There is nothing like an internal whistleblower report about a compliance violation, the finding of such an issue, or (even worse) a subpoena from the DOJ or notice letter from the SEC to trigger the Board of Directors and senior management attention to the compliance function and the company’s compliance program. Such an event can trigger much gnashing of teeth and expressions of outrage followed immediately by proclamations “We are an ethical company.” However, it may well be the time for a very serious reality check.
You may find yourself in the position that you will have to have some very frank discussions about what to expect in terms of costs and time outlays. While much of these discussions will focus on the investigative process and those costs, these discussions will allow you to initiate the talk about remediation going forward and begin to explain why money must be budgeted for the remediation process.
One of the things rarely considered is how the investigation triggers the remediation process and what the relationship is between the two. When issues arise warranting an investigation that would rise to the Board of Directors level and potentially require disclosure to the government, there is usually a flurry of attention and activity. Everyone wants to know what is going on. Russ Berland, Senior Counsel Data Protection Law at Johnson & Johnson Consumer Health has noted, “for that short moment in time, you have everyone’s full attention.” Yet it can still be “a tricky place, because you get your fifteen minutes to really get everyone’s full attention, and from then on, you’re fighting with everybody else for their attention, like the normal things in business life.”
You need to explain the costs to the Board and senior management. As Berland said, you need to be upfront and candid in firmly stating, “To get to this place, this is what it’s going to cost.” Moreover, you need to be able to show how some companies paid very large amounts, not just in the eventual fine and penalty but also in other costs; such as shareholder lawsuits, claims and other post-resolution costs. Berland went on to say, “We want to show you how people have lost money by having to write big checks, because they didn’t take these allegations seriously. They actually saved money, because they didn’t have to write as big a check, because they took these allegations very seriously.” The bottom line is that your ROI here is going to be very high if you put the resources into remediation and do it well. This is easier with the information that was provided by the DOJ in the FCPA Corporate Enforcement Policy as it demonstrated how much discount a company can receive below the minimum range of the U.S. Sentencing Guidelines for remediation.
One of the most difficult parts is that the investigation is often done in a way in which the investigators want to maintain as tight a control over the information and privilege as they possibly can. The remediation requires output from the investigation to understand where the risk points and gaps are, both in the compliance program and the internal controls. There is a tension there and it needs to be structured in a way that information can be shared with those who are designing the remediation without fear of compromising the investigation.
Dan Chapman, former CCO at Parker Drilling and Cameron International and Founder of Presyse Consulting, also believes that costs must be adequately discussed to set proper expectations. These include both direct and, even more importantly, indirect costs to the company. Chapman noted, “the biggest cost to a company during an investigation is the diversion of management resources” and, as he further explained, “everything stops to focus on the investigation.” This indirect cost comes largely through the time commitment of senior management because “if senior management has to commit 20% of their time, that is 20% of their time that is not going towards revenue generating, shareholder value-protecting activities.”
Yet, how can you communicate this point to somebody who has not gone through a full-blown internal investigation then coupled with a federal investigation with the DOJ and Federal Bureau of Investigation involved? Understanding that the all-encompassing nature of such an event is difficult to articulate, Chapman goes through some of his past experiences as touch points. “One example would be, during my first week on the job at previous employer, the company had a worldwide conference for all of the senior managers from around the world,” he said. “At that meeting, I asked all the senior, C-level executives, ‘Over the last few years, have you spent 5% of your time on the matter?’ They raised their hands. Then, I kept escalating it: 10%, 15%, and the hands didn’t go down until about 20%. Then I explained to them, and to the audience, ‘If you got 5%, 10% or 15% more from your senior management, where would this company be? What would it be worth? What bonuses would you have gotten?’ I think this point resonated with all of them, but there was still no great way for them or for anyone to quantify these costs. How do you quantify the absence of non-compliance? How do you quantify what could have been? How do you quantify the opportunity costs of management’s time?”
You can explain the upside of compliance and do that in a manner that juxtaposes the cost. Chapman said you could mention things such as, “If you have clear policies and people know what to do, think how much easier your life would be. Instead of having to make calls and figure it out on your own every single time, you had a clear plan of action dictated by a policy.” The same types of arguments come into play in areas generally considered the purview of HR, i.e., recruiting and retention.
About recruiting Chapman posed the following for consideration, “Where do your new hires, especially recent college graduates, get their information about your company? They get it from the internet. If your company has been in trouble for bribery, what is one of the first things they see when they Google your company’s name? At the very top of their search results will be a news article about the wrongdoings or penalties. Now, how likely is a recent graduate to take his first job with a company that pays bribes, and, if he or she is willing, is that really the type of person you want to hire?” He also points out the negative impact of non-compliance on the retention of current employees by asking, “Ask yourself, is a good employee more or less likely to consider other job opportunities before or after she learns that her company pays bribes or may ask her to pay bribes?”
Yet even more than these types of points about employees in the organization, Chapman believes it is important to make it personal at the highest level of the organization; to make it as personal to your audience as possible. He suggests asking the Board and senior management “How would you feel about being involved in bribery? Rather than being something that’s only involving the company, your name and your reputation will be associated with it. How do you feel about being there?”
Obviously, the investigation will be critical for you to help understand what remediation your compliance program will need going forward. As Berland said, “Somebody found a way to get around your system. Maybe they colluded to overcome the internal controls. Maybe there was a group that simply wasn’t well trained, didn’t understand, or there was a group that was extremely well trained, and decided to do it anyway. But somehow, there are issues in the overall system of the executive tone, the governance, the compliance program, the internal controls, all at a meta level, which failed.”
You cannot find gaps in your compliance system until you stress test it. Viewed in this light, your compliance failures can be viewed as the ultimate stress test. Berland noted, “Well, guess what, you just got handed a stress test, and this is where the system broke down. Now you know there’s a gap. Well, absent the investigation, as painful and difficult as that is, that gap would have just been sitting there.” The investigation will raise information to you about the failures of your compliance program that you may not have known existed previously.
While there will be a desire by some folks to not give out any information about the investigation until it is completed and there is a final report, you must resist this at all costs. If the results of the investigation are not made available to you as the CCO or the compliance professional charged with remediating the compliance program, any such remediation will be extremely difficult, because “you’re just going off suppositions and guesses.”
He advocates there be a solid line of communication between the people who are doing the investigation and the people who are leading the remediation. Otherwise, you can only begin your remediation in the most general terms and you will not be able to deal with specific gaps in your compliance program or risks that need to be managed. Such an approach can also be a recipe for disaster. First, and foremost, the DOJ will not give you credit and you may lose the types of benefits articulated in the FCPA Corporate Enforcement Policy. Moreover, the executive attention will have dissipated and you will have lost your momentum to clean things up through a thorough remediation.