Five Essential Elements of Corporate Compliance
A Global Template
Assessing the challenges facing multinational companies as they seek to effectively manage their corporate compliance efforts
In today's active global regulatory environment, it can be particularly challenging for multinational companies to effectively manage corporate compliance efforts. A robust and balanced corporate compliance program serves many important purposes to meet those challenges. Indeed, when programs are well-constructed and properly implemented, they can, for example, help prevent corporate directors, officers, and employees from engaging in illegal activities. They can also mitigate a wide array of other compliance and risk management challenges.
Although enforcement and regulatory guidelines around the world vary in length, tone, vigor, and language, virtually all touch upon a set of key issues that can be boiled down to five essential elements: leadership, risk assessment, standards and controls, training and communication, and oversight. These five elements serve as the organizing principles for the approach we take in counseling our clients in the area of corporate compliance. When an entity’s compliance program effectively integrates these five elements, it will likely meet the wide variety of enforcement and regulatory expectations around the world and assist the company in proactively meeting its strategic business objectives through strong risk management.
This document describes our approach and offers practical guidance for legal counsel and compliance professionals responsible for designing, establishing, and maintaining compliance standards within their companies and throughout the relevant supply and distribution chains. We collaborate with corporations and other entities as a dedicated compliance advisor by providing real world advice to assist our clients in ensuring maintenance of a best practices compliance and risk management program.
Today's Compliance Environment
Designing, building, and maintaining a strong corporate compliance program that is properly customized to help prevent corporate officers, employees, and third-party agents from engaging in illegal practices such as bribery, fraud, and embezzlement is both challenging and time-consuming. Government authorities around the world are consistently raising expectations with respect to the comprehensiveness of corporate compliance programs, expecting robust policies, procedures, and controls not only for anti-corruption, but also for trade, antitrust, data privacy, and anti-money laundering compliance (among other areas). Furthermore, today's multinational companies operate in a highly competitive environment, with thousands of employees, multiple business partners, and extensive operations throughout the world, including in emerging markets where the rules of public and commercial engagement often differ significantly from what they are used to at home.
In China, Russia, Brazil, and many other countries, foreign multinationals do much of their business with state-owned or state-operated companies, which can create concerns under the anti-corruption laws of various countries, including the prohibition against making improper payments to foreign officials, as included in the US Foreign Corrupt Practices Act (FCPA), the UK Bribery Act, the Brazil Clean Company Act, and Article 433 of the French Criminal Code. In other nations, a foreign company may find it challenging to get its products into the country without bribing customs officials.
Organizations headquartered outside the US must also be aware of the continuing trend toward increased enforcement by US, European, and South American enforcement agencies – such as the US Department of Justice (DOJ), the UK Serious Fraud Office (SFO), France’s Central Service for the Prevention of Corruption, and Brazil’s Federal Prosecutor’s Office – against companies in Europe, Asia, Africa, and Latin America. In fact, with respect to enforcement by US authorities, of the 10 largest FCPA settlements to date in terms of total assessed penalties, only two involve US companies, with the rest being foreign multinationals, a number of which had no shares or debt registered in the US.
Enforcement and Expectations
Despite the impact of globalization on the business landscape, enforcement officials are not slowing down in their pursuit of penalizing improper behavior. In fact, the increase in global anti-corruption investigations has been accompanied by the rising cost of enforcement actions, an emergence of more aggressive cross-border cooperation in multi-country government investigations, and a mounting risk of prosecution faced by individuals. In today’s environment, a Sao Paulo-based subsidiary of a US company that comes under investigation by Brazilian authorities will likely also receive a subpoena from the US government. Further, non-US (and non-UK) anti-corruption enforcement has seen a noticeable increase in recent years – a trend likely to continue as countries around the world such as France and Brazil significantly enhance their anti-bribery legislation to meet rising global expectations with respect to anti-corruption enforcement.
With the stakes so high, where should companies making compliance a top priority look to ensure that their compliance programs meet regulators' expectations? The answer to this question has become increasingly complex. The gold standard for what types of rules, protocols, communications, and oversight a company must have in place in order to meet best practice compliance program requirements used to be contained in the US Sentencing Guidelines' (USSG or Guidelines) "Seven Elements of an Effective Compliance Program," originally published in 1991. Since then, however, those guidelines have been revised numerous times and other country-specific and international standards have been added to the equation.
In November 2012, for example, the DOJ and the US Securities and Exchange Commission (SEC) jointly released their aptly titled A Resource Guide to the U.S. Foreign Corrupt Practices Act (FCPA Guide). The FCPA Guide, a must-read for US and global anti-corruption practitioners and compliance officers, addresses a wide variety of topics related to US agencies’ enforcement of the FCPA. Since its issuance, there have been several other events that shape how the DOJ and the SEC evaluate corporate compliance programs. The first of these was the DOJ’s November 2015 appointment of a full-time compliance expert to serve alongside prosecutors and provide expert guidance as the agency evaluates the effectiveness of corporate compliance programs. The hiring of this full-time compliance expert underscores the importance that the DOJ places on effective compliance programs in determining whether a company should be held liable for violating the FCPA.
