Surprise! “I need in-house counsel and a compliance and ethics professional” is generally not a business’s first thought when dreaming of how to grow or create more business. At some point though, the business team realizes that adding these types of advisors makes sense. When you have been brought on board as an in-house counsel responsible for corporate compliance and ethics, you are likely tasked with building out a program to fit your company’s needs. This article presumes you have been given very little budget and few other resources to accomplish this objective. It also presumes that you are the only person dedicated to building this program as the rest of the legal team (if there are any others) doesn’t have the bandwidth to assist you substantively.
1. Believe Building the Program Matters
First, you need to believe a compliance and ethics program represents a commitment to an ethical way of conducting business and a system for helping individuals do the right thing for and with the company. Contrary to some popular business assumptions, an effective program is a lot more than a hotline. If the company has taken on the challenge of building out the program because its senior-most leaders truly believe having a robust program is good for business, your job will be considerably easier. Alas, this is not always the case. However, you can still make a positive impact. Some items to consider when it comes to the language of framing your program and gaining support from your colleagues: how the program is named - “ethics and compliance” or “compliance and ethics.” What suits the company’s emphasis and where does the program need to make an impact? Compliance tends to be more rules-based, focusing strictly on right and wrong, while putting the term ethics first may signal more focus on behavior and a willingness to talk about the situations where the lines are not as clearly defined (grey).
This article will use “Compliance and Ethics” or “C&E” for consistency with ACC’s other resources. So, as the person in charge of creating, building, improving, and evolving the program, you must believe in its foundational importance to ensure initial and ongoing engagement. You must be honest and transparent with other members to get buy-in. If you are disingenuous, it will show. Consider talking to compliance and ethics professionals in your industry to find your way to authenticity for the value of a C&E program; if you do not believe in its value, not only will your sales pitch be ineffective with the rest of the company, your challenge in building the program will likely become insurmountable.
2. C&E Programs Change Over Time
Second, as alluded to above, a C&E program does not remain static. Policies are written, curriculum developed, third parties screened, and disclosures rolled out and those all must evolve over time. Your C&E program needs to include education, communication, prevention, collaboration, compliance, incentive and enforcement measures. To be effective, your C&E program must live within the fabric of the company; it must continually develop and be a commitment from every part (functionally and geographically) of the business to doing what they do ethically, every day, every time.
3. Colleagues Within Make the Program Work
Third, as in-house counsel you should act not only with understanding of the C&E program, but also with compassion for the people with whom you work. Here are some tips to gain understanding and trust:
– Take stock: understand your colleagues and your company’s current state. Go on a “listening tour” by setting up 30-45 minute meetings with key leaders and their direct reports. If in-person is not an option, video calls work. Be present to develop rapport, understand their challenges with C&E and in the business generally, provide some level of education about C&E. Ultimately, this will help you to get to know the team and be better at appreciating what they do in the context of C&E.
– Consider the listening tour an informal assessment but make sure you have an agenda for each of these meetings: introductions (including a specific ask about when they joined and what brought them to the company); business role and team challenges – local team and broader company team; opportunities for C&E to be helpful; insist that the C&E program is more than just a “hotline”, integrate time for development and education; then next steps/follow-up.
– Between the listening tour meetings and with the “results” of completed meetings in mind, look at existing C&E program elements to identify what is in place and where the gaps exist. Locate those documents within your company; study their information and compare them to what you learned from your colleagues and continue to realize about the company. The history and existing elements might reveal what works, what doesn’t and what has been tried.
– Be realistic and avoid the temptation to take on every gap at the same time. Choose 2-3 areas where you think you can make headway, areas with gaps that pose heightened risk to the company or are concerns of leaders – maybe even all three. Lay out goals in each area.
– Communicate and socialize the goals with people you are meeting with and visit the goals again with some stakeholders as you adapt and change them; ask for input from leaders, business teams and other stakeholders to prioritize. During your discussions address those areas that you are not tackling and explain why you are not currently working on them. For instance, you could meet with the head of Internal Audit, and recall that the last time you spoke she was particularly worried about working with you on an anti-corruption project. You both know you cannot tackle everything so maybe you offer to help with interviews and policy review related to her project scope, but since your third parties are operating primarily in lower risk countries with no known red flags, you suggest adding review of third-party transactions to her project in 12-18 months. (This is one example of internal collaboration where you develop the understanding of the C&E priorities outside of the legal group while also concentrating on your own C&E goals.) Engage other stakeholders and teams such as Human Resources (HR) and Operations to collaborate and figure out ways to build C&E education, awareness and expectations into the business.
4. Focus on the Elements of Effective Programs
Looking at the approaches taken by various enforcement authorities and respected C&E commentators will help you improve your C&E program. Consider using the most stringent requirements that apply to your company as the ones to organize your program around for consistency across the company. Enforcement authorities across the globe generally have moved beyond pure compliance in favor of emphasizing the importance of establishing robust and risk-based corporate compliance programs. The United States Securities and Exchange Commission continues to stress individual accountability with a broad range of violations. While the precise formulation and detail of the guidance issued varies, for example, under the United States Sentencing Guidelines, the United Kingdom's guidance regarding the UK Bribery Act, Mexico’s privacy requirements, or the European Commission’s guidelines regarding competition law, there are key common enforcement elements you should be aware of and integrate into your program:
– Leadership and governance. A successful C&E program includes well-articulated, easy to understand internal policies and procedures built on a solid foundation of ethics endorsed by the board of directors. People associated with the C&E program, whether the Chief Ethics and Compliance Officer (CECO) or someone without that title, need to have high-ranking visibility, adequate authority, and sufficient resources to manage the program on a day-to-day basis. The CECO must also have the ear of those ultimately responsible for corporate conduct, including the board of directors. Ideally, the person reports directly to the board and may not be released from the company without approval from the board.
