Welcome back to the 9th edition of OIG Shorts, a publication of the Sheppard Mullin Organization Integrity Group (OIG). This post discusses the importance of a targeted, multi-layered compliance program focused on individual deals, sales, contracts, etc. – as distinguished from the equally important company-wide E&C program previously discussed here.

By a targeted compliance program, I'm referring to a compliance program aimed at reducing the unique risks that flow out of any highly regulated area – e.g., government contracts, antitrust, international trade, healthcare/life sciences, etc.

Too often, companies think of compliance as the province of the Law Department, which is understandable. But while the Law Department plays a critical role in managing regulatory compliance and reducing risk, the Law Department is only one component of a much broader community of risk reducers. The other components include some or all of the following:

  • Ethics & Compliance (E&C). The E&C team in many ways is the “owner” of a company's E&C efforts. While others focus on compliance at the tree level (i.e., the contract/transaction level), the E&C team generally focuses on the forest (i.e., the structure and effectiveness of the compliance program overall). The E&C team also can play a key role in conducting internal compliance-related audits and investigations. The work of the E&C team has taken on new importance over the last few years as the DOJ has been very vocal about the Department's expectations and its intent to hold CECOs responsible for inaction.
  • Contracts. While some companies focus their Contracts team almost exclusively on business enablement matters, many companies engage Contracts as a key front-line player in the fight against noncompliance. While these folks often are not lawyers, they typically bring to the table great understanding of their respective regulatory regimes and a lawyer-like perspective on risk reduction.
  • Internal Audit. Most large companies have an Internal Audit group, but too often they lack the specific subject matter expertise/regulatory knowledge (and bandwidth) to conduct sufficiently robust contract-level audits. Nonetheless, IA is a critical component of a multi-layered compliance program since its work can tell one a lot about the effectiveness of the Company's compliance efforts generally. (And to the extent they have knowledge and bandwidth to conduct contract-level audits, all the better.)
  • Risk. Many larger companies have a Risk Department that is separate from Legal and E&C. This group typically focuses on helping the company make optimal business decisions while reducing all manner of risk, including reputational risk, PR risk, shareholder risk, employee dissatisfaction risk, financial risk, and, while it overlaps with the Law and E&C groups, compliance risks.
  • Finance. The “owner” of all things monetary, Finance is a key player in any targeted, multi-layered compliance effort. In many companies, the Finance team plays a critical role in pricing policy, pricing compliance, expense policy/compliance, revenue recognition matters, securities compliance, and much more.
  • Sales. While I concede the Sales Team often is thought of as the source of the work for all the compliance functions described above, if properly structured and incentivized, they also can and should play a core compliance function. The Sales folks often are a company's first line of defense against noncompliance. If they are trained well, led well, supervised well, and incentivized properly, they can identify compliance risks at a very early stage, making everyone else's job easier.

The most effective risk-reduction strategy for a company is one that thoughtfully considers and incorporates all of these functions into its efforts to drive compliance at the individual deal, sale, contract, and order level.

  • Come up with a plan. It's important to be deliberate about each group's responsibility to avoid compliance gaps both globally and when focused on individual transactions and deals. It's also important to document the plan.
  • Form a committee. Periodically bring together representatives from each group so that everyone knows their role, everyone else's role, how everything fits together, and the high cost of failure.
  • Encourage cooperation and communication. It's critical to avoid the dangers that come from stovepiping – that is, relying on overly narrow and isolated internal channels of communication. If one group is seeing risk, it's important that other groups involved in the compliance efforts be made aware of those risks promptly (albeit, often through a Law Department prompted privileged communication).
  • Look for patterns. It's dangerous to think about non-compliances as “one-offs.” Sometimes they are, sometimes they're not. Accordingly, every function involved in the overall compliance effort should be scrutinizing the transactions that cross their desks for both individualized compliance and for broader patterns. And the compliance committee described above should have a formal charge to look for patterns as well. In general, patterns of noncompliance are what move a manageable contract problem into a very expensive False Claims Act problem.

Reducing risk in any highly regulated environment takes a village. To be effective, that village should encompass a number of different functions each focusing on their particular areas of expertise, but doing so in a coordinated manner.

Taking these steps will not guarantee that your compliance program will prevent all wrongdoing. It will, however, materially contribute to the overarching goal of reducing risk to the enterprise.
