Unfortunately (at least in the view of public companies), the Securities and Exchange Commission has been very successful in its mission to create the illusion of three dimensions, or seemingly being everywhere at once. Its enforcement prowess is undeniable, and its tenacity is not to be underestimated. This means that many companies will (not may), at some point in the not-too-distant future, confront an SEC inquiry or investigation. How companies prepare for and respond to that unwanted attention can spell the difference between:

a modest diversion and a major crisis;

senior executives keeping their jobs or potentially forfeiting them; and

quickly disposing of nettlesome class action and derivative litigation, or enduring protracted proceedings where legal fees alone inflict serious and very real punishment.

In the context of responding to an SEC inquiry or investigation, there are three discrete periods to consider—before a problem has been detected; once a problem has been identified but before the SEC is involved; and when the SEC comes calling.

Before A Problem Has Been Detected

An ounce of prevention is worth years of cure. Since most companies don’t intend to violate the law, they (and their senior managers) often believe there’s little or nothing they can do to anticipate the specter of violative conduct raising its ugly head. Violations are a departure from the norm, this line of thinking assumes, so anytime a violation occurs it must be wholly unanticipated. This, however, is far from the case. Thinking ahead about what can go wrong is an important step—perhaps the most important step—in preventing things from actually going awry.

Cultures of integrity, ethics and compliance, like charity, begin at home and at the top. I’ve talked about the steps necessary to develop an effective culture and corporate ethos in previous columns (see my September 2004 column titled, “Instilling A Corporate Culture Of Integrity, Ethics And Compliance—Setting The Tone At The Top”) so a lengthy recitation isn’t needed here. Briefly, corporate leaders must not only talk the talk—they must walk the walk. Ensuring ethical behavior is not a delegable function. And, when problems arise, as they inevitably do, having a system in place that constantly stresses the importance of integrity and compliance will go a long way to establishing that any violations that may have occurred were isolated and non-systemic.

Companies need a full-time compliance officer. For decades, financial services firms have been required to have a full-time compliance officer on the beat. After Enron, and its progeny, all public operating companies need one, too. In many firms, the chief legal officer is also the chief compliance officer. If a company is small or middling in size, that makes perfect sense. But for larger companies, there should be a separate senior official (who can report to or through the CLO) whose sole responsibility is compliance and ethical conduct.

Zero tolerance is the world in which public companies must reside. Companies need to approach violations of law and corporate policies and procedures as being what they are—significant and intolerable. If not, the impression will be created that, while the company may talk a good game, it isn’t really serious about it. While not every breach of policy or procedure is a hanging offense, zero tolerance has to be the rule.

Recordkeeping is critical. As companies grow, it becomes increasingly difficult to keep tabs on who’s done what, and how the company responded. But corporate records of complaints or potential violations can help companies detect the existence of a problem that may be systemic, even though the first few instances of that problem are relatively mundane. Of course, the sine qua non of good recordkeeping is that someone must actually pay attention to the good records being kept!

Just because no one’s told you there’s a problem doesn’t mean you don’t have one. Those who find problems before the problems find them (and before the government finds them) always do better than those who wait for the government to come knocking before deciding to inquire. In this context, it’s worth recalling my mother’s take on learning that she had terminal cancer—she told me she’d never been sick a day in her life until she went to see the doctor! Many companies approach their health the same way. The truth is, unfortunately, problems lurk under the surface at many companies. If you hope they won’t surface on your watch, you’re making a very short-sighted and highly-risky gamble with your company’s future and your own. If you find the problem first, you get to define it, contain it and resolve it first, and that’s always better than the solutions either the government or private class action lawyers will come up with!

Use other companies’ problems as opportunities for introspection by your company. One of the easiest and cheapest ways to stay ahead of the curve is by learning from the mistakes of others. When catastrophes and crises befall others, giving one’s self a pat on the back is both premature and unwarranted. Rather, two questions should be asked: first, “do we have that problem?” and second (assuming the answer to the first question is “no”), “could we have that problem (or something similar)?”

Create a standing crisis management team. Because it is a corporate fact of life that a crisis will arise, companies should have standing teams ready to go. In an emergency, it’s important to know who will be responsible for what, and equally important to know how to reach each person on the crisis management team.

Periodically “game-play” potential crises. As hard as it is to believe, companies actually can predict what their next crisis may be. The best way to do this is by playing out potential crises and deciding how to prevent them from occurring, and how to address them should they in fact occur.

Once A Problem Has Been Identified, But Before The SEC Is Involved

The race is to the swift. When problems are first identified, the critical goal is to get on top of the problem immediately. Lapses between discovery and action usually result in even worse things happening to good companies. It is of the essence for companies to put in motion a game plan for defining the problem and its scope, and determining what appropriate responses will be.

