In this episode of the Diligent Compliance Week 2025 Speaker Preview Podcasts series, Ellen Hunt discusses her two presentations at Compliance Week 2025, “Culture Effectiveness and ROI: How to Move the Needle” and “Assessing Effectiveness: Do the 30-Year-Old Federal Sentencing Guidelines Still Work?” In her first panel presentation, they will discuss the following: Demonstrate measurable and quantifiable ROI. Build psychological safety that drives ethical decision-making and engagement. Navigate matrix environments to expand the influence. Use data to tell compelling compliance success stories. Partner with the C-suite to help them navigate disruptive changes, including deregulation and major economic geopolitical shifts. In her second presentation, she and Carrie Penman, the Chief Risk and Compliance Officer at Navex, will debate whether the US Sentencing Guidelines should be updated. I hope you can join us at Compliance Week's 20th Anniversary National Conference. This year's event will be held April 28-30 at The Mayflower Hotel, Autograph Collection, Washington, D.C. The lineup is first-rate, with some top ethics and compliance practitioners around. Drop by the Diligent booth for some Compliance Podcast Network coffee to gain insights and make connections at the industry's premier cross-industry national compliance event, offering knowledge-packed, accredited sessions and take-home advice from the most influential leaders in the compliance community. Back for its 20th year, compliance, ethics, legal, and audit professionals will gather safely face-to-face to benchmark best practices and gain the latest tactics and strategies to enhance their compliance programs.
Welcome to the award-winning FCPA Compliance Report, the longest running podcast in compliance. In this special episode, I visit with Eric Morehead, the Director of Advisory Services at LRN. We discuss the US Sentencing Guidelines on the 30th anniversary of their enactment and review the recent report on the history of the Sentencing Guidelines. Morehead, a former staff attorney at the US Sentencing Commission, takes a look at the numbers and considers the broader impact of the Sentencing Guidelines on compliance in the US and across the globe. Some of the highlights include:
· What are the US Sentencing Guidelines?
· Why were they enacted?
· How have they been supported by the DOJ and Courts?
· What were the two amendments to the US Sentencing Guidelines?
· What may be down the road for the US Sentencing Guidelines?
Resources: LRN; Eric Morehead on LinkedIn; A Deep Dive Into Organizational Sentencing Data by Eric Morehead on Law360.
Watch this episode on YOUTUBE, on APPLE PODCASTS, or wherever you get your podcasts! Helping us get Set for Sentencing, Professor Doug Berman, author of the Sentencing Law and Policy Blog. Prof. Berman helps us make sense of two major sentencing events of the past week - President Biden's blanket pardon for federal marijuana possession and a Florida Jury's non-death verdict in the penalty phase of the trial of Parkland shooter Nikolas Cruz. IN THIS EPISODE: Big picture of Pres. Biden's pot pardon; Historical precedent for “blanket pardons”; What the future may hold for further action; Potential political and practical consequences for state and federal sentencing; Whether pardoned conduct can ever really be expunged from your record; Dissecting the non-death verdict for Nikolas Cruz, perpetrator of the horrific Parkland school massacre; and What the verdict tells us about the goals of punishment. LINKS: Berman's Blog on Sentencing Law and Policy; Set For Sentencing, Ep. 6, "The Devil We Know", another great episode with Prof. Berman doing a deep dive into the US Sentencing Guidelines.
What you'll learn in this podcast episode A few weeks ago, the United States Sentencing Commission (USSC) issued a report titled The Organizational Sentencing Guidelines: Thirty Years of Innovation and Influence. The publication summarizes the history of Chapter Eight's development and discusses the two substantive changes made to the elements of an effective compliance and ethics program. So, what does this mean for compliance professionals? In this episode of the Principled Podcast, host Jen Uner, Strategic Communications Director at LRN, talks about the guidelines with Eric Morehead, Director of Advisory Services at LRN. Listen in as the two discuss how these updates—and the wider USSC—impact corporate governance. The purpose of the U.S. Sentencing Commission is to study and develop sentencing policies for the federal courts. The Commission serves as an information resource for Congress, the executive, the courts, and the public on matters relating to federal crime and sentencing. Our episode today focuses on Chapter 8, which addresses organizational sentencing guidelines, not individual sentencing guidelines which is also a significant focus for the USSC. Principled Podcast Show Notes [1:24] – Explanation of the new publication from the U.S. Sentencing Commission and why it matters. [6:42] - How the original standards have held up over the last 30 years. [7:51] - Eric outlines some of the highlights of the most recent publication. [12:53] - The real repercussions for organizations. [14:58] - The relationship of the Sentencing Commission with the DOJ and SEC. [18:33] - Steps organizations should take when crafting their own E&C programs. [21:43] - The role of company culture in determining how effective the program will be. Featured guest: Eric Morehead Eric Morehead is a member of LRN's Advisory Services team and has over 20 years of experience working with organizations seeking to address compliance issues and build effective compliance and ethics programs. 
Eric conducts program assessments and examines specific compliance risks, drafts compliance policies and codes of conduct, works with organizations to build and improve their compliance processes and tools, and provides live training for Boards of Directors, executives, managers, and employees. Eric ran his own consultancy for six years where he advised clients on compliance program enhancements and assisted in creating effective compliance solutions. Eric was formerly the Head of Advisory Services for NYSE Governance Services, a leading compliance training organization, where he was responsible for all aspects of NYSE Governance Services' compliance consulting arm. Prior to joining NYSE, Eric was an Assistant General Counsel of the United States Sentencing Commission in Washington, DC. Eric served as the chair of the policy team that amended the Organizational Sentencing Guidelines in 2010. Eric also spent nearly a decade as a litigation attorney in Houston, Texas where he focused on white-collar and regulatory cases and represented clients at trial and before various agencies including SEC, OSHA and CFTC. Featured Host: Jen Üner Jen Üner is the Strategic Communications Director for LRN, where she captains programs for both internal and external audiences. She has an insatiable curiosity and an overdeveloped sense of right and wrong which she challenges each day through her study of ethics, compliance, and the value of values-based behavior in corporate governance. Prior to joining LRN, Jen led marketing communications for innovative technology companies operating in Europe and the US, and for media and marketplaces in California. She has won recognition for her work in brand development and experiential design, earned placements in leading news publications, and hosted a closing bell ceremony of the NASDAQ in honor of the California fashion industry as founder of the LA Fashion Awards. Jen holds a B.A. degree from Claremont McKenna College. 
Principled Podcast Transcript Intro: Welcome to the Principled Podcast brought to you by LRN. The Principled Podcast brings together the collective wisdom on ethics, business and compliance, transformative stories of leadership, and inspiring workplace culture. Listen in to discover valuable strategies from our community of business leaders and workplace change makers. Jen Uner: A few weeks ago, the United States Sentencing Commission issued a report titled The Organizational Sentencing Guidelines: 30 Years of Innovation and Influence. The publication summarizes the history of Chapter Eight's development and discusses the two substantive changes made to the elements of an effective compliance and ethics program. Hello, and welcome to another episode of LRN's Principled Podcast. I'm your host, Jen Uner, strategic communications director at LRN, and today, I'm joined by my colleague, Eric Morehead, director of advisory services solutions at LRN. We're going to be talking about the guidelines, and how it impacts corporate governance and what compliance professionals need to know. Eric Morehead is a real expert in the space as he once worked on these guidelines in a prior role at the US Sentencing Commission. He advises LRN clients now on these topics. Eric, thank you for coming on the Principled Podcast. Eric Morehead: Thanks, Jen. It's good to be here. Jen Uner: So hot off the press is this new publication from the US Sentencing Commission. Tell us about what it is, why it matters, and especially to owners of compliance programs at their organizations. Eric Morehead: Well, it's sort of a look back over the last 30 years. The Sentencing Guidelines for organizations were first promulgated and came into effect in 1991, so technically the 30th anniversary was last year, but the report has just come out now, and over those 30 years, there's been about 5,000 organizations that have been sentenced under the US Sentencing Guidelines. 
The Sentencing Commission and the Sentencing Guidelines have to do with federal sentencing, so either individuals or organizations who have been charged with a federal offense and find themselves in a federal district court, somewhere in the United States, and they either have pled guilty, or been found guilty by a jury, or found guilty by a judge after a bench trial, and now they're being sentenced. So when you sentence an individual, obviously, that can include a fine in restitution, but also time in a federal penitentiary. You can't jail an organization, but the Organizational Guidelines have put together over the last 30 years standards by which the judge can assess fines, restitution, and also order when necessary compliance reforms and implementation. Since you can't put the organization behind bars, you can however, put the organization on probation and require the organization to make some necessary reforms, if you will. So that's a kind of quick background of what the guidelines are for those of you who weren't sure, and why they matter to us, because the implementation of compliance standards is baked into any kind of probationary sentence or sentence that's handed down to an organization, or can be baked into, I should say. Jen Uner: And you have personal experience at the USSC. Eric Morehead: Yes, I worked at the Sentencing Commission from about 2007 to 2011, and during that period, there have been two amendments to the original guidelines that were first put out in 1991 for organizations. The first was in 2004, partly in response to Sarbanes-Oxley and the legislation that came out at that point around implementing reforms for organizations and their governance, but also there was back at the time in the early 2000s, a task force put together that the Sentencing Commission took some advice from. And so they made some amendments in 2004. 
The primary thing that happened in 2004 is that these compliance standards that are in the Sentencing Guidelines were put more front and center. They had been what are called application notes before, and they were actually promoted, if you will, to an actual textual listing in the guidelines. Just making them more prominent is really what it boiled down to. Also, putting a little further definition around the components of an effective program, training, governance and oversight, written standards, and procedures in place, reporting mechanisms, that we all know most organizations have an anonymous reporting mechanism, a hotline or helpline out there. That comes out of these standards that were first put together by the US Sentencing Commission. They were the first national standard in the United States anyway that suggested having a reporting mechanism, including with an anonymous option. Enforcement, discipline, and incentives often overlooked, but the Sentencing Guidelines have been talking about incentives for the past couple decades as well. And then in 2010 while I was there, the second amendment to the Organizational Sentencing Guidelines was undertaken, and that also strengthened that relationship between the governing authority of the organization, the board of directors, or whatever the oversight of a particular organization might be, because these guidelines affect not just public companies, but any kind of organization, so nonprofits, governmental agencies. Any kind of organizational structure is contemplated by the guidelines, and the 2010 amendments strengthened that relationship between the people actually responsible for the program and the governing authority of the organization, and also provided some incentives for organizations to come forward and to reform their programs. So those things have all happened over the years. 
Given the length of time that the Sentencing Guidelines have been in effect, now 30 years plus, to only have gone back and revisited them twice is not that significant. So they've been kind of bedrock standards that have existed and been well known. We often talk about them as the hallmarks of an effective program for this entire time, and the commission gathers data, and so the other big piece of this report that's very interesting is there's 30 years worth of data. And in fact, the majority of the report goes through in much detail about the demographic characteristics of organizations that have been sentenced over the years, how many organizations have received credit for having an effective program. Spoiler alert, not very many out of the 5,000, less than a dozen. So that's the other great thing about this report for those of us who are interested in compliance is you have a great wealth of data to see what the characteristics are, and how organizations have gotten into real serious trouble in the past. Jen Uner: So you were saying there have only been two amendments since inception? Eric Morehead: Yes. Jen Uner: That's pretty interesting, because it kind of speaks to how enduring. Eric Morehead: Yeah, they got it right, and the primary takeaway in this report in the executive summary in the beginning is that the biggest impact that the commission sees for its work is that these standards have become so universally accepted, and that's not just in the United States. That's across the world. These standards are seen to be when you're talking about effective compliance programs, they're seen to be sort of the bedrock, if you will. There are obviously other international standards out there in Europe, and Asia, and other places where government agencies and international agencies like the OECD Good Guidance that came out well over two decades ago itself. 
