“Nobody’s perfect” – the adage goes. And, as any chief compliance officer or general counsel knows, no company is perfect, either. This is why policies, procedures, and controls aimed at preventing and detecting wrongful conduct are so critical to any company compliance program. As we discussed in our last post, a company’s response to reports of misconduct by its personnel says a lot about the company’s commitment to compliance issues. This post discusses some considerations for responding to compliance concerns.
For starters, accept that discovering misconduct is a normal, expected part of having an effective compliance program. Of course, no company wants to discover that its personnel have taken actions that violate the company’s compliance program (or worse, violate applicable laws). But US enforcement authorities recognize that the existence of occasional offenses does not mean the program is not working. As the US Sentencing Guidelines (USSG), the de facto US standard for evaluating organizational compliance programs, state, "the failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct."
The first step after discovering that misconduct has occurred is to put together an appropriate response team. For a minor overseas infraction, for example, the responder may simply be a local manager, reporting to the compliance team. For more serious offenses, you may need a team of outside professionals to get to the bottom of the situation. A critical initial consideration in these situations is whether or not the matter should be handled by counsel under the attorney-client privilege. Depending on the facts and circumstances, the members of this team might also include forensic accountants and/or IT professionals (to access electronic data, if needed), in addition to outside counsel. Be prepared for unexpected twists and turns in the investigation, and modify the team composition accordingly.
Second, investigate. Regardless of the severity of the offense, the response team’s goals should be to understand (1) what happened, (2) why it happened (so that the company can take appropriate action to prevent a similar offense from happening again), and (3) whether or not the offense was isolated versus possibly indicative of larger, systemic problems. In the case of minor infractions, this may simply require interviewing the individual(s) involved. Perhaps an employee simply did not understand his or her obligations under the policy, an issue that can be remedied with a combination of policy revision, training, and corporate communications. More complex situations may require tracking payments, reconciling accounts, reviewing documents, and/or conducting interviews of persons inside and outside the company.
Next, take steps to take deal with the incident at hand. Depending on the type of misconduct discovered, there may be some difficult choices. For example, should you keep a contract your company obtained through bribery? What if a senior executive communicated that it was imperative that the company win the contract “at all costs” and/or was aware of the offending activity? Should you report the issue to government authorities? Such decisions are best made with the assistance of experienced legal counsel, in view of all of the facts and circumstances.
Handle personnel issues appropriately. Disciplinary action may be in order for any employee(s) involved in the wrongdoing, as dictated by the results of the investigation. Any disciplinary action should be fair, consistent with company policy, and proportionate to the offense. The same principles apply to outside agents and representatives involved in an incident.
Apply “lessons learned.” Finally, use what you have learned about the root cause of the violation to revisit and improve the compliance program. The Sentencing Guidelines state the following:
After criminal conduct has been detected, the organization shall take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar criminal conduct, including making any necessary modifications to the organization's compliance and ethics program.
Was this event both material and a surprise – suggesting that the risk assessment and related policies, procedures, and controls all need adjustment? Or was it one individual’s creative attempt to avoid existing controls – an attempt that had a minor impact and can readily be addressed by slight tweaks to existing procedures and controls? And, as part of the root cause analysis in any such situation, the question needs to be asked whether other similar situations may exist, that is, whether the problem may be broader than the one offense alone?
In this final stage of responding to a compliance concern, do what is required to understand the facts and manage the issues “once and for all.” Serious questions about program effectiveness are likely to be raised by regulators, senior management, the board, and other stakeholders should a similar situation arise in the near or mid-term future.