1. Gain Support and Commitment
Support, buy-in and commitment are critical to having an effective compliance program. It takes a “village” to make it work. Commitment and the right culture breeds effectiveness. We will discuss several vital groups that should be included in the village.
Compliance and ethics begins with the governing authority. Support from the top is critical. There can be no program at all, much less an effective one, without the vision, support, and guidance of the board. It is the board that officially recognizes the need for a compliance and ethics program and authorizes its launch and implementation, including the hiring of a compliance officer. The first step toward implementation of a compliance and ethics program is management’s communication of its commitment. A resolution or memo from the board stating its unequivocal support for the program establishes a strong foundation. The source of such a statement may be different depending on the organization. In some organizations it might come from the chairman of the board, in others from the CEO. A university or college may want the statement to come from the Dean or university president. Whatever the source, board endorsement should be in a written format; it must communicate unqualified support for and commitment to the compliance process and ethical business behavior; and it must be effectively communicated to everyone.
One option is for the chairman of the board, CEO, Dean, or other top-level executive, to distribute the memo or resolution to all division heads. The division heads then distribute the document to their managers so that the word trickles down and the message is reinforced that all managers endorse the compliance and ethics program. This approach also makes the compliance and ethics program directly accessible to staff and gives staff an opportunity to discuss the document in relatively small groups. A special department or unit meeting to discuss the program and distribute the letter can lend weight to the message, or it can be an agenda item for a regularly scheduled meeting. Whatever the venue, staff should be given ample opportunity to ask questions and offer feedback.
Moreover, the board’s role does not end with voting to establish a compliance and ethics program and distributing a letter of support—nor does its responsibility. Ongoing, visible support from the board of directors is crucial. Most people care about what their boss cares about. When the board takes compliance and ethics seriously, that sense of importance will trickle down. Your board may need guidance in understanding the seriousness of compliance and ethics. They may not immediately recognize that “doing the right thing” is good business, and that compliance and ethics is a good, long-term investment. The board, meeting infrequently and not always aware of day-to-day operations, can be insulated from problems. In the case of compliance and ethics, however, the board must understand the implications of not taking active measures to prevent potential wrongdoing. They should be educated about the potential for liability and reminded of the Caremark International Derivative Litigation, which makes the board responsible for implementation of a system to gather information on the company’s efforts to prevent and detect fraud and abuse. The Compliance and Ethics Officer should accept the responsibility in assuring that the board receives training on the compliance and ethics program on an ongoing basis. It is in the best interest of the organization to have the board take an active rather than a passive role in compliance and ethics.
Support from Management
Management plays an influencing role in making compliance and ethics work with support expressed in a myriad of ways. Attendance at educational programs cannot be mandatory for everyone except managers and leadership. Making time to demonstrate a personal commitment goes a long way to enhancing a system-wide commitment. After attending training sessions, managers should discuss the content with staff either at a regular department meeting or as circumstances permit, one-on-one.
Supervisors or managers also must lead by example, for actions speak louder than words. A manager cannot encourage employees to report questionable behavior and then give special treatment to a friend. Once a potential infraction is reported, the non-retaliation policy must be rigorously observed. It is up to management to make sure employees do not hesitate to come forward for fear of retaliation.
Staying on top of compliance issues is a manager’s day-to-day obligation. Managers and supervisors must closely follow news and information from their professional organizations and pass along any and all compliance and ethics-related issues to the compliance office. The compliance officer is encouraged to be proactive and, from time to time, to ask managers and supervisors what new regulations are developing in their fields.
Support from Professionals
Certain industries revolve around key professionals who hold influential positions in the organization. Examples of key professionals in select industries include physicians in health care, engineers in building, attorneys in legal, programmers in computer science, investigators in research, etc. These individuals play key leadership roles in their industries. Frequent situations will arise where one of these individual’s support can make all the difference in creating a true culture of compliance and ethics. It is thus to your advantage to find a key professional champion—someone who understands and supports the mission of the compliance and ethics program and who will back you up when needed. Moreover, this professional can be a model of how employees can effectively incorporate compliance and ethics into their other job functions without distracting from the performance of their actual duties and without consuming inordinate and unacceptable amounts of time. This key professional can advocate compliance and ethics in several ways:
Emphasize operational and fiscal improvements gained through compliance and ethics
Provide data to support compliance and ethics activities and improvements
Build trust through involvement
Be a partner—not a dictator
Cultivate the early adopters and enthusiasts
Communicate, communicate, communicate.
