11 March 2019 | By Veronica Pinotti
Why every company needs a compliance programme
“Do we really need all this?”, general counsel are often asked by company executives. Veronica Pinotti, partner at the Milan office of White & Case LLP, explains why the answer is yes.
There are several good reasons to elaborate far-reaching compliance programmes. One, it is often a legal obligation to have them in place. Two, it is a business standard. Three, a compliance programme helps to minimise production costs. Four, it protects managers against civil liability lawsuits and the company against criminal liability.
The stakes are high. A lack of compliance with rules and regulations can negatively affect the competitiveness and financial strength of a company (e.g. by the imposition of fines and other penalties, or by suits for damages. It can also have negative consequences for managers and employees, result in disciplinary action, civil lawsuits or even the imprisonment of managers. Above all, compliance issues interfere with normal business activities or trigger negative publicity for a company. Just think of dawn raids…
A proper compliance programme covers a wide array of areas. For instance, it should include a functioning anti-corruption mechanism, which takes into account all regulations. It should also cover labour and trade regulations as well as the totality of the principles and guidelines, rights and obligations to which the company is managed.
The protection of data from employees, business partners and the company itself is another key aspect that needs to be addressed, and not to forget the identification, classification, protection, archiving and deletion of data. Companies need to strive to identify and limit the risks posed by digital means of communication. The goal should be the methodological protection of own intellectual property and the acceptance of the rights of third parties.
Compliance rules should also entail the promotion of free and fair competition as a means to protect against massive fines. The goal should also be to engage in successful business transactions with the public sector by adhering to specific regulations.
Finally, environmental protection rules also need to be internalised, as does the prevention and prosecution of criminal wheeling and dealing by staff members (White Collar Crime).
The implementation of a comprehensive compliance programme does not remove all risk factors, but often helps to reduce them significantly.
What is needed to assess risks properly and put remedies in place?
First, an internal audit should be conducted aimed at identifying potential areas of risk, e.g. in relation to the compliance with European and national antitrust and consumer protection rules. Then, the risk level should be identified, as should the employees working in high-risk areas.
Next, policies and training for employees should be developed in order to ensure that they are aware about all potential risks. This should include training, the production of manuals, as well as antitrust protocols for external meetings, document and information sharing.
Periodically, a review needs to be carried out in order to ensure that the above goals are reached, including simulations and a review of extensive documentation on the agreements and arrangements in place as well as interviews of employees. Regularly, these compliance documents, guidelines and policies, procedures and management tools should be audited to ascertain the extent they are respected within the company. Finally, a narrow set of straightforward and accessible compliance rules in the form of guidelines or policies focused on the areas identified as critical should be produced.
Companies that have employees in more than one country should also ideally have a single whistleblowing reporting system, tailored to reflect local data protection laws and whistleblowing regulations. While EU member states have more stringent data protection rules in place than the United States, they do not protect whistle-blowers to the same extent as the US, unless the company takes extra steps to ensure protection.
Different systems can be implemented. Among them telephone hotlines, Internet-based or internal email reporting systems (e.g. an account firstname.lastname@example.org) and the installation of an independent ombudsperson (either company-internal or external) who employees can contact in case of suspected compliance violations.
Generally, three types of compliance controls can be distinguished.
Internal controls are processes and procedures put in place by the company to ensure compliance.
Preventative controls are designed to catch or prevent errors and irregularities before they occur (including the provision of procedure manuals and training, the separation of duties in accounting processes, the proper approval of transactions, the requirement of adequate documentation for transactions, and physical security measures such as locking doors and otherwise controlling assets).
Lastly, detective controls are designed to find errors or other problematic issues after they occur so that corrective action can be taken. Examples include taking physical inventories of assets to compare to recorded assets, reconciliations of bank and accounting records, variance analysis, and periodic audits and reviews.
Multinational companies should consider developing a uniform program that applies globally rather than separate country-by-country programs. This fosters the emergence of a company-wide culture of compliance.
Local implementation and enforcement requirements often include the translation of documents into the local languages. This applies not just to written policies, but also to live training.
Whilst some multinational groups have a single language in which internal business is conducted, translating and teaching the compliance program in other languages may be appropriate unless the workforce is sufficiently fluent in the official language and can understand the rules and procedures in place.
Veronica Pinotti is partner at the Milan office of White & Case LLP. Veronica has more than 20 years of experience in the area of EU competition and regulatory law. She regularly advises European and international clients before the European Commission, national competition regulatory authorities, as well as civil and administrative courts.