In this, the second installment of my continuing series on Schedule C to the Alcatel-Lucent Deferred Prosecution Agreement, I’ll discuss corporate policies. The Alcatel DPA requires that the corporate compliance program “should include, but not be limited to, the following elements to the extent they are not already part of the company’s existing internal controls, policies, and procedures:
1. Alcatel-Lucent will develop and promulgate a clearly articulated and visible corporate policy against violations of the FCPA, including its anti-bribery, books and records, and internal controls provisions, and other applicable foreign law counterparts (collectively, the “anti-corruption laws”), which policy shall be memorialized in a written compliance code.
So, according to the DOJ, corporate anti-corruption policies must be
- covering FCPA and other laws
Each of these is important, and difficult.
In my opinion, policies are the least important part of a compliance program. What’s in the policy, I mean. Because, seriously, what policy is going to say “it’s okay to bribe?” Well, maybe the sales policy at the Chinese subsidiary of Watts Water, but other than that (and that was in Mandarin)….
The only question for policies is how much they prescribe. Too much and the policy becomes unwieldy to draft and, more importantly, unreadable by field employees. Some companies go the other way and have ultra-short policies, but then have longer “procedures.” The policy itself says something like, “It is the policy of this company that no employee, officer, director, agent, or other person acting on the Company’s behalf not pay anything of value in order to improperly influence,” blah blah blah. Then there’s a massive set of procedures that define every possible situation and how to handle it.
The problem as I see it with policies that try to define the proper response to actual situations is that employees will game it. They could say “the policy doesn’t list this situation, so I thought it was okay.” The other problem with definitive policies is that they get long. A policy over three pages isn’t going to be read. And that’s a disaster in the making. You never want the answer to “do you know where to find the anti-bribery policy,” to be “we have an antibribery policy?”
So, you need a policy that is concise, that covers the high points, and that isn’t accompanied by a massive tome of “other materials” that no one will read.
A policy should let employees know what the Company stands for and what it won’t stand for. The policy coverage should be a structure. At the top is your Code of Conduct (in whatever form or by whatever name). It should include your general line about anti-corruption. “This Company does not bribe. Not to get business, not to get access, not to get anything: bribery is never acceptable.”
Then you need a specific anti-corruption policy. It should be under five pages, at most; preferably three pages; two, if you can swing it. It should lay out some basic decisions you make: are you including private-sector third parties in the policy? What are you going to do about facilitation payments? What are the general rules around gifts and hospitality? What is the approval process for providing travel? How are third parties (vendors, contractors, agents, distributors, etc.) approved for onboarding? Remember also that the policy needs to include a statement that all expenses must be recorded correctly, and how that’s done, and who to call when you have a question.
How you decide to handle these issues is less important than the next step: making the policy visible. You must engage in a significant effort to internally market the policy. You need it widely distributed. You need it trained on (and we’ll talk about training in another entry). You need it on the desk of every salesperson. You need it distributed to every third party you hire. Hell, have it given out to visitors in your building. Put it on your public Web site. Talk about it, often.
One word about language: make sure, before you finalize the policy, that you have it read by a high-school student. And not one of the smart ones. One of the ones in that half of the class that makes the top half possible. You need it understandable to every employee you hire. And, all due respect to outside counsel, don’t let your lawyers near it. They should review it, to make sure it covers all applicable areas, but don’t let them edit a word. If the word “heretofore” appears, or any Latin at all, you need to redraft. Also, you should talk about “bribery” and “corruption” not “FCPA.” The policy needs to be applicable around the globe.
A word about process: before you begin this process, you need to identify business champions in—at least—your sales, marketing, finance, IT, and operations divisions. The leaders of those divisions need to appoint liaisons with the anti-corruption compliance team. If you’re dealing with multiple businesses, then at least one person from each business. This is your draft review team. When you answer the questions above about the scope of the policy and what it covers and how it decides closer questions, you need business buy-in to those decisions. When you issue your policy, it cannot be a surprise. Who should those champions be? I would suggest high-performers. Seriously, pitch it to the business as a way to give high-performers access to a high-profile project with a view into areas of the business that a VP of Sales might not usually see (like operations, marketing, IT, etc.) The policy will need to get approved by the Board of Directors, which means access to the highest levels of the company, and a chance to shine. It will give the high performer contacts with other high performers that will help later on. And it will give compliance the chance to get high performance employees trained up and sensitized to compliance issues. A win-win. And this is an ongoing responsibility. The policies should list the liaisons, and their phone numbers, for further questions. If that person leaves the company, or moves internally, their boss is responsible for appointing another high-perfomer replacement.
A word about the number of policies: I would suggest you have, in the overall policy, a list of other relevant policies that deal with specific issues. I would suggest having a policy on how to provide travel; how to onboard third parties; and, if it’s relevant, gift and hospitality (including shows, events, conferences, golf tournaments, Wimbledon, etc). Depending on your specific risks, there might be others. Each of those policies should follow the rules for your overall policy: short, to the point, written by non-lawyers. When you have your complete set of policies, bind them together, and every employee VP-level or above should get a copy.
A final note about documentation: your policies are part of the documentation of your program, not the sum total of it. You should have a totally separate document written to answer one question: “how does this company handle anti-corruption compliance?” That’s a long, legally-oriented document which we can discuss another time. Your policies should be a part of that document.
No one said writing policies is easy. The temptation to give in to length and scope will be overwhelming. Resist. The more targeted your policies are, the easier it’ll be to train on them, and the more visible you’ll be able to make them.