An Effective Compliance Program

Deloitte has published a short piece as part of their CFO Insights, Compliance programs: What separates “good enough” from “great”? (They are talking about a combined ethics and compliance program.)

It’s a decent read; good enough to spark a conversation on the topic.

I believe this is a topic relevant to those responsible for governance, in executive management, as well as those in risk, compliance, assurance, and information security roles.

The introduction is excellent:

The U.S. Federal Sentencing Guidelines and, more recently, promulgations by the Organisation for Economic Co-operation and Development (OECD) Good Practice Guidance have called for companies to develop effective compliance risk mitigation programs and safeguards to protect against internal and external threats of corruption and fraud. Yet, despite decades of experience in developing such practices, the results appear to remain uneven at best, which is especially concerning at a time when risks are increasing.

Consider the stunning growth of social media, mobile technologies, and big data, for example, which has ushered in a new era of transparency, exposing illegal transactions and raising profound new ethical questions about the way business is conducted. Ethics and compliance executives may have come a long way in developing sophisticated measures to prevent, detect, and mitigate risk of malfeasance. But given that those who wish to violate the rule of law are using more sophisticated tactics, “good enough” in compliance is just not good enough today.

But then Deloitte falls back on what I consider an over-simplification of the issue. They identify five areas where a great compliance and ethics program can be distinguished from one that is merely “good”:

  1. Tone at the Top
  2. Corporate Culture
  3. Risk Assessments
  4. Testing and Monitoring
  5. Chief Ethics and Compliance Officer

The points they make are good mother-and-apple-pie comments. But do they add anything for a CFO or other executive? I doubt it.

I doubt many executives are familiar with the requirements of the U.S. Federal Sentencing Guidelines[i] that Deloitte references in the first sentence of its publication. Here is the key section, which Deloitte should (in my opinion) have considered referencing.

The highlights are by me.

8B2.1. Effective Compliance and Ethics Program

(a) To have an effective compliance and ethics program, for purposes of subsection (f) of §8C2.5 (Culpability Score) and subsection (b)(1) of §8D1.4 (Recommended Conditions of Probation – Organizations), an organization shall—

  1. exercise due diligence to prevent and detect criminal conduct; and
  2. otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

Such compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct. The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct.

(b) Due diligence and the promotion of an organizational culture that encourages ethical conduct and a commitment to compliance with the law within the meaning of subsection (a) minimally require the following:

  1. The organization shall establish standards and procedures to prevent and detect criminal conduct.
  2. (A) The organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.

     (B) High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline. Specific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program.

     (C) Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.

  3. The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.
  4. (A) The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subparagraph (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.

     (B) The individuals referred to in subparagraph (A) are the members of the governing authority, high-level personnel, substantial authority personnel, the organization’s employees, and, as appropriate, the organization’s agents.

  5. The organization shall take reasonable steps

     (A) to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct;

     (B) to evaluate periodically the effectiveness of the organization’s compliance and ethics program; and

     (C) to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.

  6. The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.
  7. After criminal conduct has been detected, the organization shall take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar criminal conduct, including making any necessary modifications to the organization’s compliance and ethics program.

(c) In implementing subsection (b), the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement set forth in subsection (b) to reduce the risk of criminal conduct identified through this process.

The Commentary that follows this text has some interesting language, including:

“Standards and procedures” means standards of conduct and internal controls that are reasonably capable of reducing the likelihood of criminal conduct.

To meet the requirements of subsection (c), an organization shall:

(A) Assess periodically the risk that criminal conduct will occur, including assessing the following:

(i) The nature and seriousness of such criminal conduct.

(ii) The likelihood that certain criminal conduct may occur because of the nature of the organization’s business. If, because of the nature of an organization’s business, there is a substantial risk that certain types of criminal conduct may occur, the organization shall take reasonable steps to prevent and detect that type of criminal conduct. For example, an organization that, due to the nature of its business, employs sales personnel who have flexibility to set prices shall establish standards and procedures designed to prevent and detect price-fixing. An organization that, due to the nature of its business, employs sales personnel who have flexibility to represent the material characteristics of a product shall establish standards and procedures designed to prevent and detect fraud.

