Part 2: Why Strong Internal Compliance Programs Are Good Business
In our first look at internal compliance programs, we talked about their importance, given today's increasing government enforcement initiatives and robust whistleblower environment. We discussed how having a compliance program in place can help companies mitigate risk and have mechanisms in place to help identify issues and potential problems within the organization and fix them before a whistleblower brings legal action or government enforcement is initiated.
Building a compliance program from the ground up can be a significant and sometimes seemingly overwhelming undertaking. However, an important place to start is with a risk assessment to determine where your business may have the most policy gaps, compliance failure risk or need for improvements. A risk assessment can be conducted at the enterprise level of the business or at a particular product, function or divisional level.
Most companies find that just as "Rome was not built in a day," neither is a robust compliance program. Management commitment to developing the program, conducting appropriate risk assessment(s) and committing to continuous compliance program improvement is a common formula.
Internal compliance programs can range in size, scope and complexity depending on a number of factors, including the size of the business or organization, complexity of the laws and regulations applicable to that business or organization and expectations of external regulators. However, there are some basic components that are typically included in a corporate compliance program.
Chief Compliance Officer
Many companies appoint a chief compliance officer (CCO) or equivalent to oversee the internal compliance program. Compliance oversight should include responsibility and accountability for overseeing all of the organization's compliance activity. The CCO may report to the chief executive, a general counsel and/or a board of directors. That CCO may have a staff of employees, as well as external experts, who work with the company or organization to implement the compliance program.
Code of Conduct
Many organizations have a code of conduct, which provides the overarching framework, philosophy and expectations of how that organization will conduct its business and what it expects of its employees.
Policies and Procedures
There should be a comprehensive set of policies and procedures in place across the various business functions, which are detailed and based on the principles of the code of conduct.
Communication and Training
Appropriate communication of and training for employees and contractors on the code of conduct and the policies and procedures are also key components of an effective compliance program. Length of retention of records of communication and training should be evaluated.
Compliance Hotline and Reporting Mechanisms
Having a reporting mechanism that employees or external parties can use to report concerns to the company can be very useful. Receiving such reports can alert the company to a potential legal or regulatory violation and, in some instances, provide the company with an opportunity to remedy or address a situation before it escalates. Some companies provide a 24-7 hotline number operated by a third-party vendor that allows for anonymous reporting, should the reporter desire anonymity.
Employee Background Screening
In many businesses or in certain work areas of a business, conducting background screening of employees can be a vital part of a compliance program. It is important to understand what kind of background screening and questions are legally appropriate and which are not.
Investigation of Compliance Reports
Reports or allegations of misconduct should be thoroughly and promptly investigated. It is important to have a standard process for investigation, using the appropriate personnel from inside and outside the company or organization.
Monitoring and Auditing
Regular monitoring and/or auditing to determine compliance with and adherence to policies and procedures is important for knowing how well the internal compliance program is working – or whether there are gaps.
If it is determined that a company policy or a law has been violated, then appropriate remediation will need to be evaluated. In some cases, employee discipline or consequences will need to be determined and implemented.
Of course, there will be costs associated with starting or enhancing an existing compliance program. However, it is the experience of many companies that from a cost/benefit standpoint, investing in compliance makes good business sense.
If you have any questions or need additional information, please contact Myra Selby at (317) 236-5903 or firstname.lastname@example.org or Lu Carole West at (317) 236-2277 or email@example.com or any member of the Ice Miller Government Enforcement, Investigations and Corporate Compliance Practice.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.