1. Gain Support and Commitment
Board of Directors or Governing Board Support
Compliance begins with the top tier of the organization. Support from the top is very important; there can be no program at all, much less an effective one, without the vision and guidance of the board. It is the board that officially recognizes the need for a compliance program and authorizes its launch and implementation, including the hiring of a compliance officer. The first step toward implementation of a compliance program is management’s communication of their commitment. A resolution or memo from the board stating its unequivocal support for the program is a strong beginning. The source of such a statement may be different depending on the organization. In some organizations it might come from the chairman of the board, in others from the CEO. Whatever the source, board endorsement should be in a written format; it must communicate unqualified support for and commitment to the compliance process and ethical business behavior; and it must be effectively communicated to everyone. (See Appendix A.10 Sample Board of Directors Resolution.)
One option is for the chairman of the board or CEO to distribute the memo or resolution to management. Management then distributes the document to their employees so that the word trickles down and the message is reinforced that all managers endorse the compliance program. This approach also makes the compliance program directly accessible to staff and gives staff an opportunity to discuss the document in relatively small groups. A special department or unit meeting to discuss the program and distribute the letter can lend weight to the message, or it can be an agenda item for a regularly scheduled meeting. Whatever the venue, staff should be given ample opportunity to ask questions and offer feedback.
Moreover, the board’s role does not end with voting to establish a compliance program and distributing a letter of support—nor does its responsibility. Ongoing, visible support from the board of directors is crucial. Most people care about what the boss cares about. When the board takes compliance seriously, that sense of importance will trickle down. Your board may need guidance in understanding the seriousness of compliance. They may not immediately recognize that “doing the right thing” equals good business, that compliance is a valuable, long-term investment. The board of directors, meeting infrequently and not always aware of day-to-day operations, can be insulated from problems. In the case of compliance, however, the board must understand the implications of not taking active measures to prevent potential wrongdoing. They should be educated about the potential for liability and reminded of the Caremark International Derivative Litigation, which makes the board responsible for implementation of a system to gather information on the company’s efforts to prevent and detect fraud and abuse. It is in the best interest of the organization to have the board take an active rather than a passive role in compliance. Also the Federal Sentencing Guidelines are very clear regarding corporate responsibility.
Support from Management
Management plays an influencing role in making compliance work with support expressed in a myriad of ways. Attendance at educational programs cannot be mandatory for everyone except managers and vice presidents. Making time to demonstrate a personal commitment goes a long way to enhancing a system-wide commitment. After attending training sessions, managers should discuss the content with staff either at a regular department meeting or as circumstances permit one-on-one.
Supervisors or managers also must lead by example, for actions speak louder than words. A manager cannot encourage employees to report questionable behavior and then give special treatment to a friend. Once a potential infraction is reported, the non-retaliation policy must be rigorously observed. It is up to management to make sure employees do not hesitate to come forward for fear of retaliation. “Tone in the middle” is also very important for an organization’s culture. While the top leaders may be supporting the compliance efforts, if there is no follow through and incentives built in for middle management, the culture will fail in its efforts for an effective compliance program.
Staying on top of compliance issues is a manager’s day-to-day obligation. Managers and supervisors must closely follow news and information from their professional organizations and pass along any and all compliance-related issues to the compliance office. The compliance officer is encouraged to be proactive and, from time to time, to ask managers and supervisors what new regulations are developing in their fields.
Support from Professionals
Certain industries revolve around key professionals who hold influential positions in the organization. Examples of key professionals in select industries include physicians in health care, engineers in building, attorneys in legal, programmers in computer science, investigators in research, et cetera. These individuals play key leadership roles in their industries. Frequent situations will arise where one of these individual’s support can make all the difference in creating a true culture of compliance. It is thus to your advantage to find a key professional champion—someone who understands and supports the mission of the compliance program and who will back you up when needed. Moreover, this professional can be a model of how employees can effectively incorporate compliance into their other job functions without distracting from the performance of their actual duties and without consuming inordinate and unacceptable amounts of time. This key professional can advocate compliance in several ways:
Emphasize operational and fiscal improvements gained through compliance.
