Guidance on FCPA Compliance Programs for Companies

59 scrutiny than modest and routine gifts and entertainment. Similarly, performing identical due diligence on all third- party agents, irrespective of risk factors, is often counter- productive, diverting attention and resources away from those third parties that pose the most significant risks. DOJ and SEC will give meaningful credit to a company that implements in good faith a comprehensive, risk-based compliance program, even if that program does not pre- vent an infraction in a low risk area because greater atten- tion and resources had been devoted to a higher risk area. Conversely, a company that fails to prevent an FCPA viola- tion on an economically significant, high-risk transaction because it failed to perform a level of due diligence com- mensurate with the size and risk of the transaction is likely to receive reduced credit based on the quality and effective- ness of its compliance program. As a company’s risk for FCPA violations increases, that business should consider increasing its compliance procedures, including due diligence and periodic internal audits. The degree of appropriate due diligence is fact-spe- cific and should vary based on industry, country, size, and nature of the transaction, and the method and amount of third-party compensation. Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs. When assessing a company’s compliance program, DOJ and SEC take into account whether and to what degree a company analyzes and addresses the particular risks it faces. Training and Continuing Advice Compliance policies cannot work unless effectively communicated throughout a company. Accordingly, DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been com- municated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and y. g business partners.*!* For example, many larger companies have implemented a mix of web-based and in-person train- ing conducted at varying intervals. Such training typically covers company policies and procedures, instruction on applicable laws, practical advice to address real-life scenar- ios, and case studies. Regardless of how a company chooses to conduct its training, however, the information should be presented in a manner appropriate for the targeted audi- ence, including providing training and training materials in the local language. For example, companies may want to consider providing different types of training to their sales personnel and accounting personnel with hypotheticals or sample situations that are similar to the situations they might encounter. In addition to the existence and scope of a company’s training program, a company should develop appropriate measures, depending on the size and sophisti- cation of the particular company, to provide guidance and advice on complying with the company’s ethics and com- pliance program, including when such advice is needed urgently. Such measures will help ensure that the compli- ance program is understood and followed appropriately at all levels of the company. Incentives and Disciplinary Measures In addition to evaluating the design and implementa- tion of a compliance program throughout an organization, enforcement of that program is fundamental to its effec- tiveness.” A compliance program should apply from the board room to the supply room—no one should be beyond its reach. DOJ and SEC will thus consider whether, when enforcing a compliance program, a company has appropri- ate and clear disciplinary procedures, whether those proce- dures are applied reliably and promptly, and whether they are commensurate with the violation. Many companies have found that publicizing disciplinary actions internally, where appropriate under local law, can have an important deterrent effect, demonstrating that unethical and unlawful actions have swift and sure consequences. DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many HOUSE_OVERSIGHT_022561