People say that hindsight is 20/20. I’d say from my experiences its true. If only we could have 20/20 vision before an incident occurs, think of all the heartaches and headaches we could avoid. It would be especially helpful as compliance officers, because you are asked to assess risk and take proactive measures to protect your company from rogue employees, corruption, litigation. For the most part you probably have a good idea of what you need to do to shield your company from risk – there’s the Code of Conduct, policies and procedures, executive buy-in, tone from the top and compliance training. You implement all of these elements, giving your best effort to cross all of your t’s and dot all of your i’s, but do you really have 20/20 insight into the risks at your company? Perhaps the closest we can come to predicting risk is taking the advice of others who have gone through DOJ or SEC investigations and learn from their mistakes.
Gallup, Inc., a well-known privately held American research company, underwent such an investigation in 2011. This is good news for us, because at this years SCCE Compliance and Ethics Institute, Gallup’s VP of Law & Counsel/Regulatory Compliance Officer, William Kruse, spoke to and provided us with the insight we need to successfully prepare ourselves to withstand a government investigation. Kruse’s recommendation is simple: strengthen your ethics and compliance policy management system.
The Case of Gallup and the DOJ
Gallup started off as a small private company that ended up growing proportionately faster than their compliance program could keep up with. As of 2003, Gallup business was conducted on trust and a handshake, there were no official policies or documentation. This had been sufficient for business from 1935 to the early 1990’s, but after that they began to take business overseas, their risk footprint grew. In 2009, employee Michael Lindley blew the whistle on Gallup for a handful of indiscretions including gross overbilling of government contracts. While the DOJ threw out some of Lindley’s claims, they did find 3 to be grounded in fact.
William Kruse had just started his career with Gallup at the time that Lindley’s claims were starting to garner notice from the DOJ. He was assured that the whole matter would be resolved before he started his new position at the company. But the matter wasn’t resolved and when Kruse came on board he was faced with two options for handling the DOJ investigation:
Option 1: Keep calm and circle the wagons
Option 2: Cooperate
Kruse admits that option 2 might not be intuitive, especially if you do not agree with the claims – but he stands behind his decision that cooperating with the DOJ or SEC is the best thing you can do. More than that he suggests that anyone facing an investigation take this three pronged approach:
- Investigate the matter internally as well
- Cooperate with the DOJ or SEC
- Do NOT retaliate!!!
Next, Strengthen Your Ethics And Compliance Program
My hope is that after reading this blog you will reevaluate your ethics and compliance policy management systems for areas of improvement. However, doing so does not mean you get to sit back and relax if your company is ever the target of an investigation. There is constant room for improvement, so if you do find yourself under investigation, ask yourself these questions to see if you can strengthen your program further:
1. Did I have systems in place?
2. Should I have done something different?
3. How did this happen?
Evaluate desired ends, actors, control tools, control implementation. Make control changes – i.e. reevaluate and rewrite policies, increase training time, switch up your training content. While these changes may make waves at work or frustrate people because they have more work to do, it will show the DOJ or SEC that you are serious about ramping up your corruption safeguards.
What do you have to do?
- Get board buy in to provide you cover – this needs to be from the very top. If the CCO or CEO are behind you and your initiatives, the wind and waves stop
- Document everything – training, audits, investigations
- Create a slide deck of training, have people sign in and keep it all
- Audit yourself, you can’t wait for KPMG – i.e. if we have a policy on x, y, z – is anyone auditing it to make sure people are actually doing what they are supposed to do? Timekeeping and invoicing are high risk areas. Look for areas where something might get missed, and develop a system to do so once a quarter.
- Keep logs of when people walk into your office and have an issue. Even if the issue is implausible, log it.
If Gallup had been able to successfully grow their compliance department as the rest of their business grew, graduating from handshakes and trust to written policies and robust ethics and compliance policy management, they may have been able to avoid their DOJ investigation. Policy management is one of the simplest answers to a successful compliance program. A policy management system allows you to track, manage and update policies in real-time. Authors receive notifications when they need to update policies and your workforce receives email notifications of policies that are pertinent to their job functions that they need to read and attest to.
For More Information About Ethics And Compliance Policy Management Training, Check Out These Resources:
- Blog: Employee-Driven Ethics & Compliance Policy Management: Involving Employees In Policy Creation
- Blog: 5 Reasons Using SharePoint As A Policy Management System Costs You Time And Money
- On-Demand Webinar: Benchmarking Your Ethics And Compliance Policy Management Process
Policy Management Success Kit
Your Policy Management Success Kit provides access to OCEG’s webcast on the next generation of policy management, the latest policy management illustration from OCEG and The Network on how to engage employees with interactive policies and finally Michael Rasmussen’s hot-off-the-presses whitepaper, “Benchmarking Your Policy Management Program.”
Download Your Kit Today