By Timothy L. Dickinson and Corinne A. Lammers
When was the last time your anti-corruption compliance program had a check-up? Like any other “wellness” program, a periodic review of a company’s compliance program is an integral component of its overall health. As with many of us who delay personal health check-ups, a compliance check-up is often put off until a problem arises, at which point a significant issue could exist. This note sets out a brief background on anti-corruption compliance reviews and provides a set of basic areas to review which, when adapted to a company’s individual risks, can be crafted into a useful tool for ensuring a continued healthy program. Like any other good diagnostic tool, a compliance check-up can keep your company out of trouble.
Background: Early Compliance Programs
Before addressing the issue of a proper physical, some reflection on the origins of current programmatic best practices is imperative, since those essential components define the scope of a good assessment process.
Leading up to the enactment of the Foreign Corrupt Practices Act (“FCPA”), many companies participated in the voluntary disclosure program aimed at purging improper practices of U.S. issuers, including the deliberate falsification of corporate books and records or the maintenance of inaccurate books and records. Most of those same companies created FCPA compliance programs intended to police corporate practices and ensure compliant behavior. As the following 30 years have demonstrated, some companies have been more successful than others, and some industries have shown more awareness than others. For example, the defense and aerospace industries were in the crosshairs of the initial actions; those same companies subsequently became leaders in anti-corruption compliance activities, with significant resources dedicated to a compliance function, and pioneered best practices for that era.
Moving quickly forward through history, the Organization for Economic Cooperation and Development (“OECD”) Convention, other international anti-corruption conventions, and certain new domestic legislation, such as the UK Bribery Act, have radically altered compliance activity around the world and contributed to the development of heightened “best practices” in the compliance field. Likewise, the rapid expansion of enforcement activity in the United States has led companies to raise the bar on compliance activities, including through the development of industry-specific compliance practices to address the unique risks of certain sectors, such as oil and gas and pharma and medical devices.
The challenge, of course, in the early days of compliance, was that individuals tasked with designing an anti-corruption compliance program did not have existing models — or even a broad base of experts with experience in the field — on which they could rely when trying to ascertain best practices. Likewise, while prosecutors were interested in compliance programs when evaluating a potential violation (and especially the “what went wrong?” question), settlement agreements did not mandate particular compliance program elements until the Metcalf & Eddy disposition. While the lack of consensus regarding essential compliance program elements yielded interesting debate, it left companies in a quandary, unable to answer the questions of “when is enough enough?” and “what are essential components of a good anti-corruption compliance program?”
Modern Day Programs and the Requirement to Conduct a Check-Up
As mentioned above, 30 years of evolution have yielded some consensus on current best practices, a welcome trend. Moreover, today’s concept of best practices is not based merely on the dispositions of FCPA cases by the Department of Justice (“DOJ”) and the Securities and Exchange Commission (“SEC”), but has widened to encompass other guidance. The scope of this note is not intended to cover all elements of a proper compliance program (and, indeed, those elements will vary from industry to industry, country to country, etc.). However, a solid understanding of basic compliance program elements can be gleaned from what we believe have become the four most significant sources of guidance: 1) the appendices to recent settlement agreements between the DOJ and companies for violations of the FCPA that enumerate compliance undertakings by those companies (generically referred to here as “Recent Settlement Agreements”); 2) guidance from the OECD (the “OECD Good Practice Guidance”); 3) guidance issued by the UK regarding what constitutes “adequate procedures” to prevent bribery (the “UK Guidance”); and 4) the U.S. federal Sentencing Guidelines. Indeed, several of these documents explicitly call for companies to conduct check-ups. The OECD Good Practice Guidance indicates that a company should conduct periodic reviews of its “ethics and compliance programmes or measures.” These reviews should be designed to “evaluate and improve” the effectiveness of the compliance programs and take into account “relevant developments in the field, and evolving international and industry standards.” Some Recent Settlement Agreements have a similar requirement, and the U.S. Sentencing Guidelines similarly indicate that companies should take reasonable steps to evaluate periodically the effectiveness of the compliance program.
Thus, a company seeking to establish or enhance an anti-corruption compliance program that meets current best practices can glean enough from these documents to design a basic strategy and customize from there.
Components of Your Physical
Like any good check-up, a compliance review has both basic components, like testing blood pressure, as well as patient-specific requirements. We focus here only on the generic patient.
What is perhaps most interesting to many of us who have practiced in this area from its inception is the fact that certain components of a good program today were not recognized as imperative ten or twenty years ago – or at least they were not enunciated as such at the time. Thus, one of the biggest risks all companies face is an aging program that has not kept up with current thinking or consensus guidance. Moreover, as more domestic legislation such as the UK Bribery Act comes into force, compliance programs must be carefully evaluated to ensure global adherence to all applicable laws, which is no easy task.
