In this episode of the Principled Podcast, host Susan Divers continues her conversation from Episode 11 with Tom Fox, the founder of the Compliance Podcast Network, on the changing geopolitical landscape and its impact on E&C. Listen in as the two discuss how anti-corruption is a key component of ESG, the consequences of compliance in cybersecurity, and the growing interconnectedness of risks. You can listen to Episode 11 here.
To learn more, download a copy of Tom Fox's white paper Never the Same: Five Key Areas in Which Business Will Never Be the Same After the Russian Invasion.
Be sure to subscribe to the Principled Podcast wherever you get your podcasts.
Tom Fox is literally the guy who wrote the book on compliance with the international compliance best-seller The Compliance Handbook, 3rd edition, which was released by LexisNexis in May 2022. Tom has authored 23 other books on business leadership, compliance and ethics, and corporate governance, including the international best-sellers Lessons Learned on Compliance and Ethics and Best Practices Under the FCPA and Bribery Act, as well as his award-winning series "Fox on Compliance."
Tom leads the social media discussion on compliance with his award-winning blog, and is the Voice of Compliance, having founded the award-winning Compliance Podcast Network and hosting or producing multiple award-winning podcasts. He is an executive leader at the C-Suite Network, the world’s most trusted network of C-Suite leaders. He can be reached at tfox@tfoxlaw.com.
Susan Divers is the director of thought leadership and best practices with LRN Corporation. She brings 30+ years’ accomplishments and experience in the ethics and compliance arena to LRN clients and colleagues. This expertise includes building state-of-the-art compliance programs infused with values, designing user-friendly means of engaging and informing employees, fostering an embedded culture of compliance, and sharing substantial subject matter expertise in anti-corruption, export controls, sanctions, and other key areas of compliance.
Prior to joining LRN, Mrs. Divers served as AECOM’s Assistant General for Global Ethics & Compliance and Chief Ethics & Compliance Officer. Under her leadership, AECOM’s ethics and compliance program garnered six external awards in recognition of its effectiveness and Mrs. Divers’ thought leadership in the ethics field. In 2011, Mrs. Divers received the AECOM CEO Award of Excellence, which recognized her work in advancing the company’s ethics and compliance program.
Before joining AECOM, she worked at SAIC and Lockheed Martin in the international compliance area. Prior to that, she was a partner with the DC office of Sonnenschein, Nath & Rosenthal. She also spent four years in London and is qualified as a Solicitor to the High Court of England and Wales, practicing in the international arena with the law firms of Theodore Goddard & Co. and Herbert Smith & Co. She also served as an attorney in the Office of the Legal Advisor at the Department of State and was a member of the U.S. delegation to the UN working on the first anti-corruption multilateral treaty initiative.
Mrs. Divers is a member of the DC Bar and a graduate of Trinity College, Washington D.C. and of the National Law Center of George Washington University. In 2011, 2012, 2013 and 2014 Ethisphere Magazine listed her as one the “Attorneys Who Matter” in the ethics & compliance area. She is a member of the Advisory Boards of the Rutgers University Center for Ethical Behavior and served as a member of the Board of Directors for the Institute for Practical Training from 2005-2008. She resides in Northern Virginia and is a frequent speaker, writer and commentator on ethics and compliance topics.
Intro:
Welcome to the Principled Podcast, brought to you by LRN. The Principled Podcast brings together the collective wisdom on ethics, business and compliance, transformative stories of leadership, and inspiring workplace culture. Listen in to discover valuable strategies from our community of business leaders and workplace change makers.
Susan Divers:
Hello and welcome to another episode of LRN's Principled Podcast. I'm your host, Susan Divers, Director of Thought Leadership and Best Practices at LRN. Today, I'm continuing my conversation from episode 11 with Tom Fox on the changing geopolitical landscape and its impact on ethics and compliance. If you haven't listened to that episode yet, we highly encourage you to do so. Tom is the founder of the Compliance Podcast Network and the author of the award-Winning FCPA Compliance and Ethics Blog, as well as the Complete Compliance Handbook, which is in its third edition. Tom, welcome back to Principled Podcast.
Tom Fox:
Thank you, Susan.
