International enforcement authorities have high expectations when it comes to companies addressing compliance failures. Responding to and remediating issues of misconduct in a swift and effective manner can greatly limit the scope of a company’s legal exposure and mitigate collateral risks. Consistent with this approach, it is important for companies to focus remediation efforts on addressing weaknesses in internal controls, making enhancements to their compliance programmes and conducting targeted remedial training for employees and relevant business partners.
- The importance of taking corrective action during an investigation.
- Implementing a structured process for root cause analysis.
- What should be included in a remediation plan.
- Taking disciplinary or remedial actions against culpable employees and third parties.
- Making enhancements to a compliance function.
- Improving, updating and expanding training.
Referenced in this article
- General Cable Corporation
- Telefonaktiebolaget LM Ericsson
- Kinross Gold Corporation
- Fresenius Medical Care AG & Co KGaA
- Airbus SE
- US Department of Justice and Securities and Exchange Commission
- UK Serious Fraud Office
- US Department of Justice’s Evaluation of a Corporate Compliance Program
- France’s National Financial Prosecutor
In a previous Europe, the Middle East and Africa Investigations Review, we explored best practices for conducting internal investigations in Africa. Here we turn to a related but equally important topic – how companies can effectively remediate when their internal investigations identify compliance issues.
Even companies with the most robust compliance programmes can expect to identify misconduct at some point. Responding to and remediating those issues swiftly and effectively can have a tremendous impact in limiting the scope of a company’s legal exposure and mitigating the collateral risks that come with compliance failures, such as reputational risk and adverse commercial consequences. In addition to potential reductions in amounts paid for fines or penalties, effective remediation can save a company significant amounts in professional fees.
International enforcement authorities have high expectations when it comes to addressing misconduct. The challenges associated with doing business in Africa, though well known, will not relax those expectations. Below, we discuss what international enforcement authorities expect companies to do when misconduct is identified and we offer practical guidance on how to approach remediation on the continent.
Enforcement authority expectations and best practices
Taking corrective action during the course of an investigation
From the outset of any internal investigation, companies should be thinking about how to address identified compliance issues through prompt and effective remedial action. Taking corrective action during the course of an investigation, rather than waiting until the end of the investigation, is not only consistent with the expectations of international enforcement authorities, it also can help a company put a swift end to any ongoing misconduct and avoid further losses or liability that may be caused by control deficiencies underlying the misconduct.
For example, the US Department of Justice (DOJ) may recommend reduced penalties or decline to prosecute a company, in part, based on that company’s ‘timely and appropriate remediation in [Foreign Corrupt Practices Act (FCPA)] matters.’ The International Organization for Standardization (ISO) guidance on anti-bribery management systems lays out a similar expectation, stating that:
[w]hen a nonconformity occurs, the organization shall react promptly to the nonconformity, and as applicable [. . .] take actions to control and correct it [and] deal with the consequences. 
While fully identifying the root cause of a particular compliance issue may require a company to conduct a thorough analysis of its controls, operations and culture, a company will often have enough information midway through an investigation to take effective remedial action. For example, if a company determines early in an investigation that one of its business partners has made improper payments on the company’s behalf, but additional investigation is needed to determine who at the company was involved in authorising such payments and the amounts at issue, the company can still take steps to mitigate risk, such as putting a freeze on payments to the partner or even terminating the relationship with the partner altogether.
Not only do international enforcement authorities expect such prompt action, but there is often a relationship between the remedial steps a company takes and the scope of further investigation by the authorities. In other words, companies can narrow the scope of the investigation by taking swift action to mitigate the identified risks. By way of example, in the case of the business partner previously mentioned, by promptly freezing payments to or terminating the partner, the company may be able to save itself the time and expense of having to conduct a burdensome forensic accounting exercise that might be expected if the company was to continue doing business with the partner.
Furthermore, in addition to giving the company ‘mitigation credit’ that may result in reduced fines and penalties, remediating during the course of an investigation may be essential in enabling the company to avoid the potentially burdensome compliance measures that are sometimes imposed in enforcement actions, such as an independent compliance monitor. To this point, in the 2018 DOJ guidance on the selection of compliance monitors, the DOJ explained that:
[w]here a corporation’s compliance program and controls are demonstrated to be effective and appropriately resourced at the time of resolution, a monitor will likely not be necessary. 
