So your company has been accused of committing a fraud, or of violating the Foreign Corrupt Practices Act. You have attracted investigation by the US Department of Justice. You are negotiating whether to enter a plea, or to try to head off charges. What will help you in these negotiations? Each case is different, but the DOJ’s recent “Evaluation of Corporate Compliance Programs” suggests courses of action in light of DOJ’s typical inquiries:
Did the company have prior warnings which would have allowed it to detect misconduct? Were compliance procedures lacking? If present, were they misapplied or willfully ignored?
What specific changes did the company make to reduce risk? Were senior leaders vocal in discouraging misconduct? Did the board hold private sessions with internal and external gatekeepers?
How important did the compliance program appear within the company as compared with “other strategic functions?” Did the company fully staff, fund and give autonomy to internal compliance functions?
Were policies communicated to lower levels of the company and to third-party vendors, and integrated into risk management? Did employees and customers have a reporting mechanism so that violations could be flagged?
Were people punished for infractions? Did the company test its own programs by review of controls and by interviewing employees and others?
In acquisitions, did due diligence address risks in this area?
Many of these factors seem applicable to larger companies, but fraud prosecution and FCPA enforcement occur even in smaller companies. What should such companies do to protect themselves where the company structure is flat, and boards meet infrequently and are not in the habit of holding management accountable?
Every company needs a compliance policy. Distribute it. Every company can have periodic meetings or programs to educate and remind salespeople, inside people, and all other employees of their obligations. A file can be kept of compliance inquiries made of third parties: outside vendors, contractors, sales channels. A modicum of attention at the board level may go a long way here: calendar quarterly meetings and put compliance on the agenda a couple of times a year. Keep summary minutes. Have zero tolerance for violations; take action to remediate and punish. Ask your auditors or attorneys in writing to look in areas problematic in your industry, or where you had problems in the past, or where your scale does not provide layered controls. No one will hold a small company to the standard applied to a multibillion-dollar company but, when under investigation, even the smaller company needs to show that it paid such attention as its size and financial resources permit.