Posted on August 2, 2011 in Ask the Experts

What should a Company’s response be to the Whistleblower provisions?

First, a company should not seek to emulate Dodd-Frank by posting bounties internally. This sets the wrong tone, not to mention that it is unlikely an organization can compete with the $300,000 plus bounties offered by the SEC. Second, the proper response to Dodd-Frank Whistleblower should already be included in an ethics and compliance program following best practices. The ultimate answer to Dodd-Frank is a healthy corporate culture where employees do not fear reporting and believe that the organization will properly handle any misconduct.

Some specific things an organization can do to respond to Dodd-Frank concerns include:

Institute a culture survey of the employee population to better understand their perception of topics such as retaliation, pressure to commit violations of the code of conduct, and organizational justice.
Review training of the company’s managers. The vast majority of reports of misconduct are made to managers, not the anonymous hotline or the compliance office. If employees are uncomfortable with reporting to their managers, or their managers do not know how to encourage open communication and handle any reports they receive, then the SEC might seem like an option.
Review the organization’s messaging about anti-retaliation and reporting.
Review the current messaging around what happens when an employee makes a report. Survey data shows that employees are most comfortable reporting where they understand the process and have faith that it works, so the more clarity and transparency an organization can provide, the better. Consider whether it makes sense, for example, to share a scrubbed version of the data on hotline calls and open door reporting that you present to the board, or to produce a regular communication around responses to misconduct.

Posted on July 18, 2011 in Ask the Experts

How is recent research around “sign at the top” being applied to the ethics and compliance space?

A: This “sign at the top” concept is taking root in a number of different ways in the ethics and compliance space. For example, we’re seeing its use in:

Workplace computer “sign-on” screens when employees log in to their computers at the beginning of a workday. The log-in screen, which organizations rotate on a periodic basis, reminds employees about their obligation to use their computer appropriately, keep company information confidential, etc.
“Pop-up” windows before employees exit the company’s intranet to visit a social media site like Facebook or Twitter. Once again, the window is a reminder of the company’s expectations for employee behavior on those sites, and requires employees to click and accept that they understand the policies. Where possible, some companies are actually tracking the time the window is open for, and if the time seems unreasonably short the employee will get a “Did you really read that in 5 seconds? Are you sure?” message.
Conflicts of interest disclosures where again, the employee is required to read the policy (and the tracking concept above is employed), initial or otherwise acknowledge that they will answer the questions truthfully, and then is presented with the questionnaire itself.
T&E report filings (for employees) and approvals (for managers) when the company is using an online filing system; the individual signing in to file or approve will initial or acknowledge that they will follow the company’s gifts and entertainment policy.

These are just a handful of ways we have seen this concept being used so far. Our partner, Ethisphere, recently hosted a CLE webcast titled Compliance Communications: Overcoming Challenges and Best Practices in which the Chief Ethics Officer, Kathleen Edmund of Best Buy discusses some of these topics in further detail. Click here to watch.

Posted on June 28, 2011 in Ask the Experts

When establishing your company’s Gifts and Entertainment Policy (Giving and/or Receiving), how do you define “nominal” or “more than nominal value”?

Response by Palmina Fava, Partner at Paul Hastings and Member of the Ethisphere-Corpedia Joint Committee

A: Providing guidance to employees operating around the world on appropriate gift and entertainment limits is a challenge. When bearing responsibility (and liability) for thousands of global employees and agents, it is critical to provide some context and specificity for what the company deems appropriate. To that end, companies are moving in the direction of defining “nominal” with some specificity, recognizing the difficulty in translating “nominal” into different languages and cultures while retaining the same meaning. Definitions among companies vary but generally they equate “nominal” with the terms “insignificant value” or “token amount” or “not greater than $250,” using DOJ Opinion Releases, non-prosecution agreements, and other statements by DOJ as a guide. Setting a dollar limit on the term “nominal” is tricky because the DOJ has found gifts valued up to $250 appropriate, provided the other standards enunciated below are present, yet many companies set a lower threshold (i.e. no more than $50 on any single occasion and $150 total in a calendar year) either because other entities in their industry are using that threshold or because those amounts comport more closely with local laws in the countries in which they operate.

