If a tree falls, and no one hears it, does it make a sound? Similarly, if you implement a compliance program and records do not exist or are incomplete, does it really exist? Your company records are the best evidence you have that you have in place a compliance program that has been “reasonably designed, implemented, and enforced [and] is generally effective in preventing and detecting criminal conduct” (US Sentencing Guidelines §8B2.1(a)).
There are many reasons to keep accurate and up-to-date records of your compliance program’s operations: (i) to facilitate day-to-day operational efficiency, (ii) to track the growth and evolution of the program (and to demonstrate an appropriate activity level), (iii) to help identify higher-risk operational or other problematic areas that may need monitoring, (iv) to permit meaningful program audits, and (v) to have the requisite tangible evidence to show enforcement authorities, in the event of an inquiry or investigation, that your company took reasonable steps to prevent and detect the misconduct at issue. More bluntly on the last point, as all who have worked with the Department of Justice (DOJ) officials on a Foreign Corrupt Practices Act case know, their mantra is “if [the program] doesn’t exist on paper, it doesn’t exist.”
What types of records should you keep? At a minimum, consider including (in consultation with counsel) information about the following:
The risk assessment underlying the program
Since risk assessments serve as the critical foundation of a compliance program, and since the program needs to change as the business’s operations and risk profile change, appropriate risk-related documentation is useful for both operational and enforcement authority proof purposes. With the DOJ and other enforcement authorities, it is critical to show that your compliance program is not just an “off the shelf” model, but was created based on an assessment of your company’s particular risks. Therefore, retain records that relate to the facts considered, methodologies used (including operative assumptions), and end products of the risk assessment process.
Your compliance program’s operations
Your core records, of course, relate to the operation of the compliance program itself. Although you likely have policies, procedures, and controls that apply at the global level of your company, some divisions, departments or geographies may also have individual guidelines and procedures applicable to their unique situations. The best and most efficient practice is to have all of these records organized and resident on a software-based platform. In some companies, however, they may exist in hard copies in file cabinets or desk drawers. In either case, these records should be readily accessible by the company’s central compliance function.
Records showing due attention to “the basics” should be maintained. For example, keep records tracking program-related training and communications. This includes records showing that individual personnel (and, where appropriate, outside agents and consultants) (a) have received the policies, procedures, and controls appropriate to them; (b) have certified to their compliance with these policies, procedures, and controls; (c) have received suitable training regarding the compliance program; and (d) have received periodic messaging and communications supporting the program’s primary compliance themes.
Similarly, retain records showing the program is used to guide company actions. For example, a company that has an anti-corruption compliance program should keep copies of any requests for approvals (per company policies and procedures) of gifts, hospitality, travel expenses, donations, and other items of value provided to individuals or organizations outside of the company (especially government officials and their affiliated entities). The records should reflect details about both approved and denied requests.
Records of decisions that go outside of the norm are particularly important to retain. For example, a company concerned about corruption would generally collect certain information about any potential overseas business partner (such as an outside agent) in order to identify issues that may make working with that person risky from a compliance perspective. But just because a yellow or even a red “flag” is present does not always mean that the partner will not be hired; this decision turns on careful consideration of the facts and circumstances. If the company were to hire an agent in spite of issues identified during preliminary or secondary screenings, it would be prudent for it to document why the decision was made (for example, because the agent’s familial relationship to a government official was unrelated to the services the agent was undertaking for the company). And as a litmus test, if the company is hesitant about documenting its reasons for hiring any outside party, it is worth carefully considering why, and revisiting the decision to hire.
As we have mentioned before, enforcement authorities care about whether compliance programs receive adequate resources, both in terms of financial support and personnel. Therefore, think about how (and where) to document information about the resources committed to compliance. This could mean detailing the direct and indirect financial support to compliance that exists in company budgets and other financial records. It also could mean documenting the reasons certain individuals were selected to take on a compliance role (e.g., position qualifications).
Program evaluation and incident response
When a negative incident occurs, there can sometimes be a temptation to minimize its significance and, after resolution, to quickly return to “business as usual.” But this is, in fact, an opportunity for the company to highlight that it has an appropriate framework in place to deal with potential misconduct. In consultation with counsel concerning possible attorney-client privilege issues, retain records showing that allegations were satisfactorily investigated, the misconduct (if any) was appropriately addressed, and, importantly, that your company used the incident as an occasion to evaluate and strengthen the program.
Even if incidents of misconduct do not arise, leading practice companies engage in regular evaluations of how the compliance program is being implemented and operationalized across the company. Retain records of compliance monitoring, reviews, audits, and other assessments – as well as how the results from those analyses are used to improve the program.
Information required by applicable law
Since the primary purpose of a compliance program is, in fact, compliance with applicable legal frameworks, do not forget to check for specific document retention requirements that may exist in certain areas, such as environmental and worker health and safety.
A future blog will discuss another significant compliance program record that needs to be created and maintained: the annual compliance report to the board.