Building A Compliance And Ethics Function

Boehme Donna | February 13, 2007

Having established global compliance and ethics functions and implemented programs at two multinational companies with a combined total workforce of more than 150,000, and having networked with hundreds of my peers in other companies, I’m often asked what I would have done differently in my jobs or to summarize my most valuable lessons learned. Aside from the obvious truth that we never stop learning in this fascinating and rapidly evolving profession, some critical areas do come to mind that, in hindsight, would benefit from a strong early focus and strategic planning on the part of those accountable for their company’s compliance and ethics programs. So in no particular order, here are my observations.

Creating Or Clarifying Your Job Description

We work in a relatively new profession, growing in recognition and influence much like the financial controller function, which evolved 25 years ago. This sometimes means that you spend a good deal of time discussing, negotiating, debating, and speculating on what is and is not under your purview, not only with management, but also with sister functions, such as legal and audit.

By setting out and agreeing on a clear, written job description, you can stake out those areas where compliance should be recognized as the key function having a single point of accountability, and alternatively, identify those areas that are “owned” by others (where compliance is only a supporting function). Another mechanism that can be useful is an interface chart that secures agreement between those areas that seem to overlap responsibilities, such as legal and audit. My experience is that such overlap actually is rare; usually there is scope to set out the distinct roles and activities conducted by each function. Just like a winning football team, it is critical that each player knows the requirements of his job and does it well.

Building Networks

Another task well worth attention from a compliance executive is early identification and engagement of key compliance and ethics champions and owners. This requires patience and a thorough understanding of how businesses are operated and where decisions are made, since these folks don’t always wear T-shirts that say “I brake for compliance and ethics professionals.” Is there a mover and shaker on the HR leadership team who can be drafted onto your ethics advisory committee? Are any regional leaders willing to help sponsor focus groups?

Many in our role are familiar with the value of formal “compliance committees” to help ensure the engagement and support of an effective compliance program. But other networks might exist that you can tap into or create for less formal engagement, facilitation, and support. Find the people in those networks. Give them a role, a job—this is networking in its truest and most valuable sense. In one company we asked top leaders to host events with a specific request to tell personal “war stories” about enforcing compliance. Not only did this deliver a strong “walk the talk” message from senior management, but we also were able to identify leadership champions that we could tap later as sounding boards or for other important assistance.

Clarifying Responsibilities In Areas Beyond Your Control That Still Can Scuttle An Otherwise Sound Program

In many companies, the compliance and ethics efforts develop alongside or after other key control functions. For most folks in our world, that means a number of areas in the company are outside our control but nevertheless remain critical to the success of the compliance program. You may have a state-of-the-art confidential employee helpline backed by best practice investigation protocols, but if your colleagues in security don’t share critical information with you on certain cases they control, don’t buy into your definition of confidentiality, or don’t actively support the company’s non-retaliation policy, you will have big problems. Similarly, implementing a meaningful compliance risk assessment as envisioned by the recent amendments to the U.S. Sentencing Guidelines is pretty difficult without support and candid information-sharing from internal audit.

Look around. The promulgation of Sarbanes-Oxley also meant that many compliance executives found SOX activities layered over or developed separately from their own program. Do some areas of your company have significant compliance activities going on—or worse, required activities that are not happening—but where you don’t have mechanisms to give input or share key information? If so, you must open a dialogue about how you can support or create engagement in this area, and otherwise bring it into the compliance framework. Failure to do this can result in the compliance executive being blindsided by major problems, even if you thought you had in place a good “Seven Elements” compliance program that meets the requirements of the Sentencing Guidelines. Picture the headline about a compliance failure in your company in one of those areas that was “carved out” of the compliance and ethics program. Don’t look for the paragraph explaining that this happened in an area outside of your program and your responsibility. It won’t be there.

Where The Rubber Meets The Road: Getting A Handle On Investigations

In my view, mechanisms and protocols to ensure that investigations are confidential, independent, objective, and effective are frequently overlooked, but can mean the difference between a paper program or one with real weight and teeth. Codes of conduct, training, and communication are all critical elements of a program, but investigations are truly where the rubber meets the road.

Consider the following hypothetical scenario where a company develops a program with all of the right bells and whistles to meet the seven elements. An employee receives, reads, and is trained on her responsibilities under the code of conduct and is informed about the confidential helpline as a mechanism to raise concerns. This employee later observes potential bribes being made in her sales region and calls the helpline. Now what happens?

I’d like to tell you that the compliance function oversees an independent, competent, fit-for-purpose investigation with proper protocols that promote confidentiality, professionalism, objectivity, impartiality, timeliness, and non-retaliation—and that all this results in a succinct fact summary that helps line management take the right corrective action, including any appropriate disciplinary action.

