The compliance world loves its frameworks: DOJ’s three fundamental questions, France’s risk mapping requirements, the UK’s “adequate procedures” standard. But strip away the bureaucratic packaging and something interesting emerges — these disparate approaches share much of the same DNA. Former DOJ prosecutor Andrew Gentin joined World Bank senior counsel Joseph Mauro, former OECD legal director Nicola Bonucci and Paul Hastings’ Corinne Lammers, led by moderator Nathaniel Edmonds of DLA Piper, to dissect what works across jurisdictions, at the SCCE’s 2025 compliance and ethics institute.
Compliance with the panoply of international rules and regulations is among the central preoccupations of daily life for professionals in multinational corporations. And while the task is no doubt a complex one, many governmental and nongovernmental organizations have sought to clarify what it means to have an effective corporate compliance program.
Examining the principles outlined by regulators and enforcers like the DOJ in the US, the Serious Fraud Office in the UK and the AFA in France, as well as by non-enforcement international bodies like the OECD and the World Bank, reveals overlapping themes and consistent principles.
Those principles and themes were the topic of discussion in the general session Sept. 16 to start the second full day of SCCE’s 2025 compliance and ethics institute, hosted this year in Nashville.
Whether their guidance comes in the form of six principles, 10 elements or a flowchart, international bodies are making it clear that effective compliance programs share common DNA, and, perhaps, a common mission that extends beyond individual corporate protection.
“We really don’t see compliance as what one company does for itself,” said Joseph Mauro, senior counsel at the World Bank. “It’s what all companies do together to make it a more clean business environment.”
Where guidance overlaps
While the specifics of international bodies’ guidance for corporate compliance programs vary, sometimes dramatically, they all seem to rest on a common foundation, the panelists said: risk.
The DOJ’s “Evaluation of Corporate Compliance Programs” (ECCP), the most recent update of which was announced at last year’s SCCE event, poses three fundamental questions, the first being whether the compliance program is well designed, and the first subsection under that question is “risk assessment.” Risk mapping and risk management account for two of the three pillars of the AFA’s anticorruption framework, and risk assessment is one of the six principles in the UK Ministry of Justice guidance under the UK Bribery Act, which expects companies to have adequate procedures to prevent bribery. Meanwhile, the OECD and the World Bank both emphasize a risk-based approach tailored to the company’s unique circumstances.
“When companies present to [the] DOJ, you’ve always gotta start with an explanation of [how] you designed the program the way you have, and that needs to go back to the risk assessment,” said Andrew Gentin, managing director and general counsel at RosettiStar, who, until a few weeks ago, was chief of the Fraud Section’s corporate enforcement & compliance unit. “The program needs to be really tailored to the actual risks impacting the company.”
Indeed, tailored risk assessments are encouraged pretty much across the board, though implementation of requirements varies. France, for example, takes a more direct approach than American authorities.
“When you look at risk assessment in France, they take a pretty prescriptive view of the type of risk mapping that needs to be conducted,” said Corinne Lammers, chair of the compliance & regulatory counseling practice at Paul Hastings. “What that entails is actually documenting both the inherent risk, as well as the residual risk in quite a number of areas.”
Policy is one thing, though; making risk assessment requirements a reality is another, Lammers acknowledged, due to limited resources.
“It’s always the case there are more risks than you have time to do a deep dive on, so you have to prioritize,” Lammers explained. “I have yet to meet the compliance officer who tells me that they have more than enough resources and headcount and dollars to get everything done that they want to on the list.”
Other common threads of global compliance guidance include:
- Senior management commitment and tone at the top: The DOJ’s second fundamental question asks whether programs are “adequately resourced and empowered,” with management commitment as the first consideration, while France’s AFA lists senior management commitment as one of its three key anticorruption pillars.
- Third-party due diligence and oversight: The DOJ’s evaluation criteria include an entire section on “third party management.” The World Bank’s integrity guidelines flow “all the way down the supply chain to the lowest sub-subcontractor,” Mauro explained, while Nicola Bonucci, former legal director of the OECD, noted that intermediaries represent “80% of all transnational bribery cases,” calling third parties “the biggest difficulty” for compliance practitioners.
