No matter how strong a company’s compliance program, there is always a risk.  No matter how many times employees are trained, complete certifications and are reminded of their FCPA compliance obligations, there is always a risk.  All you have to do is look at the facts of the Morgan Stanley case which is usually cited as an example of DOJ and SEC crediting an effective compliance program.  Instead, the Morgan Stanley case represents an example of an employee “breaking bad.”

A gold-plated compliance program does not guarantee success.  In fact, a gold-plated compliance program only minimizes risk – that is the best one can expect.  Every company is vulnerable to an individual employee “breaking bad.”

Criminal law punishes conspiracy as a separate crime apart from the goal of the conspiracy itself.  This principle reflects the significant danger created when crimes are committed by more than one person pursuant to a common plan.

An effective compliance program should address this same principle.  One employee engaging in misconduct is bad enough but when two or more employees conspire to violate a company policy or the law, the company should treat such conduct as more serious.

A culture of compliance is the best guarantee against a single employee breaking bad or a group of employees engaging in misconduct.  The more the culture is spread, the greater the protection.  Joint misconduct typically occurs in separate offices where employees have regular contact and can easily disguise a scheme.

In addition to a culture of compliance, regular notifications and reminders of the importance of compliance are important to deter employees from engaging in misconduct.  These reminders can be important, when combined with regular training sessions – online and in-person – along with management reinforcement in each geographic office or division.

Compliance programs have to be directed towards risky employees who are involved in risk interactions with foreign officials who are responsible for government purchasing and regulatory enforcement such as customs and health inspectors.  In these areas, compliance should focus education, training and monitoring of employee activities.

At the same time, compliance officers need to coordinate these efforts with internal auditors to monitor financial activities.  Not all offices nor employees operate equally and building in financial monitoring is a must.  Forensic examinations of offices on a risk-based ranking is essential to a monitoring program.  Auditors can quickly identify suspect transactions or patterns of expenditures.

In combination with a risk-based focus, auditors can conduct deeper dives on suspect employees or groups of employees in a high-risk office.  Following the money is more than a catch-phrase, it is an effective way to identify potential bribes before the “breaking bad” employees have an opportunity to expand their misconduct.  Companies can then identify and isolate the problem and quickly take remedial measures.  Not all misconduct will require a government disclosure and a company which takes proactive measures reduces the likelihood of a problem growing in size and scope and the need for a voluntary disclosure to the government.