Performing a root cause analysis and developing and executing a remediation plan
While taking corrective action during the course of an investigation is a best practice that can help to stop misconduct in its tracks, it is also important for companies to take the time to identify and address the root cause, or causes, of the misconduct. In its April 2019 guidance on evaluating corporate compliance programmes, DOJ noted that:
a hallmark of a compliance program that is working effectively in practice is the extent to which a company is able to conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes’ sufficient to ‘identify future risk’ and ‘reduce the risk of repetition of . . . misconduct. 
The DOJ has not provided detailed guidance on what a root cause analysis is or how a company should go about conducting one. While it may already be the practice of some companies to conduct such an exercise as part of broader investigation or remediation efforts, international enforcement authorities may now expect companies to show evidence of a discrete exercise, separate from the investigation of underlying misconduct, that can credibly be called a root cause analysis.
There is no ‘one size fits all’ approach to conducting an effective root cause analysis. However, companies can be guided by a number of best practices in this area.
- First, companies should consider developing a structured process for a root cause analysis that produces written work product. In designing such a process, it may be helpful for a company to look to its practices in other areas where root cause analyses are employed. For example, a company that has procedures associated with understanding the root causes of industrial accidents may be able to leverage existing processes to develop a robust root cause analysis process for compliance matters.
- Second, a company should look beyond the immediate compliance incidents under investigation and their most direct causes to also consider and investigate broader underlying causes, such as business pressures, misalignment of incentives, cultural issues or personnel issues.
- Third, a company should consider whether its compliance function has a sufficient understanding of the business operations at issue to truly understand the root causes. If not, a company may wish to consider implementing strategies to enhance the compliance department’s understanding of the relevant business unit or function – for example, by developing cross-functional compliance committees, rotating operational personnel into compliance roles or appointing ‘compliance champions’ within key business units.
Companies should also ensure that they have structured processes in place to develop and implement remediation plans based on the root cause analyses that are conducted. Whereas a root cause analysis focuses on the underlying causes of misconduct, a remediation plan should focus on the concrete steps the company will take to correct those failures. As with a root cause analysis, there is no prescribed methodology that the DOJ or other enforcement authorities instruct companies to follow, but in our experience, it is important that the remediation plan be a standalone document including specific, actionable steps to address the identified compliance issues. The plan should designate individuals as action owners who are accountable for executing specific items and it should contain specific deadlines for the completion of such action items. The deadlines should then be monitored and enforced to ensure that the action items do not fall by the wayside due to competing business demands or personnel changes.
It is also crucial that companies follow-up and test whether remedial actions are effectively implemented. Failure to follow through with monitoring and testing of remedial actions is something that international enforcement authorities will seize upon and this can prejudice a company in resolution of enforcement actions. For example, in its 2016 enforcement action against General Cable, the US Securities and Exchange Commission (SEC) noted that, although General Cable had instructed management at two of its subsidiaries to cease payments to a particular agent in Angola, a company employee nonetheless approved a payment of a past due commission of approximately US$340,000 to the agent. The SEC noted that this and other perceived shortcomings in the company’s remediation efforts ‘allowed [mis]conduct to continue.’ Further, in evaluating whether an independent compliance monitor is necessary, DOJ guidance instructs prosecutors to consider:
whether remedial improvements to the compliance program and internal controls have been tested to demonstrate that they would prevent or detect similar misconduct in the future. 
Taking appropriate personnel action
As investigations unfold, one of the key issues that companies must confront is how to handle situations in which employees are involved in misconduct. More challenging questions often arise with respect to employees who are not directly involved in misconduct but arguably bear some responsibility for it – for example, where an employee is aware of misconduct but fails to report it or where an employee in a management or control function could have detected or stopped the conduct but failed to exercise effective oversight.
Taking disciplinary or other remedial actions against culpable employees is a fundamental component of good governance and is expected by international enforcement authorities. Indeed, in evaluating whether to afford a company mitigation credit in an enforcement action, the DOJ will give significant weight to whether the company has appropriately disciplined employees:
including those identified by the company as responsible for the misconduct either through direct participation or failure in oversight, as well as those with supervisory authority over the area in which the criminal conduct occurred. 
