An Introduction to Corporate Compliance Programs

Did you know that National Paralegal College features the only fully online Master of Science in Compliance Law program that is accredited by the Compliance Certification Board? Check out this presentation, which will introduce you to the world of corporate compliance programs.

The realities of business compliance can be overwhelming.  Getting to a solid understanding of all applicable laws and rules is a detailed, complex and onerous process.  First, identifying and gaining an awareness of the portfolio of federal, state and local requirements that are relevant to a given business may be a monumental undertaking.  Which laws, regulations, ordinances, administrative rules or other published guidance apply to a company’s unique offering of products and services?  Second, cataloguing those requirements in a concise and methodical manner requires an investment of business resources that might otherwise be engaged in profit-generating activities.  There may also be internally-imposed, voluntary standards for which a company chooses to comply to reinforce its brand image.  Finally, all these requirements, whether legally required or voluntarily adopted, create obligations to comply with them that must be effectively monitored.  This is especially true if the company brands or markets its adherence to higher standards. 

Legal analysis is only the first step.  A business needs to know to what and where it applies in its operations.  The most critical role of corporate compliance is to make sure employees, and others who may represent the company, know the rules beforehand and that they continuously follow them.  All this information, process, structure and leadership must be implemented in an effective compliance program. 

After inventorying its compliance obligations, investments must be made in experienced compliance professionals to lead and provide guidance to others in the organization.  Ideally, a corporate compliance function that reports to the Board or other senior level in a company may be assigned overall responsibility and governance of the program.  However, the subject matter experts for a given regulatory policy or standard are typically delegated the day-to-day, operational responsibilities of compliance.  This may take many forms but must include the design of easy-to-understand policies and procedures.  In addition, employees may require additional, readily-accessible guidance to aid them in their compliance roles, e.g. job guides, posters or other visual aids.  Role-based training that tells an employee what he or she needs to know to comply is critical – nothing more and nothing less.  An effective compliance programs ensures that an appropriate level of knowledge is spread to those who need to know.

            Compliance leadership is not simply knowing the law so that the business doesn’t get into trouble.  It’s a successful blending of compliance with an ethical culture.  Of course, following laws, regulations, local ordinances, agency guidance and internally-imposed obligations or standards is a threshold requirement.  Developing and maintaining a culture based on values, integrity and accountabilities, though, creates state-of-the-art compliance.  This kind of culture goes beyond the minimum requirements to adopt internally-imposed policies and obligations, based on industry standards or other leading practices.  In other words, always doing the right thing in a preventive manner eliminates or at least lessens opportunities for business harm from compliance failures.  Business harms certainly result when monetary fines and penalties may be imposed, but perhaps more importantly, such failures may also damage a company’s reputation – not to mention the operational impediments created by reactively remediating the failure, in an urgent and often prescriptive manner.  As former U.S. Attorney General Paul McNulty said, “If you think compliance is expensive, try non-compliance.”

            Indeed, the most visible hallmark of an ethical culture is exhibited by a company’s senior leaders.  State-of-the art compliance requires an ongoing commitment from the highest levels of leadership to consistently demand ethical conduct, in addition to promoting compliance with the law and leading practices.  Such leadership does not use compliance as an excuse or “scapegoat” for negligence and wrongdoing, while suborning a lack of funding for program resources, refusing to hire and promote skilled compliance professionals or not insisting on compliance-knowledgeable subject matter experts to direct and manage their operations.  Giving shareholders, employees, vendors and the public the false belief that the company supports full compliance with the law and day-to-day ethical behaviors is “more dangerous than no compliance program at all”[i].  A company must invest the time, effort and resources to carefully tailor and individualize its compliance program, not just give lip service to it.

            Commonly tagged “tone at the top”, words and actions of the senior-most leaders must be unambiguous, with clear and open endorsement for the compliance program and for including integrity in business conduct.  “Tone in the middle”, or the words and actions of mid-level leaders, must be appropriately sanctioned when their behaviors don’t encourage ethical conduct or don’t support the compliance program.  Even more telling, finger pointing, instead of appropriately-crafted responses to compliance failures, flags an unwillingness to engage in and commit to a successful program.  Unfortunately, even state-of-the-art programs will experience failures. 

