What Is Compliance?
Dictionaries often define compliance as “the action or fact of complying with a wish or command or a set of rules.” Those rules can be external, such as laws, regulations or third-party contractual obligations, or internal, such as codes of conduct and the policies and controls that the organization imposes on itself.
Failure to comply with these external or internal rules creates compliance risk, which can expose the organization to financial loss, material loss, fines and voided contracts. Beyond direct economic loss, a noncompliant company also stands to lose future business opportunities, its good standing and its reputation.
Compliance risk can be defined as the risk that the codes, internal policies, systems and controls the organization has implemented to ensure compliance with the laws and regulations applicable to it are either not adhered to or are ineffective, so that noncompliance results. Compliance professionals are tasked with identifying and managing these risks through an effective compliance program.
What Is a Compliance Program?
There are many definitions of a compliance program. At its most basic, it is about education, scope, prevention, detection, collaboration and enforcement. It is a system of individuals, processes, policies and procedures developed to ensure compliance with all applicable laws, industry regulations and private contracts governing the actions of the organization. A compliance program is not merely a binder on a shelf, and it is not a quick fix for the latest risk areas. An effective compliance program must be ingrained in the culture and run as an ongoing process that is part of the fabric of the organization. It must be a commitment to an ethical way of conducting business and a system for helping individuals do the right thing. In practical terms, organizations use compliance programs to prevent, detect and fix ethical and regulatory compliance risks by implementing education and training, auditing and monitoring, investigation and discipline, and policies and procedures designed to prevent noncompliance.
Who Needs a Compliance Program
- Private businesses
- Publicly traded companies
- Foundations and other non-profit organizations
- Government agencies
- Schools
- Others
There is no one size fits all compliance program. An effective compliance program needs to be tailored for each organization based on the industry in which it operates and the specific needs of the organization.
Why Do You Need a Compliance Program?
So, why do we need yet another formal program, this time on compliance?
First and foremost, an effective compliance program helps the organization meet its legal responsibility to abide by applicable laws and regulations, and it protects the organization’s reputation. Any organization with international operations must stay current with the laws and regulations of each country in which it does business. Examples of current enforcement trends include:
- Increased anti-corruption enforcement, e.g., the Foreign Corrupt Practices Act (FCPA) in the US, the Bribery Act 2010 in the UK, and the strengthened anti-corruption standards established by the Organisation for Economic Co-operation and Development (OECD)
- Global growth of antitrust laws and regulations: more than 100 countries now impose penalties for anti-competitive behavior
- Increased protection of whistleblowers, e.g., the Dodd-Frank Wall Street Reform and Consumer Protection Act in the US
- Increased privacy and data protection requirements, e.g., the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, on data protection and privacy for individuals within the European Union (EU); the Asia-Pacific Economic Cooperation (APEC) Privacy Framework; and the Payment Card Industry Data Security Standard (PCI DSS), which is not a law but a contractual standard imposed by the card brands on organizations worldwide that handle cardholder data
Why Compliance Programs are Essential
- To protect the reputation of the organization
- To encourage a culture of “doing the right thing”
- To increase awareness among both employees and stakeholders
- To provide an avenue for employees and stakeholders to raise potential issues
- To reduce the imposition of fines and sentences
Although an effective compliance program may require significant additional resources, or the reallocation of existing ones, its long-term benefits outweigh the costs. An effective compliance program is a sound investment.
Main Reasons to Implement a Compliance Program
- Adopting a compliance program concretely demonstrates to all stakeholders that the organization has a strong commitment to honesty and responsible corporate citizenship. Reputation is one of a company’s greatest assets and, once damaged, one of the most difficult to repair. An effective compliance program can both preserve and enhance an entity’s reputation by preventing fraud and abuse and by discovering inappropriate actions early and resolving them in a timely and proper manner.
- Compliance programs reinforce employees’ innate sense of right and wrong. People have an inherent sense of right and wrong and want a means to respond to conduct they perceive as noncompliant. By giving employees ways to express concerns to management and to see a positive response, the organization strengthens its relationship of trust with them. Codes of conduct and training are the compliance tools that make this possible.
