Designing and Implementing A Compliance Program
There is no one-size-fits-all compliance program.
Recent headline-grabbing prosecutions and regulatory enforcement actions across a broad spectrum of industries have shined a spotlight on the role of corporate compliance, in no small part due to the results they have yielded: billion-dollar fines and even prison sentences for those guilty of criminal violations. The implications of these developments for franchise systems may range from negligible to profound given the diverse range of business concepts that make up the franchise industry. However, and regardless of market segment, no franchise system should operate without an effective compliance program.
The starting point for the development of an effective compliance program involves an exercise that virtually all franchise systems are familiar with and have integrated into their operations on at least a basic level: identifying the laws and regulatory rules governing the business. The most obvious example is that of the franchise sales process itself, which is governed by both state and federal laws and also may trigger the application of foreign laws to sales in certain international markets. The difference between a long and prosperous relationship with a new franchisee and costly litigation may hinge on the successful navigation of the Federal Trade Commission and state-level rules governing disclosure, earnings claims and waiting periods. Most franchise systems are also likely to have existing employee handbooks, policies and procedures addressing standard workplace issues such as harassment, confidentiality and the like.
The federal government’s recent high-profile enforcement actions also underscore the need for a compliance program that not only meets any generally applicable requirements, but that is also tailored to address the unique risks associated with a particular business or market segment. Is the franchisor expanding overseas? If so, the compliance program should include a comprehensive Foreign Corrupt Practices Act component. Is the franchisor soliciting new franchisees in the United States? If so, its compliance program should address the United States Department of Treasury’s Office of Foreign Assets Control and anti-money laundering rules and regulations.
Other important compliance areas that have drawn recent regulatory scrutiny include privacy and data security and even children’s use of mobile apps. This list is not exhaustive, of course, and whether these or other compliance considerations might affect a particular franchise system is a determination made increasingly difficult because there are more such laws in 2013 than there were just a decade ago.
While the contours of any compliance program may vary depending upon a company’s size, industry focus and ownership structure, the lessons of the government’s recent enforcement actions serve as a helpful guide. An effective compliance program is a system of policies and procedures designed to identify and prevent legal and regulatory violations by a company’s employees and other agents; manage those risks that may be unique to the business; and reflect and promote a strong ethical business culture.
Identifying and preventing compliance issues often involves detecting and addressing the various species of red flags that may indicate problems to regulators, industry watchdogs, auditors and lawyers. Accordingly, it is critical that the development, implementation and administration of the compliance program have the active participation and support of senior management. Determining who heads the compliance function is an important decision and will usually depend on a number of factors unique to the particular company. While the role is often filled by an in-house lawyer, experienced managers from human resources, finance and/or internal audit may also be good candidates depending on the size of the company, the nature of the business, and the individual’s experience and reputation in the company. Regardless of who fills the role, an important lesson of the government’s recent enforcement actions is that the designated compliance officer should have clear authority and be part of senior management or have the strong support of senior management.
Risk Assessment. As noted earlier, a natural starting point when developing a compliance program is the identification of the laws and regulations governing the franchise system’s operations. This effort should be led either by in-house or outside counsel with sufficient familiarity with industry best practices, and should include the active participation of the senior leadership team. Moreover, this should be followed by, or performed in tandem with, a high-level risk assessment and “gap analysis” that includes interviews with key personnel at differing levels of management and a review and inventory of existing policies and procedures and key documents to begin to identify current strengths, weaknesses, operational and supervisory blind spots, and the process for identifying and addressing potential red flags. Once complete, the results of the risk assessment should be summarized and shared with senior management to secure the necessary buy-in for the development of the program, the commitment of appropriate resources, and the establishment of a timetable and action plan for its implementation.
Blueprint. The results of the risk assessment should identify the areas of greatest need for heightened compliance in view of industry best practices, and also may reveal where the company’s existing procedures are adequate. This will make it possible to prepare a compliance blueprint that can be tailored to the business. Elements of the blueprint usually will include a draft code of conduct, policies and procedures that can be customized to suit the culture of a particular organization. Interviews with focus groups of a cross-section of employees can assist with ensuring that key employee communications, such as codes of conduct and key policies, are easily understood by the relevant employee audience.
Policies and Procedures Refinement. Informed by the risk assessment and preliminary feedback from employees regarding the blueprint, the compliance team can begin to finalize the policies and procedures and develop key controls to address the substantive areas of highest risk. For some companies, this may involve the preparation of a single, comprehensive compliance policy encompassing all of the company’s operations. For others, a new chapter, addendum or supplement to existing policies may be sufficient. Regardless of the approach, the final versions should be closely aligned with the company’s culture and operations, devoid of legalese and mindful of the real-world risks of the market segment in which it resides.
Training and Communication. Ideally, every employee considers themselves part of the compliance staff, and successful implementation of an effective compliance program often requires that principle to be well understood throughout the organization. Introduction of new policies and procedures should be formal events accompanied by an announcement from the CEO or other senior management, perhaps in the form of a mission statement. The introduction should also use a training plan with comprehensive materials that are tailored to the business, for example, online training modules for geographically diverse constituencies, and should record employee participation. An employee helpline or hotline to field questions and anonymous tips, together with a compliance policy portal as a dedicated source of updated policies and procedures, can ensure that program information is readily accessible, used and understood.
Monitoring and Reporting. The final piece of the compliance puzzle is accountability. A robust program should employ the necessary internal controls and capture the appropriate data needed to hold employees, including senior managers, accountable for their compliance with its policies and procedures. Where appropriate, employee violations of the policies should result in prompt discipline, and the program should include mechanisms for annual testing and self-assessment of the compliance program and the reporting of results to senior management and the board as needed. Collectively, such mechanisms will also help facilitate the necessary adaptation of the program over time to changing business and regulatory conditions, as will periodic review of the program by an outside auditor.
There is no one-size-fits-all compliance program, but incorporating these basic elements in a manner tailored to suit the particular franchise system can help manage the risks associated with operating in an increasingly complex regulatory environment.
Donald P. Wray Jr. is international counsel of Little Caesar Enterprises, Inc. and a member of the IFA 2013 Legal Symposium Task Force. Jeffrey J. Jones is a partner of the law firm Jones Day. Wray can be reached at Donald.Wray@LCEcorp.com and Jones at 614-281-3950 or jjjones@JonesDay.com. The views set forth in this article are the personal views of the authors and do not necessarily reflect those of the law firm or company with which the authors are associated.