Navigating the current regulatory environment can be a challenging exercise requiring extensive planning, strategic thinking, and the coordination of many different resources. Companies should:
- Examine their business activities carefully.
- Identify the areas that create risk for the company.
- Consider how to structure a compliance program that effectively addresses those risks.
This checklist provides an overview of the key business and legal issues to consider when developing, implementing, and maintaining an effective legal compliance program. While it covers the principal considerations involved in building a US-based program, many of the steps and issues discussed also apply to programs for multinational companies.
The checklist addresses program benefits, tone from the top, the role of chief compliance officer, coordination of internal resources, geographic and cultural challenges, risk assessment, hallmarks of an effective program, integration of mergers and acquisitions, program documentation, and compliance as a strategic partner.
Lay the Groundwork for the Compliance Program
Counsel (or other compliance program sponsor within the company) should lay the groundwork for an effective compliance program by taking the following preliminary steps:
- Build support for the program across the organization, obtaining the buy-in of the company’s governing body (such as the board of directors or board of managers), senior management, and key employees.
- Create the infrastructure for a centralized compliance program.
- Inventory and coordinate the existing compliance activities within the organization.
- Anticipate potential challenges that the compliance program may face in the geographic areas relevant to the company.
- Assess the company’s risks and determine the actions needed to address those risks.
Present the Business Case for the Compliance Program
If the company’s governing body and senior management are not already committed to developing a robust compliance program, counsel may need to advocate for the program by explaining its practical benefits. An effective compliance program puts in place internal controls that help a company:
- Prevent violations of law. Particular consideration should be given to the potential criminal and civil liability that corporations, officers, and directors may face as a result of actions taken by corporate personnel.
- Reduce liability for misconduct. An effective program can identify potential problems early, which may allow the company to:
  - apply for amnesty or reduced sanctions under voluntary disclosure programs offered by certain regulatory agencies;
  - qualify for cooperation credit toward reduced charges and sanctions or no enforcement action at all (declinations);
  - reduce the measurement of organizational culpability and the calculation of fines under the Federal Sentencing Guidelines for Organizations (Organizational Guidelines) of the U.S. Sentencing Commission (U.S. Sentencing Guidelines § 8C2.5(f)(1)); and
  - avoid criminal liability for offenses requiring proof of intent by demonstrating the company’s due diligence in preventing illegal conduct.
- Improve the company’s operations. A centralized program can reduce fraud, abuse, and waste and optimize compliance processes and business decisions.
- Build stakeholder trust. A robust program helps demonstrate that the company values integrity, transparency, and accountability in its business.
Obtain Top Level Commitment and Support
Once the company’s governing body and senior management understand the importance of an effective compliance program, they should take steps to ensure its success by:
- Instilling a culture of integrity that starts at the top (tone from the top).
- Providing strong, explicit, and visible support for the program and its policies and procedures.
- Giving the program sufficient stature within the company.
- Supplying the program with the necessary personnel and resources to succeed.
- Emphasizing the vital role that compliance plays in the company’s performance and success.
Appoint a Chief Compliance Officer
To create the infrastructure for a centralized compliance program:
- Create the role of chief compliance officer (CCO) to have overall responsibility for the program.
- Select a high-level individual with sufficient authority to fill the role.
- Ensure the individual has the necessary qualifications and experience to perform the role.
- Determine where the role should reside within the organization. Consider implementing one of the three most common structures:
  - the general counsel (GC) is appointed CCO and serves dual roles as both GC and CCO;
  - the CCO is a separate individual but reports to the GC; or
  - the CCO is independent of the GC and reports directly to the chief executive officer (CEO) and the governing body.
Given the nature of the company’s business, size, resources, and other specific circumstances, consider and compare how each possible structure will:
- Meet requirements under the Organizational Guidelines that a person with sufficient authority should oversee the compliance program and have direct access to the governing body (see U.S. Sentencing Guidelines § 8B2.1(b)(2)).
