Embedding Compliance

How to Approach Compliance

How should corporations approach the task of compliance and the organization of a Compliance function? In its Resource Guide to the U.S. Foreign Corrupt Practices Act, issued last November by the DOJ and the Securities Exchange Commission (SEC), the government identified nine “Hallmarks of Effective Compliance Programs.” Id. at 57-62. The list offers no surprises, but we are intrigued by the government's acknowledgement that “[w]hen it comes to compliance, there is no one-size-fits-all program.” Id. at 57. Companies are encouraged to design programs that will reflect their culture, address their individual needs, and contemplate the particular risks associated with their business. In the end, the most important inquiry is, “Does it work?” Id. at 56.

Based on experience designing and running compliance programs in-house and assisting companies as outside counsel, we offer some thoughts about “what works.” We evaluate the government's hallmarks and try to distill them into practical takeaways. We also identify a tenth attribute, which we call “embeddedness.” It considers whether compliance activities have been embedded inside the business, where they are more likely to be effective ' or layered on top, weighing the business down. Embeddedness reflects the reality that accountability for compliance must rest with the people doing operational work. This is crucial to achieving the ultimate goal ' helping the corporation to manage legal and regulatory risks and safeguard integrity, without sacrificing a high performance culture.

What Is the Compliance Function?

Generally, “compliance” refers to the efforts by a company to maintain substantial compliance with the laws and regulations that govern its operations, wherever it does business. That sounds like Legal's responsibility, and for many businesses it is. However, for large corporations in the most highly regulated industries, such as financial services and pharmaceuticals, and for multinationals struggling to expand their business in a competitive global economy, like Wal-Mart, compliance is not so simple. To instruct thousands of employees undertaking highly regulated (and often highly scrutinized) tasks concerning the right and wrong ways to conduct business is an enormous undertaking; yet, that is just where the work begins.

The Compliance Department must then monitor the company's operations to assess progress and protect the corporation against inevitable violations, inadvertent and otherwise. All of this work is undertaken within an environment made all the more difficult by unrelenting financial pressures, ruthless international competition, and enigmatic cross-cultural differences. It is no surprise that companies like GSK and Wal-Mart find themselves in the government's crosshairs.

The government's Guide acknowledges that “individual companies may have different compliance needs depending on their size and the particular risks associated with their businesses.” Id. at 57. In that spirit, the nine hallmarks should be seen as component parts of a larger system, each of which may be adjusted to meet a company's individual circumstances.

1. Commitment from Senior Management

While DOJ/SEC are right to insist that compliance “must start at the top” with the board of directors and executives, that top level commitment must be more than mere lip service. Few long-term benefits will be derived from compliance programs that are “strong on paper” but short on actual implementation.

2. Clear, Concise, and Accessible Policies and Procedures

To drive accountability, companies must promulgate policies and procedures that are “clear, concise, and accessible.” Id. Programs built on legalese and technical SOPs often cost less to develop, but you get what you pay for ' employees rarely read them, let alone take them to heart.

There is no substitute for building policies and procedures from the ground up by involving those governed by these materials in their initial development and ongoing maintenance. The result will be an employee base that is more meaningfully “bought into” rulebooks and processes that reflect the company's actual business operations and risks, rather than merely a lawyer's sense of that business. Once those materials have been developed, don't let them sit on the shelf. Make them easily accessible and searchable by electronic means, so that no employee may claim she didn't understand, or couldn't find, the rules.

3. Oversight, Autonomy, and Resources

Although the government prefers ' perhaps at times may mandate ' having a separate compliance function, where the Compliance Department is housed and how the function is structured must fit a company's culture, risk profile, and the circumstances under which it operates. The primary goal is ensuring that the company's management team respects the ability of the senior compliance professional(s) to communicate directly with the company's governing authority, such as the CEO and members of the board of directors, and to escalate credible concerns
to those levels, if appropriate.

4. Risk Assessment

“DOJ and SEC will give meaningful credit to a company that implements in good faith a comprehensive, risk-based compliance program, even if that program does not prevent an infraction in a low risk area because greater attention and resources had been devoted to a higher risk area.” Id. at 59. Taken at face value, this is a valuable statement from the DOJ because it suggests realistic acceptance of the fact that compliance is an imperfect endeavor. A company that builds a smart compliance program within its business and focuses it in good faith on key risks is more likely to prevent or discover major violations than a company that imposes a technical, rules-based program on its business, driving bad actors or violative activities underground.

5. Training and Continuing Advice

The standard of “clear, concise, and accessible” for policies and procedures should also apply to compliance training. In most companies, this requires a multi-functional effort, including representatives from Human Resources, Communications, and each affected operations team. No person or function should be exempt; however, a risk-based approach will result in more training resource being applied to the highest risk areas.

