Models for managing the compliance workload

Session Co-hosts:
Katsuya Natori, general counsel, IBM Japan
Julianne Long, general counsel, Asia, Reuters Japan
Geoffrey Wexler, director, business and legal affairs, Walt Disney Internet Group (Asia Pacific)

Session Facilitators:
Derek Benton, director international operations, LexisNexis® Martindale-Hubbell®
E. Leigh Dance, ELD Project Marketing International

The issue of compliance is one that divides corporate counsel. Some regard it as little more than an administrative procedure that should not be part of the legal function. Others regard it as a central part of the legal department’s role. Whatever their position, most counsel agree that a compliance regime can only be effective with top-level endorsement, dogged determination and a sophisticated appreciation of the different regulatory regimes in which multinational corporations operate.

Is compliance actually a legal function?

One of the most fundamental questions discussed at the forum was whether or not “compliance” should be regarded as a legal function. Here, the forum was sharply divided between those who believed that compliance was a core function of the in-house legal team, and those who believed it should be kept entirely separate. Some speakers even suggested that, because of the nature of their job, compliance officers should report directly to the financial director rather than the general counsel.

In order to answer this dilemma, it became apparent that in-house counsel must ask themselves how they define the role of the in-house legal function. If they believe the legal department should perform a 'strategic function', advising mainly on business-critical matters, then providing compliance advice may simply be impracticable – not to mention tedious. If however, a company already has a significant internal legal capacity in place, then managing compliance may make more sense. An effective compliance function typically requires an 'on the ground' presence in multiple location, plus access to a range of legal specialisms, including employment and competition law.

Some attendees of previous C2C forums had described non-legal compliance departments as little more than generators of incriminating paperwork, which hostile regulators could use to indict a company. However, attendees at the Tokyo forum were rather more sanguine about allowing non-lawyers to manage the compliance programme. Indeed, some speakers said they believed that non-legal compliance officers were actually better at performing such a role. This was because they had 'real world' experience of overcoming the inevitable conflicts between 'best practice' and the company’s commercial pressures. “My compliance team all came from our sales department,” recalled one local counsel. “People respected them because ‘they’d been there’. They also got to hear about potential problems earlier than I ever would have.” Generally, it was agreed that compliance can be a thankless task, requiring personal courage and dogged determination.

Regardless of who manages the compliance function, several speakers claimed that the availability of legal privilege – one key argument for requiring compliance to be handled by the legal function – was becoming increasingly irrelevant. “Most people in my company aren’t lawyers – they regularly write things a lawyer would never put in a letter,” said another in-house lawyer. “It’s dangerous to think that you can expect a document to become privileged just because you’ve sent a copy of it to a lawyer - privilege just doesn’t work like that. Continuing this theme, they added: “Depending on what type of institution you work for, privilege is almost always irrelevant. When faced with a hostile regulator, companies often decide to negotiate away the right to claim privilege anyway.” Others thought that privileged documents did at least have some residual value. One counsel said: “At least you get Brownie points for handing over privileged documents. It’s good to have that option.”

Fostering a compliance culture

All those attending the forum agreed on one key point: any compliance programme would be worthless without total – and public – support from the company’s senior management. A private practice participant illustrated this point by discussing the corporate scandal involving Dutch-based retailer, Royal Ahold. “On reading the official report into this scandal, it appears to me that the company was very well organised, and followed all required rules and procedures,” they said. “In Ahold’s case, the management simply allowed the company’s profits to be exaggerated. They didn’t drive down the culture of compliance throughout the company.” A similar comment was also made about the failed US energy giant, Enron. Developing this theme, several speakers spoke in favour of using fear as a tool to encourage compliance. In some circumstances, the threat of prison or massive corporate fines may be required to make senior managers take compliance seriously.

For those who had been responsible for delivering a compliance programme to their staff, a key lesson was to break down the compliance message into manageable sections. “To me, it’s like trying to get my children to eat hamburgers,” said one local counsel. “The message may be too big for employees to digest in one go, so it may need cutting into slices.” This approach was also followed by another in-house representative. “Our company produced an ethics and compliance management handbook,” they recalled. “Every week for nine weeks, the employees would receive one chapter by email. At the end of the process, they also receive a hard copy of the document.”

For this speaker, another idea was to deliver the compliance message using as many different media as possible. “When we put in place our compliance programme, we started it off with a message for the chairman and CEO,” they said. “This was followed up by codes of conducts and a staff helpline. We also produced posters, websites and mouse mats containing key messages. Each year, we collate an internal compliance audit, survey our staff via a questionnaire, and hold an ethics meeting. This helps us ensure that employees are constantly reminded that the compliance programme continues to exist.” For those counsel considering carrying out their own compliance audit, it was suggested that a company’s existing compliance manual was a good starting point for creating a compliance questionnaire.

In addition to this formal approach, it was suggested that in-house counsel should make use of non-legal management to promote the compliance message to their junior staff. In the previous speaker’s case, compliance confirmation is physically “signed off” by the business heads in each country. Others around the table suggested local management should take the lead in “cascading” a culture of compliance down throughout the company. “In my company, line managers deliver the compliance training,” said another local counsel. “This means that, if the employees break the rules, they are disobeying their direct boss, rather than someone they don’t know.” This approach may be particularly useful for companies that operate in overseas jurisdictions, but do not also employ a local in-house counsel for that territory.

