore, additional steps would have to be taken to develop a culture of open communication and accountabil-ity, if this did not already exist.

What are the potential pitfalls with a principles- or values-based approach, and how can these be dealt with? The international nature of today’s business means that organisations must be sen-sitive when seeking to develop

and embed a set of ethical values consistently throughout the com-pany—and around the globe. Cultural differences must be con-sidered in the company’s choice of values and also in the process used to embed those values. Embed-ding values, and indeed the code of ethics, should be a dialogue between the organisation and its employees.

Just as it is not enough to merely publish a code of ethics and expect that it will “stick,” simply translating a code of ethics into different languages is not enough to ensure that its messages are communicated effectively and meaningfully to staff in other ter-ritories. Different countries and cultures may have different inter-pretations of how to apply those values into what is considered “ethical” practice.

Embedding ethical principles for business conduct throughout an organisation so that they form the basis of the culture, deci-sion making, and behaviour is a challenging process that requires sensitivity, patience, and resources. However, it is far easier and more effective than trying to commu-nicate a complicated set of rules and trying to ensure they are applied consistently in every place where the company does business. An excellent way to support the embedding of ethical values and the various elements of an ethics programme is by using ethics ambassadors.

Ethics ambassadorsEthics ambassadors are

employees selected to formally assist senior management in promoting and embedding the company’s values, ethics poli-cies, anti-corruption codes, and other related policies. They help ensure that ethics programmes have both a relevancy and consis-tency throughout a multinational organisation.

The post of ethics ambassador may be full-time or may be taken on in addition to an employee’s day-to-day job. Ethics ambassa-dors will normally be positioned throughout the company (across business units, geographical loca-tions, and/or the hierarchy of an organisation) and form an informal “network” of diverse employ-ees with similar responsibilities. I would suggest that employees who have varying functions across the organisation become ethics ambassadors in addition to their normal duties. Ethics is everyone’s responsibility, and incorporating responsibility for supporting it in this way helps to reinforce that message. Some full-time support will also be required, but in the main, I favour this approach.

Training and preparation of ethics ambassadors is key to the success of the programme. They must have adequate and appro-priate level of training for the responsibilities that they are given; otherwise their appointment is



Culture and values: “Adequate procedures” under the UK Bribery Act continued from page 53

likely to be seen as mere “window-dressing.” This does not mean that they must become experts, but it does mean that they have the basic understanding and skills demanded of the role.

Ethics ambassadors may be helpful in demonstrating ade-quate procedures in many ways. By providing local knowledge, language, and case studies, they help make the ethics programme relevant to the needs of the local operating environment. This encourages buy-in from employ-ees and decreases the likelihood of misconceptions which commonly arise from faulty translation or clumsy choice of wording. Poor translation can create inadvertent resistance. An example of this is the use of the word “collaboration” in Europe, with its connotations of World War II. A less controversial choice would be “cooperation.” Historical context can be impor-tant to the perceived meaning of a word, and taking this into con-sideration is best done by someone familiar with the local culture and company history. Other transla-tion errors can cause employees to feel patronised or resentful.

Continual risk assessment is another element of adequate pro-cedures where ethics ambassadors can contribute. Companies are required to have some kind of pro-cedure whereby they are informed of both internal and external matters which may affect the development and implementation

of the ethics programme. A net-work of ethics ambassadors can be a conduit for feeding infor-mation to a central Ethics and Compliance office and assist in monitoring the effectiveness of policies and procedures.

Principle 5 of the Six Principles is “Communication (including training).” A programme must be effectively implemented and embedded through all areas of the business, from recruitment to training. A network of ambassadors is well placed to ensure that all rel-evant policies are communicated effectively. Ambassadors may also deliver training, providing local knowledge so that messages are communicated appropriately with scenarios which will be relevant to employees. Ethics ambassadors can also help to insure that policies and procedures are “clear, practical and accessible,” as is required by Principle 4.

Ethics ambassadors can also act as a local point of contact, so if an employee has a query or an ethical dilemma, they can talk to a local person, rather than a tele-phone helpline or a more formal contact with the head office. Ambassadors may record and report issues, and occasionally (with proper training) help con-duct investigations into unethical behaviour. However, as their name suggests, it is as advocates for the ethics programme that ambassa-dors are most valuable.

