Yesterday was Father’s Day and for the sixth straight year I publish this post (with updates) as the “compliance officer” / Dad journey continues and our twin boys turned 13 this year.
Father is just one of my titles. Referee and Compliance Officer being a few others. As to the later, Co-Compliance Officer along with my wife is the more accurate title (I wonder what the “Compliance 2.0” [or are we on to 3.0 now] folks would say about this structure)?
Father’s Day is a chance to reflect and to be sure being a Dad has informed my view of many things including compliance. When you really think about, compliance and parenting have a lot in common.
There are some general legal parameters that govern the act of parenting, yet most parenting is left to the discretion of the parent subject to rather loose “reasonableness” standards. Indeed, parenting is largely a “standardless” endeavor.
The same is generally true for compliance. For example, issuers subject to the Foreign Corrupt Practices Act’s internal controls provisions have an obligation to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that,” generally speaking, corporate assets are properly used and accounted for. Beyond this, the internal controls provisions lack any explicit standards.
As the internal controls provisions specifically provide, the statutory standard is not absolute, but rather subject to a reasonableness requirement, a concept the FCPA specifically defines as “such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.” In other words, cost/benefit as well as balance are inherent in the FCPA’s internal controls provisions. Indeed, in its earliest FCPA Guidance (1981), the SEC explicitly rejected the notion that internal controls “conform to a standard of absolute exactitude or that a company’s control system meet some absolute ideal.” On this issue, the SEC stated:
“Inherent in [the reasonableness] concept is a toleration of deviations from the absolute. One measure of the reasonableness of a system relates to whether the expected benefits from improving it would be significantly greater than the anticipated costs of doing so. Thousands of dollars ordinarily should not be spent conserving hundreds.”
The SEC further stated: “The test of a company’s internal control system is not whether occasional failings can occur. Those will happen in the most ideally managed company.”
This balance inherent in the internal controls provisions has been formally acknowledged by the government on several other occasions. For instance, in a 1999 Staff Accounting Bulletin the SEC stated: “The concept of reasonableness of necessity contemplates the weighing of a number of relevant factors, including the costs of compliance.” In the 2012 FCPA Guidance, the government acknowledged:
“The term ‘reasonable detail’ is defined in the statute as the level of detail that would ‘satisfy prudent officials in the conduct of their own affairs.’ Thus, as Congress noted when it adopted this definition, ‘[t]he concept of reasonableness of necessity contemplates the weighing of a number of relevant factors, including the costs of compliance.’”
Enough of that technical legal stuff, back to parenting.
A common thought/concern I have as a Father is whether I am doing enough to provide for my family, enrich the lives of my boys, and set them on a path for success.
In short, I sometimes ponder the family’s “internal controls.” Am I acting “reasonable”? Am I acting consistent with “best practices”? Are there even “best practices” for parenting?
Pondering these questions began even before the boys were born.
I’ve never been one to turn the ordinary into the complex. For instance, people have been having children since the beginning of time. Yet upon learning we were having twins, the thought entered my mind: would it be a “best practice” to attend a birthing class? To borrow from the FCPA’s internal controls provisions, would that be “reasonable” – more specifically – is that what a “prudent” expectant father of twins would do? Upon conferring with my wife and both determining that we were acting reasonably, we did not enroll in a birthing class.
Yet here is where parenting and compliance can diverge.
If a “red flag” occurred during the pregnancy that we did not recognize (but would have recognized if we enrolled in a “best practice” birthing class) would we, as parents, lacked effective internal controls?
The good thing about parenting is that an assessment of “reasonableness” takes place in real-time and without the benefit of perfect hindsight. In the current enforcement climate however, it seems that an assessment of “reasonableness” takes place after the fact (sometimes years after the fact) when the end story is know and there will always be an opportunity to look back and say “woulda, coulda, shoulda.”
Fast forward to when the boys were toddlers. As parents, we did our best to “contain” the toddlers. Gates in the house and constant supervision when outside the house (is that “reasonable” parenting or perhaps “helicopter” parenting).
Yet, as the internal controls provisions instruct, “inherent in [the reasonableness] concept is a toleration of deviations from the absolute.” The test of a company’s internal control system is not whether occasional failings can occur. Those will happen in the most ideally managed company.”
Even in our “most ideally managed family,” there were deviations from the absolute.
One of the most dramatic occurred when staying at an out-of-state hotel. While waiting for friends in the lobby and keeping a “reasonably” watchful eye on the boys, one wandered on top of a chair, lost his balance and feel head first onto the tile floor. Blood everywhere, frantic 911 call, and a trip to emergency room in an ambulance followed. In the end, thankfully just some stitches.
Here again is where parenting and compliance diverge.
Were we bad parents because this happened? It would be easy, with the perfect benefit of hindsight, to list several things we could have and should have done differently in that brief moment of time. Yet, our actions as parents are not viewed in isolation, but rather holistically. After all, a bad outcome does not necessarily suggest bad parenting and deviations from the absolute occur in even the most ideally managed families.