They all kind of trend and follow the same path, if you will, that the Sentencing Guidelines started 30 years ago. So it really has been the guiding light for not just individual organizations that want to build a better program, but also other regulators out there, whether that's the Department of Justice, or other agencies here in the United States, or international organizations that are adopting compliance standards. Jen Uner: So the most recent publication, it provides great historical context about the commission and its impact. Can you outline some of those highlights? I remember that the report is chock full of charts, data, as you were saying, which is great if you're needing to report about program effectiveness, for example. What do you think is most salient for leaders in that report? Eric Morehead: Yeah, as far as those particular pieces of data, nothing here if you've been paying attention to the sentencing guideline data over the years, and every year, I should mention that the Sentencing Commission puts out what they call the Sentencing Source Book, and that has a lot of data about not only individual's sentencing, which is the primary thing that the Sentencing Commission collects data on is the actual, real living human beings that are being sentenced year in, year out in federal courts around the nation, but it also includes data on the organizations that have been sentenced in that prior year. So if you've been paying attention over the years and looking at these source books, you will have noted that pretty much year in, year out, the vast majority of organizations that are sentenced, 70% of them have less than 50 employees, and 12.1% have 99 to 400 employees. And just a very small percentage, 8%, have more than 500 employees. 
So the vast majority of organizations that get sentenced are very small, but if you think about it, that makes logical sense, because smaller organizations tend to have less governance structure, probably have less resources, probably don't have a compliance program, and that's certainly the finding that courts when they review these cases 89.6% of the time, so almost 90% of the time organizations have been found not to have a program in place, or what was in place was not significant enough to be considered a compliance program. So those two figures seem to correlate well, right? The organizations that face the most serious repercussions are small and also don't have a program, so probably hadn't even contemplated having a program before misconduct occurred. The other real striking piece of information that comes out of this report and is also something that's been consistent through the years is the number of actual living human beings that are being sentenced along with the organizations in these cases. When we look at these cases, often we're talking about the demographics of the company, how many employees they have, what sort of crimes they have been found guilty of, how big the fines are, et cetera, but sometimes what gets lost in that discussion is the fact that if there's misconduct that's occurred, very often, there are individuals who are charged right along with the company for violations of the law. And in fact, over time, 53% of these cases include at least one other individual, and sometimes multiple individuals, who've also been charged with crime. The other really striking piece of data out of this that I think a lot of people don't realize is the vast majority of individuals who are charged are not considered "high level", so these are folks that have some authority to engage in whatever behavior underlies the conduct that led to a criminal offense. 
So they probably are not at the very lowest level of the organization most of the time, but they are not necessarily in the C-suite. Only 25.7% of the individuals charged with an offense along with an organization were considered high level. So almost three quarters of those individuals who find themselves facing criminal sanction, potentially going off to the federal penitentiary are folks that are not considered high level in their organization, and I think that is perhaps counterintuitive, because we oftentimes hear the headlines of executives and other senior folks in organizations getting in trouble and facing criminal sanction, but the reality is the opposite of that. Jen Uner: That's kind of scary, I got to say. I mean, it makes me as an individual in the company really want to pay attention to my compliance training. Eric Morehead: Certainly. Anytime an organization... And granted these cases are not as numerous as situations where organizations may have an investigation and might settle with either the Department of Justice or an agency, like have a civil settlement, something short of a criminal conviction, and there are a lot of situations where organizations might receive a subpoena or have some sort of investigation that occurs, that just ends without any kind of charges or settlements being attained. So there's a lot of data that we don't have, right? Where things may not go perfectly, but don't go quite as bad as ending up with a criminal conviction, but it is scary to consider that there are individuals that are being charged right along with these organizations for this misconduct. Jen Uner: It's really interesting, because so often inside organizations, you've got pressure on one side to perform or deliver in a certain way, and then you can find maybe shortcuts. I mean, I don't know how else to describe it, but a quicker way to get there that maybe is potentially outside the law. 
So it's true that there are real repercussions for taking those shortcuts, and also for not speaking up, if you see something. Eric Morehead: Yeah, and the real repercussions here for organizations, again, you can't jail a company. You can only fine them. You can order restitution. A federal judge can order them to implement compliance reforms, put together a program if they don't have a program. Those are all things they can do, but the other thing to consider here too is if you take a federal felony conviction, and you are an organization that does any amount of work with the federal government, you can be debarred from future federal contracting, so that can very often... Taking a federal conviction beyond the fines and the costs associated with having to defend the organization against those charges, if it actually ends up with a conviction, and your organization relies heavily or primarily on government contracting, that's the end of the organization. I mean that's the death penalty. The best example of that that we all can probably remember is Arthur Andersen. When they took the federal conviction in Houston for conduct involving Enron, that was the end of Arthur Andersen. They could no longer audit public companies, and they were debarred from government contracting, obviously, after that point too, and that was just the death sentence. Oftentimes when we're looking at these cases, when we look at the data, those are organizations that just had no options, because if there were any options before that to settle the case, to make reforms, to have some sort of civil settlement, those on-ramps just weren't available to them. Jen Uner: I do remember that whole upheaval. My father was in accounting at I think Ernst & Young at the time. I can't even remember, but I do remember that massive upheaval for Arthur Andersen, and how they had to completely pivot the entire business. Eric Morehead: Yeah. 
The consequences reputational and lost opportunity, real bottom line business costs involved in having misconduct, even if it doesn't rise to the level where we're talking about Sentencing Guidelines or having to implement Sentencing Guidelines for the organization, just an investigation can really derail an organization in a significant way. Jen Uner: I'm going to ask kind of an uninformed question now. It's because I'm not a lawyer. This is going to be maybe really obvious for others, but in case you're like me, can you describe what the Sentencing Commission's relationship is with the DOJ and the SEC, and how do these organizations sort of interrelate? We so often hear about DOJ guidance, for example. How is that different from Sentencing Commission? Eric Morehead: Over the years, we've seen more and more guidance both here in the United States and abroad from prosecuting entities like the DOJ, but also other regulatory agencies like SEC, and many of these regulatory organizations have compliance standards they put together. As far as I'm aware, they're pretty universally based on the same basic standards that we talk about in the Sentencing Guidelines. The DOJ guidance, and primarily we're talking about the memoranda that the criminal division has put out periodically since I think 2017 with the most recent iteration being the 2020 summer one, I believe, that guidance is based and explicitly cites the Sentencing Guidelines as its fundamental basis. Now, obviously there's a lot more detail and specificity within the DOJ guidance. The difference between guidance from the Department of Justice, other guidance that you might see in other agencies, but particularly the memoranda that we're talking about from the DOJ, is that can be withdrawn at any time, and as we've seen over the past few years, it can be amended at any time. It's only a few years old, and it's been amended twice. 
The DOJ, if there's a change of administration or a change within the hierarchy of the criminal division, those new officials that come in may want to make a change. The former deputy attorney general in the prior administration had talked about doing away with memoranda from the department altogether and codifying everything in as much as you can codify it in the US Attorney's Manual. So there are various things that could potentially happen at any time. Because the US Sentencing Commission is a rule making organization, there's a whole process that the commission has to go through before there are changes made to the Sentencing Guidelines. That's one of the reasons why there have been very few amendments to the Organizational Sentencing Guidelines over the years is because there's a whole process involved. The commission first has to publicly publish its intention to make any changes. It'll often, if there are proposals to make changes, it will seek public comment, often have a public hearing, and then it votes. And once a commission votes, if a new amendment is promulgated, then it's sent to Congress to both the House and the Senate, and they have a period of time to either make changes or not allow those guideline amendments to come into effect, but if they don't do anything, they automatically come into effect and basically have the force of law as the Sentencing Guidelines. Now, granted the Sentencing Guidelines don't officially apply to your organization except when you're in front of a federal judge being sentenced, right? So if there's no sentence, there's no criminal offense where the sentence is being determined, the guidelines don't have any official capacity, but we've all taken them as the standards by which we measure the effectiveness of a program. So I guess what I'm saying here is I think any guidance is helpful guidance. 
Certainly the DOJ guidance has been very helpful and added more detail into what regulators are looking for when they peer into an organization, but just the sort of bread and butter basic pieces of a compliance program are always going to reflect back to those seven hallmarks of an effective program within the Sentencing Guidelines, because they're pretty immutable. Jen Uner: So if you're building an E&C program, what are the steps that organizations should be taking to lower their risk? Can you go into a little bit more detail on that? How do you unearth all the rules that apply, and how can you effectively transmit them to the people in your organization? Eric Morehead: Yeah. Whether you're using the Sentencing Guidelines, looking at the guidance from the Department of Justice, or guidance from international organizations like the OECD or others, I feel like, and this is backed up by the specific guidance that the department has given over the past few years of what they look for, every organization is unique. It's its own unique snowflake, right? And so you're going to have your own unique risk profile, and you're going to have to develop your own unique compliance program to be an effective control for those risks. So you evaluate all of these standards, but you put together a program, and you put together standards that really address what your program needs. One of the key provisions of the Sentencing Guidelines, by the way, is what I would call the not one size fits all provision. The guidelines from the very beginning stages of when they were developed had this notion that not every program is going to look the same, not every program is going to be as extensive as other programs. 
Smaller organizations that are purely domestic here in the United States, for example, and maybe are smaller probably don't have the same exposure to anti-corruption concerns, for example, foreign bribery anti-corruption concerns that international organizations might have for just as an example. So really the best advice is to make sure that your program meets your needs, and so the first step along that process is evaluating and figuring out what your needs are. What are compliance risks that your organization faces, and how are you addressing those risks, and do you need to reform those controls, put more resources behind training or monitoring and auditing, or whatever it might be to address those particular risks? So it's really an investigation of what you face as an organization, what are the risks you face, looking at all these standards, reading the guidance from the department, reading specific guidance that might apply to your organizations, for example, if there are particular compliance requirements. If you're a government contractor, you have to have a written code of conduct. You have to post certain reporting materials if you're a government contractor. So there are some particularized compliance requirements, depending on who you are, and how your business is operating, and you have to be aware of all those standards, but you develop a program that fits your organization, that is very specific and customized to the risks you face, the resources you have to use, because not everybody has the same resources. So you have to make some tough calls sometimes as a compliance officer or the person responsible for compliance at an organization, because you may not be able to do all the things you really want to do, but you have to figure out and prioritize the things you need to do. Jen Uner: Which makes me think about corporate culture, right? 
Because every company's culture is also unique and completely attuned to its own size and position of the marketplace, and where it trades, and who it does business with, and all of those pieces. Eric Morehead: Yeah, the ethics side of compliance and ethics is the determining factor very often, right? The culture of the organization really tells the tale as to how effective or ineffective ultimately you're going to be. You may need more controls. You may have some potential risks that need to be addressed. Even if you have a super strong culture, you can't just get by on culture alone, because organizations are made up of a lot of individuals, and some of those individuals may have bad intent, but it's hard to imagine how you could properly resource an organization that had a poisonous culture, right? If you don't have values, if you don't have an effective ethical framework that everybody is primarily operating under, you can pour money onto systems, controls, tools, and it may not make any difference whatsoever. You can have a compliance budget that is the top budget out there, but if the culture is ruined or ruinous, then it's going to be really hard to have an effective program. Jen Uner: Yeah. I think they famously have said, "Culture eats strategy for breakfast." Eric Morehead: Yeah, and that's really true. I've seen different ends of the spectrum, right? I've seen organizations where the culture was hard to know how you would start to climb back up that hill and reform the culture, and how you would be able to have an effective program without having a positive, ethical culture, but I've also seen the other end too, which is less frequent, but also potentially problematic, where organizations... 
