Keeping Compliance Fresh:
The Compliance Evangelist Tom Fox Speaks with Vin DiCianni
Tom Fox
It’s clear to me that companies that have a robust compliance program also have a great culture. They tend to have a speak-up culture. They tend to have a listen-up culture, meaning they listen when someone raises their hand and speaks up, and that leads to highly motivated employees.
Intro:
Hello, and welcome to Integrity Through Compliance: AMI’s Business Success Series. This podcast was created by seasoned compliance experts at Affiliated Monitors to speak practically to your business needs. During this series you will hear from AMI’s experts who will provide their observations on industry trends, geared to raise your awareness and to protect your brand. So grab a cup of coffee and join us as we guide you and your business to integrity through compliance.
Vin DiCianni
Good morning, everyone. This is Vin DiCianni. I am with Affiliated Monitors. Today’s guest is the esteemed compliance evangelist, Tom Fox. I could go on for about an hour talking about Tom’s accomplishments in the world of ethics and compliance. Tom’s the author of a number of award-winning books on compliance, including the bestselling Lessons Learned From Compliance and Ethics. And he’s written the seminal text on the nuts and bolts of anti-corruption compliance, and he has a new book coming out sometime in June called The Compliance Handbook, Volume II. Tom writes and comments frequently on issues related to compliance and ethics. In addition to his daily blog and his weekly — biweekly podcast, he’s a monthly columnist for Compliance Week and a contributing editor to the FCPA blog. He’s a well-known and frequent speaker on issues related to compliance and ethics, and has mastered the use of social media in promoting compliance in corporate leadership. And he’s the founder of the Compliance Podcast Network. He’s been a friend to Affiliated Monitors for many years now, and we’re delighted to have him as our featured guest on the AMI podcast. So, I’ve participated in a number of podcasts with Tom over the years where he leads the conversation. So today we’re going to turn the tables on him and ask him some questions and get to know him better. Welcome, Tom.
Tom Fox
Vin, thanks so much for the introduction, and it’s great to be on your podcast for a change.
Vin DiCianni
So you and I have talked about — for so many years — about the start of Affiliated Monitors. What led you into the world of compliance?
Tom Fox
So, my journey to compliance really started when I was an in-house lawyer at Halliburton, and I was assigned these two projects that are seared into my mind. I didn’t know they were compliance related at the time, but they were a part of an internal investigation that Halliburton was doing, which led to its first FCPA settlement. I was asked to review and literally read every agent contract that Halliburton had across the globe — at that time, it was 211. This was sort of, ‘04 – ‘05. I was also asked to read all of the joint ventures that Halliburton was a part of — at that time, it was 87 across the globe. I was given a series of questions to research in each contract, and I didn’t know it at the time, but that was my introduction to compliance. I later became a general counsel at a company who in 2007, had the highest FCPA fine in the history of the world ever: $27 million. It was a company called Aibel, and I was a part of the team that came in after the FCPA settlement — back then, you didn’t engage in remediation until you had settled — so I was part of the implementation team for the new compliance program, and that was my introduction to compliance, really. We had a very — and let me emphasize — a very robust monitorship, and we learned a lot. I learned a lot about compliance. The company was sold eventually, and my job went away.
So I went out into private practice, and I decided to focus on what I had learned as a general counsel at the Aibel subsidiary Drilling Controls. and that was the nuts and bolts of compliance. The social media aspect came about for the following reason: I had a short hiatus between leaving Drilling Controls and starting my practice, which was to race bicycles, and I did that for about a year until I was involved in an accident on a training ride that ended my cycling career. So I had to go back to practicing law, and that’s what led to compliance, but at that point I was pretty banged up. I was on a walker and I couldn’t leave my house except to go to physical therapy. So I started engaging in social media — Twitter, LinkedIn, blogging — and that’s really what started me on my social media path. If I’d been able to get out of the house to go meet people, to go to conferences — you know, go have dinner, go give a speech, that kind of thing — it might look very different today, but I couldn’t. I could only market through social media, but I was able to create a worldwide compliance practice literally out of my house, through the use of social media.
Vin DiCianni
So it’s, I mean, it’s so interesting that you go from working in compliance to becoming the “compliance evangelist”. So how did that happen? And I say that — and I use that word really affectionately, because, you know, people call me the “compliance missionary”, but now I’m talking to the evangelist. How did we get there?
