What are some best practices regarding an internal reporting system? The 2012 FCPA Guidance stated, “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.”

This was expanded in the DOJ’s 2020 Guidance, in the section entitled “D. Confidential Reporting Structure and Investigation Process”, with the following language, “Another hallmark of a well-designed compliance program is the existence of an efficient and trusted mechanism by which employees can anonymously or confidentially report allegations of a breach of the company’s code of conduct, company policies, or suspected or actual misconduct. Prosecutors should assess whether the company’s complaint-handling process includes pro-active measures to create a workplace atmosphere without fear of retaliation, appropriate processes for the submission of complaints, and processes to protect whistleblowers.”

Three Key Takeaways

  1. Internal reporting systems are clear indicia of a working, operationalized compliance program.
  2. There must be a solid line of communication between the people who are doing the investigation and the people leading the remediation.
  3. Your internal reporting mechanism must be trusted.

Late Monday, the Department of Justice (DOJ), without fanfare, released an update to its 2019 Evaluation of Corporate Compliance Programs, the 2019 Guidance. For simplicity this new document will be called the 2020 Update. The 2020 Update is most welcome news for every Chief Compliance Officer (CCO), compliance professional and corporate compliance program in the US and beyond. The reason is simple: it ends, once and for all, the dysfunctional reliance on paper compliance programs written by lawyers for lawyers and those who advocate for them. The DOJ has now articulated what both the business and compliance communities have learned: that compliance is a business process and, as a process, it can be measured, managed and, most importantly, improved. I have looked at some key big picture themes and the specific tactical steps of moving towards both continuous monitoring and continuous improvement of your compliance program. Today, I want to consider the changes in the areas of mergers & acquisitions (M&A) and your third-party risk management protocols.

Mergers and Acquisitions

Under M&A, the 2020 Update stated (all changes in italics): “F. Mergers and Acquisitions (M&A) A well-designed compliance program should include comprehensive due diligence of any acquisition targets, as well as a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls. Pre-M&A due diligence, where possible, enables the acquiring company to evaluate more accurately each target’s value and negotiate for the costs of any corruption or misconduct to be borne by the target. Flawed or incomplete pre- or post-acquisition due diligence and integration can allow misconduct to continue at the target company, causing resulting harm to a business’s profitability and reputation and risking civil and criminal liability.”

The specific questions posed by the 2020 Update are:

  • Due Diligence Process – Was the company able to complete pre-acquisition due diligence and, if not, why not? Was the misconduct or the risk of misconduct identified during due diligence? Who conducted the risk review for the acquired/merged entities and how was it done? What is the M&A due diligence process generally?
  • Integration in the M&A Process – How has the compliance function been integrated into the merger, acquisition, and integration process?
  • Process Connecting Due Diligence to Implementation – What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process? What has been the company’s process for implementing compliance policies and procedures, and conducting post-acquisition audits, at newly acquired entities?

The clear emphasis of the DOJ is on the pre-acquisition phase in M&A work. Were you prevented from engaging in pre-acquisition due diligence because of some rule or regulation? If so, what did you do about it? Did you take the approach Halliburton took, seeking DOJ input, which resulted in Opinion Release 08-02? Was your post-acquisition integration protocol more robust? If so, how? Also, after closing, did you perform a full audit of the acquired entity? For the sake of your compliance program, I hope you did. Yet the clear emphasis here was on the pre-acquisition phase.

Pre-acquisition due diligence provides an early assessment which will inform the transaction research and evaluation phases. This could include an objective view of the risks faced and the level of risk exposure, such as best/worst case scenarios. A pre-acquisition risk assessment could also be used as a lens through which to view the feasibility of the business strategy and help to value the potential target.

The next step is to develop the risk assessment as a base document. From this document, you should be able to prepare a focused series of queries and requests to be put to the target company. Thereafter, company management can use this pre-acquisition risk assessment to determine what might be required in the way of post-acquisition integration. It would also help to inform how the corporate and business functions may be affected. It should also assist in planning for the timing and anticipated overall expenses of post-acquisition integration. These costs are not insignificant and they should be thoroughly evaluated in the decision-making calculus.

