Sunday was the 69th anniversary the most iconic photo of World War II, at least from the American perspective. Of course it was the raising of the American flag at Mt. Suribachi on Iwo Jima. To say that one photo cannot change the lives of those pictured is belied by this image. The photographer, Joe Rosenthal, won a Pulitzer Prize for the photograph. While three of the six flag-raisers died fighting on Iwo Jima, one survivor, Rene Gagnon appeared during half time at the 1969 Orange Bowl; Ira Hayes was immortalized songs both by Johnny Cash and Bob Dylan and the last remaining flag-raiser, John Bradley, died in 1994.

I once tried a lawsuit in Harlingen County, Texas, where the name of one of the flag-raisers, Harlon Block, is inscribed in the Memorial to the county’s deceased war veterans on the courthouse square. The Judge of the trial used it as an example of civic duty and, years later, when I read James Bradley’s book, “Flags of Our Fathers”, about his father John Bradley and the men who raised this flag, I learned that the Judge in my trial was one of 16 high school seniors from Harlingen High School who all volunteered for enlistment on the same day. Harlon Block was one of the Judge’s classmates and they volunteered together. I am still moved when I think of that story.

One of the commitments I believe can enhance a compliance program is the creation of a compliance committee. As far back as in the 2005 Monsanto Corporation Deferred Prosecution Agreement (DPA) the compliance committee concept appears to have found favor with the Department of Justice (DOJ). In Appendix B to the DPA, Monsanto agreed to, among other things, “the establishment and maintenance of a committee to supervise the review of (I) the retention of any agent, consultant, or other representative for purposes of business development or lobbying in a foreign jurisdiction”, or a Compliance Committee. Later, this concept was used in the settlement of Halliburton’s shareholder action around its Foreign Corrupt Practices Act (FPCA) enforcement action.

The Monsanto DPA provides guidance on this point by stating “The majority of the committee shall be comprised of persons who are not subordinate to the most senior officer of the department or unit responsible for the relevant transaction;” this would indicate that senior management should be involved in the Compliance Committee. It would also indicate that more than one department should be represented on the Compliance Committee. This would include senior representatives from the Accounting (or Finance) Department, Compliance & Legal Departments and Business Unit Operations.

The Society for Corporate Compliance and Ethics (SCCE) Complete Compliance and Ethics Manual suggests the following language in its proposed form of Compliance Committee Charter:

The compliance officer shall have ultimate responsibility for operating the compliance program, with the support and assistance of the compliance committee. The committee shall consist of ### members, representative of each major department or area. The committee may appoint ad hoc members, each to serve at the pleasure of the committee, to assist and advise the committee in carrying out this charter. While the ad hoc members of the committee are not entitled to vote on matters formally considered by the committee, the ad hoc members shall be entitled to call a meeting of the committee and, further, to have any matter included on the agenda of any meeting of the committee. The committee shall designate the proper manner for calling meetings and the setting of agendas thereto.

The compliance officer and committee shall retain a direct line of communication with and a direct reporting responsibility to the board of directors, executive committee, and CEO.

In the November/December issue of the SCCE Compliance & Ethics Professional magazine, Donna Boehme wrote an article entitled “Building a horse and not a camel: The compliance committee”. Where she cautioned that “More often than not, a [compliance] committee that is conceived with all best intentions evolves into something less that ideal: (a) a team of micromanagers that routinely substitutes its judgment for that of the CCO; (b) a source of unnecessary red-tape and ‘make-work’ for the compliance function, (c) a filter between the CCO and the governing body.”

To remedy these potential pitfalls, Boehme recommends three rules for building an effective compliance committee.

1. The compliance committee should have a clear, written charter that sets out the functionality, goals, and parameters of the group, along the lines discussed above.
2. The CCO should chair a committee of her peers-senior level officers in a position to make decisions and marshal resources.
3. The compliance committee should be periodically reviewed for effectiveness and adjusted as necessary to meet the stated goals of the charter.

One of the things  Boehme makes clear is that “every compliance structure should be fit-for-purpose.” In other words, if your company’s highest compliance risk is third party relationships, I think you should focus your compliance committee resources on that issue. The scope of this was not fleshed out in the Monsanto DPA. However, it suggested that a company should incorporate both a pre-execution function and a post-execution management function in overseeing the full relationship with any third party. While this would most necessarily focus on FCPA compliance, there should also be a commercial component to this function.

To this end, a compliance committee should review all documents relating the full panoply of a third party’s relationship with a US company. This would begin with a review of any initial requests to engage a new third party. The information presented to the compliance committee would include a Business Unit’s request to engage the third party, the costs and benefits. The next step would be to review the due diligence and all background investigative materials on the prospective third party.

The compliance committee should receive copies of, and approve, all due diligence and background investigative materials before a contract is executed with a third party. Particular attention should be paid to the form of the contract. If there are deviations from the company’s standard form of agreement, with regard to the FCPA compliance issues, there should be a full explanation by the third party or Business Unit. The compliance committee should determine if the company is taking on any unwarranted FCPA compliance risk if non-standard FCPA compliance terms and conditions are used.

After the commercial relationship has begun the compliance committee should monitor this relationship on no less than an annual basis. This annual audit should include a review of remedial due diligence investigations on the third party with at least a minimum of a Level One Due Diligence and higher levels of Due Diligence based upon an appropriate risk rating. There should be an evaluation of any new or supplement risk associated with any negative information discovered from a review of financial audit reports on the third parties. All FCPA compliance training should be reviewed and certifications confirmed. The compliance committee should review any reports of any material breach of contract including any breach of the requirements of the Company Code of Ethics and Compliance. As with all things FCPA the three most important words here are Document, Document and Document. If you cannot produce documentary evidence to the DOJ of your annual review and its findings, it is of no use to your company.

In addition to the above remedial review, the compliance committee should review all payments requested by the third party to assure such payments are within the company guidelines and are warranted by the contractual relationship with the third party. Lastly, the compliance committee should review any request to provide the third party with any type of non-monetary compensation and, as appropriate, approve such requests.

The compliance of a third party is one of the key tools that a company can use to prevent and detect any violation of its own Code of Ethics and Compliance and the FCPA. The proper structure of the compliance committee and its full engagement with all aspects of a company’s relationship with a third party is one of the areas that the DOJ will look for in a successful FCPA compliance program.

A compliance committee is a key tool, which can be utilized by a company to manage its relationships with its third parties. Its use has been commented upon favorably by the DOJ through its citation in the Monsanto DPA. A Compliance Committee does not replace any of the other key components of an effective FCPA compliance program but it does provide an additional level of protection, back-up and transparency for all deals with a third party. It should be employed by US companies as an additional protection against any type of FCPA compliance and ethics violation “slipping through the cracks” to become a much larger problem down the road.

But take Boehme’s cautionary words to heart, that the guiding principles of a compliance committee should be that it helps and does not hurt your overall compliance efforts going forward. And then use the raising of the flag on Iwo Jima to think about commitment.