Volume 1, Number 1
Is it Really So Hard?
Sarbanes-Oxley. Increased media scrutiny. Probing regulators. An outraged public. Today’s corporations face challenges like they have never faced before. Yet complicated corporate wrongdoing continues to shock. But it can be prevented, with simple rules.
The very culture of the corporation, as it is experienced from the CEO to the receptionist, must reflect the simple, firm and clear message that the corporation must comply with the law and honor its ethical obligations because it is the right thing to do. But how is this simple message successfully incorporated into a corporation’s culture so that a new, revamped or revitalized corporate compliance program is successfully hatched? By breaking it down into even simpler messages. Elementary messages. Even kindergarten-like messages.
As best-selling author Robert Fulghum noted, "Wisdom was not at the top of the graduate school mountain, but there in the sand pile..." (Robert L. Fulghum, All I Really Need to Know I Learned in Kindergarten: Uncommon Thoughts on Common Things 4 (1986)). This article offers similar thoughts: rules for achieving corporate compliance that have their genesis in the sandbox.
Rule No. 1: The message has to come from the top. Just as the teacher sets the classroom tone through words and actions, the corporate compliance message must also be set at the top.
The CEO must convey a message that employees who do not adhere to appropriate standards will be held liable for their failure to do so. Impermissible actions must result in meaningful sanctions including loss of compensation, demotion, suspension or termination.
Performance goals must also reflect that compliance is as important as production. "Making your numbers" is important. However, making them in an appropriate way is more important. Managers should be held responsible for conveying that message all the way down to the lowest level employee by not only talking the talk, but walking the walk. Appropriate company resources — budget, staff, systems, technology — must be dedicated to compliance.
The board must convey this same message, albeit with a twist. The board should also make it clear within the corporation and to its shareholders that it is an independent body that ultimately is both the legislator and adjudicator of compliance with legal and ethical standards to whom even the CEO must report. To do so, the board — and particularly the audit committee — must demonstrate that it is active, engaged, knowledgeable and available.
Rule No. 2: Keep it simple. Essential to the transmission of the message is that it must be simple and clear. Don’t hit anyone. Don’t take things that aren’t yours. Share your toys. In the past, not all corporate activities or guidelines have been a study in coherence or cohesiveness. This must change in several respects.
First, the role of the compliance office in a large corporation (or that of a sole officer in a smaller entity), and its relationship to other corporate components, must be made clear. Answering the questions addressed by the traditional organizational chart, such as who answers to whom and how offices relate, is an important step in that direction.
Second, the scope of the office(r)’s duties must be made apparent. Is it legal matters, corporate ethics, human resources, or a little bit of all of the above? Is it legal advice, training, monitoring, enforcement or some of each of those as well? Answers to all of these questions matter to those who come into contact with the office and help determine its effectiveness.
Third, in all respects, employees should be made clearly aware of what is expected of them. Clear standards of conduct and other applicable policies and procedures must be made available. Standards should cite both the rules and examples of activities that break the rules. Information as to where advice regarding the standards may be obtained and how violations may be reported should be made clear.
Many companies that went wrong had great programs on paper. However, their failure to implement a real program does not justify throwing the paper out with the bath water.
Rule No. 3: Learn the rules and play fair. All employees, top to bottom, must be trained in the standards that they must meet in order to assure that they know how to play fair.
Care should be taken to keep training relevant. One size does not fit all. Materials should be customized, and case studies should be real. And the human element should not be lost. Software and Web-based study, although valuable, cannot take the place of live, subject-matter experts who are able to answer questions in both training and everyday business contexts.
Finally, once is not enough. To have an appropriate effect, regular systematized training must be the norm because even the most committed people simply forget.
Rule No. 4: Play well together. No corporate compliance program functions effectively in isolation. The compliance office(r) cannot have sole responsibility for corporate compliance. Rather, as must be spelled out in the message from the top, it is a part of everyone’s duties.
First, essential to the proper functioning of any corporate compliance plan are the lawyers with subject-matter expertise. Whether in-house or outside counsel, these lawyers are the ones who are serving in the trenches, working with the clients every day. They are also interpreting and applying the laws — in short, establishing the appropriate legal standard. And they are also engaged in the day-to-day education of their clients and very valuable in designing more formalized training. Finally, they are able to provide essential insight in identifying, assessing and addressing risk.
Second, the heads of business practices must work closely with the compliance officer. Corporate compliance is not a stagnant legal standard. Rather, it is the living and breathing embodiment of the message from the top that must permeate the corporation’s business core.