- Compliance programs are cost-effective. Although an effective program requires a commitment of significant resources, those expenditures are small in comparison with the disruption and expense of defending against an investigation. An effective compliance program can also lead to business efficiencies, streamlined processes and better transparency in the business.
- A compliance program provides a more accurate view of employee behavior relating to fraud and abuse. An effective program trains employees on an ongoing basis, monitors their understanding of and compliance with the program, and provides mechanisms to discipline individuals who violate the company’s code of conduct. Through these vehicles an organization gains reasonable assurance that it is acting in conformance with applicable rules.
- A compliance program provides visibility into the business practices of third parties and the behavior of third-party agents relating to fraud and abuse. An effective program trains third parties doing business with the organization on an ongoing basis, monitors their understanding of and compliance with the program, and provides mechanisms to exit relationships with third parties found to be noncompliant. Through these vehicles an organization gains reasonable assurance that it conducts business with, and through, ethical and compliant third parties.
- A compliance program provides procedures to promptly identify and correct misconduct. A comprehensive program establishes procedures for responding promptly and efficiently to problems that arise. Through early detection, remediation and reporting, a company can limit the consequences of noncompliance, such as penalties and sanctions imposed by regulatory bodies and the fines and other repercussions of violating contracts, and so reduce its exposure to criminal and administrative sanctions.
- Voluntarily implementing a compliance program is preferable to waiting for a mandate from a regulatory body. Voluntary programs are preferable because of their flexibility to adapt to the organization’s culture. When you design a voluntary program, you decide what its structure will be, and you are able to gain a greater level of buy-in from employees at all levels of the organization. A voluntary program demonstrates to stakeholders a commitment to “doing the right thing” because the organization wants to act in good faith, not because it “has to.”
- An effective corporate compliance program may protect corporate directors (board members) from personal liability. The fiduciary duty of care requires directors to keep themselves adequately informed about the operations and finances of the organization and about the regulatory requirements that apply to it. An effective compliance program designed to assure compliance with applicable legal requirements has been recognized as meeting this duty of care.
Avoidance of penalties and fines should be a major incentive for organizations to implement a compliance program. Should an organization be found guilty of non-compliance, the penalties can be severe, and the financial implications due to loss of business can be profound.
Although a “one size fits all” compliance program does not exist, many industries have accepted seven basic compliance elements (those set out in Chapter 8 of the US Federal Sentencing Guidelines for organizations) that can be tailored to fit the needs and financial realities of any given organization. Effective compliance programs begin with a formal commitment by the organization to these basic elements. The seven basic compliance program elements are:
- Standards and procedures
- Compliance oversight
- Education and training
- Monitoring and auditing
- Reporting, investigation and background checks
- Enforcement and discipline
- Response and prevention
Once a program has been established, the program materials and the relevant regulatory materials should be distributed to, read by and attested to by all employees of the organization, since informed employees are the backbone of a good compliance program.
Additional Compliance Program Benefits:
- Demonstrates to employees and the community the organization’s strong commitment to honest and responsible corporate conduct
- Identifies and prevents criminal, inappropriate and unethical conduct
- Creates a centralized source of information on industry regulations
- Establishes a methodology that encourages employees to report potential problems, including potential fraud
- Establishes procedures that allow the prompt, thorough investigation of alleged misconduct
- Initiates immediate and appropriate corrective action
- Reduces the organization’s exposure to enforcement sanctions, criminal penalties and damages
- Helps prevent false or inaccurate financial statements from being generated and published
- Supports the fundamental mission of the organization through ethical business conduct and business efficiency
- Provides a more accurate view of employee and supplier behavior related to fraud and abuse
- Improves overall communication between and within departments
- Improves financial performance
- Provides an “early warning” system for identifying problems
- Minimizes the organization’s exposure to qui tam or whistleblower suits and to other actions by frustrated or disgruntled employees