Today, we continue our exploration of the new Department of Justice (DOJ) Compliance Counsel and the metrics laid out by Assistant Attorney General Leslie R. Caldwell who called for her review of compliance programs. These metrics for today’s consideration are:
- Does the institution review its policies and practices to keep them up to date with evolving risks and circumstances? This is especially important if a U.S.-based entity acquires or merges with another business, especially a foreign one.
- Are there mechanisms to enforce compliance policies? Those include both incentivizing good compliance and disciplining violations.
I think most compliance practitioners understand how a risk assessment fits into the design and creation of a compliance program. Yet Caldwell’s remarks drive home that risk assessments are not a one-time exercise and while she did not remark on the frequency of how often they should be performed, I think the more often the better. However, as a Chief Compliance Officer (CCO) or compliance practitioner, you do not need to perform a full forensic risk assessment to meet the metrics Caldwell has articulated.
Nonetheless, if there is one thing that I learned as a lawyer, which also applies to the compliance field, it is that you are only limited by your imagination and the same is true for risk assessments. You might try assessing other areas annually, through a more limited focused risk assessment, literally while staying at your desk and not traveling away from your corporate headquarters.
Some of the areas that such a Desktop Risk Assessment could inquire into might be the following:
- How are the risks in the C-Suite and the Boardroom being addressed?
- What are the FCPA risks related to the supply chain?
- How is risk being examined and due diligence performed at the vendor/agent level? How is such risk being managed?
- Is the documentation adequate to support the program for regulatory purposes?
- Is culture, attitude (tone from the top), and knowledge measured? If yes, can we use the information enhance the program?
- Disciplinary guidelines – Do they exist and has anyone been terminated or disciplined for a violating policy?
- Communication of information and findings – Are escalation protocols appropriate?
- What are the opportunities to improve compliance?
There are a variety of materials that you can review from or at a company that can facilitate such a Desktop Risk Assessment. You can review your company’s policies and written guidelines by reviewing anti-corruption compliance policies, guidelines, and procedures to ensure that compliance programs are tailored to address specific risks such as gifts, hospitality and entertainment, travel, political and charitable donations, and promotional activities.
Caldwell’s second metric, that we are also exploring today, is around compliance discipline and incentives. In her remarks Caldwell further inquired, “Is discipline even handed?” and then went on to add, “The department does not look favorably on situations in which low-level employees who may have engaged in misconduct are terminated, but the more senior people who either directed or deliberately turned a blind eye to the conduct suffer no consequences. Such action sends the wrong message – to other employees, to the market and to the government – about the institution’s commitment to compliance.”
I think most folks understand the need to discipline employees who may have violated the Foreign Corrupt Practices Act (FCPA) or otherwise engaged in bribery and corruption. However, many CCOs and compliance practitioners do not focus as much attention to compliance incentives. I have developed six core principles for incentives, adapted from an article in the Spring 2014 issue of the MIT Sloan Management Review entitled “Combining Purpose with Profits”, and reformulated them for the compliance function in an anti-corruption compliance program.
- Compliance incentives don’t have to be elaborate or novel. The first point is that there are only a limited number of compliance incentives that a company can meaningfully target. Evidence suggests the successful companies are the ones that were able to translate pedestrian-sounding compliance incentive goals into consistent and committed action.
- Compliance incentives need supporting systems if they are to stick. People take cues from those around them, but people are fickle and easily confused, and gain and hedonic goals can quickly drive out compliance incentives. This means that you will need to construct a compliance function that provides a support system to help them operationalize their pro-incentives at different levels, and thereby make them stick. The specific systems which support incentives can be created specifically to your company but the key point is that they are delivered consistently because it signals that management is sincere.
- Support systems are needed to reinforce compliance incentives. One important form of a supporting system for compliance incentives is to make the incentives visible. As stated in the FCPA Guidance, “Beyond financial incentives, some companies have highlighted compliance within their organizations by recognizing compliance professionals and internal audit staff. Others have made working in the company’s compliance organization a way to advance an employee’s career.”
- Compliance incentives need a “counterweight” to endure. Goal-framing theory shows how easy it is for compliance incentives to be driven out by gain or hedonic goals, so even with the types of supporting systems it is quite common to see executives bowing to short-term financial pressures. Thus, a key factor in creating enduring compliance incentives is a “counterweight”, that is any institutional mechanism that exists to enforce a continued focus on a nonfinancial goal. This means that in any financial downturn compliance incentives are not the first thing that gets thrown out the window and if my oft-cited hypothetical foreign Regional Manager misses his numbers for two quarters, he does not get fired. So the key is that the counterweight has real influence; it must hold the leader to account.
- Compliance incentive alignment works in an oblique, not linear, way. If you want your employees to align around compliance incentives, your company will have to “eschew narrow, linear thinking, and instead provide more scope for them to choose their own oblique pathway.” This means emphasizing compliance as part of your company’s DNA on a consistent basis — “the intention being that by encouraging individuals to do “good,” their collective effort leads, seemingly as a side-effect, to better financial results. The logic of “[compliance first], profitability second” needs to find its way deeply into the collective psyche of the company.”
- Compliance incentive initiatives can be implemented at all levels. Who at your company is responsible for pursuing compliance incentives? If you head up a division or business unit, it is clearly your job to define what your pro-social goals are and to put in place the supporting structures and systems described here. But what if you are lower in the corporate hierarchy? It is tempting to think this is “someone else’s problem,” but actually there is no reason why you cannot follow your own version of the same process.
Obviously this list is not exhaustive. Yet it is now more important than ever that you demonstrate tangible incentives for your employees to gain benefits, both financial and hierarchical, thorough doing business ethically, in compliance with your own Code of Conduct and most certainly in compliance with the FCPA. It is also a requirement that such actions must be documented so they can be demonstrated to the DOJ Compliance Counsel if they come knocking and look to employ the metrics which Caldwell has laid out for us all.
Ongoing risks assessments and incentivizing your compliance program are two of the most under-used tools to move forward your compliance regime.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2015