Susan Divers:
Tom, in our last episode, we talked about the impact of the war in the Ukraine on compliance and ethics. And specifically on the challenges that's imposed or brought to the fore for companies and specifically for their compliance teams who hopefully have a real seat at the table in terms of dealing with those challenges and mitigating those risks. But one of the topics that underlies what we were talking about is that of conducting your business in a fair, transparent, and sustainable manner. And I'm really struck by some of the things you were saying about the need to be transparent and the need to walk the walk and talk the talk. Because if you fail to do so, we live in an age of radical transparency and easy access to social media, and moreover, it's the right thing to do.
So with that as the background, anti-corruption has long been a focus for regulators. I mean, it's probably defined yours and my careers in a lot of regards. But only recently have some people started talking about it, and you're one and I'm one, as a major component of ESG. Could you explain for our listeners how that works and the role of anti-corruption in ESG?
Tom Fox:
Sure. So ESG, in my mind, Susan, the power of ESG is that it has brought together disparate strands that have existed in every corporation for some lengthy period of time. But brought them together in a way that someone is looking at them holistically. So, I'll pick on E because that perhaps is the easiest. As a compliance officer, I never looked at environmental issues in our company. That was somebody else's responsibility.
Susan Divers:
Me either. Right.
Tom Fox:
Didn't mean there wasn't environmental compliance, but it meant that I wasn't looking at that from the compliance perspective. Now, whether it's the Chief Sustainability Officer, whether it's the Board of Directors, whether there's a Board ESG Committee, somebody's connecting compliance to environmental. And so that in and of itself is, to me, the most powerful reason to have a robust ESG program. But anti-corruption in ESG, in my opinion, Susan, I've always seen it directly in the G.
Susan Divers:
Me too.
Tom Fox:
Number one, it's a good governance issue. Number two, it is a Board of Director's issue. Number three, it's illegal and regulatory issue.
But now Susan, I'm beginning to see it and have tried to articulate, that I see it in the S component as well as sustainability. Part of it is around one of the topics we touched on our last podcast of radical transparency, that if you do business ethically and in compliance, and if there's a question raised about a supplier, a customer, a distributor, a someone you've done business with in today's era of modern social media, that you can respond to that in a way that won't hurt your business from the public perception perspective. Leaving completely aside the regulatory perspective. So, I see ABC or anti-corruption compliance now, Susan, as directly within the S of ESG as well. And I also see it in the E. So to me, it sort of bleeds across all aspects of ESG and is a key component of a best practices ESG program.
Susan Divers:
Yeah, and I'm glad you articulated it so clearly for people, because I think there's a tendency perhaps, to silo ethics and compliance and sustainability. And they really are part and parcel of the same thing. And I'm going to quote from your recent white paper in support of that. "As a fundamental threat to the rule of law, corruption hollows out institutions, corrodes public trust, and fuels popular cynicism towards effective accountable governance." And that's, I think, a quote from the U.S. Strategy on Countering Corruption. Can you talk for us and link together how anti-corruption, anti-money laundering, and sanctions all are part and parcel of the same thing and relate to ESG? I think that'd be helpful for our listeners?
Tom Fox:
So Susan, the statement you read interests me for a couple of reasons. That came out of the U.S. Strategy on Countering Corruption, and it was aimed at national governments, so national governance. And I think it's absolutely correct that corruption, money laundering, all fuel cynicisms towards effective, accountable national governance. But Susan, as you were reading that, it struck me, that is equally true about corporate governance, or the G in ESG. Because violations of the rule of law, corruption, money laundering, they all corroded trust in our corporations, and indeed fuel cynicism towards effective accountable corporate governance.
The United Nations estimates that $3 trillion is lost to the global economy annually because of bribery and corruption. The United States Department of Treasury estimates that $2 trillion is lost annually because of money laundry. That's $5 trillion taken out of the global economy that could be used for a wide variety of other ways, reasons to help countries and people that's not available to them.
So having an effective anti-corruption and anti-money laundering strategy as well as trade sanctions, I think, are directly a part of ESG. They're certainly all in the G. We've talked about how they relate to sustainability. But money laundering and trade sanctions are as invidious, in my mind, as corruption is.
