Roundtable: Is Your Global Compliance What It Should Be?

Editors Note: In advance of the 2007 Global Compliance Conferences in New York City and Livingston, New Jersey, organized by Eversheds in collaboration with MCC and ACC's New York and New Jersey chapters (Oct. 17 and 18, see p. 22 for more info), we asked select conference speakers a few questions. Each of the speakers that participated in the discussion leads either a compliance or a legal function for a major global company. We hope you will find valuable guidance in their sage advice.

Editor: What, in your view, are the most pressing issues today for corporate law departments and compliance functions for companies like yours, regarding implementation and assurance of adequate global compliance?

Carr: The FMC Legal Team helps maintain and align the ethical compass of the company and, in doing so, protects and promotes our values which are among our most important assets. We are merely one part of what must be a holistic, enterprise-wide approach. Setting, communicating and reinforcing the "tone at the top" view on ethical behavior and appropriate business conduct appropriately are probably the most important issues.

Cultural sensitivity is critical for those of us that operate within a large multinational organization. While there is usually broad agreement on "doing the right thing," there is often a lack of clarity around what precisely that means in diverse contexts and cultures. We must take care to avoid overly legalistic or nationalist precepts and instead focus on the basic values those precepts and our company's culture reflects. Perhaps most important, the legal team cannot in and of itself ensure global compliance - but we can and should act as a guide to help our businesses exercise judgment, assess impacts and consider the effects of their actions.

Gilbert: My list is as follows:

(a) Culture. Working with the management of the business to make sure that ethical and lawful behavior is seamlessly embedded in the way that the firm does business rather than externally imposed;

(b) Globalization presents a number of challenges for a compliance department. These include developing an adequate but efficient compliance organization to keep track of the regulatory requirements and address the needs of regulators in many jurisdictions; addressing and resolving conflicts of law; and implementing uniform global standards that are tailored to local business structures, products and regulatory requirements.

(c) Risk assessment. Corporations need to understand proactively their compliance-related risks by regularly engaging in a comprehensive risk assessment that follows a reasonably rigorous process that encourages candid discussion about risks and how to mitigate them.

(d) Communication and learning. It is always a challenge to find fresh, effective ways of reinforcing fundamental values and teaching colleagues how to spot compliance issues and to address them.

(e) Monitoring and measuring. Monitoring allows an organization to understand how well controlled its risks are and to make informed judgments about where it should spend its resources to minimize risk. It is a challenge to determine what to measure, how to do it, and how to report the results in a way that stimulates action rather than fosters bureaucracy.

(f) Investigation. When an allegation of misconduct is made, it needs to be investigated and, if the allegation is sustained, appropriate remedial action must be taken. In the era of email, investigations can be enormously costly, disruptive, and time-consuming. The amount of investigation that may be required is often a judgment call.

Sibery: Companies are being much more proactive. We are seeing increased activity both in risk assessments on the front end of compliance implementation and in monitoring efforts. Risk assessments are being used to highlight areas that may need additional focus or simply to make the best use of limited resources. Monitoring is becoming even more important. Many of our clients have excellent compliance programs that include detailed policies and training but are lacking in their monitoring of those policies. Compliance-specific reviews testing the adequacy of the compliance program are one of the tools used to help increase global compliance.

Winter: It's probably the same challenge that many business functions face: share of mind of employees. You've got to find ways to keep the idea of compliance and self-governance in people's minds as they go about their daily work. The issue is not only keeping the general idea of good business ethics in employees' minds, but finding a way to reach out to specific groups of employees with communications, training, etc. that is relevant for their job in their part of the world.

Editor: An effective program of education, controls and reporting to ensure compliance with laws and regulations globally costs a lot of money. What resources do you draw on most to implement global compliance, and how do you respond to the inevitable cost pressures?

Carr: Unfortunately, a company can spend vast sums without having any impact on fostering and maintaining an ethical and compliance culture. So it's not all about the money. We need only look at recent history to see that playing out in the U.S., the EU and elsewhere. Similarly, a very effective program can be done with internal resources, off the shelf or free content and very little monetary spend. Of course, those "soft costs" are very real.

The key is matching a program with one's culture, industry, and value system. In our case that means a multifaceted approach where we use every opportunity to educate and reinforce those values, learn from and leverage our experience and address issues if they do arise. Those include: codes of conduct, communication programs, hands on/in person training sessions, webinars, on-line issue specific and targeted training, email blasts, individual certifications, annual top down compliance reviews, quarterly financial representation letters, internal and external audit, hotlines, internal and external investigations, remedial measures and a vigorous after action approach to foster continuous improvement. That being said, budgetary pressures are real and making the case for investment in compliance spending can be a challenge. Until a company has suffered the impact and potentially high costs of a compliance lapse, the focus must be on an investment to avoid somewhat speculative costs and reputational risk.

Gilbert: Most of our compliance resources are deployed at the operating company level. A small corporate team with expertise in particular areas is leveraged for the whole company, and centers of excellence at the operating company level also provide services for the whole company. We work closely with the legal organization and our internal audit staff.

