Elements of Effective Compliance Programs
Alan S. Gutterman
_______________
§1 Introduction
In general, a compliance program can be understood to be an internal management
system that educates the officers and employees of a company about laws and regulations
relevant to the business activities of the company and establishes processes and
procedures to guide and monitor the behavior of those persons. There are no legally
mandated standards for compliance programs; however, numerous attempts have been
made to identify and define the essential elements of an effective corporate compliance
program. In the accounting world, for example, the American Institute of Certified
Public Accountants has issued a Statement on Auditing Standards (SAS No. 99, also
known as AU 316) “Consideration of Fraud in a Financial Statement Audit,” which
contains an appendix with examples of measures that companies can use to prevent,
deter, and detect fraud. The influential Federal Sentencing Guidelines for Organizational
Defendants (“Sentencing Guidelines”) established by the United States Sentencing
Commission also identify several areas that should be assessed to determine the
effectiveness of a company’s efforts to manage its ethical and compliance risks.[1]
Specific types of programs, such as those necessary for compliance with export and
import laws and regulations, will be influenced by guidelines developed by the agencies
chiefly responsible for administration and enforcement in those areas. Finally, there is a
rapidly growing body of case law, notably the Caremark case, which is helping to define
certain legal principles regarding compliance programs.[2]
Each compliance program should be tailored to the unique circumstances of the
company, including the size of the company, the level of regulation applicable to the
company’s business activities, and its past compliance history. In any case, however, the
program should be broad in its scope of application and extend beyond all officers and
employees of the company and its subsidiaries and branches to include outside
consultants, advisors, independent contractors, and business partners such as distributors,
agents, sales representatives, licensees, and joint venture partners. While there is no one
standard, the following elements are generally recognized as important to creating and
maintaining an acceptable compliance program:
• The company should prepare a set of clear and realistic goals and objectives that are
documented and monitored in an enterprise-wide annual compliance plan. The plan
should identify the major legal and regulatory risks confronting the company,
describe the scope and organization of the compliance system, and allocate
responsibility for each aspect.
[1] USSG §§ 8A1.1 et seq. For discussion, see “Legal and Regulatory Basis for Compliance Programs” in “Compliance: A Library of Resources for Sustainable Entrepreneurs” prepared and distributed by the Sustainable Entrepreneurship Project (www.seproject.org).
[2] For discussion of the Caremark case, see “Legal and Regulatory Basis for Compliance Programs” in “Compliance: A Library of Resources for Sustainable Entrepreneurs” prepared and distributed by the Sustainable Entrepreneurship Project (www.seproject.org).
• The compliance program must be formally adopted at the highest levels of the
company, preferably by the board of directors and the members of the senior
management team. In addition to formal endorsement of the program, however, the
directors and senior executives must continuously emphasize the need to establish
and maintain a culture of legal compliance throughout the company.
• The compliance plan should include a clearly defined structure and unambiguous
reporting lines that preserve independence and demonstrate senior-level commitment.
A single person should be identified as the chief compliance officer with authority to
direct the program, disseminate information, and launch investigations of suspected
violations. The chief compliance officer should be a member of the senior
management team and report independently to the audit committee of the board of
directors and to the chief executive officer.
• The company must allocate funds for sufficient staff, tools, and other resources to
create an effective compliance program. The compliance department should have its
own separate budget, and compliance personnel assigned to business units should not
be exposed to conflicts with those units with respect to availability of resources and
personnel policies.
• The board of directors should adopt a formal code of business conduct for the
company and its officers, employees, and agents; and other elements of the
compliance program should be set forth in written documents, such as policies and
procedures setting forth guidelines to be followed by company employees.
• A formal education and training program should be established for all employees
throughout the company, including personnel in foreign countries. Written materials
prepared in simple and straightforward language should be made available as training
tools for employees to explain applicable laws and regulations and the company’s
procedures in order to ensure compliance. In addition, the company should provide
training classes, training videos, discussion groups, testing, and other forms of
training interaction.
• The compliance plan should include clear procedures and restrictions regarding
delegation of authority for activities and decisions that might impact the legal
obligations of the company. For example, the authority of officers and managers to
execute certain types of contracts should be spelled out in detail.
• The compliance plan should include procedures for monitoring changes in the legal
and regulatory environment and the overall risks confronting the company in the
course of its day-to-day business operations. As changes occur, appropriate
modifications and updates should be made to the compliance program and the
company’s policies and procedures.
• Regular audits of the program should be conducted by the compliance group and, as
necessary, independent consultants to verify that personnel are complying with the
program and that appropriate records are being maintained. The audit process should
also assess the effectiveness of the compliance program and identify areas in need of
improvement. The results of each audit should be reported to the board of directors
or its audit committee with recommendations for changes to the program.
• The program must include mechanisms for enforcement through investigation and
discipline, as well as procedures to encourage employees to report possible violations
to the compliance officer without fear of retaliation. A program that is merely
announced and not enforced will not be considered effective, and will not create any
advantage for the company.
