GPSolo eReport

Developing a Legal Compliance Program Checklist

Helen L Respass

  • This checklist outlines the key steps to take and the principal issues to consider when developing, implementing, and maintaining a legal compliance program.
  • The checklist addresses program benefits, tone from the top, the role of the chief compliance officer, coordination of internal resources, and geographic and cultural challenges.
  • The checklist also addresses risk assessment, hallmarks of an effective program, integration of mergers and acquisitions, program documentation, and compliance as a strategic partner.

Navigating the current regulatory environment can be a challenging exercise requiring extensive planning, strategic thinking, and the coordination of many different resources. Companies should:

  • Examine their business activities carefully.
  • Identify the areas that create risk for the company.
  • Consider how to structure a compliance program that effectively addresses those risks.

This checklist provides an overview of the key business and legal issues to consider when developing, implementing, and maintaining an effective legal compliance program. While it covers the principal considerations involved in building a US-based program, many of the steps and issues discussed also apply to programs for multinational companies.

The checklist addresses program benefits, tone from the top, the role of chief compliance officer, coordination of internal resources, geographic and cultural challenges, risk assessment, hallmarks of an effective program, integration of mergers and acquisitions, program documentation, and compliance as a strategic partner.

Lay the Groundwork for the Compliance Program

Counsel (or other compliance program sponsor within the company) should lay the groundwork for an effective compliance program by taking the following preliminary steps:

  • Build support for the program across the organization, obtaining the buy-in of the company’s governing body (such as the board of directors or board of managers), senior management, and key employees.
  • Create the infrastructure for a centralized compliance program.
  • Inventory and coordinate the existing compliance activities within the organization.
  • Anticipate potential challenges that the compliance program may face in the geographic areas relevant to the company.
  • Assess the company’s risks and determine the actions needed to address those risks.

Present the Business Case for the Compliance Program

If the company’s governing body and senior management are not already committed to developing a robust compliance program, counsel may need to advocate for the program by explaining its practical benefits. An effective compliance program puts in place internal controls that help a company:

  • Prevent violations of law. Particular consideration should be given to the potential criminal and civil liability that corporations, officers, and directors may face as a result of actions taken by corporate personnel.
  • Reduce liability for misconduct. An effective program can identify potential problems early, which may allow the company to:
    • apply for amnesty or reduced sanctions under voluntary disclosure programs offered by certain regulatory agencies;
    • qualify for cooperation credit toward reduced charges and sanctions or no enforcement action at all (declinations);
    • reduce the measurement of organizational guilt and calculation of fines under the Federal Sentencing Guidelines for Organizations (Organizational Guidelines) of the U.S. Sentencing Commission (U.S. Sentencing Guidelines § 8C2.5(f)(1)); and
    • avoid criminal liability for offenses requiring proof of intent by demonstrating the company’s due diligence in preventing illegal conduct.
  • Improve the company’s operations. A centralized program can reduce fraud, abuse, and waste and optimize compliance processes and business decisions.
  • Build stakeholder trust. A robust program helps demonstrate that the company values integrity, transparency, and accountability in its business.

Obtain Top Level Commitment and Support

Once the company’s governing body and senior management understand the importance of an effective compliance program, they should take steps to ensure its success by:

  • Instilling a culture of integrity that starts at the top (tone from the top).
  • Providing strong, explicit, and visible support for the program and its policies and procedures.
  • Giving the program sufficient stature within the company.
  • Supplying the program with the necessary personnel and resources to succeed.
  • Emphasizing the vital role that compliance plays in the company’s performance and success.

Appoint a Chief Compliance Officer

To create the infrastructure for a centralized compliance program:

  • Create the role of chief compliance officer (CCO) to have overall responsibility for the program.
  • Select a high-level individual with sufficient authority to fill the role.
  • Ensure the individual has the necessary qualifications and experience to perform the role.
  • Determine where the role should reside within the organization. Consider implementing one of the three most common structures:
    • the general counsel (GC) is appointed CCO and serves dual roles as both GC and CCO;
    • the CCO is a separate individual but reports to the GC; or
    • the CCO is independent of the GC and reports directly to the chief executive officer (CEO) and the governing body.

