During the last few years, there have been quite a few articles written on the subject of "corporate compliance." In doing part of my research for this one, I also did a quick search on Google and it came up with 128 million hits, in 0.18 seconds! Needless to say, no one has time to read all that.
This article is an attempt to get back to the basics: the big issues and the big solutions and how compliance is working in the real corporate world.
At Eversheds we are called upon to address such issues and to help formulate practical solutions for them, virtually every day. We are one of the largest law firms in the world (with more than 2,000 lawyers and more than 4,500 in staff overall). We have 28 offices worldwide, including offices in Doha (Qatar) and Kuala Lumpur (Malaysia).
The Big Issues
Global. The "world" is actually what it comes down to. Very few general counsel of large international public traded companies today only have concerns about compliance in just one country. Nobody has the time or the resources to look at all the available information for all the countries but good compliance needs to work in all of them.
What Is "Compliance"? The term compliance can cover a variety of situations. At the top range it can mean a requirement of strict obedience to a specific law (non-compliance would be illegal). The next level includes what in many countries are called "comply or explain situations" (it is not illegal not to comply but you must alert the reader and explain why, if you do not comply). Somewhere even further down the scale is adherence to some kind of voluntary standard of industry best practices. The lines between these ranges of obligations can sometimes get a bit fuzzy but what we uniformly find with our clients is that they want to adhere to the highest standards in every country where they operate, whether such compliance is legally required in each locality or not.
Our online service, called " Directors' Law of Europe, " is designed to give specific answers to compliance issues, for 29 European countries (all European Union Members, plus Bulgaria, Norway, Romania and Switzerland). The compliance coverage includes issues relating to accounting, corporate crime, employment law, antitrust, environmental law and stock market regulations. Each answer is supported by a specific citation to a specific relevant local law (cited in the local language and in our English translation). The unique database structure of this online service allows the client to see the same question answered for many countries at the same time, such as "What, under local law, is a 'conflict of interest' affecting a director?", which is answered online, here by way of example, for: Austria, Bulgaria, Finland, Hungary, Poland, Spain and the UK. The database can then generate a PDF of the specific answers to the specific question or multiple questions, for immediate electronic distribution within the client's organisation. The answers are written with lawyers and compliance officers in mind, as the intended readers, and any legal jargon is explained in plain language for each country. Most of the questions are inspired by specific issues addressed in the two-volume ALI/ABA Restatement-style study "Principles of Corporate Governance: Analysis and Recommendations" (2005) but all the answers are given in their European legal context.
Will One Size Fit All? Not exactly but, in the main, "yes," it will. We recently did an in-depth study of the corporate governance codes and various related compliance regulations in 55 countries, worldwide. We found that, for the big issues, that is, the make-or-break issues, the rules are pretty much the same, although of course actual compliance with the rules and enforcement may differ, depending upon the jurisdiction and the specific facts involved. We published our findings in our booklet "Global Compliance: An Eversheds Guide to Worldwide Codes, Laws and Summaries." This allows the reader to make easy comparisons between the "comply or explain" approaches in, for example, Australia, Austria, Hong Kong, Portugal and Singapore.
Accounting and Accountability. Many compliance issues boil down to proper accounting and proper accountability. The rules for both are becoming more uniform, worldwide. In the European Union, for instance, within the past several months there have been enormous moves towards uniform international accounting standards, including numerous and extensive new EU accounting regulations, such as Regulations 1606/2002, 1725/2003, 707/2004, 2086/2004, 2236/2004, 2237/2004 and 2238/2004. There is now also a specific set of accounting rules for WEEE (Waste Electrical & Electronic Equipment, EU Directive 2002/96 itself and special accounting rules in new EU Regulation 108/2006 ).
Risk Assessment, Metrics and Training. In order to comply and to comply well, you need to be able to measure and adjust what you are doing. There are detailed guidelines about such metrics (for example the various detailed guidelines in the Red Book and Brown Book of OCEG, the Open Compliance & Ethics Group). However, much of the process in the day-to-day world mainly involves correctly using the information which is available to management through internal controls which will be in place, anyway. Moreover, an effective compliance training program needs to learn from the past, predict the future and be ongoing and adaptable to whatever size and shape a problem might take.
Fail safe. Even if you do everything that is humanly possible to meet the highest standards of compliance, the unexpected must always be expected. Every company needs a crisis and disaster management plan and team.
Attorney-Client Privilege. In a number of European counties, no attorney-client privilege protection is afforded to communications between the client company and its in-house counsel. This raises issues of obvious concern locally, of course, but especially for multinationals with subsidiaries doing business in such jurisdictions. The ability to set up an effective compliance programme across the entire organization (as indicated by the US Sentencing Guidelines) obviously assumes the ability to have open and safe communications between the parent organization and all its subsidiaries and corporate affiliates, worldwide.
We have recently published our study into these matters, "Attorney-Client Privilege: An Eversheds Introduction to the Different Duties & Issues Across Europe," in which we address the issues of attorney-client privilege in 38 European counties, from Albania to the United Kingdom, and also including Iceland, Russia and Turkey.
Rankings. Curiously, the rankings arranged within my Google search did not even closely match what we have found are the top issues, as ranked by our multi-national clients. The top ten "hits," as ranked by the Google search engine index, were all commercial and educational organizations, all offering some kind of compliance service but without specifying much beyond the idea that "if you hire us, we will help you comply." I had to scroll down to Google entry number 15 and then to entry number 21 before I found some specifics about actual compliance by specific multinationals. Their rating of the key issues of relevance to their business closely matched our clients' experience.
Our experience with our multinational clients shows that the real world rankings are based upon quite specific compliance sector concerns, not just a general desire to comply: our top ten issues have been (in alphabetical order):
antitrust and competition issues
compliance responsibility overall (the general counsel? the chief compliance officer? the board of directors?)
conflicts of interest (at various levels of the organization and with outside persons and entities)
ethics codes and codes of conduct in general and their implementation
protecting confidential information (including attorney-client privilege issues)
risk assessment, training and metrics (including specific matching of the compliance spend against measurable performance targets)
securities and stock market regulations (including prospectus and proxy disclosures, communications with analysts and members of the media, and various types of insider dealing prohibitions and disclosures)
workplace bias, discrimination, harassment, substance abuse and violence
workplace safety in general and in specific industries
However, many other compliance issues are seen as very important too, including detailed accounting standards and PCAOB issues, audits and internal controls and a variety of Sarbanes-Oxley issues (including Section 404 compliance by non-US issuers), data protection, customer privacy (including data breach security notification issues), hotlines and whistleblowing, export controls, foreign corrupt practices, merger and acquisition notification thresholds, crisis management planning and media relations, internal investigations and diversity compliance. (As to the latter, please see my recent MCC article entitled Diversity and Eversheds in the March, 2006 issue.)
The Big Solutions
Have a plan that works not just as a legal document but that involves the departments and the people that will need to make it practical and effective.
Implement a code of ethics and compliance that is comprehensive but also will be read and understood and that your people will live by.
Take account of local legal and cultural sensitivities.
Global compliance means best standards of compliance.
Communicate to comply (good governance should trump attempts to invade attorney-client privilege).
Connect all your virtuous circles (transparent and effective compliance will be noticed and will be rewarded).
Measure and adjust and, just in case ...
Have a back-up plan and a crisis management team and contingency solutions.
Good compliance is good law, good business, good management and good sense.
Published June 1, 2006.