Establishing an effective Compliance and Ethics Program ("Program") has become a necessity to protect any highly regulated organization. At its core, an effective Program protects an organization by detecting and preventing improper conduct and promoting adherence to the organization's legal and ethical obligations. In 1991, the U.S. Sentencing Commission established the most recognized standards for an effective Program within its Sentencing Guidelines Manual ("Guidelines"). These Guidelines are closely aligned with the principles set forth in compliance guidance that various agencies have developed over time. These include guidance related to investment companies, companies interacting with foreign officials, hospitals, nursing homes, pharmaceutical companies, and government contractors to name a few. These Guidelines and this guidance have been used by organizations to design and implement their Programs. While there is no "one-size-fits-all" Program for every organization, there are several core components that must exist to have an effective Program. These components are set forth below.
An organization must have standards of conduct and internal controls reasonably capable of reducing the likelihood of criminal and other improper conduct (Guidelines, 8B2.1(b)(1)). The foundation of these controls should be a code of conduct. The code should contain an overall description of the program and address in a practical manner the compliance risks that are relevant to the organization. It should identify clearly those who are responsible for administering the program, the role of the governing authority, and provide general guidance on the business behavior expected of all employees. The code should also identify clear channels for reporting misconduct or violations of the code, and make clear that disciplinary action will be taken if an employee violates the code.
In addition to the code, an organization needs to have more specific policies and procedures to provide detailed guidance on the approach the organization wants employees to follow, or avoid, in its business relationships. These more detailed policies and procedures should address legal and regulatory risks relevant to the organization's business. These can be policies that address areas such as conflicts of interest, political contributions, agent and vendor due diligence, internal accounting practices, anti-corruption expectations, record retention, government funded projects, export controls, and custom issues. Depending on the industry, there are several guidance manuals, such as those identified above,that attempt to explain the types of areas that should be addressed.
The organization's governing authority, which usually refers to the Board of Directors or if the organization does not have a Board of Directors, should be knowledgeable about the content and operation of the Program and exercise reasonable oversight over its implementation and effectiveness. Specific individuals among high-level management should be assigned overall responsibility for the Program. One or more individuals should be assigned responsibility for the "day-to-day" operations of the program. Those individual(s) should have direct access to the governing authority and report to it periodically. This direct access is necessary to ensure that compliance information is channeled to those with the ultimate accountability for the organization. Those responsible for running the program should have adequate resources to operate the program effectively. What is deemed adequate will vary depending on the size and operations of the organization.
It is further expected that corporate leadership strive to foster a culture that promotes compliance with the law. This "culture of compliance" can be achieved through publicly rewarding compliant behavior and making clear that the reporting of non-compliant behavior benefits the organization and will not be met with retaliation.
An organization should take reasonable steps to ensure that individuals with substantial authority have not engaged in illegal activities or conducted themselves in a manner inconsistent with the Program. This usually requires that the organization employ screening procedures to check a person's background and criminal history. This would include background checks and following up with prior employers or references in connection with hiring and promoting. In addition, there may be more industry specific checks required depending on the organization's operations. For example an organization that receives federal contracts and certain types of federal assistance and benefits should consider steps to determine whether its employees are listed on the government's Excluded Parties List System (EPLS). The EPLS identifies those tagged with administrative and statutory exclusions across the entire government, as well as individuals barred from entering the United States. Similarly, an organization that receives revenue or payments from federal healthcare programs, like Medicare and Medicaid, should consider steps to ensure that employees are not listed on the OIG Excluded Parties List. This list is maintained and published by the OIG and lists all persons and entities who have been "excluded" from participation or involvement in federal health care programs.
An organization should ensure that the Program's code of conduct, policies and procedures are widely promulgated and that employees are trained on the programs objectives and relevant policies (Guidelines, Â§ 8B2.1(b)(4)). Proper training should be required for all employees including the governing authority, the organizational leadership, the organization's employees, and, as appropriate, the organization's agents. Proper training typically includes training on the code of conduct, and basic components of the compliance and ethics program. Depending on the size of the organization, additional specialized training should also take place for the various policies and procedures applicable to specific employees who need them to properly perform their jobs. It is recommended that training be tracked, attested to, documented, and followed-up.