The earlier you achieve professional buy-in the better. Invite professionals to compliance and ethics implementation committee meetings and actively seek their input throughout the start-up—and beyond. Many organizations have a strong professional presence on their compliance and ethics committees. When funding permits, sending key professionals to a compliance and ethics conference can provide valuable education as well as increased awareness and facilitate support. Achieving professional buy-in will be an important challenge, but it is a critical element of launching an effective compliance and ethics program.
Support from Staff
It isn’t a crime to make a mistake. It is a crime not to do anything about the mistake once it is detected. In launching a compliance and ethics program, staff will need to be convinced that looking for problem areas is not the sole responsibility of the compliance and ethics office—it is everyone’s responsibility. Education is the first step, but also look for ways to heighten awareness on a day-to-day basis. When launching a compliance and ethics program, some organizations will distribute cups or pens with a compliance and ethics slogan and the organization name or logo. Everybody loves a freebie, and if the budget permits, these items can increase awareness and foster cooperation. Consider placing the hotline number on employee badges.
Staff buy-in will correlate directly with the organization’s ability to foster an environment of trust. As emphasized earlier, accepting the non-retaliation policy as nothing short of gospel will be the best way to ensure active staff participation. Rewarding and thanking those who come forward to do the right thing will provide immediate positive feedback to staff and reap long-term rewards for the compliance and ethics program overall.
2. Establish Financial Support
Management, up to and including the board of directors, also must be willing to make a financial commitment to compliance and ethics. Staffing and space cost money, and most organizations have limited, even diminishing resources. While the level of commitment is not necessarily correlated directly with the resources (human and financial) allocated, a reasonable budget must be developed in consultation with the compliance officer. An organization unwilling to commit the necessary resources isn’t demonstrating support for the compliance and ethics program and—unquestionably and unfortunately—that message too will filter down through the organization.
Compliance and Ethics Budget
Just knowing what to do won’t make it happen. The reality is, you can’t do it without resources. But what resources are needed? The right amount will depend on the organization, its size, and scope of the compliance and ethics program. Remember, the compliance and ethics program must influence everyone in the organization; and adequate funding will go a long way in demonstrating and eliciting commitment. If investigated, a compliance and ethics program’s value in any settlement will depend largely on the government’s interpretation of the organization’s commitment to good corporate citizenship. In fact, “a compliance program that has neither the moral nor the budgetary support of senior management may actually be deemed as tacit approval for the inappropriate activities.”
Both external and internal risks and the controls to manage those risks factor into a budget. An identified risk area may require immediate attention and hence extra expense, perhaps specialized training or a new computer software program. Bear in mind that certain internal factors can impact, directly or indirectly, the compliance and ethics budget. For instance, if your organization has a high turnover rate, the compliance and ethics budget will need to provide for training the flow of new employees as well as the existing staff on compliance. A highly decentralized operation may call for either a centralization of the compliance and ethics process or additional monitoring to ensure procedures are consistent or at least consistently enforced. Other factors that can impact the compliance and ethics budget are poor communications infrastructure, poor data processing controls, and compensation structures that emphasize financial performance with no compliance and ethics considerations. (For an overview of factors to consider, see Appendix 3A, “Compliance Program Implementation Action Plan.”)