Given the nature of the company’s business, size, resources, and other specific circumstances, consider and compare how each possible structure will:

  • Meet requirements under the Organizational Guidelines that a person with sufficient authority should oversee the compliance program and have direct access to the governing body (see U.S. Sentencing Guidelines § 8B2.1(b)(2)).
  • Capitalize on operational efficiencies in how the GC and CCO functions overlap and cooperate. In overlapping areas of responsibility, clearly define and divide the roles of the GC and CCO.
  • Create or save costs for the company.
  • Impact the company’s attorney-client privilege when conducting internal investigations and other compliance-related activities.
  • Handle conflicts of interest between the GC and CCO roles.
  • Incorporate checks and balances around the compliance program.
  • Allocate the CCO’s time, resources, and attention to the compliance program.

Coordinate Internal Resources

To eliminate inefficiency and duplication in the company’s compliance activities:

  • Identify the business functions and processes within the company that already play a role in maintaining compliance.
  • Determine if any additional roles may be relevant to the regulations, statutes, and other requirements applicable to the company.
  • Collaborate with these key internal stakeholders to align compliance standards, procedures, and processes.

Once these key internal stakeholders are identified:

  • Engage them early in the development process to solicit feedback for program improvement and instill a sense of involvement in and ownership of the program.
  • Obtain their buy-in and support.
  • Assemble an internal team of compliance champions to increase the impact of the company’s compliance function at the local level and within individual corporate groups.

Consider Geographic Scope and Cultural Differences

The geographic areas that are relevant to a compliance program include where the company’s:

  • Business operations and employees are located.
  • Materials are sourced.
  • Suppliers and customers are located.
  • Key business partners operate.

To develop a compliance program that is effective in the local context:

  • Review the risks that are specific to the company’s relevant geographic areas.
  • Research how competitors respond to compliance issues in those geographic areas.
  • Obtain feedback from applicable stakeholders in the field on how to bridge geographic divides and cultural gaps.
  • Incorporate practical steps and specific examples and advice that make the program relevant to the local audience.
  • Communicate compliance policies and procedures in a variety of styles and languages that are relevant to the target audience.
  • Identify and address other cultural sensitivities that affect how the company implements the program.

Conduct an Initial Risk Assessment

Counsel should partner with the company’s internal audit function or engage external resources to:

  • Analyze the organization’s business activities.
  • Thoroughly review the regulatory and contractual requirements applicable to the business.
  • Create a risk profile or risk matrix that:
    • identifies potential legal risks within the organization;
    • assesses the level of risk for each risk area;
    • prioritizes the likelihood of a violation; and
    • quantifies the likely damage to the organization from a violation.

Implement the Core Elements of an Effective Compliance Program

  • Once the company has identified its key risks, it should design its compliance strategies to address those risks.
  • This includes taking steps to implement the core elements of an effective compliance program.

Demonstrate Strong Organizational Leadership and Ethical Culture

The company’s governing body and senior management should:

  • Set the tone from the top and promote a culture that encourages ethical conduct and compliance.
  • Be knowledgeable about the compliance risks of the company.
  • Adopt and approve compliance policies and procedures.
  • Promote the program by providing strong political and verbal support, adequate funding, and appropriate resources.
  • Empower the CCO with appropriate authority and independence to implement the program.
  • Stay current on the content and operation of the program and provide appropriate input and feedback to the CCO.

Other mid-level managers and supervisors should:

  • Also be knowledgeable about the compliance program.
  • Echo the tone from the top and provide a supportive tone in the middle.

Create Standards and Procedures to Prevent and Detect Misconduct

In determining the standards of conduct and internal controls and procedures to implement, consider:

  • The standards called for by any applicable government regulation.
  • Industry practice.
  • The size of the organization.
  • Any misconduct that has occurred in the past.

At a minimum:

  • Prepare a code of conduct and ethics with a statement of organizational values from the company’s top executive (such as the CEO, president, executive director, or equivalent role). If the company is a public company, it must comply with the requirements of the Sarbanes-Oxley Act of 2002 (SOX) and applicable securities exchanges.
  • Create, maintain, and distribute an employee handbook.
  • Implement other written policies and procedures for employees and relevant third parties.
  • Implement financial and accounting controls.
  • Extend the compliance program to all of the company’s subsidiaries, including its non-US entities.
  • Make clear that all directors, officers, and employees are expected to follow these policies.

