Although a one-size-fits-all compliance and ethics program does not exist, Chapter Eight of the Guidelines Manual[3] outlines seven basic compliance elements that can be tailored to assist organizations in developing an effective compliance and ethics program. It is critical that there is demonstrated commitment to these seven basic elements:
- Standards, policies, and procedures
- Compliance program administration
- Communication, education, and training
- Monitoring and auditing
- Internal reporting systems
- Discipline for noncompliance
- Investigation and remediation measures
Every organization strives for an effective program, in the hope of gaining some level of protection for having one. In addition, the elements have been refined by the compliance and ethics industry as they have been implemented in actual compliance and ethics program models. The industry has now defined the following as the components of an effective compliance and ethics program (not all inclusive):
- Code of conduct and relevant compliance policies and procedures
- Oversight and accountability by the board for the compliance program
- Education, communication, and awareness
- Delegation of authority
- Enforcement, discipline, and incentives
- Monitoring and auditing
- Internal investigations, including a root cause analysis and corrective action plans
- Consistent and fair discipline
- Risk assessments
- Effectiveness assessments of the compliance and ethics program
- Ongoing program improvement
While the cost and the time involved may seem daunting, the cost of not having an effective compliance and ethics program could be much higher. Compliance is not cheap. Yet as a Department of Justice official notes, “[C]ompliance programs make good sense—both good common sense and good business sense. Compliance programs help prevent companies from committing crimes in the first place. Even if they fail to do so, partially successful compliance programs may help companies qualify for leniency. Either outcome easily warrants your companies’ efforts to adopt and strengthen compliance programs.”[4] An effective compliance and ethics program is a sound investment.
It is always important to note that each organization needs to tailor its compliance and ethics program to its specific mission and ethical values. Your organization may have stricter guidance that includes additional elements. This manual does not include every compliance and ethics element used by every organization globally. But it tries to address the standard used by most organizations—the elements listed above.
Additionally, note that while the seven elements provide a standard structure and framework for the compliance program, every compliance program can and should look different from another organization’s compliance program. A compliance program should be tailored to the size and complexity of the specific organization and should be operating according to that organization’s unique risk profile. And as your organization changes, the risk profile evolves, and the regulatory landscape shifts, the compliance program must keep pace and evolve to remain effective.
Many new compliance and ethics officers come into programs that have none of these elements. Some come into their new office with some or broken pieces of these elements. Keep in mind that effective compliance programs do not happen overnight.
Element 1: Standards, Policies, and Procedures (a Code of Conduct)
An organization should have an established set of compliance standards and procedures. These standards should not be a “paper only” document, but a living document that promotes organizational culture that encourages ethical conduct and a commitment to compliance with applicable regulations and laws.
The first of the Guidelines Manual’s prescribed compliance elements requires that “The organization shall establish standards and procedures to prevent and detect criminal conduct…‘Standards and procedures’ means standards of conduct and internal controls that are reasonably capable of reducing the likelihood of criminal conduct.”[5] These two documents, the standards or code of conduct and the policies and procedures, become the tools upon which you can build your compliance and ethics program.
Code of Conduct
First and foremost, the code of conduct demonstrates the organization’s overarching ethical attitude and its system-wide emphasis on ethics and compliance with all applicable policies, laws, and regulations. The code is meant for all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. This includes the board, management, staff, vendors, suppliers, volunteers, and independent contractors; the last four are frequently overlooked groups. From the board of directors to volunteers, everyone must receive, read, understand, and agree to abide by the standards of the code of conduct. The code should be written in a simple and concise manner that is reader friendly. Scenarios and examples are great for explaining how to handle a situation. An eighth-grade reading level is recommended. Simple and concise does not mean generic, however. The contents of the code of conduct will need to be tailored to the organization’s culture and risk profile and to its industry and corporate identity. Also, institutions with a diverse constituency should consider providing the code of conduct in a foreign language, or even braille as appropriate. Policies and procedures should not be included in the code, but links to those that are relevant should be considered for inclusion.
The code of conduct provides a process for proper decision-making for doing the right thing. It elevates corporate performance in basic business relationships and confirms that the organization upholds and supports proper compliance conduct. Managers should be encouraged to refer to the code of conduct whenever possible, even incorporating elements or standards into performance reviews, and compliance with the standards must be enforced through appropriate discipline when necessary. Disciplinary procedures should be stated in the standards, and the penalty—up to and including termination—for serious violations of the standards of conduct must be mentioned to emphasize the organization’s commitment.
Content Checklist
- Demonstrates system-wide emphasis on compliance with all applicable laws and regulations
- Written plainly and concisely so all employees can understand the standards
- Translated into other languages, as appropriate
- Includes links to internal policies and external regulations
- Includes expectations for employee actions with internal affairs and other employees, as well as with external affairs and contractors and clients
- Mentions organizational policies without completely restating them
- Is consistent with company policies and procedures
- Includes management’s responsibility to explain and enforce the code
Communicating to Employees Checklist
- Employees must receive, read, and understand standards
- Compliance officer, supervisor, or qualified trainer explains standards and answers questions
- Employees attest in writing upon hire and annually that they have received, read, and understood standards
- Employee compliance with standards enforced through appropriate discipline when necessary
- Discipline for noncompliance with the code stated in standards
Purpose Checklist
- To present overarching guidelines for employees to follow
- To confirm that all employees comprehend what is required of them
- To provide a process for proper decision-making
- To require that employees put standards into everyday practice
- To elevate corporate performance in basic business relationships
- To confirm that the organization upholds and supports proper compliance conduct
In addition, see Appendix 2-A, “Sample Letter to Vendors,” for an example of a letter describing the company’s code of conduct.
Policies and Procedures
Whereas a code of conduct provides guidelines for business decision-making and behavior, the compliance and ethics policies and procedures are specific, and address identified areas of risk. Most organizations already have an employee manual that outlines all human resource-related policies and procedures, and they may have other operational policies and procedures specific to certain business practices or operations. Whenever possible, compliance policies and procedures should be integrated into existing policies, and all policies within an organization should be consistent with laws, regulations, industry requirements, and general compliance. In fact, as part of the implementation of a compliance and ethics program, and while in the process of drafting compliance policies and procedures, all other policies within the organization should be reviewed and revised as necessary. While it is imperative that the organization have policies and procedures, it cannot be emphasized enough that the only thing worse than not having a policy is having a policy and not following it.