Where credible concerns arise that an employee may have engaged in unethical or unlawful conduct, a company should consider whether immediate personnel action, such as changes to responsibilities or a period of ‘garden leave,’ may be appropriate while those concerns are being investigated. Once concerns of misconduct have been substantiated, the findings should be weighed to assess whether termination is warranted or, in the case of less serious misconduct, other actions such as reducing or eliminating incentive compensation or issuing warning letters to put employees on notice about the ramifications of being associated with misconduct. When considering employee discipline in Africa, companies are well advised to consider as early as possible the relevant legal labour and employment questions that might arise if an employee is going to be subject to discipline. As a general matter, many African jurisdictions have labour and employment laws that are far more employee-friendly than those in the United States, with strict notice requirements often applicable and disciplinary hearings common. These legal regimes can raise a host of challenging issues for companies trying to navigate internal investigations, such as whether the attorney–client privilege can be maintained over internal investigation findings if the company relies on those findings as a basis for employee discipline.
Where a culpable employee is retained, it is often advisable not only to take action to discipline the employee but to provide the employee with coaching or tailored remedial training to ensure that the employee is clear on the company’s expectations going forward, as well as the resources available to the employee to assist in navigating compliance challenges. Follow-ups in the form of enhanced supervision of the employee, such as monitoring of employee expenses, may also be useful, particularly if the employee has the authority to approve company expenditures, engage third parties or interact with government officials. Such actions not only seek to hold accountable those who may be linked to the misconduct, but just as importantly help to minimise the risk of misconduct reoccurring.
Enforcement authorities have explicitly referenced companies’ efforts to take action against employees when describing remediation efforts in Africa-related enforcement actions. For example, since 2018 alone, the DOJ and the SEC have credited Société Générale and Kinross Gold for separating/or replacing employees who participated in or had knowledge of misconduct. Similarly, the UK judgment that approved the Serious Fraud Office’s proposed deferred prosecution agreement (DPA) with Airbus cited changes made to the company’s senior leadership – including the appointments of a new chief executive, new chief financial officer and new general counsel – and disciplinary investigations against its ‘top and senior management employees’ that resulted in 31 dismissals, as being among the remedial measures undertaken by Airbus that transformed it into ‘effectively a different company’ and contributed to the court’s decision to approve the DPA. On the flip side, we see examples of companies who have not received full mitigation credit in enforcement actions due to their perceived failure to appropriately discipline culpable employees. For example, in Ericsson’s recent FCPA settlement with the DOJ, which involved conduct in East Africa (among other countries), the DOJ stated that Ericsson did not receive full credit for cooperation and remediation pursuant to the FCPA Corporate Enforcement Policy, in part because it ‘fail[ed] to take adequate disciplinary measures with respect to certain executives and other employees involved in the misconduct’.
As noted above, enforcement authorities also expect companies to take appropriate action against managers whose failings in supervision contribute to misconduct. For example, the DOJ credited General Cable in its 2016 enforcement action for not only taking action against employees directly involved in the misconduct, but also extending such action to managers who failed to effectively supervise those employees or take appropriate steps in response to red flags. To this point, the DOJ has been clear in its expectations that in remediating misconduct companies should look beyond the circle of employees directly involved in misconduct and consider business functions that have ownership of the policies, procedures or controls that failed or were circumvented. A key question that the DOJ instructs its prosecutors to ask is:
[i]f policies or procedures should have prohibited the misconduct, were they effectively implemented, and have functions that had ownership of these policies and procedures been held accountable? 
Accordingly, as a company seeks to determine the root cause of the misconduct and the potential policies, procedures or controls that failed, it should consider whether individuals in control or ‘gatekeeping’ functions should be subject to personnel action.
It is also important for companies to strive for consistency in employee discipline. International enforcement authorities are particularly focused on issues of procedural fairness and whether companies are even-handed in meting out discipline. As the DOJ explains, ‘[p]rosecutors should assess whether the company has clear disciplinary procedures in place [and] enforces them consistently across the organization.’ In line with these expectations, companies should be mindful of whether senior employees or high-performers tend to be treated more favourably than others. To address such concerns, companies are well advised to benchmark proposed personnel actions against similar historical cases and to give the compliance function a ‘seat at the table’ in decisions on personnel actions.