Borealis’ experienceIn 2005, when Borealis, a

leading provider of innovative plastics solutions based in Den-mark at the time, had completed the design phase of its Ethics Excellence Programme, the small team who had the responsibility for rollout and implementation were pondering the question of how to ensure that the concepts underpinning our approach to business ethics were consistently communicated throughout the organisation. We asked ourselves, how could we embed ethical deci-sion-making and knowledge of the ethics policy and procedures throughout the entire company with scarce resources?

It was not consistent with the culture of Borealis to have a separate Compliance department, because ethics was already con-sidered to be a line responsibility. However, we feared that there could be inconsistent messages or an uneven commitment to the subject by busy managers. We were convinced that, after appro-priate training, employees from any discipline would be capable of assisting to embed the concepts, just as we were doing when creat-ing the programme. For example, there was nothing in ethics that was more complicated than being an operator in the control room of one of our hugely complex petro chemical plants. Also, we had the example of a Step Change in Safety programme, already in


progress, which was also based on individual responsibility. Ethics was no different in our view.

So, we decided that we would create a network of ethics ambassa-dors, thus ensuring that there were trained, native-language speaking people in each company location and business unit. The number of ambassadors was therefore deter-mined by geography, linguistic need, and number of employees, as well as organisational structure. We needed enough ambassadors so that no one person would have too much of a burden when it came to facilitating training workshops, because they would all continue with their day jobs. We needed people in all of the different businesses and locations who could generate training sce-narios for the face-to-face training. And, we knew that these people should be connected to each other in order to share best practice and challenges.

Ethics culture bearersIn recent years, pressure

from regulators has resulted in the growth of large Compliance departments within many com-panies. It is far easier to measure the number of compliance offi-cers in a company, or the number of employees who have taken an online training course, but are these measures really indicative of an ethical culture, or, as we will now have to prove, “adequate procedures” to prevent bribery?

It is increasingly possible to mea-sure “culture,” and the extent to which company values are shared across the organisation, by using various tools to determine whether employees believe that the organ-isation is living up to its values or not. There is a growing consen-sus that ethical values are a part of everybody’s job, not some-thing that is the sole province of a separate Compliance (or Legal) function. However, there is less knowledge about how to measure the effectiveness of programmes to create sustainable ethical behav-iour, but I believe that things are changing in this regard.

Ethics ambassadors are a form of ethics culture bearers. Deploying ethics ambassadors is empowering, both to the ambas-sadors and their colleagues. Cross-functional ethics ambas-sadors will also help to ensure that ethics does not operate in a silo, separate from the daily busi-ness processes of the organisation. Establishing an ethics ambassa-dors network, distributed across the organisation geographically, departmentally, and hierarchically, can help ensure ethical values are part of “the way business is done around here.”

Creating a culture of integ-rity and openness—where ethical dilemmas are discussed and debated and employees feel supported to do the right thing—is a powerful way to mitigate against the risk of corruption and

will be a strong element in creat-ing adequate procedures to prevent bribery. Indeed, a healthy ethical culture is the basis of a sustain-able business in the long term. No company should feel that the requirement to have adequate procedures to prevent bribery is anything other than good man-agement sense.

Editor’s note: Ruth N. Steinholtz assists organisations in the development of values-based ethics programmes, focusing on change man-agement and leadership at all levels as the fundamental building blocks of sustain-able ethical performance. Previously, Ruth was General Counsel of Borealis AG, where she was responsible for the development and embed-ding of the company’s Ethics Excellence Programme. She co-authored with Judith Irwin on the new Good Practice Guide ethics ambassadors, available from the Institute of Business Ethics (www.ibe.org.uk). Ruth may be contacted at [email protected].

