Hallmarks of Effective Compliance Programs

Individual companies may have different compliance needs depending on their size and the particular risks associated with their businesses, among other factors. When it comes to compliance, there is no one-size-fits-all program. Thus, the discussion below is meant to provide insight into the aspects of compliance programs that DOJ and SEC assess, recognizing that companies may consider a variety of factors when making their own determination of what is appropriate for their specific business needs. Indeed, small- and medium-size enterprises likely will have different compliance programs from large multi-national corporations, a fact DOJ and SEC take into account when evaluating companies’ compliance programs.

Compliance programs that employ a “check-the-box” approach may be inefficient and, more importantly, ineffective. Because each compliance program should be tailored to an organization’s specific needs, risks, and challenges, the information provided below should not be considered a substitute for a company’s own assessment of the corporate compliance program most appropriate for that particular business organization. In the end, if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company generally to prevent violations, detect those that do occur, and remediate them promptly and appropriately.

1. Commitment from Senior Management and a Clearly Articulated Policy against Corruption

Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company. Managers and employees take their cues from these corporate leaders. Thus, DOJ and SEC consider the commitment of corporate leaders to a “culture of compliance” and look to see if this high-level commitment is also reinforced and implemented by middle managers and employees at all levels of a business. A well-designed compliance program that is not enforced in good faith, such as when corporate management explicitly or implicitly encourages employees to engage in misconduct to achieve business objectives, will be ineffective. DOJ and SEC have often encountered companies with compliance programs that are strong on paper but that nevertheless have significant FCPA violations because management has failed to effectively implement the program even in the face of obvious signs of corruption. This may be the result of aggressive sales staff preventing compliance personnel from doing their jobs effectively and of senior management, more concerned with securing a valuable business opportunity than enforcing a culture of compliance, siding with the sales team. The higher the financial stakes of the transaction, the greater the temptation for management to choose profit over compliance.

A strong ethical culture directly supports a strong compliance program. By adhering to ethical standards, senior managers will inspire middle managers to reinforce those standards. Compliant middle managers, in turn, will encourage employees to strive to attain those standards throughout the organizational structure.312

In short, compliance with the FCPA and ethical rules must start at the top. DOJ and SEC thus evaluate whether senior management has clearly articulated company standards, communicated them in unambiguous terms, adhered to them scrupulously, and disseminated them throughout the organization.

2. Code of Conduct and Compliance Policies and Procedures

A company’s code of conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted in its charging documents, the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf. Indeed, it would be difficult to effectively implement a compliance program if it were not available in the local language so that employees in foreign subsidiaries can access and understand it. When assessing a compliance program, DOJ and SEC will review whether the company has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code.

Whether a company has policies and procedures that outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures will also be considered by DOJ and SEC. These types of policies and procedures will depend on the size and nature of the business and the risks associated with the business. Effective policies and procedures require an in-depth understanding of the company’s business model, including its products and services, third-party agents, customers, government interactions, and industry and geographic risks. The risks that a company may need to address include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments. For example, some companies with global operations have created web-based approval processes to review and approve routine gifts, travel, and entertainment involving foreign officials and private customers with clear monetary limits and annual limitations. Many of these systems have built-in flexibility so that senior management, or in-house legal counsel, can be apprised of and, in appropriate circumstances, approve unique requests. These types of systems can be a good way to conserve corporate resources while, if properly implemented, preventing and detecting potential FCPA violations.

Regardless of the specific policies and procedures implemented, these standards should apply to personnel at all levels of the company.

3. Oversight, Autonomy, and Resources

In appraising a compliance program, DOJ and SEC also consider whether a company has assigned responsibility for the oversight and implementation of a company’s compliance program to one or more specific senior executives within an organization.313 Those individuals must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively.314 Adequate autonomy generally includes direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).315 Depending on the size and structure of an organization, it may be appropriate for day-to-day operational responsibility to be delegated to other specific individuals within a company.316 DOJ and SEC recognize that the reporting structure will depend on the size and complexity of an organization. Moreover, the amount of resources devoted to compliance will depend on the company’s size, complexity, industry, geographical reach, and risks associated with the business. In assessing whether a company has reasonable internal controls, DOJ and SEC typically consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.

4. Risk Assessment

Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.317 One-size-fits-all compliance programs are generally ill-conceived and ineffective because resources inevitably are spread too thin, with too much focus on low-risk markets and transactions to the detriment of high-risk areas. Devoting a disproportionate amount of time policing modest entertainment and gift-giving instead of focusing on large government bids, questionable payments to third-party consultants, or excessive discounts to resellers and distributors may indicate that a company’s compliance program is ineffective. A $50 million contract with a government agency in a high-risk country warrants greater scrutiny than modest and routine gifts and entertainment. Similarly, performing identical due diligence on all third-party agents, irrespective of risk factors, is often counter-productive, diverting attention and resources away from those third parties that pose the most significant risks. DOJ and SEC will give meaningful credit to a company that implements in good faith a comprehensive, risk-based compliance program, even if that program does not prevent an infraction in a low-risk area because greater attention and resources had been devoted to a higher-risk area. Conversely, a company that fails to prevent an FCPA violation on an economically significant, high-risk transaction because it failed to perform a level of due diligence commensurate with the size and risk of the transaction is likely to receive reduced credit based on the quality and effectiveness of its compliance program.

