A Resource Guide to the US Foreign Corrupt Practices Act, published by the United States Securities Exchange Commission (SEC) and Department of Justice (DOJ), considers “continuous improvement: periodic testing and review” as one of the “hallmarks of an effective corporate compliance program”. Similarly, the United Kingdom Ministry of Justice’s The Bribery Act 2010 – Guidance also includes monitoring and review as one of “The six principles”, which are designed to pave the way for “robust and effective anti-bribery procedures”. This article primarily focuses on the importance of embedding the practice of remediation within a compliance framework to ensure effective periodic review, thus driving improvements and allowing for a progressive and pragmatic approach to dealing with any issues that arise.
Within a compliance framework, “remediation” refers to correcting errors, faults or anomalies which occur on a daily basis within your organisation. It is widely accepted by the authorities that it simply is not possible to design and deploy policies which take into account every possible scenario that your organisation may encounter, from grass-roots level to executive-board level; consequently, any occurrences of error, fault or anomaly not covered by the parameters of any given policy will need to be corrected or remediated. You will find that issues are indeed remediated on a daily basis – whether via escalation, an email process or seeking verbal consensus to decide on a particular route or decision – yet, when called upon by regulators, organisations time and time again fail to fully demonstrate that adequate measures and procedures are in place. Implementing a remediation strategy within a compliance framework can save your organisation from severe penalties under bribery legislation.
Maintaining and documenting all issues and synchronising with policies
Using an existing in-house record-keeping system or a specially-built software solution, full records of all issues should be maintained, from the moment they are raised until the outcome or resolution. This is undeniably the key foundation for a pragmatic approach to possible changes or revisions to existing policies. Policies should always be considered as works in progress as things will always occur that they do not cater for, and a company should have a remediation process to capture such scenarios. Using the data from the various steps that your organisation has taken to solve a previous issue means you will quickly be able to determine instances where provisions within a policy have been violated. Whether an isolated one-off issue or one that frequently occurs, you will be better able to assess the impact of a violation and accordingly make changes in a policy and solve a targeted issue. This can be applied to any given review period that your company has in place, whether quarterly or annually. Policies do not have to be modified on a whim; all modifications should be justified, and this will in turn increase the credibility of the compliance programme as a whole.
Effectively illustrating your compliance programme
An effective remediation process will clearly illustrate that your due diligence mechanism is not a perfunctory exercise that is simply conducted so there is some documentation in your company file. It will also demonstrate that your compliance programme is not a “check-the-box” exercise, rather a well-thought-out, multi-dimensional process which takes into account the unique risks associated with your business, allowing you to logically manage and mitigate those risks.
In recent times we have seen that when a company has been found to have violated provisions of anti-corruption and anti-bribery legislation, prosecution leniency has often been shown if the company has been able to demonstrate that it has an effective mechanism in place which addresses concerns and mitigates associated risks to actively drive improvements. The FCPA guidance provides clarification on this point: “In appropriate circumstances, DOJ and SEC may decline to pursue charges against a company based on the company’s effective compliance program, or may otherwise seek to reward a company for its program, even when that program did not prevent the particular underlying FCPA violation that gave rise to the investigation.”
A compliance programme in general should be thought of as a living organism which constantly evolves. Organisations who consider compliance programmes to be a one-off initiative will find that their programmes will quickly become stagnant and outdated. To keep a compliance programme from becoming outdated, and to avoid the unsustainable scenario of making drastic changes once things have already started to go wrong, it is imperative that a remediation strategy is in place to continuously address issues and enable you to manage and mitigate adverse repercussions that might affect your business.
Communicating to your staff
In order to encourage all employees to report issues, your company’s code of conduct should be explicit in assuring that doing so will not result in any form of retaliation from other members of staff. In addition, organisations need to clearly communicate to employees the process to log an issue that requires remediation. There are often issues which arise but which are not remediated simply because employees do not know where or with whom to log the issue or incident. In instances where issues are logged via email, there is a high chance of the email being lost amongst other “more important” emails or lost in an individual’s inbox and therefore not accessible to anyone else. Providing all employees with access to a software system which logs, tracks and records the various steps taken to close an issue is the most effective and recommended method for logging issues, as it allows everyone in the company to comfortably and easily raise issues from the convenience of their workstation. The responsible department can then channel the query or issue to the right person or department to remediate the matter while collecting all-important data that can be reviewed periodically to drive improvements within your compliance programme.
Building a company-wide remediation strategy within your compliance framework is fundamental to guaranteeing your organisation’s protection in the event that regulators conduct an investigation on possible violations. In such circumstances investigators are more likely to be lenient if you have clear evidence and data that an effective compliance framework (one which continuously monitors and improves processes by consistently remediating issues that arise) is in place. An effective remediation strategy should also be viewed as building your company’s defence under the Bribery Act provision of a corporation’s requirement to have adequate measures and procedures in place to prevent bribery.
Remediation strategies: ten key points
- Your company’s compliance structure must include a robust remediation process
- The remediation strategy needs to be repeatedly communicated to all employees in the organisation – aim to deeply etch this process until it becomes part of the company’s DNA
- Address in your code of conduct that employees raising any business issues or reporting any possible violations of policies shall not be met with any form of retaliation
- Provide an easy-to-access portal for employees to report any issues that require remediation – software solutions are most effective as they will collect data to drive improvements to your compliance programme as well as recording the workflow and input from various departments when resolving an issue
- Compliance must be a company-wide initiative – it should not be disjointed from the rest of the business
- Regularly monitor and report to the business (typically to the board) the issues that have been reported and remediated, including an analysis of the trend and nature of issues reported and how they were remediated
- Ensure that all issues are remediated in a consistent manner
- Use data from the remediation process to determine which internal policies require revision so revisions are justified
- Periodical review and revision of internal and external policies should take into account any previous issues and the consequent remediation
- Record all issues and their remediation process diligently to build your company’s defence of having adequate measures and procedures in place