            Clearly defining what compliance means for the organization may be necessary, as the company may have stumbled into tribal definitions or exhibit factions of compliance, prior to the Board and other senior leaders committing to invest time, effort and resources to build an enterprise-wide program.  Former U.S. Attorney General McNulty said “Compliance programs are established by corporate management to prevent and to detect misconduct in accordance with all applicable criminal and civil laws, regulations and rules.”[ii]  Further, the U.S. Sentencing Commission Guidelines Manual reinforces that “To have an effective compliance and ethics program, an organization shall promote an organizational culture that encourage ethical conduct and a commitment to compliance with the law.”[iii]  Without appropriate levels of commitment and support from company leadership, a compliance program will fail or, worse, be siloed, inefficient and cost-prohibitive. 

Building the Business Case

            Building the business case for compliance and ethics doesn’t need to rely on opinion, taking a risk or jumping in with a leap of faith.  Solid business intelligence indicates that an effective compliance and ethics program increases reputational value for a company or brand - among consumers, investors, vendors, suppliers, employees and other stakeholders.  In numerous studies, Booz Allen Hamilton, a management consulting firm, found a strong link between a corporation’s public commitment to compliance and ethics and its financial performance.  “Among financial leaders - public companies that outperform their industry averages – 98% include ethical behavior/integrity in their values statements, compared with 88% for other public companies.”[iv]  In addition, DePaul University reported in its 2004 study that “well-managed companies that take their ethical, social, and environmental responsibilities seriously have stronger long-term financial performance than the remaining companies in the S&P 500 Index.”[v] 

            Even more telling, LRN, a legal research and consulting firm, conducted a 2006 study that “provides new evidence that links a company’s ability to foster an ethical corporate culture with an increased ability to attract, retain and ensure productivity among U.S. employees.”[vi] Recent studies report that

·         94% of employees say it is critical that they work for an ethical company.

·         More than one-third reported leaving a job for ethical reasons.

·         One in four workers reported seeing unethical or even illegal behavior where they work and 89% of those said it affected them adversely.[vii]

·         97% of recent MBA graduates surveyed said they were willing to be paid less to work for an organization with a better reputation for corporate social responsibility and ethics.[viii]

Finally, building an effective compliance program provides an opportunity to take advantage

of lessened fines and penalties under the Federal Sentencing Guidelines for Organizations (FSGO) when dealing with prosecutors.  If an offense occurs, even though the corporation had an effective compliance and ethics program according to the requirements in the U.S. Sentencing Commission Guidelines Manual[ix], it will reduce the company’s culpability, leading to a reduction in fines of up to 60%[x]. 

Federal Sentencing Guidelines for Organizations

            The Sentencing Reform Act of 1984 provided for the development of guidelines to further the basic purposes of criminal punishment, namely deterrence, incapacitation, just punishment and rehabilitation.  The Act provided authority to promulgate such guidelines, policy statements and commentary to prescribe the appropriate sentence for offenders convicted of federal crimes.  As a result, the U.S. Sentencing Commission was created an as independent agency of the judicial branch, with seven voting and two non-voting members, to establish sentencing policies and practices for federal judges.  The original sentencing guidelines were submitted to Congress in 1987 and took effect on November 1 of that same year, applying to all offenses on or after that date.  The Commission was established as a permanent agency to monitor sentencing practices in federal courts and to continue research and analysis that may result in submission of amendments to Congress.  The Commission may submit amendments each year to Congress, which automatically take effect unless modified or disapproved by Congress.  The policy objectives of the guidelines were to create an effective and fair system with honesty in sentencing, reasonable uniformity in sentencing and proportionality based on conduct of differing severity.