Size matters. Proportionality in responding to problems is essential. This means that if the problem is more modest in size, the nature of the response should be as well. But, conversely, if the problem is huge, so too must be the response. Again, however, the goal is to get control over events, rather than allowing events to control the company!

Tell the board. With corporate boards, the most important lesson is to follow the “Holiday Inn Rule”—no surprises. Not every peccadillo has to be brought to the board’s attention, of course. But if problems could be significant, telling the board, and telling it sooner rather than later, is smart policy. It’s hard for a board that’s timely informed and aware of the decisions being made to criticize management’s handling of the situation (although it’s always still possible), and even more important, board members may have valuable and constructive advice for management to consider.

Identify the issues. There are four critical questions that always need to be asked when a problem arises:

How did we learn about the problem? If the answer is through serendipity, the company has a larger problem than it might otherwise imagine. The goal is to learn of problems through internal systems and controls. At the least the company needs to know whether its early-warning system helps contain a potentially growing problem and bring it to light at the earliest moment.

What caused the problem to occur? It’s always easy to assume that any misconduct is the result of a rogue employee who went off the reservation. Often, however, that may not be the case, and even if it is, no one is really going to believe that. Indeed, even if it was a rogue employee, how did that employee get hired? The normal tendency for firms is to look for others to blame. The actual solution is to figure out what went wrong and what things the company can do to identify how those things occur. The key here is always to look inwardly. The rogue employees may have been off the reservation, but it’s critical to remember that those rogues are your rogues, and also your responsibility!

What are the consequences of this misconduct? Every improper act carries consequences with it. People are harmed by misconduct (that’s why the conduct is called misconduct), and it’s the company’s responsibility to figure out all the consequences that flow from misdeeds committed by those under its control or supervision. For example, are the company’s financial statements rendered materially misleading? Have customers of the company been hurt? Is the company’s disclosure rendered inaccurate? Are shareholders likely injured?

What assurances exist that the misconduct isn’t likely to recur? It’s not enough merely to identify the problem and its likely impact. Companies confronted by improper behavior need to satisfy themselves, and ultimately regulators, that the likelihood of recurrence is small.

Provide a credible basis for believing the company’s answers to these critical four questions. The hardest lesson for companies in problem situations to grasp is that they can’t approach their problems with a “business-as-usual” mindset. Often, when potential problems surface, companies question the messenger rather than themselves. It doesn’t matter if the person who reports the misconduct is “disgruntled,” and it doesn’t matter if the person who engaged in any misconduct was a “cowboy” or “cowgirl.” What matters is what happened, how and why, and what the company is doing to fix it. Losing sight of those issues means losing control over one’s company. That’s a steep price to pay for the temporary pleasure of finding a scapegoat. This means that companies need to bring an independent perspective to the fact-gathering and analysis efforts.

Fact-finding and analysis must be done by people who have no reason to curry favor with the company, for people who have no reason to pull their punches. If independent fact-finding is warranted, and it usually is, it must truly be independent. That means that regular outside service providers can’t be put in charge of those efforts. There are many ways to achieve this, but they all start from one vantage point—the internal inquirers must be free of any past or present economic involvement with the company. If senior managers may be implicated in suspected wrongdoing, it’s a mistake to have them lead the internal inquiry, or have the internal inquiry report to, or through, them.

Adopt the “Goldilocks Approach” by reporting on situations neither too early nor too late, but at just the right time. The fact that a company has found a problem first is an enormous positive in an otherwise negative situation. But the critical factor to consider is when the timing is correct to alert the appropriate regulatory bodies of the situation. There’s no one rule of thumb to help companies determine the best time to make disclosure, but there are certain axioms worth noting:

It’s better to report too soon than too late. The problem with premature disclosure is that the company won’t know enough, and when it learns more, may be perceived as having hidden information from the government in its initial disclosures. This is not a frivolous concern. But the solution is to be candid, indicating that disclosure is coming at a very early moment, that there may be more here than currently meets the eye, but the company will report back to the government as it learns more.

Don’t underestimate the severity of the situation. Hope springs eternal, and many companies hope that the first indication of a problem may be all there is, and the problem will disappear. That can happen, but rarely does. The important tenet for companies to adopt is to know what they don’t know, and reveal that. It’s fine to say, “At the present, all we’re aware of is ‘X’ but we’re not assuming that’s all that may have occurred.”

Public disclosure needs to be crafted with the interests of shareholders in mind, not litigators. If a problem warrants an internal review, after consulting with the government it’s often advisable to put out a press release. A release is always a concern to management, because management fears—rightly so—that the announcement could have a depressing effect on the stock price. A release is always a concern to defense counsel, because they’re afraid the company will make it impossible for them to defend government and private civil litigation. These are always difficult choices, but the key is to think like a shareholder, not a defense attorney. Litigators want to win the “case,” and managers should want to salvage the company!

