Categories
31 Days to More Effective Compliance Programs

One Month to Better Reporting and Investigations – The Investigation Protocol

After the internal report comes in and you have properly triaged the matter, you need to scope out and investigate it, promptly, thoroughly, and with competent personnel. In the 2020 Update, provided these series of questions about your internal investigations:
 Properly Scoped Investigations by Qualified Personnel – How does the company determine which complaints or red flags merit further investigation? How does the company ensure that investigations are properly scoped? What steps does the company take to ensure investigations are independent, objective, appropriately conducted, and properly documented? How does the company determine who should conduct an investigation, and who makes that determination?
 Investigation Response – Does the company apply timing metrics to ensure responsiveness? Does the company have a process for monitoring the outcome of investigations and ensuring accountability for the response to any findings or recommendations?
 Resources and Tracking of Results – Are the reporting and investigating mechanisms sufficiently funded? How has the company collected, tracked, analyzed, and used information from its reporting mechanisms? Does the company periodically analyze the reports or investigation findings for patterns of misconduct or other red flags for compliance weaknesses? Does the company periodically test the effectiveness of the hotline, for example by tracking a report from start to finish?

In a presentation, Jay Martin, and Jacki Trevino discussed the specifics of an investigation protocol. It consisted of 1) opening and categorizing the case; 2) planning the investigation; 3) executing the investigation plan; 4) determining appropriate follow-up, and 5) closing the case. If you follow this basic protocol, you should be able to work through most investigations, in a clear, concise, and cost-effective manner. Furthermore, you should have a report at the end of the day which should stand up to later scrutiny if a regulator comes looking. Finally, you will be able to “Document, Document, and Document”, not only the steps you took but why and the outcome obtained.
Three key takeaways:

  1. A written protocol, created before an investigation, is a key starting point.
  2. Create specific steps to follow so there will be full transparency and documentation going forward.
  3. Consistency in approach is critical.
Categories
31 Days to More Effective Compliance Programs

One Month to Better Reporting and Investigations – Triage of Internally Reported Allegations

One of the things that I learned from the television series M*A*S*H was the need for triage. In the hospital setting, triage is the process of determining the priority of patients’ treatments based on the severity of their condition. In the 2012 FCPA Guidance, there is a short but succinct statement, “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken.” This is considered in more expansive language in the 2020 Update to the Evaluation of Corporate Compliance Programs.  Under Part 1, Section D. Confidential Reporting Structure and Investigation Process, it stated in part, Properly Scoped Investigation by Qualified Personnel – How does the company determine which complaints or red flags merit further investigation?
Appropriate triage of allegations has several different impacts for any matter which comes to the attention of compliance. Obviously, it will help you to initially determine the seriousness of the matter. From there you can allocate an appropriate level of resources. It will also aid in your discussion with the DOJ if you must go that route. Finally, in the situation where facts come in, it provides the required documented evidence that a process was followed that you can show the government that a claim was properly scoped, as required under the Evaluation. But the key is to be prepared, not only in terms of having your investigation and notification protocols in place before an allegation comes in but also doing the proper triage so that you have an initial understanding of what you may be facing.

Three key takeaways:

  1. Compliance can learn from M*A*S*H about the need for triage.
  2. Initial triage allows you to separate the wheat of serious allegations from the chaff of more inconsequential allegations.
  3. A robust triage process allows for greater credibility with government regulators.
Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Reporting and Investigations – Internal Reporting and Whistleblowers During Layoffs

In Houston, we have experienced energy companies laying off upwards of 30% of their workforce in the US and abroad. Employment separations can be one of the trickiest maneuvers to manage in the spectrum of the employment relationship. Even when an employee is aware layoffs are coming, it can still be quite a shock when Human Resources (HR) shows up at their door and says, “Come with me.” However, layoffs, massive or otherwise, can present some unique challenges for the FCPA compliance practitioner. Employees can use layoffs to claim that they were retaliated against for various complaints, including those for concerns that impact the compliance practitioner. Yet there are several actions you can take to protect your company as much as possible.

These actions allow you to demonstrate that any laid-off employee was not separated because of a hotline or whistleblower allegation but due to your overall layoff scheme. However, it could be that you may need this person to provide your compliance department additional information, to be a resource to you going forward, or even a witness that you can reasonably anticipate the government may want to interview. If any of these situations exist, if you do not plan for their eventuality before you lay off the employee, said (now) ex-employee may not be inclined to cooperate with you going forward. Also, demonstrating that you are sincerely interested in a meritorious hotline complaint may keep this person from becoming an SEC whistleblower.