http://www.ibe.org.uk

http://www.ibe.org.uk




BELGIUm• Andrea Borrell Vila, Baxter World

Trade SA• Peter Moeller, UCB SA

BOLIvIA• Christian Zelada, Chaco SA

BrAzIL• Sabrina Calixto, Prudential Do

Brasil Seguros De Vida SA• Fabricio Lins, Gerdau Acos Longos

SA• Rogerio Moleiro, Philip Morris

Brasil• Fernando Palma, Archer Daniels

Midland Company• Danielle Sanavio, Siemens• Mariana Teixeira, Gerdau Acos

Longos SA

• Erica Winter

CAnAdA, ALBErTA• Grant Kowpak, TransCanada

PipeLines• K. Lynn Meyer, Capital Power Corp

CAnAdA, BrITISh COLUmBIA• Wenata Babkowski, Mercer

(Canada) Limited• Susan Dicks, Direct Energy• Nicola Taran, Direct Energy

COLOmBIA• Juan Carlos Noguera Serrano, Gases

De Occidente SA ESP• Ana Maria Buitrago, Promigas SA

ESP• Viviana Nule, Surtigas SA ESP• Paoia Jimena Ramos Caicedo,

Compania Energetica De Occidente SA ESP

• Sagrario Del Socorro Urruchurtu

Hernandez, Surtigas SA ESP

GrEECE• Maria Gkioulmpaxioti, Ru Hellas

SA

PhILIPPInES• Raqueliz M. Facun, Omgeo LLC

POrTUGAL• Rui Souto

SInGAPOrE• Shirley Goh, Visa Worldwide PTE

Limited• Siew Hwee Koh, Visa Worldwide

PTE Limited

UnITEd ArAB EmIrATES• Uzzair Ahmed, Corporate Research

and Investigations LLC• Zafar Anjum, Corporate Research

and Investigations LLC• Mary Queen, Corporate Research

and Investigations LLC• Kanwal Zafar, Corporate Research

and Investigations LLC

UnITEd KInGdOm• Robert Bond, Speechly Bircham LLP

ALASKA• Leslie W. Crocker, Business

Integration Solutions LLC

ArIzOnA• Ayodele Adesegun Sodimu

ArKAnSAS• Jim Farinelli, Walmart Stores Inc.• Brenda Ledford, Tyson Foods Inc• Mike Patten, Wal-Mart Stores Inc.• Ken Woodlin, Wal-Mart Stores Inc

CALIFOrnIA• Cynthia Adams, Southern

California Edison• Bret Bechis, VMware,Inc

• Sabrina Brutus, Progress Investment Management Company, LLC

• Jason Campbell, LA County MTA• Katherine Edwards, Kje• Dale Fullwood, Parker Hannifin Corp• Allegra Gaines • Greg Hyndman, Global Compliance

& Ethics• Pamela D. Koyzis, California

Institute of Technology• Steven Long, Pacific Gas and Electric• Lisa Milanes, California ISO• Janice K. Mirza, California State Univ• Cheryl Mullally, Southern

California Edison• Charles Pak, VMware,Inc• A. Merrill Philips • Dean Prater, Alameda County

Employees Retirment Association• Tracy Preston, Levi Stauss & Co• Donney Ramsey, Edison Mission

Group• JP Shotwell, Southern California

Edison• Katherine P. Snodgrass, California

Institute of Technology• Judy Starling, InterMune• Kenneth Stewart, The Church of

Jesus Christ of Latter-Day Saints• Cindi Peterson Tompkins, ESRI• Richard Vine, California

Independent System Operator• Stuart R. White, Nuvasive Inc• Sadaf Yamin, VMware,Inc

COLOrAdO• Laurel Burke, CenturyLink • Lisa Hunter, Amstar Advisers, LLC• Beth A. Katzenberg, Colorado

Foundation for Medical Care• Barbara Mettler, Spanish Peaks

Mental Health Center

Welcome to SCCEthe Society of corporate compliance and ethics welcomes the following new members and organizations. All member contact information is available on the Scce website, www.corporatecompliance.org, in the members-only section.

Scce’S neW memberS



COnnECTICUT• William M. Brown, Knights of

Columbus• Frank J. Chesky, Sportech, Inc

dELAWArE• Paula Jenkins-Massie, Wilmington

Trust Company

FLOrIdA• Peter Crosa, ethics-speaker.com• Caroline Fultz-Carver, Univ of

South Florida• Wendy Morrow, JTA• Jeffrey A Muir, Univ of South

Florida• Hope Newsome, Newport Group

Securities Inc• Christian Wistehuff

GEOrGIA• Randy England, Reeves Construction

Company • Scott D. Nader, AMEC PLC• Tia Panch, Gulfstream Aerospace

Corp• Derrick Storm, United States Postal

Service

hAWAII• Adam R. Jacobsmeyer, BYU-Hawaii

IdAhO• John Kalb, Kootenai Health

ILLInOIS• Kenneth Amos, Walgreens• Sharon Anderson, American Hotel

Register• Cathy Bodnar, Cook County Health

& Hospitals System• Donna J. Brasky, Astellas Pharma

US Inc• Cheryl Cravens, Heitman• Cheryl M. Cromer, United Stationers

Supply Co• Sheryl Head, SwedishAmerican

Health System• Bettye Hill, Walgreen Co.• Mariya A. Kozlova, Gateway

Foundation, Inc.

