In December 2008, Siemens AG, Europe’s largest engineering and electronics conglomerate, settled Foreign Corrupt Practices Act (“FCPA”) charges with the DOJ and SEC for a record-setting $800 million. Aside from the scope of the violations and the size of the penalties, the Siemens case was noteworthy because it so clearly criticized the deficiencies in the company’s compliance program. The DOJ charging papers stated that Siemens merely adopted a “paper program” largely limited to distributing anti-corruption policies without establishing a culture of compliance reinforced by adequate training and controls.

The FCPA prohibits U.S. persons, companies, and issuers from, among other things, bribing or attempting to bribe a foreign official to secure an improper business advantage. As the DOJ and SEC increasingly investigate small and medium-sized companies for potential FCPA violations, the lessons learned from the Siemens settlement are as important today as they were in 2008.  Drafting a comprehensive anti-corruption policy is of little use if it is not enforced, if the company’s compliance personnel are not empowered, or if no one in the organization is trained on how to spot corruption red flags. Companies (and their lawyers), particularly those with significant international operations or overseas sales, must ask themselves whether they too have a “paper” compliance program, assuming they have an anti-corruption program at all.

The following approaches, though not exhaustive, will help ensure that your anti-corruption compliance program is on sure footing and mitigate the damage should your organization face an FCPA investigation.  First, draft an anti-corruption policy that is tailored to your company’s risk, geographic footprint, and other unique considerations. You should not pull an FCPA policy off of a shelf—one size certainly does not fit all. While most anti-corruption policies will contain similar elements, the DOJ and SEC are more impressed with companies that take a risk-based approach to compliance rather than those who simply throw money at the problem and try to emulate what they consider to be a best-in-class compliance program. At the very least, the policy should emphasize a company’s commitment to adhering to both the spirit and letter of the law, as well as explain common FCPA pitfalls, such as travel and entertainment expenses or the role of consultants and agents.

Drafting a sound anti-corruption policy is only the beginning. You need to make sure that employees at all levels are aware of the policy, and that those who represent the greatest FCPA risk are regularly certifying their compliance. Some companies choose to make their anti-corruption policy part of their employee welcome packet. Be careful, however, that the policy is not just another document that everyone has to read and sign. Companies should consider having employees—or at least a subset of high-risk employees—recertify on an annual or semi-annual basis that they have reviewed and understand the policy. Companies should do the same for any overseas consultants or agents.

Next, among the criticisms of Siemen’s compliance efforts was that the company lacked a mandatory FCPA training program. Risk-based and continuous training is a key factor that the DOJ and SEC will consider when evaluating a company’s efforts to comply with the FCPA, and may potentially lessen the consequences of a violation. Training may be in-person, self-led, web-based, or some combination thereof. Moreover, to the extent feasible, companies should tailor their training to the particular audience. For instance, while it may be appropriate to discuss legal standards and concepts when delivering training to the General Counsel’s office, legal jargon is probably not appropriate when delivering the same training to a company’s sales team.

Again, one size does not fit all. Companies should be balancing their resources against their compliance risk. And what do we mean by risk-based? For instance, if a company employs 1,000 people, 900 of whom work in a factory in Oklahoma and 100 work overseas selling and marketing the company’s products to foreign governments, the company should focus its training efforts on those 100 employees who are more likely to deal directly with a foreign official.

The government also criticized Siemens for not appropriately investigating and responding to corruption red flags. Assuming a company has adequately trained its employees, and the policy provides a mechanism for those employees to report suspected corrupt activity, the company must ensure that it responds quickly and effectively. The company must first assess the allegations to determine the scope of the investigation and who should conduct the investigation. Decisions regarding an FCPA investigation should be taken at the highest level possible to ensure accountability.  For instance, the DOJ noted that serious allegations of bribery in the Siemens case were never even referred to the Board of Directors or the Audit Committee. Depending on the circumstances, the Company may not be in a position to investigate the allegations internally and should considering bring in outside counsel to conduct a thorough, impartial investigation.

Finally—although certainly not exhaustively—companies should ensure that their compliance function is adequately resourced and empowered to monitor the anti-corruption program and conduct the due diligence necessary to help prevent FCPA violations in the first place. The DOJ criticized Siemens for failing to establish a “sufficiently empowered and competent” compliance department. The adequacy of compliance resources will vary from organization to organization. After all, a company with 50 employees cannot be expected to spend the same amount of money on compliance as a company with 500 employees. But to the extent possible compliance staff should be independent and, ideally, not dual-hatted. Companies should, on a risk-based standard, conduct due diligence on third-party agents or consultants who operate overseas and potential acquisitions or joint ventures in countries known to have high levels of official corruption.

Anti-corruption compliance means more than drafting a policy or memorandum and sticking it in a drawer. If they hope to avoid FCPA liability, companies and their counsel should be prepared invest the time and resources commensurate with their risk. As the DOJ has been saying for years now, a paper anti-corruption program just doesn’t cut it.