SCCE Compliance 101 Third Edition

Compliance Committees

Industry has demonstrated that the formation of a management compliance committee can be an effective addition to the program, although the specific composition of the committee may vary. This committee benefits from having varying perspectives from professionals working in operations, finance, audit, risk management, human resources, and legal, as well as employees and managers of key operating units. The committee assists the compliance officer in ensuring effective mechanisms are in place to mitigate risk areas—real or potential.

The compliance officer’s role on the committee can vary. In some organizations the compliance officer sits ex officio. In other organizations, the compliance officer may chair the committee. Regardless of who chairs the committee, the compliance department commonly is responsible for scheduling meetings, preparing the agenda, taking and distributing minutes, and coordinating follow-up.

Management compliance committee functions, in addition to aiding and supporting the compliance officer, can include:

• Analyzing legal requirements (along with counsel) on the committee and specific risk areas

• Regularly reviewing and assessing accuracy of and adherence to policies and procedures

• Assisting with the development of standards, a code of conduct, policies, and procedures

• Monitoring internal systems related to standards, policies, and procedures

• Regularly reviewing industry guidance and new information and integrating it into the compliance program

• Participating in the risk assessment process

• Determining the appropriate strategy to promote compliance

• Developing a system to solicit, evaluate, and respond to complaints and problems

The importance and potential influence of the compliance committee cannot be overstated. Look for committed individuals who will be strong, visible, and vocal advocates for the compliance program. Furthermore, the committee should include individual representatives of each unique department in the organization so that they can communicate to the rest of the committee and the compliance officer on compliance activities and risk areas within their departments. The members also provide important communication back to their respective departments on the organization’s compliance requirements. The committee is a vital source of information both to the compliance officer and the rest of the organization. See Appendix 3, Sample Compliance Oversight Committee Confidentiality Statement.

Organizations also are implementing leadership/board compliance committees that may oversee the management compliance committee. The management compliance committee reports to the leadership or board compliance committee, and they report to the full board.

Board of Directors or Governing Board Support

Compliance begins at the top tier of the organization. The FSG states, “The organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.”^[4] The board sets the tone for the rest of the company and is ultimately responsible for the compliance program. Support from the top is fundamental—there can be no program at all, much less an effective one, without the vision, support, and guidance of the board. It is the board that officially recognizes the need for a compliance program and authorizes its launch and implementation, including the hiring of a compliance officer.

The first step toward implementing a compliance program is management’s communication of commitment. A resolution or memo from the board stating its unequivocal support for the program is a strong beginning. The source of such a statement may be different depending on the organization. In some organizations the statement might come from the chairman of the board, in others from the CEO. Whatever the source, board endorsement should be in a written format; must communicate unqualified support for and commitment to the compliance process and ethical business behavior; and must be communicated effectively to everyone in the organization. For an example resolution of support, see Appendix 4, Sample Board of Directors Resolution.

One option is for the chairman of the board or CEO to distribute the memo or resolution to management. Management can then distribute the document to employees so that the word spreads and the message is reinforced that all managers endorse the compliance program. This approach also makes the compliance program directly accessible to staff members, creating an opportunity to discuss the document in relatively small groups. A special department or unit meeting to discuss the program and distribute the letter can lend weight to the message, or it can be an agenda item for a regularly scheduled meeting. Whatever the venue, staff should be given ample opportunity to ask questions and offer feedback.

The board’s role does not end with voting to establish a compliance program and distributing a letter of support—nor does its responsibility. Ongoing, visible support from the board of directors is crucial. Most people care about what their boss cares about regarding the organization. When the board takes compliance seriously, that sense of importance will spread. The board may need guidance in understanding the seriousness of compliance, though. Board members may not immediately recognize that “doing the right thing” equates to a good business practice, or that compliance is a valuable, long-term investment. The board of directors, which meets infrequently and is not always aware of daily operations, can be insulated from problems. In the case of compliance, however, the board must understand the implications of not taking active measures to prevent potential wrongdoing.

