Policy Governance: Which Compliance Policies Should be Enterprise-Wide in Scope?

Rebecca Walker

A client recently came to me with an interesting question and something of a dilemma.  Leadership of this particular company were reluctant to implement an enterprise-wide conflicts of interest policy because of a desire to be sensitive to the various cultures in which the company operates combined with a sense that conflicts is not a significant risk area for the company.  The question of the potential risks created by conflicts of interest is a discussion for another post.  In this post, we explore the very interesting question of how to go about assessing whether a particular compliance policy should be applied consistently on an enterprise-wide basis or could instead vary by region, country or business unit.

Thinking through this question with a group of smart and thoughtful lawyers from the company afforded me the opportunity to give serious consideration to relevant factors to be considered in determining which policies should be enterprise-wide in their applicability.  (We also considered the important but distinct question of which policies should be owned by Ethics and Compliance versus some other function, although that topic will also be saved for another post.)  We came up with a list of factors to consider, which may be useful to other organizations.  Indeed, one thing that struck me as we went through this exercise was the extent to which these questions are so often decided in a rather ad hoc way – by circumstance, corporate history, enforcement history, or even force of personality – rather than through consideration of relevant factors.

In the interest of transparency, I should perhaps preface my discussion of those factors that we considered with the disclosure that, as an outside lawyer, my bias tends to be in favor of centralized, corporate ownership of policies because that structure just feels less risky. 

The factors that we identified as relevant to the question of enterprise-wide versus regional applicability include:

  • Importance of the policy or particular standards or principles to the culture of the organization. Some policies are so important to the corporate culture that they simply should be applicable to all employees in a consistent manner.  While I hesitate to call the code of conduct a policy, this would absolutely be true for the code, a supplier code, and the company’s non-retaliation policy, for example.
  • Extraterritorial enforcement. If the European Union, the United States, the United Kingdom, or another enforcement authority is likely to bring an enforcement action against a company regardless of where misconduct occurs, then it makes sense to have one policy with consistent rules and standards that satisfy the most stringent of applicable laws. So, for example, companies should likely have one anti-bribery policy that reflects the relevant laws of the United States, the United Kingdom, and other countries that may bring an enforcement action.
  • Consistency of legal and compliance standards across countries. The reasoning here is that, to the extent that legal standards are generally consistent, it likely makes sense to have one enterprise-wide policy, rather than varying policies for different regions.
  • Where laws conflict. In some areas of the law, it may be impossible to implement an enterprise-wide policy because of conflicts between various countries’ laws.
  • The extent to which public expectations of standards or of disclosures suggest that an enterprise-wide policy is preferable. This would include, for example, social responsibility and human rights issues and ESG policies.
  • The extent to which an area of the law may be highly regulated on a local basis, such as health and safety compliance. The more highly regulated an area is on a country or local basis, the more appropriate it is for policies to be regional, although, even in these areas, organizations may have enterprise-wide policies that discuss the importance of compliance with the applicable laws in that area.
  • Where it may be important to create rules that recognize local custom and culture while complying with legal requirements. For example, organizations often have regional versions of gifts and entertainment policies in order to account for differences in expectations and cultural practices.
  • Standards governing behavior that impacts the company on a global basis, such as social media compliance and protection of intellectual property, which are likely to impact the company regardless of where in the world the activity occurs.
  • Legal requirements that contemplate global policies and global compliance, such as laws governing human trafficking.
  • The importance of centralized record keeping or data related to a policy, so that consistent application is required to create and maintain necessary data or records.

There are undoubtedly additional relevant factors that the client and I failed to identify in our short (but so interesting!) brainstorming session.  If you think of others, please let us know here at Ideas & Answers.  We’d love to expand on our list.

With respect to that client and its conflicts of interest policy, the jury is still out, but I’m hopeful that our brainstorming session gave the compliance team some reinforcing arguments as to why an enterprise-wide conflicts of interest policy would benefit the organization.  I should note that we also conducted some helpful benchmarking that indicated that a substantial majority of multinational companies have enterprise-wide conflicts of interest policies, which will likely be more persuasive to senior leaders than our list of relevant factors.
