The five elements are:
- Risk Assessment
- Standards and Controls
- Training and Communications
This point means more than the “tone at the top; a successful compliance program must be built on a solid foundation of ethics that are fully and openly endorsed by the company’s senior management. Management’s commitment to compliance should be unambiguous, visible and active. Even more important than support or the right tone, compliance standards require companies to have a high-ranking compliance officer with the authority and resources to manage the program on a day-to-day basis. The compliance officer must also have unrestricted access and a direct reporting line to those responsible for the corporate conduct, including the Board of Directors.
Valuable questions regarding the leadership of a compliance program are: How is Board oversight implemented? Does the company have an ethics or audit committee reporting to the full Board? What is the role of the Chief Compliance Officer? What is the role of the company’s general counsel? How do the legal and compliance departments interact? Does the Chief Compliance Officer have “real power?”
The Board of Directors has an equally key role to fulfill. The Board must ensure compliance policies, systems and procedures are in place. The Board is also responsible for providing the resources needed to effectively implement the compliance program. Additionally, the Board should monitor the implementation and effectiveness of the compliance program by:
- Being actively involved
- Attending Board meetings
- Reviewing, considering and evaluating the information provided
- Inquiring further when presented with potential issues or questionable circumstances
- Acting on potential compliance issues as soon as the Board is aware of them
- Regularly receiving compliance briefings and trainings
The implementation of an effective compliance program is more than simply following a set of compliance regulations or providing effective training. Compliance issues touch many areas of the company and you need to know not only what your highest risks are, but where to focus your efforts to mitigate them and move forward. A risk assessment is designed to provide a big picture of your overall compliance obligations and then identify the areas of high risk in order to prioritize and allocate your resources to the appropriate areas first.
What are some of the areas where you need to assess your risks?
- Products and services?
- Customers and entities?
- Geographic locations?
- Business opportunities and partnerships?
- Transaction risk?
In addition to an initial risk assessment used to either: (1) develop your compliance program or (2) help you identify high risks and prioritize their remediation, risk assessments should be a regular, systemic part of the compliance efforts rather than an occasional ad hoc effort exercised when convenient or after a crisis has occurred. It is recommended that risk assessments be prepared close to the same time each year or prior to when new products or services are introduced. Annual risk assessments act as a strong preventive measure if they are performed before something goes wrong and help you avoid a “wait and see” approach.
Standards and Controls
Generally, every company has three levels of standards and controls:
- Code of conduct – a must have for each company expressing its ethical principles. However, a Code of Conduct is not enough.
- Standards and policies –policies in place that build upon the foundation of the code of conduct and articulate code-based policies, which should cover such issues as bribery, corruption and accounting practices.
- Procedures – enabling applied procedures to confirm the policies are implemented, followed and enforced.
The purpose of establishing effective standards and controls is to demonstrate that your compliance program is more than words on a piece of paper.
Training and Communication
An important pillar of a strong compliance program is properly training company officers, employees and third parties on relevant laws, regulations, corporate policies and prohibited conduct. There are several key elements to training. First, you need to train the right people. You must prioritize which audience to educate by starting your training program in higher risk areas and focusing on directors, officers and sales employees. Second, for high-risk industries, it is recommended to provide in-person annual training for employees and third parties. Enforcement officials have made it clear that the most effective training is presented in-person, regularly and frequently. Another benefit of in-person training is the immediate feedback from the audience, which would be much less likely to occur during a webinar or other remote training. Lastly, during in-person training, employees are more likely to make casual mention of a potential risky practice, giving the company the opportunity to address the situation before it becomes a larger problem.
It is important to pay attention to what employees say during training. This is because training can alert you to potential problems based on the types of questions employees ask and their level of receptiveness to certain concepts.
Even after all the important ethical messages from management have been communicated to the appropriate audiences and essential standards and controls are in place, the key question is: are your employees following the company’s compliance program?
Monitoring is a commitment to ongoing assessment of compliance programs, detecting issues in real time and then reacting quickly to remediate the findings. Reviewing is a more limited process that targets a specific business component, region or market sector during a particular time period in order to uncover and/or evaluate certain risks.
Finally, what are your remediation efforts? Your company should remediate problems quickly. A key concept behind the oversight element of compliance is that if a company is policing itself on compliance-related issues, the regulators will not have to do it for them. Remediation, then, is an important component of oversight. It is not enough to just gather information and identify compliance problems through monitoring and reviews. To fulfill this essential element of a compliance program, you also have to respond and fix the problems.
By following the “five essential elements” approach, your company can virtually meet any legal requirement you come up against when doing business anywhere in the world.