• Marsha Liu, Northwestern Memorial Hospital

• Eve Moran • Dalia Sen

IndIAnA• Gary Butkus, Eli Lilly and

Company• Randel Clark, Eli Lilly and

Company• Gordon L. Scott, NiSource Inc

IOWA• Helen Adams, Pioneer Hi-Bred

International, Inc• Karee Vernon, Pioneer Hi-Bred

International, Inc

KAnSAS• Tariq Abdullah, Kansas Bioscience

Authority• Sherrie A. Williams, Spirit

AeroSystems, Inc

KEnTUCKY• Rachael Givens, ResCare, Inc

LOUISIAnA• Kimberly S. Higgins, Kinder Morgan• Dean L. McInnis, Kinder Morgan

mArYLAnd• Cheri Battee • Marianne Bechtle, Centers for

Medicare & Medicaid Services• Salvatore Ceraolo, Northrop

Grumman• Kimberly J. De Chello, KEYW Corp• Gwendolyn M. Pal, KEYW Corp• Jay G. Reilly, Emergent Bio Solutions• Nancy M Simpson, KPMG LLP

mASSAChUSETTS• Lewis Beilman, Osram Sylvania• Ellen Chiniara, Alere Inc.• Robert A. Jordan, Siemens/Osram

Sylvania• George Maden, Sun Life Financial• Christine Meyers, Inverness Medical

Innovations, Inc.• Nancy Repice, Univ of Massachusetts

Medical School

• Greg Rotatori, Omgeo LLC• Kerry Scarlott, Goulston & Storrs, PC

mIChIGAn• Thomas J. Kopera, DTE Energy• Catherine L. Ruster, Emergent

BioSolutions Inc

mInnESOTA• Donald Franke, Smiths Medical• Mary Lou Freathy, Paddock

Labaratories, Inc• Thomas R. Lorang, Target Corp• Nancy C. Riley, Kroll Ontrack

mISSOUrI• Robert E. Anderson, Kansas City

Power & Light Co• Patrick Baumhoer, Associated

Electric Cooperative, Inc.• David Douglass, KCP&L• Laura Ellsworth, Gateway Insurance

Company• David Henley, WellPoint• Sharon Nunley, Hannibal Regional

Hospital• Lisa Reeves, Siemens Energy Inc.• Nitish Singh, Saint Louis Univ

nEW JErSEY• Mojola K. Adewumi, State of New

Jersey• Russell Ball, Telcordia Technologies,

Inc• Jacki Cheslow, Avis Budget Group• Scott Ernst, Air Cruisers Company• Daniel J. LaFrance, Colas Inc• Barbara Landmann, Alcatel-Lucent• Anthony L. Martino, Colas, Inc• Mary Rosenbauer, Sportech Racing• Jeanne Seigle, Chubb & Son/

Federal Insurance Company

nEW mExICO• Joyce Montes, Providence Service

Corp




nEW YOrK• Mikhail Belov, FTI Consulting• Teuta Bitici Mercado, Dragados-USA• Stefani Bonato, Judlau Contracting Inc• Ruthann Granito Niosi, Studio

Legale Sutti• Corinne Lanuti, Siemens Corp• Jim Moore, Merrill Corp• Nicholas Palas, NYISO• Maria Sattler, NBTY, Inc• Lisa Volo, Human Technologies Corp

nOrTh CArOLInA• Peter Anderson, Anderson Terpening

PLLC• Malinda Falardeau • Jodi Monteiro, Talecris Biotherapeutics• Marisa Sifontes, SERC Reliability

Corp• Jennifer Verruto, Harris Teeter, Inc.

OhIO• Fred Ange, Parker• Paul E. Fiorelli, Xavier Univ• Joseph Oddi, Hyland Software, Inc

OrEGOn• Tami J. Endicott, Mt View Hospital• Matthew A. Schroettnig, Bonneville

Power Administration

PEnnSYLvAnIA• Ronald Change, Curtiss-Wright• Daniel Cornali, HRI, Inc.• Sharon Grunwald, Glaxo Smith Kline• Mark H. Mapp, P. H. Glatfelter

rhOdE ISLAnd• Kathleen Holt, Plan USA

TEnnESSEE• Beverly Cawthon, Aegis Sciences Corp• Robert DelPriore, Baker Donelson

