WMACCA Small Law Department Initiative. Scaling a Compliance Program To Your Organization And Small Law Department

Transcription

1 WMACCA Small Law Department Initiative Scaling a Compliance Program To Your Organization And Small Law Department

2 Michael C. Hardy, II Womble Carlyle Sandridge & Rice, LLP Mike Hardy has extensive experience representing private equity and venture capital funds and emerging growth and middle market companies in a wide range of corporate transactions, compliance and regulatory issues. Mike s clients come from many industry segments, including digital media, telecommunications, cyber security, health care and life sciences, data analytics, e-commerce, real estate development and entertainment. Matthew Selander ICF International, Inc. Matt.Selander@icfi.com At ICF, Matt handles the company s overall development, updating, and corporate training on key aspects of corporate compliance. He is responsible for the annual compliance risk assessment, including anti-corruption and other key international compliance risk assessments. Prior to joining ICF in 2013, Matt was Manager, Advisory Services, for TRACE International Inc., a compliance consulting firm. Stephen Polozie Attorney spolozie@gmail.com Steve Polozie is an experienced general counsel, chief legal strategist, and executive-level business partner for successful and growing organizations. From , Steve was in-house with The Brickman Group, serving as General Counsel, VP and Corporate Secretary from At Brickman, he proactively built, improved, and led internal compliance processes in a highly regulated environment.

3 The Iron Triangle: The Mandate for Having A Compliance Program Practice Preventative Law: Compliance Compliance is the minimum. Aim High! Work like you are about to go through litigation, a merger, or a federal investigation.

4 "Good Housekeeping 101" Basic documents Entity Formation and Maintenance Bylaws, Operating Agreement, etc. Board Management Employees Contractors Money Information Customers, Partners, Industry Federal and State Location & Organization Paper Cloud Organization Spreadsheet with Links Dashboard

5 What internal controls and procedures do we have to have in place to manage the organization? Guide: Certified Compliance and Ethics Professional (CCEP) Core Competencies: 1. Standards, Policies, and Procedures 2. Compliance and Ethics Program Administration 3. Communication, Education, and Training 4. Monitoring, Auditing, and Internal Reporting Systems 5. Investigation and Response, Discipline and Incentives 6. Risk Assessment

6 When does a compliance "program become appropriate? The answer is immediately. Why? Because all of the types of documents and compliance, governance, and ethics issues require legal attention. The real question is how formal does the program need to be. Rules of Thumb: Time Complexity Consequences How do you speak to management about it? Compliance, Governance, and Ethics are issues that enable an organization to reduce risk and increase effective utilization of resources by aligning all of the key functions of management in a coordinated fashion. Governance requires compliance and ethics. Formalization occurs when the time and complexity become necessary to have an effective program.

7 If the impetus is coming from Legal, how do you make the business case for it? Cost reduction: costs resulting from non-compliance, include fines, penalties, potential debarment from working with the government, legal fees, loss of employee morale and productivity, retention costs, and brand degradation. If it's coming from the Board or C-suite, what is concerning them most, and what are they missing? Board and C-suite officers want to reduce risk, avoid uncertainty, and ensure that business objectives are not interrupted A compliance, governance, and ethics program may take resources that could be used elsewhere. It is far better to have an effective program than deal with the vastly larger expense of failing to comply. Justifying and implementing a program requires making a business case and having cooperation and buy in from colleagues in the c-suite. Failure is not an option.

8 Federal Sentencing Guidelines Buy Insurance: if a company self-reports, cooperates with the government, and has an effective compliance and ethics program, it receives a 95% reduction in fines. Required Compliance Program Action Elements 1.ESTABLISH 2.OVERSEE 3.ASSESS 4.ASSIGN 5.SCREEN 6.COMMUNICATE 7.MONITOR 8.ENFORCE 9.DOCUMENT

9 Laying Things Out The Issue of Scaling Foundation is in Place You now have: Successfully made the business case, received a mandate, or decided to press on anyway! Basic documents and control in place Good Housekeeping 101 A few simple internal controls to manage the organization Made a determination to improve or create a compliance program So What s Next? Photo by Maria Ly Before starting on Essential Tasks ask: What's your industry? Nature of work? Size is the company? What are the relevant laws, regulations, and risks? Which jurisdictions? What does the organization's history tell you about your risks? How do you prioritize them?

