How Strong Is Your Compliance Program? Will It Buckle Under FCPA Pressure?
There’s no one-size-fits-all compliance program. Depending on a variety of factors such as size, type of business, industry and risk profile, an organization should determine what is appropriate for its own needs regarding FCPA compliance program best practices. The following are 10 tips meant to provide insight into what the SEC looks for in a compliance program.
Sr. Management Commitment and a Clearly Articulated Anti-Corruption Policy:
It starts at the top; organization leaders need to walk the walk and lead by example. When involved, the SEC will assess whether an organization has a culture of compliance, not just on paper, but a program that is in full swing and led by senior management. A strong compliance program is dependent on a strong ethical culture. If senior management adheres to ethical standards, their actions will inspire middle management to help reinforce those standards right down the line. The SEC evaluates whether senior management has clearly articulated company standards, communicated them in clear terms, adhered to them thoroughly, and circulated them throughout the organization.
Code of Conduct and Compliance Policies and Procedures:
A Code of Conduct has long been seen as the foundation of a company’s overall compliance program. But a Code of Conduct and a company’s compliance policies need to be clear and concise. If a company has a large number of employees who are not fluent in English, the Code of Conduct and Compliance Policies/Procedures need to be translated into those native languages. A company also needs to have appropriate internal controls based upon the risks that it has assessed for its business model. Some risk examples are the nature and extent of transactions with foreign governments, use of third parties, gifts, travel and entertainment, and charitable and political donations.
Oversight, Autonomy, and Resources:
An organization needs to assign a senior-level executive to oversee and implement its compliance program, and provide enough resources to ensure that the organization’s compliance program is implemented effectively. The compliance function should also report to the company’s Board of Directors or an appropriate committee of the Board such as the Audit Committee. If involved, the SEC will consider whether an organization has devoted appropriate staff and resources to the compliance program based on the size, structure, and risk profile of the business.
Risk Assessment:
Risk assessment in all areas of an organization’s business is key to developing a strong compliance program. Some risk assessment examples are the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs. If the SEC looks at a company’s overall compliance program, it takes into account whether, and to what degree, the company inspects and addresses the particular risks it faces.
Training and Continuing Advice:
Communicating a compliance program is the basis of any anti-corruption compliance program. If it gets involved, the SEC will evaluate whether a company has taken steps to ensure that its policies and procedures have been communicated throughout the organization. This includes training for directors, officers, employees, and any business partners. Training should reflect the risk assessment based on the company’s business model. And the organization should devote training and resources to provide its employees the guidance and advice they need on how to comply with the company’s own compliance program.
Incentives and Disciplinary Measures:
Nobody should be beyond the compliance program’s reach, no matter where they sit in the organization’s hierarchy. There should be appropriate discipline in place and administered for any violation of the FCPA or a company’s compliance program. The SEC recognizes that positive incentives can drive compliant behavior. Incentives can include personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership. Incentives can take the form of a part of senior management’s bonuses or simply recognition on the shop floor.
Third-Party Due Diligence and Payments:
Companies should engage in risk-based due diligence to understand the qualifications and associations of their third-party partners, including their business reputations and relationships with foreign officials. An organization should articulate a business rationale for the use of its third parties. This includes an evaluation of the payment arrangement to determine whether compensation is reasonable and will not be used for corrupt payments. There should also be ongoing monitoring of third parties.
Confidential Reporting and Internal Investigation:
It’s more than just installing a hotline. Anonymous reporting should be in place for employees to report allegations of corruption or violations of the FCPA. It is just as important what a company does after an allegation is made. Once an allegation is made, organizations should have an efficient, reliable, and properly funded process in place for investigating allegations and documenting the response, including any disciplinary or remediation measures taken.
Continuous Improvement: Periodic Testing and Review:
Compliance programs that are followed in practice should uncover compliance weaknesses and require enhancements. The SEC evaluates whether organizations review and improve their compliance programs on a regular basis and do not allow them to become stale. Organizations should think seriously about their weaknesses and risk areas. Internal controls should be periodically tested through targeted audits.
Mergers and Acquisitions – Pre and Post Due Diligence:
An organization should attempt to perform as thorough a compliance due diligence as it can before purchasing a company. After a deal is closed, an acquiring entity needs to perform an FCPA audit, train all senior management and risk employees in the purchased company, and integrate the acquired entity into its compliance program.