Whatever methods are used to deliver compliance training, the general consensus of the forums appeared to be: do not expect employees to become an expert in this area. In practical terms, all that should be required of them is that they should be able to identify that something may be wrong. “They need to know when to put their hand in the air, and say there may be an issue that needs investigating,” said one private practice representative. “Just as important – they should also know who to ask for help,” they added.

Making use of outside counsel

In general, the mood of the forum suggested that counsel generally found it more useful to carry out a compliance role within the company, rather than relying on outside counsel. There were two practical reasons for this preference. Firstly, it was suggested that compliance should become “embedded” within a company’s culture, rather than imposed from outside. Secondly, compliance normally requires a detailed knowledge of a company’s internal dynamics. Again, this is hard to impose using external agents.

However, in some situations, it may be appropriate to use outside counsel to carry out a compliance audit. One private practice speaker told the forum of an audit they had been asked to carry out, after the previous head of compliance had left the company. A spot check of 150 key employees had produced some truly shocking results. Although the company operated in the highly-regulated financial services sector, almost 70 per cent of those employees they interviewed were classified as either “red” or “orange” in terms of their ignorance of compliance requirements. And, in a damning indictment of the company culture, almost 30 per cent of all managers were classified as “red”. “If the regulator had investigated the company, it would have been closed down,” they added. “The problems were so fundamental, that some people didn’t even know who they were supposed to be reporting to.”

In recalling this episode, the private practice lawyer freely admitted that their audit had created a potentially damning paper trail. In theory, a hostile regulator could have used this against the company in any future investigation. But, in their opinion, the problems within the company were so serious that this risk was justified. “In a doomsday scenario, at least the audit would probably have resulted in a reduced sentence for the company’s directors,” they said. “If there’s one thing Japan’s financial regulators appreciate, it’s that you have followed a proper process!”

The challenges of globalisation

Many of the counsel around the table worked for global corporations. This, it was agreed, frequently presented specific problems in relation to corporate compliance. Some counsel recalled how employees resented being asked to comply with company-wide policies, where these policies were principally designed to comply with the laws of the company’s head office. Here, the most obvious examples were the US Sarbanes-Oxley and Foreign Corrupt Practices Act. However, the new EU privacy directive also caused problems for some around the table. “I’ve had people asking me why we have to comply with this law, even though there is no equivalent legislation in Japan,” said one local in-house counsel.

In some situations, counsel recalled great difficulties in implementing company-wide compliance policies. In some situations, this was because these policies directly contradicted local law. Alternatively, procedural requirements made swift compliance difficult to achieve. “It’s sometimes difficult to make our head office understand just how long it will take to implement their policies,” recalled another in-house participant. “First, I have to propose the new rule to our local Japanese entity. Then the board has to vote on it. After that, the proposal has to be agreed to by the employee representatives. Head office may tell me to implement the new policy immediately – I may have to tell them that it could take up to 12 months!”

Generally, it was agreed that this type of problem was more prevalent in companies which operated primarily out of one country, with limited operations in other jurisdictions. “I’ve been relatively fortunate in this regard,” said one in-house counsel. “As a company, my employer is comfortable with operating in countries where local laws may be different. People are used to asking: ‘will this work in your country?’ Of course, this approach doesn’t necessary solve the dilemma, but it does make it easier when trying to draw up realistic global policies.”

Remaining compliant when dealing with clients

One final point of contention is how companies should deal with overseas clients on compliance matters. On occasions, these clients may not appreciate foreign compliance conditions being written into standard contracts. “Inevitably, this can make contract negotiations more difficult than they would otherwise be,” said one in-house counsel. “In some situations, the ignorance of clients can be frightening. I’ve worked with investment banks that are subsidiaries of US parents, who don’t think US law applies to them. I tell them that they should consider contacting their own US counsel!”.

In order to make the company’s compliance position as unambiguous as possible to all clients, several counsel suggested posting their policies on their corporate website. “Our policies are available to download in every language that we trade in,” concluded one in-house speaker.

However, some counsel suggested that it was not always easy to obtain an honest assessment of a law firm’s performance. “People are often willing to provide verbal feedback, but they are unwilling to put it in writing,” warned one speaker with many year's experience of this issue. “Even when people do complete surveys, the results are often useless because they tend to be too nice.” A private practice representative agreed: “You shouldn’t be shaking the tree for negatives, but you have to recognise that constructive criticism does not come easily to many people.”

Whatever system they use to rate their external counsel, in-house lawyers warned against using non-lawyers to obtain this feedback. For one counsel, making use of a procurement department to assess quality was described as “a joke”. “They asked a whole bunch of stupid questions and we had a huge number of complaints,” they said. Nor should law firms make use of independent assessors to obtain feedback from their clients. “Do it yourself,” said one law firm speaker, bluntly.

Takeaways

■ Is your in-house legal department structured in such a way that it is feasible for it to manage your company’s compliance function? If not, consider using a law firm to carry out a compliance audit.

■ Fostering a compliance culture requires constant reinforcement. Make use of every form of media available, from CEO webcasts to mouse mats. Make line managers responsible for training their own staff in compliance matters.

■ It is not always possible to impose global standards for compliance. Accept this, but ensure head office is aware of what is and is not feasible.

■ Do not sacrifice compliance standards to appease clients. Use standard contract terms and your corporate website to reinforce non-negotiable standards of behaviour.

Last updated -22 January 08

Back to homepage