Today, I conclude Sherlock Holmes week as I introduce next month’s topic on 31 Days to a More Effective Compliance Program – Written Standards. Today we use the Sherlock Holmes short story, The Adventure of the Beryl Coronet. This is the story of the theft of a priceless gem, stolen from a cupboard. It alludes to the then Prince of Wales as the culprit. It also demonstrates Holmes’ knowledge of not only the London criminal underworld but also his own bank account.
City banker, Alexander Holder, loans £50,000 to a socially prominent client, who leaves a beryl coronet as security. Not wanting to keep the precious jewelry at the bank Holder takes it home. That night he is awakened by a noise and upon entering another room, he sees his son Arthur holding the coronet, trying to bend it. Three beryls are missing from the coronet and in a panic Holder goes to see Holmes, who takes the case.
Despite the case against Arthur seeming unfavorable, yet Holmes is not convinced he is guilty. He assesses several factors including Arthur refusing to give a statement, the fact that he is not strong enough to break the coronet and the possibility of other persons of interest. Holmes must save the case to prevent a national scandal and to save Mr. Holder’s honor.
Holmes reviews the details of the case and the physical scene, examining the footprints in the snow outside. It turns out that Holder’s niece was in league with the notorious criminal, Sir George Burnwell, although she claims to be unaware of his nefarious nature. Mary and Burnwell escape justice. However, Holmes, once again, saves the day and regains the jewels.
All of this started with the simple prescription of the lack of a secure cupboard. It is not clear in the short story if there were written protocols to deal with this situation. It does intone that the cornerstone of any best practices compliance program is written protocols. This includes a Code of Conduct, policies and procedures. These elements have long been memorialized in the US Sentencing Guidelines; the Department Of Justice’s (DOJs) Opinion Releases regarding compliance programs, the 2012 FCPA Guidance, both DOJ and Securities and Exchange Commission (SEC) enforcement actions, the 2019 Guidance and FCPA Corporate Enforcement Policy.
There are three levels of standards and controls, Code of Conduct standards and policies and procedures. Every company should have a Code of Conduct that expresses its ethical principles. But a Code of Conduct is not enough. The Code of Conduct is implemented through your compliance policies. It is further operationalized through your compliance procedures. The DOJ spoke to their importance in the 2019 Guidance when it stated, “As a threshold matter, prosecutors should examine whether the company has a code of conduct that sets forth, among other things, the company’s commitment to full compliance with relevant Federal laws that is accessible and applicable to all company employees.” As a corollary, prosecutors should also assess whether the company has established policies and procedures that incorporate the culture of compliance into its day-to-day operations.
In the 2019 Guidance , the DOJ has presented us with several questions you can ask around your policies and procedures and your Code of Conduct. For instance, what has been the company’s process for designing and implementing the Code of Conduct and policies and procedures? Other questions include, who has been involved in the design of the Code of Conduct and policies and procedures, have the business units been consulted prior to rolling them out? Another area of inquiry is whether the company has implemented policies and procedures which called out the illegal conduct? Another area for consideration is whether the corporate functions with ownership over the policies and procedures have been held accountable for their implementation and oversight? Finally, are they accessible to employees? How is the company communicating the policies and procedures relevant to bribery and anti-corruption compliance programs and how has the company evaluated the usefulness of these policies procedures and Code of Conduct?
The 2019 Guidance also provides some excellent points for the compliance professional around compliance policies and procedures. It lists out four general areas, with attendant questions.
Design – What is the company’s process for designing and implementing new policies and procedures, and has that process changed over time? Who has been involved in the design of policies and procedures? Have business units been consulted prior to rolling them out?
Comprehensiveness – What efforts has the company made to monitor and implement policies and procedures that reflect and deal with the spectrum of risks it faces, including changes to the legal and regulatory landscape?
Accessibility – How has the company communicated its policies and procedures to all employees and relevant third parties? If the company has foreign subsidiaries, are there linguistic or other barriers to foreign employees’ access?
Responsibility for Operational Integration – Who has been responsible for integrating policies and procedures? Have they been rolled out in a way that ensures employees’ understanding of the policies? In what specific ways are compliance policies and procedures reinforced through the company’s internal control systems?
These are just some of the questions we are going to explore throughout this month’s 31 Days to a More Effective Compliance Program, which begins tomorrow and runs through the month of May. We are going to consider the basis for your Code of Conduct and written standards through a deep dive into the Code of Conduct, the structure, form design and training on the Code of Conduct, of course with operationalization. The same consideration will be given to policies and procedures and then revising policies and procedure. We will conclude with a deep dive into policies that the DOJ has mandated you should have in any best practices compliance program. This will include gifts, travel and entertainment, charitable donations, political contributions, internal controls, facilitation payments, extortion payments and third parties. We will also discuss policies around cybersecurity as that has become such an incredibly important topic.
At the end of the 31 Days you will have a very detailed grounding on better written standards for your compliance program. You will be able to utilize the information presented to implement a more effective compliance program for your organization.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at email@example.com.
© Thomas R. Fox, 2020