04/20/2011 06:21:00 PM EST
Testing Your FCPA Compliance Program
One of the areas which has received considerable
attention in the compliance world over the past six months is that of
assessment. Today, we would like to focus on a smaller facet of assessment
which we considered when reading a recent article in the Harvard Business
Review, entitled "Failing By Design" by Columbia Business School
Professor Rita Gunther McGrath. Professor McGrath's article focuses on trials
in the business world to experiment on how companies can learn from
errors. She advocates that with a properly managed system, companies can learn
through failure. She cites to the term of "intelligent failure" which she
believes can help companies evolve.
This idea of learning from failure struck me as a useful
lesson in how a company might test the effectiveness of the components of
its compliance system. One area that would seem to be ripe for testing is to
set up a test for reporting a compliance violation or incident, either through
a company's hotline or other reporting mechanism. McGrath advocates four
principles of intelligent failure.
what you are trying to do and be specific.
explicit about the assumptions you're making and have a plan for testing
the initiative in small chunks so that your team can learn quickly.
a culture that share, forgives and uses failure as positive learning tool.
Based upon these four principles McGrath then lays out
seven tenets which she believes "can help your organization leverage from
failure." We adapt them here for the testing of your compliance program.
what success and failure would look like prior to launch. Define what will
constitute success, or failure from your test.
assumptions into knowledge. Record your assumptions before you begin the
testing so that everyone assessing the overall effectiveness will
understand the basis of the actions and steps taken throughout the
quick about it, act fast. Here a company needs to understand that if a
problem arises, it should be dealt with sooner, rather than later.
the downside risk-fail cheaply. This is a direct benefit of testing your
compliance program. If you determine that there is a flaw, it can be
resolved much more inexpensively if it is discovered early.
the uncertainty in your testing. A company needs to sufficiently define
the testing so that it can understand, digest and then remedy, if
necessary, the results.
a culture that celebrates intelligent failure. A company has to create a
culture which allows the lessons of testing to be learned in a positive
manner. If there is a failure discovered through testing, learn from it,
do not punish based upon it.
and share what you learn from the testing. A company needs to share the
results of the testing with the appropriate group involved.
All of this would come into play in the testing of the
reporting component of a compliance program. You can provide an anonymous tip
to your company hotline and determine what the response is at every level, both
from the compliance department and other relevant groups, in the organization.
From such a start, you can have the relevant players develop an investigation
protocol which they would follow. To whom and what notifications should you
make and at what point in the testing? All of these questions can be evaluated
if you not only perform such a test but learn from it, without pointing fingers
of blame. Here it is important to remember that one should "report facts, not
assess blame" if company is to learn from any failure or testing.
A few years ago I heard Paul McNutly speak to a group of
General Counsel after he had left the position as former United States Deputy
Attorney General and was beginning his life in private practice. He gave his
perspective on the three general areas of inquiry the Department of Justice
(DOJ) would assess regarding an enforcement action. First: "What did you do to
stay out of trouble? Second: "What did you do when you found out?" and Third:
"What remedial action did you take?" By testing your compliance program and
learning from any failures your company can go a long way towards satisfying
points two and three.
The key to this testing is not to be afraid of the
results. If there are components which need to be enhanced, you will have the
opportunity to do so. If additional or supplemental training is called for;
then take the opportunity to provide. In short, do not be a afraid of the
results and use Paul McNulty's maxims of "what did you find" and "what did you
do about it".
This publication contains general information
only and is based on the experiences and research of the author. The author is
not, by means of this publication, rendering business, legal advice, or other
professional advice or services. This publication is not a substitute for such
legal advice or services, nor should it be used as a basis for any decision or
action that may affect your business. Before making any decision or taking any
action that may affect your business, you should consult a qualified legal
advisor. The author, his affiliates, and related entities shall not be
responsible for any loss sustained by any person or entity that relies on this
publication. The Author gives his permission to link, post, distribute, or
reference this article for any lawful purpose, provided attribution is made to
the author. The author can be reached at email@example.com.
© Thomas R. Fox, 2011
Visit the FCPA Compliance and Ethics Blog,
hosted by Thomas Fox, for more commentary on FCPA compliance, indemnities and
other forms of risk management for a worldwide energy practice, tax issues
faced by multi-national US companies, insurance coverage issues and protection
of trade secrets.
For more information about LexisNexis
products and solutions connect with us through our corporate site.