Participating in this Roundtable are:
Focusing on compliance programs is Jack Holleran, who is a leader in Ernst & Young's Corporate Compliance Advisory Services practice. He advises clients on identifying and prioritizing compliance risks, implementing and enhancing compliance programs, assuring that compliance programs are integrated and effective and measuring their effectiveness. Prior to joining Ernst & Young, he was the Chief Compliance Officer at Philip Morris USA. As a former compliance officer, Mr. Holleran's practice is focused on helping companies to design compliance risk management infrastructures including programs, processes and controls in a way that is very much in line with their compliance risk profile.
Focusing on the investigation of compliance violations is Steven Kaufhold , who is a partner in the San Francisco office of Akin Gump Strauss Hauer & Feld LLP. He focuses on securities litigation, including shareholder class actions and derivative claims. Since the enactment of the Private Securities Litigation Reform Act (PSLRA) of 1995, he has represented dozens of public companies, officers and directors in securities cases. He has represented directors, officers or companies in eight separate "options backdating" investigations and/or cases. Mr. Kaufhold also handles complex business litigation and investigations for clients.
Focusing on civil and criminal defense is Stephen A. Mansfield, partner in charge of the San Francisco office of Akin Gump Strauss Hauer & Feld LLP and a member of its firmwide management committee. An accomplished trial lawyer, Mr. Mansfield represents corporations and individuals in trials, arbitrations and government enforcement actions before federal and state courts and administrative agencies. His practice focuses on complex fraud litigation, class action defense, corporate and government investigations, and white collar criminal defense. As an assistant U.S. attorney in Los Angeles for 11 years, Mr. Mansfield tried many fraud and corruption cases to verdict. As the head of the U.N. War Crimes Investigations Unit, Mr. Mansfield supervised international investigative teams in war crimes investigations in Rwanda, which led to the United Nations' establishment of a war crimes tribunal for Rwanda.
Editor: Mr. Holleran, what approach to compliance risk management creates the greatest risk?
Holleran: The greatest risk many organizations face is having a decentralized approach to compliance risk management. Every business has compliance risks that cut across a number of substantive areas, and often the controls that are put in place to manage those risks are implemented functionally, without the benefit of an overarching compliance program. Although there are advantages to decentralization, principally that the controls are designed and implemented by those employees who are closest to the risks, taking too decentralized an approach can result in inconsistencies or gaps in overall compliance risk coverage. The companies that manage compliance risk most effectively are those that achieve a strong balance between centralization and decentralization. To complement this balance, it is important to monitor, or audit, the design and operation of those controls. This role is being filled increasingly by an internal audit or compliance audit function.
Editor: Mr. Kaufhold, how would an investigator go about developing information that might lead to the conclusion that the breakdown of controls was attributable to a decentralized approach?
Kaufhold: The two primary focal points of such an investigation would be the contemporaneous written documents relating to the subject of the investigation and interviews with company employees and others with information relating to the subject matter. Once these two key areas have been explored, an investigator would likely be in a position to consider whether a breakdown of controls has occurred and, if so, whether such a breakdown results from a decentralized structure or some other circumstance or factor.
Editor: Mr. Mansfield, what civil and criminal exposures would follow from the conclusion that the decentralized approach was responsible for the violation and what further information might be developed by the investigation that would mitigate such exposures?
Mansfield: The most serious exposure would follow from evidence that the breakdown occurred as part of an intentional plan or known practice to boost revenues within an organization. But not every breakdown occurs for such a purpose. Communication failures and poor organization controls can occur through negligence and poor management without drawing an inference that fraud occurred.
Editor: Mr. Holleran, there seem to be fewer complaints from clients about the burdens and costs of compliance. Is this attributable to changes in the regulations or are there other factors?