Develop your policies and procedures carefully. Organizations should have procedures that guide the development of policies. Take care that they are realistic, measurable, and enforceable. Lofty goals and platitudes may seem appealing, but they are too frequently open to interpretation. Involve those who are affected by the policy in its development. Ensure that the policies have a stated timeline for revisions and that someone is identified as accountable for each policy.
Two types of compliance policies and procedures should be developed by every organization: structural and substantive. The structural policies create the framework—the nuts and bolts of how the compliance and ethics program will operate. The substantive policies define the applicable regulations that apply to the organization and how to operate compliantly within those regulations. They also indicate the risk areas applicable to an organization and describe appropriate and inappropriate behaviors about those risk areas. Both the structural and the substantive policies and procedures are essential to a compliance and ethics program so that the rules to which employees will be held accountable and the method for enforcing the rules are clearly documented.
Structural policies and procedures should be developed to address the following:
- Directives or mission of the compliance and ethics program
- Revision of existing and creation of new policies and procedures (including distribution and updating requirements)
- Compliance program oversight, including role and responsibility of the board of directors, the CEO, the compliance officer, and the compliance and ethics committee, if applicable
- Educational requirements
- Nonretention of sanctioned individuals and noncontracting with sanctioned contractors or vendors
- Policy for method for anonymous reporting and nonretaliation for reporting[6]
- Auditing practices
- Monitoring practices
- Method for responding to reports of possible misconduct
- Method for responding to internal and external requests for documents or to external investigations, search warrants, and/or subpoenas[7]
- Disciplinary action plan
- Self-disclosure process
- Record retention
- Operational accountability[8]
Substantive policies and procedures should be developed to address the following:
- Process for preparing financial reports (including preparation of worksheets and supporting documents)
- Process for preventing inappropriate actions in specific risk areas
- Process for ensuring appropriate behavior in specific risk areas
- Types of and processes for internal assessments of risk areas
- Content and frequency of audits
- Documentation requirements
Policies and procedures, like the code of conduct, must be living documents, not just in a binder on a shelf or online. They must become an integral part of the day-to-day operations of the organization. That is what regulators will look for. Are the policies and procedures appropriate, considering the organization’s risks? How are the policies and procedures applied every day? Are they incorporated into performance reviews? Educational programs? Are they reviewed and updated according to a schedule and in a timely fashion? Revising policies and procedures is something like painting the Golden Gate Bridge: Just when you think you’re finished, you have to start again at the beginning. Again, standards of conduct, policies, and procedures are the tools of compliance and ethics, but they must be used and sharpened to be effective.
Element 2: Compliance Program Administration
An organization should have the appropriate high-level personnel overseeing the compliance and ethics function, with a specific executive given overall responsibility. These compliance personnel should have accountability as to the success or failure of the compliance and ethics program. Adequate resources must be dedicated to implementing the program. The organization’s governing structure—in many cases the board of directors—must exercise reasonable oversight of the implementation and effectiveness of the program.
An organization should designate a compliance officer to serve as the focal point for compliance activities. Whether the position is full time or part time will depend on the size, scope, and resources of the organization. Also, according to the Guidelines Manual, assigning the compliance officer appropriate authority is critical to the success of the program. On a specific level, for example, the compliance officer must have full authority to access any and all documents that are relevant to compliance and ethics activities. This includes documents such as financial statements and supporting documents, contracts with suppliers and agents, and other billing and accounting records. In the big picture, “appropriate authority” comes from the unquestionable backing by the CEO and board of directors or its equivalent, typically the sources of ultimate authority and respect.
Appropriate authority and the full backing of the board of directors and management are consistent with the Guidelines Manual’s call for “Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program….To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.”[9] This is logical, because it is generally the board that launches the compliance initiative and/or approves the hiring of the compliance officer. Board members should be actively involved in interviewing and hiring the compliance officer. The board will be an important part of the compliance officer’s reporting structure.
There are considerable conflicts involved in having the compliance officer report to the general counsel or to the chief financial officer. Separation of compliance from legal and finance, when possible, helps ensure that legal reviews and financial analyses are independent and objective. Many compliance officers report directly to the organization’s CEO and/or the board of directors. It is most important that the compliance officer be independent.
The size and setting of your organization will influence its reporting structure. It is recommended that the board or its appointed committee have at minimum a “dotted line” or indirect reporting relationship with the compliance officer.
The compliance officer’s duties also will vary depending on size and scope of the program. The main focus of the position should be the day-to-day operations of the compliance and ethics program. Primary responsibilities should include the following:
- Designing, implementing, overseeing, and monitoring day-to-day operations of the compliance and ethics program
- Reporting on a regular basis to the organization’s governing body, CEO, and compliance and ethics committee
- Assessing effectiveness of the compliance program and revising the program periodically as appropriate
- Developing, coordinating, and participating in a multifaceted educational and training program
- Ensuring that independent contractors and agents are aware of the organization’s compliance and ethics program requirements
- Serving as a source of information for employees, management, contractors, and the board
- Ensuring that appropriate background checks are done to eliminate sanctioned individuals and contractors
- Assisting with internal compliance review and monitoring activities
- Independently investigating and acting on matters related to compliance
- Conducting risk assessments and working with management to prioritize risk and develop mitigation plans
Compliance is still a relatively new field. Most compliance officers therefore may not have extensive previous experience in compliance. This unique position requires an individual who understands the nature of the business or industry, is capable of understanding and questioning financial and billing statements, is knowledgeable of applicable legal requirements and sanctions that may be imposed in the industry for wrongdoing, has strong written and verbal communication skills, and is firm yet approachable. Whatever the tenure or the educational level, the compliance officer, as the focal point of the program, must be a figure who is respected and trusted throughout the organization. Strong interpersonal skills, good listening abilities, and discretion are mandatory. (See Appendix 2-C, “Sample Compliance Officer Job Description.”)
