Ethics and Compliance Programs in a Global and Brazilian Context: The 6 Principles of Compliance

In determining what may be required for a Brazilian-based company for anti-corruption compliance, attention must be given to global anti-corruption compliance practices. Among the considerations should be the best practices guidelines of the OECD and other international organizations, as well as the anti-corruption legislation, regulations and guidance of the jurisdictions in which a Brazilian company may be doing business.

A common framework exists in most countries that have implemented legislation as a party to the OECD Anti-Bribery Convention. The FCPA and the U.S. Sentencing Guidelines, the UK Bribery Act and its Ministry of Justice’s Guidance for Commercial Organisations, the French anti-corruption laws and its French Central Service for the Prevention of Corruption Guidelines and, of course, Brazil’s laws on corruption, such as Law 12.846/16, the Brazil’s Clean Company Act¹, its Decree 8.420/15², normatives and related instructions and regulations.

Although there may be peculiarities unique to each jurisdiction, all of these new laws are similar in what they expect in an ethics and compliance program (E&C program). If a Brazilian company really follows the new law in Brazil, it is likely to be in compliance with U.S. and UK law. If a company complies with the FCPA and the UK Bribery Act, they will be in compliance with most anti-bribery laws in most of the world. But for
Brazil, they will still need to cover additional issues to be in compliance with anti-corruption laws in Brazil.

Any E&C program must, at the very least, address what may be referred to as the Six Principles of Compliance. Although these Six Principles are not legally binding in most situations, they reflect the hallmarks of an effective E&C program. A company’s E&C program is an important part of the negotiations as to the disposition of an investigation. Even if an E&C program does not detect or prevent prohibited conduct, an effective
program can still result in a declination or lessen penalties and consequences.

Here are the Six Principles common to an effective global E&C program:

1. Top-Level Commitment

The tone at the top from the highest level of management is the most critical component of an effective E&C Program. Top-level commitment means “walking the walk” and not just “talking the talk.” Legal compliance is not limited to one individual or one group of individuals within a company. It extends to Boards of Directors, audit committees and others in senior positions within the company or its governing Boards or committees.

The commitment from senior management is directly reflected in the behavior and actions of middle management. The tone at the top must reinforce ethics and compliance as drivers of a culture of compliance throughout the company. The effectiveness of top-level commitment will also be measured by whether adequate funding and necessary resources are provided for compliance. Compliance officials must have appropriate stature within the company, as well as adequate independence and autonomy, including the ability to report directly to senior management, the Board of Directors or any audit committee or similar entities with oversight functions.

2. Proportionate Procedures

Companies must design, implement and enforce policies and procedures that are tailored to their structure and to the nature of their corruption risks. Many different factors need to be considered in determining how best to develop a company’s policies and procedures. Such things as sectorial risk, geographical areas of activity, the kind of business, the size of the company and how the company is organized are among the many factors that need to be taken into consideration.

The E&C Program should provide ways to motivate middle management. An effective form of whistleblowing system needs to be created that provides a non-retaliation policy and available channels to encourage and motivate employees who speak up. An E&C program should provide channels for seeking guidance.

Companies should also have in place adequate policies and procedures to handle the information in a proper manner. Companies receive information from countless sources. The inflow of information can be overwhelming. The policies and procedures should ensure that information is carefully considered on a timely basis. Mishandling information can severely harm a company.

3. Risk Assessment

A risk-based approach is a hallmark of an effective E&C program. Brazil adopted the risk-based approach in its guidelines. The effectiveness of an E&C program will be judged by the degree to which it evaluates compliance risks in its decision-making process. Companies must have an ongoing process of assessing their actual risks and the impact of a particular risk.

It is important that an E&C program be tailored not just to address legal risks. The E&C program must be designed to deter and prevent employee or third-party misconduct, whether or not the misconduct constitutes a violation of law. As part of this process of assessing risk, companies need to take steps to mitigate risks within their own organizations. Whether it be a segregation of functions, altering the assignment responsibility or taking a number of other measures, much can be done to lessen the likelihood of a violation.

4. Due Diligence

On an ongoing basis, companies need to re-examine their risk assessment process to ensure that it is focused on relevant risks. Too many companies focus on the risk of a legal enforcement action or the likelihood of being caught. Instead, the risk assessment process should focus on the underlying conduct itself. Effective due diligence should include instances when a company decides not to engage an agent or distributor.

