Tag: Policies and Procedures

Categories
31 Days to More Effective Compliance Programs

Day 31 to a More Effective Compliance Program: Day 13 – Policies and Procedures

There are numerous reasons to put some serious work into your compliance policies and procedures. They are certainly the first line of defense when the government comes knocking. The 2023 ECCP made clear that “Any well-designed compliance program entails policies and procedures that give both content and effect to ethical norms and that address and aim to reduce risks identified by the company as part of its risk assessment process.” This statement made clear that the regulators will take a strong view against a company that does not have well-thought-out and articulated policies and procedures against bribery and corruption, all of which are systematically reviewed and updated. Moreover, having policies written out and signed by employees provides what some consider the most vital layer of communication and acts as an internal control. Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the “Document, Document, and Document” mantra applies just as strongly to policies and procedures in anti-corruption compliance.

Three key takeaways:

1. Written compliance policies and procedures, together with the Code of Conduct, form the backbone of your compliance program.

2. The DOJ and SEC expect a well-thought-out and articulated set of compliance policies and procedures and that they be adequately communicated throughout your organization.

3. Institutional fairness for the application of policies and procedures demands consistent application of your policies and procedures across the globe.

Categories
Blog

Policies and Procedures

There are numerous reasons to put some serious work into your compliance policies and procedures. They are certainly a first line of defense when the government comes knocking. The 2023 ECCP made clear that “Any well-designed compliance program entails policies and procedures that give both content and effect to ethical norms and that address and aim to reduce risks identified by the company as part of its risk assessment process.” This statement made clear that the regulators will take a strong view against a company that does not have well thought out and articulated policies and procedures against bribery and corruption; all of which are systematically reviewed and updated. Moreover, having policies written out and signed by employees provides what some consider the most vital layer of communication and acts as an internal control. Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the “Document, Document, and Document” mantra applies just as strongly to policies and procedures in anti-corruption compliance.

The specific written policies and procedures required for a best practices compliance program are well known and long established. According to the 2020 FCPA Resource Guide 2nd edition, some of the risks companies should keep in mind include the nature and extent of transactions with foreign governments (including payments to foreign officials); use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments. Policies help form the basis of expectations for standards of conduct in your company. Procedures are the documents that implement these standards of conduct.

Compliance policies do not guarantee employees will always make the right decision. However, the effective implementation and enforcement of compliance policies demonstrate to the government that a company is operating professionally and ethically for the benefit of its stakeholders, its employees and the community it serves.

There are five general elements to a compliance policy, which should stake out the following:

  • Identify who the compliance policy applies to;
  • Set out the objective of the compliance policy;
  • Describe why the compliance policy is required;
  • Outline examples of both acceptable and unacceptable behavior under the compliance policy; and
  • Lay out the specific consequences for failure to comply with the compliance policy.

The 2023 ECCP went further by requiring an assessment whether a company has established policies and procedures that incorporate the culture of compliance into its day-to-day operations, through a design which is appropriate to the organization, based upon that organization’s assessed risks.

Design––What is the company’s process for designing and implementing new policies and procedures and updating existing policies and procedures, and has that process changed over time? Who has been involved in the design of policies and procedures? Have business units been consulted prior to rolling them out?

Comprehensiveness––What efforts has the company made to monitor and implement policies and procedures that reflect and deal with the spectrum of risks it faces, including changes to the legal and regulatory landscape?

The 2023 ECCP Evaluation mandated there must be communication of your compliance policies and procedures throughout the workforce and relevant stakeholders such as third parties and business venture partners.

Accessibility––How has the company communicated its policies and procedures to all employees and relevant third parties? If the company has foreign subsidiaries, are there linguistic or other barriers to foreign employees’ access? Have the policies and procedures been published in a searchable format for easy reference? Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?

Responsibility for Operational Integration––Who has been responsible for integrating policies and procedures? Have they been rolled out in a way that ensures employees’ understanding of the policies? In what specific ways are compliance policies and procedures reinforced through the company’s internal control systems?

