
The Metropolitan Corporate Counsel

Volume 16, No. 1 © 2007 The Metropolitan Corporate Counsel, Inc. January 2008

Participating in this Roundtable are:

Focusing on compliance programs is Jack Holleran, who is a leader in Ernst & Young’s Corporate Compliance Advisory Services practice. He advises clients on identifying and prioritizing compliance risks, implementing and enhancing compliance programs, assuring that compliance programs are integrated and effective and measuring their effectiveness. Prior to joining Ernst & Young, he was the Chief Compliance Officer at Philip Morris USA. As a former compliance officer, Mr. Holleran’s practice is focused on helping companies to design compliance risk management infrastructures including programs, processes and controls in a way that is very much in line with their compliance risk profile.

Focusing on the investigation of compliance violations is Steven Kaufhold, who is a partner in the San Francisco office of Akin Gump Strauss Hauer & Feld LLP. He focuses on securities litigation, including shareholder class actions and derivative claims. Since the enactment of the Private Securities Litigation Reform Act (PSLRA) of 1995, he has represented dozens of public companies, officers and directors in securities cases. He has represented directors, officers or companies in eight separate “options backdating” investigations and/or cases. Mr. Kaufhold also handles complex business litigation and investigations for clients.

Focusing on civil and criminal defense is Stephen A. Mansfield, partner in charge of the San Francisco office of Akin Gump Strauss Hauer & Feld LLP and a member of its firmwide management committee. An accomplished trial lawyer, Mr. Mansfield represents corporations and individuals in trials, arbitrations and government enforcement actions before federal and state courts and administrative agencies. His practice focuses on complex fraud litigation, class action defense, corporate and government investigations, and white collar criminal defense. As an assistant U.S. attorney in Los Angeles for 11 years, Mr. Mansfield tried many fraud and corruption cases to verdict. As the head of the U.N. War Crimes Investigations Unit, Mr. Mansfield supervised international investigative teams in war crimes investigations in Rwanda, which led to the United Nations’ establishment of a war crimes tribunal for Rwanda.

Compliance Readiness Essentials – Program, Investigation And Defense

[Photos: Stephen A. Mansfield, Steven Kaufhold, Jack Holleran]

www.metrocorpcounsel.com

Editor: Mr. Holleran, what approach to compliance risk management creates the greatest risk?

Holleran: The greatest risk many organizations face is having a decentralized approach to compliance risk management. Every business has compliance risks that cut across a number of substantive areas, and often the controls that are put in place to manage those risks are implemented functionally, without the benefit of an overarching compliance program. Although there are advantages to decentralization, principally that the controls are designed and implemented by those employees who are closest to the risks, taking too decentralized an approach can result in inconsistencies or gaps in overall compliance risk coverage. The companies that manage compliance risk most effectively are those that achieve a strong balance between centralization and decentralization. To complement this balance, it is important to monitor, or audit, the design and operation of those controls. This role is being filled increasingly by an internal audit or compliance audit function.

Editor: Mr. Kaufhold, how would an investigator go about developing information that might lead to the conclusion that the breakdown of controls was attributable to a decentralized approach?

Kaufhold: The two primary focal points of such an investigation would be the contemporaneous written documents relating to the subject of the investigation and interviews with company employees and others with information relating to the subject matter. Once these two key areas have been explored, an investigator would likely be in a position to consider whether a breakdown of controls has occurred and, if so, whether such a breakdown results from a decentralized structure or some other circumstance or factor.

Editor: Mr. Mansfield, what civil and criminal exposures would follow from the conclusion that the decentralized approach was responsible for the violation and what further information might be developed by the investigation that would mitigate such exposures?

Mansfield: The most serious exposure would follow from evidence that the breakdown occurred as part of an intentional plan or known practice to boost revenues within an organization. But not every breakdown occurs for such a purpose. Communication failures and poor organization controls can occur through negligence and poor management without drawing an inference that fraud occurred.

Editor: Mr. Holleran, there seem to be fewer complaints from clients about the burdens and costs of compliance. Is this attributable to changes in the regulations or are there other factors?