Board members should be educated about the potential for liability and reminded of the In re Caremark International Derivative Litigation case, which makes the board responsible for implementation of a system to gather information on the company’s efforts to prevent and detect fraud and abuse.^[5] It is in the best interest of the organization for the board to take an active, rather than a passive, role in compliance. The compliance officer should report regularly to the board. Also the FSG is very clear regarding corporate responsibility.^[6]

Support from Management

Management plays an influential role in making compliance programs work, expressing support in a myriad of ways. Attendance at educational programs is one way, which cannot be mandatory for everyone but voluntary for managers and vice presidents. Managers must make time to demonstrate their personal commitment to compliance—this goes a long way to enhancing a systemwide commitment to compliance. After attending training sessions, managers should discuss the content with staff either at a regular department meeting or as circumstances permit one-on-one.

Supervisors or managers also must lead by example; as the adage goes, their actions speak louder than words. A manager cannot encourage employees to report questionable behavior and then give special treatment to a friend. Once a potential infraction is reported, the nonretaliation policy must be rigorously observed. It is up to management to make sure employees do not hesitate to come forward out of fear of retaliation. “Tone in the middle” is also very important for an organization’s culture. While top leaders may support the compliance efforts, if middle management lacks follow-through and has no incentive to support the program, the organization’s culture will undermine efforts to achieve an effective compliance program.

Staying on top of compliance issues is a manager’s daily obligation. Managers and supervisors must closely follow news and information from their professional organizations and pass along any compliance-related issues to the compliance officer. Likewise, the compliance officer is encouraged to be proactive and occasionally ask managers and supervisors what new regulations are developing in their fields.

Support from Professionals

Central to certain fields are key professionals who hold influential positions in their organizations—and their industries. Examples of key professionals in select industries include physicians in healthcare, engineers in building, attorneys in legal, programmers in computer science, investigators in research, etc. Frequently, situations arise in which the support of one of these individuals can make all the difference in creating an authentic culture of compliance. Therefore, it is to your advantage to find a key professional champion—someone who understands and supports the mission of the compliance program and who will back you up when needed. Moreover, this professional can be a model of how employees can effectively incorporate compliance into other job functions, without distracting from the performance of their duties and consuming inordinate and unacceptable amounts of time.

This key professional can advocate for compliance in several ways, including:

• Emphasizing operational and fiscal improvements gained through compliance

• Providing data to support compliance activities and improvements

• Building trust through involvement

• Being a partner, not a dictator

• Cultivating the early adopters and enthusiasts

• Communicating, communicating, communicating

The sooner you achieve professional buy-in, the better. Invite key professionals to compliance implementation committee meetings and actively seek their input throughout the start-up and beyond. Many organizations have a strong professional presence on their compliance committees. If at all possible, consider having a key professional serve as chair of the compliance committee. When funding permits, send a key professional to a compliance conference to provide valuable education and increase their awareness. This can facilitate greater compliance program support. Achieving professional buy-in may be challenging, but it is a critical element of running an effective compliance program.

Support from Staff

It is not a crime to make a mistake, but it can be a crime not to do anything about the mistake once it is detected. In a compliance program, staff need to be convinced that looking for problem areas is not the sole responsibility of the compliance officer—it is everyone’s responsibility. Education is the first step to building this awareness, but the compliance officer should also look for ways to heighten awareness on a daily basis. When informing staff about a compliance program, some organizations will distribute items with a compliance slogan and the organization’s name or logo. Most employees enjoy receiving something free that they can use, and if the budget permits, these items can increase awareness and foster cooperation with the program.

Staff buy-in will directly correlate with the organization’s ability to foster an environment of trust. As emphasized earlier, ensuring that the nonretaliation policy will be followed is the best way to secure active staff participation. Rewarding and thanking those who come forward to do the right thing will provide immediate positive feedback to staff and reap long-term rewards for the compliance program overall.