The second component ' continuing advice ' is equally critical, especially for companies with smaller budgets to invest in the latest e-training tools. Even if littered with case studies, compliance training will never anticipate every risk scenario. Compliance programs should be structured and staffed so that, when business operational teams have questions or concerns, they have somewhere to go for guidance ' before those questions ripen into complaints or whistleblowing.

6. Incentives and Disciplinary Measures

A graduated discipline policy recognizes that not all compliance violations are equal. They range from inadvertent, technical mistakes to whopper legal violations, and each should be dealt with proportionately. It is easy for companies to put such a policy in place, but many do not. Do not neglect this opportunity for quick and easy improvement.

It is more difficult to incentivize compliance leadership. However, nothing speaks louder than the decision to incorporate compliance metrics into performance reviews and compensation decisions from the shop floor all the way to the executive suite. By doing so, companies reward actions and innovations that protect and advance the company's reputation, thereby reinforcing the relative importance of corporate integrity.

7. Third-Party Due Diligence

Although third-party due diligence is an important component of an effective compliance program, it is better understood, and sold more effectively, as a fundamental good business practice.

Yet, the government's enforcement record reflects that many companies not only neglect this diligence, but actually deploy third parties, including agents, consultants, and distributors, to conceal corrupt business practices. To prevent this, an effective compliance program will insist that appropriate risk-based diligence takes place prior to contracting, and then will provide assistance in getting the diligence done. Just as importantly, it will educate employees and agents concerning the legal and ethical standards to which they will be held accountable.

8. Confidential Reporting and Internal Investigation

The most effective way to stay out of the government's crosshairs is to foster a culture that encourages employees to report compliance concerns or misconduct internally, rather than take those disclosures directly to the government as a whistleblower. This requires that mechanisms for internal disclosure, such as anonymous hotlines or ombudsmen, be conspicuous, accessible and easy to use. They must also be supported by credible guarantees of responsive follow-up, appropriate confidentiality, and protection from retaliation.

9. Continuous Improvement

Compliance is dynamic. Laws, regulations, and business standards change. Government enforcement priorities shift. And, perhaps most critically, businesses evolve, with increasing risks in some areas and diminishing risks in others. Compliance programs must adapt accordingly. To drive continuous improvement in a well-functioning, risk-based compliance program requires both real-time monitoring systems and traditional spot audits. The monitoring systems should produce practical compliance Key Performance Indicators (KPIs), demonstrating whether compliance resources are being allocated effectively. The audits should be targeted at key risk activities, ensuring that companies stay smart and avoid complacency.

10. Embeddedness

We submit “embeddedness” is a worthwhile tenth component. An embedded compliance program is integrated with the business, collaborating with functional teams on operational support requirements, and with more senior managers on how to evaluate strategic risks and allocate resources accordingly.

Too often, this is not the case. An adversarial relationship may even exist between compliance department and the business, causing Compliance to become the department of “No.” Then, when the company comes under pressure to strengthen compliance, adding more compliance resources and autonomy take a situation from bad to worse. In their zeal to demonstrate enthusiasm for “doing the right thing,” executives build a compliance monster that consumes corporate resources and may even foster dissent and distrust in the organization.

The first step toward preventing this outcome is to acknowledge that, just as the finance department is not expected to generate revenue, one should not expect Compliance to ensure operational employees always follow the rules. Only the employees themselves can provide such assurance.

Embedding compliance within the business brings the compliance program closer to real business dynamics, improving risk assessment and monitoring. It also diminishes adversity, repositioning compliance professionals as “best practice consultants,” rather than internal police officers, as they collaborate with their business colleagues on achieving corporate integrity.

'Conclusion

By these recommendations, we certainly do not mean to diminish the compliance role. To the contrary, the approach outlined here only works if compliance professionals have meaningful independence and are highly respected in the organization.' “Compliance cannot ensure compliance.” With that understanding in place, companies will be able to assess what resources and systems their compliance department requires to support and monitor the business in pursuit of the shared objective of a culture of compliance contributing to a high performance business.

Jeffrey Hessekiel is Senior Counsel in the FDA and Healthcare practice group in the San Francisco office of Arnold & Porter LLP. Alex Toy is an Associate at the firm.

The year 2012 was another banner year for Department of Justice (DOJ) officials charged with prosecuting corporate enforcement actions. The DOJ recovered $4.9 billion from False Claims Act cases, the most ever in a single year.

Although there was a small relative decrease in Foreign Corrupt Practices Act (FCPA) cases, the head of the DOJ's Criminal Division commented that “robust FCPA enforcement has become part of the fabric of the Justice Department” and a “reality that companies know they must live with and adjust to.” To his point, consider Wal-Mart, which has been accused of civil and criminal violations of the FCPA for allegedly bribing officials in Mexico to expedite the rapid construction of new stores, including one on top of an important archeological site.