Three Key Takeaways:

  1. An employment separation is critical if an internal report has been made.
  2. Have appropriate language in your separation agreement.
  3. Treat terminated employees with dignity and respect.
Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Reporting and Investigations – Answering DOJ Questions on Confidential Reporting

What are some best practices regarding an internal reporting system? The 2012 FCPA Guidance stated, “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.”

This was expanded in the DOJ’s 2020 Guidance, in the section entitled “D. Confidential Reporting Structure and Investigation Process,” with the following language, “Another hallmark of a well-designed compliance program is the existence of an efficient and trusted mechanism by which employees can anonymously or confidentially report allegations of a breach of the company’s code of conduct, company policies, or suspected or actual misconduct. Prosecutors should assess whether the company’s complaint-handling process includes proactive measures to create a workplace atmosphere without fear of retaliation, appropriate processes for submitting complaints, and processes to protect whistleblowers.”

Three Key Takeaways:

  1. Internal reporting systems indicate a working, operationalized compliance program.
  2. There must be a solid communication line between the people doing the investigation and those leading the remediation.
  3. Your internal reporting mechanism must be trusted.
Categories
31 Days to More Effective Compliance Programs

One Month to Better Reporting and Investigations – Internal Reporting System Best Practices

What are some best practices regarding an internal reporting system? The 2012 FCPA Guidance stated, “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.” The 2019 Guidance further refined this basic requirement for a hotline with inquiries into the effectiveness of your corporate hotline, asking, “Effectiveness of the Reporting Mechanism – Does the company have an anonymous reporting mechanism, and, if not, why not?  How is the reporting mechanism publicized to the company’s employees?  Has it been used?  How has the company assessed the seriousness of the allegations it received?  Has the compliance function had full access to reporting and investigative information?” In this podcast, we detail some of the key best practices.

Three key takeaways:

  1. Get the word out to your employees about your company hotline through a variety of mediums and platforms.
  2. Train your employees on the use of the hotline.
  3. Use data from your hotline to continually update and improve your compliance program.
Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Reporting and Investigations – Specific Benefits of a Hotline: A Case Study

Is your hotline working for you? In an article, entitled, Promoting Effective Use of the Company Compliance Hotline, José Tabuena provided an excellent example of the power of a hotline. He provided a case study of a company that had not integrated its IT function into its regular compliance and ethics training programs. As such there were zero calls into the hotline by IT employees. This dynamic was changed and IT was integrated into the company’s regular compliance and ethics training. Thereafter, the hotline received several calls from IT employees indicating that there were two major areas of complaints.

The favoritism problem. HR led an investigation that included questioning all IT managers about their direct reports and employees of their unit. The company determined that there was only one instance of a manager hiring a family member (a brother-in-law), but that person did not report to the manager and was in a different section of the IT organization. This finding made clear that there were misperceptions in the IT department, which affected the department’s morale.

Manipulation of data for bonuses. The company used the hotline to obtain more information from the callers on “isolating the metrics and the managers in question.” It was determined that the bonuses of a select few IT managers were indeed influenced by a questionable data source, which was controlled by a non-manager with minimal oversight and controls.

Basic tenets of an effective hotline. This case study provided three key tenets of an effective internal reporting system:

• First, a helpline is of no value if the workforce is not aware of it.

• Second, the ethics and compliance office obtained support from the Chief Information Officer (CIO) which likely influenced the success of the training and communications delivered by the ethics and compliance staff.

• Third, the awareness of the helpline is not sufficient to ensure success as you must make sure that issues and allegations are addressed and investigated.

This case study demonstrates the power of a hotline. The company’s Compliance Department “established the credibility of the helpline as a resource to raise issues and report misconduct.

 Three key takeaways:

1. Hotlines can be powerful tools for the compliance professional.

2. Simply because you have no hotline complaints does not mean you do not have any compliance or ethics issues that need review and resolution.

3. Adequate follow-up is a key part of overall hotline effectiveness.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Reporting and Investigations – Advantages of an Internal Reporting System

While it is clear that the government expects companies to have an internal reporting system, there are benefits far beyond putting you in the government’s good graces. Companies with a more robust internal reporting system generated more reports. Dr. Welch found a group of companies he termed “power users”, which were high-level users of whistleblower reporting systems who had more activity than the average entity. These “power user” companies have several interesting characteristics. First, they are typically firms with higher quality earnings reporting. They are more profitable entities. Finally, these “power user” companies were firms with higher quality governance, as rated by the Entrenchment Index, which is used to measure how entrenched management is in a company.