Tom Fox
Sure. So in ancient Greek — or I guess even modern Greek — the evangelist means “the bringer of good news”, and I adopted that moniker, Vin, because there is — the United Nations estimates there’s $3 trillion lost to the world’s economy each year due to bribery and corruption. And early on, I realized that I could be a part of the fight against this huge global scourge and that motivated me, literally every day, to try to do something to move the ball forward for compliance; and that we all have a role in this fight. Regulators like the Department of Justice and the SEC has a role. The legislatures who write laws like the FCPA have a role. The judiciary has a role. But we in the corporate world have roles, and we can embrace those roles, and those roles can be meaningful. And as the compliance evangelist, I evangelize that compliance is the way forward to fighting this global scourge, and it has the also — benefit of actually making corporations run better, run more efficiently, and (at the end of the day) more profitably.
Vin DiCianni
Yeah. And I call it an asset, right, of the company, when you have a strong compliance program. You know you, over the years, have touched on every aspect of compliance: you know, ethical culture controls, third-party due diligence, and all of those kinds of things. What aspects of compliance do you find most interesting?
Tom Fox
Well, I suppose I should say like all of my podcasts, and all of my children, I love them all the same. I find all of them inherently interesting. I find having management set appropriate and proper tone is a fascinating exercise, and you can tell a manager or a senior executive who is saying the right thing, but not necessarily doing the right thing from those who are doing the right thing and saying the right thing. I think risk assessments are a fascinating way to look at the opportunities to make your businesses more efficient and more profitable. My father was a labor arbitrator who believed that in the union management context, termination was the ultimate sanction against an employee. So he believed that institutional justice was paramount in the labor contract phase, and that as a labor arbitrator, he would never uphold a termination of an employee unless procedural due process was given to that employee.
So I’m very fascinated by discipline and incentives. How can you incentivize someone to do the right thing, is always an ongoing question. I’m a lawyer, so the written word is still significant to me, and I actually happen to love writing policies and procedures. I think that’s kind of cool. I agree, it’s a nerdy thing, but nevertheless, it’s cool. Third-party due diligence is still the highest risk, or third-parties are still the highest risk in FCPA, so I’m inherently fascinated around due diligence and how you have more effective due diligence, and how — a leopard doesn’t change its spots, so that if someone has something in their past, that’s a bit untoward, doesn’t mean you can’t do business with them, but it does mean you might need to watch them more closely and trust but verify. Mergers and acquisitions are a fascinating area to me, and how you can bring the risk assessment and pre-acquisition due diligence to really plan out what you do after you acquire a company, and then continuous monitoring and continuous improvement there. It’s now — the department of justice has drawn a straight line from your risk assessment, to continuous monitoring, to continuous improvement, which really points me in the direction that compliance should be viewed as a business process and that, as a process, it can be measured, and managed, and improved. So really all of those things fascinate me, and whether it’s ADD or not, I get interested in one area and I’m fascinated with that for a little while, and I get into another area and I’m equally as fascinated.
Vin DiCianni
So let me just follow up there, because I think it’s really quite interesting; because I’m hearing in the words you just used that a company really can rehabilitate itself ay adapting a strong compliance program, and developing an ethical culture. And that’s what we do as a company — Affiliated — in our independent monitoring work. But do you believe, as the compliance evangelist, that a company can be rehabilitated?
Tom Fox
Absolutely. And then, I would point you to the recent series of articles in Compliance Week about the Volkswagen monitorship, and what struck me in those series of articles by Aly McDevitt (where she did that case study), it was not really the work of the monitor that seemed to me to be the biggest focus. It was the work of Volkswagen, and how Volkswagen literally set up a structure to not simply deal with the monitor, but to implement the monitor’s suggestions, and that they would bring to the monitor their own suggestions. But they were accountable. They communicated with their employee base about what was going on, and it was really the work of Volkswagen internally to change that culture, which had led to the massive scandal of Dieselgate. And the work of the monitor was certainly important, but it was the work of the company — it wasn’t an outsider saying you shall do this. It was the company saying we will do this.
Vin DiCianni
You know, again, just to sort of reflect back on your career in compliance and you know, all of the podcasts that you do, you’ve also combined sort of a love of football — college and pro — Star Trek, Star Wars, classic rock, Marvel comics, and all of those kinds of things. And you’ve brought them into the world of compliance. How do all of these disparate cultural touchstones lead to the world of ethics and compliance?
Tom Fox
Well first of all, I’m trying to be a storyteller, and I’m trying to tell a story that’s interesting. And that seems to be a great way to communicate, but in many ways, Vin, compliance is doing the right thing, and it may be doing the right thing when no one is watching — I’ve heard ethics and compliance described as that. And there are so many examples in the real world, the cultural world, the fictional world, of doing the right thing when no one is looking. And I love bringing those out, because people remember those.