Holleran: The discipline of compliance risk management has evolved quite a bit over the past 10 or 15 years, and many organizations have made significant progress in integrating compliance risk management practices into everyday business decision-making. The more compliance risk management is integrated into business processes, the less noticeable it is, and the more it is seen as part of the way business is done. That said, our clients continue to search for meaningful ways to measure the internal rate of return on their compliance investments and to find measurements and metrics that demonstrate the effectiveness of their compliance program. This is an inherently difficult exercise – a successful compliance program was once described to me as “constant vigilance, and nothing happens.” It is impossible to measure your effectiveness in preventing non-compliance, but there are measures and metrics that, when evaluated over time, can help organizations get more efficient in the way they allocate their compliance resources.

Editor: Mr. Kaufhold, would your investigation focus on metrics that might show a dedicated effort on the part of a company to improve its compliance program?

Kaufhold: Yes. The structure and efficacy of a company’s compliance program would be a likely part of most any investigation. This is true for at least two reasons. First, from a legal standpoint, the existence of a good faith compliance program would be a key fact against a finding of scienter in the event that something has gone wrong. Second, from a business standpoint, it is important to know whether a compliance program is serving the purpose it has been designed for in order to protect the company from business risks and losses separate and apart from any legal issues. Certainly, metrics would be a key tool in evaluating the effectiveness of the compliance program.

Editor: Mr. Mansfield, how important would such metrics be in mitigating exposures to criminal or civil penalties?

Mansfield: Metrics can be very important in showing whether a compliance program is real as opposed to something that exists for the most part just on paper.

Editor: Mr. Holleran, no matter how effective a compliance program is there will always be multiple sources of allegations of non-compliance. Companies have an obligation to investigate those allegations and address them. What are some of the leading practices you’ve seen in the way investigations are addressed?

Holleran: Allegations of non-compliance vary widely, take many forms, and emanate from many sources. Any business wants to make sure that allegations are investigated, resolved and addressed in an appropriate way. As a result, having an effective investigations process is one cornerstone of an effective compliance program. Investigations typically involve multiple stakeholders, including Compliance, HR, Legal, Internal Audit, and perhaps Security and Finance. It is important that the organization establish clearly which function plays what role in conducting investigations. Once roles are agreed upon, the organization should establish the following core processes:

- Intake (the sources from which allegations are received)

- Categorize (the process for determining which allegations are more serious)

- Processing (including escalation within the organization)

- Plan (determining who will conduct the investigation)

- Investigate (actually investigating the allegation)

- Resolve (including feedback to the complainant and disciplinary action if the allegation is substantiated)

- Improve (driving continuous improvement into both the compliance program and the investigations process)

The Chief Compliance Officer often plays a lead role in assuring that these processes are established and executed with quality. The CCO also may play a role in determining who is best situated to conduct an investigation, including when it’s appropriate to bring in outside counsel or forensic accountants.

Editor: Mr. Kaufhold, how do you go about investigating the effectiveness of handling allegations of non-compliance? To what extent do emails and voicemail messages and the reaction to them contain allegations of wrongdoing that should be followed up?

Kaufhold: It is crucial that companies identify and respond to allegations of non-compliance. In the course of an investigation, we would view the policies and procedures designed to address such allegations and then evaluate whether they have been effective in ensuring that any such allegations are addressed and handled in a thoughtful, consistent and lawful manner. Email and voicemail messages are a pervasive means of communication at most companies and so it is very common that they are a key part of such an investigation.

Editor: Mr. Mansfield, how important is the nature or absence of any follow-up a factor in increasing exposures to criminal or civil penalties?

Mansfield: Swift and effective response to allegations of non-compliance is critically important. A lack of response or substantial delay in responding can lead to significantly higher exposure and, depending on the facts, can tip the scales towards a potential criminal investigation.

Editor: Mr. Holleran, what role does Internal Audit typically play in managing compliance risks?

