Joe Murphy – June 3, 2014
We have witnessed a very public dispute between Apple and the Court-appointed Monitor in the e-books antitrust case. That story is documented in the first report issued by the Monitor, Report of the External Compliance Monitor, United States v. Apple, Inc., et al., No. 1:12-CV-2826, and The State of Texas, et al. v. Penguin Group (USA) Inc., et al., No. 1:12-CV-3394, available here from the Wall Street Journal (hereinafter “Report”). Mostly overlooked, however, were interesting and important insights offered by the Monitor that relate to compliance and ethics programs.
One of the notable points related to risk assessment. Usually when the topic of risk assessment comes up there is a tendency to think only in broad terms; what are the different risk categories and how do they compare. So we may list antitrust, privacy, FCPA, discrimination, etc., and prioritize them at that level. But the Monitor’s report reminds us that risk assessment needs to take place within each risk category as well. Specifically he notes:
“An antitrust risk assessment is a fundamental component of any antitrust compliance program, and a systematic assessment of the risks that arise from Apple’s businesses, the activities of its employees, and its third-party interactions will help ensure that its Antitrust Compliance Program makes sense for Apple. We believe that such an assessment is a key component in making Apple’s Antitrust Compliance Program comprehensive and effective. Simply applying general compliance concepts in response to Final Judgment requirements, or adopting an off-the-shelf compliance program, without incorporating known or expected risks that specifically relate to Apple, is unlikely to lead to an effective and comprehensive Antitrust Compliance Program for the company.
A risk assessment, which should be conducted periodically and as a regular part of Apple’s compliance efforts, would also make the Antitrust Compliance Program dynamic; it would allow the company to respond to new risks as they develop. The assessment, if done well, would detect new risks that Apple could then take into account in its Antitrust Compliance Program in an effort to prevent violations. The assessment should consider antitrust concerns that have historically been important for the company, including non-public instances in which antitrust issues have been detected and addressed internally.” Report 45.
In other words, for a risk-specific program like antitrust to be effective, you have to look at the factors that relate to that specific risk. Yes, you need to prioritize your efforts and resources based on “risk,” but in each specific risk area it is worth taking to heart the Monitor’s sage advice.
One other point that comes from this. What the Monitor says about risk assessment is also true of program evaluation. You should certainly have an independent review of your overall compliance program. But also remember each of your risk-specific programs, and evaluate them from time to time, based on your risk assessment. Remember, even if you have accurately assessed your overall risks, and done a review of your umbrella compliance program, it still may be that your antitrust program does not meet your actual risks or is not working the way it should be working.