Processes to enhance compliance programs
The level of integrity and status of compliance with policies and procedures as well as external laws and regulations are key elements in any organization’s culture and business conduct.
The STEER Maturity Level assessment (MLA) “Legal & Financial Compliance” serves as guideline to review and assess the Company’s compliance program and system of internal controls that help the Company to be in compliance with legal and financial requirements.
The STEER MLA concentrates on the assessment of the effectiveness of the Company’s Compliance Program and the Company’s “system of internal controls” designed to prevent fraud as well as properly manage situations where fraud has occurred.
STEER will produce the following deliverables at the conclusion of the Compliance MLA:
1) A comprehensive report that identifies strengths and weaknesses in the customer’s Compliance program and establishes priority areas for improvements.
2) A presentation kit to be used for briefing management at different levels as required by the customer and if requested conduct the briefing.
Upon request, STEER will assist the customer in developing an action plan to close any identified gaps and work with the customer to complete these actions.
Companies want to create a work environment that fosters productivity and provides a safe and secure setting for their employees. As part of the foundation to reach this goal, most companies create a Code of Conduct, to provide employees with the framework for desired behavior and values.
The Code of Conduct is not merely a book or brochure, it is a set of principles designed to ensure the company’s integrity and success. It is the starting point from which to build a pillar of integrity.
Employee acceptance and support for the Code of Conduct makes it become part of the company’s DNA. To achieve this, a company’s Code of Conduct needs to be presented to employees as a platform for discussion, beginning with the senior management level. Once there is a true understanding of how this Code can guide and support business decisions, it needs to be a topic on the agenda for employee team meetings. This allows for an open discussion on the specific benefits and challenges the company’s Code of Conduct and compliance policies present for various departments within the organization.
At STEER we focus first on the strength and clarity of your existing Code of Conduct and offer enhancements where needed. We work with your management to ensure the Code is clearly understood and accepted by conducting employee workshops and presenting case studies.
At STEER we have a proven track record of achieving positive employee acceptance by partnering with management and employees, listening to their concerns and questions, and finding practical solutions to perceived integrity challenges.
Do you remember when you learned how to drive a car? Most of us begin this process by reading a driving manual, but it is not until we are in a car and driving that we really understand how to apply what the manual states.
Companies’ compliance policies should be viewed in the same way. Presenting employees with a policy (manual) is not enough. Employees need to “test drive” the compliance program by attending workplace workshops where real life job specific training can occur.
Employee training should be an interactive and enjoyable exercise designed to allow for open discussions and challenges. For best results, training should be tailored to the audience and adapted for the employees’ level within the company and must also be culturally sensitive when training in a global environment.
Compliance trainings often focus on what an employee is not allowed to do. An alternative training approach which has proven to be successful is one which focuses on what you can do as an employee rather than what you can’t do to perform your job duties in a compliant manner. This approach prevents, for example, sales employees from misunderstanding the limitations set by company policies and curbing sales activities since they may fear that their actions could violate company policies.
A company must not be afraid to sit with employees and “test” the level of compliance acceptance. This type of hands-on approach identifies compliance policy misperceptions, which can ultimately have a negative impact on the company’s bottom line results.
In our experience at STEER the best results are achieved by training specific job classifications for a focus on compliance program elements that are directly relevant within that job category.
A company’s compliance culture excels when employees are confident and secure with their full knowledge of the company policies. Training both in-person and through workshops is the way to achieve this result.
A supplemental component of training is e-learning. This is a cost effective, far-reaching, platform that can be both entertaining and educational. Together with in-person training employees have an opportunity to learn about compliance on many levels, which helps to promote full comprehension and confidence.
A hotline can be a very effective tool or channel for employees to report concerns regarding non-compliant behavior in their work environment. We believe that companies should provide this communication channel to allow any employee and stakeholder to report concerns of business misconduct anonymously. However, based on our experience, the use and acceptance of a hotline might differ from country to country. When it comes to report observations and concerns this channel is not necessarily perceived as the most universally attractive option for employees everywhere. Introducing a hotline therefore requires a “customized” approach that takes into considerations the different cultural backgrounds as well as preferences and resistance towards hotlines as a communication channel.
When a company rolls out a hotline, the way it is communicated to employees is very important. Questions such as “what type of issues do I report”, “what happens if I call the hotline”, and “will I be protected against retaliation when I report an issue” are on the mind of any employee who is considering making a call.
When a company addresses these concerns through effective communication and formal procedures employees gain the confidence to make this important call. Employees’ first impressions of a hotline during the roll out phase will set the stage for their confidence in using this tool.