Third Parties

Even in 2020, third parties still represent the highest risk under the Foreign Corrupt Practices Act (FCPA). Here the DOJ noted, “Prosecutors should also assess whether the company knows the business rationale for needing the third party in the transaction, and the risks posed by third-party partners, including the third-party partners’ reputations and relationships, if any, with foreign officials…In sum, a company’s third-party management practices are a factor that prosecutors should assess to determine whether a compliance program is in fact able to ‘detect the particular types of misconduct most likely to occur in a particular corporation’s line of business.’”

The DOJ then posed the following questions:

  • Management of Relationships – How has the company considered and analyzed the compensation and incentive structures for third parties against compliance risks? How does the company monitor its third parties? Does the company have audit rights to analyze the books and accounts of third parties, and has the company exercised those rights in the past? How does the company train its third party relationship managers about compliance risks and how to manage them? How does the company incentivize compliance and ethical behavior by third parties? Does the company engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?

It is the new final question, coupled with the new language in the preamble to the section on third parties, which is so significant. It makes clear that management of third parties is a process, and one that must continue on an ongoing basis throughout the lifetime of the relationship with your organization. This also re-emphasizes the importance of managing the relationship, from the compliance perspective, after the contract is executed. Your role in the compliance function is not simply to review due diligence and add compliance terms and conditions to the contract. Your role is to oversee the relationship which the business sponsor manages on the ground. This is fully operationalizing your compliance regime.

Join me tomorrow where I take a deep dive into the 2020 Update to explore the updated role of the CCO and compliance function.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2020

What are some best practices regarding an internal reporting system? The 2012 FCPA Guidance stated, “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.” The 2019 Guidance further refined this basic requirement for a hotline with inquiries into the effectiveness of your corporate hotline, asking, “Effectiveness of the Reporting Mechanism – Does the company have an anonymous reporting mechanism, and, if not, why not? How is the reporting mechanism publicized to the company’s employees? Has it been used? How has the company assessed the seriousness of the allegations it received? Has the compliance function had full access to reporting and investigative information?” In this podcast, we detail some of the key best practices.

Three key takeaways:

  1. Get the word out to your employees about your company hotline through a variety of mediums and platforms.
  2. Train your employees on the use of the hotline.
  3. Use data from your hotline to continually update and improve your compliance program.

Late Monday, the Department of Justice (DOJ), without fanfare, released an update to its 2019 Evaluation of Corporate Compliance Programs, the 2019 Guidance. For simplicity this new document will be called the 2020 Update. The 2020 Update is most welcome news for every Chief Compliance Officer (CCO), compliance professional and corporate compliance program in the US and beyond. The reason is simple: it ends, once and for all, the dysfunctional reliance on paper compliance programs written by lawyers for lawyers and those who advocate for them. The DOJ has now articulated what both the business and compliance communities have learned: that compliance is a business process and, as a process, it can be measured, managed and, most importantly, improved. Yesterday, I looked at some key big picture themes. Today, I want to focus specifically on the tactical steps of moving towards both continuous monitoring and continuous improvement of your compliance program.

These twin concepts are perhaps the biggest modifications in the 2020 Update. The changes began in Section 1 – Risk Assessments which stated (all changes noted in italics):

  • Updates and Revisions – Is the risk assessment current and subject to periodic review? Is the periodic review limited to a “snapshot” in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures, and controls? Do these updates account for risks discovered through misconduct or other problems with the compliance program?
  • Lessons Learned – Does the company have a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region?

The question-by-question analysis begins with “Is the periodic review limited to a ‘snapshot’ in time or based upon continuous access to operational data and information across functions?” Do you have access to continuous and real-time transactional data at your organization? How about across silos within your organization? Most likely the answer to both is “no”. This means you no longer have a best practices compliance program at this point in time. How can you garner such information?

If you find yourself in this situation, how do you begin to address it? My suggestion would be to begin with your highest risk activity, most likely sales. Go to each point in the sales cycle: (1) Prospecting, (2) Contacting, (3) Qualifying for Tender Process, (4) RFQ and RFP, (5) Contract Negotiation and (6) Contract Execution. Pull compliance-related data from each one of these data points and begin your updated risk assessment there. The next question found in the Updates and Revisions subsection ties into the sole question found in the Lessons Learned subsection. They both relate to the single inquiry of how you used the data. Did you incorporate your findings into updating your compliance program?

