The Complete Compliance and Ethics Manual

Compliance Officer

The compliance officer is the leader or figurehead for an organization’s compliance and ethics program. To successfully lead any venture, to some degree a leader must possess the following characteristics: technical skills and knowledge, vision, authority, support, and charisma. This new profession (or skill set) of compliance and ethics is complicated, requiring a broad understanding of all aspects of the business while not actually being fully responsible for any one particular aspect of the business. For example, a compliance officer must be able to understand at a detailed level a company’s billing, finance, operations, and quality functions, but he or she will not actively work in billing, finance, operations, or quality assurance.

To know when an organization may be lacking in compliance and ethics or engaging in inappropriate activities, a compliance officer must possess the technical skills and knowledge of specific industry operations, rules, and regulations to appropriately investigate potentially inappropriate situations. This includes an understanding of financial statements, billing and accounts receivables, accounts payable, operations, arrangements and contracts, and industry legal requirements and regulations. The compliance officer also must have the overarching understanding of how each of these aspects of business affects the others. All too often in many organizations, the compliance officer does not have this breadth of experience or the full complement of leadership qualities demanded by the critical functions.

Compliance officers tend to rely too heavily on the individuals performing the functions being investigated; therefore, he or she may not be able to ask the right questions or explore the answers provided for truthfulness and accuracy. He or she may not know when outright fraudulent schemes are in play or when ignorance is causing inappropriate or illegal actions.

An organization must select a compliance officer who has a clear vision for and commitment to ensuring compliance and ethics, but many either do not have this vision or are unable to communicate it. This individual must inspire his or her supporting compliance and ethics committee to be creative and effective in weeding out non-compliance and encourage employees and management to act in a compliant, ethical manner. This vision and purpose must be communicated to all parties in the organization: board members, compliance and ethics committee, management, employees, and customers. If designated from within an organization, the compliance officer duties may be piled on top of an already full load. The designated individual may not have a clear vision for compliance and ethics, may not have the time or focus to make it happen, and certainly may not have the energy to inspire the organization to be compliant.

Recent experience with complete compliance and ethics plan ineffectiveness at a client organization was directly related to the compliance officer. After eight months of performing detailed compliance and ethics-related assessments, audits, and reviews for a company under corporate integrity agreement, the compliance officer had never attended a single meeting in person. On the rare occasion when he actually attended a meeting, he would call in. Moreover, as a member of upper management, he was the worst offender of specific compliance and ethics-related policies that were created to correct situations that were being investigated by the compliance and ethics committee. Worse yet, the policies were distributed to the group via memoranda that he approved and that went out under his name.

This was a small organization that had delegated the duty to a well-respected, high-level individual who already had a full plate of duties. Thus, he served more as a figurehead for compliance and ethics who would sign memos that the committee created, rather than a true leader of the effort. These or similar circumstances are not uncommon unfortunately. The problem became obvious and resulted in additional obstacles for the committee when attempting to enforce policies with any other individuals. As was recommended to the organization, a more effective individual replaced the original compliance officer, which made all compliance and ethics activities from that point on more smooth and effective.

Standards of Conduct and Policies and Procedures

Standards of conduct and policies and procedures are the fundamental documentation underlying a compliance and ethics program. The standards of conduct must set the tone for all employees to resolve to put forth proactive efforts to comply with the organization’s compliance and ethics program and generally act in an ethical manner. In effect, they are the mission statement of the compliance and ethics program. They do not, however, lay out detailed rules and procedures specific to certain issues or processes.

Compliance and ethics policies and procedures, on the other hand, are very specific to individuals, situations, and processes. They provide a knowledge base for the reasons behind compliance and ethics-related practices through the statement of the policy and purpose of the document. Furthermore, through the actual procedures, they serve as clear guidelines for how to fulfill the compliance and ethics directive or how to perform specific functions in compliance and ethics with rules and regulations.

Without standards of conduct or comprehensive, clear, and accurate compliance and ethics policies and procedures, a compliance and ethics program is non-existent. Policies and procedures that contain outdated, inaccurate, or misleading information may cause individuals to act inappropriately when their intentions were in fact to act appropriately. Should the policies and procedures be too theoretical or cumbersome for the average employee to use, the policies may cause accidental mistakes and compliance and ethics risks out of confusion. If accurate and current, but inaccessible or unavailable to employees due to a lack of education regarding their content or inadequate dissemination, the policies, again, are as ineffective as if they were non-existent.

