7 Elements of an Effective Corporate Compliance Program

An effective corporate compliance and ethics program is essential for virtually all U.S. businesses in today’s regulatory environment.  Essentially, a compliance and ethics program is a set of protocols a company puts in place to prevent and deter unlawful conduct and to promote a culture of compliance. There are at least two reasons to invest the time and resources necessary to create such a program and make it effective. First, an effective compliance program provides management timely and accurate information about potential legal problems and a means of promptly redressing them. Second, if a company is ever investigated for a potential violation of federal law, having an effective compliance program in place may significantly reduce any penalty imposed and may even convince prosecutors not to pursue penalties at all.

It is virtually impossible to prescribe a “one-size-fits-all” compliance program for companies in any industry. Many companies have broad and diverse business lines, and face a multitude of federal regulatory requirements at each phase of their operations, including sales, supply chain management, and human resources, to name just a few. Yet, regardless of a particular company’s business lines, the core structure of an effective compliance program is largely constant. The “Organizational Sentencing Guidelines,” a set of advisory sentencing benchmarks promulgated by the U.S. Sentencing Commission at the direction of Congress, set forth seven elements necessary to make any compliance program effective. (See the U.S. Federal Sentencing Guidelines, 18 U.S.C.A. §8B2.1, for more detail.)

(1) Standards and Procedures: A company must establish standards and procedures to prevent and detect criminal conduct, and communicate them effectively.  At bottom, this is a common sense requirement: if a company expects its employees to do the right thing, it needs to communicate, through standards and procedures, what the right thing is and how it can be accomplished.  It is equally important to communicate this information to employees in a concise, practical fashion, rather than through cumbersome legalese.

(2) Oversight: A company must give a specific senior executive or committee of executives overall responsibility for the compliance program. However, a company’s “governing authority” — typically its board of directors — must oversee its implementation. In addition, all management, not just those with direct oversight of the program, must understand the company’s policies relevant to their business unit and ensure that employees under their management understand and follow those procedures.

(3) Exercise Due Diligence: A company must use “reasonable efforts” not to give individuals who have engaged in illegal activity or other conduct inconsistent with an effective compliance program a role in senior management or supervisory authority over the program (e.g., as a manufacturing plant or sales manager). This does not impose an absolute bar on hiring individuals with a history of misconduct into positions of responsibility. Yet, when making hiring decisions, a company should consider the degree to which an individual’s record of misconduct relates to the individual’s anticipated responsibilities.

(4) Communication and Effective Training: A company’s compliance program cannot merely look strong on paper. The company must effectively implement the program through education and training.  Training for many companies may need to cover topics such as confidential information, proper accounting, organizational property, gifts and favors, fair labor standards, unfair trade practices, Americans with Disabilities Act (ADA) rules, sexual harassment, outside employment, and reporting. Training should not merely recite the law, but should explicitly explain the company’s policies and ask employees to think through complex “gray areas” they may encounter in their day-to-day tasks.

(5) Monitoring, Auditing, and Disclosure: A company must audit its compliance program to make sure its elements are actually being implemented and periodically evaluate the program’s effectiveness. For example, auditors may ask employees what they perceive as the “unwritten rules” within the company to determine whether the compliance program’s goals match its actual operation. Separately, a company must provide employees with effective mechanisms through which to anonymously or confidentially report potential misconduct or seek guidance on compliance issues, protect such individuals against retaliation, and adequately follow up on their reports. Most compliant companies utilize an independent service to manage their “hot line”.

(6) Discipline and Incentives: A company must provide appropriate incentives to encourage employees to comply with the program and impose appropriate disciplinary measures when employees fail to do so. It is important for the company to enforce these rules consistently to maintain the credibility of the program.

(7) Corrective Action: A company must address misconduct after it occurs — including, at times, self-reporting to the authorities — and must take reasonable steps to prevent similar misconduct in the future. In addition, a company’s Board or Audit Committee must receive regular and meaningful reports on audit results and the status of corrective action.

Finally, once these seven elements are in place, the program must be periodically reassessed and modified to ensure that it is kept current and effective.

All companies with significant U.S. operations should adopt a compliance program based on the Guidelines’ approach. In addition to providing information about potential problems and a means to address them, such a program offers a company critically important protection if it is ever investigated for potential misconduct.  Under federal law, a company typically is liable for the wrongful acts of an employee so long as the employee is acting in an official capacity, even if the employee acted contrary to corporate policy and instructions.  If a company finds itself in that position, having an effective compliance program in place can help to insulate it from the harsh sanctions that would otherwise apply by convincing prosecutors that no penalties are appropriate or, at a minimum, reducing any penalty imposed.

With the assistance of counsel and other experts, a corporate compliance program can be tailored to an individual company’s precise needs. The seven elements described above, however, provide the essential foundation for any company embarking on this process.


Sam H. Carr is the Managing Partner of Carrtegra, LLC. Sam has over 30 years of experience in accounting, auditing, financial management and consulting. Sam has focused much of his career on process improvement and redesign. Sam holds an MBA and is a CPA, CIA, CISA and a Certified Compliance and Ethics Professional (CCEP). Sam is a finance and operations executive with broad-based experience that includes 12 years as a CFO or Chief Accounting Officer in both public corporations and private entities, and fourteen years with an international public accounting firm. Sam orchestrated an Initial Public Offering of a consolidation of dental practices throughout the United States. In addition to his IPO experience, he owns a powerful track record of demonstrated skills in a wide range of business environments including designing financing, mergers and acquisitions and growth companies. Sam has been the Chief Executive of a management consulting firm for the most recent 10 years. Sam’s focus has been substantially on quality of services and valued solutions as well as client and employee retention.