Getting Compliance Right

Nearly every day brings news of another company caught in the crosshairs of government enforcement agencies. Despite a less regulatory-minded administration coming into power earlier this year, government enforcement activity is stronger than ever—and it is likely to remain so. Attorney General Jeff Sessions has stated that corporate fraud and white collar-crime will remain a priority for the Department of Justice.

Given that enforcement efforts are seemingly here to stay, what can officers and directors do to protect their companies—and themselves—from the risk of liability for compliance failures? One obvious answer is to enhance the company’s compliance program, which both reduces the likelihood of a compliance failure and mitigates potential liability in the event that a failure does occur.

Today, many companies go about compliance the wrong way. Too often companies treat all compliance risks the same or take a reactionary approach—responding to issues as they arise or when news of a competitors’ compliance problem breaks. These approaches, however, tend to cause companies to spend a lot of money on compliance with little impact.

A more effective and efficient approach is to start with an assessment of which compliance risks are greatest for the company. Simply put, compliance is about risk reduction, not risk elimination.

“companies are going about compliance the wrong way. Their approaches tend to cost a lot of money with little impact.”

Assess and Analyze
Risk has been defined many ways. In the security lexicon, risk is the combination of threat, vulnerability and consequence. “Threat”, in the corporate fraud context, would be the incentives employees have to engage in a particular kind of misconduct. “Vulnerability” would be the ease with which such an employee can circumvent or defeat the company’s compliance program to commit the misconduct, while “consequence” would be what would happen to the company if the misconduct occurs and results in a government enforcement action.

Using this tripartite analysis—or another framework for assessing risks—can help a company determine which compliance issues pose the greatest risk. While any such risk analysis is inherently highly subjective, an attempt to quantify risks and categorize them based on relative levels of risk (such as through a numeric system, a color-coded system or a more general “high, medium, and low” set of categories) will enable the company to allocate its limited resources more effectively.

Divide and Conquer
Once the company identifies its biggest risks, resources can be divvied up accordingly, with more time and effort being spent on those risks that are greatest. This may include reviewing not only written policies and procedures, but also how the compliance program addresses those risks in practice. For example, the company can assess messaging from top leaders, employee training methods, how allegations or evidence of misconduct are addressed and how areas of risk are monitored on an ongoing basis. This allows the company to uncover gaps in its compliance program—many of which can be filled fairly readily once the gaps have been identified.

It is important to understand there is no one-size-fits-all solution to compliance issues. Rather, the most effective compliance programs are those that are tailored to the company’s operations, structure and culture. For example, some companies have more centralized compliance programs, which are run at the corporate level. Others have more distributive models, in which there is some central coordination at the corporate level, but leaders throughout the company’s business units are tasked with the responsibility for implementing compliance measures and are held accountable for doing so.

A proactive risk assessment is one of the best ways to initiate or enhance a risk-based compliance program. While such a program cannot eliminate all risk of employee misconduct, it is the most effective and efficient manner of reducing risk. And when something inevitably goes wrong, the existence of a proactive risk assessment system, coupled with documented efforts to address the risks identified, will go a long way toward protecting the company—and its officers and directors—from liability.

SHARE
John. F. Wood
John F. Wood is a partner in the Washington, DC, office of Hughes Hubbard & Reed, where his practice focuses on internal corporate investigations and compliance. He previously served as US Attorney for the Western District of Missouri and chief of staff of the US Department of Homeland Security.