Borrowing from the time-tested motto of Boy Scouts everywhere, companies need to “be prepared” as they approach potential questions from regulators and the perpetual debate over what to disclose, how to disclose it, and when.

Last week, at the Compliance Week 2012 annual conference, a panel tackled the tricky topic of disclosure and decisions that are often less about legal requirements than policy and judgment. Is self-disclosure the best way to stay ahead of a problem, or are there costly pitfalls that warrant a more measured, internal approach?

“This issue of what to disclose, when to disclose it, and how to get to the point where you can make an appropriate decision about it, particularly for those of us in heavily regulated industries, are decisions that are increasingly central to our job as compliance officers,” said Jay Cohen, chief compliance officer at Assurant.

“We have thousands of regulations that at any one time we could be violating,” he said of the insurance giant. “There are a lot of opportunities to wrestle with this decision.”

Cohen cited a study by international law firm Fulbright & Jaworski that found 50 percent of U.S. companies had conducted an internal investigation of some kind in 2011. Of those, one-fourth made the decision to disclose something to a regulator as a result of the investigation.

“My take on this decision is, more than anything else, you have to prepare, prepare, and prepare,” he said. “You have to prepare before you are faced with that decision, so that you have the information, the analysis, and the right people that gives you the opportunity to reach a defensible decision. At the end of the day, whether or not a decision is defensible is as much about the process that got you there as the decision itself.”

“We try to answer the questions before [regulators] ask them,” said Terry Thompson, general auditor of Santee Cooper, South Carolina's state-owned electric and water utility, and the state's largest power producer.

Cohen breaks the decision-making process into five categories.

1. Information: “If, when, and how you will know what happened,” Cohen said, adding that the more remote the office, the less likely they are to report something. Because many employees bring problems to a superior, rather than using a company hotline or similar tool, his company has a mandatory reporting requirement for managers. How they handle compliance issues is factored into the “leadership scorecard” for executive reviews at his company.

2. Investigation: Are the resources in place ahead of time to assess and investigate an issue?

3. Escalation: Who do you tell inside a company and when?

4. Response: Have you stopped and fixed the problem, whether or not you report? What will it take to stop the problem and fix what has already happened?

5. Analysis: Do you understand all of the consequences and considerations?

“You have to vet your plan with senior management, and the one thing you have to be prepared for more than anything else is to be second guessed, both internally and externally,” Cohen said. “That's why it is so important to be ready for it.”

Beyond internal politics, a premature decision to self-report a matter to the SEC can be very costly, both financially and in terms of reputational damage, he said.

Cohen recounted a situation that took place at a former employer. A business unit in France was sold to another party, which promptly raised issues about whether sales had been improperly reported. Because the sale price for the business depended on the volume of sales, the new owners questioned whether the unit had lied about sales figures or exaggerated how much they were worth.

“We lost time because the allegation itself didn't get to the right people soon enough,” Cohen said. “We lost time because we didn't appreciate what it would take to investigate a matter that had happened in France. We lost time because we didn't have the right people ready and we didn't have the right external and internal resources ready to deal with a situation like this.”

“We totally underestimated the implications of reporting the matter to the SEC and what it would mean in terms of how far that investigation had to go, how many places other than France we had to go, how high up the organization we had to go to make sure that senior leaders weren't involved in terms of the campaign to gin up sales,” Cohen said. “We wound up reporting before we even knew whether the underlying allegation itself had any merit. The result was a multi-million dollar investigation including the cost of outside counsel and forensic resources. And at the end of the day we came to the conclusion that there was nothing there.”

Being prepared and having the right resources in place ahead of time would have helped clarify “the collateral consequences” of the decision.

“We could have conducted a reasoned and defensible investigation of the matter that would have gotten us to that same point a lot easier,” Cohen said.

The evaluation of risk versus cost benefits can be even more difficult for companies with a strong, identifiable brand or mission statement, said Carl Lackstrom, vice president of risk management and internal audit for HMS Inc.

Reputational Risk

“In the absence of regulatory requirements, it becomes a brand issue for your company,” he said. “The companies that end up looking the worst, and have the worst reputational impact from the incident, are often those that are doing things that are against the stated values of the company or the themes that they present publicly. When they have those kinds of incidents it creates a much greater reputational risk.”

Thompson advocated a “fire drill” approach to potential disclosure issues. “A company should probably do a risk assessment to see what's most significant in terms of the impact it might have,” he said.

“Think through, ‘if X, Y, and Z happens this is what we are going to do … audit is going to be involved, we've got somebody in IT ready to help us look at e-mails and laptops and we have external counsel and other resources we can call in.’ If everybody knows what they have to do they are not surprised when we call,” Cohen said. “They are ready to go. If they get a little overwhelmed, we have the opportunity to rethink things.”

The “Disclosure: What's Mandatory and What's Common Sense” panel listens in as Carl Lackstrom (far left), vice president of risk management and internal audit at HMS, discusses the evaluation of risks versus cost benefits.

Lackstrom stressed the need to properly train all levels of the company to ensure they don't trigger a premature disclosure requirement. “Employee awareness is a big issue we struggle with,” he said. “We have lots of people in our company who are dealing with customers and government agencies on a daily basis. Oftentimes, these employees don't have a full understanding of the disclosure requirements that we face as a company. That can lead to things like premature disclosure, inadvertent disclosure, or things are publicly said and trigger a disclosure event.”

“In today's day and age, the means by which our employees can disclose information about the company are much broader than they used to be,” Lackstrom added. “Many of you have wrestled with the issues of social media. It is real easy for a rogue employee, well intentioned or not, to communicate things through their own personal use of social media that end up reverting back to the company. In essence, it creates an incident or disclosable event that may not have needed to happen and you weren't prepared for.”

Ensuring the right internal controls are in place is an important step in protecting against such unintended communications.

“One of my biggest challenges is trying to maintain a level of credibility with our regulators and convincing them that not only do we have the right process in place to reach decisions about what to tell them or not tell them, but that we have the right compliance program in place and are trying to follow the rules as best we can,” Cohen said. “That credibility does buy us a certain amount of leverage and can result in a little less second-guessing.”

Cohen pointed to recent charges against a former executive at Morgan Stanley who was accused of violating the Foreign Corrupt Practices Act through shady real estate deals with an influential Chinese official, who in turn steered business to Morgan Stanley's funds.

“The Justice Department and the Securities and Exchange Commission not only congratulated Morgan Stanley for self-disclosing and cooperating, but also talked about all the things that the company had done through its FCPA compliance program to prevent this from happening in the first place,” Cohen said. “They bought a tremendous amount of credibility with very tough regulators because of their underlying compliance program.”