Holleran: Internal Audit’s role in compliance risk management continues to evolve. Traditionally, Internal Audit played either no role, or a very limited role, in managing compliance risks. Increasingly, however, Internal Audit is seen as an important ally for the Chief Compliance Officer, and one whose experience in monitoring controls can help assure the effectiveness of the compliance program. Examples include:

- Working with the Chief Compliance Officer to drive greater clarity within the organization about who is responsible for what in the realm of compliance risk management;

- Aligning the Internal Audit plan with the outcome of the compliance risk assessment;

- Designing a compliance auditing and monitoring program to assess effectiveness of compliance controls;

- Executing a compliance auditing and monitoring program;

- Playing a lead role in conducting an anti-fraud program.

The better the working relationship between the Chief Compliance Officer and the head of Internal Audit, the more integrated and effective the organization’s compliance risk management efforts are likely to be.

Editor: Mr. Kaufhold, would your investigation have revealed failures by internal audit to pick up the subprime breakdown?

Kaufhold: That’s a difficult question to answer. My sense is that when all is said and done, many companies will conclude that the subprime breakdown eluded a number of extremely bright and hardworking folks in both internal audit and other corporate functions.

Editor: Mr. Mansfield, would the failure of internal audit to pick up the subprime breakdown be a factor in increasing exposures to criminal or civil penalties?

Mansfield: It’s very difficult to answer this question definitively. So much depends on the nature, scope and practice with respect to the internal audit in terms of how it will be evaluated later.

Editor: Mr. Holleran, if you find there is a compliance breach on the part of the client, what is your next step?

Holleran: I think there are really two steps which need to proceed in sequence. The first step is to make sure that the allegation of non-compliance is investigated thoroughly. That is, the right stakeholders within the company are brought together to understand as much as they can about the nature of the allegation and then align the right resources to conduct the investigation. People have got to know how investigations need to be conducted – objectively, independently, discreetly, confidentially. And, the investigation needs to be conducted in a way that it drives towards ultimate resolution, that is, either the allegation is substantiated, in which case appropriate action needs to be taken including disciplinary action, or if the allegation is not substantiated, closure needs to be achieved both for the person who raises the allegation as well as for the person, or persons, about whom the allegation is made. So it is important that the process drive towards closure. I think there is a second step that ought to take place, which is that companies look at the investigation from the point of allegation to the point of disposition and see what the process is telling them about the overall compliance program. For example, if you see a continued series of allegations of non-compliance that elevate to the level of an antitrust practice, this might give an organization an indication that it might want to take a fresh look at its antitrust compliance policy or that training be conducted for employees who interact with competition laws and practices.

So the two steps are to conduct the investigation with the right people with the right skill-sets, often including law firms or forensic accounting firms or other third parties. But then once the investigation is closed, it is important to drive continuous improvement both into the compliance program where it can be enhanced but also into the investigation’s process to make sure that the investigation is working efficiently and fairly for all concerned.

Editor: Mr. Kaufhold, as you know from some of the public investigations that have been conducted by special counsel, they can take on a life of their own. How do you go about putting reasonable limits on the scope of your investigations?

Kaufhold: Reasonable limits are the joint responsibility of the business person overseeing the investigation and their selected counsel. At the end of the day, investigations remain a means to an end. They are a procedure used to serve the legal and business needs of the company and we never forget that fact. Accordingly, there should be discussion and, hopefully, agreement regarding budgeting, staffing and scope of an investigation. If new issues develop during the course of an investigation, they should be evaluated for materiality and possible follow-up in a collaborative, business-minded manner.

Editor: Mr. Mansfield, what types of restrictions on the scope of investigations would be treated as reasonable?

Mansfield: In my view it helps no organization or individual to simply err on the side of a wide-ranging scope of investigation. It is costly, burdensome and can overwhelm those with responsibility to review it. A reasonable restriction on the scope of the investigation is in effect a fair and focused definition of what specifically must be examined. This is a challenging task because it must be done at a very early stage before all facts are understood and it must demonstrate a fair approach is being taken. Nonetheless, defining an investigation in an overbroad way as a way to appear fair and effective is a mistake in my judgment.