And sometimes I see this, for example, a good example of this would be a nonprofit where mission is really important, and everybody has a very ethical outlook, and they wouldn't be working at a nonprofit and particularly in difficult circumstances unless they really were all about the mission and had a very positive, ethical attitude, but they don't have a lot of structure. They don't have a lot of resources. And so there's always the potential that there could be failures and misconduct, because for instance, they might be a good target for an outside data privacy issue, right? Because they don't have strong data security systems. Jen Uner: I was just going to say data privacy. Eric Morehead: So you can be at both ends of the spectrum as far as that culture piece goes, and still have some serious compliance risks. Jen Uner: So there's definitely always a need for E&C training for sure. Eric Morehead: Yeah, training in Sentencing Guidelines, and the guidance from the Department of Justice, both are really clear about we are not interested in one size fits all. We are not interested in how big your budget is. We just want to make sure your budget is right, that the governing authority and the organization has addressed this properly and is serious about compliance, but if you're a smaller organization or an organization where the risks are being properly addressed without spending a lot of money, that can be perfectly fine. Again, depends on the individual organization, and what is their risk profile, how are they addressing those risks, and are they meeting the other big picture criteria of having some standards that everybody knows about, training where appropriate, having proper governance and oversight, and monitoring and auditing, having a reporting process, where people can ask questions and report concerns, properly enforcing the rules, and disciplining people, and having incentives. And that's the one that often gets missed. 
That's been in the Sentencing Guidelines for years now, and is mentioned in the guidance. How do you incentivize proper behavior at your organization? That's really important too. Jen Uner: There is so much that goes into building an effective E&C program. I'm sure we could be talking about this all day, but we are running out of time. I am so glad you could join me today to talk about this report and why it matters to every organization. I know we'll be including a link to that report in our show notes at LRN.com. My name is Jen Uner. I want to thank you, Eric, for joining me today. Eric Morehead: Thanks, Jen. It was my pleasure to be here. Jen Uner: And I want to thank everyone for listening to the Principled Podcast by LRN. Outro: We hope you enjoyed this episode. The Principled Podcast is brought to you by LRN. At LRN, our mission is to inspire principled performance in global organizations by helping them foster winning ethical cultures rooted in sustainable values. Please visit us at LRN.com to learn more, and if you enjoyed this episode, subscribe to our podcast on Apple Podcasts, Stitcher, Google Podcasts, or wherever you listen, and don't forget to leave us a review.
Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. In 2021, Everything Compliance was honored by W3 as a top talk show in podcasting. In this episode, we have the quartet of Jonathan Marks, Jonathan Armstrong, Jay Rosen and Matt Kelly on a variety of topics. We conclude with our fan Shout Outs and Rants section. 1. Jay Rosen looks at a recent report about the number and quality of SEC whistleblower awards. Rosen shouts out to scientists who are trying to create Oxygen from CO2 so that life can exist on Mars. 2. Matt Kelly discusses the Mudge whistleblower allegations regarding Twitter. Kelly shouts out to NASA engineers who scrubbed the space shuttle launch due to safety concerns. 3. Jonathan Marks considers the role of internal audit in M&A work specifically and how the Board should utilize internal audit more generally. Marks shouts out the 30th anniversary of the US Sentencing Guidelines. 4. Tom Fox shouts out the American League leading Houston Astros. 5. Jonathan Armstrong looks at the newly released Lloyd's regulations around denial of coverage for cyber-attacks made by foreign governments and state actors. He shouts out to the British television show “Have I Got News” for skewering Boris Johnson with his own words. The members of the Everything Compliance are: • Jay Rosen – Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com • Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu • Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com • Jonathan Armstrong – is our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at jonathan.armstrong@corderycompliance.com • Jonathan Marks is Partner, Firm Practice Leader - Global Forensic, Compliance & Integrity Services at Baker Tilly. Marks can be reached at jonathan.marks@bakertilly.com The host and producer, ranter (and sometime panelist) of Everything Compliance is Tom Fox the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.
Welcome to the Shout Outs and Rants from the Everything Compliance gang. In this episode, we have the quintet of Jonathan Marks, Jay Rosen, Tom Fox, Jonathan Armstrong and Matt Kelly on a variety of shout outs. 1. Jay Rosen shouts out to the firm Moxie who are trying to create Oxygen from CO2 so that life can exist on Mars. 2. Matt Kelly shouts out to NASA engineers who scrubbed the space shuttle launch due to safety concerns. 3. Jonathan Marks shouts out the 30th anniversary of the US Sentencing Guidelines. 4. Tom Fox shouts out the American League leading Houston Astros. 5. Jonathan shouts out to the British television show “Have I Got News” for skewering Boris Johnson with his own words. The members of the Everything Compliance are: • Jay Rosen – Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com • Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu • Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com • Jonathan Armstrong – is our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at jonathan.armstrong@corderycompliance.com • Jonathan Marks is Partner, Firm Practice Leader - Global Forensic, Compliance & Integrity Services at Baker Tilly. Marks can be reached at jonathan.marks@bakertilly.com The host and producer of Everything Compliance is Tom Fox the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.
Post By: Adam Turteltaub Cataloguing everything your compliance program does isn't easy, but Susan Roberts (LinkedIn), who recently retired from full-time corporate life after serving as Chief Compliance Officer at three different companies, did just that. And in this podcast she advocates for doing the same for your compliance program. She made it a habit to create what she and her team referred to as, simply, “the book.” It is designed to be a comprehensive resource should the government (or even management) want to know whether the company has an effective compliance and ethics program. To make your book both useful and complete, she advocates breaking the book into several sections including: An introduction Background Executive Summary Relevant expectations for compliance programs from government, industry groups and elsewhere (US Sentencing Guidelines, DOJ Fraud Section compliance program guidance, FCPA Resource Guide, and so on) A description of the compliance program including sections on: Program oversight Tone at the top Risk assessment Monitoring and auditing Standards, policies and procedures Training, communication and awareness Confidential reporting systems Investigations Corrective actions Discipline and incentives Employee and other screening Third-party management Continuous improvement In sum, it should provide a full and rich picture of the compliance program including screen shots of training, the code of conduct and helpline posters. Having all that data in one place has paid off twice in very significant ways for Susan and the companies she worked for. In one case it helped convince the Department of Justice that a monitor would not be needed after trouble was discovered at a recently acquired business unit. The book helped demonstrate that the company was already doing everything listed in the Corporate Integrity Agreement. 
In another case, it helped an acquiring company have faith that there truly was an effective compliance program already in place. The book can also provide insight into where the program needs to improve, acting as something of a self-assessment tool. If you have much less to say in one section, it may be a sign of a program gap. Listen in to learn more about creating a book of your own, including how often to update it.
James Doty, former Commissioner of the Public Company Accounting Oversight Board (PCAOB), was once asked if the Board or its sub-committee which handles audits was a part of a company’s internal financial controls. He answered that yes, he believed that was one of the roles of an Audit Committee or full Board. I had never thought of the Board as an internal control but the more I thought about it, the more I realized it was an important insight for any Chief Compliance Officer or compliance practitioner as it also applies as a compliance internal control. In the FCPA Resource Guide, 2nd edition, in the Hallmarks of an Effective Compliance Program, there are two specific references to the obligations of a Board. The first is in Hallmark No. 1, which states, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3, entitled “Oversight, Autonomy and Resources”, where it discusses that the CCO should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The Department of Justice’s (DOJ) Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment? Doty’s remarks drove home to me the absolute requirement for Board participation in any best practices or even effective anti-corruption compliance program. If a Board’s oversight is part of effective compliance controls, then the failure to exercise it may result in something far worse than bad governance. 
Such inattention could directly lead to an FCPA violation and could even form the basis of an independent SOX violation as to the Board. Three Key Takeaways A Board must engage in active oversight. A Board should review the design of internal controls on a regular basis. Failure to do so could form the basis for an independent legal violation under SOX.
The cornerstone of any best practices compliance program is written protocols. This includes a Code of Conduct, policies and procedures. These elements have long been memorialized in the US Sentencing Guidelines; the Department of Justice’s (DOJ’s) Opinion Releases regarding compliance programs, the 2012 FCPA Guidance, both DOJ and Securities and Exchange Commission (SEC) enforcement actions, the 2019 Guidance and FCPA Corporate Enforcement Policy. There are three levels of standards and controls: Code of Conduct, standards and policies, and procedures. Every company should have a Code of Conduct that expresses its ethical principles. But a Code of Conduct is not enough. The Code of Conduct is implemented through your compliance policies. It is further operationalized through your compliance procedures. The DOJ spoke to their importance in the 2019 Guidance when it stated, “As a threshold matter, prosecutors should examine whether the company has a code of conduct that sets forth, among other things, the company’s commitment to full compliance with relevant Federal laws that is accessible and applicable to all company employees.” As a corollary, prosecutors should also assess whether the company has established policies and procedures that incorporate the culture of compliance into its day-to-day operations. At the end of the 31 Days you will have a very detailed grounding on better written standards for your compliance program. You will be able to utilize the information presented to implement a more effective compliance program for your organization. Three key takeaways: The cornerstone of any best practices compliance program is its written protocols. Written standards work to prevent, detect and remediate. What are the specific written protocols you should have in your compliance program?
Jonathan and Lex discuss the new United States Sentencing Guidelines amendments taking effect on November 1, 2018.
In the Department of Justice’s Evaluation of Corporate Compliance Programs, Prong 8 Incentive and Disciplinary Measures it states: Incentive System – Consistent Application – Have the disciplinary actions and incentives been fairly and consistently applied across the organization? In the FCPA Corporate Enforcement Policy it states, “Appropriate discipline of employees, including those identified by the company as responsible for the misconduct, either through direct participation or failure in oversight, as well as those with supervisory authority over the area in which the criminal conduct occurred”. Under Hallmark Six of the Ten Hallmarks of an Effective Compliance Program it states: In addition to evaluating the design and implementation of a compliance program throughout an organization, enforcement of that program is fundamental to its effectiveness. A compliance program should apply from the board room to the supply room—no one should be beyond its reach. DOJ and SEC will thus consider whether, when enforcing a compliance program, a company has appropriate and clear disciplinary procedures, whether those procedures are applied reliably and promptly, and whether they are commensurate with the violation. Many companies have found that publicizing disciplinary actions internally, where appropriate under local law, can have an important deterrent effect, demonstrating that unethical and unlawful actions have swift and sure consequences. However, I believe that the 2012 FCPA Guidance’s best practices are more active than the ‘stick’ of employee discipline to make a compliance program effective and I believe that it also requires a ‘carrot’. 
This requirement is codified in the US Sentencing Guidelines with the following language, “The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.” One of the areas in which Human Resources can operationalize your compliance program is to ensure that discipline is handed out fairly across an organization and to those employees who integrate such ethical and compliant behavior into their individual work practices going forward. This is more than financial incentives for ethical behavior but institutional objectivity for your employees. Institutional objectivity comes from procedural fairness. This is one of the things that will bring credibility to your compliance program. Today it is called the Fair Process Doctrine and this Doctrine generally recognizes that there are fair procedures, not arbitrary ones, in processes involving rights. Considerable research has shown that people are more willing to accept negative, unfavorable, and non-preferred outcomes when they are arrived at by processes and procedures that are perceived as fair. Adhering to the Fair Process Doctrine in two areas of your Compliance Program is critical for you, as a compliance specialist or for your Compliance Department, to have credibility with the rest of the workforce. Finally, it is yet another way to more fully operationalize your compliance program. Administration of Discipline One area where the Fair Process Doctrine is paramount is in the administration of discipline after any compliance related incident. Discipline must not only be administered fairly but it must be administered uniformly across the company for the violation of any compliance policy. 