Much has been written about how to conduct an internal investigation. Not as much has been written about the steps leading to an internal investigation. Difficult judgment calls can arise when determining whether to launch an internal investigation. In many respects, it is much like a preliminary inquiry to determine whether to launch a formal investigation.

As part of the due diligence process, agreements with third parties should include clauses that address compliance concerns. Among the the standard clauses include representations and warranties that the agent or distributor: (1) has not in the past, and will not in the future, violate anti-corruption laws, (2) is not affiliated with any government official (directly or through a close family member), (3) will permit access to the company to conduct audits when needed to ensure compliance with corruption laws and contractual requirements, (4) can be terminated if the company has reason to believe that the agent or distributor has violated (or intends to violate) an anti-corruption law, and (5) will check and address conflicts of interests on an ongoing basis.

5. Communication and Training

A zero-tolerance policy on corrupt practices must be clearly conveyed within and outside the company. Senior management must ensure that its leaders provide strong, explicit and visible support for corporate compliance policies. Communications and other messaging must reinforce and promote compliance policies through in-person meetings, emails, telephone calls, incentives and bonuses.

Anyone who may be potentially exposed to corruption situations must be trained to understand what characterizes corruption, the risks associated with corruption and the best practices to prevent corruption.

Comprehensive policies and procedures will not by themselves demonstrate an effective E&C program. To be effective, the polices and procedures must still be actively enforced, must promote awareness and understanding of the E&C program’s purpose and importance, emphasize personal accountability and responsibility and integrate company values into a framework for employee decision-making.

6. Monitoring and Review

A company should regularly review its compliance program to ensure that it is kept current for addressing evolving risks and circumstances. Appropriate controls must be put in place to ensure that the corruption-prevention policies are properly enforced. Mechanisms must also be put in place to incentivize compliance and discipline violations.

A company should “sensitize” its third parties to the company’s expectation of compliance with its policies. A company must take action if a partner or third party acting on its behalf fails to abide by its policies.

Conclusion: Preventive vs. Curative Action

These Six Principles are the hallmarks of an effective E&C program. Companies with a culture that focuses on values, risk management and innovation are more likely to succeed. Similarly, the independence of compliance officials is critical to the effectiveness of an E&C program.

The most important role of compliance is to prevent and deter fraud and non-compliant behavior. It is essential that compliance officials be involved before major business decisions are made. More successful programs are those where management and compliance officials have built ethics and compliance into the regular functioning of their companies as opposed to just another layer of controls.

Successful E&C programs echo the clear tone at the top and help reinforce the even more important tone in the middle. These people celebrate the ethical leadership that they embody. They outbehave, and they outperform. They work together to help to accomplish their goals in a compliant matter.

In short:

Set the Program Goals:

• Increase employee comfort with speaking up
• Ensure employees use the company values as a framework for decision making
• Strengthen the ethical culture
• Improve risk management capabilities
• Strengthen ethical leadership
• Meet all regulatory requirements for effective E&C programs and best practices and
• Improve third-party oversight and management

Set the Education and Communication Goals:

• Reinforce the code of conduct, ethical standards and company policy
• Promote awareness and understanding of the E&C program’s purpose and importance
• Emphasize personal accountability and responsibility
• Influence employee behavior and the ethical climate in the organization
• Promote alignment between core values and day-to-day operations and
• Integrate company values as a framework for company decision making.

Less effective E&C programs are led by those who check their boxes and look away. As a practical matter, all they create is a paper program in the hope of mitigating a penalty that may be imposed at some future date.

In contrast, effective E&C programs are led by those who hit their marks and lean in. Effective ethics and compliance leaders set ambitious goals, seek useful resources and use rigorous metrics in to inspire change and elevate behavior. They weave their programs through their companies to enhance the effectiveness of the E&C program.

¹ Lei 12.846/2013 in English at http://commonplace-­‐renatafa.blogspot.com.br/2015/08/law-­‐1284616-­‐brazils-­‐company-­‐clean-­‐act.html

² Decree 8.420/2015 in English at http://commonplace-­‐renatafa.blogspot.com.br/2015/08/decree-­‐84202015-­‐in-­‐english-­‐related-­‐to.html