Organization size, scope of the compliance and ethics program, and financial resources will influence how the compliance and ethics department is staffed. In some organizations the compliance officer’s role may not be full time but rather a fraction of a full-time equivalent (FTE) position. In a large, multi-site location the compliance and ethics department will be much more extensive. The majority of compliance officers who are part-time should be full-time. Compliance if done right is a full-time job, unless the organization is very small. For an organization able to consider more than one full-time employee, there are a variety of staffing possibilities. Because so much of compliance and ethics is education, an education coordinator can make a vital contribution to a program’s effort. The education coordinator can develop web-based and live education. Another valuable position includes someone to accumulate and analyze compliance and ethics data (i.e. Code attestations, audit results, training attendance). Auditing staff are also needed who can regularly monitor and help with investigations. Administrative support also may be necessary. For larger organizations considering staffing needs, it should be noted that every facility or location should have a compliance and ethics designate or compliance and ethics field liaison. Even “part-time” compliance and ethics personnel need appropriate training and resources. Employees at the remote sites must be educated as well. Be sure to budget accordingly.
There are other operational expenses to consider, beginning with some sort of reporting method. Hotlines can be handled internally or externally; the costs of each option will need to be assessed. Outsourcing may be more economically feasible for many organizations. When looking for outside help, secure competitive bids, and be sure they are based on comparable information. It may be worthwhile to request outside proposals before you make a final decision. There’s nothing to lose in finding out what outsourcing can do for you.
Educational materials can be a considerable compliance expense. A video or web-based program could be considered for annual general compliance and ethics education. It is recommended that new employee orientation, remedial training and training on complex regulations/policies be done in person. A video customized to your organization can be very expensive, but “off the shelf” videos exist that may well meet your needs. You also will need to provide for specialized training for certain professionals as well as key departments and employees. Such training can be offered by existing in-house staff but also can be provided through outside consultants or specialists and hence will have budget implications. In-house and ongoing training may require audio-visual equipment and software to create engaging visual materials. There will be costs for printing announcements, agendas, and handouts. Costs for printing the code of conduct and policies and procedures can be a surprisingly large number, and while the code of conduct doesn’t need to look like the annual report from a Fortune 500 company, this isn’t a document to skimp on either. Find the right look and feel for your organization—just remember to budget accordingly.
Internet access today is a must. All relevant government documents are available online as are innumerable other helpful compliance-related sites. Adequate computer support is critical.
Professional journals and newsletters are vital ways of keeping abreast of new developments, best practices, and industry trends. They also will provide articles, suggestions, and ideas that can be circulated to appropriate managers or adapted for internal newsletters. Consider budgeting each year for books so you can gradually build a compliance and ethics library that will be a resource for the compliance and ethics department, the compliance and ethics committee, and others. Also, membership in a professional organization such as the Society of Corporate Compliance and Ethics (SCCE) is a good investment. Belonging to a professional organization such as SCCE reinforces your professional standing and provides you with a growing network of invaluable resources.
Finally, if your organization has an in-house counsel, consult with him or her to determine budgetary needs. If you currently rely on external counsel, you may want to alert the firm of your new or expanding compliance and ethics program and solicit estimates for additional costs. Such expenses may be part of the legal budget, but it is best to be sure they are appropriately covered somewhere.
Six Tips for Saving on Future Costs of Compliance and Ethics
1. Embed quality into existing processes—If processes that pose the greatest risk to the organization are revisited with an emphasis on quality, then the outcome of this exercise will be increased efficiency, increased customer satisfaction, and better, but less expensive compliance and ethics.
2. Centralize common processes and controls—Decentralized processes can lead to redundancy and inadequate oversight as well as extra expense.
3. Improve human resources infrastructures—Corporate culture is established by effective communication; communication is critical to training; training leads to improved compliance and ethics; compliance and ethics must be woven into the fabric of corporate culture. Turnover is the ‘smart bomb’ that disrupts the circle.
4. Improve information system processes—It is important and cost-effective to embed compliance and ethics into technology through controls such as edit checks and reports that facilitate monitoring.
5. Emphasize training—The best way to correct an error is to prevent its occurrence.
6. Monitor marketing and compensation—Review marketing materials to be certain the message is consistent with corporate philosophy; new business ventures should be evaluated for risk and the ability of the organization to manage the risk; compensation structures should embed measurable compliance and ethics objectives.
3. Develop Code of Conduct
When to roll out your compliance and ethics program to staff will depend on many factors. Certainly, the sooner you can enlist staff participation the better, and you need not have everything absolutely final before you officially launch the compliance and ethics program companywide. However, you do need to have one of the most important foundation elements ready and in place as you begin: the organization’s code of conduct.
