The Basics of Compliance
Compliance is a hot issue in today’s business world. Small and large companies alike should strongly consider developing a compliance program tailored to their organization. While the task may seem daunting and complex, it does not have to be. Indeed, in many instances, it is best to start simple and then, over time, add to or change elements of the program to address deficiencies or changed conditions.
So where to begin? This article offers some guidelines which can serve as a launching point for an organization’s development of a compliance program.
Compliance is the process by which an organization strives to adhere to standards applicable to its business. An effective compliance program not only clearly defines the boundaries of permissible business conduct, but it also dissuades behavior that can put an organization at risk.
It is important to underscore that compliance is a process. A compliance professional’s job is never done, and a compliance program must be alterable to address changes to the legal landscape and business environment. Moreover, a compliance program must allow for the incorporation of new, more efficient processes and techniques for achieving its objectives.
Because a compliance program is not fixed and will evolve over time, an organization should not be paralyzed by the notion that compliance is an all or nothing proposition. In fact, truth be told, no compliance program is 100% effective in preventing all violations. Instead, the goal in implementing a compliance program – and every subsequent change thereto – is to reduce an organization’s existing risk of violations. Thus, even a piecemeal approach to compliance – i.e. starting with a basic program targeted at the most significant risk areas and then expanding it over time – furthers the goal as it implements (or improves) a process designed to reduce an organization’s overall risk exposure.
Determining the Scope of the Compliance Program.
At the outset, an organization must decide which risk areas it intends to address through its compliance program. To that end, an organization should prepare an assessment that identifies all of the compliance risks related to its business. The identified risks should be scored based on the likelihood of the risk materializing and the impact of the risk on the organization, and then be ranked in order of significance. From there, the organization should define the scope of the compliance program by selecting the risk areas it intends to address. Obviously, to achieve the greatest bang for its compliance buck, an organization should address the higher ranking risk area(s) first. The number of risk areas to be addressed will vary by an organization’s industry, available resources, and whether it elects to take a piecemeal or comprehensive approach to compliance.
Identifying Applicable Standards.
After determining the scope of the compliance program, an organization must then identify, for each of the risk areas to be addressed, the standards with which it is expected to comply. These standards come from three primary sources: (1) laws and regulations; (2) company values; and (3) contracts.
- Legal and Regulatory Standards. These standards are derived from the laws and regulations applicable to the organization based on the industry, country, and region in which it operates. These legal and regulatory standards should set the floor for acceptable conduct within an organization. After all, operating within the bounds of the law should be a minimum expectation of all employees.
- Company Values. Many organizations promote certain values and principles to govern their business conduct. These values and principles are typically codified in a code of conduct or similar document, and articulate standards of behavior beyond what is required by law. These standards seek not only to deter behavior that could trigger a violation, but also behavior that could be perceived as wrongful conduct. In addition, by promoting values-based standards of conduct, company leadership seeks to serve a greater good and position the organization as a responsible member of the community.
- Contractual Standards. Many contracts incorporate standards of conduct to which an organization may not otherwise be bound. For example, a contract may require adherence to guidelines, policies or best practices developed by trade associations or industry groups. In addition, subcontractors, suppliers, and vendors are often contractually required to comply with the code of conduct or compliance program of their respective principal.
Regardless of where they originate, it is essential that all relevant standards be identified and considered in the development of the compliance program. The compliance program must harmonize these standards, resolve any conflicts, and develop a singular framework that defines the boundaries of permissible business conduct. The omission of any relevant standard from the analysis can be critical as it leaves the organization exposed to risk that may go unaddressed.
Defining the Applicable Standards.
Once an organization identifies the standards by which it is governed, it must undertake an analysis to define these standards. The analysis is two-fold. First, it must articulate what the standards say. Specifically, it must state the prohibited conduct and identify the elements of a violation. Second, it must explain what the standards mean. That is, the organization must describe how the standards are interpreted, applied and enforced.
For example, an organization developing its anti-bribery/corruption compliance program may prepare the following analysis to define the anti-bribery provision of the Foreign Corrupt Practices Act (“FCPA”):
FCPA Anti-Bribery Provision**
Step 1 (standard defined)
Prohibited Conduct: The FCPA prohibits offering or giving anything of value to a foreign government official or to any third party agent or intermediary knowing it will be offered or given to a foreign official for purposes of obtaining or retaining business.
Elements of a violation:
- offering or giving;
- anything of value;
- directly or indirectly;
- to a foreign government official;
- for obtaining or retaining business.
Step 2 (standard explained)
- An actual payment or transfer of value is not required. Offering or authorizing the improper payment is sufficient to trigger a violation.
- No requirement that the bribe be successful in achieving its purpose.
- The phrase “anything of value” is intentionally broad and has been interpreted to include a range of non-monetary benefits including extravagant gifts, services, charitable donations, political contributions, loans, travel expenses, sporting events, entertainment outings, job offers, etc.
- No minimum value for an improper payment or gift.
- No distinction between low-ranking government employees, high-level officials, or candidates for public office.
- Public official requirement includes officers and employees of any department, agency, or instrumentality of government (Note: many governments operate through state-owned and state-controlled entities).
As illustrated above, step 1 of the analysis provides a succinct statement of the prohibited conduct and breaks out the key elements of a violation. Step 2 explains the prohibited conduct. Importantly, the explanatory notes should be drafted in terms relevant to the business. The more relatable the explanation, the easier it will be to develop policies and procedures to comply with the standard.
