As regular readers of this blog know I often cite the three maxims of Paul McNutly as the basis for a good compliance program. They are the questions that the government will ask when they come knocking: (1) What did you do to prevent it?; (2) What did you find when you looked into it?; and (3) What did you do when you found out about it?. One of the keys of these ideas is that if you look for something, through investigation or audit, you cannot be afraid to find something, recognize that it is a problem, then move forward to remedy the problem and use it as a lesson learned going forward. I recently saw an advertisement in the Harvard Business Review for the Columbia Business School which was entitled, “How to realize leadership potential” it occurred to me that it was a way to think through and act upon McNulty’s point 3. So with some modification I present a practical method to implement McNulty.
1. Recognize Compliance Problem
The key here is to provide the tools to company employees through training that allow them to recognize when a compliance problem has arisen. Your compliance program must have a written Code of Conduct or other formation document which clearly articulates what is expected from the compliance perspective. However, because compliance programs also have a requisite financial controls component, as required by the books and records portion of the Foreign Corrupt Practices Act (FCPA), there also needs to be a clear policy statement which employees can read and understand. This does not mean a compliance policy written by lawyers for lawyers, with lengthy citations to the FCPA, direct cut-out quotes from the US Sentencing Guidelines and other terminology on a lawyer can read and understand. The compliance policy needs to written in plain English or at least in language that a business person can understand. There should also be a detailed statement of the compliance procedures which explain the financial process by which your company will manage the compliance risk.
All of this should be encapsulated in a training program. There are various and numerous approaches to training. It can be live, via video, through a Webex, via audio, computer based or any combination thereof. The key is to provide sufficient training to allow employees to recognize compliance problems. I tell employees that they do not have to understand all the nuances of FCPA law or make a decision on whether the FCPA has been violated. I ask them that if something strikes them as wrong; their gut tells them its an issue; or the hair on the back of their neck stands up-recognize this as a problem and move to Step 2…
2. Call for Help
So what should you do if you recognize a compliance problem? I train employees to raise there and escalate the problem. Tell your boss, call the compliance or legal department, use the hotline or do something to escalate the problem so that it can be investigated. Here the actions of the company are critical. A company must provide the training for an employee on what they are to do; where they can go. This message must be reinforced by emails, posters, reminders by management and any other form of media to communicate and keep communicating this message.
But this next part is absolutely critical. Your company must be absolutely, positively committed to accepting the employees concern and there must be NO RETALIATION. I know that every company in America will swear up and down that they embrace this basic of compliance; just as they do for all other areas where employees can bring claims, such as harassment, discrimination, SOX concerns or a myriad of others. But if there is one hint or even a whiff of retaliation, it will end, for all time, employees bringing compliance concerns up the line. All of which leads to Step 3, which is…
3. Address the Issue
There must be a thorough and competent investigation. Do not wait one or two months to perform the investigation. In addition to the mundane concern of evidence becoming stale or disappearing, the reporting employee or other witnesses being harassed; you will lose credibility the longer you wait. Employees who make such reports expect, and I believe reasonably so, for their concerns to be taken seriously. Here I do not mean have the President of your company go in front of the national press to announce the termination of the alleged wrong-doers, well before your President has the correct facts in hand, such as was the case with the recent Renault matter.
My colleague Jim McGrath, author of the Internal Investigations Blog, writes about the use and need for specialized investigative counsel to assist a company at this juncture. Even if you do not follow Jim’s advice, you must get a lawyer on the ground as soon as is possible. This lawyer should be trained in how to investigate; he/she must have an investigation protocol and a good understanding of the facts through a comprehensive review of all documents, before the interviews begin. So perhaps you do need specialized investigative counsel as Jim suggested so as not to any conflict of interest in pursuing any leads in the compliance investigation. With that we move on to Step 4, which is…
4. Apply Resolution
Here your company must be fearless. It must be not afraid of what may be found in the investigation, it must not be afraid to remedy the issue. Remember McNulty’s Maxims? The third question the government will ask is “What did you do when you found out about it?” You must follow your compliance policy. If discipline is warranted, you must administer it. The discipline must be administered fairly but equally across the globe. I once was at a company which fired Brazilian employees for making mis-statements on their expense accounts but gave a US employee a “Letter of Warning”. What kind of message do you think that action sent?
There may be other resolutions which may not require the administration of discipline. It may be that your internal controls need to be strengthened. Although not in the compliance world, how do you think Citigroup is feeling about its internal controls today; as it had an ex-employee charged with embezzling over $19MM for over a year before he was caught? But the key is to resolve the matter. Use it as a lesson learned and as a teaching tool. Do not hide the issue and if it is a FCPA violation, consult with counsel regarding a self-disclosure to the Department of Justice (DOJ) and Securities and Exchange Commission. If all this happened in your UK subsidiary and your complete your investigation after July 1st, self-disclose to the Serious Fraud Office.
I hope you can use these four steps to assist you in implementing McNulty’s Maxims. This is what the DOJ wants to see if they come knocking.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2011