- With all of the demands on employee time, how do I make sure I’m training enough?
- What should a Company’s response be to the Whistleblower provisions?
- How is recent research around “sign at the top” being applied to the ethics and compliance space?
- When establishing your company’s Gifts and Entertainment Policy (Giving and/or Receiving), how do you define “nominal” or “more than nominal value”?
- Should the Chief (Ethics and) Compliance Officer Report Directly to the Board?
With all of the demands on employee time, how do I make sure I’m training enough?
This is a question we hear all the time from companies that are struggling with that delicate balance – training employees enough to mitigate key risk areas, but not overtraining them or contributing to training fatigue. We always advise clients to think of knowledge within their organization as happening in layers. The first layer – general knowledge – is what all employees within the organization, regardless of job function, need to know about a company’s key risk areas. This knowledge is usually conveyed through code training that is delivered to all employees, and that training should set the basic foundation so that the average employee could recognize an issue and know where to report it. Most companies – a little more than 60 percent in Corpedia-ACC’s last state of the function survey – are delivering that universal code training every other year with an interim certification to compliance with the code.
The remaining time should be used to focus on knowledge level two – specific knowledge. This level requires the compliance officer to match training to specific job functions, in order to mitigate risk more effectively and efficiently. That means that sales will receive different training – likely on competition law, gifts and entertainment/conflicts of interest, and anti-corruption – than procurement, and so on. Matching specific training to the specific risks presented by specific job functions is the best way to make sure you’re achieving that delicate balance. Delivery of one focused course per quarter is most common, which means that a company that is on a biennial code training schedule could deliver 7 specific courses to employees between code trainings.
What should a company’s response be to the Dodd-Frank Whistleblower provisions that will soon be in effect, which encourage employees to report wrong-doing to the SEC through the payment of large bounties?
First, a company should not seek to emulate Dodd-Frank by posting bounties internally. This sets the wrong tone, not to mention that it is unlikely an organization can compete with the $300,000-plus bounties offered by the SEC. Second, the proper response to the Dodd-Frank Whistleblower provisions should already be included in an ethics and compliance program that follows best practices. The ultimate answer to Dodd-Frank is a healthy corporate culture where employees do not fear reporting and believe that the organization will properly handle any misconduct.
Some specific things an organization can do to respond to Dodd-Frank concerns include:
- Institute a culture survey of the employee population to better understand their perception of topics such as retaliation, pressure to commit violations of the code of conduct, and organizational justice.
- Review training of the company’s managers. The vast majority of reports of misconduct are made to managers, not the anonymous hotline or the compliance office. If employees are uncomfortable with reporting to their managers, or their managers do not know how to encourage open communication and handle any reports they receive, then the SEC might seem like an option.
- Review the organization’s messaging about anti-retaliation and reporting.
- Review the current messaging around what happens when an employee makes a report. Survey data shows that employees are most comfortable reporting where they understand the process and have faith that it works, so the more clarity and transparency an organization can provide, the better. Consider whether it makes sense, for example, to share a scrubbed version of the data on hotline calls and open-door reporting that you present to the board, or to produce a regular communication around responses to misconduct.
Recent research around “sign at the top” indicates that people may be more forthcoming or truthful with certifications at the beginning rather than the end of documents as their obligations remain “top of mind.” Is there any applicability in the ethics and compliance space?
A: This “sign at the top” concept is taking root in a number of different ways in the ethics and compliance space. For example, we’re seeing its use in:
- Workplace computer “sign-on” screens when employees log in to their computers at the beginning of a workday. The log-in screen, which organizations rotate on a periodic basis, reminds employees about their obligation to use their computer appropriately, keep company information confidential, etc.
- “Pop-up” windows before employees exit the company’s intranet to visit a social media site like Facebook or Twitter. Once again, the window is a reminder of the company’s expectations for employee behavior on those sites, and requires employees to click and accept that they understand the policies. Where possible, some companies are actually tracking how long the window is open, and if the time seems unreasonably short the employee will get a “Did you really read that in 5 seconds? Are you sure?” message.
- Conflicts of interest disclosures where, again, the employee is required to read the policy (with the tracking concept above employed), initial or otherwise acknowledge that they will answer the questions truthfully, and only then is presented with the questionnaire itself.
- T&E report filings (for employees) and approvals (for managers) when the company is using an online filing system; the individual signing in to file or approve will initial or acknowledge that they will follow the company’s gifts and entertainment policy.
These are just a handful of ways we have seen this concept being used so far. Our partner, Ethisphere, recently hosted a CLE webcast titled Compliance Communications: Overcoming Challenges and Best Practices, in which the Chief Ethics Officer of Best Buy, Kathleen Edmund, discusses some of these topics in further detail.
When establishing your company's Gifts and Entertainment Policy (Giving and/or Receiving), how do you define “nominal” or "more than nominal value"? Should the definition include a maximum dollar amount or a definition for "nominal"?