Moreover, just as risks evolve, your policies and procedures should evolve. The 2023 ECCP asked the following questions:

  • How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices?
  • Has the company undertaken a gap analysis to determine if particular areas of risk are not sufficiently addressed in its policies, controls, or training?
  • What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries?
  • Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?

The bottom line is that the DOJ expects updates to your policies and procedures needed to be reviewed on a regular basis and updated as your risks evolve.

Finally, the 2020 FCPA Resource Guide, 2nd edition, ends its section on policies with the following, “Regardless of the specific policies and procedures implemented, these standards should apply to personnel at all levels of the company.” It is important that compliance policies and procedures are applied fairly and consistently across the organization. Institutional fairness demands that if compliance policies and procedures are not applied consistently, there is a greater chance that an employee dismissed for breaching a policy could successfully claim he or she was unfairly terminated. Moreover, inconsistent application of your policies and procedures will destroy the credibility of your compliance program. This last point cannot be over-emphasized. If an employee is going to be terminated for fudging their expense accounts in Brazil, you had best make sure that same conduct lands your top producer in the U.S. with the same quality of discipline.

Categories
Blog

The Importance of Tailored Policies for Compliance and Risk Management

In compliance and risk management, one size does not fit all. Generic policies and procedures may seem convenient but can lead to compliance risks and potential harm. This is why the Securities and Exchange Commission (SEC) stresses the need for well-designed, tailored policies and procedures in areas such as anti-money laundering (AML) and cybersecurity.

In a recent “Compliance into the Weeds episode,” Tom Fox and Matt Kelly highlighted the importance of tailored policies for compliance, and risk management was discussed in detail. They discussed the case of Deutsche Bank, where the SEC imposed sanctions due to faulty policies. The bank had taken generic policies not specific to their mutual fund obligations and declared them their AML program. This cut-and-paste approach led to compliance risks and inconsistencies that caught the attention of regulators.

The case also serves as a reminder of the potential consequences of misleading marketing practices without proper procedures. The SEC sanctioned DWS $25 million for failures around ESG disclosures and a poor AML program. In both instances, faulty policies and procedures were identified as the root cause of the compliance failures.

The key takeaway from this case is that companies should conduct risk assessments and gap analyses to identify their specific needs and design appropriate policies. A good risk assessment is the foundation for crafting effective policies and procedures. It helps organizations understand their risks, evaluate their controls, and determine the necessary steps to mitigate them.

The impact on employees when designing policies and procedures should be considered. Simply copying and pasting language from regulations without considering the organization’s unique structure, technology, and transactions can lead to confusion and compliance risks. Employees need clear guidance on their duties and responsibilities; generic policies do not provide that clarity.

Compliance officers should create policies and procedures tailored to their organization’s needs and risks to avoid compliance risks and potential harm. Considering the organization’s specific circumstances, resources, and capabilities requires a thoughtful approach. It also requires regular risk assessments, gap analyses, and monitoring of policy effectiveness.

How to do so? The 2020 FCPA Resource Guide, 2nd edition, provided guidance. It stated, “When assessing a compliance program, DOJ and SEC will review whether the company Guiding Principles of Enforcement has taken steps to ensure that the Code of Conduct remains current and effective and whether a company has periodically reviewed and updated its Code.” [emphasis supplied] Some of the questions you should consider are:

  • When was the last time your policies and procedures were released or revised?
  • Have there been changes to your company’s internal controls since the last revision?
  • Have there been changes to relevant laws relating to a topic covered in your company’s policies and procedures?
  • Are any of the policies and procedures outdated?
  • What is the budget to create/revise your policies and procedures?

After considering these issues, you should benchmark your current policies and procedures against other companies in your industry. If you decide to move forward, I suggest a process that can be fully documented to include revisions to your compliance policies and procedures.

Get buy-in from the senior leadership of your company. Your company’s highest level must mandate revising compliance policies and procedures. The CEO, GC, CCO, or all three should demand this effort. Whoever gives the order should be consulted at every step of the revision process of the policies and procedures if it involves a change in the direction of key policies.

Establish a core policies and procedures revision committee. It would be best if you had a cross-functional working group that would be ideal to advance your effort to revise your compliance policies and procedures. This group should include representatives from the following departments: legal, compliance, communications, and HR; there should also be other functions that represent the company’s domestic and international business units. Finally, there should be functions within the company described, such as finance and accounting, IT, marketing, and sales.