Make sure the internal inquiry has sufficient flexibility to explore unanticipated avenues. Although authorizing an internal inquiry is a good sign of great intentions, the inquiry needs to have room to explore issues that only surface after the inquiry commences. Trying to cabin the process artificially will only denigrate the credibility of the effort, and may necessitate having to do a second inquiry. It’s bad enough to have to do one internal inquiry; it is absolutely horrific to have to repeat the process because you didn’t get it right the first time!

Make certain the inquiry is conducted in a manner that lets the company share its fruits with the government. Corporations necessarily and properly worry about preserving attorney-client privilege. But when a problem of sufficient magnitude arises and an internal review is warranted, it is pointless to believe that the fruits of that effort can be kept under wraps. Rather, the more effective way to proceed is to assume that at least some of the inquiry’s product will need to be shared with the government (and perhaps others), and plan accordingly from the outset, rather than confronting the issue after the fact.

Corral the cowboys. When a problem surfaces, the critical effort is not only to find out what happened, but who may have been involved. Often, this requires some intense fact-finding before definitive responses are known. That cautions very strongly against prematurely punishing suspected wrongdoers. That said, however, it’s truly important to make sure that, while the situation is being investigated, those who may have had a hand in allowing it to happen (or causing it to happen) are no longer in a position to repeat their possible misconduct. Placing individuals who may be involved on administrative leave, or providing special supervisory techniques, is smart business. As my mother always used to remind me, “fool me once, shame on you; fool me twice, shame on me.”

While the inquiry is proceeding, make certain the problems can’t be repeated. Cleaning up a corporation’s act after an investigation is a given; but cleaning it up while the inquiry is proceeding is essential. One significant problem can be reckoned with. Duplicate significant problems only assure the company’s officials of a change of venue.

Once The SEC Becomes Involved

Don’t worry about strange bedfellows. If you’ve followed any of the foregoing advice, the SEC will become involved—either because you’ve shared the situation’s circumstances with the agency, or because the agency simply found out about the issues from other sources (or on its own). Either way, it’s critical not to view the government as your enemy, but rather try to make the government your collaborator. The SEC didn’t create the problem you’re now grappling with, but it certainly has the capacity to make things worse.

The goal should be to make a full-fledged SEC investigation unnecessary. Back in the ’70s, Fram Inc. ran its classic commercial showing a garage mechanic covered in grease, holding a Fram oil filter in one hand, and a rebuilt engine in the other. His refrain was simple: “you can pay me now, or you can pay me later.” The obvious message is you’re better off paying for a new oil filter now than paying for a rebuilt engine later. The same approach applies to the SEC. One of the reasons to do an internal review is to fulfill the fiduciary and legal obligations of the company, its officers and directors. But another reason to do the internal review is to get to the bottom of a serious problem with the company leading the way, rather than the government. Government-led inquiries can be far more invasive, disruptive and expensive than company-initiated inquiries. Isn’t that a very compelling reason for seizing the lead?

Communicate with the SEC’s staff early and often. As noted above, commencing an internal review may be necessary for the company’s officers and directors to satisfy their fiduciary obligations. But it also may limit the need for a government inquiry. To ensure this possible result, those charged with conducting the inquiry should brief the relevant SEC enforcement staff on their methodology, their efforts and, within reason, any preliminary indications. It’s also important to be able to assure the SEC staff that the special inquiry will make appropriate products available to the staff so that the staff can assess the progress being made and the need for additional government efforts. If the fundamental concern expressed by a company is preserving the privilege, the SEC can solve that problem by conducting its own investigation, which certainly won’t raise privilege issues. On the other hand, the SEC has assisted companies in arguing that the provision of information to the government in a cooperative vein does not waive attorney-client privilege as to third parties. Not only should there be regular communication with the SEC in these circumstances, the communications should emanate from the Board committee conducting the inquiry, not from senior management or defense counsel.

Every internal review should address not only what occurred but also what needs to be done to rectify the situation. Self-investigation and self-reporting are certainly necessary steps in dealing with an SEC-related problem. But they aren’t sufficient. It’s also critical for the company to address what steps it should take to remedy any damage that’s already occurred, and provide assurances this type of problem won’t recur. Thus, an essential goal of every internal review should include figuring out how to make amends for any damage inflicted, and how to provide greater assurances against a repeat performance. If these facets are handled appropriately, it will leave a lot less for the government to do, and can help ensure that any enforcement action that is instituted will be narrowly tailored.

It’s important to keep the public updated regularly. Once disclosure begins, the goal should be to refresh what’s been said and bring it up to date at relevant periods. There is no need to bombard the public with a steady stream of minutiae regarding the situation, but major milestones should be reported as they occur.

* * *

It may often be discouraging to find the SEC paying attention to your company. But by planning ahead, and then paying attention to the details of the situation, the SEC can be a helpful ally in making the company’s processes stronger, and giving the public greater confidence, even in the face of some untoward conduct.