In recent actions the U.S. Consumer Product Safety Commission (CPSC) has emphasized the importance of effective compliance programs, echoing the approach taken by other federal agencies in a variety of contexts. Proactive compliance procedures and internal controls aimed at CPSC requirements can help prevent unreasonable risks of injury or death and reduce a company’s risk of future product hazards. Although the primary goal of such compliance programs is consumer safety, in articulating requirements for compliance programs, CPSC also is underscoring a component of the duty of care owed by directors.
Other federal agencies have incorporated compliance-related requirements in multiple situations. These requirements have been embodied in settlement agreements, consent decrees, non-prosecution and deferred prosecution agreements, institutional compliance, and corporate integrity agreements.
The existence of a comprehensive compliance program that is “applied earnestly and in good faith,” that is well-designed and that “works” is among the factors considered by federal agencies in deciding whether to pursue enforcement action. An important inquiry is whether the compliance program is merely a “paper program” or is designed and implemented in an effective manner. Even if a legal violation occurs, a robust compliance program may help avoid severe government action and penalties. Like other agencies, CPSC routinely inquires about compliance programs during investigations.
Civil penalties. Among the factors that CPSC may consider in determining the appropriate civil penalty is the existence and nature of a safety and compliance program or system. Where a violator establishes by “clear, reliable, relevant, and sufficient evidence” the existence and relevance of a reasonable and effective compliance program that relates to the violation, a lower penalty may be appropriate.
Criminal penalties. The existence of an effective compliance program also can result in reduced criminal penalties. The Department of Justice’s sentencing guidelines specifically address the compliance effort required to mitigate a sentence and the important components of a compliance program.
One Size Does Not Fit All
Similar to the approach taken by other agencies, CPSC has declined to adopt formulaic requirements for compliance programs in favor of a more flexible approach. Effective compliance programs are tailored to a company’s business and the associated risks.
Tailoring compliance to legal risks. The threshold inquiry in designing or evaluating a compliance program is risk assessment—identification of the largest legal risks. These risks then should be prioritized based on likelihood and severity of the consequences of non-compliance, and procedures should be designed to prevent and detect such non-compliance. In short, the compliance program should reflect the specific risks presented.
Tailoring compliance to size and nature of the company. Compliance likely will be managed quite differently by a large entity with a complex risk profile, a wide range of products, and numerous supply chains, as compared to a small business with limited product offerings. A larger entity, for instance, generally will require more formal compliance procedures.
Integrating compliance with enterprise risk management (ERM) and internal audit. Compliance programs should dovetail with an entity’s overall ERM programs. In addition, compliance program processes should reflect, and operate seamlessly with, other internal controls and internal audit functions and with quality control procedures.
Integrating compliance with business initiatives. Because an effective compliance program reflects the risks inherent in a company’s business, the need for compliance program revisions should be considered whenever the company modifies or expands its lines of business. New lines of business—including acquired operations—may involve new legal requirements and create new risks that should be taken into account.
Elements of an Effective Compliance Program
A thoughtfully designed and implemented compliance program that is consistently enforced can help prevent, detect, remediate, and report legal violations. At the most basic level, effective compliance requires a culture that—from top to bottom—promotes ethical conduct and prevention, identification, and resolution of legal violations.
The critical components of an effective compliance program are well recognized—and have been reflected accordingly in CPSC actions.
Written policies and procedures. The compliance program should be set out in a written plan or policy that defines practices and procedures to be followed to achieve legal compliance. Companies subject to CPSC jurisdiction, for instance, should include controls and systems sufficient to identify situations reportable under Section 15(b) of the Consumer Product Safety Act and to file all required reports timely and accurately.
The written plan or policy also should contain a code of conduct setting forth the organization’s commitment to compliance and should be approved by the board of directors (or equivalent governing body).
Management oversight, responsibility, and accountability. High-level individuals within the organization must have overall responsibility for compliance. As articulated by several federal agencies, these senior executives should possess “appropriate authority within the organization, adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively.” “Adequate autonomy” includes direct access to the entity’s board of directors or governing authority (or a committee with delegated authority).
At the board level, because directors must be knowledgeable about and exercise reasonable oversight over compliance, management should routinely advise the board (or applicable board committee) of compliance initiatives, identified compliance deficiencies and related corrective action taken.
Communication and training. Employees should be trained on compliance policies and procedures. Applicable regulatory requirements and the entity’s related policies, procedures, and processes should be clearly communicated. Penalties for not adhering to internal policies and regulatory requirements also should be covered. Training should be ongoing and should address legal developments and changes to compliance policies and procedures.
Internal controls and recordkeeping. In addition to mechanisms to prevent violations, a compliance program should incorporate adequate processes to make and keep accurate books and records of potential product safety issues and legal violations. The “control environment” should include procedures to record these product safety matters and to review and analyze the records with a goal of detecting product safety issues, proactively remediating them and reporting to the CPSC as required by law.
Consistent enforcement through disciplinary measures and remedial action. Adherence to compliance policies and procedures should be enforced consistently. Employees should be held accountable for compliance failures. Additionally, the organization should take steps to address compliance weaknesses.
A mechanism for confidential employee reporting of compliance-related concerns. An effective compliance program should provide confidential means for reporting concerns. Many companies employ a “hotline” mechanism, coupled with a protocol for the intake, triage, investigation, and disposition of allegations.
Compliance Programs and Governance
The effectiveness of any compliance program will depend in part on integrating the program with a governance structure appropriate to the entity. Establishing a clear and well-defined reporting structure formalizes oversight and accountability.
Board oversight. The board of directors ultimately is responsible for compliance oversight. A director’s duty of care includes a requirement to make good faith efforts to ensure that the corporation has reporting and information systems that are adequate to detect potential violations of law. Not only must the board confirm that a reasonable compliance program has been adopted, but the board also should approve key elements of the compliance program and oversight framework. In addition, the board should assess the program’s general effectiveness through regular management reports. Significantly, where an effective compliance program is not in place, directors could be liable for losses resulting from failure to comply with applicable legal standards.
Paralleling corporate law developments emphasizing the board’s compliance function, some agencies have imposed specific compliance-related obligations on board members in enforcement actions. Directors, for instance, have been required individually to certify that the full board reviewed and made “reasonable inquiry” into the compliance program and concluded that an effective compliance program had been implemented.
Day-to-day management operation of compliance. In keeping with management’s operational responsibilities, management should implement compliance procedures and manage legal compliance on a day-to-day basis. Not only should “high-level” individuals be responsible for compliance, those individuals should have direct access to the board or board committee with compliance oversight responsibility.
In regulatory enforcement developments that echo compliance-related certifications required of directors, similar certificates have been required of management employees. In one instance, individual senior executives were required to certify that:
they had been trained on and understood the compliance requirements applicable to the business under their supervision;
their job responsibilities included “ensuring compliance;” and
the business under their supervision complied with applicable regulatory requirements.
Such enforcement requirements highlight the importance of defining, and educating management on, compliance responsibilities.
Document retention. A document retention policy is another articulated component of an effective compliance program. Senior executives should be familiar with document retention policies and operational personnel should make certain that compliance activities (such as training sessions) are appropriately documented and that related records are retained.
In emphasizing and requiring compliance programs in various contexts, CPSC is reflecting well-established precedent and principles regarding effective compliance programs. At the same time, CPSC is allowing substantial flexibility for regulated entities to tailor compliance programs to the specific risk profile, operations, internal controls, and governance structure of the company.
The author is the general counsel of the United States Consumer Product Safety Commission (CPSC). This article expresses the author’s views; the article has not been reviewed or approved by, and may not necessarily reflect the views of, the Commission.