Financial Support and Budget

Management, up to and including the board of directors, must be willing to make a financial commitment to compliance in order for the program to be successful. Staff, resources, auditing, education, and office space cost money, and most organizations have limited, even diminishing, resources. While commitment level is not necessarily directly correlated with resources allocated to the program (both human and financial), a reasonable budget must be developed in consultation with the compliance officer. An organization unwilling to commit the necessary resources is not demonstrating support for the compliance program and—unquestionably and unfortunately—that message will also spread through the organization.

Simply knowing what to do will not make a compliance program happen. The reality is you can’t run a compliance program without money. But how much money does the program need? The right amount will depend on the organization, its size, and scope. Remember, a compliance program must influence everyone in the organization; adequate funding will go a long way in demonstrating and eliciting commitment. This is a good place to mention again that the only thing worse than having no policies is having them and not following them. Underfunding can lead to such a situation. If the organization is investigated, a compliance program’s value in any settlement will depend largely on how regulatory agencies interpret the organization’s commitment to good corporate citizenship. A compliance program that lacks management accountability, a culture that backs the compliance program, and the budgetary support of management may be deemed as tacit approval for the inappropriate activities.

Both external and internal risks and the controls to manage those risks factor into a budget. An identified risk area may require immediate attention and hence extra expense, perhaps specialized training or a new computer software program. Bear in mind that certain internal factors can affect, directly or indirectly, the compliance budget. For instance, if your organization has a high turnover rate, the compliance budget will need to provide training for new employees as well as existing staff. A highly decentralized operation may call for either a centralized compliance process or additional monitoring to ensure procedures are consistent across operations—or at least consistently enforced. Other factors that can have an impact on the compliance budget are a poor communications infrastructure, poor data analytics, and incentives not aligned with compliance objectives.

Compliance Program Staffing

Organization size, setting, scope, resources, and culture will influence how the compliance department is staffed. In some organizations the compliance officer role may not be a full-time one, but rather a fraction of a full-time equivalent (FTE) position. In a large, multisite location the compliance department will be much more extensive. A variety of staffing possibilities exist for a compliance department. An education coordinator can make a vital contribution to a program’s effort, as a large amount of employee compliance education needs to be conducted. Other valuable positions include someone to accumulate and analyze compliance data and an auditor who can regularly audit or monitor compliance risks and help with documentation. Administrative support is also helpful. If you are unable to add these resources to your staffing contingent, identify where in your organization you could leverage these types of resources through a shared model; this option may suffice while you are building a program’s capacity and provide rationale for ongoing compliance resources.

For larger organizations considering staffing needs, it will be important to include a compliance designate or compliance field liaison, a position that can help facilitate compliance efforts at remote locations. For organizations with offices outside the US, it is very important to have a compliance designate or field liaison in other countries, particularly considering cultural and language differences that may exist. Full-time or part-time compliance personnel need appropriate training and resources, and this can be provided in many ways on-site. Some examples include making available a reference binder, offering a phone number or email address to direct questions, and giving focused training on key areas of risk and process. Additionally, involving designates or field liaisons in process and approach development encourages ownership of their roles. Be sure to budget accordingly.

All compliance department staff should have job descriptions. If need be, the compliance officer should develop their job description. For an example, see Appendix 1, Sample Compliance Officer Job Description. Job descriptions for additional department staff should include a detailed list of duties and responsibilities and, to the extent possible, measurable expectations. For an educational coordinator, for example, you might want to require an annual educational plan that is due by a specific date. An auditor might be expected to review a certain number of risks on a monthly basis. As time passes and compliance requirements change, job descriptions may need to be modified and adapted. Regular employee input to the job description, perhaps in preparation for an annual performance review, will keep the document relevant.