Holleran: The discipline of compliance risk management has evolved quite a bit over the past 10 or 15 years, and many organizations have made significant progress in integrating compliance risk management practices into everyday business decision-making. The more compliance risk management is integrated into business processes, the less noticeable it is, and the more it is seen as part of the way business is done. That said, our clients continue to search for meaningful ways to measure the internal rate of return on their compliance investments and to find measurements and metrics that demonstrate the effectiveness of their compliance program. This is an inherently difficult exercise - a successful compliance program was once described to me as "constant vigilance, and nothing happens." It is impossible to measure your effectiveness in preventing non-compliance, but there are measures and metrics that, when evaluated over time, can help organizations get more efficient in the way they allocate their compliance resources.
Editor: Mr. Kaufhold, would your investigation focus on metrics that might show a dedicated effort on the part of a company to improve its compliance program?
Kaufhold: Yes. The structure and efficacy of a company's compliance program would be a likely part of most any investigation. This is true for at least two reasons. First, from a legal standpoint, the existence of a good faith compliance program would be a key fact against a finding of scienter in the event that something has gone wrong. Second, from a business standpoint, it is important to know whether a compliance program is serving the purpose it has been designed for in order to protect the company from business risks and losses separate and apart from any legal issues. Certainly, metrics would be a key tool in evaluating the effectiveness of the compliance program.
Editor: Mr. Mansfield, how important would such metrics be in mitigating exposures to criminal or civil penalties?
Mansfield: Metrics can be very important in showing whether a compliance program is real as opposed to something that exists for the most part just on paper.
Editor: Mr. Holleran, no matter how effective a compliance program is there will always be multiple sources of allegations of non-compliance. Companies have an obligation to investigate those allegations and address them. What are some of the leading practices you've seen in the way investigations are addressed?
Holleran: Allegations of non-compliance vary widely, take many forms, and emanate from many sources. Any business wants to make sure that allegations are investigated, resolved and addressed in an appropriate way. As a result, having an effective investigations process is one cornerstone of an effective compliance program. Investigations typically involve multiple stakeholders, including Compliance, HR, Legal, Internal Audit, and perhaps Security and Finance. It is important that the organization establish clearly which function plays what role in conducting investigations. Once roles are agreed upon, the organization should establish the following core processes:
- Intake (the sources from which allegations are received)
- Categorize (the process for determining which allegations are more serious)
- Processing (including escalation within the organization)
- Plan (determining who will conduct the investigation)
- Investigate (actually investigating the allegation)
- Resolve (including feedback to the complainant and disciplinary action if the allegation in substantiated)
- Improve (driving continuous improvement into both the compliance program and the investigations process)
The Chief Compliance Officer often plays a lead role in assuring that these processes are established and executed with quality. The CCO also may play a role in determining who is best situated to conduct an investigation, including when it's appropriate to bring in outside counsel or forensic accountants.
Editor: Mr. Kaufhold, how do you go about investigating the effectiveness of handling allegations of non-compliance? To what extent do emails and voicemail messages and the reaction to them contain allegations of wrongdoing that should be followed up?
Kaufhold: It is crucial that companies identify and respond to allegations of non-compliance. In the course of an investigation, we would view the policies and procedures designed to address such allegations and then evaluate whether they have been effective in ensuring that any such allegations are addressed and handled in a thoughtful, consistent and lawful manner. Email and voicemail messages are a pervasive means of communication at most companies and so it is very common that they are a key part of such an investigation.
Editor: Mr. Mansfield, how important is the nature or absence of any follow-up a factor in increasing exposures to criminal or civil penalties?
Mansfield: Swift and effective response to allegations of non-compliance is critically important. A lack of response or substantial delay in responding can lead to significantly higher exposure and, depending on the facts, can tip the scales towards a potential criminal investigation.Editor: Mr. Holleran, what role does Internal Audit typically play in managing compliance risks?
