What should you do when an event or series of events is so overwhelming that it staggers your ability to evaluate, plan and respond to it or them? I thought about that question when I read an article in the New York Times (NYT) about the role of the Mayor of Rio De Janeiro in the upcoming World Cup this summer and the 2016 Olympics, entitled “Rio’s Mayor, Shepherd of the City’s Rebirth, Feels the Strains, Too” by Simon Romero. In the article, the Mayor, Eduardo Paes, discussed the strains he is under in tearing and then rebuilding his city in anticipation of the globe’s two greatest sporting events. He was quoted as saying “Don’t ever in your life do a World Cup and Olympic Games at the same time. This will make your life almost impossible.”
What if something happens in your company, corruption-wise, and your life as the Chief Compliance Officer (CCO) or compliance officer is turned upside down, much like Paes?. My colleague Stephen Martin advocates having a 1-3-5 year plan in place to fall back upon. Martin believes that such a document would be an important item to produce to a prosecutor, who might be reviewing your compliance program in the event of a voluntary self-disclosure, a Dodd-Frank or other whistle-blower event, which has led your company to receive a subpoena or letter of inquiry or an industry sweep. He believes that such a strategic plan could well lead to the development of credibility for your company and your compliance program in the event of one of the aforementioned eventualities.
But, if you do have such a plan, how can you implement it in the face of something as overwhelming as is facing the current Mayor of Rio? In his book, “Achieving 100% Compliance of Policies and Procedures”, author Stephen Page discusses ‘Creating a Review and Communication Control Plan.’ In this section he sets forth several steps for the compliance professional to use in reviewing, creating and implementing updated compliance procedures. A review plan should be created to enable policies and procedures to “remain an integral party of the daily work lives of the target audience.” Page breaks down the process into three main categories: (1) General Review; (2) Ongoing Communications; and (3) Training Campaign.
The CCO or compliance practitioner should keep track of “external and internal events which may cause change to business process, policies and procedures.” He lists two examples of where new laws applicable to your business organization and internal events drive changes within a company. Such internal changes could be a company reorganization or major acquisition. This type of review appears to be similar to the Department of Justice (DOJ) advocacy of ongoing risk assessments. In several Deferred Prosecution Agreements (DPAs) announced this year, the DOJ listed several different areas to review, including:
- Interaction with types and levels of Governments;
- Industrial Sector of Operations;
- Involvement with Joint Ventures;
- Licenses and Permits in Business Operations;
- Degree of Government Oversight; and
- Customs and Immigration.
Communications of the overall policies and procedures should not be a single event but continuous and ongoing. In other words, do not simply post your new policy on your company’s business policy website and let it sit there for years. You should make the announcement of policy implementation more public and such communication should be followed up. Page gives several examples of how policies can be communicated.
- Via company-wide email;
- Posters placed through the physically facilities;
- Strategic placement of information on company bulletin boards;
- In company meetings; and
- In newsletters.
Finally, ongoing training is a key component of an effective compliance program. He recognizes that training is constrained by budgetary realities. However there are various formats and media that can be used for training. These include in small workshop groups, presentations at company-wide conferences, smaller departmental meetings, internal webcasts/video casts and training DVDs.
The author concludes by noting that a review plan “is a great tool” for the compliance analyst as it provides a method for the ongoing evaluation of policies and sets forth a manner to communicate and train on any changes which are implemented. More than simply staying current, this approach will help provide the dynamics that the DOJ continually talks about in keeping your program fresh. Lastly, such a review plan can also guide the compliance practitioner in creating an ongoing game for compliance program upgrades and updates that Stephen Martin advocates.
Another approach is one articulated by Jan Farley, the CCO at Dresser-Rand, which basically is ‘don’t spread yourself too thin”. Jan’s comments also echo something that I believe is clear from the Guidance: Don’t focus on the small stuff. Indeed the Guidance states, “Thus, it is difficult to envision any scenario in which the provision of cups of coffee, taxi fare, or company promotional items of nominal value would ever evidence corrupt intent, and neither DOJ nor SEC has ever pursued an investigation on the basis of such conduct.” In other words, do not waste your compliance time, resource or energy around these small issues. However, if these small issues are a part of a larger systemic or long standing course of conduct that violates the FCPA, then the DOJ may well look into these issues. You will want to show the DOJ you are focusing on the “big stuff”.
The Guidance also makes clear that each company should assess its risks and manage its risks. The Guidance specifically notes that small and medium-size enterprises likely will have different risk profiles and therefore different attendant compliance programs than large multi-national corporations. Moreover, this is something that the DOJ and Securities and Exchange Commission (SEC) take into account when evaluating a company’s compliance program in any FCPA investigation. This is why a “Check-the-Box” approach is not only disfavored by the DOJ, but, at the end of the day, it is also ineffectual. It is because each compliance program should be tailored to the enterprise’s own specific needs, risks, and challenges.
Another approach was set out by Bruce Rector, in an article in the Houston Business Journal (HBJ), entitled “Strategic planning needs constant follow-up to be successful”. In the article Rector sets out steps to assist in utilizing a strategic plan. He recognizes that while a strategic plan can serve as guide for your company going forward, it must actually be utilized to garner any use out of it. Rector notes “if your company and management team have expended the time and resources to pull together a strategic plan, the next logical step is to follow up and keep things on track.” Revising Rector’s steps for the compliance practitioner I have set out the following.
- Review the Goals of the Strategic Plan. This requires that you arrange a time for the CCO and team to review the goals of the Strategic Plan. Rector advises that to the extent possible this should be done in person. The CCO should lead a discussion of the Strategic Plan and determine how this goal in the Plan measures up to its implementation in your company.
- Design an Execution Plan. Here Rector advises that the “Keep it Simple Sir”, or KISS method, is the best to move forward. This would suggest that for each compliance goal, there should be a simple and straightforward plan to ensure that the goal in question is being addressed. Rector notes that any “plan must be specific with clear tasking and deliverables and a definite timeline for delivery.”
- Put Accountabilities in Place. In any plan of execution, there must be accountabilities attached to them. Simply having a time line is not enough. This means that the persons tasked with the responsibility of performing the tasks be clearly identified, by both the individual so tasked and the actual task they are assigned to complete. Accountability also includes a “follow-up mechanism to ensure that these vital goals are achieved.” This requires the CCO or other senior compliance department representative to put these in place and then mandate a report requirement on how the task assigned is being achieved.
- Schedule the Next Review of the Plan. Most interestingly, Rector recommends a review of the foregoing process on a weekly basis. While noting that this may seem time consuming, he believes that once the group assigned with this responsibility gets “into the rhythm, it can go smoothly.” While I would not necessarily agree that weekly meetings are required, Rector does correctly note that such regularity allows any problems which may arise to be detected and corrected more quickly than if meetings are held at a less frequent basis.
If you face a challenge as great as Mayor Paes, you will indeed need something to assist you in moving forward. While starting from scratch or implementing a compliance regime in the midst of an internal investigation or Foreign Corrupt Practices Act (FCPA) enforcement action can be daunting, the basic advice to put down a plan and follow that plan with reasonable actions and steps is solid advice. But keep in mind Jan Farley’s counsel as well and do not spread yourself too thinly. Focus on your entity’s risk and then manage or, if need be, remediate your risk.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2014