At a recent Two Step webinar, Craig Newfield, Vice President and General Counsel of Gomez, Inc., and
Mark Martines, Executive Vice President and General Counsel of
Jenzabar, Inc., presented an excellent framework for improving and
assessing legal compliance at venture-backed, high-tech companies.
At these types of companies, there is inherently a tension between
activities that increase sales and profits and those that improve legal
compliance since they each naturally compete for limited resources. The
unstated question that tends to exist in some form is something like:
“Should we take the time to improve our stock option approval process
if that is going to take time away from negotiating a sales contract?”
Or, “Should we formalize our development processes to ensure that
shareware that is used in our code is used in compliance with the
specific license agreements?”
Those are the types of real questions that growing technology
companies face every day as they grant new options or develop new code.
The problems caused by careless compliance will not be apparent until
due diligence begins for the next round of investment or an
acquisition. But if compliance issues are uncovered, they can throw a
monkey wrench into a deal and increase the level of scrutiny by the
investor’s team of lawyers, accountants, and technology detectives,
just when you were hoping everything would go smoothly.
The panel discussed the compliance benefits related to both enterprise risk reduction and value creation:
- Reduced risk of errors and irregularities
- Minimized risk of fraud
- Reduced risk of litigation
- Reduced costs of operational inefficiencies
- Minimized due diligence risks
- Increased regulatory compliance
- Improved contractual relationships
- Improved operational efficiencies
- Increased credibility with stakeholders
- Maximized value of the business
But, where do you start? The presentation quoted Richard Steinberg
of Steinberg Governance Advisors and the former corporate governance
practice leader at PwC for his recommendation to ask the right
questions:
- What are the most significant risks facing the company?
- What are we doing about them?
- Are our senior management and directors apprised of all material risks?
And how do you get the right answers? The panel suggested requiring
senior management and those who report to them to sign “Section
302-like” certificates attesting to legal compliance and appropriate
internal controls for their respective business activities and for the
information that flows up to the financial reports. Guidance can be
found in Sarbanes-Oxley and the COSO framework, but it must be used appropriately since neither is a requirement for non-public companies.
The five sections that make up a typical compliance scorecard, which
the panel discussed in the webinar with real-life examples from their
experience, are:
- Corporate Governance
- Fraud Prevention
- Records Management
- Protection of Assets
- Compliance with Laws
While their perspective was based on their own experience at
venture-backed technology companies, the compliance framework that
they developed could certainly be used by any company that is not
required to comply with Sarbanes-Oxley.
Although compliance remains challenging and can be a complex
balancing act, the lesson learned from companies that have been
through the investment and acquisition process is that a
well-thought-out framework and an appropriate level of effort, applied
to the unique circumstances of each organization, will provide an
excellent ROI whether measured by risk avoidance or enterprise
productivity.
The recorded version of the webinar and the related white papers are available here.