Whatever the size and scope of the organization, all compliance department staff should have certain characteristics. As it is an outreach department, good people skills are vital. There will also be daily interaction with a wide variety of personality types. The ability to stay calm and focused is an asset to someone working in compliance. Compliance involves a lot of change, and people often don’t like change. On occasion, the compliance staff must be able to deal with unhappy, dissatisfied staff—especially when delivering difficult news that may mean more work. Strong communication and listening skills are critical. Discretion is also required. A good sense of humor helps, too. As you interview for compliance department roles, probe for these qualities. If you don’t find them, keep looking. Once you have hired staff, foster these qualities in them and provide feedback and guidance in performance reviews.

Most compliance officers agree that a sizeable majority of compliance activities are related to education and training. Therefore, an education coordinator must be high on the list of early hires. As noted in this book, education is the first and best line of defense in compliance. An educated employee will be less likely to engage in an act of noncompliance and, knowing the organization’s commitment to compliance, will be much more likely to come forward if there is a question or concern about potential noncompliance. Having a staff member focus on education can make for better educational programs and allow the compliance officer to coordinate the big picture of the program. An education coordinator should have a strong background in the industry and solid experience in adult learning strategies. Computer skills are needed not only for development of presentations, but also for preparing and creating handouts. Organizational skills are also important; just keeping track of attendance can be a daunting task. Here, too, strong people skills are important.

Monitoring and auditing efforts help ensure that the organization remains vigilant in its compliance efforts. These activities are detective and preventive in nature. Having someone on staff to coordinate these efforts will ensure that regular review happens and that it is objective, documented, reported, and analyzed. This individual should also have specific and high-level experience in the industry, as the complexity of an organization’s compliance can only be fully understood by an individual who understands the field. The first step toward prevention is to check competency up front.

Ongoing Operations

Other operational expenses to consider include some sort of reporting method, educational materials, internet access, professional journals and newsletters, and legal counsel. Reporting mechanisms (such as hotline phone numbers and email addresses) can be handled internally or externally, and the costs of each option will need to be assessed. Having a mechanism handled externally may be more economically feasible for many organizations. When looking for outside help, secure competitive bids and be sure they are based on comparable information. It may be worthwhile to request outside proposals before making a final decision. There’s nothing to lose in finding out what an external resource can do for you.

Educational materials can be a considerable compliance expense. A video program for general sessions may be helpful. A video customized to your organization can be very expensive, but off-the-shelf videos exist that may well meet your needs. You also will need to provide for specialized training for certain professionals as well as key departments and employees. Such training is often provided through outside consultants or specialists, and hence will have budgetary implications. In-house and ongoing training may require audio-visual equipment and software to create engaging visual materials.

There will be costs for printing announcements, agendas, and handouts. Costs for printing the code of conduct and policies and procedures can be surprisingly large, and while the code of conduct doesn’t need to look like the annual report produced by a marketing company, a credible code for the organization deserves to have a professional design. Find the right look and feel for your organization—just remember to budget accordingly.

Internet access is a must. All relevant regulatory documents are available online as are innumerable other helpful compliance-related sites. Adequate computer support is critical.

Professional journals and newsletters are vital ways of keeping abreast of new developments, best practices, and industry trends. They also provide articles, suggestions, and ideas that can be circulated to appropriate managers or adapted for internal newsletters. Consider budgeting each year for electronic and printed materials to build a compliance library that will be a resource for the organization. Also, membership in professional associations, such as the Society of Corporate Compliance and Ethics (SCCE), is a good investment. Belonging to a professional association reinforces your professional standing and provides you with a growing network of invaluable resources.

Investigative costs can be unpredictable, especially when an organization is in a state of crisis or turmoil. The compliance office should at least use an annual comparison to try to estimate these costs. If the program is new, an estimate of costs could be based on what other departments spent on compliance-related investigations, especially those that have relied on outside resources, since a compliance function could have conducted the investigations internally at a comparative savings.

