The Department of Justice has come knocking and is investigating your company for, let’s say, serious money laundering or sanctions violations, or for manufacturing a defective product that has caused injuries or deaths.
The press is bad, raising grave questions about the company’s culture. Emails released to the public show that employees are afraid to speak up for fear of retaliation, or worse, employees are hiding misconduct from the regulators.
It’s just a matter of time before your company settles charges with the government and is likely to pay a hefty fine. A deferred prosecution agreement and the potential imposition of a monitor are, well, looking like they’re on the horizon.
If your company finds itself in this position, your crisis management team should be asking itself: what first steps should we take to demonstrate to the government or a potential future monitor that our company is committed to improving its culture and compliance program?
Here are some of the first remedial steps:
- Communications Plan: The company should design a standalone written communications plan. Through the execution of its plan, the company will need to emphasize the critical importance of a compliant culture and stress the obligation of everyone at the company to raise their hand if there are concerns. This plan should be executed over many years to ensure that the culture becomes ingrained at the company. It will require a steady drumbeat of communication and messaging that must be authentic. It should come from the CEO and the senior leadership team, but also from middle managers. Employees must truly believe (1) the company wants to hear about problems and (2) employees will not be retaliated against for raising issues. The company must also have a mechanism that permits employees to report issues anonymously.
- Training: The company should provide new training to all employees to bolster the communication message, which should acknowledge the problem, stress the importance of compliance, and instruct employees on their obligation to share issues of concern with its compliance function. The training should also emphasize the company’s non-retaliation policy against those who raise concerns.
- Compliance: The company’s compliance program must have policies and procedures to ensure that each compliance concern raised by an employee is examined and assessed appropriately. A record should be maintained of every review providing an analysis of the concern, identifying who reviewed the matter, and how the concern was resolved or escalated. There should also be a mechanism to communicate to the employee the status of the matter raised by the employee as well as the ultimate resolution. These matters should be supervised by compliance management, and there should be a process designed to ensure that senior leadership is reviewing matters that raise significant issues.
- CEO and Board Oversight: The CEO and the Board should receive periodic updates on the effectiveness of the compliance program so they can ensure that issues are properly addressed and that they remain informed. During these updates, they should be apprised of any reviews that might pose a significant risk to enable them to mitigate the risk. In addition, the compliance function should have a direct line to communicate with the CEO whenever an urgent matter arises.
The steps described above are foundational for any compliance program and are necessary to demonstrate to the government and a potential monitor that the company is changing its ways.