How to Build a Strong FCPA Compliant Compliance Function – 8 Core Components

Author: Ketan Dholakia

All businesses irrespective of size face some degree of compliance and it has never been more important to have a corporate compliance program in place that is fit for purpose. An effective compliance program helps identify and mitigate critical risks and is a key component in safeguarding the business.

Compliance burdens are compounded as organizations attempt to meet ever-increasing dynamic regulatory demands with limited resources. Compliance functions are expected to manage an increasing range of risks and at the same time enable the first line of defense to undertake a higher compliance responsibility.

Effective compliance programs promote ethical organizational culture, encourage good business behavior, and increase adherence to the law.

Fit for purpose compliance programs help protect reputation, assets and relationships with customers, suppliers, and investors and in detecting and preventing fraud and misconduct including FCPA (Foreign Corrupt Practices Act) violations.

The DOJ or SEC consider organizational behavior as part of its review and investigation. Was the violation self-reported, what was the level of cooperation and what steps were taken to remediate the problem.

Furthermore, the DOJ and SEC, may decide to curtail penalties or not pursue charges against the organization based on the effectiveness of its compliance program and may even go so far as to reward a company for its program, even if that program failed to prevent the specific underlying FCPA violation that gave rise to the investigation. This possibility alone is enough incentive for any organization to want to develop a strong compliance and ethics program.

Consideration is also given to whether the organization’s compliance program is fit for purpose when deciding on the level of sanctions and penalties.

The fit for purpose or adequacy test is not formulaic but relies on 3 key questions:

  1. "Is the corporation’s compliance program well designed?"
  2. "Is the program being applied earnestly and in good faith?" "In other words, is the program adequately resourced and empowered to function effectively?"
  3. "Does the corporation’s compliance program work in practice?"

Source FCPA Guidance - JM 9-28.800.

  1. Effective Compliance
  2. Compliance programs differ based on the type of organization and industry and no ‘one program fits all’ as organizations have differing needs. For instance, a bank or financial institutions will have different risks than energy companies and healthcare entities will have different risks compared to manufacturers. For compliance programs to be effective they need to address the different business requirements.

    Large corporations will have many more elements to take into consideration compared to a small or medium-sized business. However, a check-box approach is just not detailed enough to satisfy regulators irrespective of the size or industry of the organization.

    Regulators will be looking for a well-designed, well implemented and purposefully enforced compliance program which would help the organization detect violations that do occur and help make appropriate fixes.

  3. Ethos
  4. Compliance programs begin at the top of the organization with directors and senior management, setting the tone from the top for the rest of the organization. After all, if senior management is seen not to obey or enforce the rules then how can proper behavior filter down the organization? The compliance program must be robust, enforced in good faith and clearly articulated to every single employee. Where regulators feel improper behavior is being encouraged or overlooked this will be considered when evaluating possible violations. Just like bad behavior, adherence to ethical standards filters down the chain of command from senior management and down to every employee.

  5. Relevant Code of Conduct
  6. When assessing the effectiveness of the Code of Conduct regulators expect a code that is clear, concise, and easily accessible to every employee including third parties doing business with the organization irrespective of where they are based globally. It is important that the Code of Conduct is up-to-date and commensurate to the risks associated with the size and type of business. Risks that companies must assess include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations. The standards apply across the organization to every employee at every in every location.

  7. Risk-Based Approach
  8. Organizations are living not static entities and are ever-changing over time. Mergers, acquisitions, buyouts, divestments all create risk exposures that need to be evaluated in light of the current regulatory regime. Policies developed and implemented several years prior will not be effective.

    Businesses must regularly evaluate their compliance policies and codes using risk assessments that address the needs of the company at that time and into the near future.

    A risk-based compliance approach will ensure that optimal resources and investments are directed towards the risks and regulations that matter most. Although all the three lines of defense are tasked to identify and mitigate risks, it is for compliance to identify and manage compliance risks proactively, while also helping the business avoid potential regulatory or policy & compliance violations.

  9. Resources and Training
  10. Training and communication are key factors regulators consider when evaluating the strength of the compliance program and the commitment of the business and senior management.

    Policies and programs must be seen to have been communicated throughout the organization right through the ranks, bottom to top (every director, officer, employee, agent and business partner) raising awareness and instilling knowledge.