Key questions from the DOJ’s evaluation of corporate compliance programmes
- What disciplinary actions did the company take in response to the misconduct and were they timely?
- Were managers held accountable for misconduct that occurred under their supervision?
- Did the company consider disciplinary actions for failures in supervision?
- What is the company’s record (eg, number and types of disciplinary actions) on employee discipline relating to the types of conduct at issue?
- Has the company ever terminated or otherwise disciplined anyone (reduced or eliminated bonuses, issued a warning letter, etc) for the type of misconduct at issue?
- Have disciplinary actions and incentives been fairly and consistently applied across the organisation? Are there similar instances of misconduct that were treated disparately, and if so, why?
- What has senior management done to let employees know the company’s position concerning misconduct? What communications have there been generally when an employee is terminated or otherwise disciplined for failure to comply with the company’s policies, procedures and controls (eg, anonymised descriptions of the type of misconduct that leads to discipline)?
Companies should also consider how disciplinary actions are communicated to employees. DOJ guidance notes that ‘some companies have found that publicizing disciplinary actions internally, where appropriate, can have valuable deterrent effects’ and offers the example of ‘anonymized descriptions of the type of misconduct that leads to discipline.’ While this may be an effective deterrent measure in some cases, the value of such communications will depend on whether the audience has the perception that employees have been treated fairly by the company. Moreover, privacy considerations may weigh against issuing such communications – particularly in countries with robust data protection laws. Regardless of whether cases are publicised, companies should be mindful that the reasons for personnel actions may later be subject to review, with enforcement authorities testing whether ‘pre-textual reasons [have] been provided to protect the company from whistleblowing or outside scrutiny.’
Finally, effective remediation of personnel-related compliance issues in Africa often requires early and robust stakeholder engagement. For example, compliance personnel should, as early as possible in the process of developing remediation plans, have discussions on the operational impact of terminating an employee, especially given that significant capacity constraints affect many companies in Africa. This stakeholder engagement may require discussions with internal and external stakeholders – potentially including government officials who are accustomed to dealing with particular individuals at the company.
Addressing problematic third parties
It is also crucial for a company to take appropriate action with respect to third parties that engage in misconduct in the course of performing services for the company. In some cases, companies will be best served by taking remedial action before they have definitive proof that a third party engaged in misconduct. Companies may, for example, consider halting the relationship with a third party or freezing any outstanding payments, until compliance issues can be adequately investigated.
The suspension of a relationship or a payment freeze does not always mean the death of a company’s relationship with a third party and that should be communicated to the third party and business stakeholders. It is our experience that, in many instances, companies will suspend a relationship or freeze payments to a third party while they conduct an investigation and begin working with that third party to release any outstanding payments after the company is satisfied that the third party has been cleared of any misconduct or has implemented adequate control enhancements. As expected, taking these steps can cause tension between a company and a third party, so it is important that those conducting the investigation approach their work with urgency and that they remain in regular communication with the key personnel responsible for blocking payments and liaising with the third party.
Actions taken at the start of an investigation often pay dividends in the end. Halting or suspending relationships with third parties that may be connected with the misconduct, such as taking personnel action against employees, is critical to minimising the risk of the misconduct reoccurring and satisfying enforcement authorities’ expectations. International enforcement authorities have highlighted and credited the remedial steps that companies have taken as they relate to third party relationships in a number of recent enforcement actions involving countries in Africa. For example, in recent FCPA enforcement actions DOJ credited:
- General Cable for ‘[t]erminating the business relationships with forty-seven third party agents who participated in the misconduct’;
- Kinross Gold for ‘[t]erminating the use of the third-party consultant . . . [used] to obtain visas and work permits [associated with the misconduct]’; and
- Fresenius for ‘terminating business relationships with third party agents and distributors involved in the misconduct.’
Conversely, a company may face criticism for failing to terminate third-party relationships in the face of an investigation. For example, during the course of an investigation into suspected bribery via a third party owned by a government official, a subsidiary of Sweett Group plc failed to immediately terminate payments to the third party and instead contemplated making payments to an escrow account during the course of the investigation. In sentencing remarks following the parent company’s guilty plea to an offence under section 7 of the UK Bribery Act, the judge called this a ‘cynical commercial decision by the company to hedge its bets’ in a way that would allow it to pay overdue sums to the third party if the investigation concluded and avoid potential civil liability.
