An Effective Compliance Program
Deloitte has published a short piece as part of their CFO Insights, Compliance programs: What separates “good enough” from “great”? (They are talking about a combined ethics and compliance program.)
It’s a decent read; good enough to spark a conversation on the topic.
I believe this is a topic relevant to those responsible for governance, in executive management, as well as those in risk, compliance, assurance, and information security roles.
The introduction is excellent:
The U.S. Federal Sentencing Guidelines and, more recently, promulgations by the Organisation for Economic Co-operation and Development (OECD) Good Practice Guidance have called for companies to develop effective compliance risk mitigation programs and safeguards to protect against internal and external threats of corruption and fraud. Yet, despite decades of experience in developing such practices, the results appear to remain uneven at best, which is especially concerning at a time when risks are increasing.
Consider the stunning growth of social media, mobile technologies, and big data, for example, which has ushered in a new era of transparency, exposing illegal transactions and raising profound new ethical questions about the way business is conducted. Ethics and compliance executives may have come a long way in developing sophisticated measures to prevent, detect, and mitigate risk of malfeasance. But given that those who wish to violate the rule of law are using more sophisticated tactics, “good enough” in compliance is just not good enough today.
But then Deloitte falls back on what I consider an over-simplification of the issue. They identify five areas where a great compliance and ethics program can be distinguished from one that is just “good”:
- Tone at the Top
- Corporate Culture
- Risk Assessments
- Testing and Monitoring
- Chief Ethics and Compliance Officer
The points they make are good mother-and-apple-pie comments. But do they add anything for a CFO or other executive? I doubt it.
I doubt many executives are familiar with the requirements of the U.S. Federal Sentencing Guidelines[i] that Deloitte references in the first sentence of its publication. Here is the key section, which Deloitte should (in my opinion) have considered referencing.
The highlights are by me.
8B2.1. Effective Compliance and Ethics Program
(a) To have an effective compliance and ethics program, for purposes of subsection (f) of §8C2.5 (Culpability Score) and subsection (b)(1) of §8D1.4 (Recommended Conditions of Probation – Organizations), an organization shall—
- exercise due diligence to prevent and detect criminal conduct; and
- otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.
Such compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct. The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct.
(b) Due diligence and the promotion of an organizational culture that encourages ethical conduct and a commitment to compliance with the law within the meaning of subsection (a) minimally require the following:
- The organization shall establish standards and procedures to prevent and detect criminal conduct.
- (A) The organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.
  (B) High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline. Specific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program.
  (C) Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.
- The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.
- (A) The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subparagraph (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.
  (B) The individuals referred to in subparagraph (A) are the members of the governing authority, high-level personnel, substantial authority personnel, the organization’s employees, and, as appropriate, the organization’s agents.
- The organization shall take reasonable steps—
  (A) to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct;
  (B) to evaluate periodically the effectiveness of the organization’s compliance and ethics program; and
  (C) to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.
- The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.
- After criminal conduct has been detected, the organization shall take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar criminal conduct, including making any necessary modifications to the organization’s compliance and ethics program.
(c) In implementing subsection (b), the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement set forth in subsection (b) to reduce the risk of criminal conduct identified through this process.
The Commentary that follows this text has some interesting language, including:
“Standards and procedures” means standards of conduct and internal controls that are reasonably capable of reducing the likelihood of criminal conduct.
To meet the requirements of subsection (c), an organization shall:
(A) Assess periodically the risk that criminal conduct will occur, including assessing the following:
  (i) The nature and seriousness of such criminal conduct.
  (ii) The likelihood that certain criminal conduct may occur because of the nature of the organization’s business. If, because of the nature of an organization’s business, there is a substantial risk that certain types of criminal conduct may occur, the organization shall take reasonable steps to prevent and detect that type of criminal conduct. For example, an organization that, due to the nature of its business, employs sales personnel who have flexibility to set prices shall establish standards and procedures designed to prevent and detect price-fixing. An organization that, due to the nature of its business, employs sales personnel who have flexibility to represent the material characteristics of a product shall establish standards and procedures designed to prevent and detect fraud.
  (iii) The prior history of the organization. The prior history of an organization may indicate types of criminal conduct that it shall take actions to prevent and detect.
The Background section, which ends this part of the Guidelines, closes with this:
The requirements set forth in this guideline are intended to achieve reasonable prevention and detection of criminal conduct for which the organization would be vicariously liable. The prior diligence of an organization in seeking to prevent and detect criminal conduct has a direct bearing on the appropriate penalties and probation terms for the organization if it is convicted and sentenced for a criminal offense.
I believe the guidance that the compliance program be risk-based is an essential element.
Every CFO – every senior executive and board member of an organization potentially subject to prosecution under U.S. law – should understand that a risk-based approach that leads to reasonable prevention and detection of criminal conduct provides a significant level of protection to the organization, to say nothing of the personal liability they might face.
What do you think?
I welcome your comments.
[i] As a reminder, the U.S. Federal Sentencing Guidelines are used by U.S. Federal judges in determining sentences for individuals or organizations convicted of federal crimes.