– Risk assessment. Understanding the nature and extent of risks everywhere the company does business is a critical first step in implementing your C&E program (remember your listening tour is an informal assessment). Evaluate enterprise risks as well as C&E risks. Collaborating with the risk management team or finance and audit team(s) often helps support the credibility of both risk assessments and can often be accomplished simply with a weekly working session. Board members and enforcement authorities now expect more formalized processes (meaning more proactive, documented and regular methods) for assessing the risks to which a company may be exposed. Develop a solid plan for implementation – it does not always have to be today/now. Yet, without such a process it will be difficult to credibly claim to have an effective or robust and risk-based program.
More than 15 years ago, the US Federal Sentencing Guidelines included risk assessments as a foundational element of and a useful way to inform the other parts of ethics and compliance programs. Also, it is part of the Anti-bribery guidance for multinational enterprises developed by the Organisation for Economic Co-operation and Development (OECD), the UK Bribery Act, etc. Risk assessments help us decide if we need different or additional policies, other communications and training, enhancing both auditing protocols and monitoring tools as well as other items. Risk assessments add to our ability to focus on improving our auditing and monitoring. The US Sentencing Guidelines require “Monitoring, auditing and evaluation of program effectiveness”.
5. Tips to Develop the Compliance & Ethics program
– Policies, procedures, standards, and controls. Create detailed, well-written, easy to understand policies but also clear procedures and protocols for ensuring those policies are implemented and followed. Avoid sounding like a lawyer. Focus on encouraging a result, behavior, or discussion. “Shall” is very traditional and often shuts off your reader; use it sparingly if at all. Adopt policies appropriate for your business. For example, a company that no longer does business in high-risk countries likely does not need as robust a program around corruption prevention as one that has people and operations in risky areas of the world.
– Internal compliance audits and monitoring within business teams help evaluate whether a particular provision – policy, procedure, contractual or other requirement – is being followed in practice by employees. They can help us measure and maintain non-financial aspects of business operations. Managers use the results to improve processes or change operations. Internal audit typically tests to specific financial requirements and controls, and overlap with a C&E audit may exist, especially in the anti-corruption transaction testing realm. It is important to plan and collaborate with other teams such as HR and Finance. (This should sound familiar from the Risk Assessment phase.)
– Training and communications. Targeted training programs are no longer just a best practice; they are becoming the standard. A study from 2017 found over half of the participating companies assign training based on risk or role. Who do you reach? On what topics? How often do you reach employees, and how do you know they understand? Consider whether the audience needs a recitation of the rule’s language, or simply the expectation about how to act. Make the message short and meaningful. These messages are harder to write but worth the investment. Keys to effective programs include live, annual training for high-risk personnel; localizing programs to each country where a company operates; and frequent updates that demonstrate an understanding of evolving trends and new legislation. How are C&E communications managed and delivered, internally and externally? Which leaders and managers are actively involved in engaging employees? What scripts and examples are shared and discussed?
– Oversight and reporting. Maintain continuous oversight of your programs (anti-corruption, anti-harassment/anti-discrimination, inclusion and diversity, no retaliation, records retention and fair competition might all fall within C&E). Retaliation happens even in the most ethical cultures. Enable confidential reporting of concerns regarding misconduct; third-party systems have more credibility and are generally preferred. In addition to establishing a monitoring system to catch problems and address them quickly, are there managers in each country of operation to make compliance reports, and to establish protocols for internal investigations and disciplinary action? What data analytics are available? Dashboard or reporting to the board?
– Response, improvements, and resources. Understand what the assessments tell you. Integrate that data with employee incident/misconduct report trends, discipline consistency, and implement changes that could help prevent or detect bad behavior. Prioritize implementation based on your business. Try to identify easy areas of improvement. What incentives are in place to encourage ethical behavior? What program modifications are called for based on investigatory findings? Where could periodic testing be implemented in partnership with internal audit? What resources are available – people, technology, counsel? Where are the opportunities to partner with Information Security/IT and Finance teams regarding records or intellectual property? What gets measured gets done.
As you build and provide data on the program, make your case for the critical resources and support first. Understand what will improve your ability to continue building and growing C&E in the company.
Additional ACC Resources:
“Creating a Compliance and Ethics Program from Scratch”, by Nirupama Pillai, ACC Docket, Volume 36, Issue 1, January-February 2018, pages 24-32.
“Checklist: Best Practices for Creating a Robust Anti-Corruption Compliance Program”, July 30, 2019, by Ogletree, Deakins, Nash, Smoak & Stewart, P.C., published by Association of Corporate Counsel, www.acc.com