
Policy implementation: do we need to be control freaks?

September 14, 2011

In 2009, AON Ltd was fined £5.35 million by the FSA for failing to take reasonable care to establish and maintain effective systems and controls to counter the risks of bribery and corruption. It had policies in place, but it was ruled that these policies were inconsistently implemented and inadequately monitored. It was the largest fine ever administered by the FSA.

As AON found, the challenge for an organisation is not the creation of appropriate policies and codes of conduct but what happens afterwards and whether they are implemented effectively. Just as a project can be judged to be effective only if its benefits are realised, so a compliance programme is successful only if the members or employees of an organisation adhere to it.

Proper implementation programmes have a proven value in courts of law. Regulations are increasingly including something called a “due diligence” clause which puts the onus on the individual or organisation to prove that they acted to prevent the activity happening – a move away from the “identification doctrine” which requires the law to prove that an individual is at fault (sometimes difficult, especially in a larger organisation where senior executives can be at some distance from the functional decision making). Clause 7 of the UK Bribery Act is an example of this due diligence clause:

“A relevant commercial organisation (“C”) is guilty of an offence under this section if a person (“A”) associated with C bribes another person intending –

(a) to obtain or retain business for C, or

(b) to obtain or retain an advantage in the conduct of business for C.

But it is a defence for C to prove that C had in place adequate procedures designed to prevent persons associated with C from undertaking such conduct.”

The recent Dukes vs. Wal-Mart case in the US (the largest class action in history) provides further evidence of the value of enforcing written policy. The plaintiffs were required to prove that Wal-Mart “operated under a general policy of discrimination”, but the Court found no proof of this. Wal-Mart’s “announced policy forbids sex discrimination” and, importantly (as AON was unable to prove), the company also had evidence that it implemented the policy. The court proceedings report: “as the District Court recognised, the company imposes penalties for denials of equal employment opportunity”.

Knowing that you have to make sure people do something is easy: the difficulty for many companies is striking the right balance between control and autonomy. A very controlled, process-driven environment is appropriate in some businesses, or in some specific areas of business such as food processing, but if you get too heavy-handed in the wrong place, you’re stifling management autonomy and imposing excessive and sometimes counter-productive restrictions and costs on operations. It’s really important to understand how the specific risks of infringement relate to each department or country of operation, and to adjust the response according to the perceived risk. Is this the sort of place where we are likely to be offered bribes? Is there a risk that we might have so few controls in place that gender discrimination could occur without penalty?

The ideal for any organisation is to create an environment or “culture” in which people habitually and naturally act in a way that is in line with company policy and the law, and where colleagues and managers support each other to do this.

It is hard to define the point at which a regular occurrence becomes a “culture”. Politicians and the media tend to use the word “culture” in a negative context – “a sick culture” (the Justice Minister discussing referral fees in personal injury cases), “a culture of phone hacking” (with reference to the News of the World), “no discernable, broadly embraced culture of safety” (Deepwater Horizon and the energy industry in general). Whether negative or positive, the word certainly implies that a particular behaviour is sufficiently widespread for it to be habitual and known about by everyone.

The question for companies is how to achieve a state where a particular positive behaviour becomes so engrained in the way of working that it can reasonably be assumed that no-one could be unaware of it. How to achieve this is dependent on the particular structure and operation of the organisation, but certain key elements are common to all organisations regardless of how controlled they need to be or the resources available to them: consistency of application at every level and in every market, effective and repeated communication of key messages, a form of monitoring or reporting mechanism and, finally, support from all levels of management.

Good compliance is not necessarily about being controlling, but about achieving the correct level of control so that business can operate effectively within the policy framework of an organisation and the law.

This blog was written by Caroline Bland
