December 2008 was a turning point in the history of anti-corruption compliance programs in the United States, with a record fine imposed on Siemens for a compliance program that was deemed too complacent. Since then, the courts have not only inquired into the existence of compliance programs, they have also investigated their quality. Laws have become stricter after so many scandals involving ethics.
The numerous ethical scandals have led to the distinction, in American legal practice, between the existence of an anti-corruption compliance program on the one hand, and the relevance and effectiveness of this program on the other. American justice is no longer satisfied if organizations simply follow the letter of the law; courts now demand that the spirit of the law be respected.
In other words, companies must now prove that their compliance program is fully implemented and that it is not just a “paper” compliance program. In return, the US Sentencing Enforcement Commission (USSC) promises substantial reductions in sentences or fines for companies that are serious about compliance. It is this distinction between the appearance of compliance (on paper) and actual compliance (in the field) that also allows a company not to pay for the mistakes of unscrupulous employees.
The big difference between yesterday and today is that straightforward compliance programs are no longer acceptable to the US justice system. In any anti-corruption procedure, the Attorney General will verify, on the one hand, that the incriminated company has set up a compliance program and, on the other hand, that the program is real, sincere, suited to the company and its environment, and that it is measurable and scalable. In short, American justice is no longer satisfied with quantity; it wants quality.
A compliance program should be built around eight major associated elements. The difference between a simple paper-based compliance program and a truly effective compliance program lies in how truly committed the business is to each of these eight elements. The following points summarize American Best Practices, which are internationally benchmarked. French companies, even if they are not subject to the FCPA, should look to it when developing and updating their compliance programs because the requirements in terms of integrity and honesty will continue to become more demanding. In addition, the distinction between facade and reality is now part of French business culture, because as noted by the director of the AFA, Charles Duchaine, during a speech at the Assises de la Compliance, his organization “compares appearance with reality” when it audits companies.
The compliance program must correspond to a strong ethical corporate culture driven from the highest level of the organization. A true compliance program requires the commitment of the highest-ranking executives, and must clearly and unambiguously list the points on which no one can compromise. Leaders will also need to bring their actions into line with their public statements and ensure that the compliance program is followed throughout the company at every level.
A truly effective compliance program must be free from incomprehensible jargon and meaningless verbiage. It must be clear, concise and understandable by all employees. A culture of compliance involves rules and procedures based on a code of conduct signed and, even more importantly, adopted by everyone, from the most senior to the lowest-ranking employee.
A compliance program should be under the aegis of a senior manager. It is necessary to provide the program with sufficient financial and human resources. However, simply investing millions, even tens or hundreds of millions of dollars per year in the case of multinationals, is not enough to guarantee, in the eyes of the American justice system, that a compliance program is worthy of the name.
Companies are required to assess potential breaches of integrity and honesty in all areas in which they operate. This includes in particular the sectoral, geographic, commercial, political and social arenas.
A truly effective risk assessment must therefore focus on the risks inherent in the business in terms of occurrence and severity. If an industrial group employs 100 sales agents abroad and 10 lobbyists here or there, a good risk assessment will focus in particular on the risks specific to each country concerned, the degree of involvement with national authorities, the pay structure for commercial agents and any lobbying safeguards.
In addition, risk assessment and integrity verification go beyond the scope of the company. Indeed, each company must verify that the third parties it deals with have demonstrated their integrity and that they have implemented compliance programs. Likewise, companies must verify, even before a possible merger or acquisition takes place, that their future partners have implemented a structured and effective compliance program.
Too many companies believe that it is enough to appoint compliance officers in such and such a department (accounting, legal, HR, purchasing). This means they are not paying sufficient attention to the essential need for company-wide responsibility on every level, from the lowest to the highest, and the equally essential need for continuous training programs. In other words, all relevant departments and all levels of the organization must contribute to the compliance and anti-corruption effort.
The training component must make staff aware of the various aspects of commercial integrity as well as the potential issues arising from them. It is not a question of producing biased figures aimed at relieving the company of responsibility in the event of a breach of integrity, as can be the case with a simple percentage of employees having taken such and such training. Companies should ensure that employees have truly understood the issues relating to integrity and honesty. For example, when measuring the effectiveness of a training seminar, it is strongly recommended that two questionnaires be administered, the first before the start and the second after the end of the training.
Compliance is measured at the level of an organization as a whole, from top management to the lowest levels of the company. A compliance policy worthy of the name therefore includes a scale of sanctions applicable to all. Two scenarios demonstrate the artificial nature of some compliance programs. First, when the sanctions apply to the lowest levels of the company but not to upper management. Second, when the incentives and sanctions are so minor as to be meaningless.
To be effective, any compliance program must have a procedure for allegations of fraud to be made via designated channels as well as a procedure for verification and an appropriate response.
Most companies pride themselves on their alert systems, on the grounds that they encourage their employees to contact a hotline in case of fraud or suspected fraud. In fact, in France these systems often lack a mediator or ombudsman with real powers, the creation of a truly anonymous or confidential hotline, the serious verification of allegations of fraud, procedures for the allegations to be channeled to the highest level of the company (board of directors or working group mandated by it), the response and any sanctions imposed, the publicity given to it and the measures taken to prevent a similar case from arising. Also note that these famous whistleblower hotlines are of little use when the corporate culture discourages the staff from making waves and breaking the silence.
A compliance program must put in place the structural and analytical tools necessary for a detailed self-assessment. It is about determining which elements of the program are effective, which are not, and to what extent.
American legal doctrine increasingly requires that self-assessments be carried out on a regular or even continuous basis and that they be in-depth, reliable and above all critical. The compilation of figures and statistics is not admissible if these same figures and statistics have no real meaning. To merely say that X number of employees have signed a contract on compliance, that X number of people have attended this or that training seminar, that X number of cases of suspected corruption have been sanctioned is no longer enough. The authorities are now calling for more precise and relevant answers to their questions.
According to Deloitte USA, 70% of companies make an effort to measure the effectiveness of their compliance program, but only a third of them say they are confident they are using the right tools and statistical criteria.
That an organization has established and implemented a compliance program is not, in and of itself, proof that the program is effective. Courts will require more than long lists of figures and resources. The only admissible evidence will be proof of the effectiveness and adequacy of the structures and measures put in place.
The effectiveness of a compliance program is measured by the company itself. In other words, to be considered valid, a compliance program must be tailor-made, which means it must correspond to the specifics of the company, and include the means to take into account the real risks involved in operating the company rather than simply following a pre-formatted grid.
A true compliance program should not be limited to passive compliance with legal, accounting or financial obligations. A compliance program must be effective, therefore resulting from a proactive approach driven by the highest level of the company via a two-way vertical path (from top to bottom and bottom to top) and a two-way horizontal path (from the company to its partners and vice versa).
In short, a good compliance program should be everyone’s business, and it should be carried out with objectivity and good judgment. Then the program can truly mobilize and unify everyone in the organization. A true compliance program must make integrity and honesty an essential part of the corporate culture.
by Sésame Consultants