Medium and Small Company Compliance
“People are doing the best that they can from their own level of consciousness.” — Deepak Chopra
If you travel on the anti-corruption seminar circuit (which is far more enjoyable than the proverbial “rubber chicken” circuit), you will hear from some of the most accomplished compliance professionals working at Fortune 50 companies. They are proud, and should be, about the compliance programs they oversee and helped design and implement. These are the “Cadillac[s]” of compliance programs. Everyone can learn important lessons from these programs. Most of these companies have compliance programs that are well designed, operate efficiently and stand out as model programs.
But for most companies these programs do not have any relevance. Approximately 40 percent of all Fortune 500 companies do not have a specific FCPA program in place, other than general statements of compliance as part of an overall code of conduct or general legal compliance program.
Most companies are designing and implementing compliance programs based on Department of Justice guidance and with the assistance of outside professionals. As companies face these issues, here are some general tips for developing compliance programs.
1. Gradually Roll Out Your Compliance Program: No business one should try and impose a new compliance regime by suddenly announcing the implementation of new policies from top-to-bottom. Buy-in is critical and can only be accomplished by rolling out parts of a compliance program in a careful and calculated way. Communication is the key and taking time to explain the rationale for compliance requirements to sales, regulatory, management and key constituencies will ensure success.
2. Develop a Realistic Schedule for Implementing Your Compliance Program: A company has to be realistic as to the timing for implementing each stage of a compliance program. All too often, I have heard CEOs direct compliance staff to “get the job done” as quickly as possible. While encouraging prompt implementation is a good policy, a company has to be committed to a realistic schedule for effective implementation.
3. Design Your Compliance Program Consistent with Available Resources: Medium and small companies do not have the resources to design and implement a “Cadillac” compliance program. Neither DOJ nor the SEC can hold medium and small companies to a standard of compliance achieved by Fortune 50 (not 500) companies which have access to abundant resources.
4. Make Sure Your Program Includes Basic Compliance Requirements: DOJ has outlined the basic requirements for a compliance program. The Federal Sentencing guidelines include basic principles, which are mirrored in the UK Bribery Act Guidance. Companies know (or should know) each of the required elements and make sure each element is addressed in the overall plan. For example, every program must be based on a “tone from the top” commitment to compliance, and every program should designate a compliance officer at a sufficiently high management level who is responsible for overseeing the program. (Whether the compliance officer is separate from the general counsel’s office can be decided based on specific circumstances). I am not going to list all of the required elements — they have been repeated over and over by the Justice Department, professional compliance advisers and almost every FCPA practitioner.
5. Do Not Get Sidetracked Into Investigating Historical Conduct: Companies need to keep their focus on the objective — designing and implementing an effective compliance program. While doing so, they are bound to uncover potential problem areas — e.g. red flags relating to third party agents. But the focus has to be on going forward, not looking backward. That is not to say the problem should be ignored; rather, a commitment needs to be made to come back and address the problem after the compliance program has been addressed.
For every company, big or small, they must abide by Deepak Chopra’s advice — “do the best you can” and everything will be all right.