A developing best practice is to provide context in the Gifts and Entertainment Policy for permissible expenses, i.e.:

Gifts shall be provided only as a token of esteem or courtesy or gratitude.
Gifts and entertainment shall not be given to induce the recipient to favor the company or in exchange for the recipient’s actions that benefited the company.
Gifts shall not be in cash or cash equivalents (i.e. gift cards) and shall not exceed $XXX [typically ranging from $150 to $250] in value in a calendar year per recipient.
Gifts and entertainment shall be given only if permitted under local laws and the guidelines of the recipient’s employer/government entity.
Gifts and entertainment must be reasonable, customary, and appropriate for the occasion.
Gifts must be presented openly and transparently.
Gifts and entertainment must be recorded accurately in the company’s books and records and supported by appropriate documentation.
In giving gifts or entertainment, avoid the intent and appearance of impropriety.
Accepting a gift or entertainment that is not reasonable or customary or that exceeds $XXX [typically ranging from $150 to $250] in value in a calendar year or that is intended to induce your behavior improperly is prohibited.

Moreover, some companies provide examples of what constitutes a “nominal” amount, such as:

single bottles of reasonably priced wine
modest refreshments at a conference
items with the company’s logo, including a shirt or a laptop case
chocolates, flowers, or fruit

Companies similarly juxtapose the examples of the “nominal” or “token” gifts with the non-token gifts, such as:

tickets to a sporting event
use of a holiday home
free or discounted travel (i.e. a free ski weekend)
rounds of golf
jewelry
preferential treatment or access to confidential information
discounted or free products for personal use

The key in defining “nominal” in your Gift and Entertainment Policy is to recognize the risks attendant with your business, and, while keeping the unique composition of your employee and agent base in mind, enunciate a definition that empowers your agents to understand the company’s values and limits.

Posted on June 6, 2011 in Ask the Experts

Should the Chief (Ethics and) Compliance Officer Report Directly to the Board?

A: The best reporting structure for Chief (Ethics and) Compliance officers is now commonly debated, especially given the most recent amendments of the U.S. Sentencing Guidelines, calling for “reporting responsibility” to be established between the employee responsible for the “day to day” operations of an organization’s ethics and compliance program and its “governing authority” (usually the Board). The Sentencing Commission was primarily concerned with granting the director of the ethics and compliance program access to the board in the event of high-level criminal activity and carefully avoided dictating a specific organizational structure and making specific suggestions as to reporting lines.

That caution has led to this question – how does one implement what the Guidelines now recommend? An emerging best practice, particularly with organizations with more than 1,000 employees, is to create a direct and documented reporting line between the C(E)CO and the Board.

While the Guidelines only require a C(E)CO to have direct access to the Board for instances of illegal (or apparently illegal) activity and for annual program reports , many organizations are expanding this relationship beyond this “failsafe” function in order to foster a relationship between the C(E)CO and the board to encourage reporting should it be necessary. This approach makes practical sense. Limiting the C(E)CO’s board exposure to yearly updates in the absence of legal emergencies might present a problem, because C(E)COs may not then develop the comfort level they need to make difficult reports sans regular contact with the board. Furthermore, if another executive – the general counsel, chief legal officer or chief executive officer – sets the C(E)CO’s pay, and is responsible for hiring, firing, and promotion, then they may also be hesitant to go to the board with a sensitive issue that may implicate the c-suite.

Many companies – indeed, the majority of organizations we have benchmarked over the last six months – now consider it best practice to remove the C(E)CO from such an awkward situation so they are truly able to communicate with the Board freely by implementing a formal reporting relationship.

In addition, if the C(E)CO is not the employee responsible for the “day to day” operations of the ethics and compliance program due to wearing multiple hats, companies are increasingly including the individual overseeing the program in board meetings to allow them to become comfortable with the governing authority as well, fulfilling the spirit of the updated U.S. Sentencing Guidelines.

Ethisphere provides additional insights on the role of the C(E)CO in this whitepaper: The Business Case for Creating a Standalone Chief Compliance Officer Position.

Posted on May 13, 2011 in Ask the Experts

“Effective Oversight” by the “Governing Authority”? How can we ensure that?

A: The key point to remember when contemplating what information and data to provide the board is that the members of the board need to be able to conduct effective oversight of the entire ethics and compliance function of the organization. This means that they need several different sources of information to do their job.

Traditionally, many organizations have been very good about providing the board data and information about violations and ongoing investigations, but this is only one piece of the puzzle.
The board should also be aware of…

any training initiatives
policy or code changes
other compliance program metrics (such as traffic at ethics and compliance intranet portals)
any risk assessment data
culture survey results
summaries of ethics and compliance communications
and benchmarking data on industry best practices

And that only touches on a few broad categories!

While busy audit committees have limited bandwidth these days and the compliance officer must be mindful of overload, it is vitally important that the board be provided a broad spectrum of data so they can meet their obligations. In another “Ask the Experts” we will touch on the growing trend of creating “Compliance Committees” of the Board to take on the oversight responsibility.