As the compliance and ethics profession has grown and matured, it has, like other professions, sought to identify and distinguish those in the field who have, with experience and education, achieved the necessary skill set to be an effective compliance officer. There are now several compliance-related certification and degree programs.
Moreover, compliance officers are also stewards of a public trust, and therefore the services provided must be of the highest standards of professionalism, integrity, and competence. The SCCE’s Code of Professional Ethics for Compliance and Ethics Professionals addresses three principles, which are broad standards of an aspirational nature. They include:
Principle I: Obligations to the Public—Compliance and ethics professionals should abide by and promote compliance with the spirit and the letter of the law governing their employing organization’s conduct and exemplify the highest ethical standards in their professional conduct in order to contribute to the public good.
Principle II: Obligations to the Employing Organization—Compliance and ethics professionals should serve their employing organizations with the highest sense of integrity, exercise unprejudiced and unbiased judgment on their behalf, and promote effective compliance and ethics programs.
Principle III: Obligations to the Profession—Compliance and ethics professionals should strive, through their actions, to uphold the integrity and dignity of the profession, to advance the effectiveness of compliance and ethics programs, and to promote professionalism in compliance and ethics.[10]
These principles and the accompanying more detailed rules of conduct should be reviewed, studied, and adhered to by all compliance officers. To view the entire code and an analysis of its meaning, see Chapter 1.
The compliance officer may be the focal point of a compliance and ethics program, but they cannot be the only point. An essential role of the compliance program is engaging leaders, managers, and employees, so those in the organization understand that being compliant is everyone’s responsibility.[11] The formation of a multidisciplinary compliance committee can be an effective addition to the program and can help empower leaders and managers to actively promote compliance and “own” compliance in their areas of purview. The compliance committee should be established to advise the compliance officer, assist in the implementation of the compliance program, and further engage leaders and/or managers in compliance. The organization will benefit from having varying perspectives, such as operations, finance, audit, human resources, social work, and legal, as well as employees and managers of key operating units on the committee.
The compliance officer’s role within the compliance committee can vary. In some organizations, the compliance officer sits on the committee. In others, the compliance officer may even chair the committee. Regardless of who chairs the committee, the compliance department will likely be responsible for scheduling meetings, preparing the agenda, taking and distributing minutes, and coordinating follow-up.
Compliance committee functions, in addition to aiding and supporting the compliance officer, may include, but not be limited to, the following:
- Analyzing specific risk areas
- Assisting with the development of standards of conduct, policies, and procedures
- Annually reviewing the compliance plan
- Reviewing relevant industry guidance and new information regularly and integrating it into the compliance and ethics program
- Determining the appropriate strategy to promote compliance
- Participating in the risk assessment process
- Empowering and helping hold accountable operational leaders and managers for compliance in their areas of purview (i.e., reporting on specific risk remediation efforts and internal controls)
The importance and potential influence of the compliance committee cannot be overstated. Look for committed individuals who will be strong, visible, and vocal advocates for the compliance and ethics program. Furthermore, the committee should be made up of individuals representative of each unique department in the organization so that they can communicate to the rest of the committee and the compliance officer the compliance and ethics activities and risk areas within their department, and in turn communicate back to their respective departments the organization’s compliance and ethics requirements. The committee is a vital source of information both to the compliance officer and the rest of the organization.
Element 3: Communication, Education, and Training
This element carries the living standards of conduct forward into daily practice. An organization should build routine general compliance education, focused education, communication, and awareness of its compliance and ethics program into its everyday organizational structure.
Education and training are the first—and possibly the most important—lines of defense for a compliance and ethics program. In a time in which the pages of regulations governing industry and business practices number in the hundreds of thousands, education is the best strategy for prevention. Training should be separated into two sessions. The first is an annual general session on compliance and ethics for all employees. The second session would cover more specific information for appropriate personnel.
Ten Things to Include in Your Basic Compliance and Ethics Course
- Information on the code of conduct
- Your organization’s specific compliance and ethics philosophy
- Employees’ obligation to report suspected noncompliance
- Nonretaliation policy
- Policies regarding confidentiality
- Hotline and other compliance program contact information
- Expectation that vendors will meet the same compliance and ethics standards as staff
- Levels of discipline for employees involved in compliance and ethics violations
- Expectation that all identified issues will be investigated by the compliance office in a timely manner
- Proper retention of documents
General training sessions are meant to heighten awareness among all employees and communicate and emphasize (and then update and reiterate) the organization’s commitment to ethical business behavior, which affects all employees. The organization should designate in a policy the number of general compliance educational hours per year that each employee will be required to take. For a frame of reference, a minimum of one hour annually for basic training in compliance and ethics areas should be required for any compliance and ethics program. As noted earlier, all employees should receive a copy of the standards of conduct and the key compliance and ethics policies and procedures. These, plus basic information about the organization’s compliance and ethics program and how it operates, are the core of general training.
Examples of general education are:
- Ethics
- Code of conduct
- Hotline
- Employees’ obligation to report suspected issues of noncompliance
Specific/focused training in high-risk areas is critical for specialized personnel. These employees should be given general compliance and ethics training with an emphasis on compliance and ethics risk areas specific to these employees’ job functions. It may be more appropriate to provide this specific training, which goes above and beyond the general training, in the form of one-on-one or on-the-job training to ensure that compliance and ethics is integrated into the employee’s daily activities and doesn’t remain a theoretical concept.
Examples of focused/specific education are:
- General prohibitions on paying or receiving remuneration to induce business referrals
- Proper preparation of financial statements
- Proper preparation of truthful marketing and advertising materials
- Proper documentation of services rendered or items provided
- How to identify misconduct
A written annual education plan should outline what roles should be trained, what content they should be trained on, duration and timing, educational methods, etc. Include not only employees, managers, and leaders in your education plan, but also volunteers, vendors, contractors, board members, and other relevant members of your organization. In the education plan for specific departments, consider individual department content needs, timing, methods, duration of training, and a strategy for securing managerial buy-in. An uncooperative manager can directly or indirectly, consciously or unconsciously, deter staff from attending. The manager must emphasize the importance of training by encouraging employee attendance. That may mean juggling schedules or requiring others to “pick up the slack” during education sessions when a unit may be left shorthanded. Consulting with managers in advance about content needs, and especially timing issues, can prevent conflicting priorities later.
