What do William in the US, Rajan in India and Jean-Louis in Italy have in common? You wouldn’t know at first glance, but all three were CEOs, and all three were sentenced to jail for violations of EHS regulations. The companies concerned were also issued millions in fines and/or liability claims, but in a CEO’s eyes, up to two decades in prison may seem a bit more shocking. Is it a sign of the times that three CEOs on three different continents were sentenced to jail in the past months? Could you soon be liable for your company’s non-compliance?
The volume of EHS regulations is increasing every year, yet those regulations serve no purpose if they are not enforced. Governments are becoming increasingly aware of this and targeting corporate management with stronger enforcement actions. One of the first questions from enforcement inspectors is always: do you have an effective compliance assurance program? If the CEO is prepared, he has nominated a capable Director in charge of EHS who in turn has nominated a corporate EHS Manager tasked with making it happen. This is usually where the EHS Manager or Director becomes a vital part of the process. So how do you “make it happen”? Do you have a compliance assurance program and how can you guarantee that it is effective?
Are you confident in your corporate compliance program?
In September 2011, Enhesa carried out a survey amongst corporate EHS managers on their confidence in the effectiveness of their corporate compliance program. Forty-three percent had little or no confidence that their corporate compliance program was able to ensure regulatory compliance (see diagram). This puts the concerned EHS managers, senior management and board of directors of these companies at risk of being held liable and facing criminal charges.
What is the law saying?
Although often considered primarily financial in scope, the Sarbanes-Oxley Act of 2002 section 805(a)(2)(5) and the related US 2010 Federal Sentencing Guidelines are explicit on the issue of compliance infractions, including those around EHS issues. Regulators target any person in the chain of command from the CEO to the EHS manager for infractions. Similar laws and regulations can be found around the globe, often less elaborate, but no less effective.
Using the Sarbanes criteria as an example, what is considered an acceptable compliance program?
A company has to exercise due diligence to prevent and detect criminal conduct, and promote a corporate culture that encourages a commitment to regulatory compliance. Such compliance programs should be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct.
The Board of Directors shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance program. Senior Management of the company shall ensure that the company has an effective compliance program. Specific individuals within the company shall be delegated day-to-day operational responsibility for the compliance program. Individuals with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, on the effectiveness of the compliance program. To carry out such operational responsibility, such individuals shall be given adequate resources, appropriate authority, and direct access to the governing authority.
Even the best compliance programs cannot prevent the fact that sometimes things go wrong, but they can substantially reduce the risk and effects of mishaps and give you some defense when facing enforcement penalties and legal actions.
Who is to blame?
When there is a serious issue of non-compliance, the inspectors often start at the top of the company and follow the chain of command to assign blame. In minor cases, they may start the other way around – from the bottom to the top. In either case, you may be called upon to prove that you did what you should have done in your position to ensure things did not go wrong. Using the “lack of resources” excuse will not help if you did not address that issue in writing before the problem or communicate this up the chain of command in the appropriate manner.
Everyone has a role. According to the Act, the company’s Board of Directors shall be knowledgeable about the content and operation of the compliance program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance program.
High-level personnel of the company shall ensure that the company has an effective compliance program. Specific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance program.
Specific individual(s) within the company shall be delegated day-to-day operational responsibility for the compliance program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.
Where are you in this chain of command? Do you do what is expected from you, not only in terms of what your superior asks from you, but also in terms of what corporate responsibility and regulators expect from you?
A Compliance Program is not a paper manual hidden away in a manager’s file drawers.
The company shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance program, by conducting effective training programs and otherwise disseminating appropriate information.
The Compliance Program must be a living program.
Why do you need compliance audits?
Putting in place an effective compliance program inevitably includes going through the basic elements of every management system: Plan – Do – Check – Act. Plan your compliance program or its improvement, roll it out and then check how things work out in practice. It may seem like common sense, but many companies still work on the blind assumption that local staff knows and understands the regulations. Other companies assume that following corporate standards based on the US Code of Federal Regulations will be sufficient to avoid trouble. Knowing what the local regulations require from you is essential for both the local manager and the corporate auditor.
The US Sentencing Guidelines are very explicit on the issue. They require any company to take reasonable steps to:
■ ensure that the company’s compliance program is followed, including monitoring and auditing to detect criminal conduct;
■ evaluate periodically the effectiveness of the company’s compliance program; and
■ have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the company’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.
The company’s compliance program should be promoted and enforced consistently throughout the company. There should be incentives to perform in accordance with the compliance program as well as disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.
If criminal conduct is detected, the company needs to take reasonable steps to respond to the criminal conduct and to prevent further similar conduct, including making any necessary modifications to the company’s compliance program. The company shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each corporate requirement to reduce the risk of criminal conduct identified through this process.
Interested in knowing where you stand in this regard? Register to participate in one of the free Enhesa Webinars on “Six Steps to Compliance” or contact the Enhesa experts for help reviewing the effectiveness of your compliance program and for support in building a best-in-class management system.
-Thierry Dumortier, Enhesa Director