In addition to addressing specific issues identified in an investigation, companies may, in some circumstances, consider undertaking a broader proactive review of third party relationships that raise similar risks. For example, in their settlements with Airbus in January 2020, the UK and French authorities noted favourably the company’s decision to freeze payments to all sales intermediaries shortly after discovering suspected bribery concerns during an internal review. The judgment approving the UK DPA stated, for example, that the ‘steps taken prevented some substantial corrupt payments being made’ and that this was a mitigating factor that counted in favour of Airbus being granted a DPA. Similarly, in 2018, in assessing Vantage Drilling’s remedial actions, the SEC credited the company for ‘undertaking a review of all of its relationships with joint venture partners, agents, custom brokers, and freight forwarders.’ This may be a particularly useful action if a company’s internal investigation or root cause analysis has identified systemic issues with its internal controls.
The expectations of international enforcement authorities have to be weighed against the business challenges associated with taking remedial action against third parties. Those challenges can be particularly acute in Africa, where the business environment places a premium on relationships and collaboration, and terminating a particular third party may cause considerable operational disruption and loss of goodwill in a community. Moreover, many businesses in Africa face significant issues of physical security, geographical and operational isolation, and capacity constraints, meaning that finding qualified partners or vendors as replacements can be exceedingly difficult. In many markets where we have assisted clients, we find that the pool of operationally qualified suppliers is thin and dealing with politically exposed persons is unavoidable. In many situations, alternative partners may raise the same, or more significant, compliance issues.
In light of the foregoing factors, there may be a broader range of circumstances in Africa in which companies may seek to rehabilitate third parties that have fallen short of their compliance standards – for example, by conducting remedial training, enhanced monitoring or requiring the third party to implement and demonstrate remedial measures similar to those outlined in this article. That said, there will often be circumstances in which termination is the only suitable option for a compliance-minded company. As a result, it is important for companies to consider and plan for any operational disruption or difficulty identifying replacements in the event it decides to terminate a relationship with a third party. This means taking proactive steps to regularly try to identify other potential third parties or having contingency plans for slowing or halting business for a period until supply lines or operations can be shored up in the event a relationship with a third party is paused or terminated. While some of these actions may come across as extreme, international enforcement authorities and other stakeholders (eg, external auditors and lenders) may not consider it acceptable for a company to continue to engage with a third party after it suspects or is aware of misconduct involving that third party.
It bears mentioning that the process of halting or terminating a relationship with a third party is rarely straightforward from a legal perspective. Indeed, we have seen third parties that paid bribes threaten to bring civil lawsuits against companies for terminating contracts with them after the bribery came to light, thus raising the possibility of public proceedings with the potential to cause reputational damage and attract interest from enforcement authorities. To ensure that they are adequately prepared in this regard, companies are well-advised to include robust compliance provisions in contracts with higher-risk third parties, specifically addressing what happens in the event that the company identifies compliance issues with the third party. This may include not only provisions requiring third parties to comply with applicable laws and supplier codes of conduct, but audit and cooperation provisions and clear rights to withhold payments in the event that credible allegations of misconduct arise and to terminate the contract if those allegations are ultimately substantiated.
Finally, companies should be mindful that executing payment freezes and terminating and blocking suppliers is often a complex process that requires significant coordination with personnel across a range of business functions and a detailed understanding of how the supplier has been paid in the past. In our experience, payment freezes may require highly manual interventions in a company’s accounts payable systems. Moreover, in executing a directive to block a supplier from further business, compliance professionals should be mindful of the risk that the supplier may return in a different corporate form.