Simply put, if you are going to fire employees in South America for lying on their expense reports, you have to fire them in North America for the same offense. It cannot matter that the North American employee is a friend of yours or worse yet a ‘high producer’. Failure to administer discipline uniformly will destroy any vestige of credibility that you may have developed. Similarly and as was re-emphasized in the FCPA Corporate Enforcement Policy, there must be real consequences for employees who violate your compliance program. If the regulators come knocking and you have not disciplined any company employees for Code of Conduct or compliance program violations in multiple years, the DOJ and SEC will conclude pretty quickly you are not serious about compliance. Fair process means that you must discipline those who engage in compliance violations no matter what their position is with the organization. Employee Promotions In addition to the area of discipline which may be administered after the completion of any compliance investigation, you must also place compliance firmly as a part of ongoing employee evaluations and promotions. If your company is seen to advance and only reward employees who achieve their numbers by whatever means necessary, other employees will certainly take note and it will be understood what management evaluates, and rewards, employees upon. I have often heard the (anecdotal) tale about some Far East Region Manager which goes along the following lines “If I violated the Code of Conduct I may or may not get caught. If I get caught I may or may not be disciplined. If I miss my numbers for two quarters, I will be fired”. If this is what other employees believe about how they are evaluated and the basis for promotion, you have lost the compliance battle. Internal Investigations The third area in which the Fair Process Doctrine is critical is internal company investigations. 
If your employees do not believe that the investigation is fair and impartial, then it is not fair and impartial. Further, those involved must have confidence that any internal investigation is treated seriously and objectively. One of the key reasons that employees will go outside of a company’s internal hotline process is because they do not believe that the investigation process will be fair. This fairness has several components. One would be the use of outside counsel, rather than in-house counsel to handle the investigation. Moreover, if the company uses a regular firm, it may be that other outside counsel should be brought in, particularly if regular outside counsel has created or implemented key components which are being investigated. Further, if the company’s regular outside counsel has a large amount of business with the company, then that law firm may have a very vested interest in maintaining the status quo. Lastly, the investigation may require a level of specialization which in-house or regular outside counsel does not possess. An often-overlooked role of any CCO or compliance professional is to help provide employees procedural fairness. If your compliance function is seen to be fair in the way it treats employees, in areas as varied as financial incentives, promotions and uniform discipline meted out across the globe, employees are more likely to inform the compliance department when something goes awry. If employees believe they will be treated fairly, it will go a long way to more fully operationalizing your compliance program. Three Key Takeaways The DOJ and SEC have long called for consistent application in both incentives and discipline. The Fair Process Doctrine ensures employees will accept results they may not like. Inconsistent application of discipline will destroy your compliance program credibility. This month’s podcast sponsor is Convercent. 
Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.
On November 26, 2017, the Justice Department announced adoption of its new FCPA Corporate Enforcement Policy. Deputy Attorney General Rod Rosenstein announced the new policy at an FCPA Conference in Washington, D.C. Under the new policy, corporations that voluntarily disclose potential FCPA violations, fully cooperate with the investigation and implement timely and appropriate remediation will earn a presumptive declination, subject to the absence of aggravating factors. If the company does not earn the declination, presumably because of the presence of one or more aggravating factors, the company can still earn a 50 percent reduction from the lower end of the US Sentencing Guidelines range and will probably avoid the imposition of a corporate monitor. In this episode Michael Volkov reviews the new enforcement policy and provides his insight on the impact of the Justice Department's new program.
Is a Board of Directors a compliance internal control? I think the clear answer is yes. In the FCPA Guidance, in the Ten Hallmarks of an Effective Compliance Program, there are two specific references to the obligations of a Board in a best practices compliance program. The first in Hallmark No. 1 states, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3, entitled “Oversight, Autonomy and Resources”, which says the Chief Compliance Officer (CCO) should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The DOJ Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment? The DOJ’s remarks drove home to me the absolute requirement for Board participation in any best practices or even effective anti-corruption compliance program. I believe that a Board must not only have a corporate compliance program in place but also actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions. But it is more than simply having a compliance program in place. The Board must exercise appropriate oversight of the compliance program and indeed the compliance function. The Board needs to ask the hard questions and be fully informed of the company’s overall compliance strategy going forward. 
Lawyers often speak to and advise Boards on their legal obligations and duties. If a Board’s oversight is part of effective financial controls under Sarbanes Oxley (SOX), that also includes effective compliance controls. Failure to do either may result in something far worse than bad governance. It may directly lead to an FCPA violation and could even form the basis of an independent FCPA violation. A company must not only have a corporate compliance program in place; it must also actively oversee that function. A failure to perform these functions may lead to independent liability of a Board for its failure to perform its allotted tasks in an effective compliance program. Internal controls work together with compliance policies and procedures as an interrelated set of compliance control mechanisms. There are five general compliance internal controls for a Board or Board subcommittee role for compliance: Corporate Compliance Policy and Code of Conduct - A Board should have an overall governance document which will inform the company, its employees, stakeholders and third parties of the conduct the company expects from an employee. If the company is global/multi-national, this document should be translated into the relevant languages as appropriate. Risk Assessment - A Board should assess the compliance risks associated with its business. Implementing Procedures - A Board should determine if the company has a written set of procedures in place that instructs employees on the details of how to comply with the company’s compliance policy. Training - There are two levels of Board training. The first should be that the Board has a general understanding of what the FCPA is and it should also understand its role in an effective compliance program. Monitor Compliance - A Board should independently test, assess and audit to determine if its compliance policies and procedures are a ‘living and breathing program’ and not just a paper tiger. 
There have been recent FCPA enforcement actions where the DOJ and SEC discussed the failure of internal controls as a basis for FCPA liability. With the questions about the Wal-Mart Board of Directors and their failure to act in the face of allegations of bribery and corruption in the company’s Mexico subsidiary, or, by contrast, their failure even to be aware of the allegations, there may soon be an independent basis for an FCPA violation for a Board’s failure to perform its internal controls function in a best practices compliance program. Three Key Takeaways GTE compliance internal controls are low hanging fruit, pick them. Compliance internal controls can be both detect and prevent controls. Good compliance internal controls are good for business. For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.
Today I want to consider some factors which can lead to employees’ distrust of an internal reporting system. Ryan Hubbs wrote an excellent article entitled “10 Factors Leading to Reporting Mechanism Distrust”. The guidance and mandates for companies on reporting mechanism reporting are numerous, overlapping and sometimes very broad. There are the US Sentencing Guidelines; regulations under Sarbanes-Oxley (SOX), the Dodd-Frank Act and the 2012 FCPA Guidance. There are international guidelines from the EU, US and London based stock exchanges and even the United Nations deems reporting mechanism reporting a necessary good business practice. Dodd-Frank attempted to strengthen accountability by specifically providing protections for those who come forward as whistle blowers but also allows regulators to respond to misconduct through finding some legal action. While the goal of whistleblowers and reporting mechanisms might be to identify and correct wrongdoing, they do not guarantee success and they do not even guarantee effective and trusting programs. Trust is a primary factor as to whether an employee will come forward with a concern. Management might try a quick-fix reaction to a messy investigation with more reporting mechanisms, posters or asking a CEO to use compliance training to generally get the word out. Nevertheless, employees view it as a trust issue, and you must have that trust. If an employee chooses not to report and an outside source later discovers misconduct, the organization will certainly be subject to potential financial losses and reputational damage that could have been avoided. If the employee does report, but the culture of trust is lacking or they faced retaliation, up to and including termination, then you have a disgruntled employee who is most likely going to go to the Securities and Exchange Commission. What are Hubbs’ 10 factors leading to distrust of internal reporting mechanisms? 
Number one is that employees do not understand the reporting mechanism system. Some of the questions include, “Who answers the reporting mechanism number? Will they know that I filed a reporting mechanism complaint if I do so anonymously? Will they tell my boss that I've reported a concern? Where does my complaint go and who reviews it?” Employee doubt and uncertainty can impede an employee's decision to report a concern. Transparency also aids trust and makes an employee more likely to come forward. Number two is inadequate reporting mechanism resources and poor reporting program design. Companies can demonstrate their commitment to a reporting mechanism by spending money on well-designed reporting mechanism programs and professionally trained, efficient responders and investigators, fully integrated case management systems and all necessary supporting tools. Anything less will engender employee mistrust. Number three is the lack of personalization of employee concerns. Utilizing an internal reporting mechanism can be a very personal experience for an employee, as the whistleblower might be a victim or could well have witnessed significant wrongdoing. He or she may view using the reporting mechanism as simply taking a personal chance by coming forward and doing the right thing. This means that if an employee only hears a recorded message or an automated response, they may view the entire program as machine-like and indifferent. Qualified and experienced compliance or investigative professionals, following a predesigned investigative protocol, should immediately follow up on reported concerns. Moreover, concerned employees need support and reassurance that they have done the right thing, that the organization will address their concerns and that they will be protected from retaliation. There should also be a strong written statement against retaliation. 
Number four is the improper handling of whistleblower complaints and lack of training of investigators. The mishandling of complaints and poor training around reporting mechanism calls and investigations can cause reporting errors in which the company conducts an inadequate investigation and/or comes to the wrong conclusion. As noted above, an investigative protocol should be coupled with skilled investigators early in the reporting process. Employees who experience mishandled complaints will almost certainly communicate their dissatisfaction to colleagues, and that can certainly destroy reporting mechanism morale.
Number five is the always dicey question of whether management is involved in the reporting mechanism. Problems arise if local management gets involved early when they may be the problem, or complicit in allowing concerns to go forward or unaddressed. Local HR professionals might also appear to employees to be closely aligned with management; they also might be inadequately trained and show bias or favoritism. To ensure transparency and objectivity, it is often effective to use a third-party administrator for your reporting mechanism. At the point when a concern becomes part of an investigation, the organization can involve management, including internal audit, compliance, legal and HR, depending on the type of complaint.
Number six is too many reporting mechanisms. Your corporate reporting mechanism should be the primary entry point for all concerns regardless of who reports or how companies identify them. Unfortunately, companies also have avenues such as emails, web portals, writing and, of course, in person. These can leave companies struggling to determine who owns the proactive and reactive assessments of reporting and responses.
Many companies offer reporting mechanisms just beyond the centralized reporting mechanism, but you should have a professionalized, centralized, clearly articulated program that helps streamline reporting, increase communication and awareness, and decrease confusion to help build trust.
Number seven is that there is too much emphasis placed on reports which must be based solely on “credible complaints. Employees who file fictitious or malicious complaints against companies and colleagues defend pending terminations or to get others into trouble or retaliate for some perceived personal slight.” While some companies attempt to reduce meritless complaints by communicating that employees should only report credible or good-faith complaints, others might go a step further by saying employees could be subject to disciplinary action for filing complaints that are not found to be credible. However, these tactics may well deter employees from reporting any concerns.
Number eight is the twin obstacles of negative incidents and retaliation. If I have had one key theme throughout this series on reporting, and indeed, throughout this month of investigations, it is an absolute prohibition against retaliation. Companies must prevent retaliation. When an employee is mistreated for following the organization's reporting policy, the reporting mechanism can sustain severe damage to its credibility and viability as a safe and secure mechanism. The damage from mismanagement and reprisals, memorialized on the internet and in court records or public documents, can create a devastating, silent do-not-report culture. Companies must communicate that they have zero tolerance for retaliation and deal with any retaliation swiftly and publicly.
