Magazine Article | October 7, 2010

Building A Culture Of FCPA Compliance

Source: Life Science Leader

By Leila Daiuto

At last year’s Tenth Annual Pharmaceutical Regulatory and Compliance Congress and Best Practices, Lanny Breuer, assistant attorney general of the Department of Justice’s (DOJ’s) Criminal Division, made abundantly clear that Foreign Corrupt Practices Act (FCPA) enforcement is one of the division’s top priorities. Indeed, life science executives and board members have faced increased scrutiny of their compliance with the FCPA by the DOJ and other regulatory agencies since Breuer made his comments. This is true not only of their overall company operations, but of their own actions and inactions as well.

Several pharma companies are now under government investigation, which can cause severe legal, financial, and reputational concerns for an organization. In August 2010, a California biotech company’s stock dropped 40% in one day after it announced it was facing inquiries from the SEC and DOJ regarding possible FCPA violations.

Enforcement activity in the life sciences industry is likely to increase under new government initiatives. For example, the DOJ’s FCPA and healthcare fraud units are now working together with specialized teams at the FBI and SEC to uncover FCPA violations.

In January, the SEC also announced that cooperation agreements, deferred prosecution agreements, and nonprosecution agreements will be used as incentives for individuals and companies to assist with investigations and enforcement actions. These tools, which have not been previously available in SEC enforcement matters, are similar to those used by the DOJ in its criminal investigations and prosecutions. In addition, a whistleblower provision of the recently enacted Dodd-Frank Wall Street Reform and Consumer Protection Act adds another incentive for reporting FCPA violations to the SEC: the opportunity to receive between 10% and 30% of the fines collected as a result.

Build A Culture Of Compliance
Life science executives can take a proactive approach to FCPA compliance to more effectively address increased scrutiny and enforcement by regulators. Building a culture of compliance within their organizations and aligning FCPA compliance with corporate strategy is the place to start. It continues with providing employees with the necessary tools and training to comply and regularly communicating the importance of FCPA compliance to them. This approach will help convey the message to everyone within the organization that FCPA compliance is to be taken seriously.

In fact, senior management’s leadership in an FCPA compliance program could favorably position the company with regulators. Evidence of this can be found in the fact that the DOJ has endorsed the Organisation for Economic Co-operation and Development’s (OECD’s) recently released good practice guidance on internal controls, ethics, and compliance. The OECD’s guidance urges management direction in antibribery programs. It also recommends “strong, explicit, and visible support and commitment from senior management to the company’s internal controls, ethics, and compliance programs or measures for preventing and detecting foreign bribery.”

In addition, board oversight of a compliance program is outlined as one of the elements of an “effective compliance and ethics program” in an amendment to the U.S. Federal Sentencing Guidelines that will take effect in November 2010.

Managing An FCPA Compliance Program
To help foster a culture of compliance and more efficiently manage an FCPA compliance program, companies can use a comprehensive governance, risk, and compliance (GRC) technology platform. With a single technology framework, organizations can more easily implement consistent compliance policies across the organization and integrate adherence to FCPA requirements into daily operations.

Policies and procedures that are clearly understood by employees are essential to creating a culture of compliance within an organization. A companywide risk assessment, conducted through a GRC platform, can help set the stage for development of such policies and procedures. The platform can be used to help evaluate existing policies and procedures to uncover compliance risks regarding financial relationships between the company or its partners and foreign physicians or hospitals.

A GRC technology platform can also enable the quick identification and prioritization of FCPA risk exposures related to foreign distributors, contractors, consultants, and sales representatives. And it can help streamline the documentation of results and the creation of action plans to remediate them. One key risk indicator is Transparency International’s annual Corruption Perceptions Index, which many organizations use to evaluate the global markets in which they conduct business and the risk level of each market.

After risks have been identified, FCPA compliance policies and procedures can be established or revised to more thoroughly govern interactions with foreign third parties, such as hiring distributors and conducting due diligence. Including these policies and procedures in the company’s code of conduct and publishing them in a single, well-managed document repository will help employees learn, embrace, and use them. Similar policies should also be developed for third parties to comply with, translated into the languages of each country where the company operates and distributed to the appropriate employees in a partner’s organization.

An automated GRC system can also enable the communication and attestation of FCPA policies and procedures to individuals in sales, marketing, procurement, operations, and other departments that interact with foreign partners. Attestations require the individuals to certify that they understand and will follow the organization’s policies and procedures. Collecting acknowledgements and attestations of these policies and procedures in the GRC system will permit ready access in case of an investigation.

To promote understanding about the company’s FCPA policies and procedures, e-learning courses for relevant employees and third parties can also be distributed in all applicable native languages and tracked through a GRC system. Quizzes and tests can help gauge comprehension and identify needs for further training.

Measure Your FCPA Compliance Program
Beyond assisting with the implementation of policies and procedures and associated training, a GRC technology solution can allow leaders to measure FCPA compliance program performance through continuous controls monitoring. Automated monitoring and detection controls can help identify red flags, such as payments to politically exposed persons. The effectiveness of the controls should be confirmed through testing by the internal audit and compliance audit teams. Within the GRC system, control failures can be documented, tested, and remediated.

A similar assessment approach can be used to confirm that foreign counterparts are following the organization’s FCPA policies, procedures, and controls. Assessments can be tailored to different vendors and partners based on the potential risk the company determines they present to it. Considerations may include location of business, type of business, and access to secure data. Identifying higher-risk vendors and more closely monitoring interactions with them can help an organization more efficiently prevent major violations. The results of these assessments can be used to drive future decisions about whether or not to do business with third parties.

Assessments may be performed during contract renegotiation annually or as new partner relationships are established, as the organization determines necessary. Incorporating FCPA compliance policies and procedures into contracts and into contractor and vendor onboarding programs can help further reduce risk. The GRC system can help assess and categorize risk for each new third party doing business with the company.

A centralized investigations workflow within a GRC system will optimize the tracking and resolution of vendor compliance issues for an organization. The GRC system’s incident management system can help the organization record response time and consistency in corrective action.

Lastly, automated workflows will help the organization integrate FCPA policies, procedures, and controls into its business processes and ensure the prior approval and thorough documentation of high-risk transactions. Through such workflows, requests can be efficiently directed to reviewers and approvers, based on the risk level and due diligence results of the third party. An audit trail will prove that required steps were followed.

As the federal crackdown on corruption and bribery continues, life science executives can minimize their FCPA liability and prevent violations by driving a culture of compliance throughout the organization. Management’s leadership of and clearly defined involvement in the FCPA compliance program, including investments in compliance training and tools, will define FCPA compliance as a business-critical activity.

A comprehensive FCPA compliance program, effectively administered with the help of a GRC solution, can help protect the company and its stakeholders from regulatory violations, enforcement action, and financial and reputational damages.

About The Author
Leila Daiuto is senior director of Axentis, a part of ARC Logics, a Wolters Kluwer business. She has more than 10 years of experience helping organizations implement enterprise governance, risk, and compliance (GRC) solutions. She previously performed management consulting roles with PricewaterhouseCoopers and Ernst & Young.