- Capitalize on operational efficiencies in how the GC and CCO functions overlap and cooperate. In overlapping areas of responsibility, clearly define and divide the roles of the GC and CCO.
- Increase or reduce costs for the company.
- Affect the company’s attorney-client privilege when conducting internal investigations and other compliance-related activities.
- Handle conflicts of interest between the GC and CCO roles.
- Incorporate checks and balances around the compliance program.
- Allocate the CCO’s time, resources, and attention to the compliance program.
Coordinate Internal Resources
To eliminate inefficiency and duplication in the company’s compliance activities:
- Identify the business functions and processes within the company that already play a role in maintaining compliance.
- Determine if any additional roles may be relevant to the regulations, statutes, and other requirements applicable to the company.
- Collaborate with these key internal stakeholders to align compliance standards, procedures, and processes.
Once these key internal stakeholders are identified:
- Engage them early in the development process to solicit feedback for program improvement and instill a sense of involvement in and ownership of the program.
- Obtain their buy-in and support.
- Assemble an internal team of compliance champions to increase the impact of the company’s compliance function at the local level and within individual corporate groups.
Consider Geographic Scope and Cultural Differences
The geographic areas that are relevant to a compliance program include where the company’s:
- Business operations and employees are located.
- Materials are sourced.
- Suppliers and customers are located.
- Key business partners operate.
To develop a compliance program that is effective in the local context:
- Review the risks that are specific to the company’s relevant geographic areas.
- Research how competitors respond to compliance issues in those geographic areas.
- Obtain feedback from applicable stakeholders in the field on how to bridge geographic divides and cultural gaps.
- Incorporate practical steps and specific examples and advice that make the program relevant to the local audience.
- Communicate compliance policies and procedures in a variety of styles and languages that are relevant to the target audience.
- Identify and address other cultural sensitivities that affect how the company implements the program.
Conduct an Initial Risk Assessment
Counsel should partner with the company’s internal audit function or engage external resources to:
- Analyze the organization’s business activities.
- Thoroughly review the regulatory and contractual requirements applicable to the business.
- Create a risk profile or risk matrix that:
  - identifies potential legal risks within the organization;
  - assesses the level of risk for each risk area;
  - ranks each risk area by the likelihood of a violation; and
  - quantifies the likely damage to the organization from a violation.
Implement the Core Elements of an Effective Compliance Program
Once the company has identified its key risks, it should design its compliance strategies to address those risks. This includes taking steps to implement the core elements of an effective compliance program.
Demonstrate Strong Organizational Leadership and Ethical Culture
The company’s governing body and senior management should:
- Set the tone from the top and promote a culture that encourages ethical conduct and compliance.
- Be knowledgeable about the compliance risks of the company.
- Adopt and approve compliance policies and procedures.
- Promote the program by providing strong political and verbal support, adequate funding, and appropriate resources.
- Empower the CCO with appropriate authority and independence to implement the program.
- Stay current on the content and operation of the program and provide appropriate input and feedback to the CCO.
Other mid-level managers and supervisors should:
- Also be knowledgeable about the compliance program.
- Echo the tone from the top and provide a supportive tone in the middle.
Create Standards and Procedures to Prevent and Detect Misconduct
In determining the standards of conduct and internal controls and procedures to implement, consider:
- The standards called for by any applicable government regulation.
- Industry practice.
- The size of the organization.
- Any misconduct that has occurred in the past.
At a minimum:
- Prepare a code of conduct and ethics with a statement of organizational values from the company’s top executive (such as the CEO, president, executive director, or equivalent role). If the company is a public company, it must comply with the requirements of the Sarbanes-Oxley Act of 2002 (SOX) and applicable securities exchanges.
- Create, maintain, and distribute an employee handbook.
- Implement other written policies and procedures for employees and relevant third parties.
- Implement financial and accounting controls.
- Extend the compliance program to all of the company’s subsidiaries, including its non-US entities.
- Make clear that all directors, officers, and employees are expected to follow these policies.