In the aftermath of the New York Times investigative reporting, one thing is clear — Big is not necessarily better. What do I mean by that? You can take all the compliance resources you want, throw them at a problem and come up with zilch on the compliance front.
The message for Fortune 100 companies is loud and clear. You may have wonderful compliance programs, with extraordinary controls, state-of-the-art designs and information technology support. In the end, your program is only as good as the people who are responsible for implementing it. If they are not committed, your compliance program will falter.
With that in mind, Fortune 100 companies need to undertake a new type of risk assessment which aims at making sure that compliance intentions are being followed. How do you do that?
First, you appoint a team with cross-cutting expertise — legal, auditing, compliance, training and human resources.
Second, you give them a direction and authority to carry out a full assessment.
Third, you give them the authority they need by making them report directly to the Audit/Compliance Committee. Skip over senior management, but make sure they are aware of the review and comply with it.
Fourth, as a precaution against any potential uncooperative efforts, retain an outside independent monitor to supervise and follow the audit. (For example, Judge Sporkin could be appointed by the Board to oversee the effort but not to carry out the specific tasks).
These basic steps can help a Fortune 100 company to address any deficiencies in its compliance program. We have seen too many compliance programs which look good on the outside but fail basic tests on the inside. The company has to commit the will and the resources to conduct such a review.
One critical deficiency in the large, state-of-the art compliance programs is to design and implement an effective internal reporting system. Many large companies fall under the burden of bureaucracy which can suppress and frustrate an effective reporting system.
The goal of any reporting system is to make sure that issues are identified, communicated to the right person, elevated to the right level for a response, and reported to the appropriate officials to monitor on a macro scale how internal reporting systems are working. The company’s reporting system has to create an environment in which employees are commited to reporting potential problems. All too often employees are reluctant to report to their immediate supervisors for fear of retaliation. On the other hand, immediate supervisors may have a unique perspective and understanding of the issue which can help to determine how to deal with a potential problem.
It is important to support employees who report a problem. They need to be reassured on the retaliation issue, and they need to see that their complaints are taken seriously. An immediate supervisor should not be the sole determinant of the importance of an issue. An initial look has to be made by an internal compliance specialist and/or counsel. The immediate supervisor can be consulted if necessary. This may take more time and resources but it avoids one fundamental problem — the possible conflict a supervisor may have in reporting a potential problem.
Once an issue is reported. The compliance and/or legal specialist can assume responsibility for the issue — research, consultation and immediate assessment has to be completed quickly. It should be assigned to a specialist with a firm deadline for assessment, review and recommendation. A quick and effective review will help to make sure that issues are properly identified and then referred for further examination. As always, a record of this process needs to be maintained and audited to evaluate the internal reporting process.
All of this is money and time well spent. The dangers of avoidance, ignorance or plain obstruction are too great. Fortune 100 companies need to redouble their efforts and do so now.