Holleran: Internal Audit's role in compliance risk management continues to evolve. Traditionally, Internal Audit played either no role, or a very limited role, in managing compliance risks. Increasingly, however, Internal Audit is seen as an important ally for the Chief Compliance Officer, and one whose experience in monitoring controls can help assure the effectiveness of the compliance program. Examples include:
- Working with the Chief Compliance Officer to drive greater clarity within the organization about who is responsible for what in the realm of compliance risk management;
- Aligning the Internal Audit plan with the outcome of the compliance risk assessment;
- Designing a compliance auditing and monitoring program to assess effectiveness of compliance controls;
- Executing a compliance auditing and monitoring program;
- Playing a lead role in conducting an anti-fraud program.
The better the working relationship between the Chief Compliance Officer and the head of Internal Audit, the more integrated and effective the organization's compliance risk management efforts are likely to be.
Editor: Mr. Kaufhold, would your investigation have revealed failures by internal audit to pick up the subprime breakdown?
Kaufhold: That's a difficult question to answer. My sense is that when all is said and done, many companies will conclude that the subprime breakdown eluded a number of extremely bright and hardworking folks in both internal audit and other corporate functions.
Editor: Mr. Mansfield, would the failure of internal audit to pick up the subprime breakdown be a factor in increasing exposures to criminal or civil penalties?
Mansfield: It's very difficult to answer this question definitively. So much depends on the nature, scope and practice with respect to the internal audit in terms of how it will be evaluated later.
Editor: Mr. Holleran, if you find there is a compliance breach on the part of the client, what is your next step?
Holleran: I think there are really two steps which need to proceed in sequence. The first step is to make sure that the allegation of non-compliance is investigated thoroughly. That is, the right stake-holders within the company are brought together to understand as much as they can about the nature of the allegation and then align the right resources to conduct the investigation. People have got to know how investigations need to be conducted - objectively, independently, discretely, confidentially. And, the investigation needs to be conducted in a way that it drives towards ultimate resolution, that is, either the allegation is substantiated, in which case appropriate action needs to be taken including disciplinary action, or if the allegation is not substantiated, closure needs to be achieved both for the person who raises the allegation as well as for the person, or persons, about whom the allegation is made. So it is important that the process drive towards closure. I think there is a second step that ought to take place, which is that companies look at the investigation from the point of allegation to the point of disposition and see what the process is telling them about the overall compliance program. For example, if you see a continued series of allegations of non-compliance that elevate to the level of an antitrust practice, this might give an organization an indication that it might want to take a fresh look at its antitrust compliance policy or that training be conducted for employees who interact with competition laws and practices.
So the two steps are to conduct the investigation with the right people with the right skill-sets, often including law firms or forensic accounting firms or other third parties. But then once the investigation is closed, it is important to drive continuous improvement both into the compliance program where it can be enhanced but also into the investigation's process to make sure that the investigation is working efficiently and fairly for all concerned.
Editor: Mr. Kaufhold, as you know from some of the public investigations that have been conducted by special counsel, they can take on a life of their own. How do you go about putting reasonable limits on the scope of your investigations?
Kaufhold: Reasonable limits are the joint responsibility of the business person overseeing the investigation and their selected counsel. At the end of the day, investigations remain a means to an end. They are a procedure used to serve the legal and business needs of the company and we never forget that fact. Accordingly, there should be discussion and, hopefully, agreement regarding budgeting, staffing and scope of an investigation. If new issues develop during the course of an investigation, they should be evaluated for materiality and possible follow-up in a collaborative, business-minded manner.
Editor: Mr. Mansfield, what types of restrictions on the scope of investigations would be treated as reasonable?
Mansfield: In my view it helps no organization or individual to simply err on the side of a wide-ranging scope of investigation. It is costly, burdensome and can overwhelm those with responsibility to review it. A reasonable restriction on the scope of the investigation is in effect a fair and focused definition of what specifically must be examined. This is a challenging task because it must be done at a very early stage before all facts are understood and it must demonstrate a fair approach is being taken. Nonetheless, defining an investigation in an overbroad way as a way to appear fair and effective is a mistake in my judgment.
Editor: Mr. Holleran, how should a compliance program be communicated to employees?