Number nine is the problem of inconsistent outcomes. Companies must demonstrate that consistent and fair outcomes are routine, regardless of people, relationships or scenarios.
Employees will learn through the grapevine if the organization delivers fair, consistent discipline, regardless of how confidentially an organization hides such outcomes. Of course, if employees view outcomes as fair, they will be more compelled to report concerns. Employees know that inconsistency equals personal risk.
Finally, number 10 is the time-worn adage that actions speak louder than words. Employees critique, judge and evaluate what an organization says about its reporting mechanism program by what it does, rather than what it says. Does it follow policies and procedures as assigned? Does it really have a zero-tolerance policy on retaliation? Are outcomes consistent, fair and appropriate? Does it truly allow employees to report concerns anonymously?
Three Key Takeaways
What are today's three key takeaways? Well, number one, you must not retaliate. That is probably the biggest destroyer of credibility and trust in a reporting mechanism. There must be ongoing communications and there must be follow-up with the employees who made the anonymous reports. Celebrate your reporting mechanism. Let employees know that it is acceptable to raise your hand because that is all you are doing at the end of the day, raising your hand. It is incredibly important and it is something that will make your reporting mechanism work much better.
In this episode, I visit with Roy Snell about his recent announcement that he is stepping down as head of the SCCE. We review the current state of the SCCE and how Roy has seen compliance evolve from its start after the 1992 US Sentencing Guidelines. We discuss where Roy sees compliance going in the next several years and where the SCCE may go to support the profession. This announcement comes when the SCCE has grown to 50 staff members and has one of the strongest boards in the professional association world. The SCCE has a strong footprint in the US and is a material player internationally with 17,500 members in 95 countries. It has a great reputation and its success to date has been quite remarkable. The call for applications will close on August 20th, 2017. A detailed job description and position summary are available at http://www.corporatecompliance.org/CEO. SCCE plans to complete the interview and selection process in the Fall of 2017 and onboard a Deputy CEO in early 2018. The Deputy CEO will likely assume the role of the CEO sometime in 2019. Roy will stay on with the organization for roughly one year to work on special projects. To be considered for the CEO of SCCE and HCCA, please fill out the questionnaire with return instructions available at: http://www.corporatecompliance.org/CEO.
Day 14-Miranda and Internal Investigations: What Rights Does an
Must an investigator warn an employee that concealing information from company lawyers conducting an internal FCPA investigation could be a federal crime? Even if the company attorneys handling the investigation provided the now standard corporate attorney Upjohn warnings, does a company attorney asking questions morph into a de facto federal agent during an internal company investigation regarding alleged FCPA violations and is the attorney thereby required to provide a Miranda warning to employees during an FCPA investigation? In a recently released paper entitled “Navigating Potential Pitfalls in Conducting Internal Investigations: Upjohn Warnings, “Corporate Miranda,” and Beyond”[1] Craig Margolis and Lindsey Vaala, of the law firm Vinson & Elkins, explored the pitfalls faced by counsel, both in-house and outside investigative, and corporations when an employee admits to wrongdoing during an internal investigation, where such conduct is reported to the US Government and the employee is thereafter prosecuted criminally under a law such as the FCPA. Margolis and Vaala also reviewed the case law regarding the Upjohn warnings which should be given to employees during an internal FCPA investigation. Employees who are subject to being interviewed or otherwise required to cooperate in an internal investigation may find themselves on the sharp horns of a dilemma requiring either (1) cooperating with the internal investigation or (2) losing their jobs for failure to cooperate by providing documents, testimony or other evidence. Many US businesses mandate full employee cooperation with internal investigations or those handled by outside counsel on behalf of a corporation.
These requirements can exert a coercive force, “often inducing employees to act contrary to their personal legal interests in favor of candidly disclosing wrongdoing to corporate counsel.” Moreover, such a corporate policy may permit a company to claim to the US government a spirit of cooperation in the hopes of avoiding prosecution in addition to increasing the chances of earning meaningful credit under the US Sentencing Guidelines or the FCPA Pilot Program. Where the US Government compels such testimony, through the mechanism of inducing a corporation to coerce its employees into cooperating with an internal investigation, by threatening job loss or other economic penalty, the in-house counsel’s actions may raise Fifth Amendment due process and voluntariness concerns because the underlying compulsion was brought on by a state actor, namely the US Government. Margolis and Vaala note that by utilizing corporate counsel and pressuring corporations to cooperate, the US Government is sometimes able to achieve indirectly what it would not be able to achieve on its own – inducing employees to waive their Fifth Amendment right against self-incrimination and minimizing the effectiveness of defense counsel’s assistance. So what are the pitfalls if private counsel compels such testimony and it is used against an employee in a criminal proceeding under the FCPA? Margolis and Vaala point out that the investigative counsel, whether corporate or outside counsel, could face state bar disciplinary proceedings. A corporation could face disqualification of its counsel and the disqualified counsel’s investigative results. For all of these reasons, we feel that the FCPA Blog summed it up best when it noted, “the moment a company launches an internal investigation, its key employees -- whether they're scheduled for an interview or not -- should be warned about the "federal" consequences of destroying or hiding evidence.
With up to 20 years in jail at stake, that seems like a small thing to do for the people in the company.” Let’s keep on skipping down the lane and see where we go. What if the company gets its investigation wrong and wrongfully identifies an employee? At least in a few states, a wronged employee can sue for defamation. Yet not in Texas and a recent Texas civil case demonstrates why companies and internal investigators need to be aware of local laws, regulations and requirements. The Texas Supreme Court in Shell Oil Co. v. Writt, held that an internal investigation report Shell provided to the U.S. Department of Justice about potential FCPA violations is “absolutely privileged” in a defamation proceeding and cannot be used to form the basis of a defamation claim. Writt had alleged that Shell defamed his character when the company "voluntarily” reported to the DOJ on the findings of an internal investigation the company conducted into its relationship with Panalpina -- an investigation that culminated in the company’s 2010 FCPA settlement with U.S. enforcement authorities. Writt claimed that Shell’s internal investigation report falsely implicated him in the payment of bribes and accused him of providing inconsistent statements during multiple interviews conducted in the course of the investigation. The trial court initially granted summary judgment in favor of Shell, dismissing Writt’s suit on the basis that Shell enjoyed an "absolute privilege" to make statements to the DOJ regarding its internal investigation. The Texas Court of Appeals overturned this decision, refusing to characterize a “voluntary” pre-prosecution internal FCPA investigation as a judicial proceeding. Instead, the Court of Appeals held that Shell was only entitled to qualified privilege, under which a speaker can still be liable for defamation if the speaker "knows the matter to be false or does not act for the purpose of protecting the interest for which the privilege exists." 
The Texas Supreme Court held “at all relevant times” Shell had been the target of a DOJ FCPA investigation and asserted that this investigation, which eventually resulted in a criminal settlement with Shell, satisfied the standard that “the possibility of a proceeding must have been a serious consideration at the time the communication was made.” The Supreme Court also highlighted “the DOJ’s leverage over Shell vis-à-vis the FCPA and its somewhat draconian penalties…,” which “compelled [Shell] to undertake its internal investigation and report its findings to the DOJ.” The court specifically pointed to the dramatic increase of FCPA enforcement actions before mid-2007 when the DOJ notified Shell of its investigation, noting that “businesses that chose not to cooperate were subject to substantially greater punishments….” At a time when the DOJ and SEC have become increasingly vocal in calling for companies under investigation to secure and provide evidence of individual culpability, a decision that did not provide Shell with absolute privilege could have had a far-reaching impact on how companies conduct internal investigations and cooperate with enforcement authorities. As it stands, the Texas Supreme Court’s decision in Shell Oil Co. v. Writt may incentivize cooperation by companies in the early stages of the enforcement process by providing certainty to potential corporate defendants, particularly those located in Texas, that good faith efforts to disclose the results of internal investigations and expose individual culpability will not leave them open to defamation claims.
Three Key Takeaways
Make sure you provide an Upjohn warning. If an employee demands counsel to represent them during an internal investigation, who bears the cost? Always check state law requirements around internal investigations.
Mara Senn and a colleague, Michelle Albert, published an article in the FCPA Report, Volume 3, Number 1, entitled “Internal Investigations, How to Conduct an Anti-Corruption Investigation: Developing and Implementing the Investigation Plan”. I interviewed Senn on her thoughts about handling a cross-border investigation.
Offer Interview Translations
While many people outside the US have various levels of capability in a non-native language, when you get into the very detailed questions in an interview, they may have enough English skills that you assume they understand everything, but in fact, they do not. You may ask a key question, for example, about expense reports; maybe they understand conversational English, but there's no reason for them to know expense reports. This makes it important to have someone present in the interview who speaks the witness’s native language, and just assume that there are going to be times where you’re going to need to call on that person.
Avoid Cultural Pitfalls
Cultural pitfalls are really truly pitfalls and, unfortunately, they can be big deep holes that you do not know anything about, but you can fall into pretty easily. She provided the issue of personal privacy as an example, where most countries have a different concept of privacy, particularly about whether your work area is your own versus what really belongs to the company. You should seek local counsel guidance to understand what needs to be done and to explain to you the best way to do it without offending people.
Observe Data Privacy Restrictions
Most American lawyers are aware of different data privacy restrictions and requirements in countries governed by the European Union (EU) and the US. The point under this best practice is that your analysis and response must go much further to satisfy the US Department of Justice (DOJ) if you want to claim that you cannot get certain information out of a country because of data privacy restrictions.
Comply with Labor Requirements
Similar to the long-standing Weingarten right of unionized employees in the US to have a representative present for interviews, in many countries outside the US there are Works Council and similar analogs in other countries, where, basically, the Works Council is responsible for the interactions between the employers and the employees. Moreover, employees have certain statutory or labor code based rights as employees, regardless of whether they are members of a labor union or not. These rights can drill down into the types of questions that you can ask or even prevent you from meeting with or interviewing certain employees.
Be Aware of Other Local Requirements
Points three and four certainly lead into best practice No. 5. It is incumbent upon you to work with local counsel in the country where you are performing the interviews to garner an understanding of the witnesses’ rights and your obligations during any investigation. She explained that many ways a US lawyer would think about doing an investigation could be problematic in other jurisdictions. She gave the examples of taking pictures or physically removing documents from a location, which could be issues that you might face. You certainly need advice and counsel on what is legal and what might not be going forward.
Put Forms in Native Translations
There are times that the only way an investigation can collect an employee’s personal information is to obtain affirmative assent. Such information might include work documents, work emails, or similar information. However, she cautioned that in this situation it is even more important to put the consent form in the native language. You do not want the employee to later claim they did not understand the consent form or thought they were executing something different. It can be critical that you have informed consent, because if you do not have informed consent, that consent could well turn out to be void.
Preserve the Attorney-Client Privilege
The rules outside the US can be quite different and perhaps a little bewildering. In many European countries there is no privilege for in-house counsel, so if a General Counsel (GC) of a company speaks to the President or Chief Executive Officer (CEO) there is absolutely no privilege under basically any circumstances in Europe. Senn then noted that other jurisdictions have other kinds of laws, each with a slightly different parameter, leading to different attorney-client expectations.
Prepare for Local Enforcement Actions
Many countries are becoming more aggressive in their enforcement actions for bribery and corruption, sometimes based upon local and domestic anti-bribery laws. This means that whatever information one government knows, whichever government that is, you should expect and assume that multiple governments are cooperating in some way. This then makes it more likely that there could well be some sort of local enforcement action against your client while you are investigating matters around an FCPA claim or potential FCPA claim.
