Editor: How do the factors to be considered when implementing a well-run compliance program vary from company to company?
Chan: Identifying the steps needed to implement a highly effective compliance program can be a time-consuming and ever-evolving process. I have worked in different industries and for organizations of different sizes. In each of these situations, I have found that a compliance committee works best for coordination among the company's business groups. Once the compliance committee is in place, commitment from each business group is needed to ensure that the right people and necessary resources will be available.
The role of the company's human resources group is particularly important to examining the labor and employment issues associated with a compliance program, identifying the appropriate vehicles - such as drafting and amending provisions of internal codes of conduct - for documenting the program's requirements, developing training programs to communicate the program throughout the company and providing effective enforcement.
Citigroup has had an effective compliance program in place for years. Ethics has always been a part of that program. The banking industry has a long history of close scrutiny by the regulators.
Lankler: The pharmaceutical industry is also highly regulated. We have specific considerations that we must take into account when implementing a compliance program. For instance, there are FDA regulations that do not require intent in order to trigger criminal liability. Hence, the standards are high, and it isn't always clear what is and what isn't illegal.
At the same time that liability has become greyer, the sales and marketing activities of the pharmaceutical industry have also come under increased scrutiny from prosecutors and state attorneys general. In addition, federal whistleblower statutes are resulting in qui tam actions. These and other factors are addressed in our compliance program.
Companies should take a good look at their culture when implementing any compliance program. For example, even though corporate communications within all companies these days rely on computers, e-training may not make sense for all organizations. For the industry's large organizations with global operations, working closely with the company's IT experts when rolling out a program is especially important. In short, though, your approach obviously has to take into account your culture. If your training doesn't feel like everything else at your company, it won't be as effective.
Developing a culture of compliance within the company requires creative ways of helping employees to recognize and adopt best practices. A code of conduct alone is never enough because most employees will not consider it until there is a crisis.
We have used interactive video training conferences and luncheon programs designed to facilitate discussion among workers around hypothetical situations that deal with potential hazards. These activities keep compliance on our colleagues' minds and let them know that we are serious about it.
Editor: Once an effective program is in place, is the company secured against future misconduct?
Chan: I used to believe that a well-run compliance program and the impact of a regulatory or governmental investigation were enough to minimize the risks of future misconduct. That is not the case. I worked for a company that underwent a Department of Justice investigation for alleged kickbacks. Even with that large-scale scandal, a few individuals nonetheless attempted to circumvent our program. That is why a compliance officer needs to know the program well and create oversight mechanisms that provide vigilant monitoring.
Editor: How do you decide whether an investigation should be conducted internally or externally?
Chan: Oversight is very important when working with external auditors because you do not want to duplicate efforts and information. Even when the investigation is conducted internally, I have found that it is often helpful to have a third party monitor the investigation to make sure that everything was covered. If you are in a particular industry, you should have experts in that practice area working on the investigation.
Editor: Should the compliance function be centralized or decentralized?
Chan: That depends on what makes sense for your organization. Companies with separate business functions tend to use a decentralized approach where each group manages its own compliance program and reports directly to a central compliance department. Regardless, there should be consistency in the way that the function is implemented because that is what the Federal Sentencing Guidelines require.
Problems can arise if, for example, a senior manager is verbally reprimanded for wrongdoing while a lower-level employee is terminated for the same conduct. Any difference in the severity of reprisal must be explainable. It is helpful to keep a centralized repository of disciplinary actions and reported violations that you can easily access and produce in case you are asked to explain disparate treatment.
Editor: How can the effectiveness of a compliance program be measured?
Chan: Companies need to run routine quality assurance programs at least once a year or every 18 months. The process should be monitored by the company's top management to ensure that work is not duplicated.
The due diligence conducted for any acquisition should include a review of the target company's compliance program both before and after the deal is completed. You need to understand the culture that is being brought in after a merger and consider how well it meshes with the culture already in place.
Editor: What about protecting the attorney-client privilege?
Lankler: The attorney-client privilege is becoming a large issue for many companies. In these situations, it helps to walk investigators through your compliance program and employee training programs. Many times they are pleased if you go over each step and answer the questions they have. They are never satisfied if you simply state that you have a training program in place because misconduct has taken place. They want to make sure that your procedures are adequate enough to prevent future misconduct. We have found that in most cases, prosecutors are being more than reasonable about the privilege. If you are in a cooperative mode, there will often be, at least, an attempt to let you produce non-privileged material in the first instance.
Editor: How are international operations integrated within the compliance program?
Chan: Whenever an organization engages in international business, it should take the Foreign Corrupt Practices Act into account. Sometimes cultural differences may lead to tough decisions about maintaining the company's ethical policy and not offending a client.
Another policy, such as a Gifts and Entertainment Policy, can play a role when international business is involved. When I worked for another multinational company, a group of executives flew to Japan to meet with executives from another global company. When they arrived, they were greeted, and each employee was offered a personal media player. If the gifts were not accepted, our hosts would perhaps be offended. We had to be creative about our approach to maintain our ethical policy. We accepted the gifts, but when we returned to the U.S., we spoke with the company's counterparts in its U.S. operations who agreed to take them back and donate them to charity. That demonstrates the importance of discussing with either counsel or the compliance officer the potential hazards that may present themselves during a business trip and how they can be best resolved.
Lankler: The Foreign Corrupt Practices Act is also very important for our industry. The DOJ and SEC are very interested in certain transactions or dealings that could be perceived as payoffs to government officials. Sometimes we participate in presentations where doctors or hospital representatives are invited to speak. When those speakers are also government officials, any payments to them may be perceived as an illegal payoff. You have to have not only a policy, but also delineated procedures, to help address any international compliance exposures. The government will want to see that, and it will want to be satisfied that you are training on those policies and procedures.