Unfortunately, too often the story can take a detour. Delays in finding an appropriate investigator allow important documents and data to be destroyed or altered. A manager with an interest in the outcome of the investigation is asked to lead it. The supervisor of the concerned employee suspects she has called the helpline and calls her in for an intimidating warning that “only team players get ahead.” No one on the investigation team has subject-matter expertise on the matter of bribery. An outside investigator is called in with no limits set on what is permissible in the investigation (a warning against pretexting, for example).

Any one of these detours will likely result in a poor investigation that prevents the company from detecting and preventing illegal behavior, or may even get the company into trouble. When this happens, employees notice. What’s at stake? Nothing less than the fundamental credibility and integrity of the entire compliance and ethics program. Early strategic planning by the compliance executive should always include a plan, protocols, and mechanisms for good, effective investigations.

Institutional Protections

Joe Murphy of the Compliance Systems Legal Group (to which, in full disclosure, I am a special adviser), has written extensively on this critical topic, most recently in his new book, Working for Integrity (Society of Corporate Compliance and Ethics; 2006). It is one I view of paramount importance to our field, and one that must be addressed by the profession, the C-suite, and the policymakers to effect the intentions of the Sentencing Guidelines and SOX. Joe often conjures up the image of a compliance and ethics officer being called into a meeting with a powerful CFO-type executive, subjected to threats, intimidation, and retaliation, and left with the dire choice of abandoning his principles to keep his job (perhaps until the compliance executive is arrested, which has happened before), or of doing his job well and then losing it.

It is an impossible and unacceptable position that no professional should have to navigate (imagine an internal auditor being threatened with a demotion unless he changed his report), yet anecdotal evidence indicates that this happens with alarming frequency. Early discussions with senior management by the compliance executive (ideally before accepting the role) should include institutional protections, such as written terms and conditions of employment being approved or controlled by the board, direct and unfiltered access to the board or board committee (codified in the Sentencing Guidelines), and automatic escalation of certain events (such as the hypothetical CFO incident above) to the notice of an independent committee of the board.

Educating Your Board And Finding A Board Champion

The 2004 amendments to the Sentencing Guidelines codified for the first time a board’s accountabilities as “knowledgeable about the content and operation of the compliance and ethics program and … exercise [of] reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.” This resulted in hallelujahs from around the compliance and ethics world. Yet expecting boards suddenly to change their activities of their own accord to reflect these new responsibilities is unrealistic.

Boards and their committees have crowded plates and many compliance officers still fight for precious time on their agendas. So unless you are fortunate enough to be invited to speak on this topic by a supportive board member (see below) or have a regularly scheduled session (the best practice of leading companies), you will need to seek time to facilitate a robust discussion on just what the board needs to learn to become “knowledgeable.” And if you have trouble creating this opportunity, you just might have to remind your management about the “direct access” to the board contemplated in the 2004 amendments for those holding “day-to-day operational responsibility” for the compliance and ethics program.

On a related topic, finding and engaging the support of a motivated board member should always be the goal of every practitioner. Pat Gnazzo, chief compliance officer for CA (a company subject to a deferred prosecution) and the former chief compliance officer for United Technologies Corp., who has been billed as one of the tough new breed of “ethics enforcers” by Business Week (Feb. 13, 2006), tells the enviable story of his great champion on the UTC board, the legendary statesman and senator Howard Baker, and his current champion at CA, Walter Schuetze, former chief accountant at the Securities and Exchange Commission. “Every compliance and ethics practitioner needs a Howard Baker or a Walter Schuetze; unfortunately until boards catch up with their new accountabilities, there are not enough of these types of individuals to go around,” he says.

Never Being Isolated: Developing A Network Of Professional Peers And Mentors

Compliance is a difficult and lonely job. The nature of compliance and ethics is that those in the role, if doing their job well, inevitably are called upon to challenge the status quo or apply transparency to some existing business practices, which can lead to natural tension with established and powerful elements in the company.

When this happens, it’s important to have a network of other compliance and ethics professionals outside your company who can offer a reality check, advice, or sometimes just plain moral support. Just the other day I called one of the shining stars of our profession, who happens to be a mentor, to say, “I wanted to run this one by someone smart.” He replied, characteristically, “Should I get my dog on the phone?” But it’s truly amazing how different life can look when you reach out to others. Why do I list this in my “strategic planning” tips? Because as busy as you are, it’s important to your effectiveness as a professional to include in your own portfolio the necessary time to develop and maintain a network of peers or mentors who can offer this kind of support when you really need it. You’ll be glad you did.