10 Laying Things Out - The Issue of Scaling Risk Assessment: Know Your Enemy Key to starting and scaling is a basic Risk Assessment Many free resources out there to get started Can be formal or informal Internal and external resources, or combination Even the smallest, most informal assessment adds value Risk Assessment maturity model (next page)

11 Laying Things Out The Issue of Scaling Risk Assessment Maturity Model: It takes time, your assessment process will scale with your compliance program

12 Laying Things Out The Issue of Scaling Risk Assessment Basics Consider industry risks benchmarking, peer networking, peer codes of conduct, news, SEC documents, internal history, etc Jurisdictions and applicable laws map out states and countries where working, applicable risks Company size peers of comparable size, not just industry Scope the assessment based on the company culture and goals Collaborate with internal stakeholders Rank risks to enable prioritization of tasks Remember: Privilege issues You ve now created a record

13 Scaling Laying Things Out The Issue of Scaling To climb; ascend but also: A progressive classification and to rise in steps or stages and adjust in calculated amounts Scale and Prioritize Based on Risk Assessment Compare risks against regulatory guidance: Federal Sentencing Guidelines, OECD guidance, DOJ/SEC guidance Prioritize tasks based on risk, value against guidance, and effort Create a plan, make goals, be conservative and incorporate other stakeholders (board, execs, other business functions)

14 Laying Things Out The Issue of Scaling Start Somewhere and Start Now! Don t let perceived workload weigh you down Focus on incremental, defensible progress Tap resources within the company

15 Essential Tasks: Define a Vision Standards Driven Ideological: Spend whatever it takes to fully comply. Proactive Resource Allocation / Lower Risk Tolerance Leadership Requirements: Executive-Level Compliance Champion and Focus Consistent Emphasis at all Organization Levels Reliable Compliance Measures and Accountability Resources Driven Pragmatic: How much compliance do we truly need or can we afford? Reactive Resource Allocation / Higher Risk Tolerance Leadership Requirements: Compliance Coordinator Constant Risk and Reward Balancing at all Levels Instant Feedback System and Accountability Best Practices / Competitor Driven Model and Improve Standards and Processes Beware Cultural, Structural, and Resource Differences Among Organizations

16 Implementing a Compliance Vision Standards Driven??? Resources Driven If all compliance functions are Resource Driven or Standards Driven, then you are probably wasting money, time, and BUSINESS CREDIBILITY

17 Highly Centralized Essential Tasks: Choose a Model Central Control over Design, Implementation, and Execution Central Prioritization, Budget Choices, Training, Evaluation, and Records Pros: Consistent, Coherent, Clear View from C-Suite (?) Cons: One Size Never Quite Fits All, Rigid, Corporate-Level Resources Highly Decentralized Local Control over Design, Implementation, and Execution Local Prioritization, Budget Choices, Training, Evaluation, and Records Pros: Specialized Design, Stronger Program-to-Reality Alignment Cons: Inconsistency, Complexity, Training, Not my problem True Hybrid Central Prioritization, Budget Choices, Training, Evaluation, and Records Local Design, Implementation, and Execution Pros: Consistent Priorities with Specialized Design Cons: Implementation Challenges, Complexity, Ownership/Finger-Pointing

18 Implementing a Compliance Model Centralized Decentralized Hybrid If all compliance functions are Highly Centralized or Highly Decentralized, then you are probably wasting money, time, and BUSINESS CREDIBILITY

