Legal and regulatory framework

Legal role

What legal role does corporate risk and compliance management play in your jurisdiction?

Compliance programmes that prevent, detect and respond to potential wrongdoing or misconduct are part of the expectations of the US government for organisations regardless of whether they operate in the US or in other countries around the world. While there is generally no legal requirement that organisations establish and maintain an effective compliance programme, having an effective compliance programme in place may serve to reduce fines, penalties and other terms of the settlement of any government investigation, whether brought on the basis of civil or criminal law. In addition, having a compliance programme that is effective is recognised as assisting in protecting the reputation of the organisation.

Laws and regulations

Which laws and regulations specifically address corporate risk and compliance management?

The primary source addressing compliance expectations is the US Federal Sentencing Guidelines (the Guidelines), as set forth in Chapter 8, Part B, Subpart 2.1 of those Guidelines. The Guidelines have been modified over time to reflect the ongoing evolution of compliance expectations. These Guidelines are established by the US Department of Justice (DOJ) and address how to calculate fines, penalties and prison sentences for a wide variety of offences committed by corporations and individuals. The Guidelines provide a formula for each offence that is then adjusted, based on the underlying facts surrounding the conduct in question, for aggravating and mitigating factors. One of the mitigating factors recognised for organisations is the existence of a compliance programme. The Guidelines set out the elements a compliance programme needs in order to receive credit for reducing fines and penalties that would otherwise be due. These Guidelines are used by a variety of government agencies to guide their own regulatory and enforcement efforts.

Standards and guidelines

Give details of the main standards and guidelines regarding risk and compliance management processes.

The main standards and guidelines are based on the Guidelines and have been further developed through implementation of the Guidelines by various agencies and resolution of enforcement actions. These standards are generally described as follows.

Support and commitment from the top

As a foundational matter, senior management and boards of directors should create a ‘tone at the top’ that promotes a culture of compliance. In evaluating an organisation’s compliance programme, US authorities say they will consider whether senior management has clearly articulated expectations of conducting business in compliance with all laws and organisation standards, communicated these expectations in unambiguous terms, followed these standards themselves, and supported compliance with appropriate resources. While ‘tone at the top’ is necessary, a commitment to compliance must be reinforced by middle management and others throughout the organisation as compliance is the duty of individuals at all levels.

Clearly articulated and visible corporate policies

Organisations should have written policies, procedures and codes of conduct that prohibit improper conduct. The policies should cover key risk areas and provide clear standards of expected behaviour. Typically, a code of conduct is included as a key document that sets forth expectations on acceptable conduct.

Governance and oversight

The governing authority should be knowledgeable about the content and operation of the compliance programme and exercise reasonable oversight with respect to its implementation and effectiveness.

The high-level personnel of an organisation should ensure that an organisation has an effective compliance and ethics programme. Specific individuals within high-level personnel should be assigned overall responsibility for the compliance programme. In addition, specific individuals within an organisation should be delegated day-to-day operational responsibility for the compliance programme. Individuals with operational responsibility should report periodically to high-level personnel and, as appropriate, to the governing authority or an appropriate subgroup, on the effectiveness of the compliance programme. To carry out such operational responsibility, these individuals should be given adequate resources, appropriate authority and direct access to the governing authority, or an appropriate subgroup.

A dedicated compliance infrastructure, with one or more senior corporate officers responsible for compliance, is needed. US enforcement authorities will look at whether an organisation devoted adequate staffing and resources to the compliance programme given the size, structure and risk profile of the business. At a minimum, US authorities expect that lead compliance personnel will have direct access to an organisation’s governing authority, such as the board of directors or an audit committee.

Excluded persons

An organisation should use reasonable efforts not to include within its substantial authority personnel any individual whom an organisation knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics programme. Practically, this means that an organisation should routinely check whether employees are debarred from doing business with the US government, usually through checking online exclusions databases.