In the end, the business heads make the choice not to divide markets, nor enter into deceptive agreements, nor submit misleading financial figures, regardless of the short-term appeal of the result. The business heads convey and live the message from the top and make it "safe" for employees, without retribution, to raise concerns. Without their cooperation, even the strongest compliance program will fail. And their cooperation will only be secured if within the corporation’s culture "doing it right" is as important as "making the numbers."
Third, internal auditors and their outside counterparts are an important part of the compliance team. In most instances, corporate compliance will not be staffed to conduct its own examinations and will need audit’s assistance. Auditors are also experts in the establishment and analysis of process. Today’s corporate compliance is often more about having good processes than engaging in "got you" activities.
Finally, the message from the top must be lived by the lowest level employee. Like the business heads, they too make the decision to comply in their everyday efforts. They must make the time to take the training that the corporation should afford them and then apply it. Employees also serve as the eyes and ears of the corporation. They must have the courage to point out wrongdoing and seek redress and the corporate compliance officer must make it safe for them to do so.
Rule No. 5: You have to work hard. Establishing a successful compliance program takes hard work and an enthusiastic and analytical attendance to task. Primary among those tasks must be to identify risk areas in the company and establish the standards for compliance.
Some of these will be obvious. A wide array of statutory and regulatory requirements generally apply to corporations — such as the antitrust, securities or employment laws. Applicable foreign requirements must be assessed as well. Other requirements may arise from the regulatory framework applicable to a corporation’s specific business operations such as government contracting, or environmentally hazardous activities, or health care. Finally, the need for appropriate standards may arise from the common law or by remedial statute where matters such as consumer protection or patients’ rights are being addressed.
While compliance in all applicable areas obviously must be achieved, establishing a priority of efforts based on risk assessment is fundamental. These priorities should reflect: (1) areas where there is incomplete compliance; (2) areas where a regulatory framework is pervasive and invasive; and (3) areas where, given the nature of the business, failures to comply are most likely to occur.
In making this assessment, the compliance office must work carefully with its partners. For any corporation, the compliance program’s success will largely be based on a thorough understanding of the business at hand. These partners will be able to help the compliance officer acquire that vast knowledge.
Rule No. 6: Tell the truth. Compliance efforts should be designed to seek "the truth" (that is, what is really happening in the corporation), to make it safe to tell the truth, and to put processes into place that allow the truth to be told.
As a general matter, however, all employees must be told about and given access to reporting systems including those that totally protect their anonymity. Where an anonymous complaint is received, provisions should be made for obtaining additional information from the informant on the same basis through the use of confidential voice mail or third-party assistance.
The absence of reporting by employees should not necessarily be viewed as indicating that there are no problems. Rather, that would be a reason to explore whether the system is operating.
And such measures should not be undertaken at just the lower levels. Opportunities to speak truth to power, including to the CEO and the audit committee of the board of directors, should be made available. Compliance officials should have access to the CEO. They also should report directly and regularly to the audit committee.
Rule No. 7: Clean up the mess and put things back where they should be. No matter how careful you are and how much you plan ahead, sometimes the milk spills. While achieving compliance perfection is a worthy goal, it is simply not realistic. Fortunately, the prosecution bar is not set at perfection. When the milk spills, compliance officials must analyze and determine what went wrong with the system, where the process was inadequate and how to fix it. Then they must, in fact, fix it! This includes taking appropriate action against any wrongdoers and, where appropriate, reporting the wrongdoing to the authorities. The measure of a good compliance program is as much about what you do when something goes wrong as it is about avoiding those wrongs.
Rule No. 8: Playing hard can be fun. Studies have shown that children who are able to delay gratification are much more easily able to achieve their goals and are more successful overall. True compliance reaps similar benefits. If investors and shareholders trust a corporation, its ability to operate and raise capital is significantly enhanced. Affirmative benefits also include the ability to recruit and retain a work force that has respect for itself and the work it performs.
Corporate compliance is not rocket science. The rules of kindergarten are easily applied. Simple, important messages geared to doing the right thing, implemented by people working together, identifying, facing and correcting errors along the way will make for a successful program. In the meantime, as Fulghum says, "When you go out in the world, watch out for traffic, stick together and hold hands."
Copr. (C) 2004 West, a Thomson business. No claim to orig. U.S. govt. works. This article is reprinted with permission from West, a primary sponsor of the General Practice, Solo and Small Firm Division.