After 9/11, we saw a spike in the first real spike in FCPA cases starting sort of circa '04. And it was said that corruption led to crime, which led to terrorism. And there was really a belief that corruption had a direct line to the terrorism that impacted the United States directly on 9/11.
And now we see how corruption leads to erosion of trust in governance. But governance is not just corporate governance, it's democratic governance and democratic institutions. And certainly the Russian invasion of Ukraine put another exclamation mark on that. Whatever Russia is, it's not a democracy. And it is, if you want to see evidence of the invidiousness of corruption, you only need to look at a Russian army, their failures in Ukraine, how they've treated the people of Ukraine all wrapped up in an anti-democratic form. And that all speaks to the G. And when you read that line or that quote from my white paper, it struck me, that really works on multiple levels of governance.
Susan Divers:
Well, and you raise a good point too, that it's in the corporate governance area because if you... I've said this so many times, but it's worth repeating. If you have a code of conduct and you have training and you have policies, and you have an E&C team, that doesn't mean you have an ethical company, particularly if your leadership is engaging in sexual harassment or they're dealing with people who are banned because they're under sanction or they're violating anti-money laundering controls because it's a big account and they want the commission. That just means that your program is basically window dressing.
So for corporations and for E&C professionals, it seems to me that making sure that you're doing business in an ethical, compliant way is part of and parcel of being sustainable. And part of demonstrating that trust that is essential, if you're going to do business effectively, as we've talked about. We talked last time a little bit about how the Biden administration has basically shifted the view of anti-corruption enforcement. And I think that bears reemphasizing, 'cause I thought that was such an interesting point that you raised about that in the last podcast. Do you mind repeating that?
Tom Fox:
Sure. So in December, 2021, the Biden administration release our U.S. Strategy on Countering Corruption. Once again, this did not come about because of the Russian invasion of Ukraine, but it occurred during the run up to it. And it's one of the things that I think the Russian invasion have put an exclamation point on as to why business will never be the same in certain areas.
You and I have been in the anti-corruption field for a long time. As of December, 2021, our fight is now a national security fight. And they elevated anti-corruption and the fight against corruption to a national security issue. When something becomes a national security issue of the United States, that means resources are made available for that fight.
The strategy released by the Biden administration was the internal U.S. Government Strategy. It didn't impact our former employers or us today directly. But what it did was say, "The U.S. is going to enhance the global fight against corruption. They're going to work with foreign partners, foreign prosecutors, foreign departments of justice or ministries of justice to bring to justice people who engage in bribery and corruption, people engage in money laundering in a way they haven't done before."
Interestingly, there was a section on journalists and the fourth state and a specific acknowledgement that exposes, business exposes by journalists all the way from blood money of the story of Theranos to the Paradise Papers, to the Panama Papers, to the Paradise Papers, all exposed bribery and corruption, all exposed money laundering, all exposed sham corporations, all exposed fraud. And for the first time, we have the U.S. Government saying, "We're going to work to try to encourage good journalism to help expose these, because we can't do all of this on our own." And newspapers have a vital role to play, and reporters have a vital role to play. So, we have the fourth estate now being openly discussed by the United States.
We have government agencies that had never concerned themselves with anti-corruption, now being tasked with anti corruption. And I would point you to NATO. NATO's been around most of our lives. No, well, I guess all of our lives.
Susan Divers:
Yeah.
Tom Fox:
It's a key component of what I see as U.S. Security interests. But I've never heard NATO and anti-corruption in the same breath before. Well, now NATO is charged with enforcing anti-corruption statutes for its suppliers. It's suppliers are not all U.S. companies. NATO's a 23 member, I think, organization. So any country can have suppliers to NATO. Well, now they have to comply with U.S. anti-corruption laws probably in the form of the FCPA.
So, we have a greater scope, a greater reach, we have greater resources in the form of prosecutors or investigators. But the U.S. is acknowledging and saying, "This is part of our overall fight." And in part one of our episodes, Susan and I talked about the Department of Treasury saying that U.S. corporations are a part of the fight against money laundering. Well, I think the Department of Justice has come pretty close to saying that U.S. corporations are a part of the fight against bribery and corruption. And because it's a national security issue, we want you to come to us. We will incentivize you to come in and self-disclose, once again, even if it's within your organization.