Kim: Compliance officers have to be able to leverage across the assets and resources of a company to address certain needs. Beyond that, however, line managers themselves have to view and be held accountable for ensuring compliance within their business unit. This not only helps company-wide compliance efforts scale efficiently, when compliance is owned by individuals within the business, it is much more likely to become a part of the culture of the company and in turn to be successful.

Sibery: Cost is always a significant concern when we assist a company with a compliance project. Often on global projects we use our international network to assist on a region-by-region or country-by-country basis. While we may have a core team working with the compliance department at headquarters, we can increase the efficiency and lower the overall costs by using professionals with local knowledge and experience.

Winter: The basic processes that support compliance cut across industry or size boundaries, but the way you implement those processes is going to be uniquely determined by your company's infrastructure, organizational structure, resources, and beliefs. At our company, the approach is to leverage our internal resources by partnering with business functions such as legal, internal audit, and human resources. That allows us to create a program tailored to who we are as a company, and selectively use external resources to support our compliance program where needed

Editor: What are the areas of global compliance that Boards of Directors are most attuned to today, and what are the areas where they perhaps should increase their focus?

Carr: The two areas I see are international operations and internal financial controls. I think the area that merits the most attention is making sure there isn't too much of a focus on checklists and procedures and a failure to identify a broader issue while counting grains of sand.

Gilbert: I find that the focus of a Board of Directors varies by jurisdiction, industry and the company's immediate experience. A Board of a UK financial services company, for example, is very focused on the FSA, its principles, rules and current areas of focus. Boards in sectors that have been through some regulatory turmoil have had to focus on the issues that generated the regulatory response. In general, Boards should make sure management is proactively identifying compliance risk and taking the steps to mitigate those risks. In the U.S., I think Boards are moving beyond focusing on Sarbanes-Oxley and are looking more broadly at enterprise risk.

Kim: Across businesses, Boards of Directors have paid much attention in recent years to issues relating to conflicts of interest and misuse of company assets and information, and rightly so. Looking forward, however, companies should be attuned to the risks that are accentuated from ever-increasing globalization.

Sibery: In recent years we have seen a focused interest by Boards of Directors on bribery and corruption. Given the increased FCPA enforcement, news items such as the U.N. Oil-for-Food scandal and information provided by groups such as Transparency International, this hasn't been much of a surprise. Boards have started to ask more questions and have been involved in increasing the focus on strengthening the global compliance function

Editor: What are the job conditions or requirements that you would suggest for any colleague taking on global corporate compliance responsibilities?

Carr: First, there must be a clear understanding of the company's core values and commitment to acting ethically and in compliance with those values and legal requirements. That requires an assessment of the company's senior management to the tone at the top insistence on not just "talking the talk but also on walking the talk." Second, is knowledge coupled with the independence and freedom to fulfill the demands of the function.

Knowledge requires access to decision making venues and inclusion in processes to make sure compliance and risk considerations are acknowledged and appreciated. Independence manifests itself in many aspects of the job including: access to the board, reporting directly to the CEO or perhaps the GC, coordination and cooperation with internal and external auditors, and control over counsel and advisors. Third, there must be a commitment of appropriate resources - human, organizational and monetary - to accomplish the clearly stated and agreed goals and mission of the function. If one or more of those three legs are lacking, then I'd counsel running, not walking, away.

Gilbert: The chief compliance officer can be most effective if he or she has independence and reports to the CEO and to the Board. The compliance function needs to have adequate resources, i.e. its own budget, and must maintain a collaborative, close working relationship with other key functions, such as the legal organization, human resources, and the finance organization (particularly internal audit).

Kim: Anyone considering heading up a compliance function should spend time ascertaining the views of the executives and the Board of Directors regarding the ultimate ownership of the company's compliance program. Are they truly engaged and understand that they have personal responsibility on a macro level and that on an everyday operational level each employee has responsibility to manage the affairs of the company in a way consistent with the company's agreed values and principles? Is compliance integrated into the company's operational business or is it viewed as something ancillary? Any compliance officer will need the support of executives and the Directors who understand that compliance is not a hindrance to business, but rather a manner in which a well-run business operates and is a key to long-term success.

Editor: In what ways have you found outside counsel to be most helpful in the global compliance function, and in what ways the least helpful?

Kim: Outside counsel can be most useful to corporate compliance officers by drawing upon the experience they have obtained assisting other clients across industries in formulating the specific advice they render to a particular client. This is a perspective that combined with the compliance officer's in-depth knowledge of the company itself can help ensure that whatever course of action is decided both benefits from the experience of others and is tailored to the specific company.

Outside counsel needs to be careful, however, in assuming that recommendations that worked for some clients will work for all clients. While there are general principles that have wide applicability, one should not overestimate how critical it is to have a detailed knowledge of how each company operates and a deep understanding of that company's unique corporate culture.

Carr: As inside counsel we are often far more attuned to practical emerging compliance issues because we understand our business culture and the industries in which we operate. Outside counsel are most helpful when they provide real world counseling and have a view into what other firm clients are doing. Outside counsel are critical if a compliance issue erupts into an internal investigation, response to governmental inquiries or an actual dispute. They are least helpful when their emerging threat radar raises irrelevant issues and when they provide no guidance that is actionable in the real world.

Status and Options