Response by Palmina Fava, Partner at Paul Hastings and Member of the Ethisphere-Corpedia Joint Committee
A: Providing guidance to employees operating around the world on appropriate gift and entertainment limits is a challenge. When bearing responsibility (and liability) for thousands of global employees and agents, it is critical to provide some context and specificity for what the company deems appropriate. To that end, companies are moving in the direction of defining “nominal” with some specificity, recognizing the difficulty in translating “nominal” into different languages and cultures while retaining the same meaning. Definitions among companies vary but generally they equate “nominal” with the terms “insignificant value” or “token amount” or “not greater than $250,” using DOJ Opinion Releases, non-prosecution agreements, and other statements by DOJ as a guide. Setting a dollar limit on the term “nominal” is tricky because the DOJ has found gifts valued up to $250 appropriate, provided the other standards enunciated below are present, yet many companies set a lower threshold (i.e. no more than $50 on any single occasion and $150 total in a calendar year) either because other entities in their industry are using that threshold or because those amounts comport more closely with local laws in the countries in which they operate.
A developing best practice is to provide context in the Gifts and Entertainment Policy for permissible expenses, i.e.:
- Gifts shall be provided only as a token of esteem or courtesy or gratitude.
- Gifts and entertainment shall not be given to induce the recipient to favor the company or in exchange for the recipient’s actions that benefited the company.
- Gifts shall not be in cash or cash equivalents (i.e. gift cards) and shall not exceed $XXX [typically ranging from $150 to $250] in value in a calendar year per recipient.
- Gifts and entertainment shall be given only if permitted under local laws and the guidelines of the recipient’s employer/government entity.
- Gifts and entertainment must be reasonable, customary, and appropriate for the occasion.
- Gifts must be presented openly and transparently.
- Gifts and entertainment must be recorded accurately in the company’s books and records and supported by appropriate documentation.
- In giving gifts or entertainment, avoid the intent and appearance of impropriety.
- Accepting a gift or entertainment that is not reasonable or customary or that exceeds $XXX [typically ranging from $150 to $250] in value in a calendar year or that is intended to induce your behavior improperly is prohibited.
Moreover, some companies provide examples of what constitutes a “nominal” amount, such as:
- single bottles of reasonably priced wine
- modest refreshments at a conference
- items with the company’s logo, including a shirt or a laptop case
- chocolates, flowers, or fruit
Companies similarly juxtapose the examples of the “nominal” or “token” gifts with the non-token gifts, such as:
- tickets to a sporting event
- use of a holiday home
- free or discounted travel (i.e. a free ski weekend)
- rounds of golf
- preferential treatment or access to confidential information
- discounted or free products for personal use
The key in defining “nominal” in your Gift and Entertainment Policy is to recognize the risks attendant with your business, and, while keeping the unique composition of your employee and agent base in mind, enunciate a definition that empowers your agents to understand the company’s values and limits.
Should the Chief (Ethics and) Compliance Officer report directly to the Board? Should the Board be responsible for hiring, firing, and setting the pay of the C(E)CO?
A: The best reporting structure for Chief (Ethics and) Compliance Officers is now commonly debated, especially given the most recent amendments to the U.S. Sentencing Guidelines, which call for “reporting responsibility” to be established between the employee responsible for the “day-to-day” operations of an organization’s ethics and compliance program and its “governing authority” (usually the Board). The Sentencing Commission was primarily concerned with granting the director of the ethics and compliance program access to the board in the event of high-level criminal activity, and carefully avoided dictating a specific organizational structure or making specific suggestions as to reporting lines.
That caution has led to this question – how does one implement what the Guidelines now recommend? An emerging best practice, particularly with organizations with more than 1,000 employees, is to create a direct and documented reporting line between the C(E)CO and the Board.
While the Guidelines only require a C(E)CO to have direct access to the Board for instances of illegal (or apparently illegal) activity and for annual program reports, many organizations are expanding this relationship beyond this “failsafe” function in order to foster a relationship between the C(E)CO and the board that encourages reporting should it be necessary. This approach makes practical sense. Limiting the C(E)CO’s board exposure to yearly updates in the absence of legal emergencies might present a problem, because without regular contact with the board, C(E)COs may not develop the comfort level they need to make difficult reports. Furthermore, if another executive – the general counsel, chief legal officer or chief executive officer – sets the C(E)CO’s pay and is responsible for hiring, firing, and promotion, then the C(E)CO may also be hesitant to go to the board with a sensitive issue that may implicate the C-suite.
Many companies – indeed, the majority of organizations we have benchmarked over the last six months – now consider it best practice to remove the C(E)CO from such an awkward situation by implementing a formal reporting relationship, so that they are truly able to communicate with the Board freely.
In addition, if the C(E)CO is not the employee responsible for the “day-to-day” operations of the ethics and compliance program because they wear multiple hats, companies are increasingly including the individual overseeing the program in board meetings to allow that person to become comfortable with the governing authority as well, fulfilling the spirit of the updated U.S. Sentencing Guidelines.
Ethisphere provides additional insights on the role of the C(E)CO in this whitepaper: The Business Case for Creating a Standalone Chief Compliance Officer Position.