CCOs: The Importance of Documenting a Compliance Program
Tom Fox (here) frequently reminds every one of the importance of documentation to the integrity of a compliance program. A compliance program is only as good as the documents show. This principle is especially critical when a company has to respond to a regulatory inquiry or to an enforcement action.
As we anticipate the testimony of former FBI Director James Comey in our current national political drama, the importance of contemporaneous documentation of significant events is dramatically about to play out. When internal investigations are conducted, investigators often place significant weight on the value of contemporaneous documents that record facts at or close to the time of an event.
It is important, however, to remember that documenting a compliance program serves a number of positive purposes critical to a company’s compliance program. When a decision-maker has to document the reasons for a specific action, a documentation requirement promotes consistency and critical thinking and analysis. In some cases, it leads to better decision-making and more effective consideration of competing interests.
A rigorous documentation program also promotes protection against potential commercial and contract disputes with third parties and vendors/suppliers. The existence of a document can be critical to protecting a company from litigation or disputes over pricing, terms and other significant issues.
At the board level, members of a compliance program committee depend on documentation and accurate reporting of significant program developments. If a compliance program is built on robust documentation, then reporting metrics and accomplishments are more easily verified and accurately presented to the board committee. If inaccurate information is given to the board, the chief compliance officer, along with other senior executives can be held responsible for misleading the board and creating potential risks.
To the extent a company adheres to documentation requirements, the auditing function in the company can conduct audits in a more reliable and timely fashion. When a fact is disputed, documents often resolve such a dispute as a more reliable indicator of events and actions taken by specific individuals.
Just to take the contrary view on the importance of documentation, a company has to balance the downside from a resource allocation perspective of documenting everything. There are times when a CCO has to say enough is enough, and when the value of the documentation is outweighed by the cost of such a requirement.
There is such a thing as too much documentation. Some issues do not require documentation given the risk and the remote need to preserve proof. While such an approach may itself create some slippery slope problems, CCOs have to balance the documentation requirements to ensure that he/she does not overburden business, legal and compliance actors. It is a fine line between proper documentation and unjustified documentation, but it is an issue that needs to be considered.
Also, a CCO has to be careful of creating burdensome requirements on his/her own compliance staff. A compliance department cannot be overburdened with documentation requirements that bring little benefit to the company.
In the end, as always, a company has to find the proper balance between documentation requirements and risk. Where there are real risks, a company should adhere to proper documentation requirements so that a program can be protected, assessed and audited so that the program can be continuously improved as conditions change.