Vin DiCianni
Yeah, I think it is interesting. And I think it does lead to conversations where people perhaps didn’t take away from a Star Wars movie that kind of thought. Again, I think that it’s fascinating that you move into that space, and bring it home into compliance. So, you do so many podcasts and are recording, and writing, and all of that kind of stuff. The question is really: do you ever sleep? You know, how do you find the time to stay on top of all of the things that you have to read, to be as knowledgeable as you are, and to do all of the various podcasts?
Tom Fox
Well, I do sleep. And interestingly, Vin, the COVID health crisis really caused me to have an exponential growth in my podcast network, because there was basically nothing else to do. So, I mean, I do work pretty much 12 hours a day anyway, but during COVID I couldn’t travel. None of us could travel, couldn’t go to conferences; couldn’t come see you, and you couldn’t come to Houston. So all of those things, it turned out, kinda kept me from really focusing on doing all of this work. And when I would just sit down and not have any other distractions, and then my wife and I would watch TV for a few hours at night. She was working from home as well. So, it really kind of grew during the COVID health crisis, and I’ve always been kind of a pretty hard worker anyway. So all of that was pretty easy for me to do.
Vin DiCianni
You certainly keep it fresh at the same time, right? There’s an ability that you have to bring great people onto your podcasts, and keep the topic moving forward. And you also bring sort of those different perspectives in compliance because, as we know, there’s no one-size-fits-all, and there’s no right answer to every question, but you’re able to do that. So on our podcast, Integrity Through Compliance, we’re trying to seek out industry and thought leaders, right, to share relevant tips and real life stories with our listeners. If you were talking to an entrepreneur today that’s looking to start up a company, what advice would you give them on why they should consider — upfront — establishing an ethics and compliance program, and trying to establish a strong ethical culture?
Tom Fox
So, Vin, I would take the concept that you articulated, which is: compliance is an asset. And a best practice compliance program, in my mind, leads to greater business efficiency, leading to greater profitability, or greater ROI. It’s clear to me that companies that have a robust compliance program also have a great culture. They tend to have a speak-up culture. They tend to have a listen-up culture, meaning they listen when someone raises their hand and speaks up, and that leads to highly motivated employees. If you are in any sort of requests for production response, a request for proposal response, or RFP/RFQ and do you have a compliance program, that is a market differentiator, and people will notice that. If something untowards happens on social media, or some reputational issue comes up, you are more well-suited to respond — literally immediately — if you have a robust compliance program. Probably, when we both began to start our journeys in compliance, it was viewed as much more of a reactive, legal based, “protect the company”. And now it’s, I think, 180 degree flipped to: this is an asset, and this asset — we can improve this asset, and that improvement will make us a more profitable business. And if you can start off that way as a startup or an entrepreneur in a new company, it’s much easier to build it out when you have the infrastructure in place.
Vin DiCianni
Yeah, I completely agree with you. And it’s so nice and refreshing sometimes, when you see a startup or a company that’s relatively new, have an effective compliance program — but not just the program, it’s the commitment of the leadership, right? And it’s the people in the company that are all part of compliance. I find it fascinating. And it really leads me to this question — because again, you and I have been at this for quite some time now — and that is, from your perspective, how has compliance evolved right from those early days at Halliburton to now? Because now it is more of a consideration, right, that companies look at.
Tom Fox
Right, so when I started — or we started — I think it was more lawyer driven. I used to say, policies and procedures were written by lawyers for lawyers, and with pages and pages of definitions, sometimes citations. First compliance training program, I had a 287 page PowerPoint presentation. 7.5 hours with appropriate case law and citations throughout. It was absolutely fascinating to me as a lawyer, and it was absolutely useless to the business guys who fell asleep, literally, within the first 15 minutes. But we’ve evolved past that. And we evolved into being seen much more as a business process with an internal customer base, who are employees that we need to market to, we need to sell to, we need to communicate with, we need to take communication feedback from, and really operationalize compliance by moving it down into the front lines, rather than having it sit in the second line of defense in the corporate office.
In the United States, that really led to, I say — one of the two biggest evolutions after the operationalizing of compliance, have been the evolution of data and data analytics, and then the input of behavioral psychology into trying to incentivize people to do the right thing. And with data, how can we improve our compliance program by measuring it, and then managing that measurement really — that leads to the concept of risk management of compliance, and with risk management, you have a greater opportunity for profit if you can manage risk appropriately, quickly, and efficiently. That of course has really led to where we are now, which is the explosion in ESG. And people see ESG as a corporation’s outward facing, as opposed to CSR, which may have been more inward facing. And I wrote an article today about why compliance should lead the ESG effort. The skills we’ve learned as compliance professionals, and the tools available to us, I think lend themselves to leading that effort, and I see a broader remit for compliance into 2025 and beyond.