Provide Oversight, Autonomy, and Resources for the Compliance Function

The compliance program should be overseen by a CCO and compliance personnel who have appropriate authority within the company, adequate autonomy from management, and sufficient resources to effectively implement the program. Depending on the size of the organization, consider designating one or more high-level personnel to support the CCO, with day-to-day responsibility for the operation of the program. In selecting the CCO and other compliance personnel:

  • Avoid assigning compliance responsibilities to individuals who have engaged in illegal activities or other conduct inconsistent with an effective compliance program.
  • Conduct due diligence on the individuals, including background and reference checks.
  • Screen individuals against applicable government watch lists.

Train and Communicate on Compliance Matters

At least once a year, train the company’s directors, officers, employees (including new employees during onboarding) and, where appropriate, agents and business partners, and regularly communicate with them on:

  • The laws and policies applicable to them.
  • Activities prohibited under those laws and policies.
  • Ways to recognize and report potential violations.
  • The penalties for violations.

To be considered effective, training and communications should:

  • Apply different styles that resonate with the target audience and use languages that are understood in the applicable geographic areas.
  • Use multiple communication channels to build awareness and reinforce the compliance message (such as through email, intranet postings, town hall meetings, staff meetings, and internal newsletters).
  • Be tailored to the roles and responsibilities of the individual. For example, create training and guidance geared toward:
    • directors that focus on their fiduciary duties;
    • managers and supervisors that review how to respond to employee concerns and handle whistleblower reports; and
    • hiring managers and human resources staff that address how to apply background checks and other hiring and onboarding procedures.

Establish Internal Reporting Mechanisms

The company should:

  • Establish multiple, convenient reporting mechanisms (such as internal or external telephone or online hotlines) for employees and agents (if appropriate) to:
    • seek guidance;
    • raise compliance concerns; and
    • report potential or actual misconduct.
  • Consider that confidential and anonymous hotlines are:
    • required under SOX for public companies to receive reports of accounting and auditing concerns;
    • regarded as best practices by regulators; and
    • subject to regulatory approval and limitations in some non-US jurisdictions.
  • Assure employees that their good faith reports are protected and encouraged and can be made without fear of retaliation.

Use Incentives and Discipline to Promote and Enforce Compliance

The compliance program should include incentive and disciplinary systems and processes to promote and enforce compliance throughout the organization, including:

  • Employee job descriptions that incorporate compliance responsibilities.
  • Performance goals and metrics that require all:
    • senior leaders and company managers to foster a culture of compliance and be accountable for the success of the compliance program; and
    • employees to demonstrate compliant behavior.
  • Compensation incentives and other rewards for employees and managers who demonstrate and promote compliance.
  • Disciplinary policies and employment consequences for non-compliance that are clear, appropriate, fair, and consistently applied, regardless of an individual’s position or status.
  • Internal coordination between the compliance function and other areas of the organization that have primary responsibility for administering discipline.

Investigate and Remediate Misconduct

When the company receives a report of potential or actual non-compliance:

  • Take immediate steps to stop any misconduct.
  • Ensure that no retaliatory action is taken against the reporter.
  • Promptly and thoroughly investigate the report.
  • If appropriate, report the violation and investigation findings to and cooperate with the applicable government agency.
  • Take remedial action that is appropriate and adequate given the nature of the misconduct and the resulting harm.
  • Discipline the culpable individuals.
  • Analyze the root causes of the misconduct and implement corrective measures to address those root causes and prevent similar misconduct in the future.
  • Report regularly to the company’s governing body and senior management on the status and findings of the investigation.
  • Develop protocols for verifying that corrective actions have been completed and for escalating cases when remediation falls behind schedule.

Conduct Due Diligence and Oversee Third-Party Relationships

Third-party relationships can create significant compliance risk for the company. As part of managing this risk:

  • Conduct risk-based due diligence on third parties, including:
    • target companies in a merger or acquisition;
    • joint venture, investment, and other business partners; and
    • agents, consultants, and other third-party representatives.
  • Obtain commitments to compliance from the company’s transaction counterparties.
  • Consider terminating relationships with third parties that fail to behave in a compliant manner.