While there is only one question in the Lessons Learned section, it is a compound question. It not only enquires about data you may have obtained through your own work but also from other companies in your industry operating in the same geographic region. Without commenting on the potential anti-trust aspects of this issue, if there is public source information available to you (and there always is), how are you using this information in your compliance regime? This can be as simple as having your fully operationalized employee base keep their eyes and ears open at trade shows or any other gatherings of industry employees.

Also embedded in these two questions is another old theme in compliance: is there sufficient documentation in your compliance program? But here the question is about the documentation of the data garnered and how you utilized that data. I have long preached the mantra of Document, Document, and Document, and this mantra is as important now as it has ever been. It is not simply that if it is not documented, it never happened in the government’s eyes. It is that if you documented the basis for your decision, then you can explain your decision-making calculus. Remember, no compliance professional, compliance program or even a company under Foreign Corrupt Practices Act (FCPA) investigation or scrutiny has ever been punished for making an incorrect decision where a sufficient and documented business justification was in place. Such entities and persons have been sanctioned when there was no documentation in place.

The next area for continuous monitoring and continuous improvement was in an area of compliance which is not normally associated with those concepts, Policies and Procedures. Here the 2020 Update stated:

  • Design – What is the company’s process for designing and implementing new policies and procedures and updating existing policies and procedures, and has that process changed over time? Who has been involved in the design of policies and procedures? Have business units been consulted prior to rolling them out?
  • Accessibility – How has the company communicated its policies and procedures to all employees and relevant third parties? If the company has foreign subsidiaries, are there linguistic or other barriers to foreign employees’ access? Have the policies and procedures been published in a searchable format for easy reference? Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?

When was the last time your policies and procedures were updated? Perhaps more importantly under the 2020 Update, what was your process for doing so? Was there any rigor around your process? Did that rigor include incorporating information and data collected through continuous monitoring, real-time monitoring or continuous access to operational data and information across functions? As a new element, the 2020 Update asks whether you have tracked who is looking at your policies and procedures and where those readers are located, as data points for you to consider in updating your compliance program.

The final area in the 2020 Update for consideration is appropriately called Continuous Improvement, Periodic Testing and Review and is found in the subsection titled Evolving Updates. It reads:

  • How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? Has the company undertaken a gap analysis to determine if particular areas of risk are not sufficiently addressed in its policies, controls, or training? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries? Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?

Similar to the language under Risk Assessment, this compound question considers the adaptation of a compliance program based on your own lessons learned but also on those of other companies. The new element is the phrase “other companies facing similar risks.” Think about how this language would apply to any company operating in China, West Africa or any other high-risk region of the globe. I would interpret this to mean every CCO and compliance practitioner needs to stay abreast of international anti-corruption enforcement actions wherever your company may be doing business.

Join me tomorrow where I take a deep dive into the 2020 Update to explore it from another tactical perspective.


Is your hotline working for you? In an article entitled “Promoting Effective Use of the Company Compliance Hotline”, José Tabuena provided an excellent example of the power of a hotline. He provided a case study of a company which had not integrated its IT function into its regular compliance and ethics training programs. As a result, there were zero calls into the hotline by IT employees. This dynamic was changed and IT was integrated into the company’s regular compliance and ethics training. Thereafter, the hotline received several calls from IT employees, which revealed two major areas of complaint. The first concerned family members who were hired and perceptions of favoritism. The second related to allegations that certain managers were manipulating data to maximize their bonuses.

This case study demonstrates the power of a hotline. The company’s Compliance Department “established the credibility of the helpline as a resource to raise issues and report misconduct. The concerns regarding nepotism and conflicts of interest were taken seriously, and although the violations were not as widespread as the calls indicated, the review went a long way to clear the air.” Equally important, the helpline proved to be a successful management tool as well. The company was able to manage potential compliance issues and improve employee morale.

Three key takeaways:

  1. Hotlines can be powerful tools for the compliance professional.
  2. Simply because you have no hotline complaints does not mean you do not have any compliance or ethics issues which need review and resolution.
  3. Adequate follow up is a key part of overall hotline effectiveness.