Vin DiCianni
So you say that, and I agree with you. And it’s sort of quite interesting how compliance has evolved. I mean, I think about when we started in 2004, and the first compliance programs that we drafted were hundreds of pages, with all of the details, you know, minutia — and now they are much more scaled down, and much more geared toward people, and the people that work within the company. At the same time we say that, over these years compliance is now an industry. It wasn’t like that, you know, when I started in 2004, but it is an industry now. And there’s a lot of people that are going — coming into the world of compliance. What advice would you give to those people who are looking to enter the world of compliance and ethics?
Tom Fox
Well as a compliance practitioner, or a compliance product provider?
Vin DiCianni
Either. Because I think there’s both, right? Go in either direction.
Tom Fox
As a compliance practitioner, Vin, I think the days of, perhaps, people like you and me — you an ex-prosecutor, myself a recovering trial lawyer — coming into compliance, there may be less of those days going forward. And the skill set of incoming compliance practitioners may be much broader than perhaps we were trained academically. The skills of data, data science, behavioral psychology — I can see a wider variety of skills, and to think of this, really, as a business process. And how can you use compliance? How can you improve this business process in all of the facets that we’ve talked about? So I think if someone wants to get into compliance, first of all, it’s one of the top fields around, because I think it’s going to be leading corporate efforts for many years to come. So I think you’ll have lots of opportunities, but you need to not only know how to read a spreadsheet, but go beyond that, and look at numbers; understand what numbers mean, and how you can implement changes based upon what those numbers tell you.
Vin DiCianni
It is continuing to evolve. Is compliance and ethics something that should be taught in a college, or a graduate degree program?
Tom Fox
Absolutely. I taught a compliance program at South Texas College of Law this past term. Business Ethics, I think, should be a part of every MBA program, because learning the quantitative skills to lead as a manager or senior executive are certainly critical. But equally critical is that tone you set, and the leadership skills, and the empathy that you’re able to articulate to your employees, will go a long way as well. So I’m a firm believer it should be taught in law schools, and it should be taught in business schools.
Vin DiCianni
Yeah, I think so, too. So let’s talk about your new book, Compliance Handbook: Volume II. I read Compliance Handbook: Volume I, which was so comprehensive and so brilliantly and well-written, I mean, so that people can understand it. It wasn’t, you know, theoretical, and it was — it was more practical. Tell us about Volume II.
Tom Fox
Sure. So Volume I really focused on the operationalization of compliance; moving compliance into the front — first line of defense; moving it down to the business unit, helping the business unit be able to implement the strategies, tactics, and tools of compliance. In the second volume, or the second edition, which comes out next month (published by Lexisnexis), I really focused on three key releases of information from the Department of Justice, and one from OFAC. In 2019, we had the Evaluation of Corporate Compliance Programs, supplemented by the 2020 update. In June of 2019, OFAC came out with a compliance framework, and then in July of 2019, the Department of Justice Antitrust Division came out with its Evaluation of Corporate Compliance Programs. Each had a little bit different focus, and what I try to do is synthesize their different focuses down into one kind of coherent framework that the compliance practitioner could implement.
In addition to the documents (or rather releases of information from the Department of Justice), we had an update to the FCPA resources guide, the seminal one volume document, issued — originally issued in 2012 by the Department of Justice and Securities and Exchange Commission that was updated in July of 2020, so I incorporated that update into the book as well. I’ve mentioned data, data analytics. I have an entire chapter around that issue, and how that relates to internal controls, monitoring, and updating. And then I wanted to take a look at compliance literally in 2025 and beyond, so I have an entire chapter around that. But it you’re right, Vin, it’s a nuts and bolts handbook designed for the compliance practitioner, that they can sit down — the first chapter is 31 Days For an Effective Compliance Program, where I give you idea (or one topic, rather) a day, with three key takeaways that you can do for your compliance program. At the end of 31 days, I think you’ll have a pretty close to effective compliance program. And then deep dive chapters to the board of directors, internal investigations, internal controls, training and communication, business ventures, in addition to third-party — so joint ventures and other business ventures — innovation, as well as policies and procedures. So it’s a comprehensive manual. It is, in my opinion, the best one volume handbook on how to design, create, and implement a best practices compliance program.
