International: winning the multinational compliance war

Successfully implementing an effective compliance and ethics program is similar to achieving victory in a military campaign: it’s dependent upon people understanding and following rules. But it also involves those people believing in and living the culture of the organization.

Being a compliance officer at a global corporation is a complicated job, requiring in-depth understanding of legal and regulatory structures, which need to be balanced with underlying cultural and social norms in various countries and communities. The main jurisdictions most compliance officers have to deal with are the US and Europe and, while these regions share many similarities, there are some major differences to overcome in order to implement a truly effective enterprise-wide ethics program.

Haydee Olinger, global compliance officer at McDonald’s, says there are three main areas of difference between the US and Europe that a compliance officer needs to understand: labor law, privacy law and anti-corruption statutes. ‘The data protection laws in Europe, Canada and otherplaces are very different and require us to have a different process for things like our whistleblower hotlines,’ she explains. ‘That also creates challenges for me when I am conducting internal investigations, especially if there is a need to check email or other internet usage and correspondence, which is not so easy to do in those markets under local laws.’

More than one investigation has fallen apart because privacy rules were violated and evidence became inadmissible. It can be a problem because many US companies do not do their homework: they neglect to consult local experts and therefore run afoul of not only local law but also local custom.

Private investigations
The privacy laws are a challenge, agrees Ruth Steinholtz, former general counsel at German multinational Borealis. ‘France, for example, has very different rules from the US, which came to be a problem for the hotline rules and anonymity,’ she notes. ‘Europe generally tends to protect people’s privacy much better. In most cases it has been more a question of taking the time to understand what the rules are and finding ways to deal with them, and US companies have not done a very good job of that. They are more sensitive to it now so anyone who still has issues is not doing his or her job well. These issues are well publicized.’

The main focus of many compliance officers is corruption. Every year sees a dramatic increase in Foreign Corrupt Practices Act (FCPA) investigations and lawsuits in the US, and the rest of the world is catching up. In fact, recently revised anti-bribery legislation in the UK may well be the new standard.

‘The UK Bribery Act expanded the scope of prohibited conduct under FCPA,’ explains Olinger. ‘Because of that we are challenged to develop an anti-corruption compliance program that is consistent across all the markets rather than having an individual program for each market. This act is actually setting the standard for our general anti-corruption program; it is much more expansive than the FCPA.’

Far from simple
The rules are pretty simple – you don’t pay bribes – but few, if any, companies are finding it simple to implement compliance programs. Several approaches have been tried but many people are now starting to believe it is more about culture than rules.
Olinger believes the challenges are the same for all companies, regardless of sector or size. ‘Our focus is on trying to understand the implication of regulatory changes and realigning our resources to meet those changes,’ she says. ‘This requires using local personnel through training efforts, continually assessing our risks and identifying the gaps, responding to increased enforcement trends, and staying on top of business and social trends that might affect a compliance program.’

One very important aspect of a compliance program, according to Olinger, ‘is to have your foundation in your values. I really don’t like it to be a compliance program rather than a values and ethics program. I think that resonates better with employees and helps them to understand how to manage ethical dilemma. I want them thinking about what is the right thing to do, not what is or isn’t allowed.’

Steinholtz couldn’t agree more. ‘If you look at compliance, it hasn’t worked,’ she points out. ‘It is time to realize we need a different approach and find some other method of achieving ethics, values and compliance. I am not saying compliance is useless but it has to be the servant of ethics, not the other way around.

‘Last year when I spoke at the SCCE conference on the differences between the two systems and why I feel a values approach is more effective, I was expecting to see hostility to the approach. That was not the case, however: there were a lot of people who told me they feel corporate culture is very important, and that culture trumps compliance.’

Achieving an ethical culture takes a lot of interpersonal contact. Olinger estimates she spends 20 percent of her time traveling. ‘One thing that’s very important in my role, especially internationally, is to be out there,’ she says. ‘It is important to be seen to be on the ground and this requires traveling a reasonable amount.

‘Meeting people, talking about ethics and compliance personally is far better than just sending an email or a video. People are more receptive to seeing us, hearing us and having a dialogue. They are much more engaged when we are there. But face time alone does not equal a successful program. You have to have the right people involved, and there is a lot of debate about the role lawyers should play in the process.’

Dodging the turf wars
‘Personally I don’t like the idea of a separate compliance function because you get turf wars and a rivalry between the general counsel and chief compliance officer,’ observes Steinholtz. ‘I was general counsel and we didn’t have a separate compliance function. I was, in effect, the head of the ethics program. We used a combination of the lawyers and other staff and internally nominated a group of employees from all over the company who served as ethics ambassadors.

‘They received additional training and helped managers implement ethics programs and keep ethics in everyone’s mind. Even though it was run out of the legal department, I ran it as if it was not, because I knew if we took a legalistic approach no one would listen.

‘If you take a values-and-principles approach, ethics and compliance becomes part of everybody’s job so you don’t need a separate function. If you have a large external compliance function it allows others in the firm to think, This isn’t my problem because there is a department that takes care of it. That can remove ownership.’

There are good arguments on either side. It is true that sometimes, because of the way they think, lawyers are not the right people to run compliance, ‘but they should be,’ argues Steinholtz. They have a good understanding of the legal underpinning and the need to have certain formalities respected, but they need training in some other areas. ‘The legal function should not be the only function involved,’ concludes Steinholtz. ‘It is everybody’s responsibility.’