Finally, if your organization has in-house counsel, consult with that person to determine budgetary needs. If you currently rely on external counsel, you may want to alert the law firm of your new or expanding compliance program and solicit estimates for additional costs. Such expenses may be part of the legal budget, but it is best to be sure they are appropriately covered somewhere.

Compliance Department Mission and Goals

Once the members of the compliance program are in place, they must function as a team toward a common goal. Building that sense of community within the compliance department is critical before it’s possible to build organization-wide compliance camaraderie. One way to build that cohesive team is to conduct an annual retreat for compliance personnel. As always, the size and setting of the organization, as well as logistical issues, must be considered, but when possible, holding the retreat off site can be invigorating, motivating, and enormously productive. Off-site sessions are preferred only to eliminate or at least minimize the distractions of telephone calls, meetings, and quick questions from staff. The first retreat could be dedicated to drafting a department mission statement that is consistent with the organization’s mission statement. It is important for everyone in the compliance department to understand and have consensus regarding this fit.

Goals for the upcoming year (which need not be a calendar year) and a review of progress toward current-year goals should also be a focus. Be sure to identify a realistic number of goals that are achievable and measurable. Not all goals will be measured quantitatively, but when discussing goals, explore with staff how success will be measured. Goals need not be directly tied to specific problems. The following are some sample compliance department annual goals:

• Ensure compliance in the organization’s activities.

• Develop and maintain clear lines of communication with key personnel throughout the organization.

• Provide diverse educational opportunities to meet the demands of the organization and its community.

• Create and maintain quality compliance resources that are easily accessible.

• Promote the Code of Professional Ethics for Compliance and Ethics Professionals.

• Elevate awareness and increase participation regarding compliance issues.

• Expand the collaborative relationships with key stakeholders.

• Maintain an open-door policy that fosters confidentiality and trustworthiness.

The more active a role the staff members take in developing the mission statement, especially the goals, the more they will feel ownership of the mission and goals, and the more likely they will succeed at achieving them.

No matter how the goals are determined, it is important that they be effectively and regularly communicated to the department staff. Discussing and measuring progress along the way, with updates at regular staff meetings, will contribute significantly toward progress. Assigning a department “liaison” for each goal can also contribute to ownership and stimulate progress. A department retreat will facilitate communicating goals to staff. Any goals that come to the department from executive management should be communicated and incorporated into tracking and measuring practices.

Annual Compliance Report and Evaluation

Consider creating an annual compliance report. The compliance department will provide a detailed annual compliance status report to the board of directors or the board of trustees and the organization’s executive management. An annual compliance report, however, is a different document, one meant for all staff. The annual compliance report is the program’s opportunity to communicate its mission and goals to the organization and provide benchmarking data. It is also an opportunity to talk about the organization’s compliance success stories, thereby reinforcing positive images of compliance and fostering support. Thanking compliance champions and those who came forward to identify problems provides positive reinforcement organization-wide. The all-staff annual compliance report need not be glitzy and expensive. The point is to get the word out and build support for the program. Use the data that you’ve gathered and show your enthusiasm. It can be contagious.

Once a compliance program is up and running, it needs ongoing evaluation and updating based on findings. Getting in a routine of regular review can be difficult; indeed, it can be as daunting as getting a program started. Here are some aspects to remember when evaluating the program:

1. Look to your compliance program. Meet with the compliance committee to discuss and document current position and possible next steps.

2. Take small steps. Make preliminary attempts at next steps with full knowledge that there may be some missteps along the way.

3. Review lessons learned. Gather the key takeaways and lessons for those preliminary attempts.

4. Examine what still needs to be addressed. With your compliance committee, decide how to incorporate what you’ve learned with what you still need to do.

Remember: compliance is an ongoing process.

Program Development and Maturity

Compliance programs usually start small and continue to mature over time. Avoid trying to achieve everything overnight. Building a compliance program is a process that takes thought, consideration, and time.