The resulting sentencing table was based on data derived from pre-guidelines sentencing practices as a starting point.  In addition, it provided imprisonment for economic crimes, such as tax evasion, fraud and embezzlement, insider trading, antitrust and money laundering.  Criminal regulatory offenses are also addressed in the guidelines, including regulatory schemes promoting public safety.  Such offenses may involve food, drugs and consumer products, as well as environmental crimes.  The guidelines’ authority was influenced, but nonetheless upheld, by the Supreme Court in several landmark cases in 1989, 2005 and 2007.

After the corporate scandals surfaced in the new millennium, the Sarbanes-Oxley Act of 2002 directed the Commission to develop guidelines and related policy statements that apply to sanctioning an organization.  “Organization” means a person other than an individual, intended to apply to corporations, partnerships, associations, joint ventures, unions, trusts, pension funds, governments, political subdivisions, non-profits and other unincorporated organizations.   Organizations act through individuals and are generally vicariously liable for offenses committed by their employees or other agents.  In addition, individual employee-agents are also responsible for their own criminal conduct.  Because modern prosecution frequently involves individual and organizational co-defendants, the Act required that the guidelines be designed “so that the sanctions imposed upon organizations and their agents, taken together, provide just punishment, adequate deterrence and incentives for organizations to maintain internal mechanisms for preventing, detecting and reporting criminal conduct.”[xi]

The Act further directed the Commission to ensure that the guidelines “are sufficient to deter and punish” organizational misconduct. Hence, the requirements set forth to maintain such internal mechanisms are intended “to achieve reasonable prevention and detection” of conduct for which the organization would be vicariously liable[xii].  The diligence of an organization in seeking to do so has a direct bearing on the penalties, probation, deferred prosecution or even declination to prosecute a company.[xiii]  The Guidelines Manual is clear that when the internal mechanism or compliance and ethics program is “reasonably designed, implemented, and enforced so that the program is generally effective”, the failure to prevent or detect the instant offense does not necessarily disqualify the organization from a lessened sentence or reduction in fines.[xiv] The fine range for any organization is “based on the seriousness of the offense and the culpability of the organization”.  Culpability generally will be determined by several factors but the existence of a compliance and ethics program will mitigate the ultimate punishment of an organization.[xv]

            There are factors, however, which will disqualify a company from such mitigation, even if the company otherwise demonstrates the existence of a compliance and ethics program.[xvi]  First, the company must have in place at the time of the offense an “effective compliance and ethics program”, as specified in the Manual.[xvii]  The Manual outlines eight criteria that an organization must satisfy before its program will be considered “effective” per the guidelines and thus eligible for reduced fines.  In addition, if, after becoming aware of an offense, the organization unreasonably delays reporting the offense to appropriate governmental authorities, the reductions for an effective compliance and ethics program do not apply.[xviii] 

            Further, the involvement of certain individuals within the organization disqualifies an organization from the reductions.  The standard for “involvement” is participated in, condoned or willfully ignored the offense.  Individuals who may disqualify the organization because of their “involvement” are

·         High-level personnel of the enterprise

·         High-level personnel of a 200-person business unit within the enterprise[xix]

·         Personnel assigned overall or operational, day-to-day compliance responsibilities[xx]

Likewise, there is a presumption that an organization did not have an “effective” compliance and ethics program when i) high-level personnel of an organization with fewer than 200 employees or ii) substantial authority personnel, but not high-level personnel, participated in, condoned or was willfully ignorant of the offense.  The presumption for these limited cases only may be overcome with substantiating evidence on a case-by-case basis, i.e. for small organizations with fewer than 200 employees or where substantial authority personnel, but not high-level personnel, was involved.[xxi]

            The Manual distinguishes high-level personnel from substantial authority personnel by defining high-level personnel as individuals who have substantial control over the corporation at large or who have a substantial role in the making of corporate policy.  Examples of high-level personnel are directors, executive officers, individuals in-charge of major business units, functional unit or department heads and individuals with substantial ownership interests.  In contrast, substantial authority personnel are individuals who exercise a substantial measure of discretion in acting on behalf of the corporation.  For example, individuals who exercise substantial supervisory authority or non-management personnel who exercise substantial discretion when acting within the scope of their authority, such as those who negotiate or approve price-levels or significant contracts.[xxii]