Holleran: We have seen a number of successful program communication efforts of an overall compliance program. One of the best is town hall meetings in which the senior executive responsible for the compliance programs convenes employees, pulls together an agenda of preexisting departmental meetings and spends face-time in front of a group of employees talking about the program from a business perspective and why compliance makes good business sense. This helps to instill a sense of individual ownership and accountability in employees for complying with the laws and regulations that apply to their individual job, making sure they do the right thing day-in and day-out. I think that is probably the most important type of communication because it puts a face on a human dimension to a compliance program that web training and website communications and email often do not. Those types of communications are very important, and I think particularly so today with the use of email, the use of pop-up screens on company intranets, the use of home pages, and all sorts of electronic types of communication. Another tool is compliance reminders: the compliance question of the week; the compliance column that shows up weekly on the compliance webpage on an organization's internal website - all those types of communications are very important as part of an overall communications strategy. But what should not be lost is the very tangible asset of spending time talking to employees, not only about the program but listening to employees about what their concerns are, what enhancements they would like to see to the compliance program or questions they might have about how it operates.
Editor: Mr. Kaufhold, do your investigations record the tone at the top where senior executives demonstrate their commitment to compliance?
Kaufhold: Yes. Both company directors and regulators have an interest in the tone at the top of an organization and many will tell you that the attitude of senior executives and culture of a company are more important and effective indicators of compliance than all of the processes in the world.
Editor: Mr. Mansfield, would the failure of senior management to caution brokers and sales people about high- pressure selling tactics in connection with the subprime breakdown be a factor in increasing exposures to criminal or civil penalties?
Mansfield: Possibly. It depends on what is meant by "high pressure selling tactics." Enthusiasm and passion are the essence of sales. On the other hand, misrepresentation and omission of material facts are the hallmarks of fraud. These are fact-specific determinations.
Editor: Mr. Holleran, are there compliance issues with respect to agents and suppliers, including those overseas?
Holleran: It is a problem that organizations face both domestically and internationally, which is that your ability to influence diminishes the farther you get away from the core of your employee base. So your ability to influence third parties who are employed by vendors or suppliers or other agents is limited - you have some ability but less directly than with your own employees. It is a problem companies face certainly for those who operate within the U.S. and the problem becomes even more complex outside of our nation's shores because you run into language issues, into cultural issues, into issues of local law and regulation or custom or practice. That is why I think the Foreign Corrupt Practices Act and similar types of anti-corruption and anti-bribery laws have become such an important area of enforcement for agencies like the Department of Justice and the SEC. Having robust compliance programs in place and effective tools and processes and methods of communicating the company's expectations to third parties is about the best anyone can do, provided they have on the back end some mechanism to conduct third-party monitoring or auditing to assure that employees of other organizations and agents are complying and meeting their client's expectations. So at the end of the day you have a less direct ability to influence others' behavior, but there are measures you can take by way of contract, by way of policy and by way of monitoring and auditing to make your expectations clear. Measure periodically whether third parties are meeting your expectations and, importantly, when you discover noncompliance, make sure that measures are actually taken to appropriately discipline agents or third parties who are not meeting expectations.
Editor: Mr. Kaufhold, would your investigations of the subprime mess include determining whether foreign employees and agents were involved in the compliance program?
Kaufhold: For global organizations, we would certainly look at the possible role of foreign employees and agents in the situation as well as the effectiveness of company compliance programs on the conduct of such employees and agents. Jack is absolutely right about the generally diminishing ability to influence employees and agents the farther you get from your core employee base, and that is why it is so important to include these folks in a comprehensive investigation.
Editor: Mr. Mansfield, would the failure to include in the compliance program foreign employees and agents later determined to be involved in the subprime breakdown be a factor in increasing exposures to criminal or civil penalties?
Mansfield: So much depends on the particulars of how the organization operates. However, a compliance program would certainly be benefited by having provisions that include foreign employees and agents as a way to demonstrate that a global business practice is subject to a global compliance program.
Published January 1, 2008.