A company that commits bribery has to undergo a soul-searching examination of its operations, from top to bottom. Bribery violations come in all shapes and forms – systemic violations like Siemens, Daimler and other enforcement actions from the past; country (or regional) specific violations that involve a group of employees sometime limited to a specific function (e.g. Johnson Controls); and small group enforcement actions, sometimes involving a small number of actors or responsible supervisors.

FCPA, antitrust or other corporate crimes are rarely, if ever and I mean ever, restricted to a single “rouge” actor.   My argument is based on a very simple notion – even if a single actor steals money from a company, then negotiates a bribe in exchange for a benefit from a foreign official, the single actor acts with the inattention or even complicity of one or more individuals in the company who is responsible for supervising the employee or a specific internal control that is designed to prevent the illegal activity.

Assuming that a company has a set of internal controls and that an individual is subject to supervision by responsible management officials, the individual bad actor cannot carry out the scheme solely without some kind of failure to verify, supervise or enforce internal controls. A company’s internal controls are not effective, by definition, if an individual can carry out a bribery scheme without anyone specifically having to verify, supervise or enforce a requirement governing the bad actor’s conduct.

My point is not contradicted by the fact that DOJ or the SEC fail to prosecute any individuals in a specific case, or additional individuals beyond an identified bad actor.  In many cases, the evidence against other individuals may not support an individual prosecution or the indifference of an individual may be negligent rather than intentional.

My point is perhaps best illustrated by the JP Morgan enforcement action from last year in which the Justice Department credited JP Morgan’s remediation for the numerous violations occurring in relation to the Sons and Daughters bribery program that included the termination of an employee who was responsible for supervising the offending employees.  While the individual was not prosecuted, the individual failed to exercise his/her supervisory obligations to prevent and stop the Sons and Daughters program.

Aside from direct supervisors of individuals who engage in misconduct, there are other managers and employees who are responsible for oversight of a company’s internal controls. Consider another example, where an offending individual seeks to fund a bribery scheme through the submission of fake or inflated gifts and hospitality payments.

In carrying out the scheme, the offending individual’s reimbursement or pre-approval requests are reviewed by a person in accounts payable who has a responsibility to ensure that the payments are proper. In most companies, such a person will flag any unusual requests for further documentation or for review by a compliance officer. This internal control is specifically designed to identify unreasonable or potentially improper expenditures. A failure of the person to act or report the expenditure is another link in the chain of conduct that permitted the illegal actor to carry out his/her bribery scheme.

Hopefully, I am making my point that bribery requires more than one actor to succeed. Of course, the degree of culpability among the various actors ranges from corrupt to negligent.

The implications of my point should be clear – while a CCO can never design and implement a compliance program that will deter a bad actor from engaging in bad acts, a company’s compliance program should be designed to ensure that the surrounding actors – the supervisor, the accounts payable person, the financial staff and others who are “involved” in processing or supervising the bad actors conduct are able to identify, elevate and prevent the bad actor from carrying out his/her scheme.

A bribery violation does not occur in a vacuum nor does it occur without other corporate actors having some ability to detect, prevent and respond to a potential violation. Companies have to take a holistic approach to compliance to ensure that its internal financial and compliance controls are designed and effectively implemented to make sure that surrounding managers and employees act in conformity with these controls to prevent the “rogue” actor from successfully carrying out his/her scheme.