Challenging times

Several speakers spoke of their frustration of trying to address a whole range of compliance issues, while working with drastically reduced staff - either because of budget cuts, or because former employees had been asked to leave. One representative of a major international corporation said: "In recent months, I've turned into the compliance person, the anti-money laundering person, as well as running a legal department." The speaker accepted that their industry's regulators were unlikely to be impressed by this situation, but there was very little their company could do to rectify it in the short term. "On one hand, you risk being beaten over the head by regulators, if you do not have the staff in place. On the other hand, you are saving money by not hiring people. In this climate, it's difficult to justify hiring someone earning C$200,000 a year."

While this speaker's employer was now attempting to restock their legal and compliance function, it was proving difficult to locate suitable candidates with appropriate skills. "The people we are looking to hire only have experience of a small aspect of what we do. It's difficult to find people with a broad-based background, who can effectively multi-task," the speaker concluded.

One corporate counsel spoke of the "paranoia" within corporations at the present time. Besides the always-present danger of unforeseen liability risks emerging from far-flung locations, there was constant fear that the company's previous decisions could come back to haunt them, when exposed to the harsh glare of 20:20 hindsight. Another speaker suggested this situation was being exacerbated by a lack of clear direction from their governments about what specific standards of behaviour were expected of them. "All we can do is look for snippets of information about what the government is looking for," they said. A third speaker suggested that business leaders were now so scared of making strategic decisions that subsequently turned out to be a mistake, that business development was now becoming "inhibited".

Targeting resources

With many companies under both internal and external compliance pressure, one counsel reported how their organisation was now operating a "triage" system in relation to compliance - that is, the organisation was mainly targeting its limited resources on the issues that were fundamental to its existence. Another speaker admitted their company's current tolerance of fraud committed against their organisation was "high". There was a very practical reason for this policy - it was not cost-effective to investigate every suspected case. Unlike fraud committed by the company's own employees, fraud that is committed against the company had minimal "reputational" implications, the speaker reasoned. At the end of the day, exposure to fraud was simply "the cost of doing business", they suggested.

Another participant recalled how their organisation now made use of sophisticated IT systems to assist them with the rooting out low-level, internal, fraud. The counsel described how their company's IT system now monitored all outgoing emails, and automatically "flagged up" any attempt to export business-sensitive information. While the speaker admitted they were a "dinosaur" in relation to their understanding of IT, they said even they were "impressed" by how effectively the monitoring system worked in practice.

Spreading a culture of compliance

Several speakers at the Toronto gathering agreed with the often-repeated mantra that a companies' corporate compliance culture depended on clear and unambiguous support from top-level management. In practical terms, this means that companies must set clearly-defined codes of conduct, which must be communicated to all personnel, and then adhered to. What's more, anyone who did not adhere to the code should be expected to leave the organisation.

However, anyone hoping for an "easy solution" when trying to adopt such working practices, will surely be disappointed by the views expressed by the meeting's participants. One private practice speaker suggested that in-house counsel could draw on other company's published codes - often available on the internet - as a "checklist" for devising their own. However, other speakers queried this idea, arguing that a company's code must be "personal" to the organisation. In any event, one speaker added, all codes "take a long time" to become ingrained into the company's working practices.

More generally, the meeting discussed how in-house counsel could also play their part in ensuring that the actions of third parties do not jeopardise their company's own reputation for corporate compliance. Many sales-driven organisations depend on intermediaries to sell their products on their behalf. Yet, regulators often take a dim view of companies who allow such third parties to behave in a way that they themselves would not endorse. As a result, many companies now take active steps to mitigate against the danger of third-party liability / reputational damage.

At the Toronto meeting, one in-house counsel recalled how they have rolled out a short - but highly targeted - compliance training programme to its top 1,000 intermediaries, with a special focus on anti-corruption legislation. The company had archived its objectives by requiring that all new intermediaries take part in a short compliance training programme as part of their initial engagement. Existing intermediaries were also required to take part in the training programme, as part of their annual re-certification process. Initially, the counsel feared the intermediaries would resist this imposition on their time and working practices. In fact, they recalled how feedback from the intermediaries had been overwhelmingly positive.

By contrast, one in-house lawyer indicated that, in their particular business sector, the most important risks facing their company were not, in fact, legal or regulatory. Instead, the speaker described how their employer's relative financial health had been ensured mainly by its long-standing commitment to taking a conservative approach to credit risk. The lessons from this intervention were clear. In some industry sectors, the in-house legal and compliance function can only play a relevantly minor roll in minimising the key corporate risk to their employer. Arguable, there is little point in engaging in "gold plated" regulatory compliance, if such expense will only have a marginal impact on the company's overall risk profile.