Client kick-off meetings for compliance and ethics-related projects often begin with the client typically providing us with a substantial document entitled, “Compliance and Ethics Plan, Policies, and Procedures.” Usually, an employee who is no longer with the organization created the document, and no other person in the organization has read the “plan,” which was based on a boilerplate and not tailored to the operations of the specific program. It often reads like a book and not like a resource manual that is indexed and can be easily searched, and it does not identify the responsible parties for specific functions or the practical application of the policy. Furthermore and also common, the policy may be written in legalese that an average employee cannot interpret and use in a practical setting.

This form of compliance and ethics plan, or collection of policies and procedures, is a liability to an organization. It creates a false sense of security to management that someone in the organization has implemented “compliance and ethics” so that inappropriate activities could not be occurring. Moreover, if under investigation, the policies and procedures may serve as “proof” that an organization “knew” what was proper and improper but was “intentionally” acting improperly despite the policies.

Ask an employee with direct responsibility for important business functions, such as billing, if he or she can describe broadly the content of the compliance and ethics policies and procedures. If he cannot, it is time to revisit the policies and redistribute them in an alternative manner.

Training and Education

Along with auditing and monitoring, training and education is another key to achieving successful effectiveness. It is of paramount importance to effectively communicate both the structure and substance of a compliance and ethics program to all organization stakeholders. Without communicating how the program works and what it is trying to accomplish, the program is like the sound of a tree falling in a forest with no one around to hear it.

Since all organizations are different, varying in size, function, structures, employee education level, mission, cultures, etc., different levels and forms of training and education must be employed. Whereas all employees should have some level of education in compliance and ethics, more extensive education in specific areas should be given to the appropriate employees. The training cannot be boilerplate, and it must address the risk areas specific to the organization and the employees performing different functions within the organization.

To soundly convey the compliance and ethics program’s message and capture the attention of the audience, education must be creative and accurate. Experience indicates that as much live training as is feasible increases the success of efforts. By augmenting live training with a variety of media such as seminars and conferences, memoranda, one-on-one instruction, postings, etc., the information will be more readily retained by the audience. Clearly, the content of the education must be accurate, current, and conveyed in a manner understandable to the audience. The effort of creating solid policies and procedure, conducting thorough audits, holding regular compliance and ethics meetings, etc., are futile if individuals throughout the organization do not understand the compliance and ethics efforts being put forth and their responsibilities under the program.

Clients often voice concern over the expense of recommended compliance and ethics training programs. This is due to the various types of training suggested to be given by qualified trainers geared at reaching the appropriate audiences with the right information. Clients often search for the least-expensive, non-tailored, online compliance and ethics training and hope it can serve as the complete package. Although several online training programs are very good products and can be effective, they should be supplemented with education tailored to the organization explaining how compliance and ethics has been integrated into the organization’s operations. In addition, online forums dismiss the value of a live forum for the exchange of ideas and questions. Live training programs usually lead to the discovery of compliance and ethics risks or areas of needed improvement through questions from the employees—education traveling in both directions. Taking shortcuts in training often results in higher long-term costs from re-training and poor compliance and ethics.

Open Lines of Communication

Employees, agents, customers, and management should be free to express concerns, request information and education, and discuss situations without fear of retaliation. Often the most valuable information regarding compliance and ethics risks comes from an individual raising a concern in passing without fully understanding if a violation is occurring or if an issue really exists. That type of communication should be nurtured and encouraged, which is best accomplished when an anonymous reporting mechanism exists and when resolution of the situation is communicated back to those concerned. Many whistleblowers only seem to take that route after raising an issue multiple times with no apparent or communicated response from the organization. Thus, effective and open communication must have the elements of anonymity and responsiveness in return.

Communication must go both ways, which is difficult when reports of suspected violations occur anonymously. An effective compliance and ethics program will appropriately investigate reports of misconduct and resolve the issue. From time-to-time, an investigation will show that an action was appropriate even though it appeared inappropriate. (Laws and regulations are often difficult to understand, and complex safehavens may be appropriate when appearing to be in violation.) If the resolution of that issue is not communicated back to the anonymous reporter, this individual may grow disgruntled at the perceived lack of attention to the matter. Thus, broader communication to the entire organization regarding the issue and the resolution may be warranted.

Smaller organizations often have a difficult time implementing “anonymous” reporting mechanisms, sometimes due to the cost and sometimes due to the inevitable nature of knowing where information came from when an organization is very small. Thus, in addition to an anonymous reporting mechanism, the culture of openness and non-retaliation must be present.

