News Stay informed about the latest enterprise technology news and product updates.

Panel: Self-police corporate risk to avoid SEC enforcement actions

A self-policing 'culture of compliance' helps avoid corporate risk and SEC enforcement actions, GRC experts said at a recent roundtable discussion.

David Bergers, the New England regional director for the U.S. Securities and Exchange Commission, recently delivered some advice for how organizations can maintain regulatory compliance: always self-report, always cooperate, and always encourage whistleblowers to come straight to the SEC.

It is an expectation of regulators that the most important job of a board of directors and senior management is to set a tone at the top.

R. Todd Cronan,
partner, Goodwin Procter LLP

Yes, Bergers realizes that this is idealistic and that most companies aren't likely to make his job that easy. But companies with a proactive attitude toward corporate governance risk will make SEC enforcement that much easier -- both on the U.S. Securities and Exchange Commission (SEC) and on the organizations themselves.

"We are looking for self-reporting on issues that appear at first blush to be material; that appear to be important," Bergers said. "You may not know all the facts, but if the facts that you've learned so far do concern you, we'd like to know about that."

Bergers was part of a roundtable panel discussion about SEC enforcement and related corporate governance risk on Oct. 24 at the Harvard Club Boston. The roundtable, organized by The Directors Roundtable Institute, was designed to help boards of directors understand their role in internal corporate investigations, compliance and governance, as well as how companies should address these issues.

Perhaps the most important step in this process is to create a "culture of compliance" that starts with organizational leaders, said panelist R. Todd Cronan, a partner with Boston-based law firm Goodwin Procter LLP.

"It is an expectation of regulators that the most important job of a board of directors and senior management is to set a tone at the top," Cronan said. "They look at your internal controls systems, they look at your messaging, they look at your internal audit functions, and most of all they look at how you conduct an investigation."

One significant indicator of this culture is the status of the compliance officer and internal auditors at the company, Bergers said.

"Is the compliance officer a member of the C-suite? Is the compliance officer given direct access to the directors? Are the directors talking quarterly with compliance officers and internal auditors?" Bergers asked.

The more independence and authority the compliance officer is given, the more comfortable the SEC is in knowing that the compliance function is working, and it is being given sufficient reverence in the organization, Bergers added.

"The importance given to the function, the authority and the idea that the compliance officer is really looked to as a leader of the organization is really what is key," Bergers said.

The crime of passivity

Panelists were clear that when companies get in regulatory compliance trouble, it's usually not for what they did. Instead, violations come when companies take steps to cover up activity.

Or, as panelist and Goodwin Procter LLP partner Joseph Savage, Jr. put it, companies are more likely to be liable when they're passive about regulatory compliance, rather than actively seeking ways to bend the rules.

"The concept that you're on the hook for failure to have a compliance program is one that's firmly established," Savage said.

More on SEC enforcement

SEC fines NYSE in compliance settlement

FAQ: How have SEC compliance rules evolved after the economic crisis?

"You are on the hook if you don't get the right professionals to conduct an investigation; you don't stay on top of the investigation in a professional way; and if you don't do the right thing with the results that you ultimately learn."

This is where self-policing comes into play: When considering a case against a company, the SEC looks at what steps the company took to avoid the violation, and how it responded to it, Bergers said.

Even if you end up hiring a third party to handle corporate governance and risk, boards and other company leaders should avoid thinking it's no longer their responsibility.

"You can't outsource your responsibilities for the culture, for the compliance, for the ethics," Bergers said. "The thing I worry about when third parties are involved is that senior management said, 'Great, somebody else is taking care of it, I don't have to worry about it.'"

SEC enforcement on foreign shores

Regulatory compliance is often more complicated for companies that take business to foreign shores, due to regulations and SEC enforcement under such rules as the Foreign Corrupt Practices Act (FCPA). One of the FCPA's main provisions is to prevent companies from bribing foreign officials to obtain contracts, but it's often more difficult to monitor compliance if many of those officials aren't even in the same country.

"Often, your compliance function is centered here in the U.S.," Cronan said. "We are talking about operational, legal and regulatory risk out in a foreign jurisdiction -- it makes it much harder."

The SEC also considers the steps companies take to ensure they stay in compliance with relevant regulations for the jurisdictions in which they're operating. The SEC will examine the percentage of companies' resources and assets that are devoted to staying compliant while conducting business in another country, for example.

"We look hard at if the company is acting in good faith; if it's contributing significant resources to it," Bergers said.

Another piece of advice? Companies should know their limits.

"There are situations where a company needs to come to the realization that if it cannot afford to ensure compliance, it needs to question whether it can go into a certain jurisdiction -- with the business comes the responsibility," Bergers said.

Let us know what you think about the story; email Ben Cole, associate editor. For IT compliance news and updates throughout the week, follow us on Twitter @ITCompliance.

Dig Deeper on Risk management and compliance

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.