Last year, a former Morgan Stanley managing director pleaded guilty for his role in a conspiracy to evade the company’s internal accounting controls and violate the U.S. Foreign Corrupt Practices Act. This case is significant because the U.S. Department of Justice (DoJ) declined to bring enforcement action against the executive’s employer. The DoJ’s references to Morgan Stanley’s compliance practices in its opinion release provide an insightful benchmark for companies in all industries to use in evaluating their compliance practices.
For decades, it has been generally accepted that (a) established internal controls do not guarantee that violations of internal policies, laws and regulations will not occur, and (b) collusion can circumvent established controls. The DoJ’s public acknowledgement that it “declined to bring any enforcement action against Morgan Stanley” sent a powerful message that Morgan Stanley had attained the elusive “reasonable assurance” threshold.
Following are 10 lessons learned from the DoJ’s decision regarding Morgan Stanley:
- Lead with a strong “tone at the top” – Management sets the tone at the top when it comes to compliance. In addition to “walking the talk” by conducting business ethically, upper and middle management should consistently and frequently communicate the necessity for adhering to the organization’s values. Zero tolerance for corruption must come from the top down.
- Maintain strong administration and oversight of compliance – Individual employees should be given specific responsibilities and accountability. Enforcers of the company’s compliance plan should be designated. Compliance officers should oversee and manage compliance issues and should be supported by a clear reporting structure. Strong board risk oversight of compliance also should be in place.
- Conduct a comprehensive risk assessment – Only through an effective risk assessment process can management understand the bribery and corruption risks inherent in the company’s global operations. The process provides direction and focus to compliance oversight through an understanding of where the firm is operating and the local risks that should be taken into consideration.
- Refresh for change – Make sure your compliance program evolves with new regulatory developments and industry guidance. Don’t allow compliance processes to become stale. Continue to invest in compliance. Take into account any lessons learned from past violations.
- Understand the players in the countries where the organization does business – Apply the term “foreign official” broadly and require executives dealing with such officials to report their dealings. If third-party agents are used, focus on understanding contractual provisions; what the third-party agent is really doing for the company; how the agent is being paid; and the business motivation for using the agent. Ensure that conditions do not change over time during an ongoing business relationship.
- Verify that compliance training and certification are robust – Training should spell out the company’s expectations for compliance with its corporate policies and procedures, as well as anti-corruption or anti-bribery laws and regulations. Retraining should occur periodically, and all employees and third parties should certify that they comply with the company’s compliance policies. Whenever policies and procedures are updated, the new information should be circulated to employees and third-party agents, and they should be retrained.
- Ensure that effective auditing and monitoring capabilities are in place – The auditing and monitoring processes should evaluate the compliance program’s effectiveness. The appropriate board committee charged with risk oversight should regularly receive and review audit reports, as well as notification about complaints or investigations of noncompliance with corporate policies designed to prevent or detect bribery and corruption risk.
- Provide means for notification – When compliance issues arise, the organization needs to become aware of them as soon as possible. There should be a system for employees to use to report wrongdoing and notify the company of suspected violations of the firm’s policies and applicable anti-corruption laws and regulations. Employees should be provided with the names and contact information of compliance and legal officers. An anonymous confidential hotline should be provided, and employees should be encouraged to use the available reporting mechanisms.
- Act decisively – Upon receipt of any allegations, the proper individuals within the organization should take immediate action, including seeking advice from appropriate experts (including outside counsel); investigating the allegations; disciplining or terminating employees participating in illegal acts; notifying the appropriate authorities; and disclosing the matter to shareholders.
- Maintain adequate documentation – Training sessions should be well documented (e.g., track the date, time and location of each training session conducted and compliance communication delivered). Archive and store a copy of each training program delivered and each compliance policy communication sent. Records of when employees received either training or management communications should be kept in the employees’ personnel files.
The above lessons provide a blueprint other companies can apply to enhance how they manage compliance. When rogue employees engage in collusion to circumvent established internal controls, the Morgan Stanley case proves that the DoJ will credit companies when they demonstrate a consistent, deliberate and clear commitment to compliance in addition to strong support from the top.
Questions for Boards
The board of directors may want to consider the above lessons when assessing a company’s management of corruption and other compliance risks, in light of the risks inherent in the entity’s operations.
How Protiviti Can Help
Protiviti assists companies with building sustainable compliance risk assessment processes and developing anti-corruption and other compliance programs and controls to meet fiduciary and regulatory responsibilities. We support organizations in their efforts to prevent and detect corruption risk at every level, from corruption risk governance and employee training to tailored audits and monitoring programs.
Board Perspectives: Risk Oversight (Issue 42)