Today I continue a five-part series on the soft skills a Chief Compliance Officer (CCO) needs to employ when working through the remediation component of a potential Foreign Corrupt Practices Act (FCPA) compliance violation. I am joined in this exploration by Dan Chapman, well-known in the compliance community for his in-house compliance roles at Baker Hughes Inc. and his CCO roles at Parker Drilling and Cameron International. Today I will consider step four: when you are done?
On this point Chapman was clear, you can never be done until after you have settled. Yet even at that point, your task is not fully completed as “Enforcement officials want to see continuous improvement, then monitoring.” He went on to note, “They want to see that a compliance program developed to the point it is sustainable and that it performs sufficiently. In other words, you have all your controls in place. Your controls have been tested and retested and retested, and retested – then improved after every testing cycle. It’s about laying the correct foundation and then continuously improving.”
Obviously, your remediation will begin with benchmarking, with industry peers and others to update your compliance with new policies and procedures, perhaps a Code of Conduct update and internal controls. All of this can be handled directly by the CCO as Project Manager (PM) or using outside specialists as an additional resource. Chapman believes it would largely depend on the subject matter and on the sensitivity. There are certain things the CCO and compliance function should accomplish, and there are tasks that could be outsourced out of the compliance department. Chapman’s mantra to overlay on all of this was “keep it simple”.
Chapman provided some examples. He said, “if we needed to update our chart of accounts to make it simpler or to prevent misleading entries, I would certainly get Finance involved. It would not be appropriate to demand that Finance do it without my input, and it would not be appropriate do it myself without Finance’s involvement. It would be a combination of efforts. If I needed to develop a due diligence program for third party representatives, that would probably be driven mainly by compliance personnel. On the other hand, if I needed to implement an onboarding training module, I may design the content but I may outsource its implementation and its management to HR. It really depends on the subject matter and the risk involved.”
Moving from internal communications with stakeholders to communications with the Department of Justice (DOJ) or the Securities and Exchange Commission (SEC), Chapman noted, “it’s wise to provide an update on remediation, even if brief, at every opportunity you get to talk to the government.” Given the expectations laid out in the written guidance released in conjunction with the Pilot Program, it appears that the DOJ want very focused and robust communications around your investigation and remediation. Chapman believes that you will very rarely, if ever, be in a situation where the government is purely focused on your investigation and at some later point, purely focused on your risk assessment or remediation. He said, “I think that every time you meet with them to talk about the investigation, you also should talk about the Company’s risks and how you’re remediating them.” Chapman also said that one thing which will come up in discussion with the DOJ is “you will be asked to discuss your compliance program, as it existed prior to or at the time of the wrongdoing and then any improvements and changes you’ve made.”
So, when are you able to go to the government and tell them you are “done” and you are ready to settle? Chapman responded that it is not his experience a company informs the government it is ready to settle but “what you can do is you can give the government a green light, but it’s up to the government to decide when they want to proceed to a final resolution.” He did note he believes a company can indicate to the government that the company is not yet ready to settle, stating, “You can say, “No,” but you can’t say, “Yes.” Settlement from the government side is often driven by their perspective of what you should do and, in many cases, their current caseload.”
Another question which may arise at this point is whether the government will require the company to employ an external monitor for some period after resolution. Chapman believes, if the company has demonstrated a commitment to compliance during the pendency of both the investigation and remediation and if the FCPA violations were isolated and not systemic to the organization, there is a lower chance of a monitorship being required by the government. Some of the indicia would include the amount of time and resources the company has devoted to developing its compliance program, whether the compliance program has reached the point of testing and monitoring, and whether that testing information results in compliance program improvements.
Chapman concluded with what he called the “Number One” thing to show the government: that you can monitor yourself. You do this by demonstrating “that you have advanced your compliance program to the point that you are testing yourself, and, not only are you testing yourself, you can demonstrate to the government that you have fully implemented corrective actions based on the results of that testing. In other words, you’ve created a feedback loop that shows continuous improvement.”
The ‘when are you done’ question may be one of the trickiest as it has so many moving parts. Understandably, there will be pressure from stakeholders to achieve closure and move forward. However, you do not want to represent to the government that you are ready to settle at a point when the government still does not believe you are ready. If you do, you may well risk receiving an independent monitor.
Tomorrow I will consider issues around post-resolution in the remediation process.
[View source.]
