The right response to the discovery of a potential issue, whether it results from an internal report or government action, should include the necessary correction, mitigation, and implementation of a compliance program to prevent a recurrence. Any existing compliance program must be reviewed and updated to ensure its effectiveness.

A Compliance Program Is Essential

  • The U.S. Department of Justice (DOJ), the Securities and Exchange Commission (SEC), and other federal enforcement agencies place a premium on compliance.
    • Prosecutors consider the adequacy and effectiveness of a company’s program when determining whether to bring criminal charges.
    • A robust compliance program may contribute to cooperation credit or to a mitigating factor in a damages analysis.
  • An effective compliance program works and plays a critical role in preventing and rooting out criminal conduct. It will also help prevent business and reputational harm.
  • A well-tailored compliance program is proactive, enabling better results than solely defensive measures.

A Compliance Program Must Be Thorough

Stakeholders must ensure that comprehensive compliance programs are developed and implemented.

CUSTOMIZATION

A company should tailor its compliance program to its specific business and industry.

  • Cookie-cutter or “canned” compliance programs pulled from a search engine result or copied from another business are inadequate.
  • A company must think critically about its sources of compliance risk, why they exist, and what can be done to mitigate and monitor them. A company’s size, locations, structure, business practices, and industry will impact its analysis.
    • This includes traditional business risks and developing risks introduced by new business technologies, such as the company’s approach to employee use of personal devices and “off channel” messaging platforms, as well as the preservation of other communication, collaboration, and messaging platforms used by employees.
  • The mere existence of a program is not enough: companies must have processes and dedicated resources to ensure their programs are implemented. Essential questions for consideration include:
    • Does senior and middle management incorporate compliance into the company’s culture? The “tone at the top” and middle are equally important.
    • Is compliance incorporated into the evaluation and compensation processes?
    • Are investigations independent, thorough, and prompt? Is misconduct met with appropriate consequences?
  • Document the program’s development, use, and whether it is designed to meet the company’s needs.

THIRD-PARTY MANAGEMENT

A company must focus on compliance before, during, and after engagement.

COMPLIANCE UPDATES

A proper corporate compliance program is subject to periodic evaluation and improvement.

  • An instance of past misconduct is a sign that a compliance program should be updated.
  • A company should conduct root-cause analysis designed to identify the gaps in the compliance process.
  • A company should undertake proactive measures to identify areas in need of improvement before misconduct occurs, including periodic internal audits of control and tracking systems, and engaging with employees to identify areas of weakness.
  • An evaluation should be data-driven and tailored appropriately to higher-risk activities. Factors to consider include risk assessments, audits, and prior investigations.
  • Companies should implement a schedule for periodic reviews of compliance training, policies, and controls to ensure that the program is not stale and aligns with the most current risks facing the company and the industry.

A Compliance Program Must Be Effective

Stakeholders must ensure their program works and addresses their particular compliance concerns.

CUSTOMIZED TRAINING

Implementing a generalized training program will fail to provide necessary information and strategies. Training must be tailored to maximize its effectiveness.

  • The audience determines the substance and method of delivery of training sessions:
    • New employees should receive a basic, high-level compliance training prior to being provided with more thorough sessions on the details of the program.
    • Existing, long-term employees would likely benefit from “refresher” training sessions that focus on recent compliance events or newly revised compliance policies.
  • The substance of training on certain compliance topics should be varied based on the employees’ levels within the organization. Employees in supervisory roles, for example, must be provided with the tools to investigate and address internal reports of potential compliance issues.
  • Employees should be required to demonstrate their comprehension through on-the-job simulations.

IMPORTANCE OF INTERNAL REPORTING

Internal compliance reporting should be actively encouraged to avoid creating whistleblowers.

  • Implement multiple mechanisms that allow employees to report compliance violations, including one or more methods for anonymous reporting. Examples include a hotline, a lockbox for hardcopies, or an email account or portal that anonymizes the sender’s identifying information.
  • Implement a system to quickly conduct thorough internal investigations of all complaints received, including reviewing relevant documents and interviewing potential witnesses.
  • Implement safeguards to prevent retaliation, including strict policies that forbid retaliation against whistleblowers. This may include placing employees accused of misconduct on administrative leave pending the completion of an investigation, particularly employees in positions of authority.

PUNISHMENTS AND REWARDS

Stakeholders should use incentives and disciplinary action to drive compliance-promoting behavior and prevent compliance violations.

  • Implement disciplinary policies that empower leaders to create deterrents that maximize their impact. In at least certain circumstances, ensure that the company also has flexibility to determine the appropriateness of a companywide communication regarding the incident.
  • Incentivize employees to prioritize compliance, including, for example, linking a compliance metric to employee compensation, bonuses, performance reviews, or career advancement. Examples include requiring a clean compliance record and completed compliance training for eligibility for an annual bonus or promotion. Document the impact of these factors on decisions, such as discretionary raises, bonuses, or promotions.
  • Hold wrongdoers accountable by developing tailored policies for clawing back compensation and bonuses.

The Bottom Line

Robust, well-tailored, and adequately resourced compliance programs are vital, and companies should resist the temptation to take shortcuts. It is important that companies act quickly when a potential issue arises to understand the problem and how it occurred, while incorporating lessons learned to strengthen the compliance program moving forward. The process must include thoroughly developing, implementing, and revising compliance programs to ensure that they address a company’s unique concerns and risks.
