Compliance
A Meaningful New Year’s Resolution
Why is compliance so important to business? What are the reasons and consequences for failing to have a compliance program? In this article, Peter J. Comodeca, Esq. with the law firm of Calfee, Halter & Griswold, LLP discusses the legal reasons to comply and costs of failing to comply.
Today’s business environment requires meaningful efforts in the area of compliance. Regulation, oversight, and enforcement make it essential to have an effective compliance and ethics program. Sophisticated companies recognize that state, federal, and international laws impose compliance obligations. Additionally, internal company policies and business contracts often impose further compliance responsibilities. Companies come face-to-face with compliance issues either through the appearance of an urgent compliance problem or as a result of prudent business oversight practices.
Compliance services touch many facets of a corporation. Governance and structure, personnel issues, business operations, and privacy and data management all require business professionals to understand the enterprise risks of their particular industries. Compliance risks should be identified and prioritized. Once those steps are accomplished, corporate programs and training should be developed to ensure that best practices are adopted to achieve an effective compliance program.
There are compelling reasons for developing and improving corporate compliance programs. The altruistic goal is to create a culture of ethical performance and compliance central to the company’s operations and business activities. Practical results of improving a compliance program are to identify and manage those risks that confront the company’s performance and reputation. Additionally, another practical benefit of developing and enhancing a compliance program is to better educate company personnel on the risks and potential exposures that the company faces.
The key step to determining the extent of a company’s compliance policy is to perform an initial audit. This requires a thorough review of operations and the factors that govern those operations. An audit includes interviewing individuals responsible for specific aspects of company operations and involves review of existing corporate compliance policies no matter how dated or inadequate they may be. During the audit, be careful of assurances from personnel that all is compliant. Mere acceptance of such representations could be problematic in that a failure to comply with law could result in administrative, civil, and even criminal penalties. It is not uncommon for companies to operate under the belief that they are in full compliance when such a belief is based upon negligence, willful ignorance, or failure to appreciate what laws govern particular aspects of company operations. This is particularly the case in government contracting, exporting, and environmental aspects of company operations.
Many factors affect a company’s ability and motivation to adopt and implement a compliance program. The board of directors, audit committees, and senior management must be committed to implementing the compliance program and must assign specific responsibility for the program. Management must communicate through policies, verbal communication, and training that there is upper-level support for compliance and ethical behavior. A company may also consider developing a written code of conduct applicable to all personnel. Personnel practices and policies must also demonstrate a commitment to compliance policies and ethical behavior. This should be demonstrated throughout all aspects of employment. Recruiting, hiring, and orientation should reflect the company’s commitment to organizational compliance and ethical behavior. The evaluation and promotion of personnel should also be based, in part, on commitment and adherence to the compliance program. The same should apply in compensation and disciplinary matters.
The structure and culture of a company can also affect the ease with which it develops and promotes a compliance program. A compliance chain of command should be identified by name and responsibility. Whether the company operates in a centralized or decentralized manner will affect the compliance chain of command. The risk tolerance of a company will also affect its ability to encourage and reward adherence to a compliance program.
In the area of corporate governance and structure, the compliance program should be in writing and updated as laws and contractual relationships change. Care should be given to compliance with stock and security issues which might not be obvious in day-to-day operations. Policies should also be initiated regarding transactions where the nature of the contracting partner, location of the contracting partner, and the nature of the product may fall under multiple legal and regulatory requirements such as U.S. export, ITAR, and prohibited entity restrictions.
Personnel issues also require monitoring to ensure compliance with applicable laws and regulations. Issues including applicable federal and state employment laws, pension and benefit plans, labor relations, workman’s compensation, and white collar crime should be addressed in a compliance program and be the subject of regular training.
Day-to-day operations will also require compliance policies depending on the nature of the business. Topics could include antitrust, environmental law, consumer protection, consumer sales practices, anti-kickback provisions, intellectual property utilization, and product labeling and safety. Compliance issues regarding business operations apply not only to a company’s facility and personnel, but also to its products, distributors, and representatives in other jurisdictions or countries.
One highly publicized topic requiring compliance training and practices is privacy and data management. It is regularly in the news that data banks, personnel records, and proprietary information are compromised either through negligence or through aggressive computer hacking. Compliance areas of concern involve the requirements of the Patriot Act, data protection, privacy issues, and record management. Internal compliance policies should be reviewed and updated where necessary in order to thwart e-mail hacking and to ensure that e-mail traffic does not violate export laws or national security laws.
