In light of the changing conditions and risks a company faces and with best practices evolving, a company should periodically step back and take a fresh look at:
- its compliance programs, including related codes of conduct and
- its procedures to prevent and control serious accidents.
While each compliance program and each set of procedures for prevention and control of accidents requires its own separate analysis, there are similarities and overlaps in basic principles between those programs and those procedures.
Below, we discuss some of the key principles to follow in establishing and maintaining programs and procedures to achieve these goals from a US perspective. We thought it would be useful to put these principles into checklists that can be used to help companies review and evaluate their programs and procedures. We also discuss below what the record should ideally show regarding the related actions of both company management and the company's board of directors.
With respect to compliance programs, the US Department of Justice (DOJ) has recently issued new guidance for evaluating corporate compliance programs. While this new DOJ guidance does not contain surprises, it is helpful because it is detailed and lays out the factors the DOJ looks at in grading a compliance program. This guidance provides an additional and primary checklist for the review of compliance programs in addition to the checklists set out below.
The primary goals of these programs and procedures are generally to avoid a compliance breach or a serious accident and to minimize the costs and adverse effects if any breach or accident does occur, including minimizing any US government fines or third-party US claims. In the case of compliance programs, a robust program, coupled with an effective and visible internal reporting system for potential violations, can also cause employees to report problems internally instead of pursuing lawsuits or making claims directly to regulators.
When putting policies and procedures in writing, the following points are worth keeping in mind:
- writings can provide evidence of the company's intentions,
- writings can provide evidence that the matter is a priority for the company and show that the company is trying to act with due care,
- writings can help channel everyone's efforts in a unified manner and lessen misunderstandings by clarifying exactly what conduct and actions are expected,
- written policies and procedures can reduce confusion over corporate decision making, deter rogue conduct and facilitate clearer chains of command by spelling out who is responsible for approving specific types of conduct and setting out specific procedures for obtaining such approvals,
- maintaining written policies for the conduct of company personnel can show that conduct violating those written policies is rogue conduct and therefore should not be attributed to the company if the company is threatened with fines or penalties and
- written guidelines in advance setting out proposed responses to serious accidents can allow those responses to be calmly and thoroughly planned out rather than being hastily developed in reaction to a sudden emergency.
There is always a potential risk that writings might be used in hindsight against the company or against individuals as establishing standards of care or as defining reasonable or required conduct that was not followed. This risk can be significantly reduced:
- by careful and flexible drafting to provide that variations from the written guidelines may be appropriate depending on the actual circumstances and if appropriately reviewed by the company or its Board and
- by ensuring that personnel receive appropriate training on the written guidelines.
The company must, of course, ensure that the guidelines do not set a lower standard of care than what is currently required by law or expected by regulators, which is an important reason why companies should periodically review their compliance policies.
1. Key elements to be addressed in an effective compliance program for company personnel
(a) Maintain written codes of conduct that set forth the company's policies regarding compliance with legal requirements and with business ethics
(i) Review the compliance policies on a regular basis (yearly or more frequently if circumstances change)
(ii) Obtain input regarding (1) the subjects to be covered (considering the company's current and planned activities and the current and potential circumstances the company faces), (2) the exact rules and principles that should be stated and (3) how best to make the policies effective
- input should come from the heads of various business units (covering different products and services and different locations) and from the heads of various internal functions (such as legal, finance, HR, etc.) as well as from outside advisers
- this input looks not only at the compliance subjects and best practices of peers but also at the company's unique operations, incentives and culture to tailor the rules and principles so that they are clear, understood and effective
- the policies should be discussed and reviewed with the Audit Committee and/or the full Board to receive their input and to inform them about how the company is handling this area of risk management
(iii) Compare the risks and compliance requirements covered in these company policies with those that are identified by the company in its public disclosure documents
- also compare the representations and covenants referring to legal compliance in the company's financing and underwriting agreements
(iv) Consider whether differences in approach or in language are needed for the various jurisdictions in which the company operates
(b) Communicate the policies and related procedures and train employees on proper compliance
- train new employees and periodically provide refreshers for long-time employees
- consider the communication methods that will be most productive -- e.g., live vs. recorded, individual or group, case studies, interactive, testing
- consider how continuing guidance is provided if questions arise
(c) Communicate certain policies to agents and contracting parties as appropriate
- where appropriate, incorporate aspects of certain policies (such as anti-corruption policies) into agreements with third parties (such as agency agreements and joint venture agreements)
(d) Have procedures adapted to the company's circumstances that are designed to detect both (1) situations that may raise increased compliance risks and (2) potential or actual violations
- have effective methods to encourage reporting of potential problems, with an anonymous hotline or other confidential reporting methods to protect persons making the reports
- use internal audits, exit interviews and periodic self-assessments to uncover (1) possible compliance violations and (2) obstacles to uncovering violations
- have in place a reporting system that raises compliance issues up the chain to inform designated people who have the appropriate authority and responsibility
- promote awareness of the reporting system to employees, so that they know how to report potential problems internally
