Last week I attended the Society for Corporate Compliance and Ethics (SCCE) Energy and Utilities Conference here in Houston. As usual, SCCE put on a great event, the speakers and topics were all first-rate. As you might expect at such an event, the informal conversations with other compliance practitioners gave an opportunity to learn about new and different approaches to compliance. At lunch on the second day, I had such a conversation, which to my surprise, was not with a Chief Compliance Officer (CCO) or even compliance practitioner of an energy company but with a Program Manager for a utility concern.
I admit that I normally do not attend any of the breakout sessions for the utilities at the conference and generally when forced to sit through a session focused on the utility industry, it does not take too long for my eyes to roll up inside my head. However after this lunch conversation, I will certainly have to revise my disdain for listening to the utility presentations. The person is a Program Manager in his company’s Power Plant Process group and he told me about the ‘Mock Audit’ that his company performs in its power plants across the country.
He explained that his industry is heavily regulated at both the state and federal level. Power plants are subject to numerous levels of oversight including various ISO standards to which they must comply. ISO is the International Organization for Standardization and it develops and publishes International Standards for various industries and organization. The ISO 9000 standards provide guidance and tools for companies and organizations who want to ensure that their products and services consistently meet customer’s requirements, and that quality is consistently improved. One of the components of ISO 9000 compliance is an internal audit to check how a quality management system is working. But, for the utility industry, there are additional, more formal audits by various state and federal regulatory bodies, including both North American Electric Reliability Corporation (NERC) and the Federal Energy Regulatory Commission (FERC). In other words, the utility industry is subject to numerous rules and regulations which require compliance audits.
To help prepare for these formal internal and external audits, his company employs the Mock Audit. In the Mock Audit, his team will go through the factors which will be reviewed in a formal audit at a power plant. But the thing that struck me was that he said that when goes into a plant, he tells the plant personnel “we all wear the same color shirt” and by this he means they are all on the same team, trying to achieve the same goal of doing business in compliance with the rules and regulations that the power industry is required to operate under. Coming from the energy service industry, the ‘color of one’s shirt’ is a powerful concept. I worked at Halliburton which is known as “Big Red”. Halliburton’s competitor, Schlumberger, is known as “Big Blue”. Once in an employment interview someone asked me if I could work under a person who came from “Big Blue” and I knew instantly what they meant.
The Mock Audit is a mechanism by which a compliance team can go into a facility and not only try to determine what might need remediation but, equally importantly, help the employees in that facility to move towards greater compliance. The team members who perform these Mock Audits are not lawyers but are engineers or other process focused team members. These Mock Audits help to uncover gaps that need closing before any of the regulatory mandated audits by external audit teams. As this Program Manager explained to me, they are a powerful compliance tool.
I thought about this concept of the Mock Audit in the context of ongoing monitoring, annual assessments and auditing under the Foreign Corrupt Practices Act (FCPA). Typically such monitoring and annual assessments are done by lawyers. One thing that I think we as lawyers bring to this process too often is an adversarial relationship. It sometimes feels and sounds like we are trying to find a violation or something wrong regarding a company’s compliance program. We are not there to try and help employees learn from their mistakes (if any) and we do not present ourselves as ‘wearing the same color shirt’. While there certainly is a fine line that must be trod in monitoring and annual assessments, if the compliance practitioner could adopt a bit of the tone of the Mock Audit it might open things up for a more useful and constructive exercise going forward. This is not to say that a more formal compliance audit should be conducted with such a tone, as it is a different type of activity. But, just as the Mock Audit is there to uncover any gaps and help fill those gaps, monitoring or annual assessments can also be used to help close compliance gaps before a biennial formal compliance audit. So what are some of the steps that a compliance practitioner can take?
Wear the Same Color Shirt
I once worked in a corporate legal department where the attitude was very much ‘us against them’. The legal department was viewed as the last bastion between the business guys doing something to put the company at risk. The attitude was not cooperative at all. I would suggest that even if the legal department feels like it has to maintain that attitude, the compliance department is not required to have that attitude, at least not all the time. Just as my new found colleague from the utility industry can help power plant employees to do their work more in compliance with the rules and regulations that they are required to follow, the compliance department can work with employees rather than simply dictate the rules which are to be followed. An annual assessment is the perfect opportunity to learn more about a region or group’s compliance challenges and how those challenges are being met and might be met going forward. But it will not work if it starts out with the us against them or I am here to get you attitude. You have to wear the same color shirt and be on the same team.
Review Your Findings with the Group or Region Being Assessed
One of the more constant complaints that I have heard from business unit folks was that legal and/or compliance did not share the results of any assessments or audits with them. Not only was there no transparency at the end of the process but there seemed to be no simple desire for local participation or input to resolve any outstanding issues uncovered. So another step I gleaned from the Mock Audit is to review any assessment ﬁndings with the senior management team of the group or area being assessed. If warranted, the management team from the group or area reviewed should be a part of any corrective action plan that addresses a specific gap in compliance. You can use this opportunity to demonstrate that the overall goal is to drive towards compliance and that use of local input may be one of the best paths to positive change over the long term. As with anything, else if people feel like they have input into the process, they will be more likely invested to make sure the process succeeds. When you return to the corporate office you can collaborate with the group or region until issues are fully addressed.
The recently released Department of Justice (DOJ) and Securities and Exchange Commission (SEC) FCPA Guidance make clear that formal compliance audits, with actionable remediation plans, are a key component of any effective compliance program. But after listening to my colleague from the utility industry, it seems to me that the concept of the Mock Audit is one that may also become a best practice. Whether you call it the Mock Audit, annual assessment or something else, if it is a process designed to help your employees do business in a more compliant manner it is a tool that should not be overlooked.