1. Follow through with compliance program.
The company should either have an effective corporate compliance program or not have one — and avoid creating something in between. It is unacceptable to develop written policies and procedures and provide compliance training, and then fail to put the people or the resources into place to operate the program consistently with those policies and procedures. The company would end up encouraging the reporting of misbehavior, but establishing a record suggesting that it does not care about compliance, since reports would not be dealt with appropriately. That, in turn, could create difficulties for defense counsel, should the government enforcement community come tapping at the door.
2. Utilize good people and good policies.
An effective corporate compliance program requires both good people and good policies — not one or the other. While the company may hire excellent people to create and implement the program, if there is little institutionalization, through written policies and procedures, to make the program operate without those people, it will fail. The outcome will be no better if the company hires outside consultants to prepare wonderful written policies and procedures, but then assigns the corporate compliance post to a junior person who does not possess the right skill sets to make the program work effectively.
3. Keep list of high risk areas current.
A company’s perspective of its high risk areas is a function of its awareness of those risks. The company should keep its list of high risk areas current by monitoring government enforcement cases, which are not always reported like litigated cases. (Indeed, settlements are a kind of “case law,” since government investigations often lead to them.) Otherwise, the company may be caught off-guard if the government enforcement community targets it in a newly identified high risk area that is not on the company’s list.
4. Maintain adequate documentation.
The company must have a readily available chronological file or narrative maintained that describes, from the beginning, what has been occurring under the compliance program. When government enforcement knocks at the door, defense counsel will want to know if the company is operating an effective corporate compliance program, since the company can get “credit” for such program. A chron file or narrative memorializes contemporaneously the relevant events to get “credit” for the activity. Having an active compliance program without adequate documentation and archiving of those activities makes it as if such activities never occurred.
5. Avoid situations that suggest — “Do as I say and not as I do.”
Senior management’s actions must demonstrate support for the corporate compliance program. The program’s training materials for employees and contractors, as appropriate, serve to: (i) explain the written policies and procedures related to the company’s philosophy about compliance and how the program operates; and (ii) send a message to these people that senior management is serious about compliance. When any member of senior management chooses to ignore or modify what is said during these training sessions or in the written materials, his or her action serves to undermine what was trying to be accomplished
6. Practice what you preach.
If the company warns employees that there will be consequences for non-compliant conduct, it must follow through with action when the conduct occurs, or such warnings will become irrelevant. One termination of an employee for non-compliance — and having the word get out that the person was terminated because of non-compliance with company policies — is worth hours and hours of corporate compliance training. Employees want to see that the company really means that non-compliance “could” lead to termination, even if the person terminated is the best sales representative in the company or the person most likely to be promoted.
7. Create auditing or monitoring plan.
The company should “kick the tires” by auditing and monitoring, or else it may have no idea whether it is abiding by the compliance policies and procedures. A plan that touches on certain high risk areas and may rotate to others for review as to compliance is one of the best ways to get the most out of a compliance program. Often, through auditing and monitoring, companies can find issues before they are known externally and before they may become national, as opposed to local in nature. Then, depending upon what is found, the issue could turn into the focus of new training to ensure that company policies and procedures are followed appropriately.
8. Get corrective action right.
When non-compliant conduct is discovered, the company must be sure that the corrective action taken is as comprehensive as possible. For example, suppose a company discovered that some of its billings to the Medicare program were not accurate and then identified the exact person responsible for the inaccurate billings and why he was billing incorrectly. The only corrective action taken for this non-compliant behavior is terminating that employee. The company is done — right? Wrong. The company still needs to determine whether the billings to the Medicare program require a refund of some sort.
9. Be ready to report on historical events.
The company must be prepared to respond to an investigation with historical information. Often, the topic of a government investigation involves conduct occurring two or three years earlier. Such delays in investigations occur in part because a federal False Claims Act case is filed under seal awaiting the government to decide whether to intervene in the case or not, and also in part, because a private citizen may wait to bring a matter. Even if the investigation involves conduct occurring through the date of the government touch, the government may ask for information dating back as far as ten years ago.
10. Avoid decision paralysis.
The company should have a formal corporate compliance committee in place that is multi-disciplinary and comprised of people in senior management. This committee operates like a board of directors for the corporate compliance program. The compliance officer usually serves as the committee’s Chair, reports directly to the company’s CEO, and has dotted line reporting to an outside director of the company’s board of directors. Thus, the compliance officer has multiple ways to raise and resolve issues, including when committee members can’t agree on the sensitive matter of government disclosure or whether corrective actions for non-compliant conduct are sufficient. Avoiding “decision paralysis” requires ownership of the issue by the compliance officer and receptivity by the CEO and relevant board members to help with the resolution, when needed.