Can you synthesize and reconcile the world's leading
laws, regulations and commentaries on the best practices for an anti-bribery
and anti-corruption compliance program? I recently saw one such approach by
Paul McNulty and Stephen Martin of the law firm, Baker and McKenzie. They have
developed what they term the five essential elements of a corporate compliance
program. These five elements are based upon the best practices as set
out in the seven elements of a corporate compliance program under the US
Sentencing Guidelines; the 13 Good Practices by the OECD on Internal Controls,
Ethics, and Compliance; the FCPA Guidance's Ten Hallmarks of Effective
Compliance Program and the UK Bribery Act's Six Principles of an Adequate
Procedures compliance program. The five elements are:
The point means more than simply "Tone-at-the-top"; a
successful compliance program must be built on a solid foundation of ethics
that are fully and openly endorsed by senior management. There should be an
unambiguous, visible and active commitment to compliance. But even more than
support or the right tone, compliance standards require that companies must
have high-ranking compliance officers with the authority and resources to
manage the program on a day-to-day basis. And compliance officers must have the
ear of those ultimately responsible for corporate conduct, including the board
Some of the questions you might think about in connection
with the leadership of your compliance program are the following: How is board
oversight implemented? Is there an ethics or audit committee reporting to the
full board? What is the role of the Chief Compliance Officer? What is the role
of the General Counsel? How do the legal and compliance departments interact?
Does the CCO have "real power"? Is she or he treated as a second-class citizen?
Equally the Board of Directors has a key role to fulfill.
The Board must ensure compliance policies, systems and procedures are in place
and it should monitor implementation and effectiveness of the compliance
The implementation of an effective compliance program is
more than simply following a set of accounting rules or providing effective
training. Compliance issues can touch many areas of your business and you need
to know not only what your highest risks are but where to marshal your efforts
in moving forward. A risk assessment is designed to provide a big picture of
your overall compliance obligations and then identify areas of high risk so
that you can prioritize your resources to tackle these high risk areas first.
What are some of the areas where you need to assess your risks?
In addition to an initial risk assessment to either (1)
inform your compliance program or (2) help you to identify high risks and
prioritize their remediation, risk assessments should be a regular, systemic
part of compliance efforts rather than an occasional, ad hoc exercise cobbled
together when convenient or after a crisis. They should be conducted at the
same time every year and performed by a consistent group, such as your internal
audit department or enterprise risk management team. Such annual risk
assessments act as a strong preventive measure if they are performed before
something goes wrong, as they avoid a "wait and see" approach.
Standards and Controls
Generally, every company has three levels of standards
and controls. (1) Code of Conduct. Every company should have a Code of Conduct
which should express its ethical principles. However, a Code of Conduct is not
enough. (2) Standards and Policies. Every company should have standards and
policies in place that build upon the foundation of the Code of Conduct and
articulate Code-based policies, which should cover such issues as bribery,
corruption and accounting practices. (3) Procedures. Every company should then
ensure that enabling procedures are implemented to confirm those policies are
implemented, followed and enforced.
FCPA compliance best practices now require
companies to have additional standards and controls, including, for example,
detailed due diligence protocols for screening third-party business partners
for criminal backgrounds, financial stability and improper associations with
government agencies. Ultimately, the purpose of establishing effective
standards and controls is to demonstrate that your compliance program is more
than just words on a piece of paper.
Another pillar of a strong compliance program is properly
training company officers, employees and third parties on relevant laws,
regulations, corporate policies and prohibited conduct. Simply conducting
training usually is not enough. Enforcement officials want to be certain the
messages in the training actually get through to employees. The Department of
Justice's (DOJ) expectations of effectiveness are measured by who a company
trains, how the training is conducted and how often training occurs.
There are several key elements to training. First is that
you need to train the right people. You must prioritize which audience to
educate by starting your training program in higher risk markets and focusing on
directors, officers and sales employees who may have direct contact with
government officials or deal with state-owned entities. Again, focus initially
on training country managers in your company's high-risk markets, then expand
geographically and through the ranks of employees.
Second, in high risk markets and for high risk employees
or third parties you should conduct live, annual training. Enforcement
officials have made it clear that live, in-person training is the preferred
method in high-risk markets and also that it should be regular and frequent.
Another benefit of live training is the immediate feedback from employees that
would be much less likely to occur during a webinar or other remote training.
Lastly, during live training, employees are more likely to make casual mention
of a potentially risky practice, giving you the opportunity to address it
before it becomes a larger problem.
It is important that you pay attention to what employees
say during training. This is because training can alert you to potential
problems based on the type of questions employees ask and their level of
receptiveness to certain concepts. For example, during training employees might
ask specific questions about important compliance considerations such as their
interactions with government officials or gift-giving practices. Such questions
can raise red flags and uncover issues that should be reviewed and addressed
Oversight - including monitoring, auditing and responses
The issue your company should focus on here is whether
employees are staying with the compliance program. Even after all the important
ethical messages from management have been communicated to the appropriate
audiences and key standards and controls are in place, there should still be a
question of whether the company's employees are adhering to the compliance
program. These ongoing efforts demonstrate your company is serious about
Monitoring is a commitment to
reviewing and detecting compliance problems in real time and then reacting
quickly to remediate them. A primary goal of monitoring is to identify and
address gaps in your program on a regular and consistent basis. Auditing
is a more limited review that targets a specific business component, region or
market sector during a particular timeframe in order to uncover and/or evaluate
certain risks, particularly as seen in financial records. However, you should
not assume that because your company conducts audits that it is effectively
monitoring. A robust program should include separate functions for auditing and
monitoring. While unique in protocol, however, the two functions are related
and can operate in tandem.
Finally, what are your remediation efforts? Your company
should remediate problems quickly. A key concept behind the oversight element
of compliance is that if a company is policing itself on compliance-related
issues, the government will not have to do it for them. Remediation, then, is
an important component of oversight. It is not enough to just gather
information and identify compliance problems through monitoring and auditing.
To fulfill this essential element of compliance, you also have to respond and
fix the problems.
I have found that the Baker 'Five Essentials' approach is
an excellent way to think through your obligations under a wide variety of
anti-corruption and anti-bribery requirements. It allows you to put in place a
program which should meet virtually any legal requirements you may come up
against by doing business anywhere in the world. Lastly, the five-step approach
is an excellent way for you to benchmark your current compliance program.
Visit the FCPA Compliance and Ethics Blog,
hosted by Thomas Fox, for more commentary on FCPA compliance, indemnities and
other forms of risk management for a worldwide energy practice, tax issues
faced by multi-national US companies, insurance coverage issues and protection
of trade secrets.
This publication contains general information
only and is based on the experiences and research of the author. The author is
not, by means of this publication, rendering business, legal advice, or other
professional advice or services. This publication is not a substitute for such
legal advice or services, nor should it be used as a basis for any decision or
action that may affect your business. Before making any decision or taking any
action that may affect your business, you should consult a qualified legal
advisor. The author, his affiliates, and related entities shall not be
responsible for any loss sustained by any person or entity that relies on this
publication. The Author gives his permission to link, post, distribute, or
reference this article for any lawful purpose, provided attribution is made to
the author. The author can be reached at email@example.com.
© Thomas R. Fox, 2013