Speaker 0 00:00:04 Hello, and welcome to integrity through compliance AMS business success series. This podcast was created by seasoned compliance experts at affiliated monitors to speak practically to your business needs. During this series, you will hear from Amies experts in corporate compliance, healthcare government contracts, antitrust manufacturing, education, and more who will provide their observations on industry trends, gear to raise your awareness and to protect your brand. So grab a cup of coffee and join us as we guide you and your business to integrity through compliance.
Speaker 1 00:00:47 Tom, this is Don stern. I am managing director of corporate monitoring at affiliated monitors. And today we're going to begin a two-part podcast and I'll introduce our guests in a moment. The first part we're going to focus on compliance, not necessarily just compliance in general, although we'll touch on that. No doubt, but we're going to have a particular focus on the department of justice has guidance, particularly as recently articulated in the last year or two, and where compliance is now, where it's headed and what some of the things that companies might do to prepare for the close look that the department of justice is now giving for compliance programs. The second part is going to really then shift to monitoring and affiliated monitors really does both parts of this. We really started as a company that focused on monitoring for companies that got into trouble with the department of justice, with the department of Navy state attorney generals, you name it.
Speaker 1 00:01:47 And as many listeners know sometimes what happens is that part of the price of the settlement is that the government requires that a monitor be appointed. Well, that's what we do. We've done probably six or 700 monitorships over the last 17 years that we've been in existence. But increasingly we finding that companies are asking us to come in really on a proactive basis, even if they have what they consider to be a very, very good program, a very sophisticated compliance program to come in and really kick the tires and to see how the compliance program works. And so really that's what we're going to be doing today. The first part will be focused on the compliance aspect of it, whether it's in the context of monitoring or not. And then the second part we'll, we'll shift to monitoring. I'm going to introduce our guests, but let me just say, just give you a little background about myself.
Speaker 1 00:02:37 I've been at affiliated monitors for almost eight years before that I had kind of a mixed career as a lawyer, both in the public sector and also in private practice in private practice. I was a partner at three national law firms over the years, and my practice focused very much on business and white collar defense, including compliance issues, uh, the public side, uh, I had three different stints in public service too for the state. I was in the state attorney General's office in Massachusetts. I was chief counsel to the governor of Massachusetts and then served as United States attorney in the district of Massachusetts for almost eight years. And that perspective, both having a government perspective and also a private practice perspective is something I brought to affiliated monitoring. Eric Feldman who's with us is one of my colleagues and Eric joined the affiliated in 2011, after retiring from the central intelligence agency.
Speaker 1 00:03:41 He had a distinguished 32 year career in federal government service serving in a variety of executive positions with the office of inspector general at the department of defense, the CIA defense intelligence agency and the national reconnaissance office, which I think was probably his last stint where he served as the IgE for the national recognizance. We're very pleased to have rod Rosenstein join us. Rod is now a partner at King and Spalding in Washington. He joined about, I think a year and a half or two years ago after really three distinguished decades as a federal prosecutor and serving in a variety of senior government positions, spanning three separate administrations dear to my heart. He was the former us attorney in Maryland for a really long time from, uh, I think both in the Obama administration and then in the Trump administration. And then during the Trump administration, you became the second ranking department of justice official. Uh, he became what the DOJ people refer to as the dag, which is the deputy attorney general. And, you know, I think much of Rod's stellar career was all going to something that is probably less well known, which is he served as an intern, uh, while he was a student at Harvard at the United States attorney's office in the district of Massachusetts, my old stomping ground before my time rod, but still I'm sure that I'm sure that was responsible for much of your success that followed
Speaker 2 00:05:16 No doubt, but let me,
Speaker 1 00:05:17 Before we get into the nuts and bolts of the monitoring, let me first just turn to Eric. And then I'll, I'll ask rod, uh, Eric, what have you been up to with affiliated monitors? I talked a little bit about your career in government, but what have you been doing these days?
Speaker 3 00:05:32 Uh, thanks, Don. And thanks for that nice introduction. Well for about the last 10 years or so, I've been serving as the independent monitor on a variety of cases, a, a DOJ foreign corrupt practices act case, which involved traveling around the world regarding a company's activities, particular company was accused of and pled guilty to bribing officials in four different countries. I have been a monitor on cases ranging from non-governmental organizations, engaged in USAID, in developing countries to prison companies in the United States. It's a wide range of things. And as you mentioned in your introduction, many of the things that we've done are at the state and local level, as well as the federal level school boards and municipalities anywhere where a monitoring solution could help resolve an enforcement issue.
