One of the principal responsibilities of the Legal function is participating in the establishment, administration and review of the company’s compliance and business ethics risk management program. There are a number of quantitative and qualitative tools available for identifying, assessing, analyzing and measuring specific risks; however, emerging companies typically lack the resources and patience to implement a complex risk management system. It is feasible though, and highly recommended, that emerging companies perform a “layers of protection analysis,” or “LOPA,” to determine whether the company has taken sufficient action to protect itself against adverse consequences of certain events.
The process for a LOPA depends on the particular risk, hazard or accident of concern to the company and the level of detail that the company is willing to commit to in carrying out the initial LOLA and subsequent assessments. A good example, which is certainly relevant to emerging companies from the time that they begin to expand their number of employees, is the LOLA that might be used in order to reduce the likelihood that the company will be harmed by illegal or unethical employee behavior. In that situation, a company may set a goal of establishing a reliable system for preventing, detecting and correcting employee behavior that is illegal, unethical or otherwise incompatible with the values that the company wishes to project to its stakeholders. In order to achieve this goal the company may establish three layers of protection which can be regularly evaluated under LOLA—prevention, which focuses on the initial selection and ongoing training of employees; internal detection and correction, which includes procedures designed to uncover and resolve problems at an early stage; and external detection and correction, which includes information obtained from outside of the company that identifies potential or actual legal or ethical problems that may eventually cause material damage to the company.
The first layer, referred to as “prevention,” attempts to reduce the likelihood of employee behavior problems by making sure that employees are carefully selected and properly trained and that incentives are provided to employees to increase the likelihood that they will performed in the manner expected. Among the elements that should be included in this layer are the following: background checks; comprehensive interview and pre-employment assessment procedures; new employee orientation programs; compliance training and awareness programs; policies, procedures and employee codes of conduct; control systems; performance evaluation procedures and reward systems tied to compliant behavior; and consistent communication from top management regarding the importance of legal and ethical behavior coupled with appropriate behavior by top management. The second layer, referred to as “internal detection and correction,” includes various tools and procedures for continuous internal monitoring of employee behavior to identify, and quickly resolve, potential issues before they escalate. Among the elements in this layer are the following: compliance monitoring; internal audits; risk assessments; employee questionnaires; ethics hotlines; and prompt and thorough investigation of potential issues followed by clear and effective corrective actions, including necessary modifications to prevention strategies in the first layer. Finally, the last layer, “external detection and correction,” relies on information from external sources to identify issues that may have not been picked up internally. In some cases the information is voluntarily solicited by the company, as is the case when external consultants are brought in to audit the company’s compliance procedures. In other cases the information comes in the form of queries from governmental agencies or complaints received from customers, business partners, investors, or public interest groups.
The ideal situation for any company is to strengthen the first layer—prevention—to the point where a minimal amount of resources will need to be invested in the other two layers and the risk associated with a major problem is substantially reduced. The efficacy of the prevention layer can, and should, be constantly measured by reference to how much time and effort is expended on correction in the second and third layers and lessons learned from dealing with problems that arise should be integrated into the preventive element in the form of training and modifications to reward systems. Not covered here, yet also important, is the implementation of crisis management procedures that can be used in the event that prevention, detection and correction are not sufficient to avert a major incident.