Later, in April 2016, the DOJ announced a one-year “Pilot Program,” under which companies that voluntarily self-disclose and cooperate in FCPA matters could receive credit “above and beyond” any fine reduction provided under the USSG. In order to receive such credit, however, eligible companies had to engage in timely and appropriate compliance remediation. In November 2017, the DOJ converted the program into a permanent policy (FCPA Corporate Enforcement Policy) by incorporating it into the US Attorney’s Manual with a few modifications – most notably, a presumption of declination with disgorgement for companies that voluntarily disclose misconduct in FCPA matters, fully cooperate, and appropriately remediate, absent aggravating circumstances.
In February 2017, the DOJ expanded upon the compliance components of the FCPA Guide when publishing its Evaluation of Corporate Compliance Programs (Evaluation Guidance). The Evaluation Guidance, the most recent public statement by the Fraud Section demonstrating the sophistication of the DOJ’s compliance expertise, spotlights 11 key compliance program evaluation topics, with a corresponding set of “common questions” within each topic that the DOJ considers particularly relevant in assessing programs within the context of a criminal investigation.
Similarly, the global compliance landscape has evolved significantly in the past several years. In 2010, the Organization for Economic Co-operation and Development (OECD) released its "Good Practice Guidance on Internal Controls, Ethics, and Compliance." A year later, the UK Ministry of Justice published six principles for "adequate procedures" following the enactment of the UK Bribery Act. Transparency International, a leading anti-corruption organization, has also established "Nine Business Principles for Countering Bribery," and the World Economic Forum's Partnership Against Corruption Initiative has become a leading voice on the global compliance stage.
Also, notably, Brazil and France recently captured the attention of legal counsel and compliance practitioners around the world by issuing detailed guidelines and expectations for corporate compliance programs. In late 2015, Brazil’s Office of the Comptroller General (CGU) issued guidance clarifying the recommended elements of compliance programs set forth in the Clean Company Act. Likewise, in November 2016, the French National Assembly passed a Law on Transparency, the Fight against Corruption, and Modernization of Economic Life (known as the "Sapin II Law"), which imposes a new obligation on certain companies to actively manage corruption risks through the implementation of important compliance program requirements.
Prosecutors and other authorities in the US, the UK, Brazil, France, and other countries often require significant compliance program enhancements when resolving matters with companies under investigation for corruption. This adds to the long checklist of steps enforcement agencies around the world expect companies to take to deter, detect, and prevent misconduct.
Encouragingly, while these guidelines vary in length, tone, and language, they have a lot in common. They all touch upon a group of core components that are encapsulated in five essential elements: leadership, risk assessment, standards and controls, training and communication, and oversight.
If a company's corporate compliance program effectively covers these five essential elements, it will likely fulfill the wide variety of law enforcement and regulatory expectations around the world and help prevent costly prosecutions.
In the event of a government investigation, a company with a robust compliance program that encompasses these five elements is much more likely to be granted compliance credit, a reduction in penalties, and other forms of leniency that could ultimately minimize damages.
Three primary factors that prosecutors in the US and other countries consider when deciding whether to file an enforcement action include a company's decision on self-reporting, its level of cooperation, and its pre-existing compliance program.
To help companies meet the government's demands for maintaining successful compliance programs, we have distilled the various standards to five essential elements based on our extensive experience working on these matters in countries around the world. For each element, we have included specific actions that companies can take to ensure they are fulfilling the corresponding requirements.
While our primary focus in this document is in the area of anti-corruption, the five elements framework can be practically and effectively applied in other areas of your compliance program, such as trade, antitrust, data privacy, cybersecurity, and anti-money laundering.
Our subject matter experts around the globe can provide you with the detailed guidance to apply the five elements to such areas based on your company's unique risk profile.
Country-Specific Enforcement Activity
In November 2015, the DOJ announced the appointment of its first full-time compliance expert to serve alongside the Fraud Section prosecutors. This hiring was a clear indication to companies about how seriously the DOJ takes compliance. It further reinforced the DOJ’s stated mission of determining whether corporate compliance programs are simply “paper programs” or properly supported by leadership, resources, and culture.
Five months later, in April 2016, the DOJ unveiled a one-year enforcement “Pilot Program” aimed at promoting greater transparency and accountability for companies that violate the FCPA while rewarding voluntary disclosure, cooperation, and remediation efforts by companies that run afoul of the law. The Pilot Program was applicable to organizations that self-disclosed and/or cooperated in FCPA matters.