As a company’s risk for FCPA violations increases, that business should consider increasing its compliance procedures, including due diligence and periodic internal audits. The degree of appropriate due diligence is fact-specific and should vary based on industry, country, size, and nature of the transaction, and the method and amount of third-party compensation. Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs. When assessing a company’s compliance program, DOJ and SEC take into account whether and to what degree a company analyzes and addresses the particular risks it faces.

5. Training and Continuing Advice

Compliance policies cannot work unless effectively communicated throughout a company. Accordingly, DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.318 For example, many larger companies have implemented a mix of web-based and in-person training conducted at varying intervals. Such training typically covers company policies and procedures, instruction on applicable laws, practical advice to address real-life scenarios, and case studies. Regardless of how a company chooses to conduct its training, however, the information should be presented in a manner appropriate for the targeted audience, including providing training and training materials in the local language. For example, companies may want to consider providing different types of training to their sales personnel and accounting personnel with hypotheticals or sample situations that are similar to the situations they might encounter. In addition to the existence and scope of a company’s training program, a company should develop appropriate measures, depending on the size and sophistication of the particular company, to provide guidance and advice on complying with the company’s ethics and compliance program, including when such advice is needed urgently. Such measures will help ensure that the compliance program is understood and followed appropriately at all levels of the company.

6. Incentives and Disciplinary Measures

In addition to evaluating the design and implementation of a compliance program throughout an organization, enforcement of that program is fundamental to its effectiveness. A compliance program should apply from the board room to the supply room—no one should be beyond its reach. DOJ and SEC will thus consider whether, when enforcing a compliance program, a company has appropriate and clear disciplinary procedures, whether those procedures are applied reliably and promptly, and whether they are commensurate with the violation. Many companies have found that publicizing disciplinary actions internally, where appropriate under local law, can have an important deterrent effect, demonstrating that unethical and unlawful actions have swift and sure consequences.

DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership. Some organizations, for example, have made adherence to compliance a significant metric for management’s bonuses so that compliance becomes an integral part of management’s everyday concern. Beyond financial incentives, some companies have highlighted compliance within their organizations by recognizing compliance professionals and internal audit staff. Others have made working in the company’s compliance organization a way to advance an employee’s career. SEC, for instance, has encouraged companies to embrace methods to incentivize ethical and lawful behavior:

[M]ake integrity, ethics and compliance part of the promotion, compensation and evaluation processes as well. For at the end of the day, the most effective way to communicate that “doing the right thing” is a priority, is to reward it. Conversely, if employees are led to believe that, when it comes to compensation and career advancement, all that counts is short-term profitability, and that cutting ethical corners is an acceptable way of getting there, they’ll perform to that measure. To cite an example from a different walk of life: a college football coach can be told that the graduation rates of his players are what matters, but he’ll know differently if the sole focus of his contract extension talks or the decision to fire him is his win-loss record.

No matter what the disciplinary scheme or potential incentives a company decides to adopt, DOJ and SEC will consider whether they are fairly and consistently applied across the organization. No executive should be above compliance, no employee below compliance, and no person within an organization deemed too valuable to be disciplined, if warranted. Rewarding good behavior and sanctioning bad behavior reinforces a culture of compliance and ethics throughout an organization.

7. Third-Party Due Diligence and Payments

DOJ’s and SEC’s FCPA enforcement actions demonstrate that third parties, including agents, consultants, and distributors, are commonly used to conceal the payment of bribes to foreign officials in international business transactions. Risk-based due diligence is particularly important with third parties and will also be considered by DOJ and SEC in assessing the effectiveness of a company’s compliance program.

Although the degree of appropriate due diligence may vary based on industry, country, size and nature of the transaction, and historical relationship with the third party, some guiding principles always apply.

First, as part of risk-based due diligence, companies should understand the qualifications and associations of their third-party partners, including their business reputation and their relationship, if any, with foreign officials. The degree of scrutiny should increase as red flags surface.

Second, companies should have an understanding of the business rationale for including the third party in the transaction. Among other things, the company should understand the role of and need for the third party and ensure that the contract terms specifically describe the services to be performed. Additional considerations include payment terms and how those payment terms compare to typical terms in that industry and country, as well as the timing of the third party’s introduction to the business. Moreover, companies may want to confirm and document that the third party is actually performing the work for which it is being paid and that its compensation is commensurate with the work being provided.