Developing Policies and Procedures.
With the above preliminary work complete, an organization can begin developing its policies and procedures. While distinct and separate concepts, policies and procedures go hand-in-hand. The policy sets the framework in which the procedures are established. Said differently, the policy articulates the goal, while the procedures describe how you achieve it.
For example, in addressing charitable giving as part of its anti-bribery/corruption compliance program, an organization may include the following policy statement:
“XYZ Corporation maintains a zero tolerance policy toward bribery and corruption and has developed a comprehensive program to ensure compliance with both the letter and spirit of the Foreign Corrupt Practices Act (“FCPA”). While XYZ Corporation permits, and encourages, charitable giving, all charitable donations made by, or on behalf of, XYZ Corporation must be transparent and permissible under the FCPA.”
The procedures should then articulate step-by-step instructions for how to achieve this policy goal (i.e. how charitable donations should be requested, reviewed, approved/denied, and verified). The procedures may also include limits on the amount of the requests and specify the due diligence required to verify the legitimacy of the recipient and the purpose of the request.
In drafting policies and procedures it is important to remember that the end-product will be distributed to employees at all levels of the organization. Avoid using legalese and complex language. Policies and procedures should be drafted so they are easily understood by all.
As a final matter, it is important to note that developing a compliance program is only half the battle. An organization must also ensure that the program is followed. To that end, the policies and procedures must also establish internal controls for detecting noncompliant behavior. Moreover, they should include specific documentation requirements at various stages of the process. Documentation is essential as it provides contemporaneous records to determine whether the processes are followed.
Implementing the Compliance Program.
The policies and procedures provide the guts of the compliance program. However, the manner by which the program is implemented will determine its overall effectiveness. The following are key elements to an effective implementation strategy:
- Commitment from Leadership. An essential element for effective implementation is the unblinking support of the organization’s leadership team. Leadership engagement, also referred to as the “tone at the top”, requires key leaders to champion the roll-out of the compliance program, emphasize its importance, and underscore the organization’s zero tolerance policy for improper business conduct.
- Employee Training. All employees should be trained on aspects of the compliance program relevant to their position during the roll-out period (or as a part of new employee orientation). In addition, there should be periodic (no less than once per year) training to reinforce key aspects of the program. As with most things, one-size does not fit all and, thus, the training programs should be tailored to specific audiences based on job function, management responsibility, etc.
- Incentives and Discipline. An organization should align its incentive and disciplinary programs with the organization’s standards of compliance and ethical conduct. Compliance and ethics should also be included as part of the performance evaluation process and be an important consideration in deciding issues of compensation and promotion. Finally, incentive and disciplinary programs must be consistently applied at all levels of the organization.
- Monitoring and Audits. An organization’s compliance obligations do not end with the initial roll-out of the program. It is critical that an organization monitor and audit the program to ensure employees are complying with the standards. An organization, therefore, should observe/review employee conduct before, during and after a given project or transaction. These observations and reviews provide valuable insight as to what is working and where there is a need for improvement. Monitoring and auditing techniques should also be used to develop key benchmarks against which the overall effectiveness of the compliance program can be measured.
- Remediation. The failure to prevent misconduct, in and of itself, is not evidence that a compliance program is ineffective. However, if improper conduct is detected, an organization must address it and prevent further similar misconduct. All suspected violations must undergo a two-step investigative process. The initial and immediate focus should be on the specific incident and misconduct at issue. This phase should answer the “who, what, when, where, how and why” type questions. After this evaluation, the organization should take immediate and appropriate disciplinary action against the employee(s) involved. The second step should have a broader organizational focus, evaluate the systems in place, and identify any weaknesses in the existing program. The findings of this phase should be used to improve the existing program and prevent further similar misconduct.
As a final point, an organization must also maintain an open line of communication with its employees regarding the compliance program and prevailing business practices. For example, an organization should consider implementing a reporting system that features both an employee helpline, whereby an employee can seek compliance related guidance, and an anonymous hotline to receive reports of suspected (or actual) misconduct. In addition, to reinforce key elements of the compliance training, an organization should regularly disseminate compliance related information to its employees. This communication strategy could include a compliance newsletter, monthly emails, posting to a community message board, quarterly webinars, and other initiatives. These communications should seek to engage the employees in some way – perhaps conclude with a call to action or a contest (with nominal prize). Not only will employee engagement help solidify the theme of the communication, but the response rate can serve as a metric to evaluate the effectiveness of the communications strategy. Finally, the organization should solicit feedback from its employees. Reports from the “trenches” can provide invaluable insight and information for improving the efficiency and effectiveness of the program.
In today’s business world, it is imperative for organizations to develop and implement a compliance program tailored to their business. While the task may seem daunting at the outset, employing a strategic approach to the undertaking can break it down into manageable pieces. That is, an organization should carefully determine the scope of the program, identify and define the applicable standards, and develop clear and concise policies and procedures to meet these standards. Thereafter, the organization must develop an effective implementation strategy to maximize the overall effectiveness of the program. Once the program is implemented, the compliance team must evaluate the program on an on-going basis and incorporate changes, as appropriate, to more effectively mitigate its compliance risk.
*This article is intended to be a source of general information. It is not intended to provide legal advice. For specific counsel or advice, please consult with an experienced professional.
**Examples used in this article are for illustrative purposes only. They do not purport to be a complete analysis of the referenced matters.
***For any questions or comments, please contact Three Twelve Group by phone at 404.872.5615 or by email at firstname.lastname@example.org.