In November 2017, the DOJ amended some components of the program, as previously described in the Introduction, and made it a permanent part of the US Attorney’s Manual.
Also, in February 2017, the DOJ published its Evaluation Guidance, which represents the latest in a series of important communications by the Fraud Section outlining the DOJ’s expectations for effective corporate compliance programs. The document includes 11 key compliance program evaluation topics, with a corresponding set of “common questions” that the DOJ considers relevant in assessing compliance programs within the context of a criminal investigation.
The primary source of compliance program guidance in the UK remains the statutory six principles guidance published by the UK Government on the meaning of "adequate procedures" under the UK Bribery Act. Since the publication of that guidance the compliance community has been waiting to see what further guidance on the meaning of "adequate procedures" may arise from enforcement actions brought by the SFO.
That guidance has begun to emerge, notably through the Deferred Prosecution Agreement entered into with Rolls Royce in January 2017. When the decision was reached that it was appropriate to dispose of the matter through a Deferred Prosecution Agreement, the enhancements to Rolls Royce's compliance program were taken into account. These included many of the hallmarks that have come to be expected of effective compliance programs, including the formation of a compliance function with sufficient resources, expertise, and independence, and an overhaul of Rolls Royce's approach to the management of third-party risk. Given the strong pipeline of SFO investigations, it can be expected that further guidance will emerge in the near future.
Brazil’s Clean Company Act went into effect in January 2014. The Act establishes the civil and administrative liability for companies involved in corruption and other misconduct, such as fraud in public tenders.
In March 2015, Brazil’s president signed a decree regulating the Act, which establishes a new set of requirements and outlines the process for imposing liability on companies. The decree specifies the criteria on which compliance programs will be evaluated by the Brazilian government and provides credit for having an effective compliance program in place.
Another important aspect of the Act and its regulating decree relates to the possibility for companies to sign leniency agreements with authorities when a violation of the Act occurs. In practical terms, however, the leniency agreements provided for in the Act create some uncertainty due to the fact that multiple authorities have jurisdiction over the misconduct regulated by the Act.
In 2017, in an effort to provide more clarity around leniency agreements, the Federal Prosecutor’s Office released guidance containing 18 factors to be considered by prosecutors when negotiating these agreements.
On December 9, 2016, France reinforced its legislation to combat bribery and corruption by enacting the Sapin II Law. The main features of the Sapin II Law include the following:
- the creation of an anti-corruption agency known as the AFA (Agence Française Anticorruption) entrusted with broad powers;
- the requirement that companies meeting certain criteria implement anti-corruption compliance programs;
- the protection of whistleblowers;
- the possibility for companies to negotiate settlements called CJIPs (Conventions Judiciaires d’Intérêt Public) which are similar to the deferred prosecution agreements in the US; and
- the extension of extraterritorial reach for offenses committed outside France.
The most critical area of focus for companies is the design and implementation of compliance programs that can effectively mitigate corruption risks.
This requirement has been effective since June 1, 2017, and applies to companies with at least 500 employees (or companies belonging to a group whose parent company is headquartered in France and has at least 500 employees) and consolidated revenues in excess of 100 million euros. In November 2017, France entered into its first deferred prosecution agreement under the new anti-corruption regime.
Leadership
Effective compliance programs must be built on a solid foundation of ethics and integrity that is fully endorsed by senior management
An effective compliance program must be built on a solid foundation of ethics and integrity that is fully endorsed by senior management. But compliance standards require even more than support from the top. Companies must have high-ranking compliance officers who have the authority and resources to manage the program on a day-to-day basis.
In addition, regulators have come to expect company structures that employ a number of full-time compliance personnel and demonstrate a meaningful compliance operational presence in subsidiaries, business units, and foreign countries. The company’s compliance officers should also have the ear of those individuals ultimately responsible for corporate conduct, including members of the board of directors.
Authorities also take note of compliance expertise within board membership, and pay attention to whether the board holds executive or private sessions with compliance leadership. Also, in the event misconduct is alleged, regulators are often interested in what types of information the board and senior management examine in exercising oversight in affected areas. The US Sentencing Commission reinforced the importance of ensuring that compliance officers have direct access to the board of directors when it published amendments to the USSG in 2010. To receive a "culpability score reduction" during sentencing under the Guidelines, a company must show that its compliance officers can promptly report any matter involving criminal conduct directly to the board or appropriate board committee. Compliance officers should also report to the board on the implementation and effectiveness of the company's compliance program at least once a year.
As a best practice, we advise clients to take this component of their programs a step further. We recommend that a company's chief compliance officer, or if necessary, a designated compliance professional from the legal department, provide quarterly presentations to the board about ongoing internal investigations, general developments in anti-corruption laws and enforcement, compliance challenges the company is facing, and what is being done to address those challenges. That way, it is clear that the line of communication between the compliance function and the board is open and that both entities are committed to regular feedback and are responsive to changing risks and realities.