Speaker 1 00:06:35 What about you? I know you're relatively recently entered private practice. A King Spalding is a great terrific law firm with a national reputation and national maybe international footprint, but, but how is it going there? How has the transition from government to private practice been and what is your practice like?
Speaker 4 00:06:52 Well, it's been very good. Uh, as you know, of course I started in January of last year. So most of my time in private practice has been operating from my home, which is very unusual for all of us. I'm part of the special matters and government investigations, practice and King and Spalding. And I focus on helping clients with regulatory enforcement and litigation challenges, government investigations, primarily, but also crisis management, national security and cyber matters, and of course, compliance and monitoring. So this topic is a particular interest to me.
Speaker 1 00:07:22 W what what's been the biggest surprise going into practice from all your years in government?
Speaker 4 00:07:26 Well, keeping track of my time, I think that's the biggest shock. Eric could probably attest to that who I joined the private sector. You go from a situation where your time, your marginal value of your time is zero to keeping track of every six minute increments. So that's been a dramatic change.
Speaker 1 00:07:42 Yeah, that is a change. I don't miss the timekeeping. Uh, we, we keep time at affiliated monitors, but it's not quite as on the present, as it is with a law firm where, you know, every bit of time has to be accounted for. Let me first turn to you rod, as we get into the discussion of compliance, you know, there are any number of called guidelines or standards that are out there in the public dimension about how you put together a compliance program, what the elements are that a compliance program, but in recent years, the department of justice, really for the first time, and we'll get into this, I think in a helpful way has articulated for really a wider audience than just itself what it's looking for, uh, with compliance programs. So I guess the first question is why did that happen? Why did the department of justice feel that it was helpful not only for its own decision-making, but also for the companies to publish this?
Speaker 4 00:08:38 Well, I think it does serve those two purposes. Donna, as you mentioned, the first is to ensure some degree of uniformity within the department because in the absence of guidance, every prosecutor is free to make up his or her own mind. And so the goal of having this standardized guidance is to impose some degree of consistency, uh, which also promotes, I think the perception and the reality of fairness to those who are affected by the policies when they recognize that the department is following some standard guidelines. And it is in addition to influencing the decision-making of DOJ prosecutors, the goal is of course, to drive behavior of corporations. And I think to a large extent, it's having that impact through discussions like the one we're having today. And the goal is not just to impose these compliance standards on companies after they get into trouble, but to incentivize companies, to adopt self policing structures so that the justice department doesn't need to get involved in the first place.
Speaker 1 00:09:30 You know, I think people might be interested in hearing a little bit rod about what was the process to come up with the guidelines? Was there a task force internal within DOJ? Was it just in main justice that didn't include people in the us attorney's office? What was that process like?
Speaker 4 00:09:45 The guidelines, which the department has published as the evaluation of corporate compliance programs were developed by the criminal division of the justice department. And technically, I suppose they bind only criminal division prosecutors, but they obviously have an impact throughout the department, but there is a working group within the criminal division that has revised them from time to time. Most recently in June of 2020, which is the current version of those guidelines.
Speaker 1 00:10:08 What kind of feedback have you gotten when you were in the department where people moaning and groaning that the department had published these guidelines or were they pleased?
Speaker 4 00:10:16 I've not heard criticism about this. None. I think most people appreciate it. Uh, of course there are questions about how rigorous the department's going to be in applying these guidelines when companies do get into trouble. But I think everybody appreciates the effort to lay out what the standards ought to be, to lay out the components of an effective compliance program and the guidelines reflect input from the private sector. So from what I've heard and I'd be interested in Eric's perspective, but from what I've heard, they're very well received by pretty much everybody.
Speaker 1 00:10:45 Yeah, well, that's actually where I was going next. Uh, rod Eric you're on the more on the receiving end, you know, the advising companies dealing with companies and obviously the DOJ guidelines, you know, a very important component of that because you know, people who are under the microscope, whether or not they're under active investigation, every major company knows that anything can go off the rails at any time. You can get a Renegade outlier employees. So there's always a possibility of investigation. So w what's been your sense as to whether they've been well received or not?
