Having a Standard Compliance Program. Is That Good Enough?
Question: Our company has a standard compliance program, that has been provided to us by an outside consultant. Are we well-protected in case of anti-bribery and corruption violations and investigations by the authorities?
Answer: Compliance programs cannot be “off the shelf” programs, but should be tailored to each company’s risk profile and business model. A “standard” compliance program is not a sufficient defense to misconduct and bribery and corruption violations. The critical aspect of a well-designed program is risk assessment and companies should carefully analyze and address the varying risks they face, such as the location of its operations, the industry sector, the regulatory landscape, payments to foreign officials and use of third parties. A risk-based compliance program shall devote appropriate attention and resources to high-risk transactions.
In addition, a compliance program, even if tailored and well-designed, cannot be a “paper program”, instead it should be implemented in an effective manner and periodically reviewed and revised, as necessary. Even a solid compliance program may be unsuccessful in practice if implementation is lacking or ineffective.
Effectiveness and implementation of a company’s compliance program is an important factor considered by the authorities when deciding what action to take in the context of the misconduct. For instance, DOJ and SEC may decline to pursue charges against a company based on the company’s effective compliance program, even when that program did not prevent the particular underlying FCPA violation that gave rise to the investigation.
Question: Our company has a standard compliance program, that has been provided to us by an outside consultant. Are we well-protected in case of anti-bribery and corruption violations and investigations by the authorities?
Answer: Compliance programs cannot be “off the shelf” programs, but should be tailored to each company’s risk profile and business model. A “standard” compliance program is not a sufficient defense to misconduct and bribery and corruption violations. The critical aspect of a well-designed program is risk assessment and companies should carefully analyze and address the varying risks they face, such as the location of its operations, the industry sector, the regulatory landscape, payments to foreign officials and use of third parties. A risk-based compliance program shall devote appropriate attention and resources to high-risk transactions.
In addition, a compliance program, even if tailored and well-designed, cannot be a “paper program”, instead it should be implemented in an effective manner and periodically reviewed and revised, as necessary. Even a solid compliance program may be unsuccessful in practice if implementation is lacking or ineffective.
Effectiveness and implementation of a company’s compliance program is an important factor considered by the authorities when deciding what action to take in the context of the misconduct. For instance, DOJ and SEC may decline to pursue charges against a company based on the company’s effective compliance program, even when that program did not prevent the particular underlying FCPA violation that gave rise to the investigation.