Making enhancements to internal controls
While a detailed discussion of potential accounting and other internal control enhancements is beyond the scope of this chapter, internal controls are a common focus area for international enforcement authorities and are frequently an area where companies need to focus remediation efforts. The specific types of control enhancements called for in a particular investigation will be fact-dependent. Accordingly, investigators and compliance professionals should be focused on questions such as how funds were generated for any illicit transfers of value and the controls in place with respect to the specific transactions at issue. Based on common corruption schemes we have observed in Africa, this can mean enhancements to controls relating to third party due diligence and monitoring, procurement (particularly where local content requirements apply), commission payments and success fees, cash payments, travel and entertainment expenses and documentary support for expenses. When assessing control deficiencies, companies should be mindful of whether there are broader impediments to a robust control environment, such as limitations with accounting systems or resource constraints. It is also important that this type of exercise address the feasibility of control enhancements and potential implementation challenges, recognising that impractical or poorly implemented controls can lead to efforts to evade the very controls put in place as part of a remediation effort. Finally, as noted above, international enforcement authorities will focus on whether enhanced controls have been tested, meaning that companies should consider implementing or increasing the frequency of audits and control testing exercises to ensure that enhanced controls are functioning as intended.
Making enhancements to the compliance function
In our experience, one of the most important steps that a company can take to demonstrate its commitment to addressing root cause problems and preventing future misconduct from occurring is to make enhancements to its compliance function. While a full discussion of optimal compliance programme structure and resourcing is beyond the scope of this chapter, as part of remediation exercises, companies should consider questions such as those set forth in DOJ guidance, including whether compliance personnel have sufficient stature and autonomy in the relevant business organisation. A key question to ask as part of a root cause analysis is whether compliance personnel had a ‘seat at the table’ in any compliance-related decisions (eg, whether to on-board a high risk third party) that led to the issues to be remediated. Depending on the circumstances of the investigation, companies may also need to consider revamping and upgrading their mechanisms for reporting potential misconduct (eg, making compliance hotlines more accessible).
Companies should likewise consider whether they need to commit additional resources to the compliance or other control functions. Companies need to assess whether strained compliance resources were a root cause of the misconduct and whether additional headcount would help to address manifested risks. Like other remedial measures, regulators often credit companies for adding compliance headcount, as was the case in the Kinross Gold enforcement action. While we understand the budget constraints that many companies face, enforcement authorities frequently credit companies for making financial investments in their compliance departments, particularly where such investments may mean sacrificing other expenses to increase compliance resources. For example, the SEC highlighted that Vantage Drilling committed additional resources to its compliance and internal audit functions at a time when the company had ‘reduced its overall expenses.’ Similarly, the ‘significant financial investment’ incurred by Airbus in relation to improvements to its compliance programme was acknowledged in its UK DPA as one of the key remedial steps taken by the company.
Conducting remedial training and making enhancements to regular training programmes
Improving, updating and expanding training on core risk areas identified during an investigation is another important step that companies should consider taking to address the root causes of misconduct. This includes delivering regular, tailored, face-to-face trainings on relevant anti-corruption-related laws to senior executives, the board of directors, audit personnel, employees and select third parties who may have touchpoints or interactions with government officials. Updating trainings to include real-world case studies and hypotheticals that teach employees and select third parties how to identify and handle manifested risks equips those on the frontlines with the tools they need to navigate risks and prevent the company from making the same mistakes again. Our experience conducting trainings on the ground in Africa has also emphasised the importance of training sessions as a valuable opportunity to hear from frontline employees about the compliance challenges that they are facing and receive feedback on the effectiveness of the company’s compliance programme more generally. Not surprisingly, international enforcement authorities also view training as a key tool that companies can use to address manifested risks and combat corruption. The DOJ credited Société Générale and Kinross Gold for initiating or enhancing their training efforts, including by delivering routine in-person training and targeting training for senior executives in the government-relations department. The introduction of improved compliance training was also cited as a mitigating factor in the judgments approving the UK DPAs with Airbus and Rolls-Royce.
 Benjamin Haley, Mark Finucane, Sarah Crowder, and Chiz Nwonkonkor, Conducting Effective Internal Investigations in Africa, GIR Insight Europe, the Middle East and Africa Investigations Review, 40 (2019), https://www.cov.com/-/media/files/corporate/publications/2019/06/overview-investigations-in-africa.pdf.
 U.S. Dep’t of Justice, Justice Manual § 9-47.120 — FCPA Corporate Enforcement Policy, https://www.justice.gov/jm/jm-9-47000-foreign-corrupt-practices-act-1977.
 ISO 37001, Anti-bribery management systems — Requirements with guidance for use (2016).
 Assistant Attorney General of the United States, Memorandum re Selection of Monitors in Criminal Division Matters (Oct. 11, 2018), https://dlbjbjzgnk95t.cloudfront.net/1091000/1091818/selection_of_monitors_in_criminal_division_matters_memo_0.pdf.
