Today’s post is from Scott Fredericksen (Partner, Foley & Lardner) and originally appeared in International Trade Law & Regulation, Vol. 21, Issue 3, 2015 (Thomson Reuters).
Not long ago, Foley & Lardner was selected as a monitor for a medical devices company that had been found to have engaged in conduct alleged to violate the FCPA. As the leader of the investigatory team, I did not have the normal advantage of working with a known client with a known business.
Rather, I needed to develop a multi-faceted team that had to quickly get up to speed on the company's business model, how it conducted business abroad, its distributor arrangements, its compliance program, its internal controls, and its training. In short, I had to set up a compliance review with the kind of probing that one would find in an in-depth financial audit.
The important compliance lessons learned from Foley's experience as a corporate monitor are set out below.
As most people who are involved in the compliance area know, establishing the right corporate culture is paramount. The key requirements include ensuring that the company has a culture of respect for compliance, that senior management is firmly behind all compliance efforts, and that there is a strong and well-funded compliance infrastructure that can catch compliance missteps from a variety of angles.
Establishing the appropriate corporate compliance culture requires constant reiteration of the compliance message. Compliance standards must be public and promulgated throughout the company, including through regular placement in company newsletters and on corporate intranets. Compliance policies should be readily accessible to employees and integrated into all aspects of employment, starting with discussions of compliance during the hiring process and references to the policy in employment contracts. Even employee performance reviews can help serve this purpose, by ensuring that employee adherence to compliance standards is part of the evaluation process.
The involvement of senior management is also essential for the development of a corporate culture focused on compliance. Placing a member of senior management in charge of compliance creates a vital link between the executives and board members responsible for running a company and the employees on the ground who must deal with potential regulatory violations on a regular basis. A high-level member of management who is intimately involved in the compliance process also lends legitimacy to the company's compliance policy and helps firmly establish the tone from the top.
This is not to say that every company needs to have a dedicated chief compliance officer. The establishment of the compliance infrastructure, like all compliance efforts, needs to be a risk-based endeavor, which means that the compliance needs of a smaller company that operates in only a handful of foreign countries may not be the same as those of a large multinational corporation that operates in a number of high-risk environments. It is common in smaller companies for compliance duties to be handled by an employee who has multiple responsibilities, such as the head of the human resources or audit department. But at all companies, there should be a single person who is responsible for monitoring potential violations, managing due diligence, developing and providing compliance training, answering questions and resolving red flags, and testing the compliance program. This type of compliance ownership, by a person who is free from business pressures to achieve particular outcomes, is essential to ensure that compliance responsibilities are taken seriously.
A Corporate Monitor's Guide to International Regulatory Compliance.
A final issue is the adequacy of funding. Effective compliance requires hiring appropriate compliance personnel, taking time from busy employees for training, establishing internal controls and processes to monitor the effectiveness of the program and procedures in place, and periodically revising the policies and training materials. Companies should put in place programs that will be supported by commensurate resources. If, for example, a company states that it will perform due diligence on every agent it hires, then it should ensure that it has set aside sufficient resources to carry through on this commitment. Although compliance can be expensive, its cost pales in comparison to the multimillion-dollar fines and high investigatory costs that now accompany even routine violations of U.S. regulations.
Compliance Program Improvements
A thorough and proper risk assessment forms the core of any good compliance program. No compliance program has the luxury of drawing on unlimited resources. Therefore, it is necessary to begin with a sober assessment of the regulatory risks facing the business, including those posed by its corporate profile, business model, types of products sold, areas of operation, use of third parties, degree of government interaction, and other business-profile issues that impact the degree of regulatory risk.
The ways in which to conduct a proper risk assessment vary, but certain principles are universal. Involvement from senior management and from employees who understand the company, its business model, and its specific regulatory risk points is essential. The risk assessment must be conducted free of business pressures, without clouded judgment regarding where the highest risks arise. The risk assessment also should take into account all the ways in which outside actors, such as agents, distributors, joint venture partners, and other third parties, can implicate the company or create regulatory liability.
Companies also need to update their risk assessments on a regular basis. Corporate expansions, mergers and acquisitions, establishment of new joint ventures, expansions into new countries or product lines, and new distributor arrangements are all activities that can alter the risk profile of a company. Even regulatory developments, such as enactment of broad anticorruption laws such as the UK Bribery Act or the recent ramping up of OFAC sanctions and related enforcement activity, can impact compliance requirements. Not all of these changes, or their impact on compliance efforts, are obvious, which makes a regular reassessment of risk an important compliance function.
After conducting a risk assessment, a company must decide how to allocate its compliance resources. Allocating most resources to identified high-risk areas is important. So, however, is recognizing that the risk even in low-risk areas seldom is zero, and that such areas thus deserve some compliance attention as well. A well-structured risk assessment can help balance the distribution of compliance resources.
It also is important to regularly update compliance measures. Compliance standards regularly change, driven not only by changes in the regulatory framework but also by the expectations of regulators. As a result, it is important for a company to remain educated about compliance issues, including through regularly sending compliance personnel to specialized conferences, and following developments that bear on the ever-evolving standards for an acceptable compliance program.