- conduct appropriate due diligence and monitoring when dealing with third parties in certain situations (such as in government contracting or in making an acquisition) that may raise concerns for compliance with certain policies (such as anti-corruption policies)
(e) Consider whether new applications of technology (blockchain, artificial intelligence and other areas of fintech) may be available and appropriate to help (1) ensure compliance with certain legal requirements or (2) detect possible violations of compliance policies or suspicious activity
- technology may help with authentication requirements in complying with anti-money laundering laws and other requirements
- technology may help to sort large amounts of data efficiently and reliably in monitoring compliance
(f) Have procedures in place in advance to deal immediately with any suspected violations of policies
- this includes having in place in advance some form of written guidelines specifying the possible steps to be taken to investigate and respond to suspected problems
- the procedures should provide for immediate investigation of any red flags and of any suspected violations
- investigations should consider the use of internal versus external counsel, consider the need to protect attorney-client and work product privileges (for both internal and external counsel) and consider appropriate disclosures (about the purpose of the inquiry and who the counsel is representing) when interviewing employees and others
- identify in advance the appropriate internal and external persons who will have the necessary skills and be available when needed to handle the investigations
- the procedures should address the handling of related internal and any external communications
(g) Address reporting to the Board and/or Audit Committee
- provide reports in cases of material, recurring or repeated violations of compliance rules or violations showing weaknesses in internal controls over financial reporting or in disclosure controls
- also consider providing the Board and/or Audit Committee with regular periodic reports on the status of the compliance program, including any investigation activity
(h) If there are any potential or actual violations, the company should take the following actions and the record should show that these actions have been taken:
- company management should take any red flags or complaints seriously and demand adherence to the company's policies
- there should be an immediate, impartial and appropriate investigation when potential issues are suspected; the scope of investigation that is necessary will of course depend on the particular situation
- the company should respect privacy rules
- the company should not retaliate against whistleblowers
- if an employee comes forward about a potential problem, it is important that the employee believes the company is taking the employee's concerns seriously; an employee who feels the company has been unresponsive or dismissive about the employee's concerns is more likely to file a lawsuit or make a whistleblower claim to a regulator
- the appropriate company personnel should be kept informed of the progress and results of the investigation and of the company's responses, including any punishments and corrective actions
- the company should consider what, if any, external communications are appropriate or required, including any to regulatory authorities
- there should be appropriate repercussions for those who violate or ignore the policies and, where appropriate, the company should consider internal communications about the repercussions in order to deter similar violations
- prompt steps should be taken in response to problems to reduce the likelihood of future violations, including learning from any violations that do occur
(i) Assess the effectiveness and actual administration of the compliance program
- review the communication and training process and results, review the internal reporting history (looking at both what was reported and who was notified), review how red flags and possible violations were handled, review any investigations, review the follow-up (including any discipline or responses) and review the record-keeping and documentation of these matters
- conduct such reviews periodically
- the assessment would typically include determining whether the above points in this checklist are being observed
- the assessment would also consider how the DOJ would likely view the compliance program under the DOJ guidance referred to at the beginning of this document
- consider occasional audits using appropriate external persons to evaluate the administration of the compliance program's more sensitive policies, such as anti-corruption
2. Key elements of prevention, mitigation and response procedures to deal with accidents, including those that can give rise to third-party claims
The company's compliance program discussed above requires that company personnel must comply with various rules and principles in their conduct primarily to comply with legal requirements and business ethics. The company also needs to have procedures in place to manage various operational and external risks that could create potential accidents (such as fires, explosions, equipment accidents, environmental spills, extreme weather conditions, data breaches and other events), often caused by external forces. For these other risks that could cause a costly incident, some of the same factors discussed above (regarding compliance programs) should be applied in developing appropriate prevention/mitigation/response procedures.
The following self-assessment questions express some of the principles to be followed in the content and administration of these procedures to deal with accidents. Each of the following questions should ideally be answered: "Yes."
(a) Does the company maintain clear written procedures designed to prevent, identify, control, mitigate, respond to and learn from any incidents?
(b) Does the company obtain input from appropriate internal personnel and external advisers (including insurers) in creating and regularly reviewing these procedures?
(c) Do the procedures, at a minimum, address the risks of incidents that the company has identified in its public disclosures or that are the subject of various company representations in financing agreements and underwriting agreements (such as risks relating to cybersecurity)?
(d) Do the procedures address risks that are encountered or planned for by others in the lines of business conducted by the company or at the locations where the company operates?
(e) Are the company's Board and/or Audit Committee provided with appropriate information about these risks and the procedures to deal with them, together with relevant reports on any incidents or potential red flags, so that the Board and/or Audit Committee can exercise their oversight role?
(f) Does the company train and retrain appropriate personnel to carry out the procedures effectively?
(g) Do the procedures provide clear instructions as to which employees have authority to perform or approve tasks that are sensitive or dangerous (and, if so, are those protocols actually known and followed within the company)?
(h) Do the company's procedures provide for monitoring, detecting and investigating, on a timely and early basis, any red flags and any potential, developing and actual incidents?
