I wrote last December that the markedly rising tide of criminal sanctions under the U.S. Foreign Corruption Act and the coming into effect of the UK Bribery Act should inform corporations implementing stringent corporate anti-corruption and compliance programs and policies. Such policies are critical; when properly managed, they trickle, with active oversight, from the enterprise level to business units and departments, and then to individuals. In addition to articulating corporate culture, policies establish in writing the exact parameters of required individual business conduct — standards to which the corporation may be held legally liable. Whereas risk governance for decades had to be handled with traditional resources (e.g., information distributed across antiquated legacy systems or even paper files) that could result in unintended, disparate results within an enterprise, corporations can now employ technology platforms to safeguard their interests more effectively.
Before turning to how such systems may be used, it is important to examine how organizations often manage corporate policies and the effect thereof. Creating policies is not — nor should it be — a routine. Processes may need to meet highly specific regulatory requirements, create a corporate ethos, or back up social responsibility statements (e.g., a one-third reduction in the use of plastics in bottled products). Moreover, it is not always easy to identify where other policies might be warranted. According to Scott Giordano, Corporate Technology Counsel for Mitratech, a provider of legal and compliance solutions, “[a]n organization needs an active risk and regulatory intelligence process to identify when a process needs to be created.”
Procedures: The Backbone of Corporate Policies
Policies are only as strong as their underlying procedures, which should be as precise as possible; procedures with teeth are less prone to misinterpretation. Such precision also goes directly to potential corporate liability. Because a policy or procedure may establish a duty of care, mismanagement of policies and procedures can introduce liability to the organization. Given the import of such policies, it is critical that organizations avoid the following potential (and common) pitfalls.
First, policies should not be dispersed. Rather, they should fall under the authority of one source where all policies and procedures are consolidated, maintained, and managed, ideally using technology-based collaborative platforms, as discussed below.
Second, policies should not exist only on paper, even if they are maintained as such in a centralized repository. Nor should they be distributed electronically across systems that are not integrated.
Third, policies cannot afford to be outdated. They must be reviewed and updated as necessary on a consistent basis. The speed with which the regulatory landscape changes demands nothing less in order to protect the corporation.
Fourth, policies must have an official owner or steward within the enterprise. When stewardship falls to the department level, the appointee must be highly skilled in that area. Electronic discovery is a perfect example. In levying harsh sanctions, a federal court recently took particular note of the fact that the e-Discovery custodian testified that he was “about as computer illiterate as they can get.” See Green v. Blitz U.S.A., Inc. (E.D. Tex. Mar. 1, 2011).
Fifth, policies must implement means by which behavior is monitored, and violations both investigated and addressed.
Sixth, policies must be mapped to standards and regulations. This should seem obvious — the parameters of regulations guide corporate actions. However, according to Giordano, this important element of policy often does not receive the attention it requires. He states: “It is a time-consuming, labor-intensive and error-prone effort to validate compliance for auditors, regulators or other stockholders. The organization does not have the ability to easily assess the impact of new or changing regulations that affect policy.”
Seventh, attestation and certification must be integral parts of policy management. It is not enough for corporations to put even the most sophisticated policies in place. They must also be able to attest to the policy training they provide, as well as certify by employees’ signatures and performance that they have been trained and understand the materials and consequences of violating policy, as verified by having passed tests on subject matters relevant to compliance. Attestation and certification provide great reassurance that policies are defensible in situations with regulators and in legal actions.
Eighth, policy management cannot be isolated within the enterprise. Corporations with departmental compliance programs that either (a) exist in informational silos, or even (b) communicate with (but only with) the Legal Department, may be at greater legal risk than necessary, as well as sacrificing potential business efficiency, effectiveness, and agility. By contrast, corporations that forge compliance programs at the corporate level through collaboration produce the sort of harmony across organizational functions that eliminates anachronistic and ineffective compliance programs not aligned to business needs. The combination of both centralized and departmental enforcement can also reduce accountability by demonstrating that a given policy is properly enforced.
Developing Corporate Policy
Once a corporation identifies that a corporate policy related to a specific issue is needed, it must then formulate that policy. Before any writing occurs, the corporation must be absolutely clear who has ownership of the policy and at which corporate level it will be owned and administered. From there, writing ideally should occur collaboratively, as discussed above. Each new policy must be approved by the Legal Department, the departments it affects, and, ideally, senior management and even the Board of Directors. According to Giordano, “[t]his phase is iterative, as the approvers may send back the policy requiring changes before it is approved and everyone comes to an agreement that is the right policy for the organization.”
Once an approved policy is in place, it must be published and distributed to all stakeholders, including employees and business partners whose actions it now governs. While this can be done alone in myriad ways, technology now affords corporations the opportunity to make available easily accessible, centralized repositories through which policies may be reviewed at any time. Giordano states:
“Best practice is to have a single policy system in which any individual within the environment can log in and see all of the policies that apply to a specific job role in the organization and receive automated notification of the changed or new policy.”
Policy Enforcement and Maintenance
No policy can be effective unless it is carefully monitored and revised (i.e., maintained) if necessary upon regular reviews (e.g., monthly or annually). Corporations should assess the level of non-compliance with any given policy in order to determine whether the policy should be amended or left in place without notification.
Such review, when managed through a corporate-wide technology architecture, “enables organizations to proactively protect the organization by aggregating and reconciling compliance with multiple regulations and requirements, the policies that result from them, and the processes that ultimately monitor and control them.”
A common technology platform consolidates information from various departments, e.g., Human Resources, Legal, Partnership Management, and others. This information must be integrated across the enterprise, which means working with contemporary information solutions, as well as legacy systems in larger, older companies.
Policy Management Today
Corporations looking to implement technology-based management systems today should keep in mind that identifying, writing, training, updating and enforcing policy require highly collaborative efforts that safeguard corporate interests.