Tom Fox: How to Design, Create, and Implement the Right Compliance Program

During this episode, Tom takes us on a deep dive into his vast experience as a compliance expert. With his dynamic storytelling and razor-sharp analysis, he reveals the challenges and triumphs he has encountered throughout his career. From high-stakes investigations to navigating complex regulatory landscapes, Tom leaves no stone unturned.

Listen in as Tom explores the critical role of compliance in today’s business world. He sheds light on the importance of ethical leadership, corporate governance, and risk management. Through thought-provoking conversations, he highlights the significance of creating a culture of compliance within organizations and fostering transparency and integrity.

But it’s not all serious business. Tom infuses the episode with his unique charm and wit, ensuring an engaging and entertaining experience. From sharing anecdotes to providing practical tips, he empowers listeners to navigate the compliance landscape effectively.

Tom Fox is the Compliance Evangelist™ and the Voice of Compliance.

He’s the guy who wrote the book on compliance with his seminal one-volume book “The Compliance Handbook, 2nd edition,” published in June 2021. Additionally, Tom has authored many books on business leadership, compliance and ethics, and corporate governance, including the international best-sellers “Lessons Learned on Compliance and Ethics” and “Best Practices Under the FCPA and Bribery Act,” as well as his award-winning series Fox on Compliance.

Meiran Galis: Tom Fox, thank you very much for joining our podcast. So it’s great to have you on the call on the episode.

Tom Fox: Happy to be here. Thanks.

Meiran Galis: Thank you so much. Compliance evangelist and also known as the Voice of Compliance. You wrote books and up to 19 books actually, on business leadership, compliance and ethics, and corporate governance, doing so many things in the field and best practices under the FCPA and Bribery Act and so many more, actually. So there are so many achievements. Wow, that’s actually incredible. Maybe I forgot something. Would you tell the audience a little bit about yourself?

Tom Fox: Sure. It’s actually up to 23 books now and June was my latest publication, the third edition of the Compliance Handbook, which is, in my opinion, the best single volume on the design, creation, and implementation of a best practices compliance program. I’ve been in the compliance field since 2007. I was a general counsel at a company that had a violation of the U.S. Foreign Corrupt Practices Act and I was part of the new management team that came in to put together a compliance program. And that’s really where I learned how to design, create and implement compliance programs. I went out on my own in 2010. I wanted to be the nuts and bolts guy. And so if you need someone to help design, create or enhance your compliance program, I’m the guy.

Meiran Galis: I guess there are many complexities in the process and companies might have been asking themselves, where should they start?

Tom Fox: Well, it’s a simple program. It’s just not easy. And as you said, where do you start? Well, you start with a risk assessment because every government wants you to assess your risks. The risks of your company are going to be different than the risk of my company. One, we operate in different countries, for instance. Number two, we have different employees. Number three, your customers are not my customers, meaning they’re different. And so our risks are different. And so what the government would say to each of us for both your company and my company is assess your risks and then manage the risks you have through a compliance program.

Meiran Galis: Yeah. And thinking about that, companies, you said that the regulator might come in knocking at your door. Companies need to perform internal audits or external audits or just be prepared. How can they verify the implementation and effectiveness of the compliance program?

Tom Fox: Sure, and that’s a great point because remember when I gave the kind of eight categories? The last category was continuous monitoring. Internal audit is a part of that step. So an audit is a relatively narrow review, but a deep review. So audit may say, we want to look at your entertainment spending over the past two years. So they may come to you or me and we have to give them all of our entertainment, business entertainment for business development spend. And they would look at each one of our spending to see if we follow the policy and procedures. That’s audit. Contrast monitoring with the audit. Monitoring is a very broad look at one topic, but not very deep. So monitoring might look at spending for the last three months, they might look at it for the past six months. But monitoring can look at it across your organization. So it’s going to look at all your salesmen and say your spending is, say you have a policy which says anything over $75 spent for business development must have pre-approval by your compliance program. Well, that means anything below that you don’t. So you would look at all of your spending. Number one, if it’s above $75, was there pre-approval? Number two, do you have one salesman who has 100 receipts for 77 dollars and 99 cents tell you something as well? So monitoring and auditing are both tools to use in your continuous monitoring process. They have different functions, but they’re both an important part of a best practices compliance program.

Meiran Galis: Wow, that just raises many other questions, but that’s a great idea. Where to start? And also, it seems that also ethics is about compliance with the FCPA because ethics has something to do I think it’s closely related, ethics and FCPA, what do you think about that? Does it?

Tom Fox: Sure. And so in the United States, the U.S. Department of Justice talks about what is your corporate culture? Do you have a culture that asks each employee to do business in the right way, meaning don’t pay bribes to get business? That’s ethics. And so what’s the tone in your organization? Is your organization one that follows the rules? How do you measure that? How do you assess that? Because if it’s important to the U.S. government, it’s important to you and me, and it’s important to our companies. So how you assess that issue of ethics and corporate culture is extremely important, but you have to find a way to do that because it’s important to the government. So ethics is absolutely a part of compliance. Compliance is how you implement the ethical values of your organization, which is another way of saying your corporate culture.

Meiran Galis: Yeah. Is this the thing that the code of conduct and ethics that every employee in the company needs to sign when he’s hired for a new role in a company?