In addition to strong leaders and compliance personnel, a company with a stout compliance program should be able to readily point to meaningful collaboration among the various senior leaders and other company stakeholders such as business and operational managers, finance, procurement, and human resources. Ideally, the various functions should be able to demonstrate their collective commitment to fostering a culture of compliance and know how to efficiently come together and take prompt action when needed. Companies should also be prepared to explain how compliance-related resources and information are shared among company functions or departments.
Ensure board level accountability for the effectiveness of your compliance program
A key element of successful compliance programs is that the highest level of responsibility for developing and maintaining a culture of compliance ultimately rests with the board of directors. This is also where a company's trust-building originates, as the board must endorse ethical values at every level of the company in a manner that will influence behavior across reporting lines and help ensure these values reach all employees. Robust compliance programs require those responsible for the effective operations of the company to ensure that appropriate operational systems and corporate structures are in place to enable the company to operate in a compliant manner. A board of directors should therefore oversee implementation of a company's compliance program, ensure that it is effective in addressing the risks faced by the company, and provide direct supervision of those responsible for the day-to-day management of the program. The board should also become familiar with the business, know what is happening on the ground, consider how corporate values are being followed, and ensure employees feel they can speak up with any concerns they might have. Entities should reflect periodically on how often the board is updated on the compliance program, and what kind of data is shared with respect to how the program is functioning.
Emphasize “Conduct at the Top” for senior leadership
In addition to board leadership, company culture is significantly influenced by how senior leaders, through their words and actions, have either encouraged or discouraged compliance-related misconduct. In particular, authorities often focus on what concrete actions have been taken to demonstrate leadership in the company’s compliance and remediation efforts, how the company monitors the actions of leadership, and how senior leaders model proper behavior to subordinates. Senior management should promote clearly articulated standards, adhere to them in unambiguous terms, and disseminate them throughout the organization.
Conduct periodic board training and provide reports on hot topics in compliance and risk management
Corporate board members face the prospect of personal liability for failing to meet their fiduciary responsibilities in overseeing compliance policies and practices. With greater awareness of compliance issues from sources such as whistleblowers and bloggers, there comes a greater duty and expectation for board members to act. By providing regular compliance training for board members and keeping them updated on compliance and risk management trends, legal and compliance departments can help directors fulfill their compliance obligations and steer the company away from potential misconduct.
Place compliance personnel strategically, particularly in high-risk markets
Another common oversight is failing to have well-trained compliance personnel in a company's foreign offices. Maintaining a leadership structure that is too centralized will stifle efforts to foster a healthy compliance culture across all geographies and to minimize global risk. Ethical edicts issued from faraway headquarters are often ineffective without buy-in from local managers who have the training and experience to reinforce such rules. The determination of which overseas offices should have the strongest compliance presence should be made on a risk basis. Companies should build an active presence of trained compliance managers in markets with the greatest compliance risk, then expand this presence to other jurisdictions.
Make sure central compliance communicates with those in the field
Even if a company hires a number of full-time compliance personnel, one of the biggest impediments to effective compliance leadership is poor communication between a company's central compliance department and country managers working in the field. This can be a major oversight considering that country managers are often the employees in the trenches overseeing sales people and third-party agents who are selling and distributing the company's products and services. Neglecting to provide appropriate compliance training for country managers (or keep them in the corporate loop) increases the chances that efforts to establish a strong local compliance culture will fail. Especially important is providing targeted training for specific functions, such as procurement, logistics, and supply chain management, among others. Management tactics such as incorporating specific compliance requirements into annual evaluation criteria and connecting compensation to performance under these requirements can be effective for guiding employee behavior towards a greater respect for compliance. Local managers are often best situated to set the tone for compliance and to detect and address illegal or unethical practices before they become compliance issues that put the company at risk.
Leverage internal audit, finance, and other risk management functions for optimal collaboration
In order for a compliance program to be successful, it is also critical that other important company functions proactively support the compliance department in leading the way on program implementation and enhancement. Internal audit and finance are often in the best position to understand the company's financial risks and are typically on the front lines of identifying red flags. Leveraging their expertise and internal capabilities will extend the reach of compliance to those areas that are key to maintaining a successful program.
Risk Assessment
As multinationals become more dependent on global supply chains, understanding the nature and extent of business risks is now a critical first step
Although the original 1991 version of the USSG did not specifically identify the completion of a formal risk assessment as one of the seven elements of effective corporate compliance, Sarbanes-Oxley directed the US Sentencing Commission to add it to the list. This trend has continued and, importantly, the most recent public statement of the US government relating to compliance programs, the DOJ’s 2017 Evaluation Guidance, unequivocally emphasizes the importance of conducting regular risk assessments. Indeed, government officials in the US and beyond now routinely point to risk assessments as the foundation of an effective program.