Structure is the critical first step. Give consideration as to what your compliance program will be called. You may have noticed that some organizations have compliance programs, others have integrity or ethics programs. They are often considered synonymous, but a subtle distinction can be made between the terms. The title “compliance program” implies a primary concern with following rules and regulations, whereas the title “integrity or ethics program” puts the emphasis on values and doing the right thing. There may be differences in approach and subtleties of content, but there are basic elements common to both compliance and integrity or ethics programs. Whatever the title of the program, these common elements should form its basis (although for convenience, the term “compliance program” is used throughout). Each organization must pick a title—or perhaps create an entirely new title—depending on its needs and culture. The title needs to accurately reflect the focus of the program, i.e., values-based (ethics or integrity) versus rules-based (compliance) versus a hybrid approach for the title—which might be the organization’s Ethics and Compliance Program.

When building a compliance program, survey departments to determine what compliance-related activities are already occurring in your organization to comply with applicable rules/regulations. In the US, these areas might include employment and labor laws, employee and environmental safety, purchasing and supply chain, research, finance, requirements for publicly traded organizations, defense, energy and utilities, banking, privacy, and contract agreements. Every industry is subject to the regulations and guidance of regulatory bodies such as the United States Sentencing Commission (USSC), Food and Drug Administration (FDA), Environmental Protection Agency (EPA), Federal Information Security Management Act (FISMA), Federal Deposit Insurance Corporation (FDIC), National Institute of Standards and Technology (NIST), Securities and Exchange Commission (SEC), Occupational Safety and Health Administration (OSHA), Federal Communications Commission (FCC), and Federal Trade Commission (FTC). Demonstration to the regulatory agencies and stakeholders that you are committed to engaging in compliant behavior—in all that you do and everywhere that you conduct business—is important for every organization. This will occur with the implementation of a formal compliance program, which allows the organization to identify employees who are potential “bad actors.”

Discussing basic components of compliance programs for organizations doing business in the United States is the focus of this book. However, most principles of a sound compliance and ethics program are applicable to organizations worldwide and have been adopted into international standards.

There are many definitions of a compliance program. On a basic level, it is about education, prevention, detection, collaboration, mitigation, and enforcement. It is a system of processes, policies and procedures, and controls that are developed to ensure compliance with all applicable rules, regulations, contracts, and policies governing the actions of the organization. A compliance program is not merely a piece of paper or a binder on a shelf. It is not a quick fix to the latest hot problem. And it is not a collection of hollow words. A compliance program—an effective compliance program—must be a living, ongoing process that is woven into the fabric of the organization and that demonstrates commitment to the organization’s values and ethics as well as compliance with applicable laws and regulations. An effective program assists individuals within the organization to be aware of and understand the expectations to do the right thing.

To achieve this goal, a small organization may need to work with compliance liaisons/ambassadors to help fulfill the compliance mission. Compliance officers usually find themselves with multiple roles in the organization and the compliance committee is much smaller. Having compliance liaisons/ambassadors expands the compliance program’s reach and helps get the word out to others throughout the organization. These positions can champion the compliance message through education, identifying and escalating issues in their respective areas, and helping to explain the purpose and focus of the compliance program. It is important to ensure that the selected liaisons/ambassadors are credible, trusted, and can serve as advisers to the compliance program.

As an organization’s compliance programs matures, you can begin to benchmark against your program. This process helps to determine if your program is effective. You will better understand the organization’s risks and mitigation plans that need to be put in place. Data analytics are useful for this process and help drive compliance programs to the next level.

A compliance program is never finished; it should always be a work in progress. You must work to expand your program to fit the needs of your organization. Never be satisfied with the status quo. Look at the big picture. Add new areas to your program—many programs begin with a key risk, but other risk areas also need attention. As new information is released from industry and regulatory agencies, your program will need to expand to encompass these changes. The compliance officer needs to constantly be on the lookout for ways to enhance and strengthen the compliance program.