Current Regulatory Environment
In the long-awaited guidance on Foreign Corrupt Practices Act (“FCPA”) enforcement, the Department of Justice (“DOJ”) and Securities and Exchange Commission (“SEC”) unexpectedly articulated the elements of an effective corporate compliance program for detecting and preventing FCPA violations. The guidance was welcomed because FCPA enforcement has been unrelenting with fines moving into the stratosphere. The guidance forcefully provides that effective compliance programs must be tailored to the risks associated with the business and regulators will give meaningful credit to companies that implement risk-based programs. A similar message was conveyed by the Federal Energy Regulatory Commission (“FERC”), which was recently reinforced in an order directing Barclays Bank PLC to show cause why it should not be required to pay nearly a half-billion dollars in civil and other penalties for alleged manipulation of electricity markets in and around California.
Now that regulators have the attention of general counsel, the challenge for them is to implement a process to (i) identify current and emerging compliance risks that may damage their companies financially, (ii) assess the seriousness of those risks, and (iii) put in place a control framework to manage those risks. Compliance risks are indicators that a negative event (e.g., fraud, bribery, unfair trade practices) has occurred or likely to occur that could severely impact a company’s operations, financial condition, and reputation. Detection of such risks are critical given the recently adopted whistleblower protections that encourage (through the payment of bounties) the reporting of compliance infractions to regulators.
Companies like those engaged in providing financial services, energy, health care and other highly regulated products have made compliance a priority following the adoption of a plethora of stringent regulations that have dramatically increased potential civil and criminal penalties. With regulatory bodies clearly targeting companies that do not have effective compliance controls, such companies would do well to consider the tools outlined below for managing costly compliance risks.
Effective Compliance Programs
An effective compliance program can reduce the risks of heightened regulatory scrutiny and exposure. The DOJ, SEC, FERC and other regulatory bodies have articulated leniency standards for companies that have implemented effective compliance procedures. Importantly, even if regulators do not have leniency programs, the standards for effective compliance programs have become “best practices” in corporate America because they enable a company to self-police its conduct by identifying, assessing and correcting compliance problems before they are discovered by regulators.
Compliance Risk Assessment
Effective compliance programs are grounded on a company’s periodic assessment of risks. This premise underpins the compliance standards delineated in the Federal Sentencing Guidelines, the recent DOJ/SEC guidance and other federal regulatory guidelines. A compliance risk assessment provides an early warning process for detecting compliance threats, thereby enabling a company to address compliance problems before they become violations of law. The risk assessment process identifies and assesses compliance risks, evaluates controls put in place to mitigate those risks, and monitors the effectiveness of controls on an ongoing basis.
Risk identification involves a due diligence process focused on key interviews and document review aimed at surfacing risk activities. Risk assessment focuses on evaluating and prioritizing those risk activities. Risk activities are prioritized based upon the likelihood of generating compliance violations and the severity of such violations to determine the major compliance threats to a company that must be aggressively managed.
An adequate control environment contains many elements, including policies, procedures, standards, systems, processes, audits, people, and training. Under the DOJ, SEC and FERC guidance, management must direct a review of key compliance policies, procedures, and standards, including the code of conduct and specialized compliance controls, to evaluate whether they address the most significant risks of unlawful behavior as determined by a risk assessment. Policies, procedures, and other compliance controls must be adequately communicated to employees, and employees must be held accountable through performance measures for compliance with such controls.
Regulatory Environmental Scan
To ensure that risk assessments address emerging as well as current regulatory risks, such assessments should be complemented by undertaking a regulatory environmental scan. The objectives of a regulatory scan are threefold. First, a scan identifies current and emerging regulatory and legislative initiatives that may challenge the sufficiency of existing controls to manage compliance with new laws and regulations. Second, a scan assesses the likely strategic impact to a company resulting from legislative and regulatory change (e.g., new product or market opportunities, enhanced M&A activity). Third, a scan determines the need for changes to organizational structures to better manage legislative and regulatory risks.
In conducting an environmental scan, sources should be accessed that inform specific risks, e.g., regulatory bulletins and other pronouncements, consumer complaints, attorney general investigations and litigations, national associations of regulators and legislators, industry associations, and competitor information.
Legislative and regulatory watch lists should be developed. The watch list is designed to anticipate the most critical business and compliance impacts. A watch list can enable companies to move quickly to address emerging risks and seize opportunities. Dodd-Frank and healthcare reform will increase compliance costs but will also create opportunities (e.g., change the competitive mix of an industry through enhanced M&A activity).
Finally, as legislative and regulatory changes strain a company’s infrastructure, organizational structures are needed that better align functional capabilities with strategic and compliance demands.
Effective compliance programs will undertake gap analysis to evaluate the effectiveness of a program against compliance best practices and current and emerging industry standards.
The compliance program standards delineated in the Sentencing Guidelines have become the gold standard for measuring the effectiveness of compliance programs. While these standards are not mandatory, most organizations follow them because regulators (including the DOJ, SEC and FERC) use them in making decisions about whether to prosecute a compliance violation or recommend leniency. The standards have become “best practices” in corporate America because they enable organizations to self-police their conduct by identifying, assessing, and correcting compliance problems before they are discovered by regulators.
Further, the Sentencing Guidelines provide that a company’s failure to incorporate and follow applicable industry compliance practices weigh against a finding of an effective compliance program. With that in mind, companies should consider forming compliance best practices groups to share information on industry compliance risks and best practices for achieving industry regulatory requirements.
Oftentimes specific departments within companies have compliance challenges while others have appropriate compliance control environments. In this case, an organizational assessment should be undertaken to evaluate the ability of a specific department (e.g., sales and marketing) to identify and manage compliance risks.
The primary objective of such assessment is to identify compliance gaps that are impediments to efficient and effective operation of a department, and where gaps are found, to outline corrective actions to address those gaps. The assessment may result in recommended changes to the organizational structure to align functional capabilities with compliance needs and demands.
The compliance tools discussed in this article will provide a benchmark for overall compliance effectiveness and will form the basis for further improvements to compliance programs and ultimately business decision making. Senior management should promote these tools and fully embrace any recommendations resulting from their implementation. It is critical that senior management set the right tone-at-the-top to ensure employee buy-in and ultimately good compliance behavior. Compliance is good business and every manager and employee should be accountable for maintaining effective compliance controls.
Jim Bowers heads the Compliance Risk Services group at Day Pitney LLP, a full-service law firm with primary offices in New York City, Boston, Hartford, Parsippany, NJ, and Washington, DC. He practices in the areas of corporate governance, compliance risk management, securities and antitrust law. Prior to joining the firm, Jim was Vice President, Senior Antitrust Counsel and Chief Compliance Officer at Aetna Inc. Before joining Aetna, he held a senior legal position in the Office of the General Counsel at the Securities and Exchange Commission in Washington, DC (working on appellate litigation), and before that taught law at Boston University School of Law and the University of South Carolina School of Law. In addition, Jim has lectured at Yale Law School and the University of Connecticut School of Law. Jim is a graduate of Harvard Law School.