Last week I attended the Society for Corporate Compliance
and Ethics (SCCE) Energy and Utilities Conference here in Houston. As usual,
SCCE put on a great event; the speakers and topics were all first-rate. As you
might expect at such an event, the informal conversations with other compliance
practitioners gave an opportunity to learn about new and different approaches
to compliance. At lunch on the second day, I had such a conversation, which, to
my surprise, was not with a Chief Compliance Officer (CCO) or even a compliance
practitioner of an energy company but with a Program Manager for a utility
concern.
I admit that I normally do not attend any of the breakout
sessions for the utilities at the conference and generally when forced to sit
through a session focused on the utility industry, it does not take too long
for my eyes to roll up inside my head. However, after this lunch conversation, I
will certainly have to revise my disdain for listening to the utility
presentations. The person is a Program Manager in his company's Power Plant
Process group and he told me about the 'Mock Audit' that his company performs
in its power plants across the country.
He explained that his industry is heavily regulated at
both the state and federal level. Power plants are subject to numerous levels
of oversight including various ISO standards with which they must comply. ISO is
the International Organization for Standardization and it develops and
publishes International Standards for various industries and organizations. The
ISO 9000 standards provide guidance and tools for companies and organizations
who want to ensure that their products and services consistently meet
customer's requirements, and that quality is consistently improved. One of the
components of ISO 9000 compliance is an internal audit to check how a quality
management system is working. But, for the utility industry, there are
additional, more formal audits by various state and federal regulatory bodies,
including both North American Electric Reliability Corporation (NERC) and the
Federal Energy Regulatory Commission (FERC). In other words, the utility
industry is subject to numerous rules and regulations which require compliance
audits.
To help prepare for these formal internal and external
audits, his company employs the Mock Audit. In the Mock Audit, his team will go
through the factors which will be reviewed in a formal audit at a power plant.
But the thing that struck me was that he said that when he goes into a plant, he
tells the plant personnel "we all wear the same color shirt" and by this he
means they are all on the same team, trying to achieve the same goal of doing
business in compliance with the rules and regulations that the power industry
is required to operate under. Coming from the energy service industry, the
'color of one's shirt' is a powerful concept. I worked at Halliburton which is
known as "Big Red". Halliburton's competitor, Schlumberger, is known as "Big
Blue". Once in an employment interview someone asked me if I could work under a
person who came from "Big Blue" and I knew instantly what they meant.
The Mock Audit is a mechanism by which a compliance team
can go into a facility and not only try to determine what might need
remediation but, equally importantly, help the employees in that facility to
move towards greater compliance. The team members who perform these Mock Audits
are not lawyers but are engineers or other process-focused team members. These
Mock Audits help to uncover gaps that need closing before any of the regulatory
mandated audits by external audit teams. As this Program Manager explained to
me, they are a powerful compliance tool.
I thought about this concept of the Mock Audit in the
context of ongoing monitoring, annual assessments and auditing under the
Foreign Corrupt Practices Act (FCPA). Typically such monitoring and annual
assessments are done by lawyers. One thing that I think we as lawyers bring to
this process too often is an adversarial relationship. It sometimes feels and
sounds like we are trying to find a violation or something wrong regarding a
company's compliance program. We are not there to try and help employees learn
from their mistakes (if any) and we do not present ourselves as 'wearing the
same color shirt'. While there certainly is a fine line that must be trod in
monitoring and annual assessments, if the compliance practitioner could adopt a
bit of the tone of the Mock Audit it might open things up for a more useful and
constructive exercise going forward. This is not to say that a more formal
compliance audit should be conducted with such a tone, as it is a different
type of activity. But, just as the Mock Audit is there to uncover any gaps and
help fill those gaps, monitoring or annual assessments can also be used to help
close compliance gaps before a biennial formal compliance audit. So what are
some of the steps that a compliance practitioner can take?
Wear the Same Color Shirt
I once worked in a corporate legal department where the
attitude was very much 'us against them'. The legal department was
viewed as the last bastion against the business guys doing something to put the
company at risk. The attitude was not cooperative at all. I would suggest that
even if the legal department feels like it has to maintain that attitude, the
compliance department is not required to have that attitude, at least not all
the time. Just as my newfound colleague from the utility industry can help
power plant employees to do their work more in compliance with the rules and
regulations that they are required to follow, the compliance department can
work with employees rather than simply dictate the rules which are to be
followed. An annual assessment is the perfect opportunity to learn more about a
region or group's compliance challenges and how those challenges are being met
and might be met going forward. But it will not work if it starts out with the 'us
against them' or 'I am here to get you' attitude. You have to wear the
same color shirt and be on the same team.
Review Your Findings with the Group or Region Being Assessed
One of the more constant complaints that I have heard
from business unit folks was that legal and/or compliance did not share the
results of any assessments or audits with them. Not only was there no
transparency at the end of the process but there seemed to be no simple desire
for local participation or input to resolve any outstanding issues uncovered.
So another step I gleaned from the Mock Audit is to review any assessment
findings with the senior management team of the group or area being assessed. If
warranted, the management team from the group or area reviewed should be a part
of any corrective action plan that addresses a specific gap in compliance. You
can use this opportunity to demonstrate that the overall goal is to drive
towards compliance and that use of local input may be one of the best paths to
positive change over the long term. As with anything else, if people feel like
they have input into the process, they will be more likely to be invested in
making sure the process succeeds. When you return to the corporate office you can
collaborate with the group or region until issues are fully addressed.
Conclusion
The recently released Department of Justice (DOJ) and
Securities and Exchange Commission (SEC) FCPA Guidance makes clear that formal
compliance audits, with actionable remediation plans, are a key component of
any effective compliance program. But after listening to my colleague from the
utility industry, it seems to me that the concept of the Mock Audit is one that
may also become a best practice. Whether you call it the Mock Audit, annual
assessment or something else, if it is a process designed to help your
employees do business in a more compliant manner it is a tool that should not
be overlooked.

Visit the FCPA Compliance and Ethics Blog,
hosted by Thomas Fox, for more commentary on FCPA compliance, indemnities and
other forms of risk management for a worldwide energy practice, tax issues
faced by multi-national US companies, insurance coverage issues and protection
of trade secrets.
This publication contains general information
only and is based on the experiences and research of the author. The author is
not, by means of this publication, rendering business, legal advice, or other
professional advice or services. This publication is not a substitute for such
legal advice or services, nor should it be used as a basis for any decision or
action that may affect your business. Before making any decision or taking any
action that may affect your business, you should consult a qualified legal
advisor. The author, his affiliates, and related entities shall not be
responsible for any loss sustained by any person or entity that relies on this
publication. The Author gives his permission to link, post, distribute, or
reference this article for any lawful purpose, provided attribution is made to
the author. The author can be reached at tfox@tfoxlaw.com.
© Thomas R. Fox, 2013