I often write about what I call the McNulty Maxims of
Compliance. I heard them in a presentation by Paul McNulty to the Houston
Chapter of the Texas General Counsel Association in my most recent corporate
position. They were (1) What did you do to prevent it?; (2) What did you do to
detect it?; and (3) What did you do when you found out about it? These three maxims
generally translate into (1) Your compliance program, made up of policies and
procedures; (2) Your internal controls to serve as both a front-line detection
and back-up against corruption; and (3) What remedial steps did your company
take when it discovered the issue of concern?
So how does a compliance practitioner create the compliance
program, or in McNulty Maxim terms create a "What did you do to prevent it?"
compliance program? Many companies are still in the infancy of creating their
compliance programs with their General Counsel or perhaps hiring an initial
Compliance Officer. This person or persons may be somewhat overwhelmed about
how to even get started. Transparency International, in its "Business
Principles for Countering Bribery: TI Guidance Document" ("Guidance
Document") has provided a specific road map for the implementation of a
compliance program. Although the Chapter in the Guidance Document is designed
for Transparency International's "Principles for Countering Bribery: TI Six
Step Process", this process
can be used as a guide for any compliance practitioner who must create a
compliance program or who needs a guide to assess whether a compliance program
should be enhanced.
Action: Decide to develop an anti-bribery and
Primary Responsibility: Owner of Company/Board of
Directors/Chief Executive Officer (CEO).
Process: Commitment to anti-bribery and anti-corruption
policy from the top of the company. Appoint a senior manager to head the
compliance function and cross functional Project Team.
Time Span: One Month.
Action: Plan the compliance program implementation.
Primary Responsibility: Appoint a senior manager of the
Project Team, preferably the new Chief Compliance Officer (CCO).
Process: Define specific company risks and review current
practices through a risk assessment, review all anti-bribery and
anti-corruption, develop an initial draft of the compliance program and
obtain buy-in from senior management and key stakeholders through the risk
Time Span: 3 to 6 months
Action: Plan the project implementation: Appoint a senior
manager to head risk assessment or bring in an outside expert.
Primary Responsibility: CCO or outside expert.
Process: Integrate the compliance program into your
company's organizational structure and assign appropriate responsibilities,
develop detailed implementation plan including human resources policies, a
communications program and training programs.
Time Span: 3 to 6 months.
Action: Implementation: Getting the compliance program
Primary Responsibility: CCO in conjunction with persons
brought into the compliance function.
Process: Communicating the compliance program both
internally and externally as appropriate through training courses for employees
and appropriate third parties, establish anonymous reporting hotlines and
advisory function channels to provide employees guidance on day-to-day
compliance issues, introduce a sanctions process for violation of the
compliance program and a rewards process for conducting business in an ethical
Time Span: One year.
Action: Monitoring of the compliance program.
Primary Responsibility: CCO, Compliance Department,
Internal and External Auditors.
Process: Regular reviews of the compliance program
through basic testing, detailing of and reporting of all hotline calls,
statistical reporting of any events or other significant issues which may
Time Span: Continuous.
Action: Evaluation of the compliance program.
Primary Responsibility: CCO, in conjunction with
specialized outside counsel or external auditors, reporting to Audit/Compliance
Committee or Board of Directors.
Process: Annual compliance assessment; quarterly reports
to Audit/Compliance Committee of Board of Directors; no less than annual reporting
to full Board of Directors.
Time Span: No less than annually. Full compliance audit
The TI six step guide provides the compliance
practitioner with a manner to think through how to approach and implement a
full compliance program. It can also be used to internally market to management
how the program should be created and implemented. In short, it is yet another
example of tools that TI has created and made available at no charge to the
compliance practitioner to assist in moving forward to create or enhance a
Visit the FCPA Compliance and Ethics Blog,
hosted by Thomas Fox, for more commentary on FCPA compliance, indemnities and
other forms of risk management for a worldwide energy practice, tax issues
faced by multi-national US companies, insurance coverage issues and protection
of trade secrets.
This publication contains general information
only and is based on the experiences and research of the author. The author is
not, by means of this publication, rendering business, legal advice, or other
professional advice or services. This publication is not a substitute for such
legal advice or services, nor should it be used as a basis for any decision or
action that may affect your business. Before making any decision or taking any
action that may affect your business, you should consult a qualified legal
advisor. The author, his affiliates, and related entities shall not be
responsible for any loss sustained by any person or entity that relies on this
publication. The Author gives his permission to link, post, distribute, or
reference this article for any lawful purpose, provided attribution is made to
the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2011