(iii) The prior history of the organization. The prior history of an organization may indicate types of criminal conduct that it shall take actions to prevent and detect.

The Background section, which closes this part of the Guidelines, ends with this:

The requirements set forth in this guideline are intended to achieve reasonable prevention and detection of criminal conduct for which the organization would be vicariously liable. The prior diligence of an organization in seeking to prevent and detect criminal conduct has a direct bearing on the appropriate penalties and probation terms for the organization if it is convicted and sentenced for a criminal offense.

I believe the guidance that the compliance program be risk-based is an essential element.

Every CFO – every senior executive and board member of an organization potentially subject to prosecution under U.S. law – should understand that a risk-based approach that leads to reasonable prevention and detection of criminal conduct provides a significant level of protection to the organization, not to mention protection against any personal liability they might have.

What do you think?

I welcome your comments.

[i] As a reminder, the U.S. Federal Sentencing Guidelines are used by U.S. Federal judges in determining sentences for individuals or organizations convicted of federal crimes.

  1. September 1, 2014 at 7:16 AM

    Management, with the advice of legal and compliance, has done the basic five noted by Deloitte. Doing more of these won’t improve things. I believe the real “meat” left on this is in the middle of the organization. Despite having an anonymous compliance line, employees are still frightened by the prospect of retaliation. And with good cause. I can’t tell you how many times I’ve seen a member of the investigation team more interested in determining the identity of the caller instead of working to get to the truth of the allegation. To get to great, we have to understand all of the cultural drivers in our company and develop a plan that works with and around that. Executive management understands the risk. They live with it every day. Bringing up sentencing guidelines can help, but those are still too generic for practical application.

  2. Cameron
    September 1, 2014 at 7:29 PM

    The international standard ISO 19600 Compliance Management Systems is close to finalisation and draws heavily on the Australian Standard AS 3806 Compliance Programs that was originally developed in 1998 as a result of a request from and with input by regulators. This provides real guidance rather than motherhood statements.

    The Compliance Standard is intended to consist of over-arching guidelines on what companies could and should do, in order to respect ever-increasing compliance obligations, irrespective of how they originate. Companies will be able to use the Standard to benchmark their framework against international best practice. This benchmarking will provide assurance that, in the event of an isolated case of non-compliance, the program could be used to mitigate any potential penalties handed down by regulators or the courts.

    ISO 19600 draws heavily on the Australian and New Zealand model. There is a greater emphasis on the risk-based approach to compliance. There is also recognition of the role of the three lines of defence. In the ISO standard, there is a real emphasis on ensuring business takes responsibility for their role in the compliance framework.

    http://www.compliance.org.au/news/view/1961
    http://www.esv.info/download/zeitschriften/BUCO/leseprobe_2.pdf

  3. September 3, 2014 at 10:19 PM

    For an example of the way in which Broadleaf used a risk management process, aligned with ISO 31000, to review a company’s risks associated with its code of conduct (and things like the UK Bribery Act, US FCPA and so on), please see http://broadleaf.com.au/work/business-ethics-stress-testing-with-risk-management/.

  4. John Beckett
    September 8, 2014 at 6:44 AM

    A brief comment. For a multinational company a great deal of attention has to be focused on making sure that all offices, in all countries, understand what needs to be done. I have seen employees comment that while it might not be ok in the US it is in their country so they would consider doing a questionable action. The message needs to be well publicised throughout the organization to protect one and all.

  5. September 8, 2014 at 4:53 PM

    An important outcome that emerged from our work was that communicating a message by itself is not sufficient. Additional controls are needed, and those controls must be suitable for the local environment. What works in places like the US, UK or Australia may not be sufficient in countries with different customs, regulations and business environments.