- Testing, monitoring and demonstrating effectiveness: The DOJ’s third fundamental question asks whether programs work in practice through “continuous improvement, periodic testing & review.” France’s risk management pillar focuses on detection systems and whether companies are “taking corrective action when issues arise,” and the World Bank requires companies to show “a demonstrated record of implementation,” not just policies on paper.
- Training and communication tailored to roles: The DOJ guidance emphasizes that training should be tailored to employees’ roles and risks. “The salesperson in China is gonna get a lot different training than the domestic employee,” Gentin noted, recounting incidents where companies present statistics like training “98% of employees” without ensuring the content matches job functions.
- Confidential reporting and investigation processes: The DOJ explicitly lists “confidential reporting structure & investigation process” as a key element of well-designed programs, while France’s guidance asks whether companies “have a whistle-blowing system.”
Divergent approaches
International programs and guidance, of course, are not carbon copies of each other, and expectations and approaches diverge in several important ways. Among the most meaningful is the extent to which enforcers and regulators have laid down strict rules governing corporate compliance programs.
In France, companies with at least 500 employees and annual revenue exceeding €100 million are obligated to implement anticorruption compliance programs under the Sapin II framework, while the UK Bribery Act makes “adequate procedures” to prevent bribery a company’s only defense to its corporate failure-to-prevent offense. Their counterparts at the DOJ impose no such requirement, though the existence of the ECCP guidance strongly suggests that such a program can reap rewards in the form of reduced penalties or even declinations.
Its status as a multilateral development bank rather than a national enforcer is one thing that separates the World Bank, but its unique rule around collective action is another, Mauro said: “It’s actually a requirement when companies are working with us and building a compliance program that they engage in some kind of collective project outside their own company to advance compliance in their industry, in their community.”
That requirement has a ripple effect throughout local communities around the world, Mauro said.
“One of the most fulfilling parts of this job is a lot of the companies that have been through our processes, started with a sanction, didn’t know anything about compliance, maybe were in a jurisdiction where compliance is not something that’s common,” he said. “But they go through our process, they learn about compliance, they build a well-tailored compliance program. And now they are the biggest promoter of compliance in their own area.”
Scope and focus are another area of divergence, with France taking a narrower approach than the US or UK. The AFA’s guidance is focused entirely on anticorruption; consistent with that focus, this past March, French authorities established a cross-border anticorruption task force along with the UK and Switzerland.
“It’s purely anti-corruption risk mapping,” Bonucci noted about the AFA’s requirements. “They are not really interested in the global risk mapping that any company is doing.”
Putting it into practice
The presence of overlapping principles doesn’t mean a compliance program builds itself, the panelists noted. Compliance professionals still face the practical challenge of building and testing compliance programs that satisfy multiple regulatory or organizational expectations, often with scant resources.
“I think you can’t just ignore that gap because it’s gonna come up,” Gentin said, referring to the potential that a compliance officer will need to defend their program in multiple countries. “What you want to do is put together a holistic compliance program, which is gonna work before all these jurisdictions. And it could be that the US emphasizes one thing, the French emphasize another.”
Panelists also emphasized the importance of maintaining internal ownership rather than outsourcing everything to external providers, especially when it comes to the essential risk assessment functions.
“If you externalize everything, I don’t think you will convince any law enforcement authority that you are doing really a good job,” Bonucci said. “There are tools, there are platforms, there are ways in which you can externalize, but at the end of the day, you need to have someone responsible who takes the ultimate decision.”
Gentin reinforced this point, warning that companies building risk assessments relying entirely on outside help could have some tough moments when called before the DOJ to defend their programs.
“When the chief compliance officer comes in, [they’re] gonna ask who did the work, and it could be that they used a third party consultant to do some of that.” Gentin said. “But they better be damn sure [at least] that people at the company helped design it, conducted the risk assessment and then actually followed up afterward to make the changes.”
Panelists offered other practical solutions, like integrating compliance into business operations from the outset rather than treating it as a reactive problem-solving function and focusing on demonstrating that programs actually work in practice rather than just existing on paper.
Complying with multiple overlapping international requirements has never been easy, but this year’s whipsaw-style federal enforcement changes in the US have added even more complexity, the panel acknowledged.
Fighting the good fight still matters, Bonucci said.
“This is the time for companies to decide why they’re doing compliance — and that cannot be only because they’re responding to regulatory pressures,” Bonucci observed, “because the regulatory pressures in the future may go in different directions, may even be contradictory.”