    Training should be appropriate and relevant, not just a computer-based program pushed out to all employees. Executives need to aware of procedures when dealing with foreign officials, likewise, front-line staff who are more likely to come into contact with bribery and corruption from foreign officials need to be educated more comprehensively and frequently in order to prepare them and to protect the organization from risk exposure.

    Adequate resourcing is also a key factor as an under-resourced program is likely perceived as lacking proper commitment to compliance by senior management. Inadequate training and resources also send the message across the organization that compliance is just not a priority. For compliance programs to succeed they must be positioned appropriately across the company.

  11. Reporting, Investigation and Discipline
  12. Red flag incidents are incorrectly seen as negative indicators only. They could be a byproduct indicating a strong compliance program, as a well thought out compliance program is going to, no doubt, raise red flags that require looking into.

    It’s important that the organization has a mechanism in place for individuals to come forward and anonymously communicate any suspicions of wrongdoing and illegal acts that can harm the organization. Such a reporting program must be efficient, reliable, and properly funded.

    Once reported, the organization’s response to allegations must be properly documented. Organizations must demonstrate the existence of an established, effective, and well-communicated process sufficiently resourced for responding to, investigating, and documenting allegations of violations. Lessons from previous incidents and investigative outcomes used to update internal controls and compliance programs, making them stronger, clearly show regulators that appropriate time and resources have been allocated to ensure the overall efficacy of an organization’s compliance program.

    On completion of the investigation, it is imperative that incentives and discipline for those who do the reporting and those who participate in the misconduct, are documented respectively. Regulators will expect to see what steps were taken to discipline those who perpetrated the violation and whether the level of discipline was commensurate. At the same time, it is equally important to recognize those who do something right. Such recognition will help promote the culture and communication of compliance throughout the organization.

  13. Third Parties
  14. Global supply chains and outsourcing are the norms of doing business and not exceptions in today’s modern world. The vast majority of FCPA enforcement actions involve payments of bribes made, not by employees or officers of large companies doing business in foreign countries, but by the third parties. Compliance should ensure that all business stakeholders - vendors, agents, consultants, and foreign officials are acutely aware of the importance of non-compliance – compliance programs do not stop at the four walls of the organization. Regulators will assess the effectiveness of an organization’s compliance program as it extends beyond company boundaries out to third parties; therefore, risk-based due diligence is critical.

  15. Continuous Improvement
  16. Compliance is not static, policies and programs must be continuously reviewed and improved. A decade-old compliance program will not be sufficient to protect the organization today. A fit for purpose compliance program will need to reflect the demands on your organization today, based on growth, relationships, governmental regulation and so on.

    Furthermore, regulators are increasingly looking at the integrity of your compliance program in every aspect – data integrity, data degradation, access privileges, audit trails, exceptions, approvals, and reporting.

    Credit is given to organizations that make the effort to create meaningful, relevant and sustainable compliance programs. After all, A is for Effort!

Summary

Looking from within the organization, you might perceive that everything is running smoothly, and all employees have been fully trained on your compliance program. However, regulators will give no consideration to how robust you view your own compliance program, but how it fares under their scrutiny, how would an outsider view your compliance program and how it’s been disseminated throughout the organization. To build a strong compliance program, try to think like an outsider, the regulators, and what their perception of your program would be. If you’ve covered all the factors of an effective compliance program, then your organization will be in a better position for regulatory readiness.

After years of unrelenting regulatory change and new risks, compliance is now entering a new era of opportunity and growth. The coming years call for greater teamwork between the business and other assurance functions, as stakeholders increasingly rely on compliance to guide them through the regulatory complexities and risk headwinds. Building a strong compliance program based upon clearly defined processes and underpinned by targeted technological investments will be crucial in meeting these demands.

If your organization is learning more about How to Build a strong Compliance function, we invite you to explore KaizenEvo® and the Maclear GRC Suite™ by visiting https://www.maclearglobal.com. Our comprehensive range of solutions is designed using best practices with built-in integration to reduce risk, improve performance, and enable strategic decision-making.

To learn more, request a demo, discuss a free trial proof of value or simply start a conversation drop an email to contact@maclear-grc.com.