A compliance audit is a valuable tool to be considered by any incoming CEO, COO, or General Counsel. It provides the incoming executive with a snapshot of the organization and the tools to make a meaningful impact on the company. Based on the expertise of management, a compliance audit can be done in-house or by using outside counsel or consultants. The use of outside counsel or consultants is usually performed in one of three ways. One option is to have a comprehensive initial meeting that discusses the entire business. From that meeting, a list of compliance related issues can be developed for each segment of the business, both operationally and administratively. Company internal personnel can then address the open issues. A second option could be to have the first comprehensive meeting followed up by subsequent “check-ups” by outside counsel or consultants to evaluate progress made by the company, to address any new questions that arise, or to otherwise assist where the company lacks the internal compliance expertise in certain areas. The last option would be to engage outside counsel or consultants to evaluate, prioritize, implement, and train the company on applicable compliance procedures. Of course, all of these strategies are available as tools to existing corporate management as a need is realized.
A compliance program is not a static tool that once created does not change. A compliance program should be routinely and periodically reevaluated. Company departments or segments should routinely perform risk evaluations to identify changes in the business or practices of the company. Periodic risk evaluations will also allow the company to identify areas where compliance practices have weakened. In performing the risk evaluations, it is critical that persons with day-to-day responsibilities assist senior management so there is good feedback and input to encourage program improvement. Asking for input from subordinates and, where beneficial, incorporating that input also creates buy-in within the corporation at levels that permeate the company beyond senior management level. Periodic risk evaluations should also include coordination and discussion across multiple functions of the company to further increase understanding of how one non-compliant area can affect multiple aspects of the business.
While companies have had compliance programs historically, they have generally been segmented into specific areas of the business that had specific compliance requirements. The trend today is to integrate all applicable corporate compliance programs under one function within an organization. This is similar to recent trends regarding corporate safety programs and corporate whistleblower programs. Such a program does not sacrifice the special expertise required for business segments, such as manufacturing or administrative. Rather, it educates the company regarding the across-the-board compliance policies within the corporation. It also demonstrates to customers, contract partners, and government overseers that the company has an active and comprehensive compliance program. Such a program could be a significant mitigation factor in any government allegation of non-compliance. In fact, the United States government considers a compliance program as a mitigating factor when evaluating potential administrative and civil penalties in the areas of export compliance and federal contracting compliance. A compliance program is also a valuable tool for company management to identify more specifically where responsibility lies for compliance failures.
A compliance program including standards of ethical behavior is desired from the perspective of doing the right thing and acting responsibly in business practices. However, a comprehensive compliance program is important from an economic perspective if the company, for example, does federal contracting, exporting, or complex manufacturing. Companies engaged in such businesses certify to their customers and to the federal government that they are acting in compliance with governing laws and regulations or in compliance with approved processes to achieve product quality. Misrepresentation of compliance with such governing procedures could result in termination of contracts, false claim allegations by the government, and the costs of hiring outside counsel and expert witnesses to evaluate and defend the company practices. Even a negligent failure to comply with governing law and procedures can result in substantial civil monetary penalties and potential loss of business. Where the failure to comply results in criminal conviction, the existence of a thorough and comprehensive compliance program could insulate the company from exposure for the criminal actions of its employees. Also, the existence of a comprehensive compliance program is a mitigating factor under the Federal Sentencing Guidelines.
The benefits of a comprehensive compliance policy are many. It enhances the ethical behavior of the company, it increases the education of the company regarding what policies must be followed, it encourages communication within the company to achieve best practices in its particular business, and it provides a good faith defense to allegations that the company has either negligently or intentionally misbehaved. All of these are good reasons for companies to begin the new year by reviewing and improving their existing compliance programs.
Mr. Peter J. Comodeca (“Pete”) offers analysis with respect to dispute resolution of matters of domestic and international commercial contracts, distributorship agreements, construction issues, and government contracts. He also counsels international and domestic clients regarding U.S. Customs port-of-entry and compliance programs. Mr. Comodeca negotiates and facilitates federal lease agreements, commercial and construction contract claims and disputes, and federal agency regulatory issues.
Mr. Comodeca can be contacted at: (216) 622-8830 or e-mail to: PComodeca@calfeee.com.