Speaker 3 00:11:16 Well, I really do think it's been a sea change in terms of how compliance is perceived within companies for many years and early on in my tenure at affiliated compliance officers couldn't really get a lot of attention to their programs and their company. It was seen as something of a necessary evil. There were a lot more paper programs out there. People just throwing together a code of conduct and a system and calling it a compliance program rather than some real discussion internally about what risks are and how do we mitigate those risks once DOJ started issuing guidance in, well, actually it started in 2017, uh, with the original set and it's gotten much more precise and insightful as it's gone on. I think companies are standing up and listening. That's the perception that I have. It's always a very tough sell within an organization to sell compliance, kind of like when I was a federal IgG, the two biggest slides in the world, we're here to help you, uh, when the, uh, IgG comes in and we're glad you're here. Response compliance is viewed the same way as an IgG within a company necessary evil, but no one wants to interact with them. They don't see it as a profit center. They see it as a cost center that's changing. And I think the guidance has a lot to do with that. The expectations are now much more explicit on the part of DOJ.
Speaker 1 00:12:52 Well, let's, let's let's, can we turn to that subject, you know, expectations both on the government side, whether those expectations have been met. And obviously I'm gonna look forward to rod to answer that. And also you Eric, but, um, maybe it'd be helpful just to provide a little bit more meat on the bones to have you guys talk a little bit about the guidance in particular. What does it consist of? I mean, it's easy to say. You have to comply with all laws and regulations of the United States and of the various States that that's helpful, but not particularly what are the components of the guidance that companies should pay attention to rod? Let me ask you first,
Speaker 4 00:13:30 It's built around three fundamental questions that the department believes should be asked about compliance programs. Number one is the program well-designed number two, is it applied earnestly and in good faith, which the department is clarified means that does it have adequate resources and isn't empowered to operate effectively. And number three, does it work in practice? And so the way the guidelines are laid out over the course of the 20 pages is by a variety of factors that are addressed under each of those three categories. And obviously not every company is going to fill every one of them, not every one is applicable to every company, but the idea is to lay out certain key aspects that ought to be considered by companies and designing compliance programs. And then when companies get in trouble, these are the issues the department will look to to determine whether or not the company did have an effective compliance program either at the time that the misconduct occurred, because we recognized that companies can get into trouble.
Speaker 4 00:14:26 Even when they have effective compliance programs. There are people who are going to violate them or try to circumvent them. And number two, did the company remediate the problem after the misconduct came to light, did the company revise its compliance program? Did it change its personnel? Did it develop appropriate structures to prevent that kind of misconduct from occurring again? So the upshot is that even if a company has not had an effective compliance, it still has the opportunity to get its ship in shape before you get to the charging stage. And the department makes the determination of whether or not to impose a monitor or what sort of resolution to impose on the company.
Speaker 1 00:15:03 Eric, what are the components I know of the guidance that we first and generally for any good compliance program has to have written programs, written policies. What have you seen in the field and in the real world here, and as rod alludes to, there are a lot of different flavors here that big companies or small companies, the companies that have been doing this for years, a lot of the defense industry for example, has been doing and compliance for for decades. So what, what are you seeing in terms of the level of sophistication of having robust, good, tailored, written programs?
Speaker 3 00:15:37 Well, that's a great question done, you know, and it really depends on how the company views compliance. There are some companies that will develop written policies and procedures within their office of general counsel in order to protect themselves rather than really to mitigate and manage risk within the organization. We've seen it run the gambit really from paper programs, where policies are taken off the internet and they fill in the blanks of, of the name of the company. And it really has very little meaning all the way to serious consideration of what kinds of guidance the employees need. And when we go into a company, one of the things that we ask right upfront after getting the documentation, the policies is how would these communicated are they trained? Are they discussed within their training programs in small groups between managers and employees, and do people understand the policies, procedures, and their responsibilities for compliance as they go forward.