In May, Wal-Mart reported that in the first year it had already spent over $225 million merely responding to the government and conducting its own internal investigations. These facts highlight the growing importance of what has become known in most corporations simply as “Compliance.” The function's undistinguished name masks its weighty responsibility, as the government has described, “to protect a company's reputation, ensure investor value and confidence, reduce uncertainty in business transactions, and secure a company's assets.” DOJ and SEC, Resource Guide to the U.S. Foreign Corrupt Practices Act at 56 (Nov. 14, 2012).

How to Approach Compliance

How should corporations approach the task of compliance and the organization of a Compliance function? In its Resource Guide to the U.S. Foreign Corrupt Practices Act, issued last November by the DOJ and the Securities Exchange Commission (SEC), the government identified nine “Hallmarks of Effective Compliance Programs.” Id. at 57-62. The list offers no surprises, but we are intrigued by the government's acknowledgement that “[w]hen it comes to compliance, there is no one-size-fits-all program.” Id. at 57. Companies are encouraged to design programs that will reflect their culture, address their individual needs, and contemplate the particular risks associated with their business. In the end, the most important inquiry is, “Does it work?” Id. at 56.

Based on experience designing and running compliance programs in-house and assisting companies as outside counsel, we offer some thoughts about “what works.” We evaluate the government's hallmarks and try to distill them into practical takeaways. We also identify a tenth attribute, which we call “embeddedness.” It considers whether compliance activities have been embedded inside the business, where they are more likely to be effective ' or layered on top, weighing the business down. Embeddedness reflects the reality that accountability for compliance must rest with the people doing operational work. This is crucial to achieving the ultimate goal ' helping the corporation to manage legal and regulatory risks and safeguard integrity, without sacrificing a high performance culture.

What Is the Compliance Function?

Generally, “compliance” refers to the efforts by a company to maintain substantial compliance with the laws and regulations that govern its operations, wherever it does business. That sounds like Legal's responsibility, and for many businesses it is. However, for large corporations in the most highly regulated industries, such as financial services and pharmaceuticals, and for multinationals struggling to expand their business in a competitive global economy, like Wal-Mart, compliance is not so simple. To instruct thousands of employees undertaking highly regulated (and often highly scrutinized) tasks concerning the right and wrong ways to conduct business is an enormous undertaking; yet, that is just where the work begins.

The Compliance Department must then monitor the company's operations to assess progress and protect the corporation against inevitable violations, inadvertent and otherwise. All of this work is undertaken within an environment made all the more difficult by unrelenting financial pressures, ruthless international competition, and enigmatic cross-cultural differences. It is no surprise that companies like GSK and Wal-Mart find themselves in the government's crosshairs.

The government's Guide acknowledges that “individual companies may have different compliance needs depending on their size and the particular risks associated with their businesses.” Id. at 57. In that spirit, the nine hallmarks should be seen as component parts of a larger system, each of which may be adjusted to meet a company's individual circumstances.

1. Commitment from Senior Management

While DOJ/SEC are right to insist that compliance “must start at the top” with the board of directors and executives, that top level commitment must be more than mere lip service. Few long-term benefits will be derived from compliance programs that are “strong on paper” but short on actual implementation.

2. Clear, Concise, and Accessible Policies and Procedures

To drive accountability, companies must promulgate policies and procedures that are “clear, concise, and accessible.” Id. Programs built on legalese and technical SOPs often cost less to develop, but you get what you pay for ' employees rarely read them, let alone take them to heart.

There is no substitute for building policies and procedures from the ground up by involving those governed by these materials in their initial development and ongoing maintenance. The result will be an employee base that is more meaningfully “bought into” rulebooks and processes that reflect the company's actual business operations and risks, rather than merely a lawyer's sense of that business. Once those materials have been developed, don't let them sit on the shelf. Make them easily accessible and searchable by electronic means, so that no employee may claim she didn't understand, or couldn't find, the rules.

3. Oversight, Autonomy, and Resources

Although the government prefers ' perhaps at times may mandate ' having a separate compliance function, where the Compliance Department is housed and how the function is structured must fit a company's culture, risk profile, and the circumstances under which it operates. The primary goal is ensuring that the company's management team respects the ability of the senior compliance professional(s) to communicate directly with the company's governing authority, such as the CEO and members of the board of directors, and to escalate credible concerns
to those levels, if appropriate.

4. Risk Assessment

“DOJ and SEC will give meaningful credit to a company that implements in good faith a comprehensive, risk-based compliance program, even if that program does not prevent an infraction in a low risk area because greater attention and resources had been devoted to a higher risk area.” Id. at 59. Taken at face value, this is a valuable statement from the DOJ because it suggests realistic acceptance of the fact that compliance is an imperfect endeavor. A company that builds a smart compliance program within its business and focuses it in good faith on key risks is more likely to prevent or discover major violations than a company that imposes a technical, rules-based program on its business, driving bad actors or violative activities underground.