19 Essential Tasks: Program Elements and Resources Key Inside Resources Business Credibility Demonstrated Understanding of the Enterprise s Goals and Priorities Clear Link Between Compliance and Achieving those Goals and Priorities Relationship Building at All Levels Understanding Roles and Responsibilities / Perceptions and Reality Understanding Communication Networks Making a Face-to-Face (or at least Voice-to-Voice) Connection Available Outside Resources U.S. Sentencing Commission Guidelines ACC.com Compliance Portal Trade Organizations Outside Counsel (e.g., wage and hour compliance) Auditors Compliance Consultants (e.g., tools, software, and standards) Comprehensive Compliance Risk Assessment

20 Implementing and Maintaining the Program Implementing the Program and Living with it: Training and Communication How do you measure success? How do you address shortcomings? How do you communicate challenges back to management and the Board?

21 Setting the Tone and Corporate Culture A successful compliance program sets the tone from the top. Promotes an organizational culture that encourages ethical conduct and a commitment to compliance within the law. (Federal Sentencing Guidelines) Starts with the law department Managers at all levels of the organization drive communication Written Communications Plan Multi-year in scope Tailored to the organization s risks To be updated based on periodic reviews (discussed below) Demonstrates a strong message and commitment from executive leadership

22 Board and Management Training and Communication Informing the Board and Training Management General Training Guidelines Relevant training topics Targeted training Tailored communications Be innovative Create a compliance culture

23 Training and Communication for Board Members Culture starts from the top Board role is oversight Must understand the system and obligations to carry out its responsibilities Faithful exercise of this role can reduce/eliminate liability Compare to accounting controls

24 Ensuring Effective Program at the Board Level Foster Board engagement by mandating training on the code of conduct and individual and industry-specific risk areas Emphasize that training will help protect both the organization and the individual directors from civil or criminal liability (Note: Federal Sentencing Guidelines) Communicate regularly with the Board

25 Training and Communication for Management Management bridges the gap Know the program and live the program Provide management with the tools and resources necessary to monitor and oversee the program on a daily basis

26 Ensuring Effective Program at the Management Level Targeted communications to specific branches of management Delegate to and empower management team to address compliance issues Report regularly to the Board

27 Employee and Staff Training and Communication Key Features of a successful program include: Regular and periodic training Straightforward communications and thorough learning aids Readily available policies and procedures Frequent communications Emphasize employee responsibility

28 Timing Regularity and Clarity Frequency of Risk Assessments Conduct risk assessments periodically If the methodology and process is adequately defined can reasonably be conducted on an annual basis No less frequently than every 2 years Schedule follow-up reviews upon completion

29 Measuring Success Regularly monitor and audit business activities in order to detect misconduct, as well as assess the effectiveness of the program Appropriate monitoring and auditing will vary with each organization Conduct periodic risk assessments

30 What Should You Measure? Best Tools for Measuring Success Administering Surveys (anonymous to encourage candor) Monitoring an employee hotline Measure 4 critical components Knowledge of reporting process Willingness to raise concerns Perception of the organization s tolerance for retaliation Belief in management s commitment to compliance

31 Employee Hotline Institute a hotline mechanism for employees to either ask questions or report suspected legal or ethical misconduct Mitigate fear of retaliation Information provided should be treated confidentially Calls generate internal reports Internal reports should be reviewed and monitored on a regular basis

32 Addressing Shortcomings Review by the Board and management of any periodic risk assessments and employee surveys conducted Evaluate the overall program and policies in light of these results Make changes wherever necessary and appropriate Deal with violators seriously and consistently Detect and rectify deviations promptly Take active steps to prevent similar misconduct

33 Communicating Challenges to Management and the Board Direct access to the Board is critical Prevents potential filtering or influence of senior members of the organization Two types of critical information which should be presented to the Board on a regular basis: Reports on the current features and performance of the program Reports of top-level executives involvement in or support for inappropriate conduct Consider compliance issues as a regular agenda item and invite a member of management to present an update to the Board Propose suggested modifications to existing program as necessary to address areas of concern