There are numerous reasons to put some serious work into your compliance policies and procedures. They are certainly a first line of defense when the government comes knocking. The Evaluation of Corporate Compliance Programs – Guidance Document (2019 Guidance) made clear that “Any well-designed compliance program entails policies and procedures that give both content and effect to ethical norms and that address and aim to reduce risks identified by the company as part of its risk assessment process.” This statement made clear that the regulators will take a strong view against a company that does not have well thought out and articulated policies and procedures against bribery and corruption; all of which are systematically reviewed and updated. Moreover, having policies written out and signed by employees provides what some consider the most vital layer of communication and acts as an internal control. Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the “Document, Document, and Document” mantra applies just as strongly to policies and procedures in anti-corruption compliance.
The specific written policies and procedures required for a best practices compliance program are well known and long established. According to the 2012 FCPA Guidance, some of the risks companies should keep in mind include the nature and extent of transactions with foreign governments (including payments to foreign officials); use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments. Policies help form the basis of expectations for standards of conduct in your company. Procedures are the documents that implement these standards of conduct.
Compliance policies do not guarantee employees will always make the right decision. However, the effective implementation and enforcement of compliance policies demonstrate to the government that a company is operating professionally and ethically for the benefit of its stakeholders, its employees and the community it serves.
There are five general elements to a compliance policy, which should stake out the following:
- Identify who the compliance policy applies to;
- Set out the objective of the compliance policy;
- Describe why the compliance policy is required;
- Outline examples of both acceptable and unacceptable behavior under the compliance policy; and
- Lay out the specific consequences for failure to comply with the compliance policy.
The 2019 Guidance went further by requiring an assessment whether a company has established policies and procedures that incorporate the culture of compliance into its day-to-day operations, through a design which is appropriate to the organization, based upon that organization’s assessed risks.
Design – What is the company’s process for designing and implementing new policies and procedures, and has that process changed over time? Who has been involved in the design of policies and procedures? Have business units been consulted prior to rolling them out?
Comprehensiveness – What efforts has the company made to monitor and implement policies and procedures that reflect and deal with the spectrum of risks it faces, including changes to the legal and regulatory landscape?
The 2019 Evaluation mandated there must be communication of your compliance policies and procedures throughout the workforce and relevant stakeholders such as third-parties and business venture partners.
Accessibility – How has the company communicated its policies and procedures to all employees and relevant third parties? If the company has foreign subsidiaries, are there linguistic or other barriers to foreign employees’ access?
Responsibility for Operational Integration – Who has been responsible for integrating policies and procedures? Have they been rolled out in a way that ensures employees’ understanding of the policies? In what specific ways are compliance policies and procedures reinforced through the company’s internal control systems?
This means that it more than simply having appropriate policies and procedures. They must be operationalizing into your compliance program, down to the business unit level. How can you do so? Compliance training is only one type of communication. This is a key element for compliance practitioners because if you have a 30,000+ global work force, simply the logistics of training can appear daunting. Small groups, where detailed questions about policies can be raised and discussed, can be a powerful teaching tool. Another technique can be posting Frequently Asked Questions (FAQs) in common areas and virtually. Also, having written compliance policies signed by employees provides what some consider the most vital layer of communication. A signed acknowledgement can serve as evidentiary support if a future issue arises. Finally, never forget the example of the Morgan Stanley declination where the recalcitrant employee annually signed such certifications. These signed certifications help Morgan Stanley walk away with a full declination.
The 2012 FCPA Guidance ends its section on policies with the following, “Regardless of the specific policies and procedures implemented, these standards should apply to personnel at all levels of the company.” It is important that compliance policies and procedures are applied fairly and consistently across the organization. Institutional fairness demands that if compliance policies and procedures are not applied consistently, there is a greater chance that an employee dismissed for breaching a policy could successfully claim he or she was unfairly terminated. Moreover, inconsistent application of your policies and procedures will destroy the credibility of your compliance program. This last point cannot be over-emphasized. If an employee is going to be terminated for fudging their expense accounts in Brazil, you had best make sure that same conduct lands your top producer in the U.S. with the same quality of discipline.
Three key takeaways:
- Written compliance policies and procedures, together the Code of Conduct, with form the backbone of your compliance program.
- The DOJ and SEC expect a well-thought out and articulated set of compliance policies and procedures and that they be adequately communicated throughout your organization.
- Institutional fairness for the application of policies and procedures demands consistent application across the globe.