Last month, Guidepost Solutions wrote about how the Justice Department and the Securities and Exchange Commission jointly released comprehensive FCPA guidance, A Resource Guide to the Foreign Corrupt Practices Act (“Guidance”). The Guidance provides insight into what the Government believes are best practices that companies should follow when implementing compliance programs of all types, including statements about the Government’s expectations for due diligence and for the continual improvement of compliance programs. The Guidance should be required reading for compliance officers of all types, not only for those who manage an FCPA portfolio.
Below are some key points from the Guidance that compliance officers should keep in mind when creating and implementing company compliance programs.
1. The Government expects that compliance programs are not simply created and then left alone, but that they are implemented effectively and monitored going forward.
Companies cannot rely on creating a compliance program in name only, simply to “check the box” on the list of regulations they need to follow, and expect that the government will view that as making a good faith effort at compliance. Organizations must make a genuine effort at establishing an effective program that is headed by an executive with enough authority to make sure that procedures are followed and that the program is monitored in the future. Page 67 of the Guidance addresses this point. Although the language is focused on the structure of a program, it makes clear that oversight and effective implementation are a core part of a compliance program, from the government’s point of view:
“In appraising a compliance program, DOJ and SEC also consider whether a company has assigned responsibility for the oversight and implementation of a company’s compliance program to one or more specific senior executives within an organization. Those individuals must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively.”
2. The Government gives more credence to companies that adhere to a risk-based approach to compliance, not a one-size-fits-all program.
The Guidance provides additional confirmation that the Government wants company compliance resources to be expended intelligently, using a risk-based approach. This approach involves conducting a comprehensive review of a company’s specific market and the geographic locations where business is conducted, as well as a realistic assessment of the types of violations for which the company is most at risk. This method has the added benefit of helping to avoid wasting capital and resources where they are not needed. A simple “cookie-cutter” approach to any type of compliance program is neither effective nor looked upon favorably by the government. Page 68 of the Guidance, titled “Risk Assessment,” details how the government gives more credit to companies who follow the recommended risk-based approach:
“Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program. One-size-fits-all compliance programs are generally ill-conceived and ineffective because resources inevitably are spread too thin, with too much focus on low-risk markets and transactions to the detriment of high-risk areas. Devoting a disproportionate amount of time policing modest entertainment and gift-giving instead of focusing on large government bids, questionable payments to third-party consultants, or excessive discounts to resellers and distributors may indicate that a company’s compliance program is ineffective. A $50 million contract with a government agency in a high-risk country warrants greater scrutiny than modest and routine gifts and entertainment. Similarly, performing identical due diligence on all third-party agents, irrespective of risk factors, is often counterproductive, diverting attention and resources away from those third parties that pose the most significant risks. DOJ and SEC will give meaningful credit to a company that implements in good faith a comprehensive, risk-based compliance program, even if that program does not prevent an infraction in a low risk area because greater attention and resources had been devoted to a higher risk area. Conversely, a company that fails to prevent an FCPA violation on an economically significant, high-risk transaction because it failed to perform a level of due diligence commensurate with the size and risk of the transaction is likely to receive reduced credit based on the quality and effectiveness of its compliance program.
“As a company’s risk for FCPA violations increases, that business should consider increasing its compliance procedures, including due diligence and periodic internal audits. The degree of appropriate due diligence is fact-specific and should vary based on industry, country, size, and nature of the transaction, and the method and amount of third-party compensation. Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs. When assessing a company’s compliance program, DOJ and SEC take into account whether and to what degree a company analyzes and addresses the particular risks it faces.”
3. The Government expects a company’s executive management team to set the tone for compliance at the top of the organization.
Clear management articulation of standards is a requirement for effective compliance programs, according to the Government. Compliance must start at the top, in order to be effective throughout the organization’s hierarchy. The executive team must lead by example to ensure that compliance program protocols and procedures are followed by employees below them. Page 66 highlights this point:
“Compliance with the FCPA and ethical rules must start at the top. DOJ and SEC thus evaluate whether senior management has clearly articulated company standards, communicated them in unambiguous terms, adhered to them scrupulously, and disseminated them throughout the organization.”
4. The Government expects that companies continually reevaluate their compliance programs and make process improvements based on assessments of strengths and weaknesses.
A compliance program should involve having a flexible plan that can be modified and improved when company circumstances change and when weaknesses are discovered. A truly effective compliance program that is implemented in good faith is one that is continually monitored and is changed when necessary. Conducting periodic strategic initiatives reviews and acting on the findings is one practical way that a diligent compliance officer can ensure they are monitoring and improving their program. Page 71 of the Guidance explains this point and lays out some additional examples of how companies can test and improve their programs:
“In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale. According to one survey, 64% of general counsel whose companies are subject to the FCPA say there is room for improvement in their FCPA training and compliance programs. An organization should take the time to review and test its controls, and it should think critically about its potential weaknesses and risk areas. For example, some companies have undertaken employee surveys to measure their compliance culture and strength of internal controls, identify best practices, and detect new risk areas. Other companies periodically test their internal controls with targeted audits to make certain that controls on paper are working in practice.”
5. With regard to training, the Government is open to a mix of both in-person and web-based training. The Government also recommends targeted training based on an employee’s expertise and role within an organization.
In the past, there was a widely held belief that the government strongly preferred in-person training (particularly for FCPA training). The language in the recent Guidance suggests that the Government is becoming more open to modern forms of training that make use of technology. This point, and the suggestion that training be targeted to specific departments and employee types within a company, are both outlined on page 68:
“Many larger companies have implemented a mix of web-based and in-person training conducted at varying intervals. Such training typically covers company policies and procedures, instruction on applicable laws, practical advice to address real-life scenarios, and case studies. Regardless of how a company chooses to conduct its training, however, the information should be presented in a manner appropriate for the targeted audience, including providing training and training materials in the local language. For example, companies may want to consider providing different types of training to their sales personnel and accounting personnel with hypotheticals or sample situations that are similar to the situations they might encounter. In addition to the existence and scope of a company’s training program, a company should develop appropriate measures, depending on the size and sophistication of the particular company, to provide guidance and advice on complying with the company’s ethics and compliance program, including when such advice is needed urgently. Such measures will help ensure that the compliance program is understood and followed appropriately at all levels of the company.”
Creating and implementing an effective compliance program requires conscientious effort and diligent follow-up, regardless of the specific focus of the program. Guidepost Solutions’s team of compliance experts can advise companies on how to properly and professionally put a compliance plan into action and conduct reviews to improve it down the road.
Julie Myers Wood is chief executive officer for Guidepost Solutions LLC. She focuses on regulatory compliance and investigative work with significant experience as an independent monitor. Julie can be reached at firstname.lastname@example.org.