5. Training and Continuing Advice

The standard of “clear, concise, and accessible” for policies and procedures should also apply to compliance training. In most companies, this requires a multi-functional effort, including representatives from Human Resources, Communications, and each affected operations team. No person or function should be exempt; however, a risk-based approach will result in more training resource being applied to the highest risk areas.

The second component ' continuing advice ' is equally critical, especially for companies with smaller budgets to invest in the latest e-training tools. Even if littered with case studies, compliance training will never anticipate every risk scenario. Compliance programs should be structured and staffed so that, when business operational teams have questions or concerns, they have somewhere to go for guidance ' before those questions ripen into complaints or whistleblowing.

6. Incentives and Disciplinary Measures

A graduated discipline policy recognizes that not all compliance violations are equal. They range from inadvertent, technical mistakes to whopper legal violations, and each should be dealt with proportionately. It is easy for companies to put such a policy in place, but many do not. Do not neglect this opportunity for quick and easy improvement.

It is more difficult to incentivize compliance leadership. However, nothing speaks louder than the decision to incorporate compliance metrics into performance reviews and compensation decisions from the shop floor all the way to the executive suite. By doing so, companies reward actions and innovations that protect and advance the company's reputation, thereby reinforcing the relative importance of corporate integrity.

7. Third-Party Due Diligence

Although third-party due diligence is an important component of an effective compliance program, it is better understood, and sold more effectively, as a fundamental good business practice.

Yet, the government's enforcement record reflects that many companies not only neglect this diligence, but actually deploy third parties, including agents, consultants, and distributors, to conceal corrupt business practices. To prevent this, an effective compliance program will insist that appropriate risk-based diligence takes place prior to contracting, and then will provide assistance in getting the diligence done. Just as importantly, it will educate employees and agents concerning the legal and ethical standards to which they will be held accountable.

8. Confidential Reporting and Internal Investigation

The most effective way to stay out of the government's crosshairs is to foster a culture that encourages employees to report compliance concerns or misconduct internally, rather than take those disclosures directly to the government as a whistleblower. This requires that mechanisms for internal disclosure, such as anonymous hotlines or ombudsmen, be conspicuous, accessible and easy to use. They must also be supported by credible guarantees of responsive follow-up, appropriate confidentiality, and protection from retaliation.

9. Continuous Improvement

Compliance is dynamic. Laws, regulations, and business standards change. Government enforcement priorities shift. And, perhaps most critically, businesses evolve, with increasing risks in some areas and diminishing risks in others. Compliance programs must adapt accordingly. To drive continuous improvement in a well-functioning, risk-based compliance program requires both real-time monitoring systems and traditional spot audits. The monitoring systems should produce practical compliance Key Performance Indicators (KPIs), demonstrating whether compliance resources are being allocated effectively. The audits should be targeted at key risk activities, ensuring that companies stay smart and avoid complacency.

10. Embeddedness

We submit “embeddedness” is a worthwhile tenth component. An embedded compliance program is integrated with the business, collaborating with functional teams on operational support requirements, and with more senior managers on how to evaluate strategic risks and allocate resources accordingly.

Too often, this is not the case. An adversarial relationship may even exist between compliance department and the business, causing Compliance to become the department of “No.” Then, when the company comes under pressure to strengthen compliance, adding more compliance resources and autonomy take a situation from bad to worse. In their zeal to demonstrate enthusiasm for “doing the right thing,” executives build a compliance monster that consumes corporate resources and may even foster dissent and distrust in the organization.

The first step toward preventing this outcome is to acknowledge that, just as the finance department is not expected to generate revenue, one should not expect Compliance to ensure operational employees always follow the rules. Only the employees themselves can provide such assurance.

Embedding compliance within the business brings the compliance program closer to real business dynamics, improving risk assessment and monitoring. It also diminishes adversity, repositioning compliance professionals as “best practice consultants,” rather than internal police officers, as they collaborate with their business colleagues on achieving corporate integrity.

'Conclusion

By these recommendations, we certainly do not mean to diminish the compliance role. To the contrary, the approach outlined here only works if compliance professionals have meaningful independence and are highly respected in the organization.' “Compliance cannot ensure compliance.” With that understanding in place, companies will be able to assess what resources and systems their compliance department requires to support and monitor the business in pursuit of the shared objective of a culture of compliance contributing to a high performance business.

Jeffrey Hessekiel is Senior Counsel in the FDA and Healthcare practice group in the San Francisco office of Arnold & Porter LLP. Alex Toy is an Associate at the firm.