Defining "compliance"

For several speakers, the definition of compliance was almost limitless. Whether compliance involved carrying out an audit of the company's adherence to the Foreign Corrupt Practices Act (PCPA), or merely ensuring it had complied with its stated aims in relation to CO2 emissions, one thing was certain. Today, "compliance" rarely means simply "complying with the laws of the company's home country". At the very least, compliance normally refers "compliance with all laws in all countries in which the company operates - especially the FCPA and Sarbanes-Oxley". More commonly, compliance also means testing a company's adherence to its internal policies or other published statements of corporate intent, such as the Dow Jones Sustainability Index.

Because compliance is now such a broad topic, one of the key challenges for any general counsel is to create and resource an organisational structure that encompasses all areas to be tested. When polled, the meeting divided into two main categories - those which had separate compliance departments and those where compliance formed part of the legal function. One speaker complained that, in reality, they did not have the budget for "any" compliance function whatsoever, while another reported that different aspects of the compliance function were scattered between several different departments.

Perhaps the most common complaint at the meeting was that compliance had become "siloed" between different departments, who often did not talk to each other. To overcome this problem, several speakers suggested creating a compliance or risk management committee. This committee, which would contain representatives from all departments that carry out some form of compliance function, could meet when required to discuss areas of mutual concern.

The changing nature of compliance

Another key issue that in-house counsel must grapple with is that the definition of compliance often changes over time. This is something that counsel should try to remain aware of, and plan for - if possible.

During his presentation, Patrick Garver from the Barrick Gold Corporation gave several illustrations of how his company's compliance requirements had evolved over a number of years as the company has grown. For Mr Garver, who is the company's executive vice president, some of the key events that changed the nature of the compliance challenges for Barrick Gold included its first cross-border acquisition, its listing on the New York Stock Exchange, and the first time the company purchased a company that operated in a different language.

According to Mr Garver, the implications for the company's compliance regime caused by these developments often only became apparent after the event. "When we merged with a US company in 2001, one of the changes we made was to shift to the U.S. Generally Accepted Accounting Principles. At the time, we had only a general sense of what impact that would have on compliance." For Mr Garver, the latest challenge is how to manage compliance now that his company has decided to decentralise its operations into regional business centres. "We now have to train, and then trust, a lot of people all over the world - who will continue to be accountable into Toronto - to oversee Sarbanes-Oxley, FCPA, environmental issues, and the like, and also to train their own staff. That's a huge change to make," he said.

Knowing your company's position on the compliance "circle"

One of the most revealing aspects of the meeting related to how different counsel had attempted to devise their compliance programme. Some had begun the process with a detailed assessment of key risks, whereas others had started from a point of principle. This lead participants to suggest there was a compliance "circle", encompassing four distinct stages: Risk assessment, implementation and documentation; oversight and audit; and cultural acceptance.

Speakers agreed that it would be useful for any counsel wishing to establish a successful compliance programme to first establish their company's position on this compliance circle. For example, a company that currently operates in a "principles-based" environment should typically focus on putting procedures and audits in place which allow the company to prove its adherence to these principles. By contrast, a company that is more familiar with operating within a rules-based environment probably faces a different challenge - that of getting its employees to "buy in" to a compliance "culture" as a matter of choice, rather than obligation.


The dangers of focusing on one aspect of the compliance circle and the expense of another was demonstrated by the presentation given by Stephen Lloyd, head of commercial at Fraser Milner Casgrain LLP. Mr Lloyd recalled how one company, which enjoyed strong links with the local community, had been forced to terminate contracts with long-standing suppliers. Unfortunately for this company, the concept of "doing the right thing" often meant giving private reassurances to these suppliers that were at odds with the "technical" termination language put together in the contract by the lawyers. Ultimately, the company was successfully sued for a significant amount of money by one of those suppliers on the basis of reliance on the private reassurances that the company would "take care" of the supplier. As a result of the lawsuit, the entire culture of the company changed. It is now much more accepted that internal counsel have an important role to play in how contractual relationships are managed. The message of compliance with common law duties to respect representations you make to your partners has been passed. "Even if you try to 'do the right thing', the words of the contract you enter into still matter," Mr Lloyd told the meeting. "Today, the company is much friendlier towards lawyers."

Demonstrating compliance

During the course of the debate, it was suggested that many companies may be compliant with all their key objectives - but they may not be able to quickly prove it. In such situations, proof of compliance may scattered across various different documents, spreadsheets or official forms, but not collated into a readily-accessible folder, checklist or document bundle. The meeting therefore had an obvious solution: if this scenario accurately describes your company's approach to compliance - sort it out. It is much better to organise compliance documentation during a quiet period of the year, rather when the regulators have appeared in reception.
 
For in-house counsel, the ability to demonstrate compliance becomes more difficult when the actual responsibility for implementing a compliance programme is left to another department. For example, a company may have a clear and unambiguous policy on document retention - but it will be the IT department that will be responsible for ensuring backup tapes are routinely wiped. Yet failure to follow the company's official document retention policy could cause havoc with any litigation discovery process or a regulatory investigation. An ad hoc approach to compliance could lead to the accusation that the company had selectively destroyed incriminating documents.

More generally, any company who fails to follows its own stated policies, and then is found guilty of an offence, may be dealt with more harshly when the company is sentenced. In some situations, failing to implement an existing policy can be worse for a company than having no policy at all.

In such situations, arguably the only realistic option open to in-house counsel is to follow the "Sarbanes-Oxley" approach. That is, they should require that the responsible line managers "signs off" a statement confirming they have met their compliance obligations. Line managers who fail to sign off compliance statement, or sign off without being certain that compliance has been achieved, should be punished or removed.

In terms of compliance training, several speakers at the meeting spoke in favour of the use of online packages. Not only were such packages cost-effective, they were also eminently capable of being audited. However, some speakers doubted whether such programmes always "got inside their employees' heads", and genuinely tested their level of understanding. It was therefore suggested that online packages should be used in conjunction with alternative approaches such as focus groups, where appropriate.

For those who preferred a more traditional face-to-face approach to compliance training, the frequency of such training was often an issue for concern. "I recently attended an annual FCPA training programme," recalled one speaker. "Of the 20 people in the room, only two had had the training before - the rest were all new employees." For companies with high turnover of staff, annual compliance training programmes may not be adequate. For such companies, it may be more helpful if initial compliance training forms part of a new employee's induction programme, rather than relying on programmes periodically scheduled throughout the year.