by Josh Roseman and Evan Singer
Business is booming at the Department of Justice (DOJ) and at other government enforcement agencies. Last year alone, the DOJ negotiated 35 corporate non-prosecution agreements and deferred prosecution agreements. And always lurking in the background of this corporate criminal enforcement activity is the DOJ’s September 2015 “Yates Memorandum” that incentivizes companies seeking cooperation credit from the DOJ to turn over evidence implicating individuals. In short, this is a new era of heightened government enforcement and the risk to companies, directors, officers and employees has never been higher.
The good news for companies is that the enormous financial and reputational risks associated with corporate misconduct can be mitigated by the implementation of an effective corporate compliance program. In this regard an effective corporate compliance program serves two important purposes:
First, an effective compliance program decreases the opportunities for misconduct and increases a company’s ability to detect misconduct when it occurs.
Second, the existence of an effective compliance program is a factor that prosecutors consider in determining whether to bring charges, in negotiating plea agreements, and it is also a mitigating factor for purposes of criminal sentencing under the United States Government’s Federal Sentencing Guidelines. And in some countries outside the United States, the existence of an effective corporate compliance program even serves as an affirmative defense to corporate criminal liability altogether.
Yet, at least one recent survey reveals that one-fourth of the companies surveyed had no dedicated budget for compliance training and that, in general, the companies surveyed had implemented fewer compliance steps this year compared to last. This is stunning given the enormity of the risks to be mitigated—risks that have been widely publicized by several recent high profile corporate criminal scandals.
One of the hallmarks of an effective compliance program is that a company adequately fund and resource its compliance program. The hard truth, however, is that compliance is a cost center and most compliance programs could stand to use bigger budgets, more senior management commitment, and additional resources.
In a perfect world all companies would appreciate the myriad of ways that good compliance can be good business and even drive profits. Until then, as compliance budgets are squeezed, it is imperative that companies and compliance professionals wisely allocate their compliance dollars, resources, and energy. To that end, below are some tips for how a company can get more bang for its compliance buck.
Appreciate the Hidden Value of the Risk Assessment. The DOJ does not use any formula in evaluating a compliance program. Instead, as the DOJ stated in its February 2017 guidelines on evaluating compliance programs: “each company’s risk profile and solutions to reduce its risks warrant particularized evaluation.” In other words, the DOJ expects that a company assess its risks using a sound and reasonable methodology and then tailor its compliance program to reasonably address those risks.
The obvious value of such a risk assessment is that it helps direct compliance resources towards mitigating the company’s biggest risks. Too often, however, companies fail to appreciate that a risk assessment also provides an enormous cost savings opportunity by providing the justification for where to not commit time, money, and resources. Consider, for example, the issue of FCPA training. Many well-intentioned companies “over train” huge numbers of extremely low risk, lower level employees while at the same time failing to train a much smaller number of higher risk accounts payable personnel who control the outflow of money.
Piggyback on to Existing Processes and Pick the Low Hanging Fruit. Compliance measures are most effective, and less costly to implement, when they are embedded into existing business processes. Although company-specific, there are countless opportunities for this.
If the company has an annual meeting of the work force, for example, it can add live compliance training to the agenda. Or, for example, if the company distributes a periodic newsletter, it can include a compliance related topic. Another example is that the company can add adherence to compliance policies when conducting employee performance evaluations. Similarly, the company may be able to perform the required auditing and monitoring of the compliance program by enlisting the help of internal audit personnel. Companies and compliance personnel would be well served to identify other examples applicable to their own business environments.
At bottom, implementing and maintaining an effective compliance can be a daunting and expensive exercise, but at most companies there exists plenty of untapped opportunity to do more with less.