“Rey . . . these are your first steps.”
– Obi-Wan Kenobi
Depending on the type of product you make or service you provide, there are numerous laws and regulations governing what you can do and how you can do it. You should be proactive and have an understanding of what is required under the law and what you need to do to be in compliance.
Keep in mind that many of these obligations could extend well beyond just a couple of departments or a handful of employees. For example:
- Cybersecurity laws can affect every employee that has a computer and e-mail address;
- Workplace behavior laws can affect every employee who may have interactions with other employees;
- Workplace safety laws can affect every employee involved in the production process;
- Anti-corruption laws can affect your entire internal and external sales, marketing and distribution networks if you are a global manufacturer; and
- Antitrust laws can affect every employee who may have some level of influence over how you compete in the marketplace.
Developing and implementing internal standards and guidelines addressing these laws can be critical to minimizing exposure to non-compliance. However, just cobbling together a policy and then e-mailing it to everyone with a “READ THIS AND DO WHAT IT SAYS!” subject line can be a waste of time and resources.
Pro Tip #1: Generate Buy-In
In my experience, telling senior executives that they can or can’t do something because a particular law says so often goes over like a lead balloon. Instead, helping them to understand the “Why?” – in plain English and without resorting to starchy and yawn-inducing legalese – is a more productive way to generate buy-in for a compliance process up front.
I like to start with a 90-minute presentation to key stakeholders, beginning with an educational background on the applicable law itself (as long as it’s interesting enough to draw in the audience). For example, when developing and implementing an Antitrust compliance program, consider beginning with a history lesson on the rise of these laws in the U.S., including legendary figures like Teddy Roosevelt, John D. Rockefeller, Andrew Carnegie and J.P. Morgan.
Embellish a bit if necessary and have some fun with it. I try to channel my old high school history teacher, Mr. Koester, who was adept at making even the most boring subjects entertaining. The storytelling aspect – in addition to the content itself – is an important part of getting the audience interested and engaged up front.
Then generally discuss the laws themselves, including how they are enforced and penalties for violation. If your audience tuned out during your awesome history lesson, you may get their attention when discussing that criminal violations of the Sherman Antitrust Act are felonies punishable by up to 10 years in prison and fines of up to $1 million per violation for individuals (up to $100 million per violation for corporations).
Next, provide real-world horror stories of what can actually happen when you violate the law. If you’re generating buy-in for an anti-corruption policy, talk about how the Department of Justice knocked on the door of medical device manufacturer Smith & Nephew for using a Greek distributor to make improper payments to doctors at state-owned hospitals there (hint: the DOJ considered this to be bribing government officials). The result? Smith & Nephew had to pay a $16.8 million fine and agree to a compliance monitor for 18 months. Oh yeah, and it also had to give up over $4 million in profits and pay nearly $1.4 million in prejudgment interest to resolve civil Securities and Exchange Commission charges.
Now that you have their attention, provide some easy-to-understand hypotheticals and have your audience discuss whether the conduct would constitute a violation. There will invariably be at least one devil’s advocate who will try to argue the contrarian position. This is a good thing, as it means the presentation is at least being digested and thoughtfully considered. Take the additional step of incorporating others into the discussion as much as possible, which can create a cooperative dialogue encouraging everyone to participate and think critically.
Reinforce throughout that this is not intended to make them experts on the particular law, but to help them spot potential issues in their own business dealings so they can be aware of them and proactively address them if necessary. And, of course, so they won’t be blindsided when they are asked to review and sign a written compliance policy later.
Pro Tip #2: Develop a Written Policy
Okay, now that you have buy-in for this project, it’s time to prepare the written policy. Yes, this is a document that should serve as a front-line shield to that potential “knock on the door,” but it should likewise be something that can be read and understood up, down and across the organization without too much strain or effort. I’m looking at you, starchy lawyers who love to write in indecipherable legalese – WRITE IN PLAIN ENGLISH!
Consider beginning the policy with a letter from the Chief Compliance Officer, or another high-ranking senior executive, communicating the company’s commitment to high ethical standards and its expectation that the policies be followed. This establishes up front the general significance and gravity of the policy being implemented (and that it’s not just another “TPS Report” or perceived roadblock put up by the legal or compliance department).
Next, add a general, easy-to-read summary of the highlights of the detailed policy. This should be no more than a couple of pages and will list the most important aspects – i.e., the “NEVER do this . . .” or “ALWAYS do this . . .” items. Then provide a statement briefly communicating the overarching, non-specific compliance guidelines, which should include some version of the following:
- Each employee is individually responsible for compliance with [the subject laws].
- Employees may not engage in, approve of or tolerate any conduct violating [the subject laws].
- Employees in management positions are personally accountable not only for their own actions but also for the conduct of their subordinates.
- Employees violating the policy may be subject to disciplinary action, including termination.
- Materials and education programs will be provided as needed to explain what is expected of employees related to their compliance obligations in connection with day-to-day responsibilities.
The next section should be a general overview of the subject laws themselves and categories of enforcement and penalties for violation, followed by a more comprehensive list of the specific prohibitions and requirements. This list should be in plain English and broken down into sections with an easy-to-read bullet-point summary at the end of each.
The policy should conclude with a recitation that the policy is not intended to make employees experts on the particular laws, but rather to assist them in understanding their compliance responsibilities, spot potential issues when they arise, and raise the flag when necessary. Make sure to identify the person or department where questions or issues can be directed.
Of course, be sure to include a section at the end in which the employee expressly acknowledges receiving, reading and understanding the policy, where to go with any questions, and the consequences of not following the policy (i.e., disciplinary action including termination).
Pro Tip #3: Provide Regular and Meaningful Training
Developing a robust written policy is only half the battle when it comes to creating a culture of compliance within your organization. Equally important is to provide regular and meaningful training to your employees to help them understand their obligations and incorporate them into day-to-day responsibilities. And remember, establishing a culture of compliance starts at the top, so executives and managers should be leading by example.
Depending on the size of your company, individually training each and every employee may be impractical or impossible. To reduce training burdens, learning management system (LMS) software is available that can provide relevant modules to automate delivery, tracking and administration of training to all relevant employees.
At a minimum, consider in-person training for management-level personnel, making them personally accountable for training subordinates. Of course, training should be well-documented to ensure enterprise-wide compliance, with regular auditing to ensure best practices (hint: consider a third-party expert to periodically audit your compliance controls).
All of this contributes to a culture of compliance. So when an investigation or lawsuit invariably commences alleging noncompliance, you can confidently demonstrate that your company: (1) has written policies governing such infractions; (2) regularly educates personnel on these policies; and (3) fosters a culture of compliance with the laws and regulations governing your industry. It should go without saying that this can and does minimize exposure to worst-case outcomes.
As one of the nation’s only practices focused exclusively on Preventive Law, KEEFER is skilled at identifying compliance requirements and developing and implementing policies that are relevant to your business.
KEEFER is your ounce of prevention.