Before our fond memories of the Society of Corporate Compliance & Ethics 2023 conference sail into the sunset, I want to recap one more session I attended at the conference since it’s a subject well worth a compliance officer’s attention: the delicate art of remediating a compliance failure while you’re still investigating it.
This has been on my mind because by coincidence, we saw that issue surface in a recent FCPA enforcement action against Albemarle Corp. The company first discovered FCPA problems in its Vietnam operations and then, as the non-prosecution agreement from the Justice Department notes, “took remedial action and continued to investigate other potential issues” — which Albemarle subsequently found in Indonesia and India.
The plain truth is that companies grasp the severity of compliance violations before understanding the full scope of those violations all the time; you can already see at least some of the repairs that will need to begin as soon as possible. The longer you wait to begin those immediate repairs, the more risk is coming through the door of your enterprise and the more legal liability you might face later.
On that basis, compliance teams are more than justified in undertaking remediation even while your investigation is still ongoing. So how can you do that smartly?
Well, that brings us back to the SCCE conference and a group of compliance officers trying to answer that question.
Pursuing Two Paths at Once
The panelists stressed that when you are investigating a compliance violation, you’re really trying to identify two things. First are facts, to help you understand exactly what happened. Second are process gaps, to help you understand how the violation happened.
As you identify those process gaps, in many instances there will be no reason not to start remediating them immediately. For example, say you’re investigating a bribery violation, and you find that the bribes happened thanks to incomplete documentation when a reseller was asking permission for a price discount. You could implement new controls — say, no granting of price discounts to high-risk resellers without compliance officer review — right away, even as you’re still trying to determine other facts about culpable individuals.
If your company has an internal audit team, you might be able to enlist them to help review the flawed processes and recommend new controls. You could also hire an outside compliance consultant, but consider how that might look to regulators reviewing your case. If the company hasn’t tapped an internal person to bolster compliance program weaknesses (say, by naming a chief compliance officer), the Justice Department or other regulators might want to know why not. Relying on an outsider might come across as an unserious management team looking for a low-budget solution to their compliance problem.
Another wise move would be to adopt a remediation policy before any particular compliance violation forces your hand. Such a policy demonstrates the company’s seriousness of intent — you’re not just doing all this to investigate what went wrong; you’re there to implement change. A remediation policy also helps to keep everyone in agreement about what remediation will entail.
Remediation and Personnel Actions
Of course, all the advice above is about remediating flawed processes. It’s also entirely possible that the “remediation” you need involves personnel actions. Here, the SCCE panelists said, you need to tread much more carefully.
An important point to remember here is that the regulators investigating your case might know more about the individuals involved than you do. That means it always behooves you to talk to the government early about what you’re planning to do, so they can keep you on the right path.
For example, you might decide to give the offending employee a warning and call the case closed. Then the government might tell you no, the offending employee should be fired. Now you’re re-opening the issue, confusing everyone involved, creating bad blood with other employees, and potentially even exposing the company to civil litigation from the warned-then-fired employee.
Given all those concerns, it’s no surprise that the SCCE panelists also recommended putting employees on paid leave. That gives you more power to compel the employee to participate in interviews, and more time to talk with regulators about your plans for employee discipline. (Another suggestion: when talking with regulators, take a “This is what I’m thinking, please explain whether I’m on the right path” line of inquiry, to pump them for more information about what they know.)
While we’re on the subject of employee discipline, let’s also remember that the Justice Department guidelines for effective compliance programs have a new section about “consequence management.” Regulators want to see that you have a logical approach to disciplining employees for compliance violations.
Not only does that mean you should have clear policies about who gets what discipline for which infractions; you should also have clear records to demonstrate that you follow through with those policies. Regulators may well ask to see that documentation when you approach them to say that you want to impose certain levels of discipline for the violations in question.
When you’re in talks with the government about a compliance violation, eventually the regulators are going to ask: how do you know this incident won’t happen again? Therefore it’s never too early to think about remediation — including while your investigation is still ongoing.
Ultimately remediation is going to depend on a cross-disciplinary effort. Typically that will be compliance, legal, HR, internal audit, and accounting, plus various other supporting actors depending on the exact circumstances. So ask yourself: Who should own this effort? Who is invested in the long-term success of your remediation effort?
For example, if you’re investigating a bribery scheme and decide to remediate by restructuring your overseas sales operations, clearly your head of sales will be invested in the success of that overhaul. Bring him or her into the conversation early and often, or else you might end up with a remediation plan that won’t work. (Or worse, a plan that the head of sales will work to undermine.) On the other hand, if the compliance violation is about data privacy, where your remediation will be a suite of new policies for customer interaction, you might want to involve the head of customer service or fulfillment.
Above all, brief regulators often on the state of your remediation work. After all, you get credit for having an effective compliance program at the time of settlement. That means you need to communicate and assure that you’re on the right path, rather than find out at the finish line that you went in the wrong direction.
And hats off to the four great speakers on that remediation panel:
- Uma Amuluru from Boeing;
- Alison Anderson, from law firm Boies Schiller;
- Fernanda Beraldi from Aurorium; and
- Rebecca Rohr, from Ericsson.