When changes are made, the changes to the compliance program must be appropriately promulgated throughout the company. Depending on the change, this could require anything from company-wide training to a simple email from the company's chief compliance officer. Regular communications regarding the company's compliance message serve the dual purposes of keeping the compliance message top-of-mind while also communicating the company's evolving compliance efforts and its commitment to compliance.
Training is an integral part of every compliance program, and serves a function that is much greater than merely communicating information. Done properly, it is an important part of the compliance-related dialogue that helps minimize the risk of violations while also helping to discover violations that already have occurred. It also is a key cog in the central goal of communicating the importance of compliance to the organization.
Although many companies conduct training electronically, including through the use of innovative compliance presentations and on-line quizzes, in-person training remains the gold standard. Company personnel tend to pay more attention to a live presentation, and the presentation can be tailored to the requirements of the audience. Allowing time for discussion not only allows employees the opportunity to ask questions about areas that are unclear, but often reveals areas where further inquiry may be appropriate. Properly presented, in-person training can result in compliance feedback that can be incorporated to improve the overall compliance program.
No matter how training is provided, it cannot be a one-time event. Although all employees should receive initial training upon their hiring, reinforcement of the training on a periodic basis is essential. Annually is a good benchmark that works for most companies.
Finally, companies should make training relevant to the audience. The training should use as many real-world examples as possible, such as case studies drawn from actual problems confronted by the company in the past, as well as those that are more likely to occur based on the industry and where and how the company does business.
Audits and Compliance Checkups
Compliance as envisioned by the compliance program, and compliance as it actually occurs in the field, often are two very different things. A company that implements rigorous procedures, but then fails to live up to them, often gets the worst of both worlds, since its failure to meet its own compliance standards will be held against it in any enforcement proceeding. To avoid this possibility, compliance implementation should be monitored by direct observation, by supervision of the program, and by testing the controls.
Some of this testing can be done in the company’s normal internal audit process, and it is important that internal audit employees receive specific compliance training so they understand what to do and why they are doing it. One increasingly common way of ensuring the testing of the controls is to conduct compliance audits. These audits are intended to stress-test compliance procedures by picking high-risk transactions at random to see whether the compliance program is functioning as envisioned. Beyond this, regime-specific audit items can be created, which generally will focus on whether the company is adhering to its internal controls in a given area. They can be conducted by properly trained internal or external auditors.
The tendency at many companies is to conduct audits based upon the ease of conducting them, rather than their utility. This shows up, for example, when companies target their own foreign operations for compliance-related audits, but do not exercise their rights to audit agents or joint venture partners. It also arises when companies do not return to the lessons of their risk assessments to determine the high-risk areas that merit follow-up checks. Unlike financial audits, which tend to concentrate on areas with the highest revenue impact, compliance-based audits often need to focus on areas that may have a small revenue impact but a large compliance risk footprint. Operations in a developing country, for example, may be new and have still-small revenue, yet present an outsized compliance risk.
Agent and Distributor Controls
No compliance program, no matter how well conceived, can perform its job unless the risks posed by third parties are adequately addressed. This is because many enforcement settlements are premised on agency principles, i.e., a determination that parties outside the company were acting on behalf of the principal, thus creating legal liability for the principal.
Dealing with agents, distributors, and other third parties presents unique and interesting challenges. Often companies work with these third parties in foreign countries precisely because they do not understand the business culture or the ins-and-outs of doing business in a particular country. Agents help fill this gap by bringing knowledge of the local business environment that the company cannot supply by itself.
But the greater the separation from corporate headquarters, the greater the risk. The dangers of third parties can arise in a host of areas, including for matters handled by customs brokers, distributors, sales agents, political consultants, lobbyists, and other third parties. The consistent use of third parties, even when justified from a business perspective, by itself can be considered a compliance red flag. The oversight of third parties accordingly should be considered in every aspect of the company’s risk assessment, including with regard to the establishment of the relationship (with appropriate contractual protections), training, accounting, ongoing certifications, and even audits.
Due diligence is also a key step when managing third-party risks. Due diligence is a mix of tasks that may include interviews, background checks, reviews of databases and publications, consulting third parties that can provide reliable local information, using forensic accountants to review books and records to evaluate risk, visiting the offices of agents, and other methods of confirming suitability, as the case may be. Once again, the application of risk-based principles will help determine how much due diligence is appropriate for various types of third parties.
At too many companies, third-party compliance oversight begins and ends with due diligence. In other words, the company conducts its third-party due diligence, places the resulting report in its file, and then moves on to conducting the business relationship without much more in the way of oversight. Ongoing review of the relationship, however, is the best way to proceed, including through periodic certifications, ensuring up-to-date training, monitoring any deviations of the relationship from the anticipated course, and the conduct of third-party audits. Due diligence is important, but it is only a limited snapshot of the past. As the relationship evolves, the company’s best source of information about the relationship becomes the data concerning its own relationship with the third party.