Conversely, companies which were observed to be a more limited user of whistleblower reporting systems are companies that were seen to have poor governance. They are more prone to financial accounting issues, such as discretionary accruals, which could prove problematic. These tend to be smaller and less mature firms. Their overall compliance programs were generally not seen as robust or as effective as those in larger, more mature organizations. Finally, these firms, probably because they were smaller and less mature, are more prone to extreme growth and the problems associated with trying to scale up quickly.
All of this points to one unmistakable conclusion, a robust whistleblower reporting system facilitates a company’s resolution of problems before they become major problems or legal violations bringing the Securities and Exchange Commission (SEC) or DOJ calling.

Three Key Takeaways

  1. Companies with a robust whistleblower and reporting system had greater profitability and workforce productivity as measured by Return on Assets.
  2. There were fewer material lawsuits brought against the company overall and there were lower settlement costs if a lawsuit did occur.
  3. There were fewer external whistleblower reports to regulatory agencies and other authorities.
Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Reporting and Investigations – Introduction

The call, email, or tip comes into your office; an employee reports suspicious activity somewhere across the globe. That activity might well turn into an FCPA issue for your company. As the CCO, it will be up to you to begin the process which will determine, in many instances, how the company will respond. This chapter will provide you with the steps you will need to consider going forward.
This chapter will detail the two parts; internal reporting and investigations. It would seem axiomatic that organizations understand the benefits of having an internal reporting system, whether it is called a hotline, helpline, or something else. Just as plainly, a company should understand the need for effective investigations after a report comes in which might lead to a potential violation.

Three key takeaways:

  1. A robust internal reporting system will be one of the key indicia the DOJ considers.
  2. Hotline reporting can bring a visibility to problems.
  3. Hotline reports must be treated fairly and justly.
Categories
31 Days to More Effective Compliance Programs

Day 21 – Continuous Improvement in a Compliance Program

The 2020 Update was clear about the need for continuous improvement in any compliance program. It succinctly stated, “One hallmark of an effective compliance program is its capacity to improve and evolve. Implementing controls in practice will necessarily reveal areas of risk and potential adjustment. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the applicable industry standards. Accordingly, prosecutors should consider whether the company has engaged in meaningful efforts to review its compliance program and ensure it is not stale.”

Continuous improvement through monitoring or similar techniques will help keep your compliance program abreast of any changes in your business model’s compliance risks and allow growth based on new and updated best practices specified by regulators. A compliance program is, in many ways, a continuously evolving organism, just as your company is. It would be best to build a way to keep pace with the market and regulatory changes to have a truly effective anti-corruption compliance program.

 Three key takeaways:

  1. Your compliance program should be continually evolving.
  2. Monitoring and auditing are different yet complimentary tools for continuous improvement.
  3. Cultural assessment and monitoring are also now required as well.
Categories
31 Days to More Effective Compliance Programs

Day 20 – Responding to Investigative Findings

There is nothing like an internal whistleblower report about a compliance violation, the finding of such an issue, or (even worse) a subpoena from the DOJ or notice letter from the SEC to trigger the Board of Directors and senior management’s attention to the compliance function and the company’s compliance program. Such an event can trigger much gnashing of teeth and expressions of outrage followed immediately by proclamations, “We are an ethical company.” However, it may be time for a very serious reality check.

 

You may find yourself in a position where you will have some very frank discussions about what to expect in terms of costs and time outlays. While much of these discussions will focus on the investigative process and those costs, these discussions will allow you to initiate the talk about remediation going forward and explain why money must be budgeted for the remediation process.

One of the things rarely considered is how the investigation triggers the remediation process and what the relationship is between the two. When issues arise warranting an investigation that would rise to the Board of Directors level and potentially require disclosure to the government, there is usually a flurry of attention and activity. Everyone wants to know what is going on. In an interview with Russ Berland, he noted, “for that short moment in time, you have everyone’s full attention.” Yet it can still be “tricky because you get your fifteen minutes to get everyone’s full attention, and from then on, you’re fighting with everybody else for their attention, like the normal things in business life.”

Three key takeaways:

  1. A serious FCPA allegation gets the attention of the Board and senior management. Use this time to move the compliance program forward.
  2. Be aware of how your investigation can impact and even inform your remediation efforts.
  3. Be prepared to deal with the dreaded “where else” question.