Compliance & Ethics For Lawyers And In-House Counsel

Compliance & Ethics forLawyers and In-House CounselPreconference PM6Joseph Murphy, Director of Public Policy, SCCEDonna Boehme, Compliance Strategists LLCSociety of Corporate Compliance & Ethics11th Annual Compliance & Ethics InstituteLas Vegas, October 14, 2012Poll #1The principles of Attorney-Client Privilege meanthat:A) The compliance function must be excluded fromprivileged investigations e.g. bribery investigation.B) Reports on investigation should be provided only tolawyers.C) The compliance function must report to the GeneralCounsel.D) None of the above1

Poll #2In a recent survey of the state of chief complianceofficer roles, the percentage of CCOs reportingto the General Counsel and to the CEO,respectively, were:A) 35% & 32%B) 58% % 27%C) 44% & 38%D) 29% & 49%PRECONFERENCE OVERVIEW:What do Lawyers & In-House Counsel Need toKnow about Compliance and Ethics? Role of Privilege, Confidentiality & Other Legal Principles ina Compliance Context Compliance is not a legal function, but lawyers &in-house counsel have many critical roles in program Compliance and Legal have separate, but (mostly) mutuallysupportive mandates Understand “scary topics” e.g. Risk Assessments,Investigations & Reporting through Compliance Lens2

RIPPED FROM THE HEADLINESTakeaways for Lawyers & CCOs ?453

WHAT IS A COMPLIANCE AND ETHICS PROGRAM?(let’s parse) A multi-disciplinary management control systemconsistent with relevant standards (including theOrganizational Sentencing Guidelines)that seeks to “detect and prevent misconduct” andsupport a culture of accountability and transparencyincluding by conducting risk assessment, setting clearwritten standards, training, communicating and engagingemployees, monitoring and auditing the program andreporting to management and the boardand continuous improvement in response to detectedproblemsHow to build trust and accountability7 elements of an effective C&E program(Organizational Sentencing Guidelines)managementcommitment &resourcesstandards,controls &procedures “walk the talk” policies & procedures high level personnel beyond “legalese” resources understood byhumansenforcement,discipline& incentives no “double standard” no retaliation performance alignmenttraining &communication job related &monitoring, evaluation& reporting metrics &measurementcontinuous internal reporting lines multimedia reports to seniormanagement & Board Board trainingsubstantial personnelauthority avoid discretionaryauthority to managerslikely to violatereview& modifyprogram ongoing risk assessment including after breaches promotions & new hires4

THE CECOChief Compliance OfficerChief Ethics & Compliance OfficerDirector of Global ComplianceVP –Business Practices & ComplianceGlobal Ethics Director**********Leader of Compliance & Ethics FunctionOverseer of Compliance & Ethics ProgramSubject Matter Expert of C&EDoor Opener/Empowerer of TeamCoach & Educator to ManagementRally Chair/Symbol for EmployeesDirect Access Reporter to BoardLiaise to RegulatorsMODULE 1: PRIVILEGE, WORK PRODUCT,CONFIDENTIALITY & OTHERLEGAL PRINCIPLES Through a Compliance Lens Myths and reality5

The “lawyer” privilege Anything a lawyer does is privileged If a client is involved the privilege is weakened If a lawyer thinks and writes something it’s protectedas work product Anybody who reports to a lawyer is under theprivilege But this privilege applies only when the lawyer isriding a unicornAttorney-Client Privilege: the facts Non-lawyers can play a role in compliance matterseven if conducted under privilege Protection requires a client asking for confidential legaladvice Non-lawyers can act under counsel’s direction & control “Upjohn letter” BUT: in EU, privilege for in-house counsel not generallyrecognized (Akzo Nobel). Unlike UK & US.6

Work Product Protection: the facts Under FRCP, work product privilege does not requirelawyer The rule covers preparation relating to litigation by a “party” But it is always best to use lawyers for case preparation,even when non-lawyers are involved Don’t forget – it also applies for potentially bringing acase against someone else Protection is only qualified for fact gathering, but absolutefor counsel’s mental impressionsBut isn’t it safer to have lawyers do everythingand claim blanket privilege for all complianceactivities? How do you prove your case that you had an effectiveprogram in place if you cloak everything with privilege Sharing with the government likely waives attorney-clientprivilege The best protection is to fix what you find Claiming privilege for everything undercuts your credibility7

Legal ethical issues for compliance lawyers Who is the client? Upjohn/Miranda warnings? Duty to escalate SOX 307 escalation Confidentiality & disclosureScenario: The Case of Angst in AzerbaijanMark, CECO for International Pipeline Co, is currentlyoverseeing a hotline call from an anonymous source atthe company’s Azerbaijan operations. The caller suspectsthat a member of a government official’s family is involvedin a lucrative transaction with the local subsidiary, whichis bidding on a big government contract. In consultationwith the Compliance Committee, which includes theGeneral Counsel, a decision is made to bring in an outsidelaw firm to investigate. The General Counsel tells Markthat from now on, due to privilege matters, the Legaldepartment will work directly with the outside expert, andCompliance will be out of the loop until final resolution.Meanwhile, the local compliance leader, HR and theanonymous caller continue to reach out to Mark and histeam with questions and the Compliance & Ethics reportto the Board is due in a week.8