Provide data to support compliance activities and improvements.
Build trust through involvement.
Be a partner, not a dictator.
Cultivate the early adopters and enthusiasts.
Communicate, communicate, communicate.
The earlier you achieve professional buy-in the better. Invite professionals to compliance implementation committee meetings and actively seek their input throughout the start-up—and beyond. Many organizations have a strong professional presence on their compliance committees. If at all possible, consider having a professional chair the compliance committee. When funding permits, sending a key professional to a compliance conference can provide valuable education as well as increased awareness that can facilitate support. Achieving professional buy-in will be an important challenge, but it is a critical element of launching an effective compliance program.
Support from Staff
It isn’t a crime to make a mistake; it is a crime not to do anything about the mistake once it is detected. In launching a compliance program, staff will need to be convinced that looking for problem areas is not the sole responsibility of the compliance office—it is everyone’s responsibility. Education is the first step, but also look for ways to heighten awareness on a day-to-day basis. When launching a compliance program, some organizations will distribute items with a compliance slogan and the organization name or logo. Everybody loves to get something free that they can use, and if the budget permits, these items can increase awareness and foster cooperation.
Staff buy-in will correlate directly with the organization’s ability to foster an environment of trust. As emphasized earlier, assuring that the non-retaliation policy will be followed is the best way to ensure active staff participation. Rewarding and thanking those who come forward to do the right thing will provide immediate positive feedback to staff and reap long-term rewards for the compliance program overall.
2. Establish Financial Support
Management, up to and including the board of directors, also must be willing to make a financial commitment to compliance. Resources and space cost money, and most organizations have limited, even diminishing resources. While the level of commitment is not necessarily correlated directly with the resources (human and financial) allocated, a reasonable budget must be developed in consultation with the compliance officer. An organization unwilling to commit the necessary resources isn’t demonstrating support for the compliance program and—unquestionably and unfortunately—that message too will filter down through the organization.
Knowing what to do won’t make it happen. The reality is you can’t do it without money. But how much money do you need? The right amount will depend on the organization, its size, and scope. Remember, the compliance program must influence everyone in the organization; adequate funding will go a long way in demonstrating and eliciting commitment. This is a good place to mention again that the only thing worse than having no policies is having them and not following them. Under-funding can be one source of such a situation. If investigated, a compliance program’s value in any settlement will depend largely on the regulatory agencies’ interpretation of the organization’s commitment to good corporate citizenship. In fact, “a compliance program that has neither the moral nor the budgetary support of senior management may actually be deemed as tacit approval for the inappropriate activities.”
Both external and internal risks and the controls to manage those risks factor into a budget. An identified risk area may require immediate attention and hence extra expense, perhaps specialized training or a new computer software program. Bear in mind that certain internal factors can impact, directly or indirectly, the compliance budget. For instance, if your organization has a high turnover rate, the compliance budget will need to provide for training the flow of new employees as well as the existing staff. A highly decentralized operation may call for either a centralized compliance process or additional monitoring to ensure procedures are consistent or at least consistently enforced. Other factors that can impact the compliance budget are poor communications infrastructure, poor data processing controls, and compensation structures that emphasize financial performance with no compliance considerations.
Organization size, setting, scope and culture will influence how the compliance department is staffed. In some organizations the compliance officer role may not be full time, but rather a fraction of a full-time equivalent (FTE) position. In a large, multi-site location, the compliance department will be much more extensive. There are a variety of staffing possibilities for a compliance department. An education coordinator can make a vital contribution to a program’s effort, because a large amount of employee education needs to be conducted. Other valuable positions include someone to accumulate and analyze compliance data and an auditor who can regularly audit or monitor and help with documentation. Secretarial or administrative support also is helpful. If you are unable to add these resources to your staffing contingency, identify where in your organization you could possibly leverage these types of resources through a shared model—this option may suffice while you are building the program capacity and rationale for the compliance resources ongoing.
