Jason Hungerford and Andrew Reeves explore some of the myths they encounter in advising on compliance issues. This article was originally published by Thomson Reuters Accelus in March 2015.
01 | A company can implement a compliance policy instantly and with minimal cost
A compliance policy can be drafted in a matter of hours, but without proper implementation as part of a compliance programme such a policy may not be worth the paper it is written on. Regulators focus less on whether your compliance policy looks glossy or sounds impressive; they want to know if it actually works.
Failure to properly implement compliance systems is the key compliance risk to senior management as the policy is their commitment. Senior management needs to ensure that the policy is being lived out in practice throughout the organisation. Doing a little can be dangerous; not only will money be wasted on implementing an inadequate system, but people will then take undue comfort from it.
To work, a compliance programme needs to be properly implemented. This takes time. Although the roll-out period may be relatively quick in small organisations, in most organisations it is likely to take a significant commitment, in terms of internal staff, external resources and technology, particularly to make compliance lean, efficient and part of business as usual. That is not to say that money or human resource should simply be thrown at the problem: resources need to be allocated efficiently, focusing the majority of those resources on key risk areas or weaknesses.
02 | Finding problems is bad news; not finding problems is good news
If your company’s compliance programme is highlighting potential issues, this is in one sense good news: raising issues is one of its key functions. There is no embarrassment in having compliance issues; the test is how they are dealt with and how your compliance programme adapts to any weaknesses exposed by those issues.
If you operate in higher-risk jurisdictions and/or in higher-risk sectors and you have not dealt with compliance issues, you must ask yourself: is your company lucky, good, or has it not seriously looked? What has arisen from risk assessments, ongoing third-party due diligence and whistleblower reports? Companies stating they have had no or few known compliance breaches tend to be those with the most issues – lurking behind the scenes.
03 | My company needs to have proof of a compliance breach before it can act
If a company waits until it has proof of compliance failures, it will never act. Consider, for example, a payment of US$1 million to a consultant, Mr X, ahead of the award of a key government contract or licence. However many red flags there are surrounding the payment, it is unlikely that the company will find conclusive evidence of a bribe.
As lawyers, the conclusions or inferences that we draw in relation to compliance issues are often challenged by executives on the basis that there is no ‘evidence’. Our response is usually along the lines of ‘what more evidence do you expect there to be?’ or ‘what evidence can you find to disprove the conclusion?’. The reason for this response is twofold. First, companies and their lawyers do not have prosecutorial powers; they are unlikely, for example, to be able to compel the third-party agent to open up his bank account. Second, corporate enforcement is heavily dependent on negotiated settlements – such as deferred prosecution agreements – in relation to which the ‘standard of proof’ is malleable. In that context, the more pertinent question is generally ‘given these facts, can you tell me a better story?’
04 | Compliance is about designing and following rules that remove the capacity for human error
Rules and systems are important in certain areas, especially for the first line of defence, but ultimately compliance is about adjusting attitudes and equipping, informing and supporting judgments. Systems and controls, however sophisticated, are open to manipulation. Sophisticated compliance is about developing employees’ attitudes to deal with potential compliance issues head-on. Ethical leadership is crucial here; so is building a sense of fair play, and corporate and individual responsibility to do the right thing in borderline situations.
05 | The compliance department or the business is responsible for my company’s compliance programme
Everyone is responsible for compliance: from the sales team to the board. This is not to say that everyone has to become a compliance manager, but everyone has to discharge their duties properly, which often means referring issues to compliance and/or legal and ensuring that lessons are learned. There is a balance to be struck between the compliance function attempting to control everything, and delegating everything to the business. Central control risks losing the on-the-ground business savvy; but a decentralised, business-led implementation is often ineffective. The compliance function needs to maintain overall control and oversight, but trust the business to perform its own role.
06 | Well-drafted contractual clauses significantly mitigate the risk to my company
If a company is in a position where it is trying to get comfortable with the compliance risk of a transaction or agreement solely on the basis of contractual clauses, it should question whether the transaction itself is sound. While lawyers have traditionally been paid to document transactions rather than question them, this is no longer sufficient; internal and external lawyers have to look at the substance of arrangements being entered into rather than their form, both to protect their company and to avoid a risk of their being complicit in any wrongdoing.
07 | An e-learning programme, rolled out to every employee in my organisation, is an adequate compliance training solution
While there are certain attractions to e-training – it is cheap to roll out once it has been designed, provides an instant record of completion, and can train a lot of people quickly – it will not adequately equip employees to deal with difficult situations or judgment calls. Training on such difficult situations, which are the nub of ethical and compliance issues, needs to be done in-person for senior or higher-risk groups, using real-world case studies.
08 | Compliance software can largely automate my compliance programme
Compliance software handles certain tasks brilliantly, for example spotting unusual expense or payment patterns, organising information, and providing high-level statistics on a compliance programme. Automated systems are, however, no replacement for human judgment or common sense and depend entirely on the quality of inputs. Further, because automated systems by their nature deal with the form, rather than the substance, of a matter, they can nearly always be gamed.
09 | Presuming I am not actively involved in the corrupt activities of my third parties, I am unlikely to be held responsible for their actions
The application of the FCPA, UK Bribery Act and other jurisdictions’ analogous legislation to the actions of a company’s third parties is well-documented. What is easily forgotten is that even if primary offences under anticorruption legislation are not made out, serious offences can also be committed under predicate offences such as conspiracy, books and records or accounting offences and money laundering legislation.
10 | Compliance, unlike investigations, is not a legal issue
Compliance is ultimately about managing risks. While compliance seeks to manage various different risks (reputational, shareholder, stakeholder expectation etc.), legal risk is chief among these and generally the bottom line. This is not to say you need an army of lawyers doing compliance, but legal has a strong role to play, not only when problems are discovered but also in their prevention. It can be dangerous to separate the two – compliance personnel need at a minimum to be trained to spot legal risks and refer them accordingly. Equally, legal and investigations functions need to ensure that issues raised by investigations or legal matters are fed into compliance – lessons need to be learned and seen to be learned.