A 360-degree view of compliance is an effort to incorporate your compliance identity into a holistic approach so that compliance is in touch with and visible to your employees at all times. It is about creating a distinctive brand philosophy of compliance which is centered on your consumers. In other words, it helps a compliance practitioner to anticipate all the aspects of your employees' needs around compliance. This is especially true when compliance is either perceived as something that comes out of the home office or is perceived as the “Land of No.” A 360-degree view of compliance gives you the opportunity to build a new brand image for your compliance program. This is important as the 2020 Update mandates that for a compliance program to be effective, it must be understood by a wide variety of stakeholders.

Communications is often thought of as a two-way street, upward and downward, inbound and outbound, or side-to-side. However, it is better to think of it as a 360-degree effort. You simply can no longer effectively communicate in just two ways. You now communicate in a more holistic manner, and in multiple ways. If you are just thinking about communications in the classic form, you are missing something that is happening around you.

The best example I can provide to you is a story told to me by Louis Sapirman, Vice President and Chief Ethics and Compliance Officer at Panasonic Corporation of North America – Panasonic USA. This story happened to him in Argentina when he was the CCO at Dun & Bradstreet (D&B). Argentina has an interesting form of illegal conduct, which is an open black market for the changing of currency. Sapirman was with a colleague who was one of the leaders from the company’s South American operations and they went into a convenience store. The person who was going to sell him the product suggested that he go just around the corner and change money on the black market where he could get a much better exchange rate, almost a 100 percent difference in the exchange rate; he declined to do so. Sapirman paid and received the established bank rate in the small transaction.

He had not considered role modeling that compliance. About six months later one of his team members was in Mexico speaking to the leader of the D&B operation there. The non-compliance function employee said that he was the person who had been with Sapirman. He recounted the story of doing the right thing, when literally no one was watching. That is the power of 360-degrees in communication.

Three key takeaways:

  1. Remember the definition of 360-degrees of communication. It is an effort that moves the compliance identity into a holistic approach so compliance is in touch and visible to your employees at all times
  2. What is your objective? What are you trying to do with your 360-degrees of communications and how are you using that mechanism to deliver the objectives of your compliance program?
  3. Evaluate. You need to evaluate three factors: 1) has the message been delivered; 2) has it been heard; and 3) is it being implemented?

What are internal controls? The best definition I have come across is from Jonathan Marks who defined internal controls as:

An internal control is an action or process of interlocking activities designed to support the policies and procedures detailing the specific preventative, detective, corrective, directive and corroborative actions required to achieve the desired process outcomes or the objective(s). This, along with continuous auditing, continuous monitoring and training reasonably assures:

  • The achievement of the process objectives linked to the organization’s objectives;
  • Operational effectiveness and efficiency;
  • Reliable (complete and accurate) books and records (financial reporting);
  • Compliance with laws, regulations and policies; and
  • The reduction of risk-fraud, waste and abuse, which,

   Aids in the decline of process and policy variation, leading to more predictive outcomes.

The DOJ and SEC, in the 2020 FCPA Resource Guide, stated:

Internal controls over financial reporting are the processes used by companies to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements. They include various components, such as: a control environment that covers the tone set by the organization regarding integrity and ethics; risk assessments; control activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitoring. … The design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.

This was supplemented in the 2020 Update with a pair of pointed questions: has a company made significant investigation into its internal controls, and have they been tested and then remediated based upon the testing?

The bottom line is that internal controls are just good financial controls. The internal controls that detail requirements for third-party representatives in the compliance context will help to detect fraud, which could well lead to bribery and corruption. As an exercise, map your existing internal controls to the Ten Hallmarks of an Effective Compliance Program or some other well-known anti-corruption regime to see where gaps may exist. This will help you to determine whether adequate compliance internal controls are present in your company. From there you can move to see if they are working in practice.

Three key takeaways:

  1. Effective internal controls are required under the FCPA
  2. Internal controls are a critical part of any best practices compliance program
  3. There are four significant controls for the compliance practitioner to implement initially: (a) Delegation of authority (DOA); (b) Maintenance of the vendor master file; (c) Contracts with third parties; and (d) Movement of cash/currency

There are numerous reasons to put some serious work into your compliance policies and procedures. They are certainly a first line of defense when the government comes knocking. The 2020 Update made clear that “Any well-designed compliance program entails policies and procedures that give both content and effect to ethical norms and that address and aim to reduce risks identified by the company as part of its risk assessment process.” This statement made clear that the regulators will take a strong view against a company that does not have well thought out and articulated policies and procedures against bribery and corruption; all of which are systematically reviewed and updated. Moreover, having policies written out and signed by employees provides what some consider the most vital layer of communication and acts as an internal control. Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the “Document, Document, and Document” mantra applies just as strongly to policies and procedures in anti-corruption compliance.