Disciplinary Guidelines

In an ideal world, individuals would follow rules and regulations because it is the ethical thing to do. In the real world, however, consequences for violations are necessary to enforce rules and regulations. Thus, a vital element of effective compliance and ethics is disciplinary guidelines.

Disciplinary actions serve two main purposes: (1) to punish an individual or entity for violating a stated rule or regulation and (2) to deter others from future violations. Disciplinary guidelines are ineffective when they are not communicated, enforced, or not enforced in a timely manner. When misconduct is uncovered, whether intentional or due to “ignorance” of how to act when sufficient training has been provided, disciplinary actions must be enforced.

Compliance and ethics programs quickly begin to break down when the consequences of misconduct are not enforced. The individual who acted inappropriately will realize that his or her improper actions will not be punished. He or she perhaps will continue the inappropriate actions or possibly escalate the behavior to illegal actions. Moreover, this sets a negative precedence for the organization, instilling others with the idea that inappropriate behavior will go unpunished. The incentive to do the right thing is diminished, and when an individual is faced with the choice of acting improperly for his or her own gain, he or she will have a stronger temptation to act improperly.

A common practice in business, which is often the most damaging to compliance and ethics efforts, is when an upper level manager acting inappropriately is not disciplined in accordance with policy. Experience shows that administrators, managers, and other employees who worked in an environment “pre-compliance” do not easily adjust to the documentation requirements and scrutiny that compliance and ethics activities add to their daily practices. Due to their often extended tenure, these individuals are also often highly respected and in powerful positions in the organization. When they are allowed to get away with non-compliant actions, even when they are “just doing things the way they have always been done” and not intentionally trying to act illegally or inappropriately, they create a culture for permissive violations and/or unequal application of the rules based on position. This lack of enforcement may clear the way for others to purposefully violate the rules. Compliance and ethics has to be taught not only through the “classroom” but also through the actions of all employees, especially those in positions of power.

Auditing and Monitoring

Although open lines of communication may help raise compliance and ethics violations, systematic auditing and monitoring are critical to the plan’s effectiveness. Routine, consistent auditing and monitoring is a must to find patterns of non-compliance due to system problems, human error, or actual wrong doing, which may not be reported through other channels as a violation. Hand-in-hand with the disciplinary actions, they demonstrate to employees that proactive measures are being taken to ensure that the organization is in compliance with applicable rules and regulations, including its own policies and procedures.

Auditing and monitoring presumably break down when the audit plan, schedule, and/or resources are insufficient to review all potential risk areas, are left incomplete, or are ignored. Audits must be planned and scheduled in order to ensure that all risk areas are reviewed and reviewed often enough to produce effective results. When audit schedules are not well planned or followed, simple errors that accumulate into patterns of abuse are not discovered as often or timely as necessary to ensure swift and simple resolution. Individuals acting inappropriately can gain confidence due to the lack of “policing” of their activities.

Experience in the real world teaches that audits conducted internally or externally usually do not produce error-free results. Even with vigilant efforts to comply, errors occur that must be corrected, especially when industry rules change and evolve frequently or when regular updates to software, inventory, pricing, etc., are required. Regular audits help to correct these mistakes that cannot only lead to abusive practices but simple inefficiencies and inaccuracies that can cost an organization significant dollars.

Responding To Offenses

When offenses are discovered, swift and appropriate actions must be taken. An adequate investigation of potential violations must be timely, and when inappropriate actions are discovered, the individuals involved must be disciplined in accordance with the compliance and ethics program, and corrective actions must be put into place. If a violation is discovered, it does not mean that a compliance and ethics program is ineffective. Rather, it demonstrates that compliance and ethics efforts are doing their job by finding offenses. Where the compliance and ethics program becomes ineffective is when the organization does not “learn” from the discovery. Understanding how the violation was allowed to occur and putting into place corrective actions to ensure that it does not occur again demonstrates an effective compliance and ethics program.

A common scenario with organizations whose audits discover inappropriate conduct demonstrates how compliance and ethics programs must have a defined process for responding to offenses to ensure that our human nature does not thwart compliance and ethics efforts. Executives usually panic first when an audit produces negative results that require corrective actions. They often spend too much time quantifying the situations and deciding how to take “immediate” corrective actions. The issue draws out for so long that the client tires of the issue and fails to implement a solid and direct corrective action plan to ensure the actions are not repeated. Immediacy and steadfastness in responding to offenses are required for effective compliance and ethics programs.