Vin DiCianni
Outstanding. Looking forward to it very much, and wish you the best with it. For those listening, Tom has given us a code for a discount on the purchase of the book. It’s for pre-sale, and it’s a — we’ll give you the code with the notes to this podcast. So Tom, one of the things that we see with companies that have well established compliance programs, right, not at the start, but they’re now well-established is: keeping the program fresh. You know, training gets stale. The words in the compliance program which people will have to read are the same, and we hear sort of a sense of boredom, and how do I get through this training as quickly as I can? From your perspective, and you know, all of the things that you’ve done and learned, how do you keep compliance fresh?
Tom Fox
Sure. And that’s a very real question and reasonable question, Vin. You have to keep compliance fresh by bringing fresh examples. It’s basically the same strategy I employ in my podcast network, and in my blog writing. I try to bring historical events — famous people who may have passed away — current events from non-fiction and fiction, whatever it may be. But you can create communications around compliance to keep it fresh with short bursts of appropriate, targeted communication that is disguised as training. If you figure out who needs the targeted training in your organization — probably it’s 20–10% of the people. 80–90% of the people, a good ethics and compliance reminder annually is probably going to be enough. But for the gatekeepers, and the people on the first line of defense, they need more effective communications. So keep that fresh.
Vin DiCianni
Yeah, I couldn’t agree with you more. I mean, I’ve heard feedback from those companies that are doing exactly what you said: shorter bursts, and disguising compliance as part of just a conversation within like a team meeting, or that kind of thing. And the reviews are overwhelming that it’s the best training they’ve ever had, and they feel much more a part of the compliance effort in doing that. A couple more questions for you — and this is here for you to have a little bit of a plug — why should people listen to your podcasts?
Tom Fox
They should listen to my podcast, because they’re the most fun podcasts in compliance. They’re the most comprehensive podcasts in compliance. And you can have anything from as little as five minutes each day — of compliance and corruption news of the day to start your day — all the way up to a one hour round table of top compliance commentators every other week, talking about the things that have caught their attention, and everything in between. So if you’re interested in any shape or form of compliance, there’s a podcast for you on the Compliance Podcast Network.
Vin DiCianni
And just going to piggyback on that by saying you keep it fresh. You keep it pertinent, and you keep it interesting, right, and what more can anybody, any listener ask for? I mean, making compliance interesting is, I think, something that you’ve mastered, and you have been very innovative in the approach to compliance. So you were — you mentioned earlier about — you know, some elements like ESG sort of taking compliance out to about 2025, right?
Tom Fox
Right.
Vin DiCianni
What’s the future of compliance and ethics programs, you know, from your perspective?
Tom Fox
Well, I think they — it will be a continuation of some of that evolution we’ve seen, which increased exponentially during the 2020 phase of the COVID health crisis. One, I think we will continue to see compliance evolve as to a business process. There will be a much greater input of data, data analytics. We are now seeing the use of AI and machine learning in companies such as AB InBev and others. That seems to be kind of the cutting edge there. And the compliance professional will have, at their fingertips, a larger amount of data, which will point towards: if something is becoming a problem; if there is an issue, we will move from simply a detect mode or detect-mainly mode, to a preventative mode, to even a prescriptive mode so that we stop problems before they become issues or legal violations.
Vin DiCianni
Tom, this has been terrific. And I want to thank you for participating in the Affiliated Monitors podcast. Keep up the great work, and again, thank you so much for all that you do, and all that you contribute to the world of compliance.
Tom Fox
Well, Vin, thank you. It’s been a ton of fun to be on the other side of the microphone. And as always, I look forward to continuing the conversation.
Vin DiCianni
Excellent. Be well. Thanks everyone, for listening.
Outro
Thank you for joining Affiliated Monitors’ podcast, Integrity Through Compliance: AMI’s Business Success Series. Today’s segment is just a sample of the subject matter expertise captured by AMI’s compliance professionals. Go to our website at www.affiliatedmonitors.com to view the comprehensive list of industry and in-house talent AMI has available to enhance professional and business integrity programs and controls. Also, connect with us on LinkedIn to receive updates and trends in the areas of enforcement and compliance. If you have any questions about today’s podcast or would like to learn more, please contact us at podcast@affiliatedmonitors.com. Our Affiliated Monitors podcast production team of Deloris Saad, our compliance associate, and Dan Barton, our editor and podcast music composer, look forward to you joining us again for our next installment of Integrity Through Compliance: AMI’s Business Success Series.