04/20/2011 06:21:00 PM EST
Testing Your FCPA Compliance Program

One of the areas which has received considerable attention in the
compliance world over the past six months is that of assessment. Today, we
would like to focus on a smaller facet of assessment which we considered
when reading a recent article in the Harvard Business Review, entitled
"Failing By Design," by Columbia Business School Professor Rita Gunther
McGrath. Professor McGrath's article focuses on how companies in the business
world can run trials and experiments in order to learn from errors. She
advocates that with a properly managed system, companies can learn through
failure. She cites the term "intelligent failure," which she believes can
help companies evolve.

This idea of learning from failure struck me as a useful
lesson in how a company might test the effectiveness of the components of
its compliance system. One area that would seem to be ripe for testing is to
set up a test for reporting a compliance violation or incident, either through
a company's hotline or other reporting mechanism. McGrath advocates four
principles of intelligent failure.
- Decide what you are trying to do and be specific.
- Be explicit about the assumptions you're making and have a plan for testing them.
- Design the initiative in small chunks so that your team can learn quickly.
- Create a culture that shares, forgives and uses failure as a positive learning tool.

Based upon these four principles, McGrath then lays out seven tenets which
she believes "can help your organization leverage from failure." We adapt
them here for the testing of your compliance program.
- Decide what success and failure would look like prior to launch. Define what will constitute success or failure from your test.
- Convert assumptions into knowledge. Record your assumptions before you begin the testing so that everyone assessing the overall effectiveness will understand the basis of the actions and steps taken throughout the process.
- Be quick about it, act fast. Here a company needs to understand that if a problem arises, it should be dealt with sooner, rather than later.
- Contain the downside risk: fail cheaply. This is a direct benefit of testing your compliance program. If you determine that there is a flaw, it can be resolved much more inexpensively if it is discovered early.
- Limit the uncertainty in your testing. A company needs to sufficiently define the testing so that it can understand, digest and then remedy, if necessary, the results.
- Build a culture that celebrates intelligent failure. A company has to create a culture which allows the lessons of testing to be learned in a positive manner. If there is a failure discovered through testing, learn from it, do not punish based upon it.
- Document and share what you learn from the testing. A company needs to share the results of the testing with the appropriate group involved.

All of this would come into play in the testing of the reporting component
of a compliance program. You can provide an anonymous tip to your company
hotline and determine what the response is at every level in the
organization, both from the compliance department and from other relevant
groups. From such a start, you can have the relevant players develop an
investigation protocol which they would follow. What notifications should
you make, to whom, and at what point in the testing? All of these questions
can be evaluated if you not only perform such a test but learn from it,
without pointing fingers of blame. Here it is important to remember that one
should "report facts, not assess blame" if a company is to learn from any
failure or testing.

A few years ago I heard Paul McNulty speak to a group of General Counsel
after he had left his position as United States Deputy Attorney General and
was beginning his life in private practice. He gave his perspective on the
three general areas of inquiry the Department of Justice (DOJ) would assess
regarding an enforcement action. First: "What did you do to stay out of
trouble?" Second: "What did you do when you found out?" and Third: "What
remedial action did you take?" By testing your compliance program and
learning from any failures, your company can go a long way towards
satisfying points two and three.

The key to this testing is not to be afraid of the results. If there are
components which need to be enhanced, you will have the opportunity to do
so. If additional or supplemental training is called for, then take the
opportunity to provide it. In short, do not be afraid of the results and use
Paul McNulty's maxims of "what did you find" and "what did you do about it".

This publication contains general information
only and is based on the experiences and research of the author. The author is
not, by means of this publication, rendering business, legal advice, or other
professional advice or services. This publication is not a substitute for such
legal advice or services, nor should it be used as a basis for any decision or
action that may affect your business. Before making any decision or taking any
action that may affect your business, you should consult a qualified legal
advisor. The author, his affiliates, and related entities shall not be
responsible for any loss sustained by any person or entity that relies on this
publication. The Author gives his permission to link, post, distribute, or
reference this article for any lawful purpose, provided attribution is made to
the author. The author can be reached at tfox@tfoxlaw.com.
© Thomas R. Fox, 2011