Detect, document and deliver

When Kara Brockmeyer, head of the Foreign Corrupt Practices Act unit at the US Securities and Exchange Commission, told the business press in mid-July that her group was developing a series of cases and actions, she merely made public what chief compliance officers had already seen anecdotally. The SEC had gotten almost as much attention for its “declinations” – decisions not to prosecute companies when they voluntarily brought individual misdeeds to regulators’ attention – as it had for its prosecutions and penalties. What Brockmeyer made clear, though, is that the commission is as eager to expand its collaborative efforts as it is to nail the bad guys.

That leaves compliance professionals more eager than ever to be proactive, but not entirely sure of the next best steps. There has been a great deal of attention lately on best practices for drafting, reviewing, and executing compliance policies and procedures. Industry groups, think tanks, and advisory services have published at length on the topic. But thinking ahead, compliance officials are starting to wonder not how to create sound procedures, but how to test them, and how to know they are working.

Conversation fodder

“The experts are always going to have a black-and-white view,” says one US-based chief compliance officer on anti-bribery compliance policies.

“Simplicity is essential,” he continues. “A successful program will be simple and digestible.” He notes that a good program will be broadly applicable, making it easy for people to do the proper things and difficult to do the improper things. That is the foundation, but as a dynamic program the focus should be on “issue spotting and escalation. There should be thresholds, red-flag mandates, reports, forms.”

The CCO hastens to add that those triggers and tools are not just to create a paper trail and a record of compliance, but also “you want to mandate discussion. Complete prohibitions tend to be ignored, so you want to have the option for exceptions. Even if you have a practice of denying exceptions, you always want that option because it fosters discussion.”

In effect, appeals for exceptions are a form of self-reporting from the field, perhaps the best form of feedback. “You want to move the decision-making closest to the business managers who are closest to the external forces,” says the CCO. “The business units must follow the process of seeking guidance, and there must be an escalation process if the business units want to override the guidance, but ultimately the company must hold the business units responsible for compliance. If they are not responsible, they can market the information in a way that can lead responsibility back to the organization as a whole.”

As an example of simplicity he recalls, “we prohibited ‘facilitating payments’ long before the UK Anti-Bribery Act. That was because the differences between those and bribes are so gray as to be indistinguishable.” In another example, he says many firms capture travel and expense information that is much too low to make any difference, thus flooding themselves in data that cannot provide any insight. “A common reporting level is $50, but no $50 lunch is going to win your firm a million-dollar contract.”

Goals determine measurement

Carole Switzer, president and co-founder of the Open Compliance and Ethics Group, a nonprofit think tank, says that testing and ensuring that a program is working depends upon what the original objective of the program was. “Is it a defensive program, one to establish a safe harbor and prove to regulators that you have taken all the steps you are required to take, or is it an active program, designed to prevent or mitigate non-compliance because of the direct and indirect costs of non-compliance? What you measure depends on your goals.”

Switzer illustrates her point with two case scenarios. In case one, the defensive program, Switzer says, “you have to have a good audit trail. Show that you have analyzed your risks and made appropriate responses. What has been put into place should be well thought-out and you should be able to show how the design operates.”

In case two, the active program, the key is financial measures – follow the money. “Look at how achieving a sale or goal affects an individual. Incentives can drive bad behavior just as much as they can drive good behavior.” She is not an advocate of running a sting to uncover bad actors, but much more favors analytics. “You want to monitor activities and results: compensation, bonus, promotion, perks.”

There is a fairly broad understanding that changes in reports, actions, or violations – either more or fewer – do not necessarily translate directly to better or worse compliance. That is why it can be difficult to determine if a program is working. “It takes repeated reinforcement,” says Switzer. And it takes commitment and example from the top. “In companies with endemic problems, that is typically structural. Senior management is implicitly or even explicitly known to accept that behavior.”

Given that management has bought in, and that a robust compliance program is in place, one good approach to monitoring and oversight is a scaled or phased approach, says Thomas Fox, a former attorney who is now an independent consultant on anti-bribery compliance. “Monitoring is shallow but wide. Think big data. You want all travel and expense reports from all overseas operations so you can scan for outliers. Anything that gets flagged gets closer oversight, even an audit. That is deeper but narrower.”
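The shallow-but-wide scan with phased escalation that Fox describes, as an added example; this is not code from Fox, from foxlaw.com, or from any of the other people quoted here. The expense records are constructed, and the $50 reporting floor (the level the CCO mentions above), the per-unit median/MAD statistics, the five-record minimum and the 3.5/10 escalation thresholds are all assumptions chosen for illustration. Each unit is compared against its own spending pattern rather than a global figure, a unit with too few records is treated as having no trustworthy baseline and goes to review as a whole, and a unit where everyone claims the same amount does not produce a division by zero.

```python
"""Phased T&E monitoring: a wide, shallow scan of every expense line, with
outliers escalated to narrower, deeper review.

Added example for this page; not code from any of the people quoted or
their firms.  The records, the $50 floor, the per-unit robust statistics
and the escalation thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed sample records: (business unit, employee id, amount in USD, purpose).
SAMPLE_RECORDS = [
    ("DE", "e01", 20.00, "taxi"),             # below the reporting floor: dropped
    ("DE", "e02", 80.00, "client dinner"),
    ("DE", "e03", 90.00, "client dinner"),
    ("DE", "e04", 100.00, "client dinner"),
    ("DE", "e05", 110.00, "client dinner"),
    ("DE", "e06", 120.00, "client dinner"),
    ("DE", "e07", 130.00, "client dinner"),
    ("DE", "e08", 140.00, "client dinner"),
    ("DE", "e09", 240.00, "client dinner"),   # elevated: worth a closer look
    ("DE", "e10", 1900.00, "gift"),           # far outside the unit's pattern
    ("US", "e11", 75.00, "client lunch"),
    ("US", "e12", 75.00, "client lunch"),
    ("US", "e13", 75.00, "client lunch"),
    ("US", "e14", 75.00, "client lunch"),
    ("US", "e15", 75.00, "client lunch"),
    ("US", "e16", 75.00, "client lunch"),
    ("BR", "e17", 60.00, "client lunch"),     # too few records for a baseline
    ("BR", "e18", 400.00, "hospitality"),
    ("BR", "e19", 65.00, "client lunch"),
]

REPORTING_FLOOR = 50.00   # assumption: lines below this are noise, not leverage
MIN_BASELINE = 5          # assumption: fewer lines than this is no baseline at all
REVIEW_AT = 3.5           # assumption: MAD units beyond which a line gets a closer look
AUDIT_AT = 10.0           # assumption: MAD units beyond which a line goes to audit


def robust_scale(amounts):
    """Return (median, scale) for a unit, where scale is the median absolute
    deviation floored so that a unit in which everyone claims the same figure
    does not divide by zero."""
    m = median(amounts)
    mad = median(abs(a - m) for a in amounts)
    return m, max(mad, 0.1 * m, 1.0)


def triage(records):
    """Score every line above the reporting floor against its own unit and
    assign an escalation tier: 'monitor', 'review' or 'audit'."""
    by_unit = defaultdict(list)
    for unit, emp, amount, purpose in records:
        if amount >= REPORTING_FLOOR:
            by_unit[unit].append((emp, amount, purpose))

    results = []
    for unit, lines in sorted(by_unit.items()):
        if len(lines) < MIN_BASELINE:
            # A baseline built from a handful of lines is a false baseline:
            # send the whole unit to review rather than trust its statistics.
            for emp, amount, purpose in lines:
                results.append((unit, emp, amount, None, "review"))
            continue
        center, scale = robust_scale([a for _, a, _ in lines])
        for emp, amount, purpose in lines:
            score = abs(amount - center) / scale   # distance in MAD units
            if score >= AUDIT_AT:
                tier = "audit"
            elif score >= REVIEW_AT:
                tier = "review"
            else:
                tier = "monitor"
            results.append((unit, emp, amount, round(score, 2), tier))
    return results


def tier_counts(results):
    """How much work each tier of the phased approach generates."""
    counts = {"monitor": 0, "review": 0, "audit": 0}
    for *_, tier in results:
        counts[tier] += 1
    return counts


if __name__ == "__main__":
    flagged = triage(SAMPLE_RECORDS)
    for row in flagged:
        print(row)
    print(tier_counts(flagged))
```

On the constructed data the DE unit's $1,900 gift lands in the audit tier and the $240 dinner in review, the six identical US lunches all score zero, and the three Brazilian lines are escalated not because any one of them is an outlier but because three records are not a baseline. Median and MAD are used instead of mean and standard deviation so that the single large outlier does not inflate the scale and hide itself.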

Fox recently published a four-part series on anti-bribery compliance best practices on his website foxlaw.com. “Internally I always advise: document, document, document.” There are costs associated with all of that, but nothing near the costs of an investigation or worse, a prosecution.

“Many years ago I worked with a company that paid what was at the time a record fine: $27 million. Today that sum would not even be in the top 20. In terms of total cost to a business, the rough calculation is three to six times the cost of the fine, so there is a clear incentive to deal with problems early. You really have to be systematic because you are looking at really horrendous costs otherwise.”

Just as best practices in the FCPA compliance arena evolve, so do business practices, markets and risks, Fox notes. “If you throw in the complexities from an inter-connected global business, the task becomes even tougher. Business policies are one of the keystones of a company’s communications to its employees on what it expects and what is required of its employees. To keep policies current, they need to be evaluated and updated as appropriate. If your company fails to do so this takes away from the value of having policies in the first place.”

Beware the false baseline

There is an old adage that absence of evidence is not evidence of absence. That is what makes testing so fraught for compliance officials. A lack of reports or investigations hardly means there is nothing bad going on. Likewise, a spike in reporting or even actions in the wake of a new or revised program can come simply from heightened awareness.

Returning to the idea that compliance is not just black and white, the US-based CCO suggests that “increases in non-compliance from year one to year two of a program can show just increased awareness or less fear of retaliation.” Under the idea that a robust program will encourage discussion, individuals may be more willing to come forward with questionable practices if they believe they can get a fair hearing or the benefit of the doubt.

“Of course, increased actions can mean an actual increase in problems,” the CCO adds dryly. “Whatever the cause, you always have to review quantitative data with a qualitative eye. The timing is also important, whether you have recently conducted training.” Timing, context, and causation are essential in combating the false baseline – just because a series of measurements starts someplace does not make that starting point average or even normal. “That is why it is so important to benchmark,” he urges.

In contrast, the US-based CCO is dubious of revising practices as an exercise. “People love to update policies,” he cautions. “People who too narrowly define risk in terms of compliance may be misallocating resources.”

Anthony Miller is today co-founding partner and chief operating officer of a new private-equity firm, The Vistria Group, where he is on the front lines of compliance. But before that he was executive vice president for operations at LRN, a firm that provided compliance, ethics, and corporate governance training and that came to the fore in the wake of Sarbanes-Oxley.

His key to compliance is anecdotal. Literally. “We tell stories,” says Miller. “What has worked, what has not. What you should and should not do. The companies where we trained, the best ones kept compliance fresh by telling stories, not just by sending out updates to the compliance manual.”

He adds that the top companies also monitored the volume of whistleblower calls to their internal line. “A culture of compliance is a common theme, and one way you know that is happening is a culture of ringing.”

That is hugely important, Miller stresses, “because, from a governance standpoint, it is almost impossible to deter someone who is willful and purposeful about breaking the law. What you can do to mitigate that is create that culture of compliance. That is not just behavioral norms to do the right thing, but also for others not to be uncomfortable saying something.”