The primary purpose of a compliance check-up, then, is to ascertain the extent to which the company’s anti-corruption compliance program, as documented in its policies and procedures, is consistent with the relevant industry’s best practices and also addresses any identified areas of corruption risk. Accordingly, the first step in a check-up is to understand where the patient may have problems. This process of identifying problems – or risks – is typically called a “risk assessment.” Risk assessments are discussed below. Once the assessment is completed, you should have a good understanding of the source of the corruption risks that your company faces. Based on your understanding of those risks, you then can review the elements of your company’s anti-corruption compliance program to determine how well your program addresses and mitigates those risks to the extent possible by building in controls to prevent and detect violations. Below is a list of some compliance program elements to review when giving your company a check-up.
1. Risk Assessment (and periodic physicals!)
The first fundamental failure many companies face is not keeping up with their own risks. As acquisitions are made and geographic expansion occurs, fundamental risks also change. Thus, a risk assessment at defined intervals (with obvious recognition that new events may hasten the need…) is now deemed an essential and basic starting point of any good program. Indeed, certain guidance materials, such as the UK Guidance, specifically state that companies need to conduct risk assessments on a periodic basis. The UK Guidance identifies the following five broad groups of “commonly encountered external risks” that should be assessed: country risk, sectoral risk, transaction risk, business opportunity risk, and business partnership risk. The UK Guidance also identifies certain internal factors that may increase corruption risk. In the settlement of several enforcement actions, the Department of Justice also has required a risk assessment addressing the individual circumstances of and foreign bribery risks facing the company and has listed factors to be considered, such as geographical organization, interaction with various types and levels of government officials, industrial sectors of operation, involvement in joint-venture arrangements, importance of licenses and permits in the company’s operations, degree of governmental oversight and inspection, and volume and importance of goods and personnel clearing through customs and immigration. A risk assessment also establishes a baseline to evaluate the effectiveness of a compliance program and sets up the beginning point for the next review. Accordingly, you should begin your check-up with a comprehensive risk assessment.
2. Commitment to Compliance and “Tone at the Top”
While compliance might have always been on some buried agenda, it must now be front and center at all levels, from the audit committee of the Board, the full Board, the Chair of the company and straight down. The UK Guidance notes that top-level management must foster a culture within the company in which bribery is never acceptable. Further, top-level management should be directly involved in bribery prevention. The tone at the top sets a compliance culture and will be evaluated as such. How that message is delivered is considered to be a measurable activity.
3. Appropriate Resources and Levels of Responsibility
Just as management needs to be front and center on their commitment to compliance, resource allocation and recognition of the imperative of the compliance function must be appropriate to the company and its risks. Again, basic budgeting is one measurable factor of a company’s commitment to compliance. Companies also should assign responsibility for the implementation and oversight of compliance with the policies, procedures and internal controls related to the FCPA and other international anti-corruption laws to one or more senior executives (typically the Chief Compliance Officer and the Chief Financial Officer) and may delegate day-to-day operational responsibility for the compliance program to specific individuals who report to the head of the compliance function.
4. Oversight, Monitoring and Independence
How does the compliance function report up, and who oversees the function to ensure its effectiveness? Does the compliance function operate with a sufficient degree of independence? These issues require explanation in any check-up, and as a company restructures, these reporting and oversight arrangements must also be reviewed for effectiveness. The U.S. Sentencing Guidelines specify that the specific individuals who have been delegated day-to-day operational responsibility for the compliance program must have the obligation to report periodically up the chain, including, as appropriate, to the Board of Directors or a sub-group such as the Audit Committee.
5. Compliance Policies and Procedures
Virtually all of the recent commentary indicates that companies should develop and implement a clearly articulated and visible policy prohibiting violations of the FCPA and other international anti-corruption laws. The OECD Good Practice Guidance further specifies that companies should have procedures to address specific risk areas, such as: (1) gifts; (2) hospitality, entertainment and expenses; (3) customer travel; (4) political contributions; (5) charitable donations and sponsorships; (6) facilitation payments; and (7) solicitation and extortion. Today, the vast majority of U.S. companies with international business have adopted policies proscribing improper payments which are supported by more detailed policies and procedures addressing particular risk areas. One of the more difficult of the detailed areas to address is that of facilitation payments. While most companies permitted facilitation payments ten years ago, most companies don’t today. Why? While the FCPA includes an exception for facilitation payments, such payments almost certainly violate local law. Further, other anti-corruption laws, such as the U.K. Bribery Act, do not contain a facilitation payments exception. Thus, if a company’s over-arching policy says “we comply with all laws of the jurisdictions in which we operate,” it is difficult to justify any facilitation payments. Even more critically, while such payments may not raise the ire of U.S. prosecutors, they could still land executives in jail overseas and require careful accounting practices to ensure accurate books and records.