Prepare for Security Risks
This means personal security, physical and health safety. Simply consider the recent situation when Ebola was going around Western Africa or Central Africa. If you are conducting an investigation in such ravaged areas you should not send your employees to Liberia at that time to interview people. The same can be true in war-torn areas like Syria or similar locales. The better plan would be to remove the people you are interviewing and bring them to you or to a local hub outside of the impacted areas. That avoids a whole host of issues, as you do not want to have to pay for extra security; for example, you do not want your employees to have to walk around with loaded machine guns protecting them. You have to make a judgment call as to where and whether these potential threats need to be addressed in some way.
Protect Whistleblowers
Here Senn had some very practical advice, which, while it might seem counter-intuitive on the surface due to certain legal decisions, might actually provide more protections for companies in the long run. Senn began by noting the 2nd Circuit Court of Appeals ruling in the Liu case, which essentially found that the Dodd-Frank retaliation provisions that protect whistleblowers in the US do not apply abroad, so in other words, a foreign whistleblower brought a case saying, “I was retaliated against and I bring a case under the retaliation provisions of Dodd-Frank,” and they said, “No way, you can't bring it.” Senn believes that companies that use the Liu decision as a basis to retaliate against whistleblowers outside the US are wrong for several reasons. The first is that the Securities and Exchange Commission (SEC) has announced it will still pay whistleblowers outside the US, who come forward and meet the requirements, the Dodd-Frank bounty of up to 30% of the penalty. This means that even if courts determine that the Dodd-Frank provisions do not apply for retaliation for foreign nationals, the SEC can still honor the communication and compensate the foreign whistleblower. The second reason is that the US Sentencing Guidelines make clear that part of an effective compliance and ethics program includes having a publicized system for employees or agents to report potential or actual criminal conduct without fear of retaliation. These Sentencing Guidelines apply to all US companies, both domestically and internationally. If your company retaliates against foreign whistleblowers, the US government can take that into account, which could be viewed in a negative way, meaning that you don’t have an effective compliance and ethics program.
Three Key Takeaways
Use translators and translations of key documents in witness interviews. Use local counsel to facilitate the investigation and to help navigate any local anti-corruption investigation issues.
Never, never, never retaliate. The SEC will pay whistleblower bounties for non-US citizens.
In an article in the Compliance and Ethics Professional Magazine, entitled “Foxes and henhouses: The importance of independent counsel”, Dan Dunne discussed what he termed a “critical element” in any investigation, which he denominated as “fair and objective evaluation.” Dunne wrote that a key component of this fair and objective evaluation is the WHO question; that is, who should supervise the investigation and who should handle the investigation? Dunne’s clear conclusion is that independent counsel should handle any serious investigation. There are three reasons for a company to retain independent counsel for internal investigations of serious whistleblower complaints. First, André Agassi was right, perception is reality. This means that for any corporate ethics and compliance program to be effective, it must be perceived to be fair. If your employees do not believe that the investigation is fair and impartial, then it is not fair and impartial. Further, those involved must have confidence that any internal investigation is treated seriously and objectively. Secondly, if regular outside counsel investigates their own prior legal work or legal advice, a very large and potentially messy number of loyalty and privilege issues can arise in the internal investigation. It is a rare legal investigation where the lawyer or law firm which provided the legal advice, and then investigates anything having to do with said legal advice, finds anything wrong with its legal advice. Dunne also notes that if the law firm which performs the internal investigation has to waive attorney-client privilege, it may also have to do the same for all its legal work for the company. The third reason is the relationship of the regular outside counsel or law firm with regulatory authorities.
If a company’s regular outside counsel performs the internal investigation and the results turn out favorably for the company, the regulators may ask if the investigation was a whitewash or at the very least, less than robust. If the Securities and Exchange Commission (SEC) or Department of Justice (DOJ) cannot rely on a company’s own internal investigation, it may perform the investigation all over again with its own personnel. Further, these regulators may believe that the company, and its law firm, has engaged in a cover-up. This is certainly not the way to buy credibility. Mara Senn has explained that it is the lawyer or law firm representing the company that can go a long way towards establishing credibility, noting, “For those of us who regularly appear before the government, we already have credibility, and they understand that the client may or may not agree with recommendations we make, and they know that we’ll be a straight shooter once we’re in front of them, however we get in front of them.” But it is more than the lawyer or law firm that brings credibility; it is the actions of the company as well. Of course this means the steps the company has taken and its cooperation with the government during the pendency of any FCPA investigation. Despite the fact that using specialized investigation counsel is a best practice that is worth the money, one of the more difficult things is convincing decision-makers of this advantage. This is particularly so when speaking with mid- or small-sized companies that are part of larger supply chains. While general counsels and compliance officers may be up to speed on outsourcing critical inquiries, managers in business segments often are not and frequently reply that they “got someone” in the company who “takes care of that stuff.” However, it is clear that such an approach will be more costly to a company in the long run.
Moreover, if there are serious allegations made concerning your company’s employees engaging in criminal conduct, a serious response is required. Your company needs to hire some seriously good lawyers to handle any internal investigation. These lawyers need to have independence from the company, so do not call your regular corporate counsel. Hire some seriously good investigative lawyers. This may well mean you need specialized outside counsel. James McGrath and David Hildebrandt wrote about the use of specialized outside counsel to lead an independent internal investigation as a compliance and ethics best practice in an article entitled, “Risks and Rewards of an Independent Investigation”. This is based upon the US Sentencing Guidelines, under which a scoring system is utilized to determine what a final sentence should be for a criminal act. Factors taken into account include the type of offense involved and the severity of the offense, as well as the harm produced. Additional points are either added or subtracted for mitigating factors. One of the mitigating factors can be whether an organization had an effective compliance and ethics program. McGrath and Hildebrandt argue that a company must have a robust internal investigation. The authors suggest that in such a situation, a company should engage specialized counsel to perform the investigation. There were three reasons for this suggestion of the utilization of specialized counsel. The first is that the Department of Justice would look towards the independence and impartiality of such investigations as one of its factors in favor of declining or deferring enforcement. If in-house counsel headed up the investigation, the DOJ might well deem the investigative results “less than trustworthy”. A second reason came from the company perspective. Many companies have sought protection of investigations behind the shield of the attorney-client privilege and attorney work-product doctrine.
If an in-house attorney is utilized, many courts are skeptical of a company asserting the privileges because of the mixed responsibilities of counsel in a corporation: that of legal and business work. Additionally, obstructionist attempts by corporations to improperly assert the privilege have led courts to refuse to allow the privilege to be asserted. However, a company will usually not face these arguments if outside counsel is utilized. Even if the company is willing to waive its attorney-client privilege, McGrath and Hildebrandt offer a third reason for the use of specialized outside counsel to handle an investigation. If a company’s regular outside counsel were retained to conduct the investigation, the DOJ might feel the results had less than full credibility due to the fact that the law firm knew “who buttered its bread” and that the law firm would not want to bring bad news to the client and endanger the ongoing business relationship between the law firm and the client. The authors end by concluding that employing specialized counsel comports with the expectations under the US Sentencing Guidelines, gives a company the protections of the attorney-client privilege and the work-product doctrine and finally “assures the government of the integrity of the internal investigation.”
Three Key Takeaways
Serious allegations demand a serious response, with seriously good lawyers leading the investigation. The biggest thing that any person or company brings to the table when sitting across from the DOJ or SEC is credibility. Use of regular corporate counsel can negatively impact your investigation because of the issues of loyalty and privilege.
How can you determine if Human Resources (HR) can meet the needs of a best practices compliance program? One place to start is with a gap analysis to determine what HR has in place that can facilitate your company’s compliance program. According to Bright Hub Project Management, a gap analysis “compares actual performance (or status) with the desired performance (or status). A gap analysis takes into account where the company is and where it wants to be. Any review of a company and its goals should include a thorough gap analysis - especially when wanting to improve productivity, processes and products.” From the HR and compliance perspective the four steps to undertaking a gap analysis are: (1) understanding the compliance and HR environment in your organization; (2) taking a holistic approach to understanding the compliance and HR environment; (3) determining a framework for analysis, and (4) compiling supportive data to test the program. Yet before beginning this exercise it is incumbent to understand that the first element of an effective compliance program under the U.S. Sentencing Guidelines is to have Established Policies and Procedures to prevent and detect non-compliance with regulations. While the US Sentencing Guidelines specifically target “criminal conduct”, companies would be wise not to limit their “risk assessment” or “gap analysis” to only criminal conduct. Most, if not all, companies possess several corporate policies that govern employee behaviors. The person in charge of the corporate compliance function should first identify the policies in place by utilizing a gap analysis to catalog the existence of corporate policies across the company, noting policy gaps and inconsistent application of policies across various locations. The business units and functional disciplines should be tasked with filling the gaps and standardizing conflicting policies.
This exercise allows you to move forward to what is required to operationalize compliance as you have to know what you must be compliant with going forward. So how does one work with the business units and the functional disciplines to structure the identification of legal and compliance risks in a way that can be managed and utilized with some degree of ease? Here are a few questions that a compliance practitioner may pose to the HR department to perform a gap analysis regarding policies and procedures: Does the HR department have an inventory of policies, procedures, laws and regulations covering employees and employment related matters applicable to the company’s business? If yes, do you have a specified person who is in charge of updating the inventory? If no, what system does the HR department utilize to ensure that it is aware of the various compliance laws and regulations and has a process to comply with them? What evidence would the HR department be able to produce to the government to support a finding that the company has a solid compliance program for applicable labor and employment laws and regulations? What types of compliance training are mandatory for all employees, which are optional and how does HR track and document completion? How is the training performed? Is it provided in the native language of the employee or only in English? What types of enforcement actions predominate in the compliance arena for your industry or where your organization does business? How is such data tracked in your company? Are employees within the HR department specifically trained to understand compliance requirements applicable to your organization? Does the HR department provide senior management with periodic updates on the monitoring of results, key risks, and compliance violations within HR? Has the HR department established some type of escalation criteria to ensure that high-risk compliance issues are reviewed at the corporate level? 
Does the HR department have compliance monitoring standards in place? Does the HR department perform periodic audits to ensure that the policies and procedures are being complied with? These are only a few of the questions that you may want to ask to begin the process of assessing how compliance and the role of HR apply to your company. My final suggestion is to work with HR to create a consolidated Human Resources Compliance Audit Checklist that can be used to audit (and document) the company’s HR Compliance Program. The key to compliance, in my opinion, is having the proper structure to identify the issues, implement policies and procedures to address the issues, audit for compliance and document, document, and document.
Three Key Takeaways
· A gap analysis is a key component in the risk assessment process.
· The ultimate responsibility should lie with the business units and functional disciplines to fully operationalize compliance.
· The role of the compliance department is to oversee, provide subject matter expertise and coordinate.
This month’s series is sponsored by Advanced Compliance Solutions and its new service offering, the “Compliance Alliance”, which is a three-step program that will provide you and your team a background into compliance and the FCPA so you can consider how your product or service fits into the needs of a compliance officer. It includes an FCPA and compliance boot camp, sponsorship of a one-month podcast series, and in-person training. Each section builds on the other and provides your customer service and sales teams with the knowledge they need to have intelligent conversations with compliance officers and decision makers. When the program is complete, your teams will be armed with the knowledge they need to sell and service every new client. Interested parties should contact Tom Fox.