Editor: Mr. Holleran, how should a compliance program be communicated to employees?

Holleran: We have seen a number of successful program communication efforts of an overall compliance program. One of the best is town hall meetings in which the senior executive responsible for the compliance programs convenes employees, pulls together an agenda of preexisting departmental meetings and spends face-time in front of a group of employees talking about the program from a business perspective and why compliance makes good business sense. This helps to instill a sense of individual ownership and accountability in employees for complying with the laws and regulations that apply to their individual job, making sure they do the right thing day-in and day-out. I think that is probably the most important type of communication because it puts a face on a human dimension to a compliance program that web training and website communications and email often do not. Those types of communications are very important, and I think particularly so today with the use of email, the use of pop-up screens on company intranets, the use of home pages, and all sorts of electronic types of communication. Another tool is compliance reminders: the compliance question of the week; the compliance column that shows up weekly on the compliance webpage on an organization’s internal website – all those types of communications are very important as part of an overall communications strategy. But what should not be lost is the very tangible asset of spending time talking to employees, not only about the program but listening to employees about what their concerns are, what enhancements they would like to see to the compliance program or questions they might have about how it operates.

Editor: Mr. Kaufhold, do your investigations record the tone at the top where senior executives demonstrate their commitment to compliance?

Kaufhold: Yes. Both company directors and regulators have an interest in the tone at the top of an organization and many will tell you that the attitude of senior executives and culture of a company are more important and effective indicators of compliance than all of the processes in the world.

Editor: Mr. Mansfield, would the failure of senior management to caution brokers and sales people about high-pressure selling tactics in connection with the subprime breakdown be a factor in increasing exposures to criminal or civil penalties?

Mansfield: Possibly. It depends on what is meant by “high pressure selling tactics.” Enthusiasm and passion are the essence of sales. On the other hand, misrepresentation and omission of material facts are the hallmarks of fraud. These are fact-specific determinations.

Editor: Mr. Holleran, are there compliance issues with respect to agents and suppliers, including those overseas?

Holleran: It is a problem that organizations face both domestically and internationally, which is that your ability to influence diminishes the farther you get away from the core of your employee base. So your ability to influence third parties who are employed by vendors or suppliers or other agents is limited – you have some ability but less directly than with your own employees. It is a problem companies face certainly for those who operate within the U.S. and the problem becomes even more complex outside of our nation’s shores because you run into language issues, into cultural issues, into issues of local law and regulation or custom or practice. That is why I think the Foreign Corrupt Practices Act and similar types of anti-corruption and anti-bribery laws have become such an important area of enforcement for agencies like the Department of Justice and the SEC. Having robust compliance programs in place and effective tools and processes and methods of communicating the company’s expectations to third parties is about the best anyone can do, provided they have on the back end some mechanism to conduct third-party monitoring or auditing to assure that employees of other organizations and agents are complying and meeting their client’s expectations. So at the end of the day you have a less direct ability to influence others’ behavior, but there are measures you can take by way of contract, by way of policy and by way of monitoring and auditing to make your expectations clear. Measure periodically whether third parties are meeting your expectations and, importantly, when you discover noncompliance, make sure that measures are actually taken to appropriately discipline agents or third parties who are not meeting expectations.

Editor: Mr. Kaufhold, would your investigations of the subprime mess include determining whether foreign employees and agents were involved in the compliance program?

Kaufhold: For global organizations, we would certainly look at the possible role of foreign employees and agents in the situation as well as the effectiveness of company compliance programs on the conduct of such employees and agents. Jack is absolutely right about the generally diminishing ability to influence employees and agents the farther you get from your core employee base, and that is why it is so important to include these folks in a comprehensive investigation.

Editor: Mr. Mansfield, would the failure to include in the compliance program foreign employees and agents later determined to be involved in the subprime breakdown be a factor in increasing exposures to criminal or civil penalties?

Mansfield: So much depends on the particulars of how the organization operates. However, a compliance program would certainly be benefited by having provisions that include foreign employees and agents as a way to demonstrate that a global business practice is subject to a global compliance program.