From this large group, the topics can be assigned for initial drafting to functions based on their relevance or necessity. These functions would also solicit feedback from their functional peers and deliver a final, proposed draft to the Drafting Committee. You must establish a timetable for the revision process and hold representatives accountable for meeting their revisions.

Conduct a thorough technology assessment. The cornerstone of the revision process is how your company captures, collaborates, and preserves all the comments, notes, edits, and decisions during the entire project. In addition to using technology to revise your compliance policies and procedures, you should determine if they will be available in hard copy, online, or both. There must be a distribution plan, mainly if the Code and compliance policies and procedures are only available in hard copy.

Determine translations and localizations. The 2020 FCPA Resource Guide clarified that your compliance policies and procedures must be translated into the local language for your non-English speaking workforce. The key is that your employees have the same understanding of the compliance policies and procedures regardless of the language.

Develop a plan to communicate the revised policies and procedures. A rollout is always critical because the revised policies and procedures must be communicated to encourage employees to review and use the policies and procedures on an ongoing basis. Your company should use the whole armor of available tools to publicize the revised compliance policies and procedures. This can include a multi-media approach or handing out a copy to all employees at a designated time. You might consider having a company-wide compliance policies and procedures meeting where the new or revised documents are rolled out across the company all in one day. But remember, with all things compliance, the three most important aspects are “Document, Document, and Document.” However, when you deliver the new or revised policies and procedures, you must document that each employee received them.

Stay on target and budget. It would be best if you worked to set realistic expectations to stay on deadline and within your budget. This is equally applicable to your policies and procedures revision. Also, remember to keep a close watch on your budget so you do not exceed it.

These points are a valuable guide to not only thinking through how to determine if your policies and procedures need updating but also practical steps on how to tackle the problem. You should begin the process now if it has been more than five years since the last updates. It is far better to review and update if appropriate than wait for a massive FCPA investigation to go through the process.

There are tradeoffs involved in balancing different factors when designing policies and procedures. Compliance officers need to consider the organization’s staffing, technology, review processes, and the need for human intervention in automated systems. Insufficient resources and inconsistent procedures can lead to compliance gaps and backlogs, increasing the organization’s exposure to compliance risks.

In conclusion, the importance of tailored policies for compliance and risk management cannot be overstated. Generic policies may seem like a quick fix, but they can lead to significant compliance risks and harm. Compliance officers should conduct risk assessments, identify specific needs, and design policies and procedures that address those needs. Employee understanding and guidance are crucial, and policies should be regularly assessed, monitored, and updated as necessary. By taking a tailored approach to compliance and risk management, organizations can minimize their exposure to compliance risks and protect themselves from potential harm.

Categories
Compliance Into the Weeds

Compliance into the Weeds: A Deep Dive into Policies and Procedures

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more fully. Are you looking for some hard-hitting insights on sanctions compliance? Look no further than Compliance into the Weeds! In this episode, Tom and Matt deeply dive into the recent enforcement action against Deutsche Bank for AML violations and greenwashing to consider best practices for policies and procedures.

In the complex business world, the importance of tailored policies for compliance and risk management cannot be overstated. Tom Fox and Matt Kelly bring their unique perspectives to this topic, emphasizing the need for well-designed, specific policies and procedures to mitigate compliance risks and potential harm.

Drawing from his experience, Fox believes that generic policies are insufficient and stresses the need for policies specific to a company’s needs, risks, and operations. On the other hand, Kelly criticizes copying and pasting policies from regulations without considering the organization’s unique characteristics and needs. He underscores the importance of conducting risk assessments and gap analyses to design effective policies. Join Tom Fox and Matt Kelly as they delve deeper into this topic on this episode of the Compliance into the Weeds podcast.