In the Department of Justice’s Evaluation of Corporate Compliance Programs, Prong 8, Incentive and Disciplinary Measures, states: Incentive System – Consistent Application – Have the disciplinary actions and incentives been fairly and consistently applied across the organization? In the Department of Justice’s (DOJ) 13 point minimum best practices compliance program, Item 10 states: Discipline. A Company should have appropriate disciplinary procedures to address, among other things, violations of the anti-corruption laws and the Company's anti-corruption compliance code, policies, and procedures by the Company's directors, officers, and employees. A Company should implement procedures to ensure that where misconduct is discovered, reasonable steps are taken to remedy the harm resulting from such misconduct, and to ensure that appropriate steps are taken to prevent further similar misconduct, including assessing the internal controls, ethics, and compliance program and making modifications necessary to ensure the program is effective. However, I believe that the DOJ best practices require more than the ‘stick’ of employee discipline to make a compliance program effective; I believe they also require a ‘carrot’. This requirement is codified in the US Sentencing Guidelines with the following language, “The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.” One of the areas in which Human Resources (HR) can operationalize your compliance program is to ensure that discipline is handed out fairly across an organization and to those employees who integrate such ethical and compliant behavior into their individual work practices going forward.
Procedural fairness is one of the things that will bring credibility to your Compliance Program. Today it is called the Fair Process Doctrine and this Doctrine generally recognizes that there are fair procedures, not arbitrary ones, in processes involving rights. Considerable research has shown that people are more willing to accept negative, unfavorable, and non-preferred outcomes when they are arrived at by processes and procedures that are perceived as fair. Adhering to the Fair Process Doctrine in two areas of your Compliance Program is critical for you, as a compliance specialist, or for your Compliance Department, to have credibility with the rest of the workforce. Finally, it is yet another way to more fully operationalize your compliance program.
Internal Investigations
The first area is that of internal company investigations. If your employees do not believe that the investigation is fair and impartial, then it is not fair and impartial. Further, those involved must have confidence that any internal investigation is treated seriously and objectively. One of the key reasons that employees will go outside of a company’s internal hotline process is because they do not believe that the process will be fair. This fairness has several components. One would be the use of outside counsel, rather than in-house counsel, to handle the investigation. Moreover, if the company uses a regular firm, it may be that other outside counsel should be brought in, particularly if regular outside counsel has created or implemented key components which are being investigated. Further, if the company’s regular outside counsel has a large amount of business with the company, then that law firm may have a very vested interest in maintaining the status quo. Lastly, the investigation may require a level of specialization which in-house or regular outside counsel does not possess.
Administration of Discipline and Employee Promotions
However, as important as the Fair Process Doctrine is with internal investigations, I have come to believe it is more important in another area. That area is in the administration of discipline after any compliance related incident. Discipline must not only be administered fairly but it must be administered uniformly across the company for the violation of any compliance policy. Simply put, if you are going to fire employees in South America for lying on their expense reports, you have to fire them in North America for the same offense. It cannot matter that the North American employee is a friend of yours or, worse yet, a ‘high producer’. Failure to administer discipline uniformly will destroy any vestige of credibility that you may have developed. In addition to the area of discipline which may be administered after the completion of any compliance investigation, you must also place compliance firmly as a part of ongoing employee evaluations and promotions. If your company is seen to advance and reward only employees who achieve their numbers by whatever means necessary, other employees will certainly take note and it will be understood what management evaluates, and rewards, employees upon. I have often heard the (anecdotal) tale about some Far East Region Manager which goes along the following lines: “If I violated the Code of Conduct I may or may not get caught. If I get caught I may or may not be disciplined. If I miss my numbers for two quarters, I will be fired”. If this is what other employees believe about how they are evaluated and the basis for promotion, you have lost the compliance battle.
Three Key Takeaways
· The DOJ and SEC have long called for consistent application in both incentives and discipline.
· The Fair Process Doctrine ensures employees will accept results they may not like.
· Inconsistent application of discipline will destroy your compliance program credibility.
James Doty, Acting Commissioner of the Public Company Accounting Oversight Board (PCAOB), was once asked if the Board or its sub-committee which handles audits was a part of a company’s internal financial controls. He answered that yes, he believed that was one of the roles of an Audit Committee or full Board. I had never thought of the Board as an internal control but the more I thought about it, the more I realized it was an important insight for any Chief Compliance Officer or compliance practitioner, as it also applies as a compliance internal control. In the FCPA Guidance, in the Ten Hallmarks of an Effective Compliance Program, there are two specific references to the obligations of a Board. The first is in Hallmark No. 1, which states, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3, entitled “Oversight, Autonomy and Resources”, where it discusses that the CCO should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The Department of Justice’s (DOJ) Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment? Doty’s remarks drove home to me the absolute requirement for Board participation in any best practices or even effective anti-corruption compliance program. Board liability for its failure to perform its assigned function in any compliance program is well known.
David Stuart, an attorney with Cravath, Swaine & Moore LLP, noted that FCPA compliance issues can lead to personal liability for directors, as both the Securities and Exchange Commission (SEC) and DOJ have been “very vocal about their interest in identifying the highest-level individuals within the organization who are responsible for the tone, culture, or weak internal controls that may contribute to, or at least fail to prevent, bribery and corruption”. He added that based upon the SEC’s enforcement action against two senior executives at Nature’s Sunshine Products, “Under certain circumstances, I could see the SEC invoking the same provisions against audit committee members—for instance, for failing to oversee implementation of a compliance program to mitigate risk of bribery”. It would not be too far a next step for the SEC to invoke the same provisions against audit committee members who do not actively exercise oversight of an ongoing compliance program. Further, the SEC has made clear that it believes a Board should take a more active role in overseeing the management of risk within a company. The SEC has promulgated Regulation SK 407 under which each company must make a disclosure regarding the Board’s role in risk oversight which “may enable investors to better evaluate whether the board is exercising appropriate oversight of risk.” If this disclosure is not made, it could be a securities law violation and subject the company, which fails to make it, to fines, penalties or profit disgorgement. I believe that a Board must not only have a corporate compliance program in place but actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions. But it is more than simply having a compliance program in place. 
The Board must exercise appropriate oversight of the compliance program and indeed the compliance function. The Board needs to ask the hard questions and be fully informed of the company’s overall compliance strategy going forward. If a Board’s oversight is part of effective compliance controls, then the failure to exercise it may result in something far worse than bad governance. Such inattention could directly lead to an FCPA violation and could even form the basis of an independent SOX violation as to the Board.
Three Key Takeaways
· A Board must engage in active oversight.
· A Board should review the design of internal controls on a regular basis.
· Failure to do so could form the basis for an independent legal violation under SOX.
Under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The US Department of Justice (DOJ) Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment? Moreover, the FCPA Guidance requires a CCO to have direct access to the Board or an appropriate sub-committee. The Guidance also requires a tangible commitment from the top levels of an organization, starting with the Board of Directors, that the company create an ethical culture. At the Board of Directors level, a Board Compliance Committee can devote itself exclusively to non-financial compliance, such as FCPA compliance. While many companies have fulfilled these obligations through an Audit Committee, clearly the better practice is to have a separate Compliance Committee. The reason is clear: compliance has become not only central to any well-run business but also critical to overseeing a wider variety of risks than the typical Audit Committee has experience with, which is usually only aimed towards financial risks. The Board Compliance Committee should begin its inquiry with a basic question: ‘How do we know it is working?’ In other words, is a company’s compliance program living up to the hallmarks of an effective compliance program in the eyes of the government? Here I lay out four areas of more specific inquiry. The Board Compliance Committee should obtain information on the processes to carry out the compliance function, rather than details on specific compliance issues. They need to understand that there is a single individual or internal corporate discipline keeping track of the compliance function and making sure that it is being handled properly. They need to understand that there is a system in place that keeps track of compliance requirements.
Another area of interest for the Board Compliance Committee should be hotlines or other internal reporting mechanisms. Here, the Board Compliance Committee needs to know details about both inbound issues and the responses thereto. On the inbound side, this means details about who answers the reports that come in either via email or phone, how this information is triaged and in what time frame. It also requires an understanding of whether the reporting system is truly anonymous, with no use of caller-ID or GPS tracking. The next series of questions deals with the responses to any information which comes to the attention of the company, including such basic inquiries as: How are the reports classified and routed? Who gets notified for what types of calls? How is the investigative process divided among various functions, or is it outsourced? Finally, what is the response rate and response time? The Board Compliance Committee must know who is accountable and responsible for each segment of a compliance program. They should obtain assurance that the compliance function has developed a charter that makes it clear to them where obligations fall across management so it can assess accountability. An effective Board Compliance Committee will allow management to do their job running the business on a day-to-day basis, and they understand that their job is to set long-term strategy. Strategic planning is another area well suited for oversight by a Board Compliance Committee. For such a committee to be both effective and informed, it must have an appreciation of where the corporate compliance function stands at the present moment and also have a strategic plan for how the compliance and ethics program can continue to grow. Similarly, Stephen Martin, a partner at Arnold and Porter, has long advocated a 1-3-5-year compliance game plan.
However, a Board Compliance Committee should demand the compliance function be nimble enough to respond to new information or actions, such as mergers or acquisitions, divestitures or other external events. If a dynamic changes, you want to get your board’s attention on the changes which may need to happen with the [compliance] program. Today’s regulatory climate and hyper-transparency in social media make a Board Compliance Committee’s task seem Herculean. But more than simply the regulatory climate, shareholders are taking a much more active role in asserting their rights against Boards of Directors. It is incumbent that Boards seek out and obtain sufficient information to fulfill their legal obligations and keep their company off the front page of the New York Times, Wall Street Journal or Financial Times, just to name a few, to prevent serious reputational damage. A Board Compliance Committee is a good place to start.
Key Takeaways
· This committee exists to provide oversight and assist the CCO, not to substitute its judgment for that of the CCO.
· This committee should work to hold the CCO accountable to hit appropriate metrics.
· This committee is ideal for leading the efforts around strategic planning.
For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program.
Case Law
As to the specific role of ‘Best Practices’ in the area of general compliance and ethics, one can look to Delaware corporate law for guidance. The case of In Re Caremark International Inc. was the first case to hold that a Board’s obligation “includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.” In the case of Stone v. Ritter, the Supreme Court of Delaware expanded on the Caremark decision by establishing two important principles. First, the Court held that the Caremark standard is the appropriate standard for director duties with respect to corporate compliance issues. Second, the Court found that there is no duty of good faith that forms a basis, independent of the duties of care and loyalty, for director liability. Rather, Stone v. Ritter holds that the question of director liability turns on whether there is a “sustained or systematic failure of the board to exercise oversight – such as an utter failure to attempt to assure a reasonable information and reporting system exists.” According to Haynes and Boone in its publication, “Corporate Governance and the Role of the Board”, a director’s business decisions generally qualify for protection by the “business judgment rule.” Under the business judgment rule, courts presume that directors making business decisions acted on an informed basis, in good faith, and with the honest belief that the action taken was in the best interests of the corporation.
In lawsuits brought against directors by shareholders, courts applying the business judgment rule will determine only whether the directors making the decision (i) were free from conflicts of interest, (ii) appropriately informed themselves before taking the action, and (iii) acted after due consideration of all relevant information that was reasonably available. Under the business judgment rule, the board’s action will not subject board members to liability if the action or decision of the directors can be attributed to any rational business purpose. Directors that meet the criteria of the business judgment rule do not have to worry about having their business decisions second-guessed by a court, even where their decisions result in corporate losses.
FCPA Guidance and US Sentencing Guidelines
A Board’s duty under the Foreign Corrupt Practices Act (FCPA) is well known. In the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) FCPA Guidance, under the Ten Hallmarks of an Effective Compliance Program, there are two specific references to the obligations of a Board. The first, in Hallmark No. 1, entitled “Commitment from Senior Management and a Clearly Articulated Policy Against Corruption”, states, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3, entitled “Oversight, Autonomy and Resources”, where it discusses that the Chief Compliance Officer (CCO) should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program.
