Two of the key components of any best practices compliance regime under any anti-bribery and anti-corruption program are policies and training. Policies tie together a company, its business environment, the risks it faces and the compliance requirements. Policies are a specific requirement for any anti-corruption/anti-bribery compliance regime. The FCPA Guidance stated, “Whether a company has policies and procedures that outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures will also be considered by DOJ and SEC.”
The importance of training is noted in the US Sentencing Guidelines where, “Conducting effective training programs” is listed as one of the factors the Department of Justice will take into account when a company, accused of an FCPA violation, is being evaluated for a sentence reduction or declination. The Sentencing Guidelines mandate states “(4) (A) The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subdivision (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.”
But more important than simply having policies and training is the need to manage the use of these compliance-related tools. An ethics and compliance policy management best practice is to review your anti-corruption compliance policies annually. There should be an organization of accountability and process that enables any policy review process. The end product should be a decision to either (1) retire the policy, (2) keep the policy as it is, or (3) revise the policy.
Well-known policy maven Michael Rasmussen of GRC 20/20 has articulated five steps that a policy owner should evaluate as a part of the ethics and compliance policy management process. First, information from reporting systems such as hotlines or other anonymous lines, as well as internal or external investigations, must be reviewed to determine if the policy is being followed. Second is an analysis to determine an appropriate level of policy understanding by employees. Third is that any exceptions taken to the policy be documented. This demonstrates that the policy is vibrant, but if there are too many exceptions, this could mean that the policy needs to be revised. Fourth is that when a policy governs and authorizes internal controls, these internal controls should be reviewed in conjunction with the policy review to determine overall policy effectiveness. Fifth and finally is the environment in which your policy exists. A company’s risks, business strategy, relevant laws and regulations all change and your policies should be reviewed in the context of a company’s overall situation and revised accordingly.
But what is an “effective training program”? The key word is “effective.” It’s not enough to publish the employee Code of Conduct and the anti-bribery policies; you must train your employees in a way so they will remember the information and apply it when necessary. There are two general approaches to ethics and compliance training, the “ethics approach” vs. the “values approach.” The first approach focuses on knowledge of the rules “as clear and sharp as barbed wire” so that the cowboys in the company will not run wild. This is the approach most US in-house lawyers feel is required for their company’s operations teams and is generally designed to help avoid criminal liability.
The second is to train on ethical values and is more prevalent in Europe where ethics and compliance are more designed to communicate a company’s underlying corporate values in its operations. This approach anticipates that most employees are decent and law-abiding and will not knowingly engage in bribery and corruption. Additionally, you can never create enough rules to govern every situation and train each employee on every rule so a company must hire trustworthy people and give them sufficient information to make the correct ethical and compliant decision.
So what should a company’s training focus on to be “effective” under the Sentencing Guidelines? It appears that effective ethics and compliance training should emphasize both approaches. Americans are long taught what the rules are in whatever life they choose. They expect to be told what the rules will be so that they know where the line is drawn that they should not step over. Probably the single comment I have heard the most when putting on ethics and compliance training in the US is “Just tell me what I can and can’t do”. However, really effective training requires that employees be able to apply the rules to the incredibly wide and ever-changing situations that confront them in the real world. This is where communicating a company’s values is important.
Whichever training your company chooses, or perhaps a blending of the two types, there are several key components that you should make certain you have incorporated into your FCPA compliance training. It should be clear and concise so that all employees will understand it. The training itself should have some defined metrics, which should be achievable. The training program itself should be relevant and focused on the risk rankings of the employees involved.
Just as best practices in the FCPA compliance arena evolve, so do business practices, markets and risks. If you throw in the complexities from an inter-connected global business milieu, the task becomes even tougher. Business policies are one of the keystones of a company’s communications to its employees on what it expects and what is required of its employees. To keep policies up-to-date and properly take advantage of this valuable tool, policies need to be evaluated and updated as appropriate. If your company fails to do so, this takes away from the value of having policies in the first place. Similarly with training, you need to assess your training at regular intervals to determine if the message is getting out to your employee base and sticking with them. If your company’s risk profile changes, your employees should be trained on managing these emerging risks.
About the Author:
Thomas Fox has practiced law in Houston for 30 years. He is now an independent consultant, assisting companies with FCPA and compliance issues. He was most recently the general counsel at Drilling Controls Inc., a worldwide oilfield manufacturing and service company. He was involved with compliance investigations, audits, and drafted policies, and he led training on all facets of compliance, including FCPA, export, anti-boycott, and commercial operations training. Fox has the award winning Blogsite, FCPA compliance and ethics blog, and podcast, “The FCPA Compliance and Ethics Report.”