Difference between revisions of "Corporate Compliance Programs - Top Elements"

From Knowledge base
(Levels of Standards and Controls)
 
(8 intermediate revisions by one user not shown)
Line 7: Line 7:
 
* Board of Directors
 
* Board of Directors
  
The Board of Directors has a key role to fulfill. The Board must ensure compliance policies, systems and procedures are in place and it should monitor implementation and effectiveness of the compliance program.  The Board should receive periodic compliance briefings.
+
The Board of Directors has a key role to fulfill. The Board must ensure compliance policies, systems and procedures are in place and it should monitor implementation and effectiveness of the compliance program.  The Board should receive periodic compliance briefings. 1. Top-Level, Top Down management which is committed to ethical conduct, compliance with all laws and foster a culture of ethical conduct and compliance. 
  
 
* Ethics Committee and/or Audit Committee
 
* Ethics Committee and/or Audit Committee
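Review bot: the added sentence "1. Top-Level, Top Down management which is committed to ethical conduct, compliance with all laws and foster a culture of ethical conduct and compliance." is appended to the end of the Board of Directors paragraph on the same line, so it renders as a run-on rather than as the first item of a list; move it to its own line, and change "foster" to "fosters" so it agrees with "management which is committed".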
Line 44: Line 44:
 
====Levels of Standards and Controls====
 
====Levels of Standards and Controls====
  
* (1) Code of Conduct. Every company should have a Code of Conduct which should express its ethical principles. However, a Code of Conduct is not enough.  
+
=====(1) Code of Conduct=====
 +
Every company should have a Code of Conduct which should express its ethical principles. However, a Code of Conduct is not enough.  
  
*(2) Standards and Policies. Every company should have standards and policies in place that build upon the foundation of the Code of Conduct and articulate Code-based policies, which should cover such issues as bribery, corruption and accounting practices.  
+
=====(2) Standards and Policies=====
 +
Every company should have standards and policies in place that build upon the foundation of the Code of Conduct and articulate Code-based policies, which should cover such issues as bribery, corruption and accounting practices.  
  
*(3) Procedures. Every Company should then ensure that enabling procedures are implemented to confirm those policies are implemented, followed and enforced.
+
=====(3) Procedures=====
 +
Every Company should then ensure that enabling procedures are implemented to confirm those policies are implemented, followed and enforced.
  
  
Line 55: Line 58:
 
===4. Training ===
 
===4. Training ===
  
Another pillar of a strong compliance program is properly training company officers, employees and third parties on relevant laws, regulations, corporate policies and prohibited conduct. Simply conducting training usually is not enough. Enforcement officials want to be certain the messages in the training actually get through to employees. The Department of Justice's (DOJ) expectations of effectiveness are measured by who a company trains, how the training is conducted and how often training occurs.
+
A strong compliance program trains  company officers, employees and third parties on relevant laws, regulations, corporate policies and prohibited conduct.  
  
There are several key elements to training. First is that you need to train the right people. You must prioritize which audience to educate by starting your training program in higher risk markets and focus on directors, officers and sales employees who may have direct contact with government officials or deal with state-owned entities. Again, focus initially on training country managers in your company's high-risk markets, then expand geographically and through the ranks of employees.
+
====Measures====
  
Second, in high risk markets and for high risk employees or third parties you should conduct live, annual training. Enforcement officials have made it clear that live, in-person training is the preferred method in high-risk markets and also that it should be regular and frequent. Another benefit of live training is the immediate feedback from employees that would be much less likely to occur during a webinar or other remote training. Lastly, during live training, employees are more likely to make casual mention of a potentially risky practice, giving you the opportunity to address it before it becomes a larger problem.
+
*Who is trained?
  
It is important that you pay attention to what employees say during training. This is because training can alert you to potential problems based on the type of questions employees ask and their level of receptiveness to certain concepts. For example, during training employees might ask specific questions about important compliance considerations such as their interactions with government officials or gift-giving practices. Such questions can raise red flags and uncover issues that should be reviewed and addressed quickly.
+
*How is the training conducted?
 +
 
 +
* How often?
  
 
===5. Oversight - including monitoring, auditing and responses===
 
===5. Oversight - including monitoring, auditing and responses===
  
The issue your company should focus on here is whether employees are staying with the compliance program. Even after all the important ethical messages from management have been communicated to the appropriate audiences and key standards and controls are in place, there should still be a question of whether the company's employees are adhering to the compliance program. These ongoing efforts demonstrate your company is serious about compliance.
+
====Monitoring====
 +
A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis.
 +
 
 +
====Auditing====
 +
Auditing is a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records.
 +
 
 +
====Remediating and Correcting====
 +
 
 +
What are your remediation efforts? Your company should remediate problems quickly. A key concept behind the oversight element of compliance is that if a company is policing itself on compliance-related issues, the government will not have to do it for them. Remediation, then, is an important component of oversight. It is not enough to just gather information and identify compliance problems through monitoring and auditing. To fulfill this essential element of compliance, you also have to respond and fix the problems.
 +
 
 +
==Ethics and Compliance Program Principles==
 +
 
 +
1. Continual oversight
 +
2. Establishment and maintenance of Code of Business Conduct (CoBC) and Corporate Framework (CF).
 +
3. Establishment and maintenance of procedures that are proportionate to the compliance risks, the extent of its involvement in certain areas of compliance risk (bribery, USG contracting), size of the Group, and nature, scale and complexity of the Group.
 +
4. Periodic, informed and documented assessment of exposure to criminal conduct by Group employees and, where appropriate, its suppliers, partners, and other third parties, with appropriate steps to design, implement or modify business ethics awareness,  compliance program and internal control system to reduce the risk of criminal conduct.
 +
5. Performance of appropriate due diligence on employees, including potential employees, or third parties who will perform services for or on behalf of the Group to mitigate risks of compliance with criminal laws and to ensure persons who have engaged in illegal activities, unethical misconduct, or conduct in conflict with the CoBC and CF  are not promoted or hired to positions of management or other substantial authority
 +
6. Periodic and practical communications of, and training on, the Group’s ethical standards, policies, procedures and ethics program, to employees and, as appropriate suppliers, partners and other third parties to ensure that the standards, policies and procedures are embedded and understood
 +
7. Monitoring and auditing of business practices, policies, and internal controls for compliance with the CoBC and CF and to prevent criminal conduct
 +
8. Periodic evaluation of the program’s effectiveness
 +
9. Establishment, maintenance and continued publicized system of an internal reporting mechanism by which employees may report suspected instances of improper conduct and which encourages employees to make such reports.
 +
10. Promoting or enforcing the program through incentives and disciplinary actions for improper and criminal conduct or failing to take reasonable steps to prevent or detect improper or criminal conduct.
 +
11. Timely response to and disclosure of criminal conduct where appropriate/credible evidence exists.
 +
 
 +
==Compliance Program Plan==
 +
 
 +
Strategic
 +
• Establish annual USG Compliance Program Plan for management review and agreement
 +
• Establish Policy on Policies
 +
• Review existing policies and identify new policies (ie., Do we need a policy on a Contract Management System)
 +
• Establish annual Compliance Workshop
 +
o Institute and define this annual workshop/training
 +
• Enhance existing training plan, identifying SAI training, and other supplemental training needed.
 +
• Quarterly updates distributed no longer than 30 days after the end of a quarter
 +
• Revisit Leadership Team Charter and team members, making sure the proper people are attending, and meeting the objectives or re-defining objectives.  Consider having a Compliance Communication/Group Discussion team in addition to the leadership team, or the need and success of a leadership team.
 +
• Establish USG Compliance assessment program
 +
• Institutionalize the USG Compliance “How To” and Guidance Manual
  
Monitoring is a commitment to reviewing and detecting compliance programs in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. While unique in protocol, however, the two functions are related and can operate in tandem.
+
Tactical
 +
• Site Visits 
 +
• Proactive in resolving DCAA open items and issues 
 +
• Responding to BU requests for assistance, guidance, or advice on a timely basis
 +
The USG Compliance Program success is contingent upon:
 +
• Buy in from Management
 +
• Active participation, collaboration, and resources
 +
• Appropriate Budget for Compliance Workshop
 +
• Budget for travel
 +
• Other priorities not taking precedent
  
Finally, what are your remediation efforts? Your company should remediate problems quickly. A key concept behind the oversight element of compliance is that if a company is policing itself on compliance-related issues, the government will not have to do it for them. Remediation, then, is an important component of oversight. It is not enough to just gather information and identify compliance problems through monitoring and auditing. To fulfill this essential element of compliance, you also have to respond and fix the problems.
 
  
I have found that the Baker 'Five Essentials' approach is an excellent way to think through your obligations under a wide variety of anti-corruption and anti-bribery requirements. It allows you to put in place a program which should meet virtually any legal requirements you may come up against by doing business anywhere in the world. Lastly, the five-step approach is an excellent way for you to benchmark your current compliance program.
 
  
[[Category:Governance & Compliance]]
+
[[Category:Corporate Governance and Compliance]]
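Review bot: the new "Measures" bullets (Who is trained?, How is the training conducted?, How often?) are left as bare questions while the removed paragraphs contained the answers: prioritize high-risk markets and the directors, officers and sales employees who deal with government officials or state-owned entities; hold live, annual, in-person training for high-risk audiences; and attend to the questions employees raise during sessions as an early-warning signal. Consider carrying that guidance under each bullet rather than dropping it. Likewise, the new "Monitoring" and "Auditing" sections drop the removed caveat that conducting audits is not the same as monitoring and that a robust program keeps the two as separate but related functions; that distinction is worth keeping.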

Latest revision as of 12:56, 17 February 2021

Top 5 Elements of an Effective Compliance Program

1. Leadership

Tone at the Top

  • Board of Directors

The Board of Directors has a key role to fulfill. The Board must ensure compliance policies, systems and procedures are in place, and it should monitor the implementation and effectiveness of the compliance program. The Board should receive periodic compliance briefings.

1. Top-level, top-down management that is committed to ethical conduct and compliance with all laws and fosters a culture of ethical conduct and compliance.

  • Ethics Committee and/or Audit Committee
  • Group Executive
  • Senior Management

Transparent and Active Commitment

Key Individual Roles

  • Chief Compliance Officer

Authority??

  • General Counsel

2. Risk Assessment

A risk assessment is designed to provide a big picture of your overall compliance obligations and then identify areas of high risk so that you can prioritize your resources to tackle these high risk areas first.

Risk Areas:

  • Regulation Risk
  • Business Opportunity Risk
  • Pricing
  • Transaction/Accounting Risk

Risk assessments should be a regular, systemic part of compliance efforts rather than an occasional, ad hoc exercise. They should be performed periodically throughout the year, by a group drawn from functions such as Accounting and Finance, Internal Audit, Contracts, and Risk Management. The outcome of the risk assessment establishes the "Program Plan" for the upcoming period for the compliance and internal audit departments.

3. Standards and Controls

Levels of Standards and Controls

(1) Code of Conduct

Every company should have a Code of Conduct which should express its ethical principles. However, a Code of Conduct is not enough.

(2) Standards and Policies

Every company should have standards and policies in place that build upon the foundation of the Code of Conduct and articulate Code-based policies, which should cover such issues as bribery, corruption and accounting practices.

(3) Procedures

Every company should then ensure that enabling procedures are implemented to confirm those policies are implemented, followed and enforced.


Note: FCPA compliance best practices now require companies to have additional standards and controls, including, for example, detailed due diligence protocols for screening third-party business partners for criminal backgrounds, financial stability and improper associations with government agencies. Ultimately, the purpose of establishing effective standards and controls is to demonstrate that your compliance program is more than just words on a piece of paper.

4. Training

A strong compliance program trains company officers, employees and third parties on relevant laws, regulations, corporate policies and prohibited conduct.

Measures

  • Who is trained?
  • How is the training conducted?
  • How often?

5. Oversight - including monitoring, auditing and responses

Monitoring

A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis.

Auditing

Auditing is a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records.

Remediating and Correcting

What are your remediation efforts? Your company should remediate problems quickly. A key concept behind the oversight element of compliance is that if a company is policing itself on compliance-related issues, the government will not have to do it for them. Remediation, then, is an important component of oversight. It is not enough to just gather information and identify compliance problems through monitoring and auditing. To fulfill this essential element of compliance, you also have to respond and fix the problems.

Ethics and Compliance Program Principles

1. Continual oversight.
2. Establishment and maintenance of a Code of Business Conduct (CoBC) and Corporate Framework (CF).
3. Establishment and maintenance of procedures that are proportionate to the compliance risks, the extent of the Group’s involvement in certain areas of compliance risk (bribery, USG contracting), the size of the Group, and the nature, scale and complexity of the Group.
4. Periodic, informed and documented assessment of exposure to criminal conduct by Group employees and, where appropriate, its suppliers, partners and other third parties, with appropriate steps to design, implement or modify business ethics awareness, the compliance program and the internal control system to reduce the risk of criminal conduct.
5. Performance of appropriate due diligence on employees, including potential employees, and on third parties who will perform services for or on behalf of the Group, to mitigate the risk of non-compliance with criminal laws and to ensure that persons who have engaged in illegal activities, unethical misconduct, or conduct in conflict with the CoBC and CF are not promoted or hired into positions of management or other substantial authority.
6. Periodic and practical communication of, and training on, the Group’s ethical standards, policies, procedures and ethics program to employees and, as appropriate, suppliers, partners and other third parties, to ensure that the standards, policies and procedures are embedded and understood.
7. Monitoring and auditing of business practices, policies and internal controls for compliance with the CoBC and CF and to prevent criminal conduct.
8. Periodic evaluation of the program’s effectiveness.
9. Establishment, maintenance and continued publicizing of an internal reporting mechanism by which employees may report suspected instances of improper conduct, and which encourages employees to make such reports.
10. Promoting and enforcing the program through incentives, and through disciplinary action for improper or criminal conduct or for failing to take reasonable steps to prevent or detect improper or criminal conduct.
11. Timely response to, and disclosure of, criminal conduct where appropriate/credible evidence exists.

Compliance Program Plan

Strategic

  • Establish an annual USG Compliance Program Plan for management review and agreement
  • Establish a Policy on Policies
  • Review existing policies and identify new policies (i.e., do we need a policy on a Contract Management System?)
  • Establish an annual Compliance Workshop
      ◦ Institute and define this annual workshop/training
  • Enhance the existing training plan, identifying SAI training and other supplemental training needed
  • Quarterly updates distributed no later than 30 days after the end of a quarter
  • Revisit the Leadership Team Charter and team members, making sure the proper people are attending and meeting the objectives, or re-defining the objectives. Consider having a Compliance Communication/Group Discussion team in addition to the leadership team, or reconsider the need for and success of a leadership team.
  • Establish a USG Compliance assessment program
  • Institutionalize the USG Compliance “How To” and Guidance Manual

Tactical

  • Site visits
  • Proactive resolution of DCAA open items and issues
  • Responding to BU requests for assistance, guidance or advice on a timely basis

The USG Compliance Program’s success is contingent upon:

  • Buy-in from management
  • Active participation, collaboration and resources
  • An appropriate budget for the Compliance Workshop
  • Budget for travel
  • Other priorities not taking precedence