On Wednesday I had the privilege of moderating an executive forum in Philadelphia on corporate governance and investigations. Roughly 40 compliance and audit executives were there, hosted by audit firm Baker Tilly and law firm Morgan Lewis.
Our goal: hash out some of the current challenges in managing complex investigations.
Granted, you could talk about astute management of investigations until the cows come home. Within the last several years, however, complex investigations have become especially complex — difficult issues of fraud and mismanagement to unravel; rising risk of whistleblowers shotgunning the issue into public view before you understand what’s really happening; huge sums of money involved.
Compliance, legal, and audit executives are all in the middle of that blizzard, and nobody sees investigations getting easier to manage any time soon. So what good practices and good insights did the group raise? Two come to mind.
First, find your allies on the other side of the enterprise and forge close ties with them. Our audience and panelists fell into two camps: audit and forensics people; or legal and compliance people. It was a great blend of perspective, and that’s what investigation functions of the future will need.
Why? Because either group can manage some parts of a complex investigation well, but neither one can manage all parts of a complex investigation well. The issues — especially for violations of the FCPA, the False Claims Act, or even data privacy law — simply get too intricate and beyond the expertise of any one “side” of good corporate governance.
For example, consider the SEC’s enforcement action against Sanofi last year over FCPA books-and-records violations. In that case, Sanofi sometimes gave “credit notes” to distributors, which essentially canceled some debts the distributors owed back to Sanofi. The glitch: under some circumstances, those credit notes could be converted into cash. I’ll give you one guess how that cash was ultimately used.
To resolve an issue like that, however, requires a sophisticated understanding of accounting policy and the ability to perform effective due diligence on third parties; skill in either one only addresses half your headache. A business needs strong audit and compliance functions that know how to work together if that company wants to prevent Sanofi-like problems.
Otherwise your business might be able to remediate specific incidents after they happen, which is great; but that won’t necessarily reducing the risk of repeat offenses in the future. Only a strong, effective root cause analysis can do that.
If your risk oversight functions can’t cooperate well, and can’t bring comprehensive expertise to bear when studying a complex misconduct problem.
If your risk oversight functions (compliance, audit, legal, IT) can’t cooperate well, and can’t bring that comprehensive expertise to bear when studying a complex misconduct problem — then your ability to conduct a root cause analysis is weaker.
And if executives don’t have that correct, full understanding of how a problem arose, they can’t implement the deeper structural reforms that might be necessary: new accounting policies, stronger control environment, more investment in skilled compliance or risk management personnel.
Then you’ll really be in the soup once that second incident occurs sometime in the future. That’s true whether you’re simply explaining the matter to the board, or worse, explaining to regulators and the public.
The idea of cooperation is not new to anyone, I know. But the misconduct and regulatory compliance issues that organizations face in the 2020s and beyond are only going to get more complicated. Which means that cooperation is only going to get more important.
To Disclose or Not?
This week’s forum also had spirited debate about a perpetually difficult question: whether to disclose corporate misconduct to regulators or not.
After all, the Justice Department’s new FCPA Corporate Enforcement Policy is clearly intended to encourage more disclosure; so are all the other new department policies relaxing standards for compliance monitors, cooperation, and more.
So that puts a choice in front of companies: Do we disclose and definitely incur some costs (since the investigations that follow do not come cheap)? Or do we keep quiet and risk incurring more costs if regulators discover the misconduct via other means?
There was a lot of uncertainty among our group about exactly what misconduct fits the disclosure profile. That is, what’s the difference between an errant employee who can be disciplined, and the matter quietly closed; or an employee who commits a crime because of larger organizational weaknesses, where the company faces corporate liability?
We didn’t reach any solid answer on that. Several participants made good arguments not to disclose.
Regardless, compliance officers can’t ignore the plain truth that whistleblower risk is increasing. If you do decide not to disclose something that you truly believe doesn’t rise to the level of corporate misconduct — that higher whistleblower risk drives up your need to be able to defend that decision, should regulators later come knocking.
If you decide not to disclose something that you believe doesn’t rise to the level of corporate misconduct — higher whistleblower risk drives up your need to be able to defend that decision.
So your documentation of an effective compliance program will need to be better. That documentation will need to match the Justice Department’s guidelines for evaluating effective compliance programs more closely.
Remember: once a whistleblower does report some supposed issue to the feds, you’ve lost the ability to self-disclose and qualify for more forgiveness under the FCPA Corporate Enforcement Policy (or other enforcement standards). So you’ll need to be able to demonstrate why you believed disclosure was never warranted in the first place.
You’ll need to be able to show why your board believed the compliance program was effective, and therefore no corporate crime was committed. And then some prosecutors might expect you to help them prosecute the errant employee anyway.