In most organizations the code is drafted by the compliance officer and/or compliance and ethics committee. The code is then approved by the board. If you are in the position of drafting your organization’s code of conduct, there are many sources of sample materials. You can look for books with sample codes of conduct included. Templates for an effective code of conduct are best found by referencing existing best practice codes of conduct. In addition, you could tap into your networking resources to solicit codes of conduct from other organizations. However, it is not advisable to “lift” a code of conduct from another source, make minor tweaks, and try to make it fit your organization. Your code of conduct should reflect your organization’s spirit, tone, and culture. If it doesn’t ring true to staff, securing their participation and cooperation in the compliance and ethics program will be much more difficult. The code should be written at a level that makes it understandable by all staff.
There may not be a “one size fits all” code of conduct, but there are certain elements that every code should include. Most codes of conduct begin with the official board of trustees’ or board of directors’ resolution approving the compliance and ethics program or the memo announcing the launch of the program. The code should begin with this strong endorsement from the highest levels of management. An endorsement signed by the board chairman or the CEO makes the message personal and says “you have my word on it.” This executive message is the place to state unequivocally that everyone in the organization and all affiliates are expected to act in an ethical manner and abide by all applicable laws and regulations affecting the organization. A strong message in support of staff also is in order. The code of conduct provides guidelines and tools developed to help employees in situations created by today’s confusing and complex environment. Staff honesty is not the issue. When a situation poses uncertainty, the code of conduct provides guidance for appropriate conduct or, in more challenging situations, offers the way to get answers within the organization.
The code of conduct might be seen as an elaboration on the organization’s mission or vision, both of which deserve a highly visible place in the code of conduct. Many organizations have identified specific values that help accomplish the mission. If your organization has values in addition to the mission, these too should be prominently featured in the code of conduct.
As a resource for all staff and affiliates, the code of conduct also should include a detailed outline of procedures for handling questions about compliance or ethical issues, beginning with a description of chain of command. The best reporting mechanism is an open door. When a question arises, it is hoped the employee will feel comfortable in approaching his or her supervisor, the first link in the chain of command. In the event the employee and the supervisor cannot resolve the issue, usually the department manager is the next step. If discussions with the supervisor and department head are not satisfactory, in some organizations the corporate human resources representative is called in. Ultimately, if a compliance-related matter cannot be resolved at the department head or HR level, the corporate compliance officer, who represents executive management, gets involved. These steps should be delineated in the code of conduct along with a clearly stated promise of non-retaliation.
However, every employee may not be comfortable talking to management, so there should be other ways of reporting potential problems or posing questions. The code of conduct should provide a clear, concise explanation of how those alternate reporting methods work. For instance, list the hotline (or helpline) telephone number along with hours of operation. In this context, emphasize that all calls will be anonymous or held in complete confidence. To the extent possible, it will help to outline the procedures for how the organization will respond to reports or questions. Can you promise that the compliance department will investigate all reports? Can you promise that all compliance-related questions or allegations, whether received through chain of command, the hotline, or other reporting mechanism, will be investigated within 48 hours? Such specifics are important to include but will be reassuring to staff only if they are achievable.
As a key element of an effective compliance and ethics program, every code of conduct will want to include a description of the compliance and ethics program along with names of all compliance and ethics personnel and members of the compliance and ethics committee. Add phone numbers and e-mail addresses for all key contact personnel. The name of the board of director’s compliance and ethics committee liaison and/or in-house corporate counsel also may be included, if appropriate.
The narrative section of the code of conduct can deal with a wide variety of issues. This section can be written in scenarios, which allows for a very understandable format. For instance, policies on sexual harassment and controlled substances may be referenced, but the policy should not be restated in full. Every code will want to cover expectations regarding conflicts of interest, accepting of gifts and gratuities. Areas of specific weakness or risk should be addressed in the code depending on the organization setting. Most importantly, the code must emphasize zero tolerance for fraud or abuse, a commitment to submitting accurate and timely accounting materials, and compliance with all laws and regulations. Consequences of malicious or uncorrected wrongdoing should be noted with a description of the progressive discipline procedures, if appropriate. Also, it should be clearly stated that everyone has a personal obligation to report any possible wrongdoing. Not reporting makes an employee subject to discipline, too.