Training and communication

Organisations should take reasonable steps to communicate periodically and in a practical manner their standards and procedures, and other aspects of the compliance programme, by conducting effective training programmes and otherwise disseminating information appropriate to the respective roles and responsibilities of those required to be trained. The individuals included in this training are the members of the governing authority, high-level personnel, substantial authority personnel, organisation employees and, as appropriate, an organisation’s agents. A compliance programme cannot be effective without adequate communication and training. While the nature and type of training given depend on the circumstances of the organisation and how it conducts business, the ultimate goal of training and communication is to make sure that individuals understand what is expected of them and are able to incorporate compliance guidelines into their everyday activities.

Moreover, it is expected that communication regarding compliance issues should not take place only in formal settings. While the nature of communication may vary based on the organisation and its business, in general it is expected that communication efforts could include such elements as internal newsletters for employees, a separate space on the intranet devoted to ethics, dissemination of examples of good practices of ethical conduct, posting of pamphlets and announcements on bulletin boards, presentation of positive results obtained from the implementation of the code of conduct and incorporation of the ethical and integrity principles and values in the organisation’s mission and vision statements. An effective compliance programme must provide resources for an organisation’s employees and relevant third parties to obtain compliance information. Specific organisation personnel should be designated to help answer questions.

Monitoring and auditing

Organisations are expected to take reasonable steps to ensure that the compliance programme is followed, including monitoring and auditing to detect criminal conduct, to evaluate periodically the effectiveness of the compliance programme and to have and publicise a system, which should include mechanisms that allow for anonymity or confidentiality, whereby organisation employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation. These mechanisms for reporting potential or actual misconduct typically include hotlines, ombudsmen or other anonymous reporting systems. Monitoring and auditing serve as the basis for determining whether the policies and procedures are being implemented effectively. Which activities to monitor and audit is a function of the nature of the business and the way in which an organisation operates. Accordingly, there is no set rule as to what activities should be reviewed, but it is essential for an organisation to be able to justify the efforts it undertakes in that regard.

Incentives and discipline

The compliance programme should be promoted and enforced consistently throughout an organisation through appropriate incentives to perform in accordance with the compliance programme and appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct. Organisations should reward their employees for good behaviour, and consider including the review of business ethics competencies in the appraisal and promotion of management and measuring the achievement of targets not only against financial indicators, but also against the way the targets have been met and specifically against compliance with the organisation’s policies. Incorporating adherence to compliance as a significant metric for management’s bonuses, recognising compliance professionals and internal audit staff, and making working in the compliance organisation a way to advance an employee’s career are all ways to promote compliance. While incentives are important, so are disciplinary procedures to address violations. To evaluate the credibility of a compliance programme, US authorities will assess whether an organisation has appropriate and clear disciplinary procedures, whether those procedures are applied reliably and promptly and, when applied, whether they are commensurate with the violation and used consistently.

Response to incidents

An organisation’s response to a report of potential misconduct is also critical. Organisations must have an infrastructure in place to respond to the report, conduct appropriate investigations and document the response process, in a consistent manner. After criminal conduct has been detected, an organisation should take reasonable steps to respond appropriately to the criminal conduct, to determine the root cause of the misconduct, and to prevent further similar criminal conduct, including making any necessary modifications to the compliance programme.

Risk assessment and periodic reviews

In implementing the requirements listed above, an organisation should periodically assess the risk of criminal conduct and should take appropriate steps to design, implement or modify each requirement set forth above to reduce the risk of criminal conduct identified through those processes. Periodic reviews and assessments of a compliance programme are viewed as essential, as a programme that remains static is likely to become ineffective as risks shift. For example, organisations may use employee surveys to measure their compliance culture and strength of internal controls, identify best practices and detect new risk areas, or may conduct audits to assess whether controls have been implemented effectively.
Are undertakings domiciled or operating in your jurisdiction subject to risk and compliance governance obligations?

Any organisation, regardless of the form of the entity that operates in the United States or is subject to US law, is expected to meet these compliance obligations.

What are the key risk and compliance management obligations of undertakings?

Organisations are expected to implement and maintain an effective compliance programme as described above.