Ten top tips for encouraging good compliance
An effective compliance programme is key to avoiding risk. In this article we set out ten top tips for encouraging good compliance, including spotting and dealing with issues when they arise.
1. Assess the risk
It is well known that it is necessary to conduct an effective risk assessment to assist with designing and maintaining controls which are proportionate to the risks. The Ministry of Justice’s Guidance about procedures which relevant commercial organisations can put into place to prevent persons associated with them from bribing (the “MoJ Guidance”) is a useful starting point in determining the risks to be assessed. External risks include the sectors and countries in which an organisation operates and the types of transactions and business it may be involved in. An organisation should also look inward and consider the potential risks posed by the level of employee training, skills and knowledge; the reward and incentives structure; gifts and hospitality policies and procedures; financial controls; and the tone from the top.
2. Ensure procedures are proportionate, tailored and targeted correctly
It is not necessary – or practical - for a business to institute procedures against every conceivable compliance risk. Rather, an organisation’s compliance programme must reflect the risk profile that applies to its own unique circumstances. Policies should be designed to mitigate identified risks as well as to prevent deliberate unethical conduct on the part of associated persons. Specific issues to consider may include the prevalence of gifts and hospitality as a means of conducting business or whether facilitation payments or charitable or political donations are routinely expected in any jurisdictions. Where the use of agents is common, additional due diligence policies will need to be developed.
3. Know your counterparties
A properly-performed risk assessment should throw up any risks associated with the need for third party involvement and the likely extent of due diligence required. Where, for example, local law or convention requires the use of local agents to secure a transaction, the importance of thorough due diligence and risk mitigation prior to any commitment cannot be overstated (it is notable that many of the corporate cases brought so far under the Bribery Act 2010 have involved the use of agents on the ground). Where a business is considering a corporate merger or acquisition, thorough due diligence on the past activities and conduct of the counterparty will be vital to ensure that any previous misconduct is identified and dealt with.
4. Keep the programme under review
Given the changing nature of a company's risk profile, a compliance programme should be regularly scrutinised and improvements implemented to ensure it remains fit for purpose. As well as using ongoing monitoring and following a periodic assessment routine, it is also appropriate to reconsider the programme in response to certain events, whether internal, like a whistleblowing incident, or external, like a new law or measure signalling material changes.
In addition, it is common to use external sources and resources to benchmark a programme against best practice in the relevant industry. Some organisations may go even further and seek certification to provide comfort that their anti-bribery procedures are operating effectively.
5. Demonstrate top-level commitment
It is vital that those in authority in the business create and demonstrate a culture in which all members of the business understand that financial misconduct is never acceptable. Locally it may be the day-to-day managers who represent the top-level leadership, but they will in turn take their lead from the board or business owners. The tone, therefore, needs to be genuine and start right at the top.
6. Ensure that tone permeates through the organisation
Effective communication and training, targeted at the appropriate people and delivered in an accessible and suitable way, should be undertaken regularly to ensure all managers and employees are aware of what is expected of them and how to deal with problems should they arise. While online training may be easier and cheaper to deliver, face-to-face training may be needed in high-risk markets and jurisdictions Communications may need to be repeated regularly; personnel change, laws evolve and complacency can set in if the message is not frequently reinforced.
7. Implement procedures to identify potential issues early
Effective whistleblowing procedures – increasingly seen as fundamental to a good corporate culture - allow problems to be identified early, providing an opportunity to remediate any failings and to prevent harm from escalating. Uncovering issues at an early stage also allows a company to manage any disclosure obligations and/or consider whether a voluntary self-report to the authorities might be in the company’s interests.
8. Put in place effective document management controls
Although far-reaching, the authorities’ powers to compel the production of information and documents (including the SFO’s ‘section 2 powers’) do not extend to the production of legally privileged material. When a potential issue comes to light, care should therefore be taken to ensure that relevant communications are drafted, addressed and circulated in a way that preserves privilege as far as possible.
That said, there is an increasing expectation that companies which are cooperating with an investigation will disclose privileged material under a limited waiver. Doing so, particularly over initial investigative material such as early witness accounts, has been cited by the SFO as a “strong indicator of cooperation” and an important factor in the SFO’s considerations of whether to invite a company to enter into DPA negotiations.
9. Recognise the potential for individuals to come under scrutiny
Although recently we have seen several high-profile cases where former directors have been acquitted of corporate wrongdoing following a DPA (Tesco PL and Sarclad Ltd, to name but two), the reputational and other consequences of a drawn-out criminal investigation, even where no charges follow, can be severe for both individuals and corporate employers.
To prevent future unwarranted attention from investigators and regulators, who may later seek to analyse events with no proper context and with the benefit of hindsight, best professional practice is paramount. It is wise to ensure that communications are always expressed carefully, that exaggeration and overstatement are avoided and opinions are not presented as fact. And while a failure to register a red flag in a communication may later be misinterpreted, openly taking discussions “offline” may also raise suspicions.
10. Understand the risks and rewards of cooperating with the authorities if things go wrong
Given the level of international co-operation between authorities and the move towards DPA systems in more jurisdictions, a company considering whether to self-report must ensure that it considers the risks and benefits of doing so on a global basis and with a clear understanding of the authorities’ expectations as to further co-operation.
Full cooperation with an investigation will almost certainly increase the chances of securing a DPA and/or a reduction in financial penalties and it may also bring long-term reputational advantages by demonstrating good corporate behaviour. However, even in the context of a DPA, an investigation typically takes several years to conclude. The level of cooperation expected (with associated costs and business disruption) will be onerous and long-lasting, and may even include a complete board overhaul and significant enhancements to the compliance framework.
In our fourth and final article in The Rule of Ten series we will examine what the next ten years may hold for corporate criminal enforcement, both in the UK and elsewhere.
A longer and more detailed version of this article was published on our Client Knowledge Portal, available here.