(i) Do the company's procedures provide for immediate handling of any potential or actual problems that may arise or are uncovered, addressing:
- investigation, containment and remediation using internal and external resources and
- appropriate reporting to a superior or superiors within the company and any appropriate or required communication outside the company, with communities, regulatory authorities, partners, customers, suppliers, other stakeholders or the media?
(j) Do the procedures include identifying in advance staff and resources, both internal and external, that will be needed and will be available to respond if an incident occurs?
(k) Does the company in fact take prompt and effective action:
- to try to prevent or minimize the occurrence of potential or actual incidents?
- to respond to any red flags as they arise?
- to respond to, control and mitigate the effects of any potential or actual incidents, as they arise?
- to analyze any incident to learn its causes and what can be improved in the future?
- to make improvements to better prevent and better respond to future incidents (including applying lessons learned)?
- to reflect in the company's records that these actions have been taken?
(l) Does the company have a communications plan in place for public relations crisis events, so that (1) an appropriate spokesperson can be quickly identified, (2) the company speaks with one voice and (3) post-crisis statements can be reviewed for accuracy before dissemination?
(m) In communicating and messaging about how the company will improve its risk management, does the company avoid criticizing its past actions as inadequate or needing improvement and instead focus on the improvements it is making? Note that this is not inconsistent with a company's decision in some crisis management situations to issue some form of an apology as the best communication, with or without more details.
(n) Does the company try, where possible, to independently test the effectiveness of the procedures that are in place to prevent, identify, control, mitigate and respond to incidents?
(o) In general, does the record show that a comprehensive effort has been made and continues to be made by the company to identify and control risks, especially risks that could harm people, assets or the environment, and that it is a company priority to do so?
(p) Put another way, does the record show a company whose management and directors have been careful and diligent to try their best (1) to protect their personnel and other people from harm, (2) to avoid damaging the assets of others and (3) to show respect for preserving and protecting the environment? Does the record show this is more than just a dollars and cents calculation made in specific situations to avoid costly expenses and third party claims and that it is one of the core operating principles of the company?
3. Some key actions by the senior executives of the company in managing the risks referred to checklists 1 and 2 above
With respect to the risks referred to in checklists 1 and 2 above, the senior executives leading the company should take the following actions, among others, and the company's records should show that these actions have been taken:
(a) Pursue comprehensive efforts to identify the risks that could be created or encountered by the company's activities, including any new or developing risks
(b) View the proper identification and control of risks to be an important part of their job
(c) Possess the necessary abilities and have available to them the necessary resources in order to identify, understand and manage those risks or use appropriate persons from inside or outside the company who have the necessary abilities and have access to the necessary resources
(d) Conduct, direct or oversee the actions listed in checklists 1 and 2 above
(e) Show continuing interest in reviewing the effectiveness of the policies and procedures put in place and referred to in checklists 1 and 2 above, including reviewing and (as appropriate) reacting to periodic reports regarding (1) any potential or actual violations or incidents, (2) the responses taken and (3) the implementation of lessons learned
(f) Ensure that appropriate communications channels exist within the organization so that potential problems are disclosed to the executive team in a timely manner and so that the company's public disclosures are accurate
(g) Maintain a consistent tone from the top endorsing and supporting these policies and procedures for all personnel throughout the company, including fostering a culture of compliance with laws, of protection of the safety of persons and assets inside and outside the company and of respect for the environment
4. Some key actions by the directors of the company in managing risks
With respect to the risks addressed to in checklists 1 and 2 above and other risks (such as possible regulatory changes or price changes), the directors of the company acting as the Board and/or acting through the Audit Committee should take the following actions, among others, and the company's records (including board minutes and agendas) should show that these actions have been taken:
(a) View oversight of the company's identification and control of risks to be an important part of the directors' duties
(b) Ensure that the board has the right abilities to identify and understand the risks facing the company and how those risks should be managed or receive help from appropriate persons from inside or outside the company who can properly inform and assist in this oversight role
(c) Question management about key risk areas, controls and potential problems, including whether management has established an effective reporting system that will raise potential problems up to the executive and board levels
(d) Receive appropriate and timely reports at briefings by company management regarding:
- the risks that could be created or encountered by the company's activities, including any new or developing risks
- what steps have been and are being taken in advance to manage these risks, including steps to prevent, deter, control and mitigate the effects of any occurrence
- the occurrence of any material violations of compliance policies, the occurrence of any material potential or actual accidents addressed in checklist 2 above or the occurrence of any other material risk (such as a change in tax rates)
- the expected impact of any violation, incident or other occurrence, what responses are being taken to control it and mitigate its effects, what lessons have been learned and what improvements should be made going forward
(e) Discuss these reports and matters with senior management and ask questions and make comments
(f) React to any red flags by asking questions when appropriate, by requesting more information and by overseeing action to fix or improve the situation
(g) Show continuing interest in reviewing the effectiveness of the policies and procedures put in place to deal with the risks addressed in checklists 1 and 2 above
Open banking around the world
The UK continues to be the global pioneer in Open Banking through the implementation of the EU Payment services Directive (PSD2) and the open banking initiative by the Competition and Markets Authority (CMA).