As multinationals have expanded their enterprises and become more dependent on global supply chains, knowing and understanding the nature and extent of business risks has become a critical first step for implementing successful compliance programs. Enforcement authorities around the world increasingly expect multinationals to have formal processes for periodically assessing compliance risks everywhere they do business, particularly in higher-risk regions, including emerging markets in South America, Eastern Europe, and Asia.
During the risk assessment process, companies must evaluate numerous compliance issues, including the degree to which the company's employees conduct business with government officials, the company's use of third-party agents and intermediaries, the regulatory environment of the regions where the company operates, the compliance expectations of authorities in each country of operation, and the effects of any recent business developments such as joint ventures, corporate affiliations, or expansion into markets that could create additional risk. Furthermore, public companies need to remember that they have additional compliance-related controls requirements. Failure to consider these in the risk assessment process and address them may suggest larger controls issues to the SEC.
Conduct annual risk assessments
The purpose of a risk assessment is to gauge where your company's greatest compliance risks are so you can target resources in those areas and establish policies and protocols to minimize those risks. Yet it is surprising how many companies do not do this. Companies will often wait until something goes wrong before self-assessing. To avoid the inherent risks in the "wait and see" approach, we recommend that you conduct a formal risk assessment every year. Because enforcement trends, such as those involving anti-corruption, trade, antitrust, data privacy, cybersecurity, and anti-money laundering laws evolve rapidly and multinationals tend to go through significant changes within a given fiscal year, we have found this to be an optimal timeframe.
Build the risk assessment process into your compliance program
Not only should you conduct annual risk assessments, but you should try to perform them at the same time each year. To pass muster with government authorities, it will be helpful to demonstrate that your risk assessment is a regular, systemic part of your compliance efforts rather than an occasional, ad-hoc exercise cobbled together when convenient. We also suggest designating a specific group, such as your compliance team, internal audit department, or enterprise risk management team to spearhead the annual review. This will help demonstrate to the government that your risk assessment procedure is a formal corporate practice with a carefully managed oversight component.
Scrutinize new business partners and third-party agents
One of the key areas that can get companies into compliance trouble is their lack of internal controls over business partners and third-party intermediaries such as consultants, distributors, contractors, and sales agents. A very high percentage of FCPA enforcement actions involve some use of third parties. Compliance standards require companies to conduct due diligence on new business partners and third-party intermediaries. But in the rush to close deals and enter new markets, that does not always happen as thoroughly as it should. Conducting a formal risk assessment each year provides an opportunity to take a closer look at newer business relationships to make sure partners and third parties do not have improper connections to government officials or involvement in unethical, improper, or illegal conduct. In addition, when choosing a potential business partner, include in your consideration the number of third parties (such as resellers, vendors, and distributors) it uses and in what jurisdictions those parties are engaged. In addition, obtain information on how many of these third parties engaged by your business partner undergo baseline and enhanced due diligence and how many of these are rejected. Any risk that you uncover should be addressed and remediated.
Update your policies and procedures based on enforcement trends
Throughout the course of a year, government officials around the world file numerous enforcement actions against companies for all kinds of corporate misconduct. Paying attention to the specific compliance areas that the government is targeting in these enforcement actions will tell you a lot about what your program needs to focus on to stay out of the government's cross hairs. If, for example, you notice that the government has been clamping down on gift giving and hospitality in Asia and you conduct considerable business in that region, that should become a focus area for your risk assessment. Then, depending on whether your hospitality policies and procedures in Asia are in line with what the government now expects, you should make necessary changes.
Memorialize your findings in an annual report
When conducted every year, routine risk assessments should generally take four to six weeks, depending on the size of your company and your compliance resources. Once the assessment is complete, the compliance or audit team should compile its findings and recommendations in a comprehensive report to be presented to the chief compliance officer and board of directors for review and consideration of appropriate program enhancements. However, the process should not stop there. An action plan that prioritizes the recommendations from the risk assessment and assigns parties responsible for implementation should then be developed to ensure that the necessary program enhancements are implemented.
Regularly review your risk assessment process
In addition to performing periodic risk assessments, companies should examine their assessment process and determine how it can be improved. For instance, consider the role of compliance and other involved functions, scrutinize the type of data you collect during a risk assessment, and gauge the evolving risks of your business. Regularly conducting this exercise will help you target customized and proportionate enhancements to your program and, if necessary, validate for the government that you are proactively seeking to improve your compliance program and applying it across all facets of the organization.
Standards and Controls
Authorities want programs customized to the specific risks of the business
It would be challenging to find a global company today that does not have a code of business conduct — an easy-to-read summary of corporate do's and don'ts for employees. But compliance standards require that companies go much further.
