There's no shortage of guidance from regulators around the world on what a good compliance program should entail.

In theory, documents such as the U.S. Federal Sentencing Guidelines and many others should help compliance departments design robust, sensible programs. In practice, however, the proliferation of such guidance can make the job daunting and confusing.

The U.K. Bribery Act of 2010, for instance, outlines six principles it says should form the foundation of any company's efforts to prevent bribery. The Organization for Economic Cooperation and Development has identified a dozen practices that constitute its “good practice guidance on internal controls, ethics, and compliance.” And, the Sentencing Guidelines, which some consider a roadmap for building a compliance function, devote several pages to the elements Uncle Sam considers essential to effective compliance programs.

“It's getting complicated,” says Paul McNulty, head of the business crimes and investigations practice and chair of the global corporate compliance steering committee at law firm Baker & McKenzie. The various guidelines can pull companies in different directions, as they emphasize various aspects of compliance.

Of course, the answer isn't to simply ignore the guidance, says McNulty. He and his colleagues reviewed the various guidelines and found a set of “core subjects” common to all. “They are in all lists around the world.” Understanding and effectively applying these concepts can help compliance officers meet, or even exceed, the expectations set by government entities across the globe.

Leadership

The starting point in any effective compliance program is leadership. “Tone at the top” may have become a business cliché, but that doesn't make it any less important. Indeed, the Federal Sentencing Guidelines state that an effective compliance program will “promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”

A compliance program that lacks a firm, vocal commitment from an organization's executive team faces an uphill battle, says Joseph Spinelli, managing director of the global investigations and compliance practice of Navigant Consulting. “Without this, it's rare that we see an effective program. It takes the highest level of management to be involved in setting the tone.”

The CEO plays the starring role in developing a strong ethical culture, but the effort can only succeed with a good supporting cast, starting with the board of directors. A major element of effective compliance leadership is strong governance, McNulty says. That hinges, in large part, on the quality and level of oversight provided by a company's board of directors.

The strength of an organization's compliance leadership also can be assessed, at least to some degree, by the level of investment in the program, McNulty says. The executive team has to be willing “to invest someone with responsibility to build the program,” he says. He or she needs access to the human and technical resources required to establish a quality compliance program.

Until recently, compliance often has been an offshoot of another department, such as finance or legal, notes Mark Schlageter, president of the governance, risk, and compliance business at Thomson Reuters. Given the proliferation of new regulations and heightened enforcement, today's compliance departments often merit their own leadership teams, he adds.

Risk Assessment

Before any compliance policies and practices are put into place, an organization must assess the risks it needs to manage. The question is: “What do we face as a company that might be unique to us?” McNulty says. “What are we trying to manage?”

Neglecting to conduct a solid risk assessment weakens the foundation of a compliance program. Moreover, any regulator investigating an organization's compliance efforts will expect to see that it first identified and examined the risks to which it's exposed, and then developed policies and procedures around those exposures, he adds.

An organization's risk assessment should take into account changing regulatory expectations, as well as industry best practices, says Schlageter. “If you don't understand where you are in the industry, you're starting behind the eight-ball.”

Another factor to consider is an organization's relationships with intermediaries or third parties, Spinelli notes. Several recent enforcement cases hinged on a company's use of third parties to improperly win business. An example is the Justice Department's 2010 settlement with Alcatel-Lucent, in which the company agreed to pay a $92 million penalty and implement rigorous compliance enhancements.

“Starting in the 1990s and continuing through late 2006, Alcatel pursued many of its business opportunities around the world through subsidiaries like Alcatel CIT and Alcatel de Costa Rica using third-party agents and consultants who were retained by Alcatel Standard. This business model was shown to be prone to corruption, as consultants were repeatedly used as conduits for paying bribes to foreign officials and business executives of private customers to obtain or retain business in many countries,” a release from the Justice Department stated.

A credible risk assessment policy, like any element of an effective compliance program, isn't a one-off event. Most organizations will want to re-assess their risk profile about once a year, McNulty says, and after transformative events, such as a major acquisition or joint venture. “It's a big change in the risk profile,” McNulty adds. Often, the individuals directing these deals focus primarily on the purchase price and the need to move quickly, rather than any lurking compliance issues. Yet the addition of large numbers of new employees and third parties, often unknown to the acquirer, can present significant risks.

Policies and Controls

After identifying all significant risks, an organization is ready to begin developing policies, procedures, and a code of conduct, to translate general principles into rules that should guide employees' actions, McNulty says.

For example, Google's code of conduct outlines the practices that allow employees to put its well-known motto, “Don't be evil,” into practice. The code instructs employees on handling confidential information from competitors or former employers that they may come across: “We respect our competitors and want to compete with them fairly. But we don't want their confidential information,” Google's code of conduct reads. “The same goes for confidential information belonging to any Googler's former employers. If an opportunity arises to take advantage of a competitor's or former employer's confidential information, don't do it.”

Training and Communication

Even the most eloquent policies and procedures are of little use until employees, as well as others working on behalf of an organization, know and understand them. Providing training on the application of the organization's policies and expectations is critical, McNulty says.

This requires first identifying just who should receive instruction. While many companies recognize the need to train employees, some overlook the need to provide it to third parties, McNulty says. For instance, if the intermediaries will be establishing relationships with government officials, the organization will want to make sure they understand its policies regarding bribes.

Another step is determining which venues will be most effective in disseminating information. This will depend on, among other factors, the concepts to be covered and the location of the employees receiving training. For some topics—the steps involved in conducting an investigation into a bribery allegation, for example—in-person training may work best. In other cases, such as when employees are scattered across the globe, online training may be the most practical option.

Oversight

Once an organization has a program in place, it needs a robust process for overseeing it, McNulty says. Along with ongoing monitoring, regular audits, in which the program is reviewed in a “deeper dive,” are paramount, he adds. Finally, the organization needs a method for responding to and investigating any allegations of improprieties.

One area in which some companies commonly fall short is in documenting the actions they've taken to respond to allegations or red flags, Spinelli notes. That is, a firm may appropriately investigate an incident, but neglect to record its follow-up efforts. If the organization itself is investigated by a government agency, management may then have a difficult time making the case that it has properly addressed the situation and that it has an effective compliance program in place.

Another danger compliance executives need to guard against is a check-the-box mentality, in which compliance efforts become mechanical, rather than thoughtful and conscientious. “You want to say that this is a way of life for us as a company,” McNulty points out. “You want the message to be: ‘This matters a lot. This is part of our business. Compliance is at the core of who we are.'”