A number of companies are planning IPOs this year: Uber, Slack, Levi’s, Lyft and Airbnb, to name a few. We’ve written a few articles on Uber’s compliance woes and the company’s response (including how they have hired a number of resources and taken steps to build a compliance program). Lyft does not seem to have had the same issues. Neither have Slack, Airbnb or (thankfully) storied jean company Levi’s.
As avid users of these services and products, we want these companies to succeed. In the last couple of years, we’ve been involved with over a half dozen tech company acquisitions and building up their compliance programs. Every company needs something different. There is a lot of guidance out there from the government to figure out the key themes, such as Chapter eight of the U.S. Sentencing Guidelines, the FCPA Resource Guide, as well as the U.S. DOJ’s Evaluation of Corporate Compliance Programs, and the OECD’s Anti-Corruption Ethics and Compliance Handbook for Business and Good Practice Guidance on Internal Controls, Ethics, and Compliance (both referenced by the U.S. DOJ). And there is also guidance for companies on specific compliance processes, for instance, NASA’s Guidelines for Risk Management, COSO’s Risk Assessment in Practice guideline, and the ISO 19600 standard. It’s a lot to read, honestly. And we know these companies are busy focusing on making great products for customers, so we’ve done some of the work for them.
What is a pre-IPO company supposed to do? Fortunately, we have combed through hundreds of pages of guidance and mapped out the requirements into five simple program elements. We put our work on our website: http://www.rmcconnellgroup.com/compliance-by-design/. Go now and look before reading further. We’ll wait.
Now that you’ve finished (or if you are in a hurry), here are some takeaways:
- Leadership. For a compliance program to work, someone needs to run the program that can work with the business to evaluate the legal requirements and address the company’s key risks. This person could be a dedicated chief compliance officer, or it could be the general counsel (deciding this structure is a separate article). For a tech company about to go public, you need to assess the compliance areas you have to deal with (more on that below) and ensure you have resources to address them. For instance, privacy will be a big issue for many of the IPO companies this year (particularly as they await California’s new privacy law, the California Consumer Privacy Act, to take effect in January 2020). These companies should have effective resources and an organization to think about issues such as third party data collection/management, privacy by design, notice regarding the use, security, and sharing of personal information, individual privacy choice and breach response. This organization element and leadership are key themes in the regulatory guidance. A company has to have leaders who consistently promote and enforce an organizational culture that demands ethical conduct and a commitment to complying with the law. Leadership must also be responsible for the structure of the program and ensuring that the company’s resources are allocated in a risk-based manner. The guidance notes that enforcement of the program is also fundamental to its effectiveness. Leadership must consistently apply incentives and disciplinary measures to effectively implement the program. This is basic blocking and tackling for mature compliance programs, but for a developing program, a key step is to get company leadership engaged and create the right culture.
- Risk Assessment. Risk assessment is where it all starts. If you’re Airbnb, you are looking at your risk profile across the business. What are the requirements? Licensing and privacy are likely significant subject matters for the company. A risk assessment process should start by identifying the company’s risks and analyzing relevant business metrics. For licensing, key risks may include the risk of not renewing licenses timely or the risk of failing to comply with regulatory requirements to obtain required licenses. Privacy may include the risk of not timely responding to suspected breaches of personal information or the risk of not providing appropriate privacy choices to individuals. Once you have the key risks, the company should calculate the residual risk scores by talking to relevant business partners—usually some combination of likelihood and impact of the risk. For licensing, the company may speak with legal or other business partners involved in the licensing process. For privacy, the company may speak with its IT or information security business partners. After determining the scores so the company can evaluate how to prioritize the risks, Airbnb would then develop action plans to mitigate its highest risks. An example of a privacy action plan could be to develop a comprehensive breach response plan. Each action plan should mitigate a risk and should be specific, measurable, achievable, realistic, and timely. This way, leadership knows when they are complete. The company should develop a risk assessment report to document the results in a meaningful way and present the results to the board of directors.
- Policies, Procedures, and Other Controls. What should Lyft do? If you are Lyft’s general counsel, you have done your risk assessment and determined that privacy, licensing and safety are your top three risks, and you have to ensure you have a program around these three areas. You develop policies (which tell you what to do and why) and corresponding procedures (which tell you how to implement the policy), as well as controls to ensure the program works effectively. For privacy, your policy may address the type of personal information you collect and how you use it; you may have a procedure on how to respond to privacy breaches; and then you need controls to address those risks. For Lyft, we hope that rider and driver safety would score as the highest risk (at least as an inherent risk, because the company hopefully has great controls for this area). The company’s program on safety would address all of these risks in a documented and cohesive way. And this framework should be simple and easy for employees to understand.
- Training and Awareness. Now you have a risk assessment and a documented program. What’s next? Tell people about it in a fun and engaging way. What does a good job look like for employees? What does the company expect them to do? Is leadership on message? The regulatory guidance notes that companies should consistently communicate their policies and procedures to employees through training and communication. The guidance (and our mapping) suggests that companies first assess their training and communication needs, develop a plan to address them, and then identify and assign training and communication to targeted audiences. It is also important to regularly track and evaluate the effectiveness of these trainings and communications to ensure the company’s employees are adequately equipped to fulfill their roles.
- Monitoring and Investigation. Now that the program is put together, are we done? Almost. If you are Slack and you’ve developed a great program on privacy and data security, you have to monitor it and make sure it’s working. And have a plan to investigate compliance failures in a documented and effective way. The guidance notes that companies should develop business metrics to enable them to monitor and audit their program and identify any opportunities or gaps. Based on these audits, the company should then develop and execute proactive mitigation efforts. Importantly, the guidance notes that companies should also implement confidential internal and external reporting channels to identify program gaps.
Tech is an exciting space with interesting and evolving issues. If you are ready to go public, better to do compliance sooner rather than later. And if you’ve already had some issues, it’s never too late to try to get it right. Both your shareholders and customers will insist! We hope our guidance helps the effort.
Ryan McConnell and Stephanie Bustamante are lawyers at R. McConnell Group—a compliance and investigations boutique law firm in Houston, Texas with Fortune 500 clients across the globe. McConnell is a former assistant U.S. Attorney in Houston who has taught criminal procedure and corporate compliance at the University of Houston Law Center. Bustamante’s work at the firm focuses on risk and compliance issues in addition to assisting clients with responding to compliance failures. Send column ideas to email@example.com.