A question ethics and compliance professionals wrestle with constantly is whether they have real visibility into what is happening in the organization.
People who are skeptical of E&C may ask, when considering a budget request, why it is needed if the company isn’t being investigated or hasn’t uncovered any breaches in its operations.
But, as two ethics and compliance professionals said in a recent LRN webinar about how to navigate recent regulatory guidance regarding effective E&C programs, the lack of a compliance breach in a company is a sign that E&C may not be properly allocating its resources.
This is especially concerning in this time of pandemic, as companies hard hit by the effects and aftershocks of the virus may be looking to cut costs, and could potentially see E&C as a place to shave some budget, said one of the panel participants, whose name is withheld as the event was held under Chatham House rules.
The person likened it to a business that doesn’t want to pay $10,000 for preventative maintenance on Monday, only to be fined $10 million on Friday.
“I think there are a lot of organizations, especially as you get into the COVID environment, people are slacking off or pulling back,” said the panelist, a CECO at a major company in the extractive industries. “They are using survival as the issue they are pushing, saying we can’t do this because of that, so I think there is a real risk.”
If you are not finding issues, even if they are just minor policy errors or issues, then you probably aren't looking hard enough or deep enough into the organization. If issues aren’t surfacing, lessons aren’t being learned, the CECO said.
“My personal view is--if you gave any compliance lawyer worth his or her salt, or a compliance professional--if you give them two weeks in any organization, they’re going to find something,” the person said. “My suspicion would be, if there’s zero issues, there’s probably some more testing, monitoring to be done.”
A second panelist, this one a former CECO who now works as an attorney advising companies on E&C matters, said it’s important to remember the fundamental difference between a policy violation and a legal violation.
“By and large, the place where we as compliance folks, as lawyers who do this work, where we live is on the difference,” said the attorney. “Yes, you may not go through all of the steps in onboarding a vendor, but that doesn’t mean it’s an FCPA violation. The difference between policy issues and legal violations is substantial.”
When thinking about breaches and what a breach is, most systems and processes and assessments and tests are going to find policy breaches; not every box is always going to get checked, the attorney said.
“And that’s healthy. It’s healthy to find that for the same reason that you want to see calls come into the hotline; that means the hotline is really working and trusted,” the attorney said. “But there’s a big difference between finding those and finding legal violations. I don’t think there’s anything wrong not finding legal violations, but you should be finding policy breaches.”