Speaker 3 00:16:49 And that understanding is going to differ in every business unit and in every type of organization. All too often, I see companies create policies. They throw them up on their intranet and call it a day. And then when we go in and interview employees and ask them, do you understand what your responsibilities are? They say, no, uh, I've never seen these policies. I, I have no clue. I didn't know it was up there. The other thing is that policies have to reflect current risk. They need to be current and updated often we'll go in and see policies that were written 10 years ago. And don't even reflect the current organization of the company, nevermind the current risks of the company. So yeah, written policies are a real important piece of this that need to be taken seriously
Speaker 1 00:17:44 About Eric. And after you respond, I'm interested in Roger response in the international sphere. I know you and I worked on a, a matter, it was an FCPA matter for the department of justice, it's now over, but that was a, uh, an international multinational company that had, in some cases written policy, some of which had not been translated into the appropriate language for some of their employees. So it's hard to really make the case that the policies and procedures have been understood by employees that didn't speak the language. What are the challenges for companies to basically, and as you know, it's not just simply a question of translating the language. There are some cultural differences out there for large companies going into certain other countries. What's your experience been?
Speaker 3 00:18:30 Well, that's true multinationals that are dealing with different languages and different cultures. And I'll get to culture in a second, have challenges in communicating why things should be done a certain way and why we can't do other things. What we and in the U S considered to be bribery is just a normal day to day business process in some other parts of the world. And it's hard to get them to understand that they shouldn't be doing it. You don't see anywhere in the DOJ guidance, the, the term immoral that you shouldn't be doing this because it's not right, or it's immoral. And, and if you, if you cheat that somehow makes you a bad person and a bad company, you can't lecture that way to employees in different parts of the world because they, it doesn't resonate with them. What does resonate is these are the rules communicated.
Speaker 3 00:19:28 Clearly, this is what is going to happen from a discipline standpoint. If you don't follow the rules, then the company needs to follow up on that. It really all comes down to small group communication. And that first-line manager, wherever that manager is, is an absolutely critical component of an employee's understanding of what the company expects of them. And if that great message from the CEO about compliance and ethical behavior is not communicated down the chain of command. And doesn't get down to that first line manager in the same way. It's very difficult to achieve success in compliance,
Speaker 1 00:20:18 Right? What, um, for a company that comes in, let's say, and is trying to persuade the department of justice, that they shouldn't be indicted, or the fine shouldn't be the size of the department is seeking. And they come in and they say, look, you guys don't understand. We operate in this country in that country. And that's, that's the way you do business and we're doing the best we can, but, you know, if we want to maintain our competitive edge, we've got to do it this way. And we try to have an effective compliance program, but you know, this isn't Kansas anymore. And we're in, in other places that's sympathetic is that argument
Speaker 4 00:20:49 That is not going to be an effective argument done. Unfortunately, that would be the department's responsibility is to enforce the law, including the foreign corrupt practices act. And the whole goal there, of course, is recognizing that there are certain countries where there's a culture of corruption that companies with ties to America should not be engaging in that corruption. So, uh, an argument like that would not be well received at all.
Speaker 1 00:21:10 And what's your sense, right? I mean, people talk about, and Eric alluded to this too, the tone at the top. I mean, that's been a, a buzzword and important, and I don't mean to minimize it. That's been an important concept for compliance really since the beginning, which is that the CEO, the chairman of the board, the board of trustees really need to set an ethical tone. But how, how does the department, as it assesses that as you look at compliance programs that I'm sure you've seen many, how do you assess that?
Speaker 4 00:21:40 Well, that's why Don that only one of the three questions is about how the program is designed. That is how it's written, because the department's concerned not about how it's written, but how it's implemented and how it's implemented as a function of those issues that Eric explained, making sure it's communicated to the employees, but even that isn't enough, you know, you could have an annual training session or even a weekly training session where you communicate the substance of the policy. The question is, do you communicate to the employees that you mean it, uh, that you in fact have a culture of compliance that the compliance is one of your concerns along with profitability and that profitability doesn't outweigh compliance concerns. And so the way to measure that is by looking at how the program is implemented by looking at things like whether or not there's a confidential reporting structure by seeing whether or not when this conduct comes to light, there's a root cause analysis that's done that identifies why it happened, how it escaped the compliance program and how it can be prevented in the future. And so by asking the questions in those three phases, and by going through three different categories of criteria, the department's goal is to ensure that that policy isn't just a written policy, but it's actually the lived experience of the employees throughout the company.
