5 Keys for a Successful Corporate Compliance Program

by LW Consulting Inc. on June 12, 2017
Find me on:

On February 8, 2017, the Department of Justice (DOJ) issued guidance on how they intend to assess corporate compliance programs. Their report titled, "Evaluation of Corporate Compliance Programs," covers what organizations can expect in the event of a criminal investigation. It gives insight into what DOJ prosecutors are looking for when evaluating corporate compliance programs so that providers can prepare themselves in the event of such action.

One item of continued focus for the DOJ is individual accountability and corporate culture. J.C. Watts, a former U.S. Representative from Oklahoma, said "Character is doing the right thing when nobody is looking. There are too many people who think that the only thing that's right is to get by, and the only thing that's wrong is to get caught." These are surely words to live by for any corporation, particularly when speaking about individual accountability. All too often we see reports plastered across the media, from cyber security data breaches to money laundering schemes to technology disruption. One of the best ways companies can combat and prevent these types of misconduct is by implementing an effective corporate compliance program. An effective corporate compliance culture encompasses risk and accountability measures, coupled with routine staff education and training.

To help organizations create a culture of compliance, we've identified 5 keys for a successful corporate compliance program.

1. Leadership: A successful compliance program is fully endorsed by senior management.

It's important to have the support of senior management when developing and implementing a corporate compliance program. Moreover, companies need the authority of senior officers to help manage and enforce the program, including a company's Chief Compliance Officer. In addition to support and endorsement by senior management, a company's board of directors should also be involved in the process. According to Chapter 8 of the United States Sentencing Commission's Organizational Guidelines, "The individual or individuals with operational responsibility for the compliance and ethics program [should] have direct reporting obligations to the governing authority or an appropriate subgroup thereof." So what's the takeaway? When senior officers take compliance seriously, employees are more likely to follow suit. The phrase, "lead by example" best applies here.

2. Risk Assessment: A successful compliance program adopts risk assessment measures for internal controls.

This is an area that should not be overlooked. It's extremely vital that companies conduct routine risk assessments and record their findings, including how they plan to address and reduce risk. It's recommended that companies conduct annual risk assessments. However, it's startling the number of companies that do not conduct risk assessments until something goes wrong, or when they are faced with potential legal action. Because regulations change frequently, it's important for companies to stay current on new laws and tie up any loose ends they may find with internal operations. A risk assessment can help to identify any gaps in a company's business practices.

3. Standards and Controls: A successful compliance program incorporates detailed written procedures and policies for dealing with issues such as bribery, corruption and business practices.

No matter the type of company, there should be policies and procedures in place to identify and prevent misconduct. A company's policies and procedures should be readily available for all employees to access; and upon hire and thereafter, employees should receive training on these policies—as well as made aware of updates when they are available. There should be procedures for screening business partners to performing background checks on new hires and/or contractors. Protocols should also be developed for handling records, especially those where protected health information is involved. Remember, the importance of establishing standards and controls goes beyond having the paper trail, employees need to know and fully understand what is and isn't allowed and the personal consequences of misconduct.

4. Training: A successful compliance program provides education and training for senior management, employees and contractors on applicable laws, regulations, corporate policies and prohibited conduct.

Once a company has developed standards and controls, training is essential to educate employees on these standards. Training should be recurrent, consistent and documented in an employee's personnel file. However, educating employees doesn't stop with training. It's important to analyze if employees retained the information learned. To determine just how effective training efforts are, it's advantageous of companies to not only train employees, but to test employees on the training materials, determine a passing score, and decide when additional training is necessary. Training can be conducted in various formats—live or via online modules. Employees should come away from the training with a better understanding of laws, regulations and corporate policy—including prohibited conduct.

5. Oversight: A successful compliance program has a team to enforce, monitor, audit and respond to allegations and misconduct.

Finally, once a company has developed its compliance program, oversight is key. This can be tricky. Many companies are unsure as to how to provide effective oversight. Oversight involves three key elements: monitoring, auditing and responding. But who takes on this responsibility? Companies should appoint members to a compliance committee, led by a Corporate or Chief Compliance Officer, with the goal of carrying out these three key elements. Monitoring involves reviewing and detecting misconduct or areas of high risk. Members of the compliance committee should always be on the lookout for areas of needed improvement or potential risk. Auditing involves more targeted efforts in which a particular department, program or record is reviewed. Findings from the audit should be documented; and if risk or misconduct are identified, they should be addressed immediately. Responding is the act of remediation, addressing either the audit findings or problems unveiled during monitoring. It is essential to correct problems immediately to avoid risk to company reputation, clients served, or potentially costly legal action. For companies to effectively carry out their compliance programs, fixing problems as they arise and mitigating risk is ultimately the end goal.

To learn more about corporate compliance and individual accountability, download our infographic on the Yates Memo. It's an important 2015 policy that's still relevant and in place today, and it addresses how the DOJ assesses corporate compliance.

Download Our Infographic: The Yates Memo

Topics: Compliance