I think that this means more funds, a wider remit for government agencies that have not had this remit before. And when you start talking about the press as a key part or a key whistleblower within the context of overall whistle blowing programs, I think that's an acknowledgement that is long overdue.
Susan Divers:
I totally agree with you. And I think it also sort of ups the ante, because when you couple that with DOJ's recent re-emphasis and added emphasis on personal responsibility and liability for misconduct, it's in a sense saying, "If you go out and you bribe or you violate anti-money laundering or you do business with people on the sanctioned list, or you help oligarchs move their yachts, you're not just committing an economic crime. You're doing something that violates the U.S. National Security interests." And I think that's something for boards and executives to really think about, especially in light of the recent absolutely horrible Lafarge cement case where they were bribing ISIS in order to keep their Syrian cement factory open.
It's an interesting dynamic. Let's leave that and let's talk about cybersecurity, because that's another major risk area for companies. And it directly plays into the area of sanctions in AML as well as others. What are you seeing in that space as a result of the war in the Ukraine and the risks that's created?
Tom Fox:
So once again, Susan, cybersecurity, cyber attacks, cyber hacks have been with us for some period of time. I think Target was probably the first one that got the attention of most of us in the compliance community. But certainly within the cyber community, this was well known. But what the Russian invasion of Ukraine has done is, here I have to cite to Brandon Daniels, CEO of Exiger who said, "We are now under permanent non-kinetic warfare.", meaning we are permanently under attack by our enemies in the cyberspace. Every company is subject to attack. It can be a state actor or it could be rogue groups. It could be criminal groups. So, that's sort of point one. We are all under attack now and we have to harden our defenses.
But point number two is that what you sort of raise at the end, Susan, you're attacked, you're hacked. You want to get the key so you can unlock your documents. You make a payment. Who are you making that payment to? They're probably not going to say, "My name is Thomas Robert Fox. My bank account at Chase is..." They're going to give you a false name and some sort of drop account that you don't know, or you may not know who the end user is. Well, in 18 months or 24 months, when you get a little knock at the door from the Department of Treasury, which says, "You've just paid ISIS." Or, "You've just paid Russia. We'd like to ask you some questions under oath." The point being that if you don't know who you're paying, you may be paying someone who's on the sanctions list. You may be paying rogue agents or agents rather from Cuba, from North Korea. You may be paying agents from China.
And so, cybersecurity is tied to money laundering and trade sanctions because of the potential payments. As a business, you're in an extraordinarily difficult position because you may have not had hardened defenses. And you may be at risk for losing your data or having it put out on the dark web. And that's not going to be an easy choice. But if you make a payment and it's to someone on the sanction list, the U.S. government has made clear, you will be punished for violations of those U.S. laws.
And this fall, it's not effective yet, effective March, 2023, Lloyd's of London has announced that they will not honor cyber insurance obligations where the attack was made by a state actor. And typically what companies will do after they're hacked and they have to announce publicly is, they will say, "Well, we were a hacked by the Russian government and there's nothing we can do for it because it was a top military hacking unit in Russia. And whatever defenses we had in place, we couldn't defend us." Well, if you say that trying to cover your backside, you've just lost your insurance coverage. And if you make payments, you're not going to be able to get indemnity and that money back. So, you have to be very careful about what you publicly say now, if you want to have full cyber insurance.
It's, here I'm less certain about the answer, Susan. I just know that the questions have become much more important, much more difficult. But you've got to have these conversations in your corporation. You've got to practice hack drill. It's like you and I did fire drills or bomb drills in elementary school. You've got to have a drill, you've got to have a plan in place. You've got to be ready, if you're hacked. You've got to have experts who you can call, trusted advisors, whether they be legal, whether it be technical, whether they be compliance, whether they be cyber, to come in and help you get through such an attack.
But we're under... make no illusions that this Russian invasion has unleashed corporate attacks in a way we have never seen before. It's here to stay. And you as a U.S. corporation and U.S. compliance practitioner are going to have to deal with it.