An organization's Program should include monitoring and auditing systems that are designed to detect criminal and other improper conduct (Guidelines, 8B2.1(b)(5)). This is an essential component of the Program as it allows the organization to evaluate whether it is effective and is being followed. In general, the audit should assess compliance with the code of conduct as well as the policies and procedures adopted to promote adherence with laws and regulations. Whether the audit is conducted internally by someone within the organization or by an outside entity, it should be done by individuals who are independent from the area being audited. In addition to evaluating the company's compliance with legal requirements, in order to evaluate effectiveness, the audit should gain an understanding from employees of the organization's ethical climate by asking employees whether they are comfortable reporting potential violations of the organization's policies or the law, how they view the organization's commitment to compliance, and whether there are risks that the Program is not addressing.
Effective lines of communication with employees regarding compliance concerns, questions, or complaints are critical. Employees must be comfortable speaking with a compliance officer or management regarding compliance concerns that may arise. Utilizing a reporting system, such as a hotline or helpline, is important to provide a means for employees and agents to report or to seek guidance about potential or actual improper conduct. The Guidelines and several compliance guidance also recommend that the reporting system incorporate a non-retaliation policy and that an organization should allow for anonymous or confidential reporting. The non-retaliation policy should be clearly documented, communicated to employees, included in training, and strictly enforced. Few things will chill a compliance reporting process more than if employees perceive that they will be punished in some way for reporting problems or asking for guidance.
An organization should promote and consistently enforce the Program through incentives and disciplinary actions. This should be done throughout all levels of the organization (Guidelines, 8B2.1(b)(6)). What is an appropriate incentive on disciplinary action will be "case specific." Appropriate incentives could include rewarding material concerns that are raised and even rewarding helpful recommendations for improving the implementation of the Program. Appropriate disciplinary actions could range from a reprimand with additional training, to a demotion, to termination. Ultimately, in order to be effective, the incentive or disciplinary action should be proportional to the conduct.
If improper conduct has been detected, it is imperative that an organization take reasonable steps to both address it, and to prevent further similar misconduct (Guidelines, 8B2.1(b)(7)). The failure to prevent or detect improper conduct in and of itself does not mean that a Program is ineffective. However, the Guidelines make clear that a "recurrence of similar misconduct creates doubt regarding whether the organization took reasonable steps to" achieve an effective Program (Guidelines, 8B2.1 Commentary App. Note 2(D)). Thus, it is important for appropriate remedial measures to be taken. Such measures may include anything from disciplinary measures aimed at the person responsible for the improper conduct to modifying the compliance Program that is currently in place.
An organization should periodically assess the risk of improper conduct within its operations and take appropriate steps to design, implement or modify each element of the program to reduce the risk of improper or unethical behavior (Guidelines, 8B2.1(c)). This assessment usually entails evaluating factors such as audit results, recent litigation or settlements, compliance complaints, employee claims, industry enforcement trends, and the existence and sufficiency of policies covering an area. Organizations are now implementing formal risk assessment processes, whereas before they were frequently done more informally. The organization should map the results of a risk assessment on a "matrix" to show the level of risk for each area examined, the likelihood of a violation and the likely damage to the organization from a violation. These "risk matrices" should then be used to help prioritize program activities for the coming year. An organization should conduct a risk assessment at least once a year.
The importance and complexity of compliance programs have skyrocketed in recent years. It has become a key element for employees, investors, regulators, and everyone interested in running, protecting, and evaluating an organization. Although some of the best guidance comes from the federal sentencing guidelines, by the time a problem gets to the sentencing stage, it is far too late to implement a compliance program. These eight components provide the essential foundation to begin -- today to protect any highly regulated organization. These components help to establish an effective compliance and ethics program by detecting and preventing improper conduct and promoting adherence to the organization's legal and ethical obligations. The time to start is now.
- Daniel Small, Building and Developing Compliance Programs: Preparing and Protecting Your Organization, Nov. 2012 Holland & Knight, Corporate Compliance AnswerBook 2012-13, Practicing Law Institute Robert F. Roach, Compliance at Larger Institutions, NACUA Presentation, Nov. 2009 Christopher Myers and Michael Manthei, Health Care Reform Requires All Providers and Suppliers to Establish Compliance Programs, Holland & Knight Alert, April 2010 David Gebler, MBA 101: The Importance of Building Company Culture, Aug. 2012 U.S. Sentencing Commission, U.S. Sentencing Guidelines Manual