In late August, Houston and much of south Texas survived a 1,000-year storm, courtesy of Hurricane Harvey. Florida and the southeastern United States faced the ravages of Irma shortly afterwards, with the Florida Keys facing its fiercest winds since the Hurricane of 1935. I found these seminal events to be more than weather-related events. They were wake-up calls about the virtues of crisis management.

While you may not have put plans in place for 1,000-year floods or historic winds if you live on the Gulf Coast, you can certainly prepare for the eventuality of a hurricane. Along the same lines, compliance practitioners can prepare for a potential unknown claim of a Foreign Corrupt Practices Act (FCPA) violation which suddenly becomes public. An equally plausible event could be an internal whistleblower report of similar conduct. It might even be a blog post from a former employee detailing illegal or unethical conduct in plain sight at your organization. Equally hair-raising for the General Counsel could be the situation where the Department of Justice, with FBI agents in tow, shows up at your company offices, search warrant in hand.

These are the kinds of things that beg compliance teams to prepare a crisis plan. But you must do more than plan for a compliance emergency beforehand; you must also practice that preparedness. Secretary of Defense James Mattis made this clear in his Memo, entitled “Ethical Standards for All Hands”, which was released in August. One of the key lines was “To ensure each of us is ready to do what is right, without hesitation, when ethical dilemmas arise, we must train and prepare ourselves and our subordinates.”

In this sentence Mattis seemed to almost echo the Department of Justice’s Evaluation of Corporate Compliance Programs around training. In Prong 6, Training and Communication, it asks: Has the training been offered in the form and language appropriate for the intended audience? How has the company measured the effectiveness of the training?

For your compliance organization, practice taking an emergency call regarding a major compliance violation. Start with the basics: does your hotline work in every country where you do business? Do you have persons who can speak the language of the caller? Finally, does your compliance function receive accurate reports of hotline-reported incidents?

Go through your investigation and notification protocols. When was the last time you updated your contact list for the compliance department, both primary and secondary? How about the same question for senior management, the compliance or audit committee and full board of directors? How about your key third-party sales agents and suppliers? Now do the same for your primary outside counsel investigative firm and make sure they are ready to respond.

A key issue for the Department of Justice will be document security. You need to have your IT function ready to lock down computers, cloud storage, and messaging apps. This is critical for the regulators going forward, as it will impact the integrity of any investigation and subsequent findings.

After you have thought about all these questions, go through and practice. Send a message through your hotline and see how it is tracked all the way up to the compliance committee on the board. Now go through the same exercise with your outside investigative counsel. Then make sure your entire team is working off the same playbook. Finally, take advantage of the pronouncement in the Justice Department’s Evaluation of Corporate Compliance Programs and perform a root cause analysis on the training. If there are any gaps, they should be identified and remediated.

Next, loop in your company’s internal controls team to find out what might be required to remediate a control to stop illegal conduct if there is evidence that there was an internal controls failure or some type of management override.

Using these training sessions and practices will also give you the opportunity to pressure test the structure of your compliance program. Of course, if the compliance function is sufficiently operationalized, this testing would provide you documentation should a regulator ever come calling.