Conduct Risk Assessments. The only way to establish an effective and efficient compliance program is to identify and prioritize the risks specific to your company and the industry in which you do business. Businesses must conduct risk assessments – interview employees, review reports, and assess policies and procedures. Compliance Officers must research recent DOJ and OIG prosecutions and priorities in order to mitigate risks.
Establish Policies and Procedures. The company must establish policies and procedures that promote a culture of compliance. Compliance Manuals, Employee Handbooks and Cyber Security Plans must be readily accessible to all employees. The failure to report violations of policy, regulations or law should be directly linked to employee disciplinary action, up to and including termination.
Assign Roles, Responsibilities, and Accountability. The Company must establish roles and responsibilities for its employees. The Compliance Officer will be responsible for conducting audits, performing internal investigations, and training employees. The Privacy Officer will be responsible for assessing data security and protecting personal identification information or protected health information.
Perform Due Diligence of Personnel. Hiring an employee is one of the most important decisions a company can make. Conduct due diligence of personnel to make sure that the company is hiring the best person for the job and is not hiring a person who may be prone to break the rules and foster a culture of non-compliance. Cross-check industry databases to ensure that the employee has not been reprimanded or banned from certain industry functions, such as exclusions from federal healthcare programs.
Train Employees. This is an extremely important step not only to educate your employees, but also to protect your company. Train employees on the laws that govern your industry, whether it be the Bank Secrecy Act and Anti-Money Laundering, HIPAA and the False Claims Act, or the Foreign Corrupt Practices Act. Every employee should have a general understanding of the laws and regulations that govern the industry in which they work. Thoroughly train employees on reporting mechanisms for violations of policy, regulations and law. The Compliance Officer should make each employee certify completion of annual training.
Conduct Regular Evaluations of Employees. Supervisors should conduct bi-annual employee evaluations and document the meeting. Be honest during the evaluation process and accurately assess the employee’s work. Employees should be asked during each evaluation whether or not the employee is aware of any violations of policy, regulations or law. Affirmative responses should be directed immediately to the Compliance Officer for follow-up.
Conduct Regular Audits of High Risk Areas. The Compliance Officer/Compliance Department must conduct regular audits of company and OIG high-risk areas. The company must take a proactive approach to compliance and continuously test the policies and procedures that are currently in place. Compliance Officers should evaluate random samples, conduct trend analysis, and monitor certain high-risk activities. Cyber Security teams should test firewalls and data security, as well as test employees' knowledge of phishing and other cyber dangers.
Report Violations. Your Compliance Program will fail if employees do not feel comfortable reporting violations of company policy or violations of state and federal regulations and law. Employees need to know that they can report a violation without fear of retaliation from the company. There should be multiple methods to report: a direct supervisor, the Compliance Officer, or an Anonymous Compliance Hotline. This can protect the company later when disgruntled employees make whistleblower claims, yet never reported any violations to the Compliance Officer or through an Anonymous Compliance Hotline. The company should always strive to protect the anonymity of the whistleblower, although this may not be possible in every situation.
Promote and Enforce the Compliance Program. The company should establish and communicate incentives for employees who actively participate in the Compliance Program and who report valid violations of policy and law. In order to promote a healthy culture of compliance, management must promote compliance from the top down. To the same end, there must be disciplinary action for failing to report violations.
Investigate Alleged Violations. The Compliance Officer must take every alleged violation of policy, regulations, or law seriously and should immediately initiate an investigation upon notice. In certain circumstances, outside counsel should be notified to assist in the investigation and preserve any privilege. Compliance Officers should speak with employees/witnesses and review documents and communications in order to establish the facts and decide whether it was an intentional violation, a mistake, or a procedural blunder.
Mitigate the Risk. After an investigation is complete, the Compliance Officer should establish a corrective measure plan to resolve issues of non-compliance and promote change. The Compliance Officer should pursue disciplinary action against employees where necessary, modify ineffective policies and procedures, and follow-up with staff to ensure that corrective measures are taken.
Document, Document, Document. The Compliance Officer must document audit findings, internal investigations, employee training, and corrective measures. The best defense to an allegation of fraud is an effective and efficient compliance program. The government will scrutinize a company’s compliance program when deciding on civil penalties and/or criminal charges. In order to demonstrate the success of your company’s compliance program, the Compliance Officer must document everything