(Download above or read below)
“When it comes to compliance, there is no one-size fits all.” So says the Department of Justice and the Securities and Exchange Commission in their “Resource Guide to the U.S. Foreign Corrupt Practices Act” (issued November 14, 2012). The Resource Guide discusses factors the Departments consider when making determinations on whether to prosecute, including the size of the company and particular risks associated with the company.
But that seemingly generous standard comes with an expectation that organizations will tailor their FCPA compliance programs to reflect both the law and the company. The Resource Guide expressly cautions against a “check-the-box” approach.
So what are the “hallmarks” of an effective FCPA compliance program as per the Resource Guide? Here’s a summer-worthy summary and discussion.
1. Commitment from Senior Management and a Clearly Articulated Policy Against Corruption.
This point is why we constantly use the verbiage of a “robust compliance program” and “culture of compliance.” The Resource Guide specifically says it will look for a high-level commitment from the Board of Directors and senior executives that sets a tone that is reinforced by middle managers and all levels of employees. While written policies are necessary, they are not enough. Does your incentive plan include compliance metrics along side other strategic objectives, such as productive output, sales, and margin?
2. Code of Conduct and Compliance Policies and Procedures.
Here, the Departments are looking for documents that are “clear, concise, and accessible to all employees and to those conducting business on a company’s behalf.” This hallmark is about making the document part of the workday for everyone. Make it part of a company website. Send internal reminders to refresh and when there are revisions. Translate it into a local language of the business transactions and provide it – multi-lingual – to agents and assignees. Design an on-line expense pre-approval system managed in the US with deadlines, spending tiers and corresponding authorization levels, caution flags, and documentation review. Best-in-class programs utilize on-line policy repositories with workflow notification of new releases, changes and closure to employees. And, policy changes should become a standing agenda item at executive and department level staff meetings and not simply reliant upon “corporate office” memos that escape middle management daily meetings.
3. Oversight, Autonomy, and Resources.
The Departments expect a senior executive to be accountable and resourced. While this, too, is acknowledged as differing from business to business, a position like “Chief Compliance Officer” should have access to the highest levels of corporate governance, even if certain day-to-day activities are delegated to a supporting compliance team. The Resource Guide phrases the Departmental inquiry as the adequacy of staff and resources devoted to the compliance program, relative to company size, structure, and risk profile.
4. Risk Assessment.
When the Departments say “risk,” they provide “high-risk” examples of “large government bids, questionable payments to third party consultants, or excessive discounts to resellers and distributors.” The factors it lists for consideration include “the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.” Such risk assessments are becoming standard in evolving Enterprise Risk Management (ERM) programs, annual internal audit risk assessments, as well as those risk assessments already performed as part of a sales and marketing client acquisition assessment.
5. Training and Continuing Advice.
There is no substitute for in-person training with certification conducted at regular intervals. Web-based training is permissible. Certification is not required. But, if you want a gold star in FCPA compliance, an education program mandatory for every employee and owner will demonstrate good faith to the Departments. Education also means answering questions in a timely manner when they arise. Have policies accessible. Provide regular employee training. And, designate a resource person functioning under Standard Operating Procedures to respond to employee questions and concerns.
6. Incentives and Disciplinary Measures.
Most companies have disciplinary systems in place, including notice to employees that various non-permitted behaviors can result in termination of employment. The Resource Guide also brings out ideas for positive reinforcement of a culture of compliance that rewards ethical behavior as part of the financial bonus or promotion metric. Are your employees publicly rewarded when they go above and beyond the call? Best-in-class programs share openly both positive and negative events to establish a “lead by example” culture. Studies have shown that compliance programs are stronger when the employee base recognizes management’s willingness to stand behind the words written on paper.
7. Third Party Due Diligence and Payments.
The position of the Departments is that third parties are “commonly used to conceal the payment of bribes to foreign officials in international business transactions.” A practical tip to take away from the Resource Guide is to include third parties in employee FCPA training and certification. Furthermore, and given the potential risk in using third parties, risk assessment and due diligence should extend to acquisition of third parties for use in the sale environment.
8. Confidential Reporting and Internal Investigation.
It is appropriate to have an employee hotline, along with a formalized response process. Again, the size of the company will have some bearing on the level and approach to internal reporting, but, even in a small company environment, supporting an anonymous third party vendor hotline is a proven win for encouraging early reporting and demonstrating the importance of compliance at all levels. One of the benefits of the hotline is the opportunity to compile data, analyze that data, and use it to improve upon the systems put in place.
9. Continuous Improvement: Periodic Testing and Review.
The Departments are expressly interested in how companies turn FCPA into a living breathing part of an organization. From hotline data to employee surveys to internal audits, the more pro-active a company conducts itself, the more the company will have to demonstrate in the event of a Department investigation.
Legacy FCPA audit programs relied on after-the-fact audits that discovered undesirable activity when it was too late. Best-in-class programs have turned to real-time Continuous Controls Monitoring that uses real-time technology to evaluate transaction patterns that highlight issues relating to incentive, pressure, and opportunity. Organizations with a centralized ERP system can take advantage of such technology and establish risk dashboards that update instantaneously as each transaction is executed.
10. Mergers & Acquisitions: Pre-Acquisition Due Diligence and Post-Acquisition Integration.
This is an area where pre-acquisition due diligence should be thought of as mandatory. The Departments have the discretion to decline to take action against the acquiring company when they discover, disclose, and remediate FCPA violations. And, if a problem should be discovered after acquisition, even if due diligence was conducted, the Departments can use that same approach of prompt disclosure and remediation to bring the acquired company into thorough FCPA compliance.
To review this DOJ/SEC “Resource Guide on the Foreign Corrupt Practices Act” and the Federal Sentencing Guidelines section on “Effective Compliance and Ethics Program,” simply go to the Orchid Advisors on-line research library. This and many other research materials selected specifically for the firearms and ammunition industry are available.