Speaker 3 00:22:51 That's a great point, rod. And I wanted to just, uh, elaborate on that because how does the company demonstrate to people within their organization that they really mean it? And within the three questions contained in the guidance, there are nine different factors that fall under those three questions. One of those factors that prosecutors will look at according to the guidance is one of my favorites and really a pet peeve and that's incentives and discipline, and going to the incentive side, well, discipline is easy, right? Discipline you, someone does something wrong. You discipline them in a consistent manner. You advertise that. So it serves as a deterrent. It doesn't matter what place you're in, in the company, whether you're in the C-suite or, you know, on the factory floor, uh, we're going to, uh, meet out discipline in a, in a consistent way. Incentives are tougher.
Speaker 3 00:23:51 And one of the first things that I like to ask and assessing, whether there is a culture of compliance, which is specifically in the guidance, is how do you incentivize look at the bonus program? If the bonus program of a company solely focuses on profitability and on business unit, meeting its targets and meeting its financial goals, without any mention of how they achieve those goals, it really is a recipe for disaster. What gets measured gets done. And if compliance and ethics are not part of the formula for how people are rewarded, incentivized, recognized, promoted, given good assignments, then you really going to have difficulty achieving that culture of compliance.
Speaker 1 00:24:44 You know, I remember rod, and this is a little bit of a war story, and it's probably an old war story at this point. But you know, when I was us attorney, and this goes back to the late nineties, we had a presentation by a major pharmaceutical company about how great their compliance program was. And it was, you know, the early days of compliance. And I think it was the early days of the department of justice focusing on the importance of compliance programs, but we heard great, you know, I'm sure you've been a recipient of many of those dog and pony shows by company executives and outside counsel. They had PowerPoints, they had manuals. And, you know, after they left the AOSA line assistant and I had a conversation and I said, well, how are we going to assess this? How do we know that this is just on the level or not?
Speaker 1 00:25:30 And again, we were at a fairly low level of sophistication, but I remember we decided, look, let's bring a couple of these company employees into the grand jury. And, you know, not just the head of compliance, but some other people. And frankly it took about half a dozen witnesses in the grand jury to realize it was a paper program. It was not a real program. You just got to ask a few people, have you read the compliance program? If you've been trained, has anybody been disciplined? So, you know, fast forward, what's your sense? Okay. You'll, you're the us attorney, let's say the district of Maryland, you have an ongoing investigation. Companies comes in with outside counsel. They make a very effective presentation. And you're trying to decide in the midst of an investigation now, should we weigh this? Should we give them credit for the compliance program? Should we not? What are the steps that you would think you might take to test that?
Speaker 4 00:26:23 Well, I think, uh, you know, one additional stepdaughter, really the obvious one that comes to mind is why did the misconduct in this case occur? And what steps have you taken to ensure that you can prevent it in the future? And I think that's one of the key factors is Eric mentioned, there's some factors that really jump out in the guidelines. And for me, one of them is the obligation to ensure that there's continuous improvement and periodic testing and review. Uh, in other words, you know, you can actually go in and figuring out finding creative ways to test whether or not you would pick up a misconduct under the existing compliance program, whether employees would respond appropriately when misconduct occurred. And just to give you an analogy, many companies now engage in testing of their employees, uh, cyber awareness by sending them pseudo fake links to see if the employees will click on the link.
Speaker 4 00:27:13 It's just a way of testing, whether or not you're training, that is your regular reminders of people not to click on straight links, actually in practice that have an impact. And so obviously you're not going to do sting operations where you have people coming off for bribes for employees, but you do want to run through scenarios. Think about the most likely problems that are going to occur. A particular challenge. Many companies face is with third-party payments. When you've got a third party in the transaction, do you have checks in place to ensure that that third party is properly vetted to make sure that they're providing a service and ensure that nothing nefarious is happening with regard to that third party, because that's a vulnerability, a lot of companies experience. And so by looking at the overall way that the program is implemented and determining whether it works and whether there is that kind of testing, I think that's a way for the department to suss out whether or not the program is effective and whether or not the company deserves credit. And, and what degree of credit it deserves, because you could be talking about a pitch, not the prosecutor at all. You could be talking about a pitch to reduce a fine or a pitch to avoid a monitor, and you need to weigh all those factors in determining whether or not the company deserves that credit.
