8 Journal of Regulatory Compliance Issue II
amendments charged Boards of Directors and senior executives with the
responsibility for the oversight of an entity’s effective compliance and ethics
programs and understanding the legal and compliance risks, both internally
and externally, 17 that could potentially harm their organizations.
B. Expanded Impact
The boundaries of organizations were being redrawn. The FSGO’s
requirements extended beyond the organization’s own employees. It
specifically talked of “agents” of the organization. 18 In an expanded world
of outsourcing and third-party relationships, this became a critical concern.
Outsourced services did not relieve organizations of their compliance
responsibilities and liabilities. FSGO expanded the scope of compliance and
ethics beyond the outsourcing organization, and with it the need for enhanced
due diligence of third parties. One writer noted that the amendments had the
intended (or perhaps unintended) consequence that “ethical programs should
extend up and down the supply chain.” 19 The need to understand and address
compliance and ethical vulnerabilities and risks related to third parties
extended beyond the FSGO. Initiatives in both the U.S. and internationally
have addressed third-party compliance risks. 20 The FCPA imposed stringent
compliance requirements 21 on third-party relationships. The Federal
behavior . . . . An organizational culture that encourages a commitment to compliance with the
law includes positive actions which demonstrate that law compliance is a key value within the
organization.” RICHARD BEDNAR ET AL., REPORT OF THE AD HOC
ADVISORY GROUP ON THE ORGANIZATIONAL SENTENCING GUIDELINES 51 (2003),
17. The focus on recognizing both internal and external risks is noted in the April 2015
publication by the Office of Inspector General (OIG), Department of Health and Human
Resources: U.S. DEP’T OF HEALTH & HUMAN SERVS., OFFICE OF INSPECTOR GEN., PRACTICAL
GUIDANCE FOR HEALTH CARE GOVERNING BOARDS ON COMPLIANCE OVERSIGHT 14 (2015),
https://oig.hhs.gov/compliance/compliance-guidance/docs/Practical-Guidance-for-Health-Care-Boards-on-Compliance-Oversight.pdf [hereinafter U.S. DEP’T OF HEALTH & HUMAN
18. U.S. Sentencing Guidelines Manual, supra note 1. “Agent” means any individual,
including a director, an officer, an employee, or an independent contractor, authorized to act
on behalf of the organization.
19. Abe J. Zakhem, Organizational Ethics Programs and the Need for Stakeholder
Discourse, 1 J. BUS. THEORY & PRAC. (2013).
20. On February 18, 2010, the Organisation for Economic Co-operation and Development (OECD) adopted
“Good Practice Guidance on Internal Controls, Ethics and Compliance” that provides for
ensuring effective internal controls, ethics and compliance programs or measures for the
purpose of preventing and detecting foreign bribery. This was especially applicable to third parties. OECD, GOOD PRACTICE GUIDANCE ON INTERNAL CONTROLS, ETHICS, AND
COMPLIANCE (2010), http://www.oecd.org/daf/anti-bribery/44884389.pdf. In 2014, the
International Organization for Standardization (ISO) issued 19600:2014, which is guidance for
compliance management systems that focused on external risks. ISO, 19600:2014 (2014).