Tom Fox: Absolutely, and for a couple of reasons. Number one, so I’m a lawyer by professional training, and I believe everyone should know what the rules are. And your code of conduct broadly sets the rules. It doesn’t give you the specifics, but it may say don’t pay bribes. It may say don’t collude with competitors for anti-competitive actions. It may say don’t discriminate. They say a variety of things. So it’s going to set the general tone for your organization. So it’s important that when an employee, a new employee comes to your company, you give them code of conduct training so you can begin to set that tone. One, they get to know the rules. Two, you set the tone. And if I’m a new employee and I see that your company has a robust code of conduct, I’m going to understand this is what you expect of me when I do business for this company. So it’s important to set expectations. And lastly, it’s important to set not simply the expectations, but try to set the corporate culture or the tone of the organization through your code of conduct. So I believe every new employee should receive code of conduct training. You have to be tested on it to prove you’ve taken it and you understand it. As a lawyer, I’m all for telling people what the rules are, but it’s much broader than telling them what the rules are. It’s really to set the tone of the organization and the expectations for each employee.

Meiran Galis: All right, no, that makes sense. And I’ve experienced this process myself working at EY and also our company Scytale. This is actually a mandatory process for a place to come and read the code of conduct, understand, get training, and eventually sign and consent to the code of conduct. But I will think and that’s connected, get me back to the previous subject and monitoring the effectiveness, I guess it’s not easy. It’s very broad. It’s comprehensive across the company. You know what you know, you know what you don’t know. But sometimes there are things that you don’t know that you don’t know. So it’s quite challenging in some cases for a company into monitoring the effectiveness. Do you see any trends on that space?

Tom Fox: Sure. So you’re absolutely right, and you coming from EY is the perfect example. I’m sure you had a robust code of conduct. I know you do, and I know you have training on that, just as I was with major energy companies in Texas where I had code of conduct training, and I was tested on that training. I had to teach that as a lawyer in the legal department. But you can’t anticipate every situation in a code of conduct, nor should you. You try to give broad guidelines, don’t pay bribes, don’t discriminate, don’t engage in anticompetitive behavior, et cetera. But what I would ask of you if I was giving you training is if you have a question, raise your hand, call compliance. What I try to tell people in training is the most important thing I want you to leave here with is if you have a question, pick up the phone, call me, raise your hand, ask your supervisor, talk to someone, speak up, whatever it may be. And it could be a 32-second call. It can be the example I gave about the $75 limit on your expenditure. You call me and say, Tom, I’m going to a very expensive restaurant. I have a very important client. I wanted to let you know that we may go over the 75. Can I call you at home to get an approval when the bill comes? Answer: sure. Is a verbal approval acceptable in that circumstance? Absolutely. If you’re sitting in the restaurant and your bill has come in, you’ve got a very nice bottle of wine, maybe a little more expensive than usual, and you call me and say, Tom, I’ve got this. Can I get it? Absolutely. But for me in the compliance function, one, I want you to trust me enough to pick up the phone. Two, I want to be there when you, as the business person, have that question. And three, I need to have the professional and subject matter expertise to answer your question. You don’t have to know everything about compliance. That’s the job of the compliance officer. And they should be able to answer your question about can I give this gift? Can I give this dinner? Can I do something quickly and efficiently so you can go do business for the company?

Meiran Galis: Yeah, you don’t know, just ask. As simple as that.

Tom Fox: Exactly. I could not have said it better. In fact, I’m going to steal that line from you. If you don’t know, just ask. That’s great.

Meiran Galis: Yeah. That’s maybe the secret when it comes to compliance. And just before we finish, many people are thinking about getting into the compliance space. And do you have any tips for people at the beginning of the journey, maybe lawyers or just personnel that really find this inquisitive about compliance? Any tips for them?

Tom Fox: Sure. And that’s a great question because I came to compliance from the general counsel’s office. I didn’t start in compliance like most people my age. We all started our career somewhere else and gravitated to compliance either or whatever the reason was, and I’m one of those people. But now compliance has become so important and so significant in every corporation that compliance is recognized as its own discipline. And there is now professional training you can get at the university level, at the graduate level, you can get MBAs focusing on compliance. You can take law schools now, have compliance courses you can take. And it’s a great opportunity for people in university right now or people who are thinking of making a change of going into a field that’s relatively young, relatively new, but it’s going to be around here forever. Go ahead. I see ESG as an outgrowth of compliance, and ESG is the most ubiquitous term in the corporate world right now, I think literally across the world. And so if you have the skills to do compliance, you can do a wide variety of things in a corporation. Some of those skills, as I’ve said, I don’t know how many times, I’m a lawyer, so I look at things through a lawyer’s eyes and I think it’s a value to know the law. But you don’t need to be a lawyer to be in compliance. You can be from marketing, you can be from supply chain, you can be from business operations, you can be from finance. All of those skills are incredibly important to compliance. The interpretation and use of data is probably the most important skill a person can have now going into compliance. Unfortunately, that’s not a skill I have. I can read and write and I tell you what the law is and I can tell you how to build a program. I’m not very good with numbers, nor are many lawyers. So if you really want to distinguish yourself in compliance and your professional background is as good as any with EY, whatever your work you did with EY was, and I don’t know what it is, but I know it involved numbers. And so you have a set of skills I don’t have. And whether it was audit, whether it was research, whether it was consulting, it doesn’t matter. You brought a different set of eyes to problems than I did and so you would have an advantage over someone like me who is legally trained. So the field is wide open. It’s open for women, it’s open for men, it’s open for non-lawyers and it’s only going to grow.

Meiran Galis: Amazing. That’s super curious and I’m sure many people understand that that’s the future. It’s already been the past, it’s the present, it’s the future. It’s only going to grow for different spaces. I see this in the information security space. Compliance became a big thing when it came to data in financial, in legal and actually everywhere. So compliance is the future. And I think that personally, I’m very curious about that. And thank you very much for sharing from your insights and knowledge, this was fascinating. Thank you very much Tom, and hope to meet with you again soon.

Tom Fox: Well, I hope so. Thank you for having me on your show.

Meiran Galis: Thank you so much.