Adult learning styles vary. Some learn through listening, others through seeing, and many by doing. So, to keep education vital and engaging to a diversified staff, the key is to develop a variety of educational formats (e.g., videos, lectures, brown bag lunches, and roundtable discussions). Brown bag lunches and roundtable discussions can be especially effective for targeting a specific training need, and they can provide feedback to the trainers and ultimately to the compliance and ethics personnel as to what is going on in the departments. Your organization may already have various forums you can tap into, such as department meetings or all-staff meetings for targeted education. Look for ways compliance and ethics education can fit into the ways employees are being educated on other issues; integrate compliance and ethics into existing training so it blends with the fabric of the organization.
Ideas for Training Adult Learners
- Make it relevant
- Use real-life scenarios
- Encourage interaction
- Begin with the end in mind
- Teach to all types of adult learning styles
  - Those who learn through listening (use active repetition, songs, skits, etc.)
  - Those who learn through seeing (use handouts, videos, PowerPoint presentations, etc.)
  - Those who learn by doing (use hands-on projects, role-playing, etc.)
- Use resources wisely
  - Live training may be most effective but unrealistic for very large organizations
  - Use live training for orientation of new employees, new complex regulations, and remedial education
  - Online training courses may not be perfectly tailored to an organization, but may still convey the general compliance concepts appropriately, track who has and has not been trained, and use resources more efficiently
  - Provide longer, more intensive training sessions to employees in certain areas of responsibility and more general compliance and ethics training to all other employees
Should compliance and ethics education be voluntary or mandatory? At the end of general training, every employee, as well as contracted consultants, should be required to sign and date a statement that confirms their knowledge of and commitment to the standards of conduct. This attestation should be retained in the employee’s personnel file. If the organization decides to make the general compliance education mandatory, it should be enforced. Penalties for those who do not take the education should be communicated and enforced.
Sample Attestation/Acknowledgement Form
This is to acknowledge that I have received and reviewed Our Organization’s Code of Conduct. I agree to comply with the standards contained in the code and all related policies and procedures, as is expected as part of my continued employment or association with the organization. I acknowledge that the code is only a statement of principles for individual and business conduct and does not constitute an employment contract. I will report any potential violation of which I become aware promptly to my supervisor or the compliance officer. I understand that any violation of the code of conduct or any corporate compliance policy or procedures is grounds for disciplinary action, up to and including discharge from employment.
Date
Name (please print)
Signature
Ideally, educational opportunities will become more plentiful and easier to attend, and word will spread about their value. Ultimately, those who should attend will realize it will benefit them as well as the organization. While 100% attendance may be difficult to achieve, organizations should implement a policy and then hold employees accountable. A note or a personal call to a supervisor asking for support can be effective. Ultimately, the goal is to show improvement in educational attendance.
Other organizations take a harder line. For example, some organizations offer training free of charge for two months. During that time, educational sessions will be scheduled at practically any time, including nights, weekends, and holidays to best accommodate all employees’ schedules. For those who choose not to attend during the two-month window, their department will be billed $100 for the same training in subsequent months that would have been “free” to the department the previous two months. Moreover, scheduling of the make-up sessions is not as accommodating. In the fourth month, the charge continues to go up. This strategy can be very effective, but it requires the support of the executive staff and finance office.
The benefits of compliance and ethics education and training must be communicated from the top. Attendance by top management, especially at an annual basic program, sends a powerful message. If the CEO can make time, others will follow suit. Other incentives include multiple offerings at alternative times to facilitate attendance. Also, consider the time commitment involved. Everyone today is too busy. Explore with unit managers the pros and cons of two one-hour sessions versus one two-hour session, for example. Food, even simple fare such as donuts, however trite it may sound, does serve as an incentive. Achieving 100% attendance will never be easy. You will need to be creative to find ways to motivate voluntary attendance.
It should be clear by now that compliance cannot be a one-shot educational event. Your compliance and ethics committee can help in assessing the best approach for such issues as whether to make education mandatory or voluntary and how to structure education and training options within the organization. Again, your organization’s culture is the driving force. Education is your best strategy for prevention. The old adage still rings true: An ounce of prevention is worth a pound of cure. Remember to tend to your own educational needs as well. The more you know, the better you can identify and meet the educational needs of employees.
Element 4: Monitoring and Auditing and Risk Assessment
An organization should have in place a system and schedule for routine monitoring and auditing of organizational transactions, business risks, controls, and behaviors. The organization’s system should use a consistent process and generate consistent data. Audits should include a review of the response and resolutions applied during the period, both proactive and reactive.
An effective compliance and ethics program is a process of constant assessment. No one can expect 100% compliance from day one. The key is to strive for it and have a process for continually improving on compliance and ethics activities. Regulators’ emphasis on assessment, and on the resulting ongoing program improvement, is evident in deferred prosecution agreements, which call for regular monitoring at least annually.
Regulators call for audits to focus on programs or divisions, including external relations with third-party contractors, especially those with substantive exposure to government enforcement action.
Risk Assessment
A compliance risk assessment will provide a broad baseline risk platform, a snapshot, or essentially a list of all the compliance risks that need mitigation. Management should be involved in identifying the organization’s risks. As previously discussed, performing risk assessments in collaboration with the compliance committee is a great way to leverage diverse perspectives and connect operational leaders and managers with risk mitigation. Once the risk matrix is developed, each risk should be scored according to its level of risk to the organization and prioritized, and controls should be identified. The last step is to develop a work plan to assure that prioritized risks are mitigated.
It is suggested that you identify whether your organization already performs some type of risk assessment. Enterprise risk management (ERM) processes are common among most industries today. It can be beneficial to combine compliance and ethics risk assessment with your organization’s ERM or other type of risk assessment. If the ERM or risk assessment has not had a compliance and ethics component previously, you should conduct a risk assessment of compliance and ethics areas. If you are starting without the assistance of a current company-wide risk assessment, materials relating to ERM processes or risk assessments will be beneficial to you in developing a risk assessment methodology. There are also many vendors who will assist you in developing and performing your risk assessment.
