Fabio Humar: “You have to get used to the idea that even the best compliance program is not perfect”

Quote: “A good risk matrix should consider, depending on the business, the types of damage that may occur and the probability of occurrence of each one”

Compliance is so fashionable these days that it’s rare to find course or law firm does not cover the creation and implementation of compliance programs. I have been critical of the legal industry’s approach to the issue, and on several occasions and in different forums have argued that compliance programs are, in fact, how the State discharges its duty to investigate and sanction, passing the buck – and the extreme cost involved – to private individuals. But, until we come to our senses and return to the path where the State is the one doing the investigating, companies have no other choice but to design robust compliance programs adapted to particular needs.

Let’s discuss the environmental crime prevention programs that mining companies must use and implement. The purpose of these programs is to prevent or mitigate environmental damage. They are typical risk-management and administration programs, focusing mainly on environmental crimes.

We should, at this juncture, make one thing perfectly clear: the greatest challenge facing companies in the sector is the paralysis of the State. And by paralysis we mean omission and negligence in the execution of the tasks and duties that, by law, fall to different public bodies.

Compliance pillars

I am not exaggerating one iota when I say that environmental criminal compliance must rest on two main pillars: the first, the obvious and natural prevention of the risks associated with the mining sector, in the framework of which priority should be given to those related to the crimes of Title XI of the Criminal Code; the second, even more important, is to prevent the inactivity of the State, in particular, of the agencies in charge of the application of enforcing the law, inactivity already well known from the cases in which the prosecutor’s office, the police and the information and financial analysis unit, among others, do not act promptly and in accordance to their legal duties.

Experience has shown us sometimes even by painful lessons, that, despite the adequate design and implementation of a criminal compliance program in mining and energy matters, we mustn’t assume the State will always have our back.

Recommendations

Here are some recommendations for those cases in which, despite a good compliance program, risk occurs:

(i) Always have the contact details of an expert lawyer to hand. No matter how much planning is done, no matter how many exceptional situations are anticipated, no matter how well put together you believe the compliance program to be, the best thing to do is, in any eventuality, is to call your lawyer.

By definition, compliance programs are made under precise and specific assumptions and circumstances, but they are not capable of taking every situation into account, nor of incorporating the regulatory changes that occur so frequently. The best thing is for the lawyer to be present after a risk occurs to deal the media, the authorities and any other persons involved.

(ii) Do not make decisions based on what has happened; rather, think about what is going to happen. What happened, happened, and it is too late to do anything about it (the time to assign blame or apportion responsibility will come later). For now, once the risk has materialized, the only thing left to do is to prepare for what will happen. To do so, it is crucial to determine the type of risk that occurred, the short and medium-term consequences and appoint a spokesperson either from your organization or a PR professional to respond to interest from the media or the authorities.

The worst damage caused by the occurrence of the risk is reputational, which feeds into legal risk: an incident occurring in the company makes the headlines, which causes the authorities to take a more intense look, which will, in turn, lead to more news. It is a vicious circle for the company.

(iii) See things through the eyes of a fierce critic who wants to harm you. The occurrence of a risk is nothing more than the occurrence of a damage that was foreseen as possible. A good risk matrix should consider, depending on the business, the types of damage that may occur and the probability of occurrence of each one.

Thus, once the risk has occurred and the damage has been done, its critics will try to take maximum advantage of the situation. It is possible that, for example, the company will suffer reputational fallout. Its suppliers will worry, banks will ask for reports and documentation, employees will be afraid for their future at the company. In short, there

will be disorder and some degree of chaos. Keep calm. Think that your case is not the only one, nor the worst. Make sure you do things the right way.

(iv) Don’t forget that everything will be interpreted in bad faith. Hindsight is twenty-twenty. We are all Monday morning quarterbacks, so don’t worry. Everyone (your customers, your suppliers and your allies) will tell you that things could have been done better and that there were serious flaws in your compliance program.

Take a deep breath, calm down and remember: there are no perfect-risk prevention and management systems. Even those of the world’s largest banks and most robust multinationals can suffer from serious flaws. Just be prepared for the authorities, particularly the Attorney General’s Office, to go over every detail of those that failed with a fine-tooth comb.

You have to get used to the idea that even the best compliance program is not perfect. That’s okay. That’s what lawyers are for.