United States | Publication | May 2019
In light of the changing conditions and risks a company faces and with best practices evolving, a company should periodically step back and take a fresh look at:
While each compliance program and each set of procedures for prevention and control of accidents requires its own separate analysis, there are similarities and overlaps in basic principles between those programs and those procedures.
Below, we discuss some of the key principles to follow in establishing and maintaining programs and procedures to achieve these goals from a US perspective. We thought it would be useful to put these principles into checklists that can be used to help companies review and evaluate their programs and procedures. We also discuss below what the record should ideally show regarding the related actions of both company management and the company's board of directors.
With respect to compliance programs, the US Department of Justice (DOJ) has recently issued updated guidance (its April 2019 "Evaluation of Corporate Compliance Programs") for evaluating corporate compliance programs. While this new DOJ guidance contains no surprises, it is helpful because it is detailed and lays out the factors the DOJ considers when grading a compliance program. For that reason it serves as a primary checklist for the review of compliance programs, supplementing the checklists set out below.
The primary goals of these programs and procedures are generally to avoid a compliance breach or a serious accident and to minimize the costs and adverse effects if any breach or accident does occur, including minimizing any US government fines or third-party US claims. In the case of compliance programs, a robust program, coupled with an effective and visible internal reporting system for potential violations, can also cause employees to report problems internally instead of pursuing lawsuits or making claims directly to regulators.
When putting policies and procedures in writing, the following points are worth keeping in mind:
There is always a potential risk that writings might be used in hindsight against the company or against individuals as establishing standards of care or as defining reasonable or required conduct that was not followed. This risk can be significantly reduced:
The company must, of course, ensure that the guidelines do not set a lower standard of care than what is currently required by law or expected by regulators, which is an important reason why companies should periodically review their compliance policies.
(a) Maintain written codes of conduct that set forth the company's policies regarding compliance with legal requirements and with business ethics
(i) Review the compliance policies on a regular basis (yearly or more frequently if circumstances change)
(ii) Obtain input regarding (1) the subjects to be covered (considering the company's current and planned activities and the current and potential circumstances the company faces), (2) the exact rules and principles that should be stated and (3) how best to make the policies effective
(iii) Compare the risks and compliance requirements covered in these company policies with those that are identified by the company in its public disclosure documents
(iv) Consider whether differences in approach or in language are needed for the various jurisdictions in which the company operates
(b) Communicate the policies and related procedures and train employees on proper compliance
(c) Communicate certain policies to agents and contracting parties as appropriate
(d) Have procedures adapted to the company's circumstances that are designed to detect both (1) situations that may raise increased compliance risks and (2) potential or actual violations
(e) Consider whether new applications of technology (blockchain, artificial intelligence and other areas of fintech) may be available and appropriate to help (1) ensure compliance with certain legal requirements or (2) detect possible violations of compliance policies or suspicious activity
(f) Have procedures in place in advance to deal immediately with any suspected violations of policies
(g) Address reporting to the Board and/or Audit Committee
(h) If there are any potential or actual violations, the company should take the following actions and the record should show that these actions have been taken:
(i) Assess the effectiveness and actual administration of the compliance program
The company's compliance program discussed above requires company personnel to comply with various rules and principles in their conduct, primarily to meet legal requirements and business ethics. The company also needs procedures in place to manage various operational and external risks that could result in accidents (such as fires, explosions, equipment accidents, environmental spills, extreme weather conditions, data breaches and other events), many of which are caused by external forces. For these other risks that could cause a costly incident, some of the same factors discussed above (regarding compliance programs) should be applied in developing appropriate prevention, mitigation and response procedures.
The following self-assessment questions express some of the principles to be followed in the content and administration of these procedures to deal with accidents. Each of the following questions should ideally be answered: "Yes."
(a) Does the company maintain clear written procedures designed to prevent, identify, control, mitigate, respond to and learn from any incidents?
(b) Does the company obtain input from appropriate internal personnel and external advisers (including insurers) in creating and regularly reviewing these procedures?
(c) Do the procedures, at a minimum, address the risks of incidents that the company has identified in its public disclosures or that are the subject of various company representations in financing agreements and underwriting agreements (such as risks relating to cybersecurity)?
(d) Do the procedures address risks that are encountered or planned for by others in the lines of business conducted by the company or at the locations where the company operates?
