This doesn’t mean organizations get off scot-free. Ideally, the company must still conduct a thorough investigation and remediate any compliance program weaknesses. Neither action comes cheap.

The Justice Department is also more strictly punishing bad behavior. For example, if the violation includes “aggravating circumstances,” criminal charges and monetary penalties remain likely. Aggravating circumstances can include senior executives involved in the misconduct, significant profits gained from violations, or pervasive misconduct within the company.

If companies don’t disclose violations, but then do cooperate and remediate weaknesses after the Justice Department begins its own investigation, the company will be eligible for a 25% reduction in fines based on the U.S.

If a company wants to avoid the assignment of a compliance monitor, then according to the Enforcement Policy, it must have an effective compliance program in place by the time the FCPA investigation is resolved. If the company already has a compliance program in place, any weaknesses identified as part of the investigation must be remediated.

Five compliance program priorities

The priorities for an effective compliance program can be boiled down to five key

Make risk assessments contextual

Where and how the company operates should inform how these assessments are done. For example, if the company relies heavily on third parties in emerging markets, it should know which parties are most at risk for corruption. Or, if the company has decentralized approvals for spending, it should know which executives handle transactions in high-risk

Make the connection between risks and policies, procedures, and controls

If the company identifies third parties as a significant risk, how is due diligence performed? If spending approvals are decentralized, how do the company’s payment systems allow a comprehensive review by senior executives, audit personnel, or others?

Compliance programs should put steps in place to reduce the risks identified above.

What does the Enforcement Policy mean by “cooperation”? It means turning over all facts related to a violation, including attributing those facts to specific sources whenever possible. So, the company needs strong policies for litigation holds, e-discovery, and data preservation. Even if the investigation itself is done by an auditor or outside counsel, the compliance program must foster an environment that supports strong investigation ability.

Communicate a strong compliance culture

From clear language in the Code of Conduct, to executive communications stressing ethical behavior, to stern discipline for employees or third parties who engage in corruption anyway — these are all aspects of a culture of compliance. Foremost, a strong culture of compliance leads to what the FCPA Enforcement Policy wants above all: self-disclosure of FCPA

Find and fix weaknesses

According to the Enforcement Policy, companies are required to demonstrate a thoughtful root cause analysis of why misconduct happened and, where necessary, remediate those weaknesses. So an effective compliance program (possibly working with Internal Audit, outside counsel, or other advisers) must have a “diagnostic capability” that can lead to new policies, procedures, or controls as warranted.