 Key Highlights:

  • The Importance of Tailored Policies and Procedures
  • Risks and Consequences of Generic Policies
  • Tailoring Policies and Procedures for Compliance
  • Ongoing Monitoring of Policies and Procedures

Resources:

Matt in Radical Compliance

Tom 

Threads

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Written Standards: Day 10 – Policies and Procedures on Gifts and Business Entertainment

If one were to reflect upon the providing of gifts and business entertainment to foreign governmental officials, one might reasonably conclude that after 40 years of the FCPA, companies might follow its prescriptions regarding gifts and business entertainment. However, there have been some notable FCPA enforcement actions in this area.
The 2012 FCPA Guidance clearly stated the FCPA does not ban gifts and entertainment. Indeed, it specified, “A small gift or token of esteem or gratitude is often an appropriate way for business people to display respect for each other. Some hallmarks of appropriate gift-giving are when the gift is given openly and transparently, properly recorded in the giver’s books and records, provided only to reflect esteem or gratitude, and permitted under local law. Items of nominal value, such as cab fare, reasonable meals and entertainment expenses, or company promotional items, are unlikely to improperly influence an official, and, as a result, are not, without more, items that have resulted in enforcement action by DOJ or SEC.”
These guidelines must be coupled with active training of all personnel, not only on a company’s compliance policy, but also on the corporate and individual consequences that may arise if the FCPA is violated regarding gifts and business entertainment. Lastly, it is imperative that all such gifts and business entertainment be properly recorded, as required by the books and records component of the FCPA.
And, as always, do not forget the gut check test.

Three key takeaways:

  1. Gifts and business entertainment continue to plague companies for compliance violations.
  2. The key is not the amount but of having a policy and procedure and following it.
  3. Always remember to record gifts and business entertainment expenses correctly.

For more information, check out The Compliance Handbook, 4th edition, here.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Written Standards: Day 8: Revising Your Policies and Procedures

More than simply having a Code of Conduct, compliance policies and procedures are required. As former Assistant Attorney General Lanny Breuer articulated, “Your compliance program is a living entity; it should be constantly evolving.” The 2012 FCPA Guidance stated, “When assessing a compliance program, DOJ and SEC will review whether the company’s Guiding Principles of Enforcement have taken steps to ensure that the Code of Conduct remains current and effective and whether a company has periodically reviewed and updated its code.”

After considering these issues, you should benchmark your current policies and procedures against those of other companies in your industry. If you decide to move forward, I suggest a process that can be fully documented to include revisions to your compliance policies and procedures. These points are a useful guide to not only thinking through how to determine if your policies and procedures need updating but also taking practical steps to tackle the problem. You should begin the process now if it has been more than five years since the last update. It is far better to review and update if appropriate than wait for a massive FCPA investigation to go through the process.

Three key takeaways:

  1. You should do so now if you have not revised your compliance policies and procedures in the past five years.
  2. Set a timeline and budget and stick to it in the compliance policy and procedure revision process.
  3. Document your process of revision to demonstrate a more complete operationalization of your compliance program.

Check out The Compliance Handbook, 4th edition, here for more information.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Written Standards: Day 7 – Policies and Procedures

There are numerous reasons to put some serious work into your compliance policies and procedures. They are certainly a first line of defense when the government comes knocking. The 2020 Update made clear that “Any well-designed compliance program entails policies and procedures that give both content and effect to ethical norms and that address and aim to reduce risks identified by the company as part of its risk assessment process.

This statement made clear that the regulators will take a strong view against a company that does not have well-thought-out and articulated policies and procedures against bribery and corruption, which are systematically reviewed and updated. Moreover, having policies written out and signed by employees provides what some consider the most vital communication layer and acts as an internal control. Together with a signed acknowledgment, these documents can serve as evidentiary support if a future issue arises. In other words, the “Document, Document, and Document” mantra applies just as strongly to policies and procedures in anti-corruption compliance.

The specific written policies and procedures required for a best practices compliance program are well-known and long-established. According to the 2020 FCPA Resources Guide 2nd edition, some of the risks companies should keep in mind include the nature and extent of transactions with foreign governments (including payments to foreign officials), use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments. Policies help form the basis of expectations for standards of conduct in your company. Procedures are the documents that implement these standards of conduct.

Three key takeaways:

1. Written compliance policies and procedures, together with the Code of Conduct, form the backbone of your compliance program.