(e) Are the company's Board and/or Audit Committee provided with appropriate information about these risks and the procedures to deal with them, together with relevant reports on any incidents or potential red flags, so that the Board and/or Audit Committee can exercise their oversight role?
(f) Does the company train and retrain appropriate personnel to carry out the procedures effectively?
(g) Do the procedures provide clear instructions as to which employees have authority to perform or approve tasks that are sensitive or dangerous (and, if so, are those protocols actually known and followed within the company)?
(h) Do the company's procedures provide for monitoring, detecting and investigating, on a timely and early basis, any red flags and any potential, developing and actual incidents?
(i) Do the company's procedures provide for immediate handling of any potential or actual problems that may arise or are uncovered, addressing:
(j) Do the procedures include identifying in advance staff and resources, both internal and external, that will be needed and will be available to respond if an incident occurs?
(k) Does the company in fact take prompt and effective action:
(l) Does the company have a communications plan in place for public relations crisis events, so that (1) an appropriate spokesperson can be quickly identified, (2) the company speaks with one voice and (3) post-crisis statements can be reviewed for accuracy before dissemination?
(m) In communicating and messaging about how the company will improve its risk management, does the company avoid criticizing its past actions as inadequate or needing improvement and instead focus on the improvements it is making? Note that this is not inconsistent with a company's decision in some crisis management situations to issue some form of an apology as the best communication, with or without more details.
(n) Does the company try, where possible, to independently test the effectiveness of the procedures that are in place to prevent, identify, control, mitigate and respond to incidents?
(o) In general, does the record show that a comprehensive effort has been made and continues to be made by the company to identify and control risks, especially risks that could harm people, assets or the environment, and that it is a company priority to do so?
(p) Put another way, does the record show a company whose management and directors have been careful and diligent to try their best (1) to protect their personnel and other people from harm, (2) to avoid damaging the assets of others and (3) to show respect for preserving and protecting the environment? Does the record show this is more than just a dollars and cents calculation made in specific situations to avoid costly expenses and third party claims and that it is one of the core operating principles of the company?
With respect to the risks referred to in checklists 1 and 2 above, the senior executives leading the company should take the following actions, among others, and the company's records should show that these actions have been taken:
(a) Pursue comprehensive efforts to identify the risks that could be created or encountered by the company's activities, including any new or developing risks
(b) View the proper identification and control of risks to be an important part of their job
(c) Possess the necessary abilities and have available to them the necessary resources in order to identify, understand and manage those risks or use appropriate persons from inside or outside the company who have the necessary abilities and have access to the necessary resources
(d) Conduct, direct or oversee the actions listed in checklists 1 and 2 above
(e) Show continuing interest in reviewing the effectiveness of the policies and procedures put in place and referred to in checklists 1 and 2 above, including reviewing and (as appropriate) reacting to periodic reports regarding (1) any potential or actual violations or incidents, (2) the responses taken and (3) the implementation of lessons learned
(f) Ensure that appropriate communications channels exist within the organization so that potential problems are disclosed to the executive team in a timely manner and so that the company's public disclosures are accurate
(g) Maintain a consistent tone from the top endorsing and supporting these policies and procedures for all personnel throughout the company, including fostering a culture of compliance with laws, of protection of the safety of persons and assets inside and outside the company and of respect for the environment
With respect to the risks addressed in checklists 1 and 2 above and other risks (such as possible regulatory changes or price changes), the directors of the company, acting as the Board and/or acting through the Audit Committee, should take the following actions, among others, and the company's records (including board minutes and agendas) should show that these actions have been taken:
(a) View oversight of the company's identification and control of risks to be an important part of the directors' duties
(b) Ensure that the board has the right abilities to identify and understand the risks facing the company and how those risks should be managed or receive help from appropriate persons from inside or outside the company who can properly inform and assist in this oversight role
(c) Question management about key risk areas, controls and potential problems, including whether management has established an effective reporting system that will raise potential problems up to the executive and board levels
(d) Receive appropriate and timely reports at briefings by company management regarding:
(e) Discuss these reports and matters with senior management and ask questions and make comments
(f) React to any red flags by asking questions when appropriate, by requesting more information and by overseeing action to fix or improve the situation
(g) Show continuing interest in reviewing the effectiveness of the policies and procedures put in place to deal with the risks addressed in checklists 1 and 2 above
© Norton Rose Fulbright LLP 2023