For larger organizations considering staffing needs, it will be important to include a compliance designate or compliance field liaison who will help facilitate the compliance efforts at remote locations. “Full” or “part-time” compliance personnel will need appropriate training and resources, and this can be provided in many ways on site. Some examples might include provision of a reference binder, a written phone number to call with questions, and focused training on key areas of risk and/or process. Additionally, it can be helpful to involve these individuals in process and approach development so that they will have ownership. Be sure to budget accordingly.
There are other operational expenses to consider, beginning with some sort of reporting method. Reporting mechanisms (e.g., hotlines, e-mails, etc.) can be handled internally or externally; the costs of each option will need to be assessed. Having a mechanism handled externally may be more economically feasible for many organizations. When looking for outside help, secure competitive bids, and be sure they are based on comparable information. It may be worthwhile to request outside proposals before you make a final decision. There’s nothing to lose in finding out what an external resource can do for you.
Educational materials can be a considerable compliance expense. A video program for general sessions and new employee orientation may be helpful. A video customized to your organization can be very expensive, but “off the shelf” videos exist that may well meet your needs. You also will need to provide for specialized training for certain professionals as well as key departments and employees. Such training often is provided through outside consultants or specialists and hence will have budget implications. In-house and ongoing training may require audio-visual equipment and software to create engaging visual materials. There will be costs for printing announcements, agendas, and handouts. Costs for printing the code of conduct and policies and procedures can be surprisingly large, and while the code of conduct doesn’t need to look like the annual report produced by a marketing company, it deserves a professional and credible look for the organization. Find the right look and feel for your organization—just remember to budget accordingly.
Internet access today is a must. All relevant regulatory documents are available online as are innumerable other helpful compliance-related sites. Adequate computer support is critical.
Professional journals and newsletters are vital ways of keeping abreast of new developments, best practices, and industry trends. They also will provide articles, suggestions, and ideas that can be circulated to appropriate managers or adapted for internal newsletters. Consider budgeting each year for electronic and hardcopy materials so you can gradually build a compliance library that will be a resource for the organization. Also, membership in professional organizations, such as the Society of Corporate Compliance and Ethics (SCCE), is a good investment. Belonging to a professional organization such as SCCE reinforces your professional standing and provides you with a growing network of invaluable resources.
Investigative costs can be unpredictable, especially when an organization is in a state of crisis or turmoil. The compliance office should at least use a comparison from year to year to try to estimate these costs. If the program is new, an estimate of costs could be based on what other departments spent on compliance-related investigations, especially those that relied on the use of outside resources, since a compliance function could have conducted these investigations internally at a comparative savings.
Finally, if your organization has an in-house counsel, consult with him or her to determine budgetary needs. If you currently rely on external counsel, you may want to alert the firm of your new or expanding compliance program and solicit estimates for additional costs. Such expenses may be part of the legal budget, but it is best to be sure they are appropriately covered somewhere.
Six Tips for Saving on Future Costs of Compliance
1. Embed quality into existing processes—If processes that pose the greatest risk to the organization are revisited with an emphasis on quality, then the outcome of this exercise will be increased efficiency, increased customer satisfaction, and better, less expensive compliance.
2. Centralize common processes and controls where it makes sense—Scattered efforts could lead to redundancy and inadequate oversight as well as extra expense, if the same functions are being handled within many different departments, e.g., education.
3. Focus on corporate culture—This is critical to success and efficiency. Employee satisfaction and retention are good indicators of culture, and employee turnover can be costly to an organization, not only in recruitment efforts, but also in training the new employee.
4. Improve information system processes—It is important and cost effective to embed compliance into technology through controls such as edit checks and reports that facilitate monitoring. Efficient technology frees up resources to be used in other areas.
5. Emphasize training—The best way to correct an error is to prevent its occurrence. The number one reason people are non-compliant is because they did not know or understand the area of compliance involved.
6. Monitor marketing and compensation—Review marketing materials to be certain the message is consistent with corporate philosophy; new business ventures should be evaluated for risk and the ability of the organization to manage the risk; compensation structures should embed measurable compliance objectives.