5 practical compliance considerations

One need only look at the daily headlines to know that misdeeds by individual executives, employees, and even third-party vendors, can be a significant cost driver for companies with a presence in the U.S. These costs include not only massive fines imposed by government authorities when such misdeeds are brought to light, but also other significant burdens such as legal fees, internal investigations, the potential of an outside monitor, and lengthy derivative litigation. In addition to these costs, companies suffer non-quantifiable harm in damage to their reputations and distractions from their core business goals. And finally, with the increased focus by U.S. authorities to hold responsible the individual decision-makers within a company, there is increased risk of personal liability and even imprisonment for non-compliant conduct.

Given these dire consequences, it is no surprise that there has been a marked increase in efforts by companies to avoid such issues in the first place through robust policies to ensure compliance with the law. And the good news is that drafting strong compliance policies can be done with relatively little effort or expense. But what is much more difficult to attain is a written policy that is absorbed into the corporate culture and consistently followed. When I was a prosecutor, one of the first things we would ask when investigating a potential corporate fraud was whether the company had an effective compliance program or instead was relying on a mere "paper policy." Below are five practical considerations, in my experience, that are worth thinking about in developing an effective compliance policy that exists beyond mere paper on a shelf, and can help minimize the risk of resulting misconduct, investigations and expenses.

Don't Over-Promise and Under-Deliver

One of the most common mistakes made by well-intentioned companies is to create a compliance program that looks unassailable on paper - with stringent approvals, detailed protocols that will be followed in every instance, and no exceptions. Counterintuitively, such uncompromising language on paper often can lead to a weaker compliance system in practice. A true compliance program needs to align with the business realities and risk profile of the company. This often requires a company to ask: Given how we operate, will employees actually be able to follow these protocols? If the answer is no, then the requirement, even if it looks good on paper, needs to be revised to be effective. For example, a company may not want to put in place a policy that it will include audit rights in all of its contracts with vendors, if the relationship with those vendors is such that they will refuse to include such language or that the company will never be in a position as a practical matter to enforce them. If a written policy will not be enforced because of the business reality, then the policy needs to be changed to be effectively and consistently enforced.

In addition to reflecting the business reality, a "living" compliance policy needs to be written so that it is easily understood and implemented. This sounds simple, but often in practice is anything but. Companies with an international footprint need to use plain language that can be effectively translated and understood in different cultural venues. And companies must avoid highly technical definitions and expositions with legal terms, which likely will not be understood or internalized by nonlawyer employees, with limited time and a need to embrace clear rules in their day to day job.

Tone from the Top

While every company understands the importance of "tone from the top" in ensuring compliance, what is much harder to achieve in practice is converting that messaging from management into a culture of compliance throughout the company. The corporate leadership team needs to show in their actions, not just words, that they value compliance. There are many ways - big and small - to do this. For example, top management can attend the same compliance training session that line employees do, can give personal updates and reminders directly to employees on key compliance issues, and can structure incentives for promotion and remuneration around sound compliance conduct. Most importantly, when an issue of potential non-compliance arises, it must be taken seriously and, to the extent possible, management should make clear that action was taken, without any retaliation to the employee who raised the issue.

Tailored Training

Often the most important factor in whether a policy is actually implemented is training. There are many ways to develop a strong training program, but typically the best training involves interactive guidance and specific real-world examples. It is also important for multinational companies to tailor the training to the areas in which they do business. In addition to language reasons, it is important that employees understand that some conduct that may be common and acceptable in their experience may run afoul of foreign laws applicable to the company. For example, a non-U.S. employee may not be aware that the U.S. Foreign Corrupt Practices Act or U.K. Bribery Act may prohibit conduct that is common and accepted in their country. Finally, companies should document their training efforts; if misconduct is later discovered it may become important to be able to demonstrate the efforts taken to train and implement the written policies.

Trust but Verify

Similarly, it is important that the company document its efforts to audit its compliance. This is true even when gaps or failures in compliance are found; an effective compliance program should have a record of uncovering any insufficiencies, correcting them, and incorporating that process into its assessment of its risk profile. Moreover, effective auditing requires periodic review of existing policies, as regulations and company risk profiles change.

Enforce and Document

Sometimes when I am brought in as outside counsel to assist with strengthening compliance policies, clients will explain that they believe their compliance policies are all being followed because they have never heard about any problems of non-compliance. It is a common misperception that a strong compliance policy is demonstrated by a lack of any known issues of non-compliance. An extensive compliance track record devoid of any complaints, missteps, or issues is the very thing that government authorities often view as the tell-tale signs of an ineffective "paper policy" that looks good and just sits on a shelf. Companies with a realistic set of policy requirements based on the business profile, a culture of compliance, tailored training and auditing, typically will have complaints and issues of non-compliance. It is therefore important to document any such issues (under privilege where appropriate), to elevate and remediate them, and then to use them as learning experiences to improve the policy, training, or risk profile.

Obviously, each company is different and any compliance policy must be tailored to its unique business model, location, and risk profile, with the benefit of informed legal advice. But the above considerations are worthy of discussion for those seeking to transform a paper policy into a practical one.