TIf you’re a compliance officer, you have a good idea of what constitutes an effective compliance program. You’ve worked diligently to put the right pieces in place in your organization and continue to provide support and monitoring to help ensure the program works as intended. And especially if your company is in a highly regulated industry, you know who’s looking over your shoulder and ready to pounce if a significant compliance event transpires.

We recently heard from Assistant Attorney General Leslie Caldwell about what she and her staff considers what is—or is not—an effective compliance program. And make no mistake—the Assistant AG, who is chief of the Justice Department’s Criminal Division, and her newly hired compliance counsel—are using specified criteria in assessing your compliance program and considering whether to bring charges against your company. These criteria are being used to test the validity of a company’s claims about its program, including whether it is thoughtfully designed and sufficiently resourced to address the company’s compliance risks, or rather is simply “window dressing.”

In a recent speech outlining the criteria, the Criminal Division head provided an element of comfort, saying that no one size fits all, no compliance program is foolproof, and they recognize the challenges of implementing an effective compliance program—adding that “we’re not interested in prosecuting mistakes or accidents, or bad business judgments.”  But she also said that a surprising number of companies lack rigorous programs, and even more companies have what appear to be good structures on paper but fail in practice to devote adequate resources and management attention—with others failing to consider obvious risks in important parts of the business.

The Criteria

So, what makes up an effective compliance program? In speaking recently to the Securities Industry and Financial Markets Association Compliance and Legal Society, the Assistant AG outlined the critical elements to be used in evaluating programs and working “with our prosecutors.” But as we’ll see in a moment, key elements absolutely critical to making a compliance program work are missing.

[F]or a compliance program to be truly effective, responsibility must rest with line management and be built into HR processes, culture must be based on integrity and ethical values, and communication channels must be in place and operating as needed.

Here’s what she and her staff look for:

Does the institution ensure its directors and senior managers provide strong, explicit, and visible support for its compliance policies? 

Do those responsible for compliance have stature within the company?  Do they get adequate funding and access to resources? Are compliance policies clear, easily understood by employees, and translated into languages they speak?

Are the policies effectively communicated to all employees, and the written policies easy to find? Is there repeated training, including direction on what to do when issues arise?

Does the institution review its policies and practices to keep them up-to-date with evolving risks and circumstances—especially important where a U.S.-based entity acquires or merges with a foreign business?

Are there mechanisms to enforce compliance policies, including incentivizing good compliance and disciplining violations?  Is discipline even handed—or are low-level employees terminated while senior people who directed or deliberately turned a blind eye to the conduct suffer no consequences?

Does the institution sensitize vendors, agents, consultants, and other third parties to the expectation that its partners are also serious about compliance? Does it do more than include boilerplate language in contracts, but rather takes such action as terminating a business relationship if a partner demonstrates a lack of respect for laws and policies?

Is the company candid and forthcoming with regulators?

Further, in investigations the Criminal Division looks at messages conveyed to employees, through in-person meetings, emails, telephone calls and compensation, and whether the company tolerated compliance failures year after year because the alternative would have meant a reduction in revenues or profits.

Helpful, but …

Yes, the criteria outlined here are useful and provide some basis for assessing and enhancing a compliance program. But with all due respect, the reality is that they miss several factors that are crucial for a compliance program to be truly effective.

One such factor is that responsibility for compliance must be in the right place. The focus above is largely on the compliance officer and supporting staff, but experience shows that no chief compliance officer can be positioned to ensure effective compliance, and he or she should not have primary responsibility for it. I’ve seen many companies that place that responsibility on the compliance officer’s shoulders, and it simply does not and cannot make sense. Yes, a compliance officer should have sufficient resources to ensure that the pieces of the program are in place, policies are appropriate, communications are made, training is effective and ongoing, third parties are involved, dealings with regulators are effective, and the like.

But for a program to function effectively, responsibility for compliance must rest first and foremost with line management. That begins at the top, with the CEO, cascading down through his or her direct reports and managers throughout the organization—each in their spheres of responsibility.  Managers closest to the action—those dealing with customers, trading partners, and counterparties, in all markets and venues—are positioned and must be equipped and have direct responsibility for legal and regulatory compliance in their spheres of operation.  Those are the individuals who must know the rules, and work first-hand with their personnel, and take responsibility for ensuring the compliance program operates effectively in their business units. The Assistant AG says that often you as compliance officer are the first line of defense against financial crimes, but that simply is not workable—and hopefully the Justice Department will come to recognize that. Yes, the chief compliance officer provides support and monitoring, and internal audit looks as well.  And regulators and indeed a number of CEOs with whom I’ve worked would like to look to the chief compliance officer as having that responsibility.  It may be convenient to do so, but it is short-sighted and misguided.

Another missing piece critical to effectiveness is integrating compliance into human resources measurement processes. Attention to compliance programs and effectively dealing with compliance matters must be an essential element of how performance is assessed and rewarded. Compliance needs to be included in objectives setting, evaluations, and salary adjustment and promotion considerations. Where managers don’t perform appropriately, disciplinary action must be taken. And note that we’re not talking about acting when violations occur, but rather determining whether managers are fully and effectively carrying out their compliance responsibilities in their business units—on an ongoing basis, before violations occur.

And there’s more. Compliance programs will not work well unless a company has a tone and the top, and culture throughout, based on integrity and ethical values. If they’re truly in place, virtually all business decisions are going to be based on a foundation of doing the right thing—including adhering to legal and regulatory requirements. Further, there must be effective communication channels throughout the management reporting hierarchy, as well as alternative whistleblower channels that are well designed, understood, accepted, and used as needed. These are topics unto themselves for another time.

Tipping Our Hats to the Assistant AG

We should compliment Ms. Caldwell for outlining important elements of an effective compliance program, and understand that she and her more than 600 lawyers will be using such elements in their investigation and enforcement actions. But let’s also recognize that for a compliance program to be truly effective, responsibility must rest with line management and be built into HR processes, culture must be based on integrity and ethical values, and communication channels must be in place and operating as needed. These additional elements are absolutely critical to success.