An effective compliance program must be tailored to the commercial activities of the company, the industry in which it competes, its customers, and the geographic regions where the company does business. Certain hallmarks of an effective anti-corruption compliance program are universal:
1. Commitment of Senior Management. The tone at the top matters. For a compliance program to succeed, senior management must be stakeholders in its success. Indeed, the guidelines followed by federal prosecutors emphasize that the integrity and commitment of senior management are vital to the effectiveness of a company's internal controls—and to regulators' views regarding the company's overall compliance posture.
2. The Tone in the Middle. For the majority of companies, the tone at the top is clearly established, but equally important and often overlooked is the tone in the middle. And it is at this level of corporate management that significant anti-corruption risks arise. The company's compliance program must fully integrate middle management and make them internally accountable for designated compliance implementation and monitoring.
3. Comprehensive Compliance Program. Effective compliance requires the effort of employees throughout the organization, from management through to sales, marketing, accounting and finance. An integrated program should include the following:
- Tailored Risk Assessment. The company needs to identify the specific risks it faces in light of its industry, geography and business structure. For example, if a company does substantial business in China, there may be heightened risks relating to entertainment and meals. Similarly, if a company participates in joint ventures, additional precautions may be necessary.
- Effective Anti-Corruption Policies and Procedures, Regularly Updated. The company must have written policies and procedures that provide clear guidance to its employees regarding the anti-corruption rules of the road. A company's policies must evolve and adapt as dictated by the ever-changing enforcement landscape. For example, a three-year old anti-corruption policy may have serious shortcomings. Does the policy consider the UK Bribery Act and its ban on “facilitation” payments? Does the policy calibrate risk in light of regulators' recent focus on travel, entertainment and gifts, even where such undertakings are of a nominal value? Does the policy adequately reflect the growing regulatory emphasis regarding so-called commercial, or private sector, bribery?
- Anti-Corruption Training and Messaging. Well-trained employees are the first line of defense in the anti-corruption setting. While it is tempting to train employees once, effective training requires an ongoing commitment. As an initial step, each relevant employee should receive training tailored to the company's geography, industry and structure. Thereafter, the company should follow up with routine anti-corruption updates to its employees as part of its overall continuing compliance education. Finally, the company should institute periodic employee certifications documenting completion of anti-corruption training and inquiring whether they are aware of any compliance issues.
- Periodic Anti-Corruption Program Audits. From time to time, the company should stress test its anti-corruption program. While such undertakings vary based on the circumstances, examples include transactional audits in high-risk jurisdictions, programmatic audits of the company's anti-corruption policies and procedures, and targeted reviews of high-risk legal relationships (e.g., state-owned or government entities, third party sales consultants, or joint venture partners).
- Whistleblower Protections. Effective whistleblower protections and procedures play a key role in ferreting out potential wrongdoing at an early stage. The company should establish—and communicate—a dedicated whistleblower procedure, including a toll-free hotline, anonymity, and protections for employees who come forward with credible allegations. The more credible the program, the more likely the whistleblower will take advantage of the internal reporting option, and the less likely the whistleblower will feel compelled to bypass the company reporting chain in favor of direct disclosure to regulators.
- Data Privacy Considerations. The data privacy environment is undergoing a revolution throughout Europe, Asia and Latin America. An effective compliance program must account for the unique data privacy challenges resulting from the jurisdictions in which the company does business. Proactive measures, such as incorporating certain provisions in the employment contracts of foreign employees, may position the company to easily navigate the challenges posed by foreign data privacy laws. Failure to do so could impede a company's ability to investigate red flags or certain allegations, as well as its ability to gather information necessary to maintaining an effective anti-corruption compliance program.
- Local Labor Law Aspects. Similarly, the company's compliance program should incorporate local labor law concerns across jurisdictions of operation. Should misconduct be uncovered, the company needs the flexibility to move quickly against the wrongdoers. Foreign employment contracts should therefore include provisions that account for local labor laws while maintaining the company's prerogative to take decisive action against culpable employees.
- Enforcement. The company's compliance program must have teeth to be effective. It is important that the program identify sanctions, up to and including termination of employment, for employees who fail to comply with the company's policies and procedures. Of course, the company must then have a record of implementing such enforcement provisions.
4. Relationship with Experienced Anti-Corruption and Enforcement Counsel. The company should develop its comprehensive anti-corruption program with knowledgeable outside counsel, experienced in both compliance and enforcement. In the event that the company discovers potential misconduct, it is critical that the company engage seasoned anti-corruption counsel as soon as possible. In our experience, companies often compound a potential problem by initially responding without the benefit of outside counsel. Myriad issues can quickly develop. For example, company counsel may not have the requisite resources to conduct a credible inquiry. Moreover, internal company reports, such as those prepared by internal auditors, may be discoverable. Interviews conducted by in-house legal counsel may not be considered sufficiently independent by regulators down the road, and are potentially discoverable in many jurisdictions, including most European nations. Outside counsel is better equipped to handle these issues and provide a level of credibility, protection and insight that maximizes the company's protections and defenses, while preserving the company's options.
Download: 12 Tips on How to Build a Comprehensive Anti-Corruption Compliance Program