The code of conduct holds the potential to be an abstract document, one that might not seem relevant to the day-to-day work of the individual. Therefore, many organizations add a “sample question” or “examples of compliance and ethics violations” section. A mixture of the general and specific is suggested. Sample general questions might be:
I think I saw a violation of industry regulations. Whom should I contact?
Should I report a possible problem even if I’m not sure? Will I get in trouble?
What if my supervisor asks me to do something I think is wrong?
How can I be sure my report will be kept confidential?
Finally, most codes of conduct come with an acknowledgement or attestation form. The attestation form, requiring the employee signature, emphasizes the importance of the document and could provide certain legal advantages should there ever be a government inquiry. To encourage the employee to return the attestation form promptly, some organizations will require a signed attestation form before new employees can be assigned perquisites such as parking spaces. Attestation forms should be filed in the employee’s official human resources file. The compliance department may want to maintain copies. It is important to review the code of conduct during annual compliance training and have employees attest on an annual basis. (See Chapter 2, “Element 3 – Education, Communication and Awareness,” for a Sample Attestation Form.)
4. Identify Staffing Needs
The compliance officer, as noted earlier, is the “focal point” of the compliance and ethics program. Education and experience are important considerations in selecting a compliance officer, but more importantly, the position must be filled by someone who will be trusted and well respected within the organization. Personal characteristics should also be factored in.
All compliance department staff should have job descriptions. If need be, the compliance officer should develop his or her own job description. (See Appendix 2C, “Sample Compliance Officer Job Description.”) Job descriptions for additional department staff should include a detailed list of duties and responsibilities and, to the extent possible, measurable expectations. For an educational coordinator, for example, you might want to require an annual educational plan due by a specific date. An auditor might be expected to audit identified risk areas every month. Job descriptions may need to be modified and adapted as time goes by and as compliance requirements change. Regular employee input to the job description, perhaps in preparation for an annual performance review, will keep the document relevant. (See also, Appendix 3B, “Compliance Job Descriptions.”)
Whatever the size and scope of the organization, all compliance department staff should have certain characteristics. The compliance department is an outreach department, so good “people skills” are vital. There also will be daily interaction with a wide variety of personality types. The ability to stay composed will be an asset to someone working in compliance. Moreover, compliance has a lot to do with change, and in general, people don’t like change. Therefore, the compliance staff must from time to time be able to deal with unhappy, dissatisfied staff—especially when delivering difficult news that may mean more work. Strong communication and listening skills will be critical. Discretion also is required. A good sense of humor helps, too. As you interview, probe for these qualities. If you don’t find them, keep looking. Once you have hired them, foster these qualities in your staff, and provide feedback and guidance in performance reviews.
Most compliance officers would agree that a sizeable majority of compliance activities are related to education and training. Therefore, an education coordinator must be high on the list of early hires. As noted earlier, education is the first and best line of defense in compliance. An educated employee will be less likely to engage in an act of noncompliance and, knowing the organization’s commitment to compliance, will be much more likely to come forward if there is a question or concern about potential noncompliance. Having someone to focus on education can make for more and better educational programs and allow the compliance officer to coordinate the big picture. A training coordinator should have a strong background in the industry and solid experience in adult learning strategies. Computer skills are needed not only for PowerPoint presentations but also for preparing and adapting handouts. Organizational skills are important; just keeping track of attendance can be a daunting task. Here, too, strong people skills are important.
Monitoring and auditing help ensure that the organization remains vigilant in its compliance efforts. Having someone on staff to coordinate these efforts will ensure that regular review happens and that it is objective, documented, reported, and analyzed. This individual also should have specific and high-level experience in the industry as the complexity of compliance in an organization can only be fully understood by an individual who understands. The first step toward prevention is to check competency up front. (Work closely with HR on any candidate testing to be sure requirements for administering the test consistently to all applicants are considered.)