 U.S. Dep’t of Justice, Evaluation of a Corporate Compliance Program, 16, https://www.justice.gov/criminal-fraud/page/file/937501/download; See also ISO 37001, Anti-bribery management systems — Requirements with guidance for use, 21 (‘When a nonconformity occurs, the organization shall evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere by: reviewing the nonconformity; determining the causes of the nonconformity; [and] determining if similar nonconformities exists, or could potentially occur.’)
 In the Matter of General Cable Corporation, Order Instituting Cease-And-Desist Proceedings, 6 (Dec. 29, 2016).
 Id. at 2. See also, e.g., In the Matter of Kinross Gold Corporation, Order Instituting Cease-and-Desist Proceedings, 5-6 (March 26, 2018) (finding that despite Kinross taking steps to enhance its internal accounting controls in the areas of procurement and payment of goods and services to prevent violations of the FCPA, on at least two occasions, Kinross failed to maintain these internal accounting controls, including by awarding a $50 million, three-year logistical support contract to a company preferred by a Mauritanian government official, against the recommendations of Kinross regional management in West Africa and in violation of Kinross’s internal accounting controls).
 Assistant Attorney General of the United States, Memorandum re Selection of Monitors in Criminal Division Matters (Oct. 11, 2018), https://dlbjbjzgnk95t.cloudfront.net/1091000/1091818/selection_of_monitors_in_criminal_division_matters_memo_0.pdf.
 U.S. Dep’t of Justice, Evaluation of a Corporate Compliance Program, 16 (quoting Justice Manual § 9-47-120(2)(c)); see also UK Sentencing Council, Fraud, Bribery and Money Laundering Offences: Definitive Guideline, 50 (including ‘Offending committed under previous director(s)/manager(s)’ among a list of mitigating factors for corporate fraud, bribery and money laundering offences).
 United States v. Société Générale SA, Deferred Prosecution Agreement, 5 (June 5, 2018); In the Matter of Kinross Gold Corporation, Order Instituting Cease-and-Desist Proceedings, 7.
 Serious Fraud Office v. Airbus SE, Deferred Prosecution Agreement, Approved Judgment of Dame Victoria Sharp, para. 76–78 (Jan. 31, 2020).
 United States v. Telefonaktiebolaget LM Ericsson, Deferred Prosecution Agreement, 4 (Nov. 26, 2019).
 General Cable Corporation Criminal Investigation, Non-Prosecution Agreement, 2 (Dec. 22, 2016).
 U.S. Dep’t of Justice, Evaluation of a Corporate Compliance Program, 16.
 Id. at 12.
 Id. at 5.
 Id. at 12.
 General Cable Corporation Criminal Investigation, Non-Prosecution Agreement, 2.
 In the Matter of Kinross Gold Corporation, Order Instituting Cease-and-Desist Proceedings, 7.
 Fresenius Medical Care AG & Co. KGaA, Non-Prosecution Agreement, 2 (Feb. 25, 2019).
 Serious Fraud Office v Sweett Group plc (unreported) (Feb. 19, 2016).
 Serious Fraud Office v. Airbus SE, Deferred Prosecution Agreement, Approved Judgment of Dame Victoria Sharp, para. 70; see also French Nat’l Fin. Prosecutor’s Office v. Airbus SE, Judicial Public Interest Agreement, 21 (Jan. 29, 2020) (listing as a mitigating factor in favour of Airbus: ‘the implementation [by Airbus] of corrective compliance measures designed to prevent reoccurrence of the conduct at the very start of the investigation’).
 In the Matter of Vantage Drilling International, Order Instituting Cease-and-Desist Proceedings, 7 (Nov. 19, 2018).
 U.S. Dep’t of Justice, Evaluation of a Corporate Compliance Program, 16.
 Conducting Effective Internal Investigations in Africa, GIR Insight Europe, the Middle East and Africa Investigations Review, 46 (2019).
 See, e.g., Fresenius Medical Care AG & Co. KGaA, Non-Prosecution Agreement, 2 (finding that Fresenius, through its agents and employees, made improper payments totaling approximately $30 million to publicly-employed health and government officials in order to obtain or retain business in eight countries in West Africa and other countries around the world, while also crediting the company for ‘adopting heightened controls on the selection and use of third parties, to include third party due diligence’).
 See, e.g., In the Matter of Halliburton Company and Jeannot Lorenz, Order Instituting Cease-And-Desist Proceedings, 4-5 (July 27, 2017) (finding that Halliburton: (1) entered into two contracts with a local Angolan company to satisfy local content requirements and curry favour with senior Angolan government officials, not for the stated scope of work set forth in the contract; and (2) violated its internal accounting controls by entering into ‘interim consulting agreement without either seeking competitive bids or providing an adequate single source justification’ and failing to get the contract ‘reviewed and approved by a Tender Review Committee’).
 See, e.g., General Cable Corporation Criminal Investigation, Non-Prosecution Agreement, A-3–A-5 (finding that in Angola, from 2003 to 2013, General Cable’s subsidiaries made improper payments in the form of sales commissions either directly to employees of state-owned enterprises in Angola or to a third-party agent knowing that the agent would pass a portion of those payments to officials at state-owned enterprises).
 See, e.g., In the Matter of Kinross Gold Corporation, Order Instituting Cease-and-Desist Proceedings, 2 (‘Kinross paid vendors and consultants, often in connection with government interactions, without reasonable assurances that transactions were consistent with their stated purpose or the prohibition against making improper payments to government officials. For certain of these transactions, the company used petty cash to pay consultants which it then failed to accurately and fairly describe in its books and records.’ The SEC credited Kinross for ‘institut[ing] more formalized controls over the use, documentation, and approval of petty cash.’)
 See, e.g., General Cable Corporation Criminal Investigation, Non-Prosecution Agreement, 2 (crediting General Cable for ‘issuing, and providing training on, business amenities policies specific to certain countries’).
 See, e.g., United States v. Telefonaktiebolaget LM Ericsson, Deferred Prosecution Agreement, 4 (finding that the company ‘had inadequate anti-corruption controls and an inadequate anti-corruption compliance program during the period of conduct,’ which included failures by the company to maintain adequate documentation of and accounting of payments to agents and consultants); In the Matter of Layne Christensen, Order Instituting Cease-And-Desist Proceedings, 5 (Oct. 27, 2014) (finding that ‘[w]ithout providing any supporting documentation, the . . . CFO [of the company’s second-largest business division] sent an email to Layne Christensen’s corporate office seeking an urgent transfer of funds[,]’ and ‘[d]espite the lack of documentation or a justification for the transfer, Layne Christensen wired more than $200,000 from a U.S. bank account to [its wholly-owned subsidiary’s] local bank account on the same day’).
 See, e.g., In the Matter of Kinross Gold Corporation, Order Instituting Cease-and-Desist Proceedings, 3 (noting that Kinross’s ‘internal audit group faulted the Enterprise Resource Planning . . . accounting and disbursements system, which did not include ‘much detail on the nature of disbursements’ thus making it ‘not possible’ to identify suspect payments such as excessive rebates and discounts, advance payments, government commissions and unjustified business expenses’).
 In the Matter of Kinross Gold Corporation, Order Instituting Cease-and-Desist Proceedings, 7.
 In the Matter of Vantage Drilling International, Order Instituting Cease-and-Desist Proceedings, 7.
 Serious Fraud Office v. Airbus SE, Deferred Prosecution Agreement, 5.
 United States v. Société Générale SA, Deferred Prosecution Agreement, C-5 (explaining that the company ‘enhanc[ed] anti-corruption training for all management and relevant employees’); In the Matter of Kinross Gold Corporation, Order Instituting Cease-and-Desist Proceedings, 7 (‘Kinross [took] steps to improve training of its senior decision-makers, especially in the government-relations department, to recognize the corruption risks in hiring a consultant to work as a liaison.’).
 Serious Fraud Office v. Airbus SE, Deferred Prosecution Agreement, Approved Judgment of Dame Victoria Sharp, para. 80; Serious Fraud Office v. Rolls-Royce plc and Rolls-Royce Energy Sys. Inc., Deferred Prosecution Agreement, Approved Judgment of The Rt. Hon. Sir Brian Leveson, 44 (Jan. 17, 2017).