            There is an exception to all disqualification, however, when certain criteria regarding the role of the individuals responsible for the compliance and ethics program are met.  The criteria are meant to incent organizations to consider Board-level reporting obligations for their chief compliance officer.  The criteria are summarized as

·         Direct reporting obligations to the governing authority or an appropriate subgroup, such as an Audit Committee of the Board of Directors;

·         Detection of the instant offense before discovery outside the organization;

·         Prompt reporting to appropriate governmental authorities; and

·         No compliance personnel participated in, condoned or was willfully ignorant of the offense. [xxiii]

“Direct reporting obligations” requires that an individual has express authority to communicate personally to the governing authority (or appropriate subgroup thereof) on any matter and no less than annually on the implementation and effectiveness of the compliance and ethics program.  “Prompt reporting” contemplates that the organization will be allowed a reasonable time to conduct an internal investigation.  In addition, no reporting is required if the organization reasonably concluded, based on information then available, that no offense had been committed.[xxiv]

Effective Compliance and Ethics Program

The Federal Sentencing Guidelines for Organizations (FSGO) outline eight elements required to have an “effective” compliance and ethics program, for purposes of reducing culpability and sanctions.  The first element continues the discussion about an appropriate compliance infrastructure within the organization.  The organization’s governing authority must be knowledgeable about the content and operation of the compliance and ethics program.  The governing authority must exercise reasonable oversight with respect to the implementation and effectiveness of the program.  In addition to the oversight of the governing authority, the senior-most level of leadership must ensure that the organization has an effective compliance and ethics program as described in the Guidelines Manual.  A specific individual within the senior-most level must be assigned overall responsibility for the program.  In most companies, this may be General Counsel or a Chief Compliance Officer, if the compliance function is separate and distinct from General Counsel’s responsibilities.  Alternatively, many companies may position the compliance function in Finance or Internal Audit, in which case the senior-most level assigned overall responsibility for the program may be the Chief Financial Officer or Chief Audit Executive. 

Separately, the Guidelines require that specific individual(s) within the organization must be delegated day-to-day operational responsibilities for the compliance and ethics program.  Individual(s) with operational responsibilities must report periodically to the senior-most level of leadership, and to the governing authority, on the effectiveness of the compliance and ethics program.  To carry out such responsibilities, such individual(s) must be given adequate resources, appropriate authority and direct access to the governing authority or an appropriate subgroup of the governing authority, such as the Audit Committee.[xxv]

The second element requires that the organization must establish standards and procedures to prevent and detect misconduct.[xxvi]  This means codes of conducts and internal controls that are reasonably adequate and sufficiently capable of reducing the likelihood of misconduct. [xxvii]  Thirdly, an organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the governing authority, leadership, employees and, as appropriate, third-party agents.  It may do so by conducting effective training programs and otherwise disseminating information appropriate to individual roles and responsibilities.[xxviii]

The fourth element requires that an organization must use reasonable efforts not to delegate substantial authority to any individual whom the organization knows, or should have known through the exercise of due diligence, has engaged in illegal activities or other unethical conduct, inconsistent with an effective compliance and ethics program.[xxix]  Background checks should be carefully tailored to the level and extent of an individual’s delegation of compliance authority and activities, both upon hire or when being promoted to a position that assumes compliance responsibilities.  “With respect to the hiring or promotion of such individuals, an organization shall consider the relatedness of the individual’s illegal activities and other misconduct (i.e., other misconduct inconsistent with an effective compliance and ethics program) to the specific responsibilities the individual is anticipated to be assigned and other factors such as (i) the recency of the individual’s illegal activities and other misconduct; and (ii) whether the individual has engaged in other such illegal activities and other such misconduct.”[xxx]  Exercise of such efforts may also be required for independent contractors with compliance authority or responsibilities.