Susan Divers:
Well, and what you're saying too is a perfect illustration of the interconnectedness, which I don't think we thought in those terms too much in the past. We had FCPA compliance and we had sanctions compliance and trade compliance and AML. We didn't really, at least, I didn't, to confess, sort of think about it as all connected. But if you're basically being held to ransom and it's a Russian or an ISIS hacker, then not only could you violate the sanctions laws, but you could violate anti-bribery laws too, inadvertently. To use a great expression, it's sort of a dog's breakfast in some ways, what compliance officers are faced with.
So, what's your advice, because it's a new risk environment and the risks are really big? They're national security risks, they're not just good governance and good business risks. What should compliance officers do? Let's end on a practical note of, how do you actually deal with the situation going forward?
Tom Fox:
No, I wonder if I should open my door, bring my three dogs back in, and say, "Hey guys, what do you do when I put a dog's breakfast down in front of you?" And they look up at me and say, "Well, we eat it, Tom." It's here to stay. And that means you have to deal with it. It all goes back to risk. What are your risks? Assess your risks. Yes, I understand you have a robust cyber defense protocol. You have a program, you have tested that program, you've run drills on that program.
Now, have you done that same with your prime supplier? Have you done that with your Tom Fox vendor who has access to the vendor invoice system so that I can input my invoice into your system for work I do? Have you checked down to that level to make sure that my defenses are hardened, someone using my system can't get in? You have to go through the same exercise you do from a corruption compliance, any money laundering compliance, trade control, and trade sanction compliance.
Assess your risk. How do you assess your risk? Where are you doing business? Who are you doing business with? How are you doing business? In all of those manners, are there any gaps in your defenses in those three areas? If you assess those risks and then if you find gaps, weaknesses, material deficiencies, whatever you choose to call them, remediate those. It is a process you have to go through. You can't do it... I'm going to look at our cyber defenses in our third party supply chain this afternoon. You can't do that. It is a process and you're going to have to put work into it.
But that's where you get the real results. Because once again, as we found, I think in the supply chain discussion we had, Susan, once you look at those sub-suppliers, who you're doing business with, where they're doing business, and how you're doing business, you may find inefficiencies from the business operations perspective. And you can correct or improve those business efficiencies and make your company more efficient, and hopefully at the end of the day, more profitable, when you began as a program to assess risk based upon a DOJ pronouncement or a DOT pronouncement. But it all starts with recognizing what your risks are. And only you can assess your risks.
Susan Divers:
And I like too, the way you've mapped it out, because it really, again, comes full circle back to sustainability, that the way you do business is just as important as what business you do. And if you truly keep on top of your risks and really reinvigorate the risk function, that should be, as you've pointed out, a dialogue with the board and with the top management. It shouldn't be a dialogue that compliance and audit and legal are having because it involves the strategic direction of the company. And it also involves the way the company is governed.
So with that takeaway, I think this is a conversation we could be having for at least another hour, if not more. But we're out of time. And so Tom, thank you so much for joining us. And your thoughts are so valuable, because I think it's easy in the ethics and compliance field to get fixated on, "How am my rolling out the training? What's my curriculum, how many hotline calls have I gotten?" And it's much more about, how do we actually live in this world? And how do we in fact, conduct business in a way that's ethical, compliant, and sustainable? So you've really taken us to that perspective. And I'm very grateful to you for doing that.
Tom Fox:
Susan, thank you, and I look forward to continuing this conversation.
Susan Divers:
Thank you, Tom. My name is Susan Divers and I want to thank you all for tuning into the Principled Podcast at LRN.
Outro:
We hope you enjoyed this episode. The Principled Podcast is brought to you by LRN. At LRN, our mission is to inspire principled performance in global organizations by helping them foster winning ethical cultures rooted in sustainable values. Please visit us at lrn.com to learn more. And if you enjoyed this episode, subscribe to our podcast on Apple Podcasts, Stitcher, Google Podcast, or wherever you listen. And don't forget to leave us a review.
Be sure to subscribe to the Principled Podcast wherever you get your podcasts.