Documenting Your Compliance Program
I know I am like a broken record (ask my wife and kids). Sometimes I know I am repeating myself but I enjoy telling the same story or giving the same advice. I understand that can be frustrating for people.
A compliance program requires comprehensive documentation. We all know that. Tom Fox, my colleague, repeats the mantra of “document, document and document.” He and I are broken records. (I have not asked his wife if the same goes for Tom and his storytelling.)
There are two important reasons for documenting a compliance program.
First, a compliance record is valuable to a company’s compliance team as a reference to specific actions taken by compliance professionals and the business. It is a vital internal control that provides information needed to measure, audit and manage a compliance program.
Second, in the event of an inquiry by prosecutors or a regulator, a company can provide important information as to specific actions taken, the reasons for the action, and the people involved in making decisions and implementing certain actions. Prosecutors routinely approach investigations with their own mantra – “if it is not documented, it did not happen.”
Documents can be a two-edged sword – they can implicate and they can exonerate. No one can predict at the time a document is prepared (unless it is a stupid document outlining criminal conduct) whether a document will tend to incriminate or exonerate a company or an individual. It usually has to be put into context as part of an overall series of events.
In designing and implementing an effective ethics and compliance program, the question of when to document usually comes up. It is hard to adhere to a disciplined rule for documenting specific issues and events.
My general rule of thumb for documenting events and circumstances is very simple – a company or individual should document every significant event where the company or individual exercises discretion with respect to a specific action or inaction related to a compliance program.
That is quite a mouthful, but let’s break it down. When a decision is made in a compliance program that results in a specific action or inaction, that decision should be documented. Many decisions are routinely documented pursuant to a company’s compliance program.
For example, a decision to approve a third party after conducting due diligence is often documented. However, on some occasions, the reasons for that action may not be documented. That is where the rule should come into play.
Similarly, if a company decides to apply a risk-ranking formula to its third parties or categories of third parties, the reasons for applying a formula and the discretion in factors cited for the formula should all be documented.
I hate to rely on the old Justice Potter Stewart refrain for defining “obscenity,” but CCOs and other corporate actors know when to document; they just need to do it.
Documenting a compliance program does not require lengthy stream-of-consciousness memos on reams and reams of paper. In fact, in my view, the shorter the document the better. Document your discretion; keep your reasons brief and to the point; and ensure that the document is preserved.
We all have encountered the phenomenon, in our personal or business life, when we say to ourselves – “I wish I had written down what I did.” The same goes for those subject to a government investigation. Looking back on a series of events where there are no documents to corroborate a witness’ version of events, we all mutter to ourselves – I wish I wrote it down.