As the world staggers out of 2020 (good riddance) and into 2021, at least one thing remains unchanged: the need for a strong corporate compliance program, because organizations face the same highly regulated business environment as ever.
Precisely what form that program should take is something each business needs to determine for itself—and then re-assess, over and over again. The fundamentals of a compliance program, however, have been clearly defined and communicated by regulators for years. So, as compliance officers build or refine their compliance programs for the year to come, let’s review those fundamentals in detail.
What is a Compliance Program?
A compliance program is an organization’s collection of policies and procedures to help it comply with any laws, rules, or regulations that might apply to the organization based on its business activities. Those policies and procedures can encompass a wide range of specific actions, such as:
- Declarations by the CEO that misconduct won’t be tolerated;
- Written policies that prohibit certain actions, such colluding with competitors to fix prices;
- Written policies that require certain actions, such as performing a security audit before using a new tech vendor;
- Procedures to execute a policy, such as the steps one takes to perform anti-corruption due diligence on overseas sales agents;
- Internal accounting controls such as blocking payments to overseas agents whose due diligence isn’t complete.
Compliance officers should determine which of those actions your company should undertake, given the specific compliance risks that arise from its business. For example, a company with only one overseas agent might need a simple anti-corruption due diligence process; another with thousands of agents might want an automated technology solution. Then the compliance program should then put those measures into effect, including information about how well the program is or isn’t working.
While every company’s compliance program will be unique, it’s also true that all compliance programs must have a certain fundamental structure. The U.S. Sentencing Guidelines defined seven basic elements of an effective compliance program in 1991, and those elements have endured ever since.
What are those elements? Let’s consider each one in turn.
1. Designating a Compliance Officer and Compliance Committee
Senior leaders within the business need to pay attention to the compliance program and assure that it’s working appropriately. The Sentencing Guidelines define this idea in two ways.
First, the organization’s governing body—typically, the board of directors—must exercise “reasonable oversight” of the compliance program and its effectiveness. That doesn’t necessarily mean that the board needs to have a dedicated compliance committee (although many do, especially at large businesses). It does mean that the board can’t ignore the compliance program; paying attention to it is part of the board’s job.
Second, a specific person must be in charge of running the compliance program on a day-to-day basis. This person is “the compliance officer” although he or she doesn’t need that exact title. The compliance officer should then have clear, regular access to senior management and the board to brief them about compliance issues and how the compliance program is doing.
2. Policies, Procedures, and Standards of Conduct
These are the measures that the business practices to steer employees away from the misconduct and to help the compliance program detect any misconduct that might happen anyway.
We already gave the example of performing due diligence on overseas agents: the company should have a policy that commits the company to perform that task, as well as a clearly defined procedure for doing due diligence. An effective compliance program should have the same for all significant compliance risks the business faces: antitrust, data security, workplace harassment, environment and safety rules, fair lending, anti-discrimination, and many more.
Moreover, the company should have a Code of Conduct that describes the company’s overall approach to ethical conduct; and the expectations the company has for employee behavior; and mechanisms employees can use to raise concerns about misconduct to management.
3. Training and Education
Your compliance program must also follow up with training and education to help employees understand the policies and procedures you have, as well as the importance of ethical conduct generally. It won’t be enough simply to adopt a policy or Code of Conduct and then have employees sign a form that they understand the material. Part of an effective compliance program is making sure employees truly understand the material and how to incorporate it into their daily job routines.
4. Effective Communication
An important corollary to compliance training and education is that the communication of compliance objectives must be effective. For example, if you have a stellar Code of Conduct and online training materials, but those materials are only available in English when half your workforce doesn’t speak that language—you’re not communicating the compliance program effectively.
On a more abstract level, senior executives also need to be consistent in their messages about ethics and compliance. If they require all employees to sign a Code of Conduct that promises no bribery to win business, but then turn around and shout, “Win that contract by any means necessary or you’ll be fired!”—that doesn’t communicate the compliance program effectively either. Mixed signals about the importance of ethics and compliance are just as damaging as indecipherable ones.
5. Monitoring and Auditing
Compliance officers must also take steps to assure that their compliance program works on an ongoing basis after all the policies and procedures have been written and the training courses delivered. That involves several steps.
First, the program should periodically be audited to identify weaknesses, such as payments going to agents before due diligence or user access controls that were never disabled when an employee stopped working for the company. The company should also monitor the functioning of the program—say, a sudden spike in complaints about harassment, or employees never signing an attestation to the Code of Conduct.
Second, the company should periodically evaluate the effectiveness of the compliance program, based both on risks that might have changed (new regulations, new business plans) or on evidence gathered from audits or monitoring that suggest a weakness (“We’re still paying overseas agents before completing due diligence, that’s gotta stop”).
And third, the company needs a mechanism for people to submit allegations of misconduct, including submitting their concerns anonymously: the famed whistleblower hotline.
6. Disciplinary Guidelines
Violations of corporate policies or procedures will happen; that’s inevitable. So your compliance program must include disciplinary measures that will be imposed for anyone who commits misconduct or for failing to take reasonable steps to prevent misconduct. Along similar lines, your organization should also make sure that its incentive policies align with your ethics and compliance goals. (See our earlier example of a manager warning employees, “Win that contract or be fired!” Not a statement that aligns well with doing the right thing.)
7. Detecting Offenses and Corrective Action
And, finally, when the company does discover misconduct, it has to take steps to discipline the offender; and fix any underlying weaknesses, so the misconduct won’t be repeated in the future. We see this often in enforcement settlements announced by the U.S. Justice Department or related regulators: they include a list of compliance program improvements the company made after an incident, and steps such as firing the offending employees.
Remember the Fundamental Message
Despite the myriad of specific ways you might design your compliance program, all to meet those seven basic criteria outlined in the U.S. Sentencing Guidelines, perhaps the most fundamental question to answer is this:
Are we holding ourselves accountable for the ethics and compliance priorities we’ve defined?
That idea of the company holding itself accountable—that’s what regulators, employees, customers, and business partners all want to see. They want to see the company put true effort into its compliance program, where executives can explain their logic for various policies, procedures, and actions the company might take.
If your program can do that, you’ll be in good shape for whatever new challenges 2021 and the years to come will throw at us.
By Matt Kelly,January 4, 2021, published on GAN Integrity