Besides a flagship code of conduct, which has to address a wide range of issues such as bribery, corruption, trade, antitrust, data privacy, money laundering, conflicts of interest, and accounting practices, companies are also expected to provide clear procedures and protocols for employees and third parties to follow while acting in a manner that may implicate one or more of these subject matter areas. For instance, a code of conduct will usually expressly prohibit bribery. However, best practices now require additional standards and controls, including detailed guidelines regulating interactions of employees with government officials and robust due diligence protocols for screening third-party business partners for criminal backgrounds, financial stability, and improper associations with government agencies.
Ultimately, the purpose of establishing effective standards and controls is to demonstrate that your compliance program is more than just words on paper (often referred to as a “paper tiger”).
Authorities will require companies to show that the program is customized to the specific risks of the business, is being applied in good faith, and actually works.
Establish stringent protocols for screening business partners and third parties
In most risk assessments we perform for clients, we find gaps in the company’s third-party due diligence program. Many companies have not yet created an effective platform for screening third-party intermediaries and other business partners for previous misconduct and improper ties to the government. Some companies still give their business partners only a cursory look — a considerable oversight considering how often government investigations involve allegations of impropriety by a company’s third-party agents. Third parties should not be viewed as a means to “outsource” risks. They should instead be required to follow similar compliance standards as employees while acting on behalf of the company. To conduct proper due diligence, companies must require third parties and other business partners to complete background questionnaires detailing, among other things, their financial stability, foreign government ties, and any history of investigations. Third parties should also declare their commitment to robust corporate compliance in a signed certification form. To increase accountability, we also recommend using business sponsor forms in which employees who refer or hire third-party agents provide background information about the agents, such as the experience and attributes that qualify the agents for the role they will play as new company partners.
Conduct background checks on important business partners in high-risk markets
Risks posed by third parties vary considerably across markets. Performing background checks on third parties can be an expensive undertaking. Even so, when screening major business partners and third parties in higher-risk markets (or those acting for or on behalf of the company before government officials), it may be advisable to perform such checks to make sure they have represented themselves accurately in their paperwork. Consider hiring trained, local investigators to get an even clearer picture of whether your potential partner could become a compliance liability. If there are red flags, document them and explain how they factored into the decision whether to hire the relevant third party.
Include strict compliance covenants in your third-party contracts
Today’s best practice compliance standards also require companies to monitor the conduct of third parties and other business partners. We strongly encourage companies to integrate contractual provisions with business partners that facilitate the company's ability to do so. At a minimum, these compliance covenants should cover three core concerns: adherence to the anti-corruption laws that are of most relevance to the relationship, audit rights, and termination rights. More specifically, these provisions should require the business partner to agree not to violate relevant anti-corruption laws, to give the company the right to review the partner's books and records, and to enable the company to terminate the contract if it later determines the partner is engaged in misconduct, unethical behavior, or illegal activity.
Establish internal controls to ensure financial records are accurate
Both the FCPA and the anti-corruption laws of many other countries require companies to book transactions correctly by securing receipts and accurately recording the date and amount of the payment. To be compliant, companies should reconcile bank accounts with outgoing and incoming payments every month and inquire into any suspicious payments and missing funds that could indicate misappropriation or off-the-books transactions. Companies should pay particular attention to transactions with consultants and business development agents, customs payments, charitable giving arrangements, political contributions, cash transactions, and gifts and hospitality involving government officials.
Include compliance early in the M&A process
In some jurisdictions, there is a possibility that companies may “acquire” liability for past or continuing actions of target entities that were not earlier subject to the company’s compliance program. Companies should therefore perform careful due diligence on proposed targets prior to closing. Feedback from the compliance group can then be used to address any red flags identified and to prepare a risk mitigation plan prior to closing. The company should also utilize a post-closing compliance integration plan so the target will be assimilated into the company’s compliance program as soon as possible after closing.
Provide clear guidelines for gift giving and hospitality
Giving clients and business associates gifts, treating them to dinner, or taking them to sporting events are common business development practices. But anything too extravagant or lavish could quickly cross the line into bribery. Differences in culture and economic prosperity can make it difficult for companies to establish one-size-fits-all gift giving and hospitality guidelines for the countries where they conduct business. While paying $200 per person for a business dinner in Canada may not constitute bribery, in poorer countries such as Ethiopia or El Salvador it might. That is why it is so important to tailor hospitality policies to individual countries. Companies can do this in any number of ways, including through the use of a thresholds table listing permissible hospitality amounts based on local laws and regulations in each country where they operate, supplemented by advice from experienced local counsel.
Training and Communication
Authorities across the globe expect companies to provide training programs
One of the most important elements of a strong compliance program is properly training company directors, officers, employees, and third parties on relevant laws, regulations, corporate policies, and prohibited conduct.
Authorities across the globe have come to expect companies to provide training programs. In recent years, the rise of technology platforms such as webinars, video conferencing, and online testing has made training across business operations easier to manage and more affordable.