Methods of compliance delivery

Several speakers recalled how they now used on-line compliance training and monitoring programmes as a matter of course. In some cases, these packages are purchased "off the shelf" from commercial vendors. "The compliance training package we use is available in many different languages, which is very useful to us," said one speaker. They continued: "The package wasn't modularised when we purchased it, but we decided to remove some parts ourselves, that would have been confusing to our users."

For this speaker, one of the attractions of the specific package they use is that it is short, clear, and avoids being too US-centric. "I think that, if the training is too long, you'll lose some of the message. We decided to keep the training itself short, but attach a copy of our policies - so the users could read more about the subject if they wish to." However, another speaker warned that some off-the-shelf training packages were "pretty bad". In some cases, they said, the training offered was too legalistic for its intended audience, or too extensive in scope or - conversely - too general to be useful.

Another speaker recommended that any compliance training offered should send out clear and unambiguous messages - even if that meant the standard of behaviour required was rigorous than the legal regime it was based on. "The US Foreign Corrupt Practices Act does allow for 'facilitation payments' - payments which allow business to be transacted more quickly - in certain, narrowly defined situations," the speaker said. "But, because this narrow exception does not exist in all countries, we do not highlight this point in our company's anti-corruption compliance training programme. I try to keep the message simple - and avoid any 'grey areas' as much as possible."

While online compliance training can certainly help in delivering a corporate message to a mass audience - vital if it must be delivered to thousands of stakeholders - some speakers still regarded "face to face" training as playing an important role. One participant suggested that in-person training helped create a bond between the trainer and the training, which could then prove useful in uncovering corporate misdeed. They said: "I've had situations where people I have trained have called me a couple of days after the event. They said 'remember how you said this should happen...well'."

Following up on compliance concerns

Whatever systems companies use to deliver compliance training and monitoring, some speakers suggested this was only half of the issue. If a company goes to the effort of generating a huge amount of paperwork and bureaucracy to run a compliance system, it cannot then afford to skimp on the resources devoted to follow-up analyses or investigations. In some situations, a regulator may punish a company far more severely if an existing compliance system fails to work as planned, than in situations where a compliance system has never been created in the first place.

Echoing that sentiment, one in-house counsel warned against a "tick-box mentality" in relation to compliance. This occurred, they said, when compliance mainly consisted of "24-year-olds were just filling out boxes". Such an approach: "risk losing objectivity and judgement". One private practice speaker agreed, recalling how they had come across companies who spent "a great deal of money on systems." But despite this, such companies had managed to "take their eye off the ball" in terms of analysing and following-up on what the compliance systems were actually reporting.

One issue that did cause a degree of cynicism among some of the event's participants was the use of hotlines, where employees could call anonymously to report suspected corporate wrongdoers. One speaker - who used a third party provider for their hotline services - suggested that "99 per cent" of all calls consisted of low-level HR grievances. Another speaker suggested that companies should offer a range of services from their hotline number, and not just use the system for complaining about colleagues. In some countries, there was a very strong culture of not "telling on" people, they said. So, in order to gain "buy-in" for the hotline concept, it was essential that the company found a way of reducing the level of stigma attached to using the service.

Getting value out of external law firms

When it comes to assisting with compliance programmes, private practice law firms may have some useful insights to offer. If in-house counsels are struggling with compliance "capacity" issues, external lawyers can provide short-term assistance. And, of course, firms who act for several clients in the same business sector may be able to offer industry-specific "best practice" assistance, in terms of devising, delivering or reviewing corporate compliance scheme.

But within in-house legal budgets under pressure like never before, the focus of this counsel to counsel event was how to squeeze the best possible value out of external law firms - in whatever capacity they were instructed.

Developing this theme, one in-house speaker provided an entire check-list of best practices that their fellow corporate counsel could consider adopting. These included: requiring that external law firms work to a fixed annual fee, for an agreed number of hours per year; mainly relying on external lawyers for areas of law that charge regularly, where it would not be viable for internal lawyers to keep up-to-date with fast-moving developments; and review the seniority of the external lawyers working on each matter, to ensure their skills levels are appropriate to the task in-hand. Following one review, the counsel recalled how most of the work performed on one particular matter was transferred from associates to paralegals. Although this resulted in a massive cost saving, there was no obvious impairment to the quality of the work being performed.

Fortunately for the private practice lawyers attending the event, this same in-house counsel also had some suggestions for improving the lawyer-client relationship, which did not just involve bearing down on fees charged by law firms. This speaker recalled how their external law firms had been given access to the company's intranet. This meant that law firms could quickly review the organisation's systems and policies, without having to run all of their queries through the in-house legal department. The counsel also endorsed the use of legal updates and deal rooms provided by law firms, as a resource they valued highly.

Takeaways