Third, companies should undertake some form of ongoing monitoring of third-party relationships. Where appropriate, this may include updating due diligence periodically, exercising audit rights, providing periodic training, and requesting annual compliance certifications by the third party.

In addition to considering a company’s due diligence on third parties, DOJ and SEC also assess whether the company has informed third parties of the company’s compliance program and commitment to ethical and lawful business practices and, where appropriate, whether it has sought assurances from third parties, through certifications and otherwise, of reciprocal commitments. These can be meaningful ways to mitigate third-party risk.

8. Confidential Reporting and Internal Investigation

An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation. Companies may employ, for example, anonymous hotlines or ombudsmen. Moreover, once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken. Companies will want to consider taking “lessons learned” from any reported violations and the outcome of any resulting investigation to update their internal controls and compliance program and focus future training on such issues, as appropriate.

9. Continuous Improvement: Periodic Testing and Review

Finally, a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and do not allow them to become stale.

According to one survey, 64% of general counsel whose companies are subject to the FCPA say there is room for improvement in their FCPA training and compliance programs. An organization should take the time to review and test its controls, and it should think critically about its potential weaknesses and risk areas. For example, some companies have undertaken employee surveys to measure their compliance culture and strength of internal controls, identify best practices, and detect new risk areas. Other companies periodically test their internal controls with targeted audits to make certain that controls on paper are working in practice. DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines. Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improvement and sustainability.

10. Mergers and Acquisitions: Pre-Acquisition Due Diligence and Post-Acquisition Integration

In the context of the FCPA, mergers and acquisitions present both risks and opportunities. A company that does not perform adequate FCPA due diligence prior to a merger or acquisition may face both legal and business risks. Perhaps most commonly, inadequate due diligence can allow a course of bribery to continue—with all the attendant harms to a business’s profitability and reputation, as well as potential civil and criminal liability.

In contrast, companies that conduct effective FCPA due diligence on their acquisition targets are able to evaluate more accurately each target’s value and negotiate for the costs of the bribery to be borne by the target. In addition, such actions demonstrate to DOJ and SEC a company’s commitment to compliance and are taken into account when evaluating any potential enforcement action. For example, DOJ and SEC declined to take enforcement action against an acquiring issuer when the issuer, among other things, uncovered the corruption at the company being acquired as part of due diligence, ensured that the corruption was voluntarily disclosed to the government, cooperated with the investigation, and incorporated the acquired company into its compliance program and internal controls. On the other hand, SEC took action against the acquired company, and DOJ took action against a subsidiary of the acquired company. When pre-acquisition due diligence is not possible, DOJ has described procedures, contained in Opinion Procedure Release No. 08-02, pursuant to which companies can nevertheless be rewarded if they choose to conduct thorough post-acquisition FCPA due diligence.

FCPA due diligence, however, is normally only a portion of the compliance process for mergers and acquisitions. DOJ and SEC evaluate whether the acquiring company promptly incorporated the acquired company into all of its internal controls, including its compliance program. Companies should consider training new employees, reevaluating third parties under company standards, and, where appropriate, conducting audits on new business units.

For example, as a result of due diligence conducted by a California-based issuer before acquiring the majority interest in a joint venture, the issuer learned of corrupt payments to obtain business. However, the issuer only implemented its internal controls “halfway” so as not to “choke the sales engine and cause a distraction for the sales guys.” As a result, the improper payments continued, and the issuer was held liable for violating the FCPA’s internal controls and books and records provisions.

11. Other Guidance on Compliance and International Best Practices

In addition to this guide, the U.S. Departments of Commerce and State have both issued publications that contain guidance regarding compliance programs. The Department of Commerce’s International Trade Administration has published Business Ethics: A Manual for Managing a Responsible Business Enterprise in Emerging Market Economies, and the Department of State has published Fighting Global Corruption: Business Risk Management.

There is also an emerging international consensus on compliance best practices, and a number of inter-governmental and non-governmental organizations have issued guidance regarding best practices for compliance. Most notably, the OECD’s 2009 Anti-Bribery Recommendation and its Annex II, Good Practice Guidance on Internal Controls, Ethics, and Compliance, published in February 2010, were drafted based on consultations with the private sector and civil society and set forth specific good practices for ensuring effective compliance programs and measures for preventing and detecting foreign bribery. In addition, businesses may wish to refer to the following resources:

     Asia-Pacific Economic Cooperation—Anti-Corruption Code of Conduct for Business;

     International Chamber of Commerce—ICC Rules on Combating Corruption;

     Transparency International—Business Principles for Countering Bribery;

     United Nations Global Compact—The Ten Principles;

     World Bank—Integrity Compliance Guidelines; and

     World Economic Forum—Partnering Against Corruption–Principles for Countering Bribery.

October 10, 2019 14:12