Regulators, however, continue to place significant emphasis on the provision of live sessions, especially for individuals working in higher-risk functions or countries.
Importantly, conducting occasional compliance training for employees is not enough. Enforcement officials want to be sure management’s compliance message gets through in a meaningful way. Thus, when determining whether a company's training program meets expectations for effectiveness, government authorities often scrutinize who a company trains, how the training was conducted, how often training occurs, and the overall effectiveness of the training. This evaluation can sometimes play a significant role in an agency’s determination of culpability in a matter involving allegations of misconduct by either employees or third parties.
Develop an annual, risk-based training plan
While designing training programs and materials, companies are expected to utilize a risk-based approach, taking into account the market and operational risks unique to their business. In order to demonstrate an understanding of such risks, authorities will want to see that your training program is properly customized and, as necessary, strategically integrates online and live components. Also, government authorities will assess whether your training plan recognizes employees and third parties performing higher-risk activities, and those who monitor higher-risk transactions, to ensure that both groups are regularly trained in a manner designed to minimize risk, identify red flags, and escalate or remediate compliance-related problems. A training plan should include a schedule for tracking when employees complete required compliance training. Tools for encouraging timely completion can include a reduction in performance scores for staff who do not complete required training and for supervisors whose staff are delinquent.
Conduct live, annual training in high-risk markets
Enforcement officials have made it clear that live, in-person training performed relatively frequently is the preferred method in high-risk markets. Therefore, merely conducting a simple five-question online anti-corruption compliance test in a country such as Russia, or performing training in China once every five years, will probably not be sufficient from a regulator’s perspective. One of the many benefits of conducting live, in-person training is that you often receive immediate feedback. During live training, employees are more likely to casually mention a potentially precarious practice, giving you the opportunity to address an impropriety before it becomes a larger problem.
Provide live compliance training for country managers
If resources permit, officers and managers in your foreign offices should receive live, in-person compliance training every year, particularly those working in your highest-risk markets. In the compliance world, anti-corruption laws, enforcement trends, and government priorities change quickly. Waiting more than a year to conduct periodic compliance training can impede awareness. If lack of resources is an issue, conducting live videoconferences or webinars with question-and-answer sessions is a good alternative. Also, involving country managers in training for local employees could help demonstrate the commitment of local management to the company’s compliance efforts.
Train the right people
When providing compliance training, it is important to prioritize which audience to educate first, particularly when you have limited resources. Besides country managers, it is imperative to focus your initial training efforts on high-risk markets and directors, officers, sales employees, and third-party intermediaries who have direct contact with government officials or deal with state-owned entities. Then expand the training around the globe and across your employee spectrum.
Develop your training to address a broad range of global issues
Some companies make the mistake of having a generic script for all compliance training that misses the practical challenges employees routinely face. Training programs typically cover the FCPA, UK Bribery Act, OECD guidelines, Brazil’s Clean Company Act, and enforcement trends in some other countries in Europe, Asia, and South America. Additionally, however, you need to focus on the specific compliance risks in the countries where employees and third parties are actually working. In China and Russia, for example, training should address the many corruption risks of dealing with state-owned entities. In Brazil and Nigeria, training should include guidance on how to handle government officials who expect facilitation fees to move business processes along more quickly. Finally, certain functions that are key to effective compliance monitoring should receive function-specific training. For example, the accounting and finance teams should receive specific training on how to identify red flags related to improper payments or that signal potentially corrupt or fraudulent activity. Furthermore, to maximize effectiveness, training should be delivered in the form and language appropriate for the intended (local) audience.
Update your training regularly
Enforcement trends and anti-corruption laws change quickly, and government officials are increasingly collaborating across borders to conduct large-scale investigations. That is why it is important to monitor what is happening around the world and incorporate those developments into your training. Feedback from past training sessions involving real-life case studies should be integrated to keep the company’s compliance messaging contemporary and relevant. In addition to specific training, changes in law or company policies should be communicated to relevant personnel as soon as feasible. Compliance is a global issue that requires corporate vigilance and constant attention. By providing timely and effective training and communication, companies can demonstrate their commitment to cultivating and supporting a strong compliance culture.
Is the workforce actually complying?
After all the ethical messages have been put in place and communicated to the appropriate audiences, the question remains whether the workforce is actually complying. Two of the seven compliance elements in the USSG call for corporations to monitor, audit, and promptly respond to allegations of misconduct. These three activities — monitoring, auditing, and responding — are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.
The importance of monitoring, auditing, and responding was reinforced in the recent Evaluation Guidance. There, the DOJ clarified that when problems arise, companies are expected to conduct a “root cause analysis” – a process of identifying systemic issues that allowed misconduct to occur and evaluating whether there were prior opportunities to deter it.