The specific written policies and procedures required for a best practices compliance program are well known and long established. According to the 2020 FCPA Resource Guide, some of the risks companies should keep in mind include the nature and extent of transactions with foreign governments (including payments to foreign officials); use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments. Policies help form the basis of expectations for standards of conduct in your company. Procedures are the documents that implement these standards of conduct.

The 2020 FCPA Resource Guide ends its section on policies with the following, “Regardless of the specific policies and procedures implemented, these standards should apply to personnel at all levels of the company.” It is important that compliance policies and procedures are applied fairly and consistently across the organization. Institutional fairness demands that if compliance policies and procedures are not applied consistently, there is a greater chance that an employee dismissed for breaching a policy could successfully claim he or she was unfairly terminated. Moreover, inconsistent application of your policies and procedures will destroy the credibility of your compliance program. This last point cannot be over-emphasized. If an employee is going to be terminated for fudging their expense accounts in Brazil, you had best make sure that same conduct lands your top producer in the U.S. with the same quality of discipline.

Three key takeaways:

  1. Written compliance policies and procedures, together with the Code of Conduct, form the backbone of your compliance program.
  2. The DOJ and SEC expect a well-thought out and articulated set of compliance policies and procedures and that they be adequately communicated throughout your organization.
  3. Institutional fairness for the application of policies and procedures demands consistent application across the globe.

What is the value of having a Code of Conduct? In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven, something to wave in a regulator’s face during an enforcement action as proof of overall ethical behavior. Is such a legalistic code effective? Is a Code of Conduct more than simply your company’s internal law? What should be the goal in the creation of your company’s Code of Conduct?

The three most important things about your compliance program are “Document, Document, and Document.” The same is true in communicating your company’s Code of Conduct. You need to do more than simply put it on your website and tell folks it is there, available and that they should read it. You need to document that all employees, or anyone else that your Code of Conduct is applicable to, has received, read, and understands it. The DOJ expects each company to begin its compliance program with a very publicly announced, very robust Code of Conduct. If your company does not have one, you need to implement one forthwith.

However, your Code of Conduct is not a static document to be put on a shelf and never reviewed again. Just as your compliance program is a living entity that should be constantly evolving, the same is true for your Code of Conduct. If your company has not reviewed or assessed your Code of Conduct for five years, do so in short order, as much has changed in the compliance world. All of this has become much clearer in the age of Coronavirus. Some of the questions you should begin with include:

  • When was the last time your Code of Conduct was revised?
  • Have there been changes to your company’s business model since the last revision to the Code of Conduct?
  • Have there been changes to relevant laws relating to a topic covered in your company’s Code of Conduct?
  • Are any provisions of the Code of Conduct outdated?
  • What is the budget to revise your Code of Conduct?

Three key takeaways:

  1. Every formulation of a best practices compliance program starts with a written Code of Conduct.
  2. The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity.
  3. “Document, Document, and Document” your training and communication efforts.

In addition to a company’s senior management, there is a Board of Directors at the top. Yet the role of the Board is different than that of senior management. For the Board of Directors, the 2020 Update stated:

Oversight – What compliance expertise has been available on the board of directors? Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions? What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred?

 

Having a Board member with specific compliance expertise or heading a Compliance Committee can provide a level of oversight and commitment to achieving this goal. The DOJ enshrined this requirement in the FCPA Corporate Enforcement Policy. This means that when your company is evaluated by the DOJ, under the factors set out in the 2020 Update and FCPA Corporate Enforcement Policy, to retrospectively determine if your company had a best practices compliance program in place at the time of any violation, you need to have not only the structure of the Board-level Compliance Committee but also the specific subject matter expertise (SME) on the Board and on that committee.

Another arm of the US government has recognized the need for such expertise at the Board level. In 2015, the Office of Inspector General (OIG), in a publication entitled “Practical Guidance for Health Care Governing Boards”, called for greater compliance expertise at the Board level. The OIG said that a Board can raise its level of substantive expertise with respect to regulatory and compliance matters by adding to the Board a compliance member. The presence of such a compliance professional with SME “on the board sends a strong message about the organization’s commitment to compliance, provides a valuable resource to other board members and helps the board better fulfill its oversight obligations.”

All of this means that every Board of Directors needs a true compliance expert. Almost every Board has a former Chief Financial Officer (CFO), former head of Internal Audit or persons with a similar background, and often times these are also the Audit Committee members of the Board. Such a background brings a level of sophistication, training and SME that can help all companies with their financial reporting and other finance-based issues. So why is there not such SME at the Board level from the compliance profession?

Three key takeaways:

  1. The 2020 Update requires active Board of Director engagement and oversight around compliance
  2. Board communication on compliance is a two-way street; both inbound and outbound
  3. Does the Board of Directors have a compliance expert?