The fifth element continues to influence behaviors continuously by promoting and consistently enforcing appropriate incentives throughout the organization to perform in accordance with the compliance and ethics program, and it must install appropriate disciplinary measures for engaging directly in misconduct or for failing to take reasonable steps to prevent and detect misconduct.[xxxi]  “Adequate discipline of individuals responsible for an offense is a necessary component of enforcement; however, the form of discipline that will be appropriate will be case specific.”[xxxii]

The remaining elements turn their attention from recruiting, hiring and appropriately training, incenting and disciplining individuals, relative to standards of conduct and internal procedures, to structures and governing functions that foster and support the compliance and ethics program.  For example, the sixth element requires that the organization take reasonable steps to ensure that the standards and procedures prescribed by the compliance and ethics program are followed and working as intended.[xxxiii]  There are typically three lines of defense included in monitoring, auditing and reporting structures

·         Self-monitoring by the business

·         Legal and compliance reviews

·         Independent or third-party audits

Regardless which of these structures are installed, the reporting of all verification activities and follow-up to both the governing authority and the senior-most level of leadership within the organization should be required.  To the extent that Internal Audit is performing these activities for a publicly-traded company, such reporting is mandatory, and must be provided directly to the Audit Committee of the Board of Directors.  In addition, an organization must install and publicize a mechanism that allows for anonymity and confidentiality, whereby the organization’s employees and other agents may report or seek guidance regarding potential or actual criminal conduct, without the fear of retaliation.[xxxiv] 

            After misconduct has been detected, the seventh element requires that an organization take reasonable steps to respond appropriately and prevent further misconduct, including making any necessary adjustments and modification to the compliance and ethics program.[xxxv]  Leading practice requires “investigatory, evaluative and reporting resources”[xxxvi] to make “certain that further investigations and responses are undertaken following the detection of possible misconduct.”[xxxvii]  Effective remediation to prevent similar conduct may include modifications to the compliance program, strengthened structures in high-risk areas or redesign of program elements.  The company should take reasonable steps “to remedy the harm” resulting from the misconduct, which may include providing restitution to identifiable victims.  Other steps to respond appropriately may include self-reporting and cooperation with the authorities. Prevention of similar misconduct may include the use of an outside professional advisor to ensure adequate assessment and implementation of any modifications. [xxxviii]  “Recurrence of similar misconduct creates doubt regarding whether the organization took reasonable steps to meet the requirements”[xxxix] .

In addition, an organization must periodically assess the overall effectiveness of the compliance and ethics program, independent of the need to evaluate specific areas or elements under investigation for misconduct.  Periodic surveys, interviews and document reviews by independent auditors or consultants are typically deployed, to gauge the overall effectiveness of the program.

            Finally, an organization must methodically evaluate the risk that misconduct will occur and take appropriate steps to design, implement or modify each of the other seven elements as identified by the process.[xl]  To meet the requirements of this most recent amendment to the Guidelines Manual, an organization must assess the likelihood that misconduct may occur because of the nature of a company’s business.  If, because of the nature of a company’s business, there is a substantial risk that certain types of misconduct may occur, the company must take reasonable steps to prevent and detect that type of conduct.  “For example, an organization that, due to the nature of its business, employs sales personnel who have flexibility to set prices shall establish standards and procedures designed to prevent and detect price-fixing.  Likewise,” an organization that, due to the nature of its business, employs sales personnel who have flexibility to represent the material characteristics of a product shall establish standards and procedures designed to prevent and detect fraud.”[xli] When conducting such a risk assessment, a company may

·         Examine compliance problems that the company’s industry has experienced

·         Assess a company’s own past compliance history

·         Review documents that may demonstrate the risk of violations, such as litigation records, civil complaints, Board minutes, SEC disclosures, prior investigations or inspections, insurance records and auditors’ work papers

·         Analyze changes in the company and the industry in which it operates

·         Identify operating practices that inherently occasion liability-causing conduct

·         Identify non-obvious or incipient misconduct that may promote illegal actions[xlii]