Monitor and Audit the Program for Effectiveness

The CCO should ensure that the compliance program is effective and being followed by:

  • Continuously monitoring the company’s operations to verify that internal controls, policies, and procedures are in place and being followed.
  • Conducting regular self-assessments of the compliance program, including the structure of the CCO function.
  • Coordinating with internal or external auditors to regularly:
    • confirm that the compliance program’s monitoring function is operating;
    • test compliance with and understanding of the program by conducting employee interviews and surveys, on-site visits, and spot checks;
    • conduct targeted, in-depth audits of high-risk areas for the company; and
    • check if employees are comfortable reporting non-compliance and how they view the company’s commitment to compliance.
  • Measuring the compliance program’s effectiveness and benchmarking findings against previous year results.
  • Identifying compliance gaps and operational weaknesses to recommend program improvements and updates.
  • Reporting the monitoring and audit results and recommendations to the governing body and senior management.
  • Updating the program as necessary.

Conduct Ongoing Risk Assessment to Maintain Program Effectiveness

To maintain an effective compliance program in an ever-changing risk landscape:

  • Analyze the company’s enterprise-wide business activities at least once a year to update its risk profile.
  • Identify opportunities for continuous improvement by evaluating factors such as:
    • program audit results, including employee feedback;
    • compliance reports;
    • changes to the business, including its relevant geographic areas;
    • changes to applicable law, including at the local level;
    • recent litigation and claims;
    • results of benchmarking against the practices of comparable companies;
    • evolving industry standards and new industry enforcement trends; and
    • new regulatory guidance on creating effective compliance programs.
  • Modify and tailor each compliance program element to address the updated risk profile.
  • Re-allocate compliance resources to the highest priority risks.
  • Coordinate the compliance risk assessment with the company’s enterprise risk management (ERM) program.

Take Additional Steps to Enhance the Compliance Program

Integrate Mergers and Acquisitions

All newly merged or acquired companies (acquired targets) should be brought into compliance with applicable laws and policies. The company should:

  • Conduct a post-acquisition risk assessment and audit of the acquired target, including a review of the acquired target’s:
    • compliance program and the competence of its personnel responsible for program oversight;
    • high-risk geographic areas and high sales volume areas to determine the compliance risks prevalent in those areas; and
    • contracts with agents, consultants, and other third-party representatives.
  • Correct any compliance deficiencies at the acquired target and, if appropriate, report non-compliance to the applicable regulators and apply for leniency.
  • Promptly integrate the acquired target into the company’s existing compliance regime, including rolling out the company’s code of conduct and anti-corruption, antitrust, corporate governance, and other relevant policies to the acquired target.
  • Train directors, officers, and employees of the acquired target, and where appropriate, train its agents and business partners, on the company’s compliance policies and procedures.
  • Ensure senior management at the acquired target is committed to compliance and responsible for implementation of the company’s compliance program at the acquired target.
  • Expand the company’s compliance program to meet its enterprise-wide growth needs.

Document All Compliance Efforts

Thoroughly document compliance measures and retain supporting materials so that, if required, the company can prove its commitment to implementing a rigorous compliance program. This includes documentation of:

  • Oversight efforts of the governing body with respect to compliance activities.
  • Training sessions and follow-up for directors, officers, employees and, if appropriate, agents and business partners, including compliance certifications signed by training participants.
  • Due diligence activities, including diligence of compliance personnel, joint venture and other business partners, and agents, consultants, and other third-party representatives.
  • Compliance-related reports received through informal and formal means, including through the company’s reporting mechanisms.
  • Internal investigations and other company action taken in response to reports of non-compliance.
  • Disciplinary actions taken for violating the company’s compliance policies and procedures.
  • Compliance program reviews, remedial measures, and continuous improvement actions undertaken by the company.

Make Compliance a Strategic Partner

The CCO can help senior management identify and remedy potential problems in the company’s infrastructure and strategy by:

  • Participating in strategic planning and execution (such as the development of sales, marketing, or other business plans).
  • Explaining the compliance implications of the strategic options being considered.
  • Evaluating the compliance risks for each strategic option, including the timely identification of pending and recent legislation that can have an impact on strategy.
  • Analyzing the cost of managing the compliance risks for each strategic option.
  • Understanding the risk appetite set by the company’s governing body. The compliance function can support organizational strategy while appropriately managing acceptable levels of compliance risk.
  • Identifying ways to use existing compliance resources to minimize risk and cost.
  • Preparing and helping the company to meet its compliance obligations during the execution of strategic initiatives.

Reprinted with permission from Thomson Reuters Practical Law. © 2022 by Thomson Reuters. All rights reserved. Thomson Reuters is a Sponsor of the GPSolo Division, and this article appears pursuant to the Division’s agreement with them. This article is not an endorsement by the ABA or the Division of any Thomson Reuters product or service.