As STEER professionals we have global experience establishing and managing hotlines on all continents in over 100 countries. Our approach with establishing ‘best practice’ hotlines has proven to be effective and a key component of a successful compliance program.
Whether or not to establish an in-house investigative unit or outsource investigative activities in relation to alleged employee misconduct depends on many factors, including (but not limited to) the financial burden of hiring expensive external expertise to conduct investigations and the company management’s desire to handle internal affairs internally.
STEER offers Government recognized ‘best in class’ practices to share with companies seeking to establish an internal investigative unit. STEER professionals have extensive corporate experience with investigating different types of allegations of employee misconduct, including FCPA violations. Our practices and protocols are recognized by Government authorities.
At STEER we recognize the sensitivities of an internal investigation and how to manage the process from the moment of receiving an allegation, through the remediation actions implemented in order to mitigate the risk of a repeating violation of the company’s policies and regulations, and/or local and international laws. In this respect, remediation may include employee discipline, internal control enhancements, reviewing business relationships, or in some cases, self-reporting to Regulators.
A very important part of the investigative process is managing the confidential internal communication regarding the investigation, to management and the affected departments.
In general, the investigative process consist of the following phases:
- Receipt of the allegation of business misconduct. This can occur (anonymously) through the existence of an employee hotline or stakeholder hotline. Allegations can also be addressed directly to the appointed compliance officer, by management, the audit function, HR, etc.
- Assessing the allegation. Not all allegations require an in-depth review and could be closed on the basis of an initial assessment. It could also be decided that an inquiry should be referred to another function, such as HR. It is strongly recommended to have a solid and consistent process in place to determine when an investigation can be closed.
- Preparing an Investigation Plan. An investigation plan describes the allegation and the actions to be taken to conduct a review. These actions could be background checks, financial reviews, email reviews, interviews of witnesses and suspect(s). In addition, the use of external expertise may be considered, such forensic expertise, security or local legal advice (when working abroad). In general, investigation plans, which relate to allegations that could potentially have a considerable financial impact on the company, such as bribery and anti trust related matters, are more extensive and include requirements, which would not apply to more common allegations of employee business misconduct.
An investigation plan may need to address potential restrictions in the investigation due to privacy and other local laws, or cultural and language barriers, which should be reviewed before the investigation takes place.
- Conducting an Investigation. During the investigation, the investigators execute the investigation plan. In practice, an investigation plan is a guideline for the investigation. Each investigation is unique and is subject to unexpected events, which often require the investigators to amend the investigation plan during the review.
Witness interviews are a critical part of an investigation. The task of an interviewer, or, if required, two interviewers, is to establish the credibility of a witness and obtain the facts surrounding an allegation.
“Conducting a good interview is at least as much art as science”. An interview requires a detailed preparation by the investigator. The importance of determining the location of the interview as well the day and timing cannot be underestimated. The interviewer requires a variety of skills necessary for obtaining information that the witness may be reluctant to share and determining whether the witness is telling the truth. An interviewer must be able to detect and interpret signals through the witness’ body language, speech patterns and overall demeanor.
- Reporting. A critical part of the investigative process is the investigation report. This report contains the facts obtained by the investigating team and may include witness/suspect statements and other documentation relevant to the investigation.
- Presenting the facts to a Disciplinary Committee. Depending on the size of the company, independent Global, Regional or Local disciplinary committees may be established, to ensure consistency and fairness of the disciplinary decisions. The disciplinary committee should consist of members of the management from different disciplines in the organization. The presence of an in-house legal counsel is strongly recommended.
The Investigation Report and relevant documentation, including statements obtained from witnesses and/or suspects are reviewed and discussed by the disciplinary committee. Investigators may present and/or be interviewed by the disciplinary committee. It is not unusual that in complex cases, the disciplinary committee requests the investigator(s) to conduct additional reviews before a decision can be made.
- Execution of the decision of the Disciplinary Committee and further remedial action. A disciplinary committee ensures consistency with respect to disciplining company policy violators and is responsible for communicating within the organization, required remedial actions to prevent violations from occurring again.
Disciplining the violator(s) of company policies does not prevent violations from occurring again. There are normally a number of control break downs in the processes of the affected entity and those break downs in the company’s system of internal controls need to be corrected in order to protect the organization from similar violations in future. The case therefore is not closed with taking the immediate disciplinary actions and disclosures but only once the deficiencies of the control system have been analyzed, understood and corrective actions have been taken. The involvement of the Internal Audit function is key in this phase. Changes in policies, processes and controls need to be communicated to initiate the learning process.