ScenarioThe Case of Angst in AzerbaijanWhat are the issues?Who are the stakeholders?How does this impact the integrity of thecompliance program?How should this be resolved?MODULE 2: THE MANY ROLES INCOMPLIANCE(So many roles, so few lawyers!) In-house counsel/legal department are key,invaluable partners to Compliance function Yet there is often confusion about overlap &interface (“fence” problem) Defining roles is the solution,& the empoweringfactor Often the difference between a high-performingprogram and a hot mess!9

Some common roles for in-house counsel Compliance Officer(more on this later) Lawyer for the Compliance Function Subject Matter Expert (SME) Risk Owner Compliance Program Owner Lead investigator/ Investigator Regional liaisonAnd here’s the tough part:Whatever the role, the in-house counsel’scompliance program activitiesare subject to the oversight of the Compliance OfficerThe Compliance Officer as the “client”(talk amongst yourselves)10

To the flip chart!THE CONTROVERSIES:WHERE SHOULD COMPLIANCE REPORT?SHOULD THE GC ALSO BE THE CCO? 2010 Amendments to Sentencing Guidelines“Reporting to the Board”– Must have direct, unfiltered access to the Board and SeniorManagement– Must be the person with “day to day” responsibility! – Can that be a GCwith another full-time job? Recent Corporate Integrity Agreements have routinely requiredsegregation of Compliance Group from the Law Department– Tenet Healthcare (Grassley quote)– Pfizer Agreement – Segregates Functions– But: Siemens Compliance Group – Recombines Law and Compliance! 2012 PWC/Compliance Week State of Compliance Survey– CECO Reports to:– 35% to GC (down 6% from 2011) ;32% to CEO; 16% to CFO;14% to Other Exec; 3% to Board or Audit Committee11

MODULE 3:“SCARY TOPICS” Topics where Compliance and Legal often interface And sometimes disagree Examples: Risk Assessment, Discipline &WhistleblowersRisk Assessments The foundation of an effective compliance program The only way to determine which risks to coverwhere to put resources Some GC’s FEAR risk assessment & seek toavoid it Pat Gnazzo UTC story12

Discipline One of 7 elements - apply principles of disciplineconsistently Can’t guarantee results but can guarantee process It’s easier to fire the mailroom guy than the high-flyer Every company has a defining moment(2 war stories) Coaching/Soft landing vs Public Hanging/ TransparencyDisciplinary Caution Don’t forget Discipline for failure to take reasonable stepsto prevent or detect criminal conduct No “gee, whiz, I had no idea all my directreports were committing felonies” This means the bosses are at risk in aninvestigation Remember, the client is the corporation, notthe senior managers13

Whistleblowers Big developments: Dodd Frank, IRS bountyprogram (UBS case) But society & companies are ambivalent about WBs Company “white blood cells“ want to attack WBs Sometimes led by LegalThe Company’s WB Dilemma Company needs WBs to come forward and raiseissues before they reach the media & regulators The goal of Federal Sentencing Guidelinescompliance program: “to detect and preventwrongdoing” BUT whistleblowers are often 1) fired2) forced out 3) shunned 4) demoted 5)marginalized 6) harassed 7) did I say shunned? Consider: “Take your whistleblower to lunch”14

3 Undeniable Truths About Whistleblowers WBs are not always “model employees Bounty programs level the playing field If you leave misconduct on the table, someone isnow more likely to report it (“arbitrage”)Example: ex-UBS banker Bradley Birkenfeld(the “Tarantula”)Scenario: The Case of the Ostrich SolutionClaire is CECO of Awesome, Inc, a US-basedmanufacturing multinational operating in 60 countries.As part of a risk assessment pilot, some of Claire’scompliance team are meeting with three of thecompany’s businesses based in the US, Italy andChina. Early results from the pilots are indicating risksarising from third party intermediaries (safety,environmental and bribery). Colleagues from Legalwho have participated in the pilots as subject matterexperts have raised concerns with the GC, who meetswith Claire and requests that the risk assessments bequietly closed. The written comments from managersproduced by the pilots are worrisome as they are notprivileged and may be subject to discovery.15

Scenario : The Case of the Ostrich SolutionWhat are the issues?Who are the stakeholders?How does this impact the integrity of thecompliance program?How should this be resolved?MODULE 4: NOT YOUR FATHER’SINVESTIGATION Investigations are where the rubber meets the road(close the deal) All other elements can be present, but if investigations don’tuncover the right facts to decision-makers, program is merewindow-dressing How are investigations carried out in your organization? Who leads, what training, conflicts, how documented?16

SEVEN INVESTIGATION MYTHS1. Legal should conduct all investigations.2.Compliance should conduct all investigations.3. If the matter is privileged, non-lawyers can’t be involved.4.We can use experienced investigators from other parts of the companywithout further training.5. Any lawyer or HR person can conduct effective investigations – its aninnate skill for them6. Investigation training is about detecting fraud, how to interview, how todetect lying.7. Best way to control confidentiality is to give warnings in writing to all leadinvestigators & witnesses.HALLMARKS OF MODERN, EFFECTIVECOMPLIANCE INVESTIGATIONS Clear written investigation guidelines, includingconfidentiality, objectivity, impartiality, professionalism,timeliness, competence & non-retaliation Need to know list Investigation training for all who lead or supportinvestigations Nonretaliation policy includes protections for CCO Everyone understands respective roles CCO has line of sight17