In 2007, the Federal Bureau of Investigation became one of the first U.S. federal agencies to establish a compliance function, quickly becoming an example for other government agencies to follow.

Turning to the private sector for inspiration and using the U.S. Sentencing Guidelines as its guide, the FBI’s first order of business was to combine its already existing ethics unit with the newly created compliance unit. At the time, the FBI’s ethics unit sat in the Office of the General Counsel, but once it was merged with compliance, then-FBI Director Robert Mueller wanted ethics and compliance to be a standalone department—and that is how the FBI’s Office of Integrity and Compliance was born.

Named as its first assistant director was Patrick Kelly, reporting directly to Mueller and then-FBI Deputy Director John Pistole. Kelly would go on to lead the program until his retirement last year, leaving a legacy in his wake.

Compliance Week recently caught up with Catherine Bruno, current assistant director of the FBI’s Office of Integrity and Compliance, to learn more about its pioneering efforts in the government sphere, how it compares to compliance programs in the private sector, and what plans it has for enhancing its ethics and compliance program going forward.

Q. What is the purpose of the Office of Integrity and Compliance?

A. We have a pretty broad purpose: We promote a culture of compliance with laws, regulations, rules, and policy, and we support the FBI’s institutional and individual reputation for integrity through advice, education, training, and collaboration on risk mitigation and ethics.

Q. How is the Office of Integrity and Compliance structured?

A. The Office of Integrity and Compliance has two separate units. Initially, it was just one unit, but we more recently split it into two. In terms of management, there is me (the assistant director) and two unit-chiefs, one for compliance and one for ethics.

The ethics unit, with a total staff of eight, focuses on individuals and what they need to do to follow the rules and the standards of ethical conduct that apply to all FBI employees. The compliance side focuses on the institution and what it must do to follow the rules, laws, and regulations that apply to the FBI as an institution.

When trying to create a culture of “doing the right thing, the right way,” if people see that the institution cares about the rules, then they will want to do the right thing. The same is true with the inverse—if people see that the institution is cutting corners, they are going to think it’s okay to cut corners when it comes to the rules that apply to them in their individual capacities, so these two units—ethics and compliance—are complementary and self-reinforcing.

Q. How are risks identified, analyzed, and mitigated within the FBI?

A. In our compliance unit, we are very focused on supporting the FBI to identify, analyze, and mitigate risks, working with all levels of the FBI. With a compliance staff of 10 people, the Office of Integrity and Compliance can’t provide advice to all 37,000 FBI employees. Instead, we use the force multiplier of the division compliance officers. Each of the 22 headquarters divisions and all of the FBI’s 56 field offices have a compliance officer. The FBI headquarters divisions oversee different programs—including our priority programs, such as counter-terrorism, counter-intelligence, and cyber—and the field offices cover a geographic region. Each compliance officer reports up the division or office’s chain of command. A member of the Office of Integrity and Compliance staff provides training and support to the compliance officer.

In addition, each division or office has a compliance committee that is chaired by the director of the division or office. The committee’s job is to select risks and report on those risks to my office, including what they’re doing to mitigate those risks. We support those divisions directly with compliance advice. Those committees meet twice a year and provide a written report to OIC detailing what risks they’ve identified and what they’re doing to mitigate those risks.

For the FBI’s highest risks—those identified at the Director’s Integrity and Compliance Council and the seven Branch Compliance Committees (led by the executive assistant directors)—the Office of Integrity and Compliance plays a more central role. Our former assistant director Pat Kelly would always say, “Compliance is the business of the business.” So once risks are identified, we look to the subject matter experts to prioritize them. We bring all the stakeholders together in one room and ask them, “How do you feel that this issue should be resolved?” We feel that the compliance process is an excellent way for people to come together and gain a full understanding from all angles on what approach to take to get a handle on the issue. Then we ensure there is organizational responsibility for the outcome—each task in a mitigation plan has an owner.

At subsequent meetings, the executives brief the director or executive assistant director on what new risks they’ve identified and what they’ve done to mitigate those previously raised. [The] OIC is active in this process, working closely to advance progress on each risk, producing the briefing books, and advising the executives on how to approach obstacles.

Q. Everything you’ve described is analogous to the lines of business in a corporate compliance function, as far as achieving an enterprise-wide view of risk. What unique challenges does the FBI’s Office of Integrity and Compliance encounter that, perhaps, a corporate compliance function does not?

A. One of the things that makes our program unique is the many authorities that we operate under and the many partners with whom we interact. So, it can be extremely challenging, at times, getting issues resolved.

Q. Corporate compliance officers often speak about the importance of tone-at-the-top and the mood-in-the-middle in the context of having a robust ethics and compliance function. How is that demonstrated at the FBI?

A. We are extremely fortunate in that regard. The Office of Integrity and Compliance has a direct reporting line to the highest levels of authority in the FBI, and that’s consistent with the federal Sentencing Guidelines in terms of how the Department of Justice evaluates compliance programs. In modeling its program after the private sector, because the FBI does not have a board of directors, we had to come up with an analogous way of doing things. To have a direct line of reporting to the top was our way of achieving that.

In terms of current management, we’re very fortunate in the sense that Director [Christopher] Wray, when he was in private practice, worked with clients in the compliance field. He understands compliance very well. He is extremely supportive of our compliance program. We feel—and I personally feel as the assistant director—that we have tremendous support at the top.

Q. In what ways does the FBI educate and communicate ethics and compliance initiatives?

A. We personally train all incoming employees within 90 days of their arrival. We also engage in special projects. This year, for example, in light of the Department of Justice’s Inspector General’s June 2018 review of various actions by the FBI and Department of Justice in advance of the 2016 election, the FBI director felt some additional training was needed on a number of matters, including some ethics issues—such as conflicts of interest. In August, we brought back all senior executives, from around the world, and trained them for a full day, at least half of which was on ethics and compliance. Then we rolled out to all our employees a special three-hour training course called “FBI Fundamentals: Doing the Right Thing, the Right Way.” That course was rolled out, for the most part, live and in-person. That was a big push that we did this year on ethics and compliance in light of that IG report.

Q. Speaking of, how does the FBI hold employees accountable in instances of misconduct?

A. Any misconduct is investigated by the Inspection Division, although we can refer matters, and we can monitor the outcome to determine if any aspect should be looked at from a compliance perspective. If there are multiple instances of misconduct, we can decide if we should monitor the issue as a compliance risk.

Q. How does the Office of Integrity and Compliance continue to grow and evolve?

A. We’re currently trying to figure out how our compliance program—the FBI’s compliance with laws, rules, regulation, and policies—can fit better into the broader umbrella of enterprise-wide risk management. That really is the next frontier for us. We’re trying to come up with some innovative ways to broaden our view of risks and to take a risk-based approach, because, from our perspective, it’s an effective way to put resources toward things that can be most helpful to the FBI.