Everyone loves top-10 lists, and did so even before David Letterman turned them into a nightly comedy bit (the old Letterman shows, from when he was young, were much funnier than the later ones).
Top-10 lists help to prioritize tasks and activities. In the compliance arena, there is a basic set of ten questions that every chief compliance officer should ask themselves (in a moment of rest and reflection, if such a moment is possible).
Let’s consider the 10 questions every CCO should ask themselves:
1. Does the company have a strong commitment to compliance from senior management and the Board of Directors?
Every CCO's evaluation of a company starts with the Board's and the CEO's commitment to compliance and ethics. Many CEOs know how to say the right words; it is another matter to follow up and make sure the company's conduct matches its pronouncements about compliance and ethics. If a Board and a CEO communicate the company's commitment to compliance and ethics, and hold people accountable to those standards, that goes a long way toward advancing compliance and ethics in a company.
2. Does the CCO have adequate authority (meaning is the CCO independent) and sufficient resources?
A tell-tale sign of any compliance program is the CCO's location on the organizational chart and the amount of resources assigned to the CCO to support the compliance program. A company's commitment to compliance and ethics is quickly undermined when the CCO sits inside the legal office or the audit office, reporting to the General Counsel or the Chief Auditor. Similarly, the CCO is immediately ineffectual if no one is assigned to support the CCO's activities and responsibilities.
3. Does the CCO have a seat at the business table?
If the CCO does not know what plans the business has for expansion, whether internal growth or acquisition, and has to learn business plans second-hand or through happenstance, this is a reliable indication that compliance is not a priority for the company. Innovative and forward-thinking CEOs recognize the importance of the CCO perspective on all business operations.
4. Does the company conduct an annual risk assessment process to identify and relatively rank risks?
A company’s commitment to compliance and dedication of resources is quickly reflected in its willingness to engage in a robust risk assessment process. Companies which conduct such risk assessments are often committed to following the results, recognizing the importance of allocating resources among competing risks based on some ranking.
5. Does the company encourage reporting of violations and concerns, promptly investigate such complaints/reports and fairly dispense discipline, if warranted?
A company can set up a hotline, publicize the hotline, then sit back and count and categorize the complaints as they come in. If that is all the company does, watch out: "dashboards" of complaints and classifications are meaningless unless the information is used to inform the compliance function, to follow up on important issues of concern, to investigate issues when required, and to hand out appropriate discipline, no matter who the offender is.
6. Does the company conduct a robust initial due diligence process before authorizing a third-party to assist the company in a foreign country, and does it continue to monitor its third parties based on a risk-ranking formula?
If a company relies on third parties to conduct business in high-risk countries, especially China, Russia and India, and does not have a robust due diligence process, you can rest assured that the company is at serious risk of violating the FCPA. Almost every enforcement action under the FCPA has involved third-party misconduct, and a company would have to have its head in the sand to ignore the need for third-party due diligence.
7. Does the company conduct regular live and on-line training, coupled with certifications of compliance and reminders throughout the year?
Training is one of the most important, if not the most important, means of communicating the compliance message to managers and employees in an organization. A commitment to training means a mix of live and on-line training programs. Another indication of how seriously a company takes training is whether it conducts annual training of senior management (the C-Suite) and the Board. If that training is not conducted annually, the company's so-called tone at the top may be deficient.
8. Does the company conduct a self-assessment of its compliance and ethics program each year?
It is often said that one's harshest critic is oneself, and that is certainly true of compliance professionals. CCOs hold themselves to a high standard, sometimes too high. A CCO brings a unique and critical perspective to a compliance program, always pushing to do better and to do more. If that self-criticism is formalized into an assessment conducted on an annual basis, there is no doubt that a CCO will know what to do with the results and how to improve the company's compliance program.
9. Does the company have state-of-the-art information technology to support a vibrant compliance and ethics program?
In today's high-tech environment, every company has to devote more attention to information technology, not just for compliance with privacy and information laws and regulations, but because it is the backbone of every compliance and ethics program, as well as of basic business functions. If the company has outdated information technology, every aspect of its business operations, including compliance, will suffer. In some cases, such deficiencies, if not addressed, can prevent the CCO from carrying out some of the most basic functions of a compliance program.
10. Does the company adhere to a thoughtful documentation program as part of its compliance program?
In the government's mind, if a document does not exist, the event did not occur. Government prosecutors always ask for proof, in an email, a memo or some other writing, to support a company's account of how it handled an issue. The same principle applies in many other contexts in the business world. A documentation requirement, even a minimal one, promotes careful thinking and can be used effectively to corroborate a company's good-faith efforts to comply with the law, rather than leaving room for an inference of a sinister motive to evade legal requirements.