An effective corporate compliance program is an essential component of internal controls for uncovering and preventing ethical lapses and criminal violations and smart companies are prudently adopting these programs. However, it is not enough to merely implement the program. It is also essential the program is properly and competently administered and maintained. This article acknowledges broadly accepted fundamentals of any corporate compliance program, explores common mistakes made during implementation and maintenance of the programs, and concludes with recommendations based upon Department of Justice and Securities and Exchange Commission guidance.
WHAT ARE THE FUNDAMENTALS OF ANY CORPORATE COMPLIANCE PROGRAM?
The purpose of a corporate compliance program is to promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.2 Consensus suggests an effective corporate compliance program will incorporate the following essential elements:
- Risk identification and assessment
- Standards, procedures, policies and controls
- Leadership commitment
- Communication, guidance and training
- Monitoring, auditing and review
- Discipline and reporting
WHAT COMMON MISTAKES ARISE DURING IMPLEMENTATION OF CORPORATE COMPLIANCE PROGRAM?
Failure to identify/quantify all material risks. At the outset, it is imperative the organization identify and then quantify all material risks inherent to the business of the organization.3 Yet many organizations fail to invest the time and resources in this effort. Instead, the organization may focus too much of its program on a single area of compliance to the exclusion of others. For example, we
frequently uncover organizations addressing the risks associated with the accounting and financial functions to prevent such things as employee theft. Meanwhile, the sales function receives no guidance regarding corrupt practices. Or maybe the organization fully addresses risks relating to the Foreign Corrupt Practices Act while ignoring the False Claims Act. Sometimes the organization simply fails to assess all of the jurisdictions in which its personnel are doing business, consequently overlooking the laws in relevant states or even countries. Any organization failing to adequately assess all material risks ultimately will not achieve its corporate compliance objectives.
Failure to obtain multilevel management commitment. Among corporate compliance consultants, the need for commitment to integrity and ethics from senior management is essentially settled. It sets the tone for an unshakable commitment to integrity, ethics and legality. It encourages adequate funding for implementing and administering the program. In the end, it ensures absolute confidence among the rank and file top management will stay true to the commitment. Nevertheless, it is equally important to obtain an open and notorious multilevel commitment to the program. This ensures no breaks in the chain of command. It encourages dissemination of a consistent message from top to bottom. In the end, it makes it likely those most influential members of middle management have direct contact with personnel tasked with adhering to the compliance program.
Failure to integrate the program among all functions. One of the common missteps during the design of a corporate compliance program is the failure to integrate the program among all functions. An effective program will thread seamlessly through the administration, accounting, production, sales and service. Through integration, the organization can coordinate common activities among each function, eliminating redundancy and waste. Careful and thoughtful design should avoid or at least minimize bottlenecks. The integration among functions ultimately serves as an invaluable means of checks and balances among departments within the organization.
Failure to provide a mechanism to incentivize employees. A frequent oversight during the design and implementation of the program is to properly and successfully incentivize employees to abide by the corporate compliance program.4 The design team has to create a mechanism rendering compliance essential to and inseparable from business success within the organization. It is no easy task rewarding behavior that results in violations not occurring. One means may be to incorporate compliance in performance reviews, giving each employee an opportunity to document forgone opportunities for noncompliance. Further, it is crucial that the organization establish confidentiality and anonymity policies that shelter whistleblowers both from violators as well as colleagues.5
WHAT MISTAKES PERSIST DURING MAINTENANCE OF CORPORATE COMPLIANCE PROGRAMS?
Failure to monitor effectiveness of program. One of the most surprising errors encountered in our work is the number of corporate compliance programs that fail to monitor the effectiveness of its program over time.6 It may be something as fundamental as failing to monitor new regulations and amendments to existing regulations. It may include neglecting to assess the program for operational changes within the business. Circumstances change and an efficient compliance program will include a means of monitoring its ongoing efficacy. Solutions include periodic, but at least annual, analysis of applicable laws and regulations7. Similarly, it is essential to conduct audits of program compliance, including both scheduled regular audits as well as random, unannounced compliance testing. Finally, monitoring the effectiveness of the program requires an assessment of costs in terms of value and risk management savings. Risk management savings may include traditional expenses such as fines, penalties and damages or more subtle and unquantifiable expenses like reputational harm, employee morale and heightened government scrutiny.
Failure to keep senior management apprised and engaged. If obtaining the commitment to integrity and ethics from senior management at implementation is imperative, then keeping that management apprised of the effectiveness of the program during its enforcement is correspondingly crucial. A regular report to senior management encourages ongoing attention and commitment to the program. It promotes management support of adequate funding for administering the program. In the end, it sets the tone for stanch commitment to business ethics.
Failure to properly and thoroughly train employees. Once the corporate compliance program is in place, it must be effectually communicated to personnel throughout the organization.8 Training should be held frequently, systematically and pervasively. The instruction should reach all directors, officers and appropriate employees. The training should be customized, using language, methods and tools suitable for the target audiences in each case. Case studies, hypotheticals and examples should be tailored to the function or department so the message is topical and familiar. Best practices should be shared broadly and persistently. At its conclusion, constructive training requires a means of measuring comprehension and application.
Failure to report violations. No corporate compliance program is effective if violations are not reported promptly and fully. It is simply not enough to detect the compliance lapse. A successful program will uncover the breach quickly. Once discovered, the organization must be committed to its full and complete disclosure to appropriate authorities. After admission, the company will cooperate with authorities and contritely accept responsibility. If these measures seem nihilistic, consider the DOJ’s embrace of these actions in its sentencing guidelines.9 True penitence can make the difference in fines and jail time.10
It is not enough to implement and maintain a corporate compliance program. A productive program avoids common mistakes during implementation. Identify and quantify material risks. Obtain multilevel management commitment to the program. Integrate the compliance program among functions. Incentivize compliance among employees. Once implemented, monitor the effectiveness of the compliance program. Keep management apprised and engaged. Properly and thoroughly train employees. Finally, report violations to proper authorities promptly and completely.