A discussion on avoiding corruption issues has to take place on two levels; a more general macro view, as well as on a practical level. So, in general terms, a company has to start with the right culture, a culture where it's known that corruption will not be tolerated and that there will be real consequences if it does occur or even if it's been entertained as a possibility. I cannot overstate how important it is to set expectations from the very beginning, both internally and with counterparties. In addition to a good general culture though, there also needs to be a comprehensive compliance program that incorporates everything we've discussed in previous courses. But a robust compliance program must be well implemented and also able to specifically address anti-corruption issues as they arise. An effective anti-corruption compliance program can prevent potential FCPA and other corruption problems from occurring in the first place, as well as assist in detecting issues if and when they do occur. This will give a company the ability to act earlier before matters become worse and be in a better position to consider options on what to do to remediate the issues. It also adds to the general culture of a company and is another opportunity to emphasize a company's commitment to compliance and ethical conduct. Finally, if a company has a robust and effective anti-corruption program, it will generally be considered as a mitigating factor should there be a law enforcement or regulatory investigation. Both the SEC and the Department of Justice have stated that they will consider this in deciding whether to bring charges, what charges to bring, and what if any penalties to pursue. The Federal Sentencing Guidelines similarly provide for mitigation when the offense occurred even though the organization had in place at the time of the offense an effective compliance and ethics program. In 2017, the Department of Justice published a new framework on evaluating corporate compliance programs to be used in the context of criminal investigations. They made it very clear that it wasn't a checklist or a formula and that all matters would be considered on a case-by-case basis. But it's very helpful to understand and use the general concepts to assist in formulating an anti-corruption program. Here are the items that they said they will use to evaluate a compliance program during an investigation. So, first, an analysis and remediation of the underlying misconduct. Has the company done a root cause analysis of the matter in question? What were the findings? Were there prior indications or opportunities to detect the misconduct in question that were missed? If so, why? What remedial steps has the company taken to prevent similar misconduct in the future? They'll also look at senior and middle management. Has leadership encouraged or discouraged the type of misconduct in question? Has it demonstrated a commitment to compliance? How much oversight does the board of directors or senior management exercise relating to compliance? I think this item can be summed up as what was the culture of compliance and how does that relate to the anti-corruption program? Dovetailing with that is autonomy and resources dedicated to compliance. Was compliance involved in training and decisions relevant to the misconduct? Do the compliance and relevant controlled personnel in the field have reporting lines to headquarters? If not, how has the company ensured their independence? How have decisions been made about the allocation of personnel and resources for compliance and relevant control functions in light of the company's risk profile? Then, of course, there are the policies and procedures. What has been the company's process for designing and implementing new policies and procedures? How has the company communicated these procedures and these policies to relevant employees and third parties? What controls failed or were absent that would have detected or prevented the misconduct? Are the policies and procedures reviewed and updated? If so, how often? Another item is a risk assessment. What methodology has the company used to identify, analyze, and address particular risks that it faces? What information or metrics has the company collected and used to help detect the type of misconduct that occurred? How has the company's risk assessment process accounted for the risks? Like a company's policies and procedures, training and communications is another item they will evaluate. What training have employees in relevant control functions received? How has the company measured the effectiveness of training? What has senior management done to let employees know the company's position on misconduct that might have occurred? What resources are available to employees to provide guidance relating to compliance policies? For the specific matter, confidential reporting and investigations are important factors to look at. Things like, how has the company collected, analyzed, and used information from its reporting mechanisms? How has the company ensured that investigations have been properly scoped, and were independent, objective, and appropriately conducted, and properly documented? Are there an evaluation of whether there was a mechanism for making a confidential report? Next, they'll look at incentives and disciplinary measures. What disciplinary actions has the company take in response to the misconduct that was discovered? Who participated in making disciplinary decisions for the type of misconduct? Have the disciplinary actions and incentives been fair and consistently applied across the organization? How has the company incentivized compliance and ethical behavior? They're also going to evaluate whether there is continuous improvement, periodic testing, and review. That's the second to last item that the Department of Justice mentioned. What types of audits and testing take place, and would it or should it have identified the issues relevant to the misconduct? Has the company reviewed and audited its compliance program, including testing of relevant controls, and the collection, and analysis of compliance data? Have they interviewed employees and third parties? Finally, third-party management. How has the company's third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management process? How has the company monitored third parties in question? How has the company incentivized compliance and ethical behavior by third parties? There's a lot there. Taking some of the more salient points from the Department of Justice, you can boil it down to the following five key elements that at a minimum, every anti-corruption program should have: policies and procedures, a risk assessment and identification of warning signs, training, preventative measures, and an understanding of how to properly interact with government officials.
