Last week was the 50th anniversary of one of the seminal Beatles’ albums, Rubber Soul. Even a half-century later, it remains one of the most critically acclaimed LPs in history. As noted in the Wall Street Journal (WSJ) article by Marc Myers, entitled “Crafting a Better Beatles”, it “marked rock’s shift from formulaic pop to studio experimentation and high art.” Furthermore, it changed “the direction of American pop.” However, I was surprised to find that the British album had 14 songs while the American version only had 12. There were four songs dropped from the UK version: Drive My Car, What Goes On, Nowhere Man and If I Needed Someone. Added in the US were I’ve Just Seen a Face and It’s Only Love. These changes resulted in a “more cohesive album” which turned “an unfocused album into a taut acoustic story of self-awareness and romantic confusion.”
I thought about the refocused nature of the American version of Rubber Soul when contemplating how to keep your compliance program not only up to date but also operational in nature, as articulated by Department of Justice (DOJ) Compliance Counsel Hui Chen at the recent New York University Program on Corporate Compliance and Enforcement public forum. Chen made clear that the operation of your compliance program is one of the key indicators of whether it would meet a best practices standard under her review.
Especially in light of the compliance related events and announcements this fall, you should keep track of external and internal events which may cause change to business processes, policies and procedures. Some examples are new laws applicable to your business organization and internal events that drive changes within a company. Such internal changes could be a company reorganization or major acquisition. This type of review appears to be similar to the DOJ advocacy of ongoing risk assessments. The FCPA Guidance specifies, “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.”
Continuous improvement requires that you not only audit but also monitor whether employees are staying with the compliance program. In addition to the language set out in the FCPA Guidance, two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.
A review plan is an excellent tool for the compliance practitioner because it provides a method for the ongoing evaluation of policies and sets forth a manner to communicate and train on any changes that are implemented. More than simply staying current, this approach will help provide the dynamics that the DOJ continually talks about in keeping your program fresh. Lastly, such a review plan can also guide the compliance practitioner in creating an ongoing game plan for compliance program upgrades and updates that Stephen Martin advocates.
The FCPA Guidance makes clear that each company should assess its risks and manage its risks. The Guidance specifically notes that small and medium-size enterprises likely will have different risk profiles and therefore different attendant compliance programs than large multi-national corporations. Moreover, this is something that the DOJ and Securities and Exchange Commission (SEC) take into account when evaluating a company’s compliance program in any Foreign Corrupt Practices Act (FCPA) investigation. This is why a “Check-the-Box” approach is not only disfavored by the DOJ but, at the end of the day, also ineffectual: each compliance program should be tailored to the enterprise’s own specific needs, risks, and challenges.
One tool that is extremely useful in the continuous improvement cycle, yet is often misused or misunderstood, is ongoing monitoring. This can come from the confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information.
Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. Although unique in protocol, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue.
Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with local Finance departments in your foreign offices to ask if they’ve noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries they manage. These ongoing efforts demonstrate that your company is serious about compliance.
With the Pfizer Deferred Prosecution Agreement (DPA), the DOJ again emphasized the need for a company to establish protocols for auditing. It included the following detail on auditing protocols:
- On-site visits by an FCPA review team comprised of qualified personnel from the Compliance, Audit and Legal functions who have received FCPA and anti-corruption training.
- Review of a representative sample (appropriately adjusted for the risks of the market) of contracts with and payments to individual foreign government officials as well as other high-risk transactions in the market.
- Creation of action plans resulting from issues identified during the proactive reviews; these action plans will be shared with appropriate senior management and should contain mandatory remedial steps designed to enhance anti-corruption compliance, repair process weaknesses, and deter violations.
- A review of the books and records of a sample of third party representatives which, in the view of the FCPA proactive review team, may present corruption risk.

Prior to such an investigation, however, the company should have procedures in place to make sure every investigation is thorough and authentic, including document preservation protocols, data privacy policies, and communication systems designed to manage and deliver information efficiently.
Capitol Records in the US took a very good Beatles album and tinkered with it to make it one of the greatest rock and roll records of all time. Rubber Soul certainly stands the test of time. By keeping your compliance ear to the ground, you can respond to changes in the regulatory schemes and in your business operations that allow your compliance program to be nimble and a winner.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2015