Yet, when it comes to the internal controls provisions why – despite the above statutory terms and enforcement agency guidance – does conduct tend to be viewed with the perfect benefit of hindsight? Why do the enforcement agencies look at things in isolation (one transaction, one third party, one employee in one business unit) and judge the company based on that, rather than look at things holistically? Why in the compliance space are bad outcomes often viewed as bad compliance?
As the boys got older they evolved and so did our parenting. Call it “continuous improvement” and the DOJ’s “Evaluation of Corporate Compliance Programs” states: “Have there been any updates to policies and procedures in light of lessons learned? Do these updates account for risks discovered through misconduct or other problems with the compliance program?”
“Compliance Officer” / Dad reduced many of the behavioral rules to writing and properly communicated the rules during a family meeting. The executive officers of “Koehler Family Inc.” live a rule-abiding life and a few family rules were even uniquely applicable to Dad and Mom. (Insert “Top at the Top” rhetoric right here).
Yet breaches occurred. Does that mean that the family’s “internal controls” were deficient? To be sure, some would view the prior paragraph as just “check-a-box” type of stuff.
However, when breaches occurred, they were promptly addressed and remedial actions implemented. Indeed, one remedial action was requiring one of the boys to acknowledge, in writing, the existence of the breached rule and certify his obligation of future compliance. No joke!
Occasional breaches still followed and as parents we tried all sorts of rewards and incentives to induce behavior. That’s a “best practice” right? In fact, the DOJ’s Evaluation of Corporate Compliance Programs states:” Another hallmark of effective implementation of a compliance program is the establishment of incentives for compliance and disincentives for non-compliance.”
As the boys got older, that’s when chores entered into the equation and the question arose: should the boys be paid to help with the dishes, vacuum and other household tasks? The Co-Compliance Officers of Koehler Family Inc. disagreed on this, but let’s just say that if bribery is defined as offering something of value to alter behavior, we tried bribery as well, but at least we lacked corrupt intent (but perhaps there was a random e-mail or text message between the C0-Compliance Officers when viewed in isolation to suggest the contrary).
With all of these “best practices” in place, full compliance of course followed.
Does that mean that the family’s “internal controls” were deficient? After all, there are only two individuals for which the Co-Compliance Officers are responsible for.
Of course not, we were acting reasonably, and even in the most well managed family, deviations from the absolute will occur.
Yet why if occasional breaches occur in a business organization do enforcement agency officials often conclude that internal controls were deficient? Unlike the mere two individuals for which “Compliance Officer” / Dad is responsible for, business organizations are responsible for hundreds, thousands, and in some cases, tens of thousands of individuals.
As the boys grew older, parenting seemed to become more difficult as third-parties entered into the equation.
Gone were the days of 24/7 control as the boys went off to school and we ceded control to others. The birthday invites, after-school play dates, and (the grand-daddy-of-them-all) sleep over requests began to happen.
No problem right, all “Compliance Officer” / Dad needed to do was act “reasonably.”
But what is “reasonable.”?
What is the “best practice” for the appropriate level of “due diligence” on the play-date child and/or his/her parents? When visiting another child’s house, what is the “best practice” for the appropriate level of “due diligence.” Should the parents fill out a detailed questionnaire designed to flush out “red flags” (i.e. are there guns in the house, are medications properly stored)? How much due diligence is enough? Is a site visit required? Is it a “best practice” to conduct a public records search of the parents? What about others in the neighborhood if the kids will be playing outside? Would any of these purported “best practices” have negative collateral consequences for ourselves as parents or for my boys?
There are no easy answers to these questions and to borrow a compliance analogy “one size does not fit all” and different circumstances may warrant different levels of due diligence.
“Compliance Officer / Dad” found comfort that my obligation is to act reasonably, as a reasonably prudent Dad would in similar circumstances. Yet as every parent has probably contemplated, what if it turns out there was a gun in the house not properly secured and somebody was injured? What if there were medications in the house that were not properly secured and somebody was injured? With the perfect benefit of hindsight, the questionnaire and/or site visit seem so logical, indeed so “reasonable.”
Again this is where parenting and compliance diverge.
Just like parents, business organizations struggle with how much due diligence is enough. But here again, the enforcement agencies have the benefit of perfect hindsight and seemingly take the “woulda, coulda, shoulda” theory of enforcement. Sure the company did “some” due diligence on the third party, but with knowledge of the end story, the due diligence could have and should have been deeper and if so the improper conduct would have been averted.
Last year COVID presented a unique compliance challenge. I don’t recall a chapter on “Pandemic Parenting” in the manual. Was it “reasonable” for the boys to play 6+ hours of video games daily in late March 2020? After all, the term “reasonable” contemplates a variety of factors including the circumstances in which conduct occurs.
Regardless, soon my professional training kicked in including my ability to conduct a risk assessment unique to our family and situation. Let’s just say our family (living in a village of less than 1,000 people in East Central Wisconsin) has a much different risk profile than a family living in the New York City or similar metro areas.
