My colleague Tom Fox is a fountain of wisdom on ethics and compliance issues. If you know Tom and hear him speak, you know he has seen a lot of corporate compliance situations – good and bad. With this perspective, it is always worth it to listen to Tom and heed his advice.
Tom and I share a common perspective (or so I would like to think). We respect federal prosecutors and law enforcement, and we understand their thinking and what they are trying to accomplish. We may disagree here and there on the Justice Department’s handling of issues, but by and large we acknowledge the hard work and dedication of federal prosecutors, especially in an environment of dwindling resources and political controversy surrounding FCPA enforcement.
Federal prosecutors credit and truly want to see increased compliance by companies. They know a good compliance program when they see it – even if a company identified a violation. They also know, and have seen too often, what a “paper compliance” program looks like. If I were still a prosecutor, I would feel as frustrated as they probably do when a company violates the FCPA and had a compliance program which did nothing more than exist on the company’s website.
As a result, prosecutors start out in an investigation skeptical of a company’s compliance program. I cannot blame them and I am sure I would share the same skepticism.
One technique that Tom Fox repeats often as his compliance mantra is simple and straightforward: document, document, and document. I could not agree more. When a company claims that it acted in a specific way in response to a risk, or took some action to ensure compliance, federal prosecutors will ask a simple question – “Where is the document which confirms you took that action?”
If the company responds like Ralph Kramden in The Honeymooners (A Hum-Dah-Hum-Dah-Hum-Dah), and has no document to cite, the company’s credibility will be shot. Federal prosecutors want to see proof and they want to see either an email, a document or some appropriate recording of the company’s actions.
Because of this basic requirement, companies should review their compliance programs from top to bottom and ask themselves where a documentation requirement can be built in to record the steps taken to ensure compliance.
Companies should document decisions made in a number of areas, examples of which include:
(1) Important legal or policy interpretations which inform a compliance program, the steps taken to ensure compliance and how the company followed this interpretation;
(2) Important compliance decisions based on factual reviews such as due diligence of a third-party or a potential acquisition, the results of the due diligence and the actions taken during a due diligence review, as well as the ultimate approval, the basis for the approval and the information on which the company relied to support the approval;
(3) Risk assessments and risk ranking decisions which are used to assign compliance responses such as type and amount of compliance and financial audits or other monitoring techniques; and
(4) Allocation of compliance resources among competing projects or programs in a compliance program and the reasons for the assignment of such resources.