I’m old enough to remember when seatbelts were optional. And I remember people up in arms when seatbelt laws first passed. But now, my young adult children and their friends simply get in the car and buckle up without thinking (after fighting for shotgun). This is how I’ve come to think of compliance programs, and specifically good compliance policies and procedures. When risk-based, properly conceived, and well-implemented, compliance controls become second nature, invisible yet invaluable. Nearly every CEO, entrepreneur, and salesperson I know cannot fully comprehend the need for formal policies and procedures – aka “seatbelts” – they want to drive wild and free. But that attitude quickly fades after they experience their first fender bender and the traffic cops arrive.

The reality is that with hard work and good fortune, start-ups grow, perhaps expanding globally, employing hundreds of individuals, and engaging numerous third parties. In that environment, it’s not a question of if, but when. Even the Department of Justice recognizes that “no compliance program can ever prevent all criminal activity by a corporation’s employees.” In other words, “accidents” – e.g., theft, fraud, corruption, sanctions violations, or export control infractions – are bound to happen. But when someone suddenly comes from behind and rear-ends them, companies that acted proactively and imposed strong internal controls from the outset – i.e., simply put on their seatbelts when they got in the car – are far more likely to survive the crash, possibly without injury.

For all the in-house compliance professionals reading this blog, try sharing this hypothetical with your CEO when arguing for additional resources, struggling to implement new or stronger policies and procedures, and striving to act proactively:

Ask your CEO what would happen if one of his or her trusted managers was accused by a credible whistleblower of taking kickbacks. We all know that a person demanding or accepting kickbacks is going to be careful and most likely won’t leave incriminating evidence in emails or other documents. Sure, sometimes they slip up; that’s unfortunate but easy to handle. If there is supporting evidence of wrongdoing, we can confirm the whistleblower’s allegations, stop the misconduct, and evaluate an appropriate response and remediation. But what if we cannot find a smoking gun or corroborating evidence? How, if at all, do we satisfactorily close the investigation and convince the CEO he or she may continue to trust the accused?

My partners and I have conducted dozens of internal investigations where this hypothetical is reality, and it is difficult to prove the negative – i.e., that the accused was innocent and the allegations were false. But, when the company has implemented, and the accused has followed, proper compliance procedures, we can at least obtain reasonable assurance of ethical, lawful conduct. If we can show proper segregation of duties, and suitable review and approval, for example, then multiple individuals will have probed and approved the transactions at issue and the propriety of the manager’s conduct. Perhaps we can also confirm that the manager followed competitive bidding procedures and selected the most attractive bid. If the manager accepted a gift, perhaps we can show that it was within acceptable limits in terms of value and frequency, disclosed on a gift register, and/or reviewed and approved by the Compliance department. In these or similar situations, we may rely on objective evidence of transparency and oversight, making the allegations far less likely to be true. Under these circumstances, we may reasonably conclude that the credible whistleblower, even if well-intentioned, was mistaken. Perhaps the whistleblower was unaware of all of the procedures that were followed or of all of the people who reviewed and approved the transaction, i.e., others who made an independent determination that the transaction was in the best interest of the company and consistent with the manager’s obligations to the company. It’s not “proof” of innocence, but it’s reasonable assurance that goes a long way towards absolving the accused.

By contrast, if the company had poor controls in place and/or the manager failed to follow established procedures, all we have is the otherwise trusted manager’s word against the credible whistleblower’s word, and doubt will always remain. Why didn’t my manager disclose the gifts he received? Why didn’t my manager solicit competitive bids and instead represent that only the selected vendor was appropriate? Why did my manager sign the purchase contract without obtaining approval from Legal? Why did my manager approve a transaction with a potentially sanctioned entity or PEP without obtaining approval from Compliance? When these circumstances exist, there sure is a lot of smoke. Plus, other individuals, perhaps even the CEO in this hypothetical, may be at fault for a failure of oversight or willful blindness. Then suddenly the trusted manager’s conduct has cast doubt on other individuals within the company, including the trusting CEO. Things always look worse in hindsight when controls are not implemented and enforced.

I guess what I am saying is buckle up, so you can enjoy the ride.