Many companies fall short on this element, often because of confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance problems in “real time,” then acting quickly to remediate them. The primary goal is to identify and address gaps in your program on a regular basis. An audit is a more limited review that targets a specific business component, region, or market sector during a particular timeframe to uncover or evaluate certain risks. Some companies assume that because they conduct audits or have a dedicated auditing team, they are effectively monitoring. This is usually not the case. A robust compliance program should include separate monitoring and auditing functions.
While unique in protocol, these two program components are often viewed as compliance "cousins" because they work in tandem. If, for example, you notice a trend of suspicious payments in recent monitoring reports from Thailand, you may decide it is the appropriate time to conduct an audit of those operations to target and further investigate the issue.
Establish a regular monitoring system to spot problems and address them
Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company's risks to detect and remediate compliance problems on a continuing basis. Ongoing, “real-time” monitoring, when effectively managed, will provide valuable insight into who a company's business partners are and the specific transactions entered into with such business partners. Monitoring complements the risk assessment and audit processes by providing additional context for the nature and scope of high-risk relationships and transactions. It facilitates ongoing visibility into these risks for the period of time between regularly scheduled risk assessments and audits. The result is that compliance personnel have the opportunity to thwart corruption and bribery attempts while in progress. This is why your compliance team should be checking in regularly with local finance departments in your foreign offices to ask whether they have noticed recent accounting irregularities. Also, as part of their corporate compliance accountability, regional business directors should be required to keep tabs on potentially improper activity in the countries they manage. Your global compliance committee or enterprise risk group should talk as often as feasible (perhaps every month, or at least on a quarterly basis) to discuss and address issues as they arise. Ongoing efforts like these will show government authorities that you are serious about compliance.
Create an internal compliance committee
Consider creating a standalone internal committee to regularly meet and review current company investigations. This committee can serve as an additional “check” that such investigations are being conducted according to company policies and with appropriate rigor. Often, companies find it helpful for legal department representatives to lead the committee — with employees from human resources, finance, and internal audit, among other relevant functions, participating as committee members.
Require country managers to complete regular compliance reports
One of the factors that US prosecutors consider when deciding whether to file an enforcement action is whether a company is applying its compliance program in good faith. The program may look good on paper, but the government wants to know, is it really working? One of the most effective ways of answering that question is being able to show prosecutors regular, periodic monitoring and auditing reports prepared by senior executives and managers across your operations.
Pay attention to what employees say during training
Training is a form of monitoring because it can alert you to potential problems based on the types of questions employees ask and their response to certain concepts. For example, during training, employees sometimes mention their interactions with government officials or gift giving practices that can raise red flags, which should quickly be addressed. The information learned from engaging with employees in this manner can assist the company in taking appropriate actions to initiate program improvements and further enhance corporate values.
Regularly test your compliance program to verify its effectiveness
Regulators expect a well-functioning compliance program to identify program weaknesses and promptly address those weaknesses. While companies typically test their financial controls, they should be mindful of testing the entire anti-corruption program, not just the financial controls system. One particularly useful method of testing is to track categories of payment methods often used by third-party agents – such as commissions – and require the compliance function to confirm that due diligence screening was successfully completed. Upon implementation of an enhanced in-person training program, periodically review hotline reports and inquiries to determine whether such reports have increased, or whether more compliance-related inquiries have been received from categories of employees who have not previously communicated with the compliance department. Conduct employee surveys to measure the compliance culture and employee knowledge and awareness of compliance practices and procedures.
Establish protocols for internal investigations and disciplinary action
Responding swiftly and effectively to compliance issues will sometimes require your company to conduct an internal investigation. All organizations should have procedures in place to make sure every investigation is thorough and authentic. The procedures should include document preservation protocols, data privacy policies, and communication systems designed to manage information and transmit it promptly to the appropriate people. The procedures should also clearly explain how to report investigation findings to all relevant functions.
Be equipped to conduct a “root cause” analysis if misconduct is identified
The DOJ’s recent Evaluation Guidance explains in detail the importance of identifying any systemic issues in your company that may have allowed underlying wrongdoing to occur in the first place. Furthermore, the Evaluation Guidance prompts companies to consider whether there were prior opportunities to detect the misconduct, and recommends that companies analyze why such opportunities were missed and implement appropriate remediation measures.
Remediate problems quickly
A key concept behind the oversight of effective corporate compliance is the idea that if companies are policing themselves for compliance-related issues, the government will not have to do it for them. That is why remediation is such an important component of oversight. For instance, if it is clear that your sales representatives in Poland are doing something potentially improper (partly because they never received adequate compliance training), remediate the deficiency by scheduling that training immediately. In the end, it is not enough to just gather information and identify compliance problems. To fulfill this essential element of compliance, you also have to repair them. Making this effort expeditiously can help show authorities that your organization is both serious and proactive with respect to remediation efforts and capabilities.