Based on this risk profile, was it “reasonable” last year for the boys to play outside with neighborhood kids? As April 2020 turned into May 2020 and more information about COVID became available, was it “reasonable” for those neighborhood kids to play video games in our basement? As May 2020 turned into June 2020 was it “reasonable” for those neighborhood kids to sleep over at our house?
There were all sort of “experts” with opinions on this and plenty of unelected bureaucrats in Washington, D.C., Madison, WI and even our county seat with “guidance” on the issue. Was it “reasonable” to follow the guidance or were the Co-Compliance Officers capable of conducting their own risk assessment?
And then in Fall 2020, the boys went back to school (in-person) fives days a week and it stayed that way for the entire 2020-2021 school year. Some parents in the same school district opted otherwise, at least for portions of the year. Which parents made the best decision? Was one decision more “reasonable” than the other? Of course, there is no right or wrong answer to these questions and different families with different risk profiles were entitled to answer them differently.
But then again, shouldn’t different business organizations with different risk profiles be entitled to have different types of compliance policies and procedures? As highlighted in this prior post however, there appears to be no meaningful difference in enforcement agency theories (ranging from third party compliance best practices to internal controls best practices including the finance and audit function and training best practices) in large issuer FCPA enforcement actions compared to small issuer FCPA enforcement actions.
In short, there are several parallels between parenting and compliance as the legal standards are often similar, but the consequences for breach seem to be materially different for business organizations than parents.
One final thought about being a “Compliance Officer” / Dad.
It should be easy, I just ask my parents what their “best practices” were and act accordingly? After all, I turned out OK.
Not so easy perhaps. Has parenting evolved?
The FCPA’s internal controls provisions have not changed one word in 40 years.
But has compliance evolved? There is now a lucrative niche industry that attempts to evolve compliance and make things more complex than it really is. Perhaps you’ve heard about “Compliance 2.0” or is it “Compliance 3.0” that is now the prevailing best standard?
I conclude this post with one of my favorite commentaries on parenting (with obvious parallels to compliance). It was written by Dave Barry and appeared in the Wall Street Journal, not in connection with Father’s Day, but in February 2015.
Looking back on the parents of his generation, Barry observed.
“[T]hey did not worry about providing a perfect, risk-free environment for their children. They loved us, sure. But they didn’t feel obligated to spend every waking minute running interference between us and the world. They were parents, but they were not engaged 24/7 in what we now call “parenting,” this all-consuming job we have created, featuring many crucial child-rearing requirements that my parents’ generation was blissfully unaware of.
They didn’t go to prenatal classes, so they didn’t find out all the things that can go wrong when a person has a baby, so they didn’t spend months worrying about those things. They just had their babies, and usually it worked out, the way it has for millions of years. They didn’t have car seats, so they didn’t worry that the car seat they just paid $249 for might lack some feature that the car seat their friends just paid $312 for does have. They didn’t read 37 parenting handbooks written by experts, each listing hundreds, if not thousands, of things they should worry about.
It would never have occurred to members of my parents’ generation to try to teach a 2-year-old to read; they figured that was what school was for. And they didn’t obsess for years over which school their kids should attend, because pretty much everybody’s kids went to the local schools, which pretty much everybody considered to be good enough. They didn’t worry that their children would get bored, so they didn’t schedule endless after-school activities and drive their kids to the activities and stand around with other parents watching their kids engage in the activities. Instead they sent their kids out to play. They didn’t worry about how or where they played as long as they got home for dinner, which was very likely to involve gluten.
I’m not saying my parents’ generation didn’t give a crap. I’m saying they gave a crap mainly about big things, like providing food and shelter, and avoiding nuclear war. They’d made it through some rough times, and now, heading into middle age, building careers and raising families, they figured they had it pretty good. Not perfect, but pretty good. So at the end of the workweek, they allowed themselves to cut loose—to celebrate their lives, their friendships, their success. They sent the kids off to bed, and they partied. They drank, laughed, danced, sang, maybe stole a piece of an IBM sign. They had fun, grown-up fun, and they didn’t feel guilty about it.
Whereas we modern parents, living in the era of Death by Handshake, rarely pause to celebrate the way our parents did because we’re too busy parenting. We never stop parenting. We are all over our kids’ lives—making sure they get whatever they want, removing obstacles from their path, solving their problems and—above all—worrying about what else will go wrong, so we can fix it for them. We’re in permanent trick-or-treat mode, always hovering 8 feet away from our children, always ready to pounce on the apple.”
But maybe, just maybe, these are all parenting “best practices” and today’s kids will turn out better because of them.
I doubt it.
Just as I have many doubts about today’s compliance “best practices.”
Support This Free Public Website
FCPA Professor is widely regarded as a leading source of FCPA news and commentary. All of this takes time, money, and substantial effort. Thus, if FCPA Professor adds value to your practice or business, please consider a donation.