The DOJ’s Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment? There is one other issue regarding the Board and risk management, including FCPA risk management, which should be noted. It appears that the SEC desires Boards to take a more active role in overseeing the management of risk within a company. The SEC has promulgated Regulation SK 407 under which each company must make a disclosure regarding the Board’s role in risk oversight which “may enable investors to better evaluate whether the board is exercising appropriate oversight of risk.” If this disclosure is not made, it could be a securities law violation and subject the company, which fails to make it, to fines, penalties or profit disgorgement. From the Delaware cases, I believe that a Board must not only have a corporate compliance program in place but actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions. The specific obligations set out regarding the FCPA drive these general legal obligations down to the specific level of the statute.
Three Key Takeaways
· The Delaware courts have led the way with the Caremark and Stone v. Ritter decisions.
· Note the obligations of the Board under the 10 Hallmarks of an Effective Compliance Program.
· The US Sentencing Guidelines also require Board involvement and oversight.
John MacKessy, writing in the Finance Professionals’ Post, in a piece entitled “Knowledge of Good and Evil: A Brief History of Compliance”, noted that the FCPA and Environmental Protection Act (EPA) “prompted companies to develop internal resources that would actively monitor compliance with the laws, rules, and regulations of their industries.” The next step in the evolution of the compliance profession was the defense procurement scandals from the 1980s, where the industry’s sales of “$400 hammers and $600 toilet seats” to the US government led to the Defense Industry Initiative (DII). This industry-led initiative created “a set of principles endorsing ethical business practices and conduct” within the defense industry for its dealings with the US government. The next step in the evolution of the compliance profession was the 1992 US Sentencing Guidelines which, for the first time, set out what the government would consider for credit in sentencing of organizations. Many credit these 1992 Sentencing Guidelines with the creation of the modern compliance profession. These guidelines included credit for “the specific elements of an effective compliance and ethics program. Companies that embarked on such programs would be eligible for more lenient sentences. To qualify as ‘effective,’ a company’s compliance program would not only have to establish standards and procedures to prevent and detect criminal conduct, but would have to actively promote a culture encouraging ethical conduct and compliance with the law. The implementation of those guidelines in 2004 reflected the need for corporate boards to demonstrate knowledge of compliance programs and fulfillment of oversight responsibilities as part of monitoring the effectiveness of companies’ compliance and ethics programs.” The next major step was the financial accounting frauds and scandals of the late 1990s and early 2000s including Enron, WorldCom and Tyco.
These scandals were so wide-ranging, with senior executive participation in, if not direction of, the corporate fraud, that a new legislative response was required, and this response was the passage of the Sarbanes-Oxley Act of 2001 (SOX). Aaron Einhorn, writing in the Denver Journal of International Law & Policy, in an article entitled “The Evolution and Endpoint of Responsibility: The FCPA, SOX, Socialist-Oriented Governments, Gratuitous Promises, and a Novel CSR Code”, said, “sections 302 and 404 of SOX together require corporate executives to state their responsibility for designing internal controls, to create such controls, to assess and evaluate these controls, and to draw conclusions about their effectiveness… SOX specifically charges executive officers with internal controls duties.” Einhorn ends this section by noting, “internal controls have been transformed from a recitation of general duties lodged upon the corporation as a whole to a statement of specific duties imposed on corporate executives in particular.” This strengthened the compliance professional who was called upon to design these internal controls. The next major legislation which enhanced the compliance function was the Dodd-Frank Act of 2010, passed in response to the 2008 financial crisis. MacKessy pointed to the downfalls of Bear Stearns and Lehman Brothers as drivers of more compliance because they both “demonstrated the degree to which external risk events can create a loss of confidence resulting in permanent reputational damage and impaired shareholder value.” The legal and legislative response has been that companies should use risk-based programs as a basis to design, create and implement effective compliance programs. Joe Howell, Executive Vice President (EVP) for Workiva Inc., has gone further, drawing a straight line from the FCPA to SOX to Dodd-Frank in the development of the compliance function.
All of this means compliance is not going away, no matter what the law enforcement priorities of the new administration. Companies understand not only that compliance and business ethics have a role in driving business strategies and initiatives but also that more compliant companies are better-run companies and, at the end of the day, more profitable because they have better controls. MacKessy ends his piece by stating that compliance programs “can provide multiple rewards - from risk mitigation, to reputational enhancement, to business strategy development.” The compliance discipline is where the harmonic convergence occurs in a corporation. Whether it be specific tasks of making sales, vetting relationships or the spade work of creating policies and procedures, it is compliance that drives the discussion of how we should do business. The corporate compliance profession fulfills the business obligation in doing things the right way for, at the end, it will be the compliance profession which implements the requirements of compliance, whether those requirements are anti-corruption laws such as the FCPA, the UK Bribery Act, Anti-Money Laundering (AML), export control, anti-trust regulations, or any other regulation that you can name. Equally importantly, the compliance profession is teaching corporations how to evaluate risks and the compliance profession leads that discussion. It is the compliance profession that is the most innovative in not only protecting corporations, but actually helping corporations do business, do business more efficiently, and do business more profitably.
Three Key Takeaways
· Doing compliance is Doing Business.
· Properly accomplished, compliance makes a business more efficient and more profitable.
· Use the Robert Gates as a great example of how the FCPA means more business for US companies.
Continuous improvement requires that you not only audit third parties but also monitor whether employees are staying with the compliance program. In addition to the language set out in the FCPA Guidance, two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs. Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. Many compliance practitioners understand you should be checking in routinely with local finance departments in your foreign offices to ask if they have noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries they manage. These ongoing efforts demonstrate that your company is serious about compliance. Yet ongoing monitoring is not limited to the financial component of compliance. The concept is straightforward: at regular intervals you can sweep through your company email database for identified key words that can be flagged for further investigation, if required. The beauty of this approach is that it does not require an extensive eDiscovery software tool or license purchase. It can be accomplished generally in two days or less. Also, it is not limited to anti-corruption compliance but can cover any of the risk factors identified for your company. The objective of this approach is to ‘find the smoke’, which may be the evidence of a compliance breakdown (and related fire), by sweeping through emails to uncover those that may contain real issues.
From this starting point, you can assess and prioritize, by checking and verifying that there are issues worth investigating. From here you can identify the issues you want to investigate first. Further, and if warranted, you can invoke your investigation protocol, with all the requisite protections and securities. In addition to the cost effectiveness of this approach, in that you are only paying for the services when you need them and as they are delivered, this approach satisfies the Tom Fox mantra of Document, Document, and Document because everything you have done can be verified and audited. Finally, as the regulators continue to evolve in their understanding and appreciation of a best practices compliance program, you will evolve your compliance program to a new level of detection that could well allow you to have a more robust prevent mode. When your compliance program has a strong prevent prong, it can be the most effective way to keep any issues from becoming Foreign Corrupt Practices Act (FCPA) violations. Continuous improvement through continuous monitoring will help keep your compliance program abreast of any changes in your business model’s compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance program is a continuously evolving organism, just as your company is continually improving its business processes. The FCPA Guidance makes clear the “DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines.
Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improvement and sustainability.” Three Key Takeaways Ongoing employee monitoring is a standard tool of an effective compliance program. Focus your email sweeps on a high risk product, business unit or region. Use your findings. Review, analyze and act.
No area has become more challenging in compliance than continuous improvement. The FCPA Guidance specifies that “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” Continuous improvement requires that you not only audit but also monitor whether employees are staying with the compliance program. In addition to the language set out in the FCPA Guidance, two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs. One tool that is extremely useful in the continuous improvement cycle, yet is often misused or misunderstood, is ongoing monitoring. This can come from the confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information. Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. 
However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. Although unique in protocol, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue. Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with local Finance departments in your foreign offices to ask if they’ve noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries they manage. These ongoing efforts demonstrate that your company is serious about compliance. What should you do with this information? I would suggest that you have a strategic plan in place ready to implement your findings of continuous improvement, by using the following: Review the Goals of the Strategic Plan. Design an Execution Plan. Put Accountabilities in Place. Schedule the Next Review of the Plan. Continuous improvement through continuous monitoring or other techniques will help keep your compliance program abreast of any changes in your business model’s compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance program is in many ways a continuously evolving organism, just as your company is. 
You need to build in a way to keep pace with both market and regulatory changes to have a truly effective anti-corruption compliance program. The FCPA Guidance makes clear the “DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines. Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improvement and sustainability.” Key Takeaways Where has your compliance program been, where is your compliance program now and where is your compliance program going? Determine what technological improvements might help improve your compliance program. You should have a one, three and five year compliance plan that you update regularly. For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program.
The FCPA Guidance has about as clear, concise and short a statement about hotlines as any other Tenet of an Effective Compliance Program. It states, “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.” But more than simply hotlines, companies have to make real efforts to listen to employees. But you must spend time working on this issue. You need to have managers who are trained on how to handle employee concerns; they must be incentivized to take on this compliance responsibility and you must devote communications resources to reinforcing the company’s culture and values to create an environment and expectation that managers will raise employee concerns. The reason is that its own employees are a company’s best source of information about what is going on in the company. It is certainly a best practice for a company to listen to its own employees, particularly to help improve its processes and procedures. But more than listening to its employees, a company should provide a safe and secure route for employees to escalate their concerns. This is the underlying rationale behind an anonymous reporting system within any organization. Both the US Sentencing Guidelines and the Organization of Economic Cooperation and Development (OECD) Good Practices list as one of their components an anonymous reporting mechanism by which employees can report compliance and ethics violations. Of course, the Dodd-Frank Whistleblower provisions also give heed to the implementation of a hotline. What are some of the best practices for a hotline? I would suggest that you start with at least the following: Availability. Anonymity. Escalation. Follow-Up. Oversight. 
In the area of internal company investigations, if your employees do not believe that the investigation is fair and impartial, then it is not fair and impartial. Furthermore, those involved must have confidence that any internal investigation is treated seriously and objectively. One of the key reasons that employees will go outside of a company’s internal hotline process is because they do not believe that the process will be fair. I would emphasize, yet again, that after your investigation is complete, the Fair Process Doctrine demands that any discipline must not only be administered fairly but it must be administered uniformly across the company for a violation of any compliance policy. Failure to administer discipline uniformly will destroy any vestige of credibility that you may have developed. What is your FCPA Investigation Protocol? With the advent of the Securities and Exchange Commission (SEC) Whistleblower Program, courtesy of Dodd-Frank, it is imperative that a company quickly and efficiently investigate all hotline reports. This means you need an investigation protocol in place so that the entire compliance function is on the same page and knows what to do. The following is a suggested starting point. Step 1: Opening and Categorizing the Case. Step 2: Planning the Investigation. Step 3: Executing the Investigation Plan. Step 4: Determining Appropriate Follow-Up. Step 5: Closing the Case. Three Key Takeaways 1. Pre-taliation is becoming a more important SEC enforcement tool. 2. Test your hotline on a regular basis to make sure it is working. 3. Utilize social media for both tips and reports and to spot trends. For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program.
In Episode 7 of In Plain Cite, our hosts, Jonathan and Lex, take a look at amendments to the US Sentencing Guidelines that were proposed in August 2015. Those amendments would overhaul the definition of "crime of violence" in the wake of the Supreme Court's recent decision in Johnson, some in ways that would benefit defendants and others in ways that would not. We also catch up on the progress (or lack thereof) of criminal justice reform in Congress as we head into 2016.