• The program should include guidelines and procedures for ensuring that the company
complies with the wide array of recordkeeping requirements imposed on United
States businesses. Plans should be developed and implemented for collecting the
necessary documents and other records, organizing them for easy access, and
retaining them for periods required under applicable laws and regulations.
If a company does not have a legal compliance program in place, or has decided to make
significant changes to its existing policies and procedures, the first step is coming up with
a set of guiding rules and principles for structuring an effective program. There is no
shortage of resources in this area, and the right plan for a particular company generally
incorporates ideas developed by commentators, other companies in the specific industry,
and regulatory agencies. In general, companies have based the structure and design of
their compliance programs on the recommendations made in the Sentencing Guidelines,
SOX and guidelines and pronouncements issued by governmental agencies that regulate
the activities of the particular business (and, thus, are more likely to be involved in an
investigation of wrongdoing by the company). In addition, the growing interest in
development of compliance programs and creation of codes of conduct has led to creation
of several websites dedicated to various aspects of business ethics, including the
materials made available by organizations such as the Center for Business Ethics, the
Corporate Executive Board, the Ethics Resource Center and the Institute for Global
Ethics.
§2 Approval of compliance plan by board of directors
The Sentencing Guidelines make it clear that an effective compliance program must
promote an organizational culture that encourages ethical conduct and a commitment to
compliance with the law. The proper cultural foundations must be established by the
“tone at the top,” which refers to the commitment of the members of the top management
to the core values underlying the compliance program. Accordingly, the compliance
program should be formally launched by preparation of a written corporate compliance
plan that has the support and attention of top management. Typically, the plan follows the
guidelines established and publicly announced by the various regulatory agencies, and
focuses on demonstrating that the elements of an effective compliance program have
been integrated into the company and processes that the company is establishing. For
example, it is common for the plan to address the standards of conduct, which are often
included by reference to a separate code of business ethics; the role of the chief
compliance officer and the compliance committee; the communication of standards and
procedures to employees; monitoring, auditing, and reporting; responses to violations and
discipline; and the role of the board of directors, including its audit committee and
perhaps another special committee formed to focus on compliance matters.
One of the first steps in setting up a compliance program is to garner the endorsement of
the senior executives of the company and, ultimately, the endorsement and approval of
the company’s board of directors. Director approval of the compliance program should
be just one of the elements in a comprehensive initiative by the board to properly
discharge its oversight obligations with respect to the business of the company. Board
approval should include a clear and direct board resolution adopted after a serious
discussion of the advantages, costs, and goals of the compliance program.
In making the presentation to the board, counsel should consider a number of "sales
strategies." For example, counsel should select some type of criminal activity that could
potentially occur during the course of the particular company's business, and compute the
penalties and fines that might be imposed under the Sentencing Guidelines. Then,
counsel should compute the amount of the fine or penalty that would be eliminated or
reduced if the company had an effective compliance program in place. This is a great
way to show directors just how much money can be saved by the corporation if a legal
compliance program is in place. A similar calculation of the "benefits" of self-reporting
should also be made; however, hopefully the legal compliance program will make it less
likely that the corporation will ever need to report a violation.
The directors should also be provided with a summary of the guidance offered up by
significant cases and guidelines developed by various regulatory agencies. In some
cases, the directors might even be given a mini-seminar on the fact patterns in the
important cases to give them some context. Finally, directors should be reminded that the
existence of a legal compliance program may be a powerful tool in dissuading a
prosecutor from bringing a criminal action against the corporation in the future.
Directors should understand that establishment of a legal compliance program is probably
the best preventive measure that the corporation can use to minimize the risk of
problems. It should be considered an insurance policy, with time and effort being a
premium that needs to be paid as a cost of managing the modern corporation.
§3 --Board-level compliance and risk management committee
As mentioned above, compliance with laws and regulations applicable to the company’s
business activities and identifying and managing the risks associated with those activities
are two of the fundamental duties and obligations of the board of directors. The
emergence of sustainability as a new factor for consideration in boardrooms has
expanded the compliance duties to include adherence to voluntary standards that the
board has committed to with respect to governance and environmental and social
responsibility and broadened the definition of risks to include environmental and social
issues and challenges. While creating a separate board committee to focus on compliance
and risk management is not a new phenomenon, such committees have grown in
importance. Some companies separate compliance and risk management into two
different committees and companies may also place board-level groups assigned to
compliance and/or risk management as subcommittees of another standing committee of
the board, such as the audit committee.[3]
In a December 2016 report on how board committees among S&P 500 companies had
evolved to address new challenges, the EY Center for Board Matters reported that
compliance committees among those companies were typically responsible for oversight
of programs and performance relating to legal and regulatory risks and the
implementation and maintenance of the company’s code of conduct and related matters.
Specific areas of focus for this committee included the environment, health and safety
and technology. The functions of a compliance committee might overlap with the risk,
public policy and sustainability committees. Sectors most likely to have a compliance
committee included health care, energy and financial.[4]
With respect to risk management committees, the preparers of the EY report found that
these committees generally were responsible for making recommendations for the
articulation and establishment of the company’s overