Business leaders and their companies continue to face an array of enforcement risks in 2014. To help mitigate risk, businesses can, first, stay abreast of government enforcement priorities; second, take reasonable and efficient steps to police their own activities so as to contain potential enforcement issues; and third, when presented with such issues, take swift action to obtain the relevant facts.

Past is prologue as to government enforcement priorities, but recognition that developing events can overtake them is important. For example, LIBOR and other rate-setting benchmarks existed in plain view for a considerable time. However, when these processes came under close scrutiny, a major international enforcement effort ensued. The same may be happening now as to the use of currency exchange rates. But even when new enforcement priorities such as these do arise, the enforcement machine also continues predictably grinding forward based on past priorities.

Thus, a company needs to be on the lookout for indications of issues under ongoing enforcement programs and for signs of major issues that could attract new enforcement interest. Both are critical components of a sound and comprehensive risk-management program.


Health care, manufacturing and energy sectors are likely targets of federal enforcement efforts going forward, especially in their international operations. Banking and financial services can expect continued attention as well, with both domestic and some aspects of international operations on the enforcement radar. Specific high-risk topics of government interest include fraud in the health care industry, environmental and anticorruption efforts in the energy and manufacturing sectors and regulatory compliance in the financial industry. Also expected to be pursued vigorously will be those cases in which knowledge and intent are sufficient to establish that criminal violations have occurred..

Addressing in a coordinated fashion congressional developments, which can drive enforcement officials’ conduct, is also an important element of overall legal risk management.

Foreign Corrupt Practices Act (FCPA) risk management presents a continuing challenge. In addition, the potential for changes in enforcement priorities arising from changes in leadership in the U.S. Department of Justice Criminal Division and its FCPA unit merits continued attention. Further, as U.S. companies increase international acquisitions, the potential to incur significant liabilities for noncompliant practices carried forward is a very real risk. Given the limitations of preacquisition due diligence, conducting detailed postacquisition examinations designed to discover and correct any FCPA issues acquired is an essential risk-management tool.

Aggressive enforcement continues to present high risk to banks and others in the financial services industry. According to the Committee on Capital Markets Regu­lation, some $43.4 billion in fines, penalties and civil recoveries were obtained through government enforcement in the financial sector in 2013. Recent government actions using the Financial Institutions Reform, Recovery and Enforcement Act — the 1989 law enacted in the wake of the savings and loan scandals — meant to protect banks from outside wrongdoing, to instead penalizing them for alleged internal transgressions portends aggressive use of existing law in the financial sector.

Banks generally employ some of the most extensive compliance programs in the corporate world designed to deter and to self-detect compliance risks. But the effectiveness of any such program in heading off significant enforcement problems is dependent on spotting those problems in the cacophony of more run-of-the-mill compliance issues and elevating them to an appropriate level of attention and response.

In the health care sector, the government in 2013 recovered about $2.6 billion in civil penalties for fraud against the government. That recovery was complemented by the proceeds of increased cooperation within the DOJ among civil and criminal enforcement authorities, resulting in another $1.3 billion in health care industry criminal fines and penalties. With waste, fraud and abuse in the health care industry being both an enforcement and a political target, companies in the segment can expect to face a continued need to self-assess and manage enforcement risk.

In the energy sector, the Deepwater Horizon incident shows that, although accidents happen in intrinsically dangerous operations, the fallout from the corporate response required by such incidents can be as — if not more — catastrophic than the event itself. The multifaceted response such incidents demand and the legal risks each carries point up a need for intense response coordination.

Cutting across all business sectors are the challenges presented by cybersecurity. Managing the considerable risks arising from cyberintrusions requires both the same type of internal vigilance and timely interaction with the government that characterizes the management of many compliance issues and incidents. Damage to reputation and loss of customer or client confidence are consequences that demand attention even as that given to potential legal liabilities remains undiminished.

Assessments to determine if internal reporting mechanisms are operating effectively are valuable exercises. Equally important is getting full facts about a particular issue or incident that arise, since the matter cannot be properly assessed and addressed without a well-developed factual understanding.

That means that using internal inquiries or investigations more rather than less can enhance effective management of enforcement risks.

George J. Terwilliger III is a partner at Morgan, Lewis & Bockius and co-chairs the firm’s white -collar litigation and government -investigations practice. He served in the U.S. Department of Justice for 15 years, where he was deputy attorney general, a U.S. attorney in two administrations and an assistant U.S. attorney.