2. The DOJ and SEC expected well-thought-out and articulated compliance policies and procedures to be adequately communicated throughout your organization.

3. Institutional fairness for the application of policies and procedures demands the consistent application of your policies and procedures across the globe.

For more information, check out The Compliance Handbook, 4th edition, here.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Written Standards: Day 2 – Clearly Articulated Written Standards

The written standard requirements have long been memorialized in the U.S. Sentencing Guidelines, which contain seven basic compliance elements that can be tailored to fit the needs and financial realities of any given organization. From these seven compliance elements, the DOJ has crafted its minimum best practices compliance program, which is now attached to every DPA and NPA issued. These requirements were incorporated into the 2012 FCPA Guidance and brought forward in the 2023 ECCP and FCPA Corporate Enforcement Policy. The U.S. Sentencing Guidelines assumes that every effective compliance and ethics program begins with a written standard of conduct; i.e., a Code of Conduct.

Following your Code of Conduct is written policies and procedures required for a best practices compliance program are well- known and long established. The role of compliance policies is to provide guidance and to protect companies, despite an occasional hick-up. Policies provide a basic set of guidelines for employees to follow. They can include general do’s and don’ts, work process flows, specific issue guidelines. By establishing what is and is not acceptable compliance behavior, a company can mitigate the compliance risks posed by employees who might make foolish decisions or otherwise engage in unethical behavior.

There are numerous reasons to put some serious work into your Code of Conduct, policies and procedures. They are certainly a first line of defense when the government comes knocking. This means the regulators will take a strong view against a company that does not have well thought out and articulated policies, procedures or Code of Conduct; all of which are systematically reviewed and updated. Written policies, signed by employees provide a vital layer of communication. Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the “Document, Document, Document” mantra applies just as strongly to this area of anti-corruption compliance.

Three key takeaways:

  1. A Code of Conduct, together with policies and procedures, have long been recognized as cornerstones of a best practices compliance policy.
  2. Each level of written standards builds upon one another, so consider this integration step.
  3. The Fair Process Doctrine applies to your written standards.

For more information, check out The Compliance Handbook, 4th edition, here.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Written Standards: Day 1 – Introduction to Written Standards

The cornerstone of any best practices compliance program is written protocols. This includes a Code of Conduct, policies and procedures. These elements have long been memorialized in the US Sentencing Guidelines; the Department Of Justice’s (DOJs) Opinion Releases regarding compliance programs, the 2012 FCPA Guidance, both DOJ and Securities and Exchange Commission (SEC) enforcement actions, the 2019 Guidance and FCPA Corporate Enforcement Policy.
There are three levels of standards and controls, Code of Conduct standards and policies and procedures. Every company should have a Code of Conduct that expresses its ethical principles. But a Code of Conduct is not enough. The Code of Conduct is implemented through your compliance policies. It is further operationalized through your compliance procedures. The DOJ spoke to their importance in the 2019 Guidance when it stated, “As a threshold matter, prosecutors should examine whether the company has a code of conduct that sets forth, among other things, the company’s commitment to full compliance with relevant Federal laws that is accessible and applicable to all company employees.” As a corollary, prosecutors should also assess whether the company has established policies and procedures that incorporate the culture of compliance into its day-to-day operations.

At the end of the 31 Days you will have a very detailed grounding on better written standards for your compliance program. You will be able to utilize the information presented to implement a more effective compliance program for your organization. 

Three key takeaways: 

  1. The cornerstone of any best practices compliance program is its written protocols.
  2. Written standards work to prevent, detect and remediate.
  3. What are the specific written protocols you should have in your compliance program?

For more information, check out The Compliance Handbook, 4th edition, here.

Categories
Compliance Into the Weeds

300th Anniversary Episode – Policies Policies Policies

The award-winning, Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject. In this special 300th Anniversary episode, we consider a recent academic paper that suggests that policies play a small role in persuading employees not to engage in bribery and corruption. Highlights include:

·       What did the paper conclude?

·       What is the role of procedures?

·       Tom details the one function of policies.

·       How does an operationalized compliance program work?

·       What is the intersection of policies and internal controls?

 Resources

Matt in Radical Compliance