There are certain risk areas common to many types of organizations that should be assessed:
- Contractual issues
- Financial reporting
- The Foreign Corrupt Practices Act
- Privacy
- Security
- Record retention
- Marketing
- Conflicts of interest
- Other
Other risk areas to be reviewed will depend on the type of organization. For example, publicly traded companies should have their financial statements and supporting worksheets audited regularly. Nonprofit organizations should monitor that their mission is being fulfilled and earmarked funds are being used appropriately. Government contractors should include the examination of whether illegal kickback arrangements have been entered into in their risk assessment. Food distributors should ensure that all Food and Drug Administration regulations are being met. Restaurants should monitor compliance with the Department of Health’s requirements. Any areas of risk previously identified either internally or by an outside agency should be looked at carefully and regularly.
The risks identified during your assessment will be used to formalize the components of your compliance and ethics program. The identified risks will also assist you in prioritizing your efforts toward an effective compliance and ethics program. It is suggested that you perform an overall risk assessment not just as a baseline or annually, but on an ongoing basis. The ongoing risk assessment will help you monitor the progress of your program (e.g., if a risk level is lowered year after year, your controls and program are effective), as well as identify any new risks that have developed. Keep in mind that any time you identify a new risk, it should be prioritized into your existing risk profile.
Auditing and Monitoring
You should routinely audit and monitor the success of your program. A concurrent or prospective audit will identify and address potential problems as they arise and before they cause harm to another party. If a problem does indeed exist, you will be required to correct the related process and any policies or procedures that reflect the process and communicate the change to all affected parties. Then you will need to go back in a predetermined amount of time (e.g., three months and perhaps again in six months) to review the process and resulting documents to ensure that the problem has been resolved. Repeated review may determine that further corrective actions are necessary, including disciplinary action against employees who continually fail to correct the problem after repeated retraining.
Monitoring, or regular review, is also necessary to determine whether compliance elements, such as dissemination of standards, training, and disciplinary action, have been satisfied. It also will target potential deficiencies and areas where modifications might be in order. A good place to begin an internal assessment is interviewing employees. Employees have a wealth of knowledge, and surprisingly, they often enjoy participating in the process of improving the organization they work for and will offer an unexpected amount of information. Ask them openly about risk, their daily activities, and if they feel the established processes and procedures are sound. Ask if the policies and procedures are followed. Periodically send out questionnaires to staff for feedback or conduct focus groups. Remember to always reassure employees that the organization maintains a strict nonretaliation policy, and that employees will not be retaliated against for reporting suspected misconduct.
Set up systems for regular and sometimes random review of records, both final documents (e.g., invoices, cost reports, financial statements) and supporting documents (e.g., invoices, worksheets, notes, legal opinions, financial analyses, schedules, budgets, expenses). Data collection and tracking are the heart and soul of review because they provide trend analysis and a measure of progress. The government recommends the compliance officer or reviewer consider the following techniques:
- On-site visits
- Interviews with personnel involved in management, operations, contracting, marketing, finance, and other related activities
- Questionnaires developed to solicit impressions of a broad cross section of the organization’s employees and staff
- Reviews of written materials and documentation prepared by the different divisions of the organization
- Trend analyses or longitudinal studies that seek deviations, positive or negative, in specific areas over a given period
- Reviews of internal and external complaints filed
- Inclusion of compliance and ethics language in job descriptions and performance evaluations
- Inclusion of compliance-related questions in exit interviews (responses to which should be reported to the compliance officer)
- Sample compliance-related exit interview questions:
  - How do you feel about communications in your unit?
  - How about communications overall?
  - How do you think the organization lives up to its code of conduct?
  - Do you have any concerns about ethical issues or compliance-related practices? If so, please explain.
(See Appendix 2-D, “Sample Audit Review Form.”)
Who is responsible for coordinating the monitoring and for conducting the internal audit? Is this an internal auditor’s responsibility, the compliance and ethics office’s responsibility, or perhaps a combination of the two? First, to avoid duplication or overlap, consider if there are other departments in your organization performing audits. Start with the finance department and the regular financial statement audits usually provided by outside certified public accountant consultants. Also, quality improvement or quality assurance activities are usually underway at all levels of the organization. These activities can dovetail with the monitoring and auditing elements of an effective compliance and ethics program. Auditors will need experience in the areas they are observing. Consider internal ad hoc groups—compliance SWAT teams—to monitor specific issues or review potential problem areas. References should be carefully checked for any outside auditors employed by the organization.
Any questions posed to or communications with government offices, regulatory agencies, or industry associations will be taken into account in an audit or review. The larger your organization, the greater the difficulty documenting such contacts. Be sure to take notes when you have a telephone conversation with the government or other regulatory agency. Ask for written confirmation of the information provided, and always keep your own notes of the conversation, including the date, time, and contact name, as well as the specifics of the conversation.
Audits and reviews must be documented and reported. Regulators call for regular reporting to senior company officers. For example, government guidance calls for written evaluations to be presented to the CEO, governing body, and members of the compliance committee no less than annually. When a facility is part of a larger corporate entity, monitoring and auditing activities should be a key feature of any annual review. Appropriate reports on audit findings should be periodically provided and explained to a parent organization’s senior staff and officers.[12]
Reports to management, the governing body, and the compliance committee should include findings or suspicions of misconduct with an action plan to address and resolve the potential problem.
If Your Audit Finds a Government Issue
If the investigation finds that there was no violation, all is well. However, if, after the internal investigation, there is reason to believe the organization’s misconduct constituted a material violation of law, then the organization, in collaboration with counsel, must take steps to disclose the violation to the government.
Voluntary disclosure is not only the right thing to do; it also provides certain financial advantages, as fines may be reduced, and administrative advantages if a good faith effort to comply creates a more pleasant working atmosphere between the organization and the investigators. Voluntary disclosures should be conducted under advice of counsel.