Speaker 1 00:28:20 Well, I was gonna ask you that. So w obviously without mentioning names or particular cases, does it work? The department of justice concludes that the company did its best to that an effective program. And as we know, effective programs are constantly evolving and changing, responding to risk as they arise and the problems as you discover them after some kind of root core analysis, does it work? Will you give credits? I shouldn't say we anymore, right? It's not a wait you're on the other side now, but will the department of justice give credit for that?
Speaker 4 00:28:52 It takes me a while to get out of that habit done. I'm glad to see it's taken you two decades, but I think going back, I'm working with a client now who has a case that was resolved after I left the department in which the department did not impose a monitor. And I think one of the reasons was the company had clearly instituted a good faith effort to address the problems, to remediate, to go through the root cause analysis and to create an effective compliance program going forward. And so that's an example of where the company avoided at least a monitor, not necessarily a resolution, but the department is going to factor that in. And I think that the guidelines really obligate the department to do that. And from my experience, the department is operating in that way.
Speaker 1 00:29:35 What about you, Eric? Have you seen that work on the company side? I mean, I know we're affiliated monitors from time to time get brought in again with us, no particular investigation or problems. Sometimes there is an investigation or a subpoena or grand jury investigation, but we've had companies that say, you know, come in and let's not wait for the other shoe to drop. Let's really try to design a, an effective, a robust program. Have you seen that work?
Speaker 3 00:30:00 Yeah. You know, it's interesting. In fact, I was skeptical myself to a certain extent of just how well it would work. And we've seen multiple cases where companies took compliance seriously. They knew there was an issue. You know, we sometimes call these things proactive. It really is reactive proactivity. You know, something is going on. You may have had an investigation. You may have already had counsel look at it, but you're not at the point of resolving an issue with DOJ or whatever enforcement agency is involved. And the company then calls us in to do an assessment. If they follow the roadmap of things that we suggest to them, which is now articulated very well in the guidance. We've seen numerous cases where companies have just gotten a better deal at the end, from a resolution standpoint, even in government suspension and debarment cases, we've seen SDOs spending and debarring officials look at the compliance program of a company to decide whether or not they're going to Debar a company or give them an administrative agreement based on their willingness to remediate compliance. And that makes a big difference to a company whose 80% of their business is federal government contracting.
Speaker 1 00:31:25 Okay. We we're pretty much at the end. I want to ask you guys one more question before we finish this first segment, we're going to turn in part two to monitoring of what's happening in the monitoring world. But Ryan, let me ask you first focusing again on compliance and the department of justice guidance, any two or three takeaways that you think you want people to stay with them sort of highlights?
Speaker 4 00:31:48 Well, I would say number one, that investing in compliance brings a positive return on investment. Also, the compliance is about culture and not just about written rules and the compliance policies need to be reviewed on a regular basis. I think that for me, is, are the key takeaways from the policy.
Speaker 1 00:32:03 Good, excellent points. Eric, what about you?
Speaker 3 00:32:06 Uh, yeah. Rod's points are perfect. I would add to that, that the compliance program itself needs to be based on the actual risks of that company. When a prosecutor asks, why did you set up your program in this way? There should be a pretty cogent answer as to what you're focusing on and what your risks are. Number one, number two to me would be incentives, take a strong look at the incentive structure within your company and ensure that
Speaker 1 00:32:40 It's consistent with what you say are the core values of the company, and you're incentivizing the right kind of behavior. And that'll go a long way to convincing prosecutors that in fact, you are committed to a compliance program that has the principles contained in the guidance. Good. Okay. Well, thank you both. This has been very useful, very helpful. As I said today, we focus really on the compliance program, particularly as informed by the department of justice guidance. You know, we're going to shift gears now a little bit for part two and talk about monitoring. Thank you.
Speaker 0 00:33:18 Thank you for joining affiliated monitors podcast, integrity through compliance. Am I business success series today's segment is just a sample of the subject matter expertise captured by AMS compliance professionals. Go to our
[email protected] to view the comprehensive list of industry and in-house talent. AMI has available to enhance professional and business integrity programs and controls. Also connect with us on LinkedIn to receive updates and trends in the areas of enforcement and compliance. If you have any questions about today's podcast or would like to learn more, please contact
[email protected]. Our affiliated monitors podcast, production team of Dolores SIADH, our compliance associate, and Dan Barton, our editor and podcast music composer. Look forward to you joining us again for our next installment of integrity through compliance AMI business success series.
