Imagine the following scenario: You are CEO of a company that is under investigation for a corruption-related issue. With your General Counsel, Chief Compliance Officer (CCO), and outside counsel, you are meeting with U.S. federal law enforcement authorities to discuss a possible settlement agreement. You hope to leverage the fact that you have a compliance program in order to eliminate or mitigate the possible financial and other penalties.To start the meeting, the government asks your CCO, “In your professional judgment, does your company’s compliance function have adequate resources? And what kind of benchmarking or other research have you done to support this belief – one way or the other?”
What would the answer be?
According to the US Sentencing Guidelines, for an “effective” compliance program to exist, the individuals at a company with “day-to-day operational responsibility” for the program must have adequate resources (as well as appropriate authority and direct access to senior management). In other words, the compliance function needs the means by which to do its job.
If a compliance function is starved, it will do little to help a company, either (i) in its operations, that is, by actually helping detect and prevent corruption, or (ii) if it gets into a scrape – and the company is immediately on the defensive with the authorities for having an obviously under-resourced program.
As we mentioned in a previous blog, the compliance function can be viewed as either a cost center or as a business partner. Companies with a mature compliance program recognize that supporting the compliance function helps generate “good business” and “clean sales.” By allocating appropriate resources to compliance, senior management demonstrates a true commitment to the function and its goals – a commitment that is sure to be noticed within the ranks. And by properly resourcing the compliance function (including employee salaries), the company will be able to recruit better-qualified compliance professionals to come on board, strengthening the overall program.
Certainly, there are costs associated with good compliance: for example, personnel must be paid, overhead must be allocated for IT and compliance management systems, and additional sales efforts may be required as certain contract opportunities are forgone due to the company’s adherence to its policy of not paying bribes.
But non-compliance has far greater costs, such as (a) investigation expenses (including outside counsel and forensic accountants); (b) identified program weakness response and remediation costs; (c) potential suspension and debarment (if the company is a government contractor or participates in a World Bank-funded project); (d) reputational loss that may drive away prospective clients, business partners and employees; and (e) settlement or judgment costs, including possible fines and penalties, as well as the possible involvement of an outside compliance monitor (which in turn may involve continued engagement of outside counsel, forensic accountants, or other outside experts).
Naturally, the resources devoted to the compliance function will depend on the unique characteristics of the business and the associated risk profile – the breadth of the company’s geographical reach, the complexity of its transactions, the types of high-risk activities engaged in (e.g., interacting with foreign state owned entities or hiring local agents), and company size. In a recent speech, Assistant Attorney General - Criminal Division Leslie Caldwell recently acknowledged this latter factor when she said, “Of course, we won’t expect that a smaller company has the same compliance resources as a Fortune-50 company.”
Many companies outsource a large part, if not all, of the compliance function. Without question, experienced outside experts can provide value to a program; however, accountability for compliance cannot be outsourced. Management is ultimately responsible. Management’s internal point of visibility must retain visibility into and engagement with the program, and should remain singularly focused on the company’s business facts, circumstances, and risks.
Former SEC Commissioner Luis A. Aguilar once explained, “One of the most important lessons I learned when I was a compliance officer is that an effective compliance program begins at the top. ... And, to state the obvious, management must also provide the firm’s employees with the necessary tools and resources to fulfill their compliance functions, such as hiring the right people, developing effective compliance controls, and designing appropriate policies and procedures.”
These words ring true for all companies. Whatever your company size, industry, or complexity – or your compliance program’s stage of maturity – an important part of the way senior management communicates “tone from the top” and otherwise contributes to an effective compliance program is through providing adequate resources to the compliance function.