How can a global company ensure that it generates a meaningful, international, compliance policy? Such polices need to be applicable across the corporate universe but encompass local differences adequately. This might seem to be a simple question but it often presents a raft of difficulties for compliance officers. There are several approaches to the design and application of compliance policies in an international context. This article sets out some of the key factors to consider and some of the strategies that Eversheds has found useful in this regard.
Developing Compliance Policies
The review and creation of a suite of comprehensive compliance policies is the starting point for many compliance officers. Key, clear, messages are often the point of departure. An example of these is the Global Sullivan Principles, one of the first statements of corporate responsibility. A cluster of fundamental principles that inspire sound conduct and delineate the limits of corporate tolerance have the potential to deeply influence corporate culture.
Core principles alone, however, are insufficient. There is an expectation that this is backed up by policies detailing the relevant law in that jurisdiction and examples of how this law applies in corporate practice. A full policy statement is a recognised cornerstone of compliance programs and features in all critical statements of compliance expectations from the US Sentencing Guidelines (§8B2.1. Effective Compliance Program (b) (1)) through to the Australian Standard on Compliance Programs (AS 3806-2006, Principle 2). While compliance policies can and should incorporate a transformative statement, the fact is that the world is a dense crowd of regulations and compliance perspectives with limited harmonisation.
This is a difficult balance to strike and can be a lengthy and expensive process, but corporations with a cross jurisdictional reach must take steps to localise their policies. Compliance policies, where not effectively spanning the issues, can be relegated to the filing cabinet after circulation. This means that the time and effort put into preparation is not rewarded with close review and understanding of the policy by anyone other than regulators in the event of an incident.
The core reason for having a policy is that it produces particular compliance results by asking employees and intermediaries to take particular actions. Compliance professionals know, though, that differences in action come not from instruction but by generating a new perspective about the range of ways to do business and the development of sound judgement.
Some organisations miss the chance to use the rich vein of insights possible in a wider approach to policy making. Compliance policies provide an outstanding opportunity and a genuine foundation for organisational change. The policy-making process can be a tool in itself, both to generate a document that states the corporate position and a mechanism to uncover and address fundamental assumptions and perspectives about compliance. Without this, the policy integrity is undermined by becoming the mere box ticking exercise that we discourage in employees performing compliance processes.
Policies can gain breadth and depth in the course of any international localisation process. Eversheds is often asked to review and localise compliance policies over a range of jurisdictions. Principally this encompasses Europe, Middle East, Africa, China and India, but it can also include other parts of the Asia Pacific region and extend to Latin America.
In terms of review, we are asked to take one of three main approaches - amendment of the policy to eradicate any terms that would be unacceptable in the relevant jurisdictions, adding a comment to articulate the relevant legal principles in that jurisdiction and integration of multi-jurisdictional approaches within the policy.
Approaches To Localisation
The first approach, a request for removal of any inappropriate or legally unacceptable clauses, allows for quick turnaround and cost effective advice. It has the benefit of minimal change to the overarching policy. The challenge here is that this leaves an enormous amount of the intellectual framework behind the policy statements unstated. What remains may not have the same meaning and be understood in the same way across the organisation. This is insufficient to show employees how they might achieve compliance, particularly where local practice commonly deviates from the espoused ideal. For example, in Switzerland, there is significantly less legislation in the area of public security because the country is far less exposed to external dangers. Accordingly, the development of law relating to terrorism and understanding of these issues insofar as they introduce a regulatory burden is materially different from that in the U.S. While this might mean limited change to a corporate policy, legislation such as the USA PATRIOT Act may need to be explained in greater detail to these audiences.
In addition, in most global companies the choice is not between two different sets of legal principles, such as the U.S. or Swiss law. Employees and senior management need to have an understanding of both areas and how to balance the response to both. This produces a more complete appreciation of legal principles and improves the ability to exercise good judgment in response to compliance issues. It is essential in the context of legislation with cross jurisdictional scope such as the Foreign Corrupt Practices Act or U.S. Export Control laws.
A second approach includes general review of the policy together with a request to detail the relevant principles that apply in that jurisdiction. Commonly, the policy remains in place, with an addendum according to the relevant jurisdiction. This is a clearer and more complete strategy.
The difficulty with this form of policy design is that it is challenging to graft one series of principles and practice on to a more general policy that could be founded on a series of quite different assumptions.
When we send out a request for policy comment and the addition of a relevant domestic legal statement to our international firms without more detail, there are often vast differences in the responses obtained. In some jurisdictions, the same request that elsewhere produces a raft of detail is met with a glancing overview. This can be either because it is not recognised that there is a need to state the underpinning assumptions or because in order to begin at all, it might be necessary to return to first legal principles and to explain the context in which the regulatory regime applies.
Certain countries are able to easily detail their regulatory framework and place the comment within an overall picture. In the UK or the U.S. for example, a request to set out at a general level the scheme applying to the law of health and safety would be relatively easy. Other jurisdictions such as Bulgaria, the Russian Federation and certain countries in the Middle East have, by UK or U.S. standards, a far less structured series of relevant laws or enforcement of the law in place is an entirely different proposition.
It can be difficult to comprehensively detail and in some cases to even locate the relevant laws where they are not centrally compiled on an accessible database. Even where information is obtained, this detail is meaningless without understanding not just the laws and how they are applied but the overall legal framework.
Where the law has divergent underpinning principles from the norms on which the policy is based, it is immensely challenging to graft a sensible comment on to the policy that will provide useful information to employees within that jurisdiction.
It is also important to think broadly about the implications of the relevant compliance issues across a range of policies that might not be immediately evident. For example, the Italian 231/2001 decree that introduces a regulatory framework for administrative and criminal responsibility in Italy has implications not just for policies concerning bribery and corporate crime but also for contracting requirements and mergers and acquisitions due diligence.
Strategies For Management
Eversheds uses a number of mechanisms to support the incorporation of different perspectives into global compliance policies and improved integration of jurisdictional specific information into the compliance field. A cornerstone of Eversheds' approach is the use of project management across legal services provision and particularly in management of work across jurisdictions. This goes beyond mere coordination of information. It is about exploring gaps or areas that need to be addressed and training international teams to consider and address international perspectives.
Eversheds has also increasingly used technology to support well-organized and cost effective dialogue and the synthesis of a range of perspectives. We have learned through using our Global Accounts Management System (GAMS) that driving consistency is essential if meaningful data is to be obtained from multiple jurisdictions. In general, we would start with a clear template for the form of response needed. In multi-country legal work the time spent working towards consistent information provision often reveals a range of detail that it was assumed was already understood.
Other tools such as the use of electronic questionnaires, joint teleconference with the advising lawyers, the client legal advisers, and, where relevant, the businesses, can also assist greatly in focusing the advice and development of common understanding. We are also looking for other mechanisms to support joint working such as the use of open source software that allows collaborative working. This provides a crucible for comment with legal advisers being able to see the thinking and commentary of the rest of the team. Ultimately, technology can also provide a forum for a living policy
Differences in legal approach and regulation are challenges to be addressed in formulating an effective global compliance policy. There are a range of strategies that support this process. By using tools such as project management, a range of technical solutions and the opportunity for discussion of context to allow for the generation of shared understanding, compliance policies can provide fully developed statements to support the governance direction of the organisation.
Published June 1, 2008.