Bearman Caldwell & Berkowitz, PC• Darcie Duckworth, Aegis Sciences

Corp• Cheryl Maplesden, Aegis Sciences Corp• Jack K. Matens, Russ Blakely &

Associates

• Bradley Ottinger, Baker Donelson Bearman Caldwell & Berkowitz, PC

• Steve Pickens, Aegis Sciences Corp• Brad Reid, Lipscomb Univ• Earl Schliesman, Univ of Tennessee• Robert L. Stewart, Oak Ridge

National Laboratory

TExAS• Dwain Akins, American National

Insurance Company• Blake L. Barlow, Univ of Texas at

Austin• Eric Bowman, Celanese• Kesha Boykin-Mclean, Houston

Community College• Diana K. Floyd, Synagro

Technologies• Michael Frank, American Bureau of

Shipping• Beverly Huff, Calpine• Ursula Ann Logan, ERM• Tonia McGaffie, Mercer• Nike Otuyelu, Universal American• Karen Payne • Erin Pinegar, The Univ of Texas

Intercollegiate Athletics• Kathy J. Powell, Pride International, Inc.• Nicole Richards, Heart to Heart

Home Care LLC• Shawn Rogers, American Bureau of

Shipping• Hector Alfonso Sanchez • Steve Scarpino, BP• Kathlynn Self, Universal Weather &

Aviation, Inc.• Jose A. Solis, Lloyd’s Register

Americas, Inc.• Brandon L. Spencer, 20/20

Communication• Mindy Thompson, The Univ of Texas

Intercollegiate Athletics• Trace Wilgus, The Univ of Texas

Intercollegiate Athletics• Joya F. Williams, Transocean• Sarah Yancey, Transocean

UTAh• Sharon Harned, Intermountain

Healthcare Virginia• Walter Arnold, Altria• Laurie Blackburn • David Bourne, Deloitte• Christiana Franchet, L-3

Communications• Kristen Galloway, BRTRC• Timothy Janes, Capital One Gregory

Nixon, DynCorp International• Charity Pomeroy, Ethos LLC

WAShInGTOn• Elaine Bailey, PopCap Games• Reina Cabatana, Microsoft• Monica Reinmiller, Univar• Leslie R. Schenck, Univar USA Inc• Steve Secrist, Puget Sound Energy• Arthur Volkle, Marine Resources

Group, Inc.

WISCOnSIn• Allan Crider, Pentair

WAShInGTOn dC• Jamel Harling, US Federal

Government• Heather Janssen, AARP Services Inc.• Vincent Lacovara, The George

Washington Univ• Dorn McGrath, Greenberg Traurig,

LLP• Tina M. White, Federal Reserve Board

New Members continued from page 57


To learn more and register, visitwww.internalinvestigations.org

A TWO-DAY WORKSHOP

NOVEMBER 10–11, 2011 | SAN FRANCISCO, CALIFORNIA

How Investigations Fit into the Context of Compliance Programs

Latour ‘LT’ Lafferty, CCEP, CHC, Practice Leader, Fowler White Boggs P.A.

Setting Policies and Guidelines for Conducting Internal Investigations

Al Gagne, CCEP, Director, Ethics & Compliance, Textron Systems Corporation

How to Plan an InvestigationMeric Bloch, CCEP, CFE, PCI, JD, Vice President-Compliance and Corporate Investigations, Adecco Group North America

Conducting Effective Interviews

Michael Johnson, Esq., Co-President, Global Compliance, Brightline Learning Division


Gathering Documentary Evidence

Meric Bloch, CCEP, CFE, PCI, JD, Vice President-Compliance and Corporate Investigations, Adecco Group North America

Forensics and Electronic Documents

Andy Teichholz, Daylight Forensic & Advisory LLC

Investigation Pitfalls and How to Avoid Them


Preparing the ReportAl Gagne, CCEP, Director, Ethics & Compliance, Textron Systems Corporation


Discipline, Follow Up and Closing the Loop


Investigations RoundtableAl Gagne, CCEP, Director, Ethics & Compliance, Textron Systems Corporation

Michael Johnson, Esq., Co-President, Global Compliance, Brightline Learning Division



EffectiveInternal Investigations

for Compliance Professionals




Register Now

Visit www.complianceethicsinstitute.org/hotel for details on booking your hotel stay at The Cosmopolitan of Las Vegas.

Rick Harrison, from the hit TV series HISTORY’s Pawn Stars, will address the 10th Annual Compliance & Ethics Institute on Monday, September 12.

Compliance & Ethics Institute September 11–14, 2011 | Las Vegas, Nevada, USAThe Cosmopolitan of Las Vegas

10TH ANNUAL

www.complianceethicsinstitute.org