The role of the compliance professional and the compliance function in a corporation has steadily grown in stature and prestige over the years. In the 2012 FCPA Guidance (Guidance), under Hallmark Three of the 10 Hallmarks of an Effective Compliance Program (Hallmarks), the focus was articulated by the title Oversight, Autonomy, and Resources. When it came to the corporate compliance function the Guidance simply noted the government would “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”
This Hallmark was significantly expanded in both the Department of Justice’s (DOJ’s) Evaluation of Corporate Compliance Programs (Evaluation) and the new FCPA Corporate Enforcement Policy (Policy). The Evaluation made the following query about the CCO position:
- Autonomy and Resources
Compliance Role – Was compliance involved in training and decisions relevant to the misconduct? Did the compliance or relevant control functions (e.g., Legal, Finance, or Audit) ever raise a concern in the area where the misconduct occurred?
Empowerment – Have there been specific instances where compliance raised concerns or objections in the area in which the wrongdoing occurred? How has the company responded to such compliance concerns? Have there been specific transactions or deals that were stopped, modified, or more closely examined as a result of compliance concerns?
Funding and Resources – How have decisions been made about the allocation of personnel and resources for the compliance and relevant control functions in light of the company’s risk profile? Have there been times when requests for resources by the compliance and relevant control functions have been denied? If so, how have those decisions been made?
The Evaluation added one new set of queries based upon the evolution of corporate compliance programs since 2012.
Outsourced Compliance Functions – Has the company outsourced all or parts of its compliance functions to an external firm or consultant? What has been the rationale for doing so? Who has been involved in the decision to outsource? How has that process been managed (including who oversaw and/or liaised with the external firm/consultant)? What access level does the external firm or consultant have to company information? How has the effectiveness of the outsourced process been assessed?
In the Policy, the DOJ listed the following as factors relating to a corporate compliance function, that it would consider as indicia of an effective compliance and ethics program:
- The resources the company has dedicated to compliance;
- The quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk;
- The authority and independence of the compliance function and the availability of compliance expertise to the board;
- The compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors; and
- The reporting structure of any compliance personnel employed or contracted by the company.
1 and the first half of 3 come from the 10 Hallmarks of an Effective Compliance Program. Points 2, the second half of 3, 4 and 5 come from the DOJ’s FCPA Pilot Program, Part 3 entitled, “Timely and Appropriate Remediation in FCPA Matters”. Clearly the DOJ is articulating that in an operationalized compliance program, it expects true compliance professionals, who understand the way compliance interacts with and supports the business. Companies must compensate and promote compliance professionals within their organization.
Funding and Resources
You will now have to justify your corporate compliance spend. This means at a minimum you will have to meet some general industry standard. If a corporation tries to low-ball both the pay to compliance professionals and the dollar and head count made available to a compliance function, it will not be viewed positively. Also noted in the Evaluation, a company must be prepared to defend any request for compliance resources which are turned down. Budget requests and allocations are always difficult times in any corporation. There is never enough money to go around and most senior management thinks it is their job to slash all budget requests as a simple matter of course. Now such blanket management will be penalized.
If a compliance function is so hampered by resource restrictions it cannot carry out the basic functions needed for a compliance program to operate, it will not find favor under either the Evaluation or the Policy. If there are compliance projects needed to address basic compliance risks which are not funded because management failed to heed a Chief Compliance Officers (CCO) or compliance functions budget request, this could be evidence of conscious indifference by senior management.
Role of Compliance and Empowerment
More than simply throwing money at the compliance function (as if that would ever happen) the DOJ is now inquiring into how the compliance and its recommendations are treated. If there is business unit over-ride of compliance decisions, there must be an auditable decision trail. This, of course, is anathema to corporate executives who do not want to put themselves at risk.
But more than simply preventing management over-ride, a corporate compliance function has to be empowered by the Board and Chief Executive Officer (CEO) to intervene in business decisions that implicate the company’s ethics and compliance issues, compliance with business code of ethics, agent/distributor and supplier codes of conduct, training, communication and internal investigations. If a company considers a business decision or practice that implicates the company’s ethical principles, the compliance function must have the internal authority to weigh in and ensure that ethical principles and compliance issues are factored into the business decision.
Outsourcing of Compliance
This area of compliance practice has arisen largely since the articulation of the Hallmarks in the Guidance. While this might make sense from a cost perspective, it can be largely problematic if it is not managed properly. Rarely do outsiders have the same access as corporate employees, particularly a function as important as compliance. Here a company must not only have a rationale in place, which will largely be cost-savings; a company must also have a mechanism in place to assess, on an ongoing basis, any outsourced compliance function. This will be beyond the reach of probably 99% of the companies engaged in such outsourcing.
The Evaluation and Policy both demonstrate the continued evolution in the thinking of the DOJ around the compliance function. Their articulated inquiries can only strengthen a corporate compliance function specifically and the compliance profession more generally. The more the DOJ talks about the independence of, coupled with resources being made available and authority concomitant with the corporate compliance function, the more corporations will see it is directly in their interest to provide the resources, authority and gravitas to compliance position in their organizations.
The Evaluation of Corporate Compliance Program and new FCPA Enforcement Policy enhance compliance stature.Click to tweet
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at email@example.com.
© Thomas R. Fox, 2018