Types of Issue Investigation Questions
What is the origin of the issue? An accounting concern may be the result of a systematic practice, a third-party inquiry, or misconduct by individuals. A systematic, noncompliant accounting practice may have been tied to a new system implementation or the result of faulty advice received from a consultant.
When did the issue originate? A systematic accounting practice may warrant internal inquiry into the origin of the practice and the extent of its impact on the organization. Improper accounting methods by one individual may require scrutiny of their entire employment history as well as a review of directions that person may have received from management.
How far back should the investigation go? Investigation standards for one organization may not apply to another. Some will begin by reviewing the past year’s accounting records. Others may start with a month of prior records. Regardless of the methods used, key stakeholders must determine the parameters of their investigation based on a reasonable approach that is justified under the circumstances.
Can extrapolation of a statistical sample be used? Statistical sampling and extrapolation may be warranted for some investigations, especially in the healthcare arena, where it is often too difficult or costly to determine the exact cause of a problem that involves improper billing. Caution is warranted, however. Samples of improper billing, for instance, may not accurately represent all of an organization’s billing practices.
It is understood, of course, that any identified problem must be corrected immediately. Restitution of overpayments especially should be prompt, and when the problem is rectified, the issue should be added to the list of topics to be addressed with regular internal monitoring.
It is also possible that an enforcement agency could approach the organization with information about an alleged violation. When such an investigation is underway, rumors and speculation will run rampant. It will be especially important to keep staff informed about what is going on. Consider different ways to get the message out to employees. For example:
- A high-ranking official in the organization should send an all-staff memo or email
- Hold an all-staff meeting to get the word out and answer questions
- Keep managers and department heads updated so they can “drill down” the message
- Provide opportunities for feedback and more questions from staff
Most importantly, the organization’s policies and procedures should include instructions for employees on what to expect and how to handle contact from the government about an investigation. Legal counsel must be actively involved in drafting these policies. Search warrant policies and procedures should clearly identify who is responsible for carrying out those procedures (usually the legal department). In the event of an on-site government investigation, legal counsel must be notified immediately, and to the extent possible, all nonessential employees should be sent home or relocated during the government search. The search warrant should be carefully reviewed to ensure only identified documents are seized. Also, the compliance officer should be present during the search, keeping a detailed, written account of all activities and an itemized inventory of documents inspected or removed from the premises.
Delegation of Authority
An organization should have assurances that discretionary authority is not delegated to personnel who are likely to act illegally. It is imperative that your organization maintains control of two components for this issue. First, the organization must ensure that the individuals who sit in positions of authority are individuals the organization can trust in such positions. Drug screenings, background checks, and references will increase your confidence that you have met the element with new employees. The application form itself should ask the applicant to note any incidents of criminal conviction or exclusion action. This proactive strategy can prevent hiring a sanctioned individual (itself prohibited by the government). Such cautions apply to contracts with outside vendors as well. In addition, management and the board must become familiar with these individuals and not allow any particular individual to operate in a vacuum or in an unreviewable stance. This can be handled partly by policies, as discussed earlier. However, the key is that management and the board be actively involved in the workings of each authorized individual.
Second, the organization must control and maintain authority levels. The need for this element arises not only from Sarbanes-Oxley (relating to financial controls and authority), but also from legal and compliance needs. The authority levels can be classified as contractual authority, substantive authority (who can commit the company in foreign trade transactions), financial access authority, order control authority, etc. Your organizational structure will determine the actual authorities needed and the levels provided. However, the compliance professionals in your organization should always have access to view such authority levels and include such levels in yearly assessments to determine if the organization has been able to maintain adequate control.
Studies show that most major white-collar crimes involving fraud are committed by first-time offenders. Therefore, performing background checks and reference checks will not ensure that you have hired an honest employee. Involvement in every employee’s business dealings and adequate controls will give your organization a fighting chance at preventing fraud before it happens or at least early in the process.
Element 5: Internal Reporting System
An organization should have policies and procedures in place to effectively enforce the organization’s compliance and ethics program and incentivize its employees to perform in accordance with the compliance and ethics program, including the obligation to report potential problems.
Hotline Reporting
There are a variety of methods for employees to report potential problems or to raise concerns. Regulators stress the importance of communication in the compliance process. The most important reporting system is an open door, and the best reporting system is one where the employee feels comfortable approaching their supervisor and openly discussing any potential problem.
For any reporting method to be effective, employees must accept that there will be no retaliation or retribution for coming forward. The concept of nonretaliation is fundamental to the compliance and ethics program, and a clearly stated policy regarding nonretribution is the first step. (See Appendix 2-B, “Sample Nonretaliation/Nonretribution Policy.”) The dangers are real. If employees suspect there could be retaliation, no one will come forward, creating fertile ground for whistleblowers and exposing the organization to unchecked risk. Remember, however, that a limitation should be included in the policy for good faith complaints or issues. Employees who concoct or report misinformation in bad faith should never benefit from such a policy.
Confidentiality is also key. Policies and procedures should assure to the extent possible confidentiality and anonymity in all reporting processes. (See Appendix 2-E, “Sample Confidentiality Statement.”) Confidentiality is closely tied with nonretaliation. For example, the decision-making process regarding a promotion can be tainted if the supervisor has been informed of an employee-candidate’s report of a problem. Policies and procedures need to offer assurances to the employee, but also must note that resolution of a problem, which could include legal action, may in certain circumstances require disclosure of identity. Legal counsel should be involved in the review of both the nonretaliation and confidentiality policies to be sure unrealistic promises are not made.
One common reporting method recommended by the government is the hotline or helpline. There are various arguments as to whether to provide a hotline internally or externally. The size and setting of the organization must factor into the decision. A large organization may need 24-hour coverage. For smaller organizations, 24-hour coverage may not be necessary, or may only be feasible through outsourcing. Also, cost and resources needed for training staff on how to handle calls and protect confidentiality must be weighed against the costs of a professional telephone service. If you decide to outsource, the contract should include the following:
- The right to move the toll-free number to another vendor or bring it in-house
- Assurances that security of the vendor computer system equals the security provided for the data within your own system
- An electronic method of linking the incoming phone line with the computer of the person answering the call (to decrease the risk of your hotline calls being routed, even inadvertently, to another client of the vendor)
Whether a hotline is provided internally or externally, anonymity to the greatest extent possible is vital, keeping in mind that anonymity can never be promised. Hotline numbers and procedures must be clearly and readily communicated to staff, preferably not solely through a page in the employee policies and procedures manual. Permanent and prominent bulletin board postings ensure that everyone knows problems are to be reported and how to report them.
Once you have a hotline up and running, how do you assess its effectiveness? Does a high number of calls indicate an effective hotline? Not necessarily. If you have been able to create an environment where issues are raised through appropriate channels and the staff trusts they can report problems without fear of retaliation, you may not get a lot of calls. Also, in most organizations, at least 80% of hotline calls are human resources or employee relations issues (e.g., complaints about a supervisor’s behavior or a colleague’s allegedly insulting remark, or disagreements with the organization’s policy on overtime). Here again, consider your organization’s culture. The number of calls alone is not an indicator of effectiveness.
Issue Escalation and Investigations
Once a complaint is received or a question raised, it must be investigated regardless of how small it seems. Remember, to regulators, documentation is everything. All complaints must be logged and tracked. Many organizations assign a unique number to each call, so the caller can check on the status of the complaint by calling back and giving the assigned number. How the complaint was handled, by whom, and when should all be included in the documentation. (See Appendix 2-F, “Sample Hotline Information Sheet.”) The log sheet should be supplemented with a complaint-specific issue form. Noting that a complaint was received is not enough. Documentation of the specifics of the issue, the departments involved, findings, and actions taken is also necessary. (See Appendix 2-G, “Sample Compliance Issue Follow-Up Form.”) You also need a clearly stated procedure outlining the disposition of these forms—specifically, who gets copies and how information is incorporated into written reports.
There also should be a written policy and procedure regarding how calls to the hotline, or input to any reporting mechanism for that matter, will be addressed. Specific steps for an investigation should be enumerated, and such a policy must limit distribution of information to protect confidentiality and nonretaliation commitments. Hotlines can seem like a sizeable expense, but in many, if not most, organizations they are a practical investment. The employee’s options shouldn’t be limited to government-sponsored hotlines.
In addition to hotlines, most organizations have in-house email systems. With the help of the information services department, email can often be configured so that problems can be reported but the compliance officer cannot determine who is sending the email. In today’s work environment, computers are commonplace, but they are not ubiquitous. Some jobs do not require a desk with access to a computer, and a centrally located general-access terminal could compromise confidentiality. For these reasons, email should not be the only reporting system. If adopting this sort of system as part of your reporting options, remember to emphasize in your procedures that anyone who wants to hear back will need to include their name in the body of the email, as there will be no way for the compliance officer to know who sent the email.
Another reporting option is a drop box for paper reports, a variation on the old suggestion box. Regular and frequent pickups will be important and multiple locations are encouraged, but be sure not to position it in an area of the organization with a security camera.
Reporting works both ways, and the compliance officer should take every opportunity to keep in touch with all levels of staff. Regular, ongoing communication is another form of education that reiterates commitment and can facilitate prevention of problems. Compliance and ethics communication can be incorporated into existing systems—a compliance and ethics column of frequently asked questions in the organization’s in-house newsletter, posters on bulletin boards, tent cards in the cafeteria, articles on an organization’s intranet, compliance content in department staff and organization-wide town hall meetings, etc. Good channels for communication must be in place and effective when changes or additions to policy or procedures occur. You may consider an email blast for special announcements, but use these sparingly, otherwise you will risk them not being taken seriously. Whatever communication you choose to use, be sure to keep copies in a binder or file so you can document what you are communicating, how, to whom, and when. All-employee emails, articles in the in-house newsletter, pages on the company’s intranet, brief presentations at all-employee meetings, and other methods of communication will reinforce that the compliance and ethics department is available to employees and provide documentation of the organization’s commitment to a culture of compliance and ethics.
Element 6: Discipline for Noncompliance
“Fair,” “equitable,” and “consistent” are the watchwords for enforcing the code of conduct and the policies and procedures. The place to start with enforcement is back at the beginning, with the code of conduct and the policies and procedures.
The organization’s compliance and ethics program should be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct. Holding staff accountable with effective discipline and enforcement is essential for maintaining a strong culture of compliance, and incentives display the organization’s commitment to promoting compliance. Insufficient or inconsistent discipline and incentives can signal a culture that does not prioritize compliance. A policy on enforcement should include five main points:
- Noncompliance will be punished
- Failure to report noncompliance will be punished
- An outline of disciplinary procedures
- The parties responsible for appropriate action
- A promise that discipline will be fair and consistent
It is important to emphasize that “sins of omission” as well as “sins of commission” will be subject to discipline. Failure to detect or report an offense is a serious act of noncompliance and equally as deserving of discipline as the actual misconduct. Compliance and ethics is an active, ongoing process that is everyone’s responsibility.
In this area, you are well advised to consult closely with the organization’s human resources department. There are no doubt disciplinary policies and procedures already in place with which you will need to be consistent, and which can serve as a model. One important piece of advice your human resources colleagues will probably give you is that you cannot discipline without having properly informed all employees of the rules. Although stated earlier, it is worth repeating that the policies and procedures must be clear, and they must be appropriately communicated to all employees. It is much more difficult to penalize someone for violating a policy they did not know about. Therefore, the first steps toward enforcement are (1) distributing standards of conduct and policies and procedures and (2) educating staff about them, including the consequences of noncompliance.
Written standards of conduct should address the procedures for handling disciplinary problems and those who will be responsible for taking appropriate action. Intentional or reckless noncompliance is to be disciplined with “significant sanctions,” which can range from oral warnings to suspension, privilege revocation (subject to any applicable peer review procedures), termination, or financial penalties as appropriate. Many organizations use progressive discipline. As the name implies, this is a multistep process where the penalties become increasingly more severe. Progressive discipline can aid in assignment of discipline that is appropriate to the severity of the infraction.