The primary function of such an assessment is to prioritize and modify compliance resources to focus on conduct identified as most serious and most likely to occur.  A company may need to “risk rank” identified potential for misconduct by scaling the likelihood of its occurrence and the severity of its consequences, should it in fact occur.  This ranking also provides a mechanism to prioritize or modify the actions taken to meet program requirements set forth in the Guidelines Manual.[xliii] 

Designing Compliance Program Elements

            Factors to be considered in determining the action required to meet the requirements of the Guidelines Manual include “(i) applicable industry practice or the standards called for by any applicable governmental regulation; (ii) the size of the organization; and (iii) similar misconduct”[xliv], patterns and trends.  For example, the formality and scope of actions that a company shall take to meet the requirements, including the necessary features of the company’s standards and procedures, depend on the size of the organization.  A large organization generally will devote more formal operations and greater resources in meeting the requirements than a small organization.  However, a small organization must demonstrate the same degree of commitment to ethical conduct and compliance with the law by relying on existing resources and simpler systems, such as “training employees through informal staff meetings and monitoring with regular ‘walk-arounds’.[xlv]   

            Regardless of the size of an organization, high-level and substantial authority personnel must be “knowledgeable about the content and operation of the compliance and ethics program, shall perform their assigned duties consistent with the exercise of due diligence, and shall promote an organization culture that encourage ethical conduct and a commitment to compliance with the law.”[xlvi] 

            To illustrate the design of the program elements, consider the following working illustration of actions required to implement a Conflicts of Interest compliance program.[xlvii]

·         Compliance Infrastructure

o   Identify a subject matter expert(s) to develop and execute the Conflicts of Interest program

o   Identify high-level personnel with overall responsibility and oversight of the Conflicts of Interest program, e.g. General Counsel, Chief Compliance Officer or highest-level executive in Human Resources

·         Standards and Procedures

o   Draft or review the Conflicts of Interest policy and Frequently Asked Questions on the company intranet

o   Design and executive Conflicts of Interest certification procedures

·         Communication and Training

o   Decide which roles within the corporation must certify to compliance with the Conflicts of Interest policy

o   Developing training and other communication materials that promote an understanding of Conflicts of Interest

·         Due Diligence in Delegation

o   Require background and reference checks for employees with responsibility for the Conflicts of Interest program, to include screen for illegal activities or other unethical conduct

o   Require background and reference checks for any third-parties who may be involved with the administration of the program

·         Monitoring, Auditing and Reporting

o   Business units or department heads monitor employee listings or exception reports for completeness of certifications

o   Legal or compliance personnel reviews identified conflicts for exceptions and risk

o   Internal audit annually tests the Conflicts of Interest process for timeliness, completeness and adequacy

o   Establish protocols for reporting results of the Conflicts of Interest program to the Board of Directors and the executive level of leadership

o   Ensure that “hotline” reports are routed to Compliance for appropriate follow-up

·         Incentives and Discipline

o   Develop performance goals for business unit or department heads for exercising due diligence that prevents and detects apparent Conflicts of Interest

o   Enforce appropriate discipline for failure to report or detect an actual or suspected conflict, up to and including termination

·         Response and Prevention

o   Investigate undisclosed Conflicts of Interest otherwise detected in day-to-day business dealings, e.g. discovering ownership of a supplier by a purchasing agent

o   Prevent similar misconduct by requiring ownership details of key suppliers in the onboarding process

o   Identify key trends by business unit, geography or department to evaluate program effectiveness

§  Evaluate promptness in completing annual certifications

§  Identify the occurrence and investigation of undisclosed Conflicts of Interest

·         Risk Assessment

o   Identify the likelihood of Conflicts of Interest given the nature of the business in

§  Business units or departments

§  Products, services or geographies

§  Business circumstances that inherently provide the opportunity for misconduct, e.g. purchasing computer supplies and services introduces the risk of selecting a vendor that has a financial relationship with the company’s purchasing agent

o   Evaluate the seriousness and consequences of potential Conflicts of Interest

o   Prioritize the how, what, where and when of compliance activities to prevent, detect and deter Conflicts of Interest based on the risks so identified