This is just one area of best practices that has shifted with time, but it is a good example of why all policies, from gifts and entertainment to charitable contributions, should be periodically assessed and updated as needed.
6. Due Diligence on Third Parties
While this is a subset of Number 5 above, it always merits special attention since third parties often present a company’s single largest bribery risk. Virtually all of the recent commentary indicates that companies should have appropriate due diligence requirements regarding the retention and oversight of third parties. Evolution has properly acknowledged that tiered due diligence based on specific risk criteria is appropriate, and one size does not fit all. How those tiers are established and what criteria are used requires periodic review. Companies also need to have standard provisions in their agreements with third parties that are designed to prevent violations of the FCPA and other applicable anti-corruption laws. These provisions usually include a prohibition against improper payments, compliance with applicable laws, termination for breach of the agreement and the relevant representations and warranties regarding compliance and audit rights.
7. Training and Communications
Companies should provide training and periodic communications regarding their compliance program to employees at all levels of the company as well as to certain third parties, and the training should be tailored to each audience. Since the Internet was not widely used 25 years ago, training has evolved with technology. Nevertheless, in a “back to the future” manner, companies would be ill-advised to place too much reliance on technology and not enough on face-to-face interaction.
8. Financial Controls and Internal Audit
The commentary also calls for a system of internal controls or procedures reasonably designed to ensure the maintenance of fair and accurate books, records, and accounts. Here, evolving best practices now require some form of periodic review of financial controls and audit programs specifically focused on anti-bribery controls. Many companies have inappropriately relied on their Sarbanes-Oxley controls and have failed to address risks that are not financially material to the company.
Likewise, audit programs for anti-bribery purposes must go much further than merely a review of accounts, and should include interviews that are intended to test compliance sensitivity and understanding of the company’s compliance processes. Lawyers and accountants now typically work together in developing and executing audit modules, which represents a fundamental shift from earlier practice.
9. Reporting Issues and Investigations
The commentary indicates that companies should have an effective and well-publicized system for employees to seek guidance regarding the compliance program and, where possible, confidential or anonymous reporting of potential or actual violations of the law or company policies. Where appropriate, a company’s third party partners should have access to this system. In addition to requiring or encouraging employees to report alleged violations to their supervisors and the compliance department, companies typically have “hotlines” and e-mail accounts that allow employees to anonymously or confidentially report alleged violations. In addition to an effective system for reporting alleged improper conduct, the OECD Good Practice Guidance and Recent Settlement Agreements indicate that companies should have effective measures for responding to such reports. The Sentencing Guidelines state that after criminal conduct has been detected, a company must take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar conduct, including any needed changes to the program. How a company responds to hotline and other reports of misconduct is now an imperative component of an overall program and not a simple add-on.
10. Discipline and Incentives for Compliant Conduct
The commentary also indicates that companies should have “appropriate” disciplinary procedures for employees who violate anti-corruption laws and company policy. The U.S. Sentencing Guidelines further indicate that appropriate disciplinary measures also should apply to those who fail to take reasonable steps to prevent or deter criminal conduct. Effective discipline is a difficult component for any good program, but it is essential to establish a good deterrent within a company. Most companies are not recidivists if employees have seen an example of the career impact of non-compliant behavior. On the other end of the spectrum, the U.S. Sentencing Guidelines and the OECD Good Practice Guidance indicate that companies should have incentive measures to encourage compliance and provide positive support for the compliance program at all levels of the company. To that end, some companies now include compliance-related goals in their annual performance evaluation criteria.
11. Monitoring and Testing
The U.S. Sentencing Guidelines indicate that a company should take reasonable steps to ensure that its compliance and ethics program is followed, including through monitoring and auditing. Similarly, the UK Guidance states that companies need to monitor and review the effectiveness of bribery prevention procedures and modify procedures when necessary. Recent Settlement Agreements also require periodic testing of the company’s compliance policies, procedures and internal controls to evaluate their effectiveness in detecting and reducing violations of the FCPA, other applicable anti-corruption laws, and the company’s policy against such violations. To that end, companies must design processes (in addition to their internal audit functions) to monitor and test compliance with the company’s anti-corruption compliance program.
With the U.K. Bribery Act’s application to commercial bribery, companies must consider how to address this issue in their programs, which may become a challenge as local law on this subject differs from jurisdiction to jurisdiction.
Thus, periodic reviews, risk assessments, diagnostics and blood tests are all key factors to a vibrant compliance program and will often be requested by prosecutors when evaluating how to judge a company’s overall program, and how much mitigation credit should be awarded. The imperative is clear and the ounce of prevention a good physical may yield is always well worth the time and effort…just like the trip to your doctor.