The first step in this process should be a supervisor’s conference. The goal of the supervisor’s conference is securing the employee’s understanding of the problem and a commitment to correcting the inappropriate behavior. Depending on the situation, the next step might be a conference with a higher level of authority, or it could be a written warning. The written warning is the more severe next step. It emphasizes the seriousness of the situation and stresses the urgency of modified behavior. It also should outline that the employee will face further disciplinary action, up to and including termination, if the behavior continues. Subsequent steps might include suspension without pay or imposition of a probationary period where the employee is advised to correct the behavior within a certain time period, say 30 days, or face termination. The final step is termination, once all other options have been exhausted. The severity of the infraction will determine the steps. Certainly, any step beyond the basic supervisor’s conference should involve the human resources department. Proper and thorough documentation will be essential.
A typical disciplinary action chain (steps may be repeated more than once or skipped depending on level and intentionality of offense):
- Verbal warning
- Written warning
- Suspension
- Fine(s)
- Termination
Discipline should be commensurate with the offense. There are offenses, such as blatant acts of fraud, that warrant immediate termination, but most infractions will be relatively minor and most likely unintentional. These may best be handled with education or additional training. Education should never be labeled as punishment. When put in a positive and supportive context, it can effectively correct noncompliant behavior. Be sure your policies and procedures include remedial steps such as additional training.
Enforcement is not just about discipline, of course. Effective compliance programs leverage incentives to promote employee compliance. Goals and objectives for individuals and departments can include specific references to compliance. Achievement of those goals, especially when celebrated, is a positive reinforcement that encourages support for and enforcement of the compliance and ethics program. Performance appraisals need not focus solely on issues of noncompliance. They can, for example, note favorable or improved audit or review outcomes, participation in risk remediation, active promotion of the compliance and ethics program, etc. Your compliance and ethics program can be better enforced if you also find ways to reinforce with positive feedback. Additionally, effective compliance incentives signal to both employees and regulators that the organization prioritizes compliance and ethics.
Element 7: Investigation and Remediation
If there is ever a reason to believe that misconduct or wrongdoing has actually occurred, the organization must respond appropriately and promptly. Failure to respond or a delayed response can have serious consequences.
Violations of the compliance and ethics program and other types of misconduct threaten an organization’s status as reliable, honest, and trustworthy. Detected but uncorrected misconduct can seriously endanger the mission, reputation, and legal status of the organization. Ignoring a legitimate report of wrongdoing will also alienate employees, especially the person who reported the problem, and hence encourage qui tam action. Cover-ups usually cause more problems than they solve. In the event of misconduct, face the problem quickly and fix it. However daunting it may feel to be faced with the possibility of misconduct, remember that one of the goals of a compliance and ethics program is detection. Having found a problem is an indication your program is working.
If the issue is serious or systemic, the first logical step is to meet with your in-house or external legal counsel. Together you can determine how serious the misconduct or wrongdoing is and develop an appropriate plan of action. An investigation should be conducted any time a potential violation is identified. Therefore, your plan of action will likely begin with a thorough internal investigation. Depending on the extent and seriousness of the alleged infraction, outside counsel or subject-matter experts may be needed. Your counsel will help decide whether the investigation should be handled under the attorney-client privilege, where disclosure, communications, and most documents can be kept in confidence. While an internal investigation is the first step, immediately take the necessary steps to stop or modify the procedures that are the alleged source of wrongdoing.
The internal investigation must be handled carefully and documented meticulously. When choosing an investigative team, look for those knowledgeable about the area in question but also capable of being objective. The compliance officer obviously should be a part of the team, but to emphasize commitment, participation by a member of the senior staff is desirable when possible. If outside consultants are used, the compliance officer still must be represented on the team. Handing the problem off to someone else is not a solution. Outside consultants will need to be directed, overseen, and evaluated just as closely as an internal investigation team, if not more so. The team should meet together as a group in the beginning to delineate the problem, decide on an approach or strategy, and get the guidance and support of senior management. All will need to be instructed on the timeline of the investigation, the process to be used, and the need for documentation. At minimum, the team should meet together again as a group at the end of the investigative process to discuss findings and plan the final report. Time is of the essence. The government calls for prompt reporting of misconduct to the appropriate governmental authority within a reasonable period.
As noted above, detailed documentation is critical. If it should become necessary to defend the organization in a criminal or civil trial, a clear paper trail will make the process much easier. Thorough documentation will include the following:
- A description of the potential misconduct and how it was reported
- A description of the investigative process
- List of relevant documents reviewed
- List of employees interviewed
- Employee interview questions and notes
- A root cause analysis
- Changes to policies and procedures, if appropriate
- Documentation of any disciplinary actions
- Investigation final report with management’s corrective action plan
The final report and any attached documentation are sensitive materials and should be distributed in limited quantities.
Ongoing Program Improvement
Appropriate compliance and ethics program improvements should be designed to reduce any identified risks or compliance violations. Continual improvements and changes must be made as the compliance and ethics program matures. If you have identified additional risks, issues, or violations, it is required that you improve whatever part of your compliance and ethics program “failed” or fell short. You will need to (1) address the issue or violation consistently within your program policies and procedures and (2) ensure that this particular risk, issue, or violation will not occur in the future and, if it does, implement a control to catch such an issue or violation early and immediately, if at all possible. This may mean a new policy or procedure. It may mean a new control or new audit criteria. It may mean additional compliance and ethics training. You will be required, as part of addressing the risk, issue, or violation, to revamp your program to address the finding.
In addition, a compliance and ethics program is never static. The degree of required program improvement will be determined by the maturity of your compliance and ethics program. If you have come into an organization with no compliance and ethics program, your program will be changing dramatically for years to come. Resources will play a role, as well as the attitudes of the governing members of your organization. Diligence in establishing the essential elements will be your driving force for much of the beginning of your effort. However, once your program touches all the essential elements, there will always be improvements that can be made to each element. Chapters 3, 4, and many of the key risk area articles found in Chapter 5 can help you fine-tune your program. Remember, forward momentum is always something you want to be able to show the government if they ever require proof of your program.