A brief understanding of corporate compliance
Corporate compliance is the ability to lead large groups
of people toward achieving certain standards of conduct. An
organisation has a body of people somehow affiliated with one
enterprise (the “corporate” part) who must obey certain rules (the
“compliance” part).
External corporate compliance is compliance
with regulations, i.e. the laws, rules, and other regulations from a
government that spell out how an organization should conduct
itself.
For example, all publicly traded businesses must publish quarterly
financial statements; those statements must include certain
financial data, calculated according to certain financial
standards. Another example: no company can bribe officials of
foreign governments to win business; that violates the Foreign
Corrupt Practices Act (FCPA).
Internal compliance is where employees must
comply with the internal policies and procedures of the
company.
For example, the FCPA prohibits bribing foreign government
officials. So companies develop internal policies for employees
that, say, forbid paying for luxurious travel for foreign
officials, or donating to charities that those officials operate.
Then companies develop procedures for submitting expense reports to
identify any suspicious payments employees might be trying to make
anyway.
The costs of a compliance failure may result
directly from penalties, settlements, legal fees, increased
insurance costs, and management and board distraction. They may
also result from damage to corporate reputation, with its potential
impact on stock price, customer and employee retention, credit
ratings and the cost of capital. It is up to each company to
implement the compliance programme that best suits its needs and
the level of compliance risk it is willing to take.
Directors of the company are required to consider the legal and
regulatory compliance framework provided by the US Department of
Justice, and ensure that the company has appropriate
compliance-related reporting and information systems and internal
controls in place. A company and its directors, officers, employees
and shareholders always benefit from a corporate culture that
emphasises compliance.
- The US Federal Sentencing Guidelines require
organizations to develop a compliance program that can prevent,
detect, and deter employees from engaging in misconduct.
- To be considered effective, compliance programs must disclose
any wrongdoing, cooperate with the government, and accept the
responsibility for misconduct.
- Codes of ethical conduct, employee training, hotline phone
numbers, compliance officers, newsletters, brochures, monitoring
employee conduct, and an enforcement system are typical components
of a compliance program required to be established by a
company.
- The risk of severe penalties can be reduced under the
guidelines if the organization has established an effective
compliance program.
- The significance of an effective program is that companies must
exercise due diligence in seeking to prevent and detect criminal
conduct by employees.
Purpose of Federal Sentencing Guidelines
Even when an employee’s actions go against company policy, the
company can be held legally responsible, despite its best efforts
to prevent unethical behavior. This applies only when the employee
acts within the scope of employment. For example, an employee who
deals drugs while on the job is not operating within the scope of
employment, so the company would not be held liable for the
offense. However, if an employee uses the account information of
bank customers to steal money from them, the bank would be held
responsible. The most common offenses related to companies include
fraud, hazardous waste discharge, tax evasion, antitrust offenses,
and food and drug violations. Punishment for corporate offenses is
governed by Chapter 8 of the Federal Sentencing Guidelines for
Organizations.
"Principles & Practices of High-Quality Ethics and
Compliance Program" is the de facto standard for effectiveness in
compliance programme design that is being set out in Chapter 8 of
the US Federal Sentencing Guidelines.
The compliance steps from the Federal Sentencing
Guidelines include the following:
- Establish standards and procedures to prevent and detect
criminal conduct, by formulating a code of ethics or statement of
values.
- Senior management must be knowledgeable about the compliance
and ethics program as well as oversee its implementation and make
reasonable efforts to ensure its effectiveness.
- Make reasonable efforts to exclude any individual who has
committed an illegal act or engaged in other activities
inconsistent with a compliance and ethics program from substantial
authority in the organization.
- Periodically communicate the aspects of the compliance and
ethics program to its members by conducting training programs and
disseminating relevant information.
- Ensure that the program is followed by (1) monitoring and
auditing activities to detect criminal conduct, (2) periodically
evaluating its effectiveness, and (3) employing systems that allow
for anonymity or confidentiality if employees want to report
criminal conduct without fear of retaliation. A common
practice regarding this is a whistleblower hotline.
- Promote and enforce the program by offering incentives for
performance in accordance with the program and instituting
disciplinary measures for engaging in or failing to take reasonable
steps to prevent/detect criminal conduct on the part of any
employee/management.
- Respond to criminal conduct and take steps to prevent future
and similar offenses when criminal conduct has been detected.
Periodic assessment of the compliance programme by the
board or a board committee helps to ensure that the programme
continues to be fit for purpose by identifying areas for
improvement.
The focus of the board’s assessment efforts should be on the
company’s policies, systems, incentives, and resources, as well as
how senior management communicates internally about the importance
of compliance.
As per the Dept. of Justice guidelines, the following
principles are to be followed while evaluating a company's
compliance program:
- Risk Assessment - The prosecutors should
consider whether the company, while formulating its compliance
program, has analyzed and addressed the varying risks presented by
factors such as the location of its operations, the industry sector,
the competitiveness of the market, the regulatory landscape,
potential clients and business partners, transactions with foreign
governments, payments to foreign officials, use of third parties,
gifts, travel, and entertainment expenses, and charitable and
political donations.
- Policies and Procedure - Evaluators should
examine whether the company has a code of conduct that sets forth
the company’s commitment to full compliance with relevant Federal
laws and that is applicable to all company employees. Prosecutors
should also assess whether the company has established policies and
procedures that incorporate the culture of compliance into its
day-to-day operations.
- Training and Communications - Prosecutors
should assess the steps taken by the company to ensure that
policies and procedures have been integrated into the organization
through periodic training and certification for all directors,
officers, relevant employees, and, where appropriate, agents and
business partners.
- Confidential Reporting Structure and Investigation
Process - A well-designed compliance program includes
an efficient and trusted mechanism by which employees
can anonymously or confidentially report allegations of a breach of
the company’s code of conduct, company policies, or suspected or
actual misconduct. Prosecutors should assess whether the company’s
complaint-handling process includes proactive measures to create a
workplace atmosphere where complaints can be submitted to the
concerned management without fear of retaliation and whether the
company has processes in place to protect whistleblowers.
Prosecutors should also assess the company’s processes for handling
investigations of such complaints, including the routing of
complaints to proper personnel, timely completion of thorough
investigations, and appropriate follow-up and disciplinary
measures.
- Third Party Management - A well-designed
compliance program should apply risk-based due diligence to its
third-party relationships. Prosecutors should assess the extent to
which the company has an understanding of the qualifications and
associations of third-party partners, including the agents,
consultants, and distributors who are commonly used to conceal
misconduct, such as the payment of bribes to foreign officials in
international business transactions.
For example, a prosecutor should analyze whether the company has
ensured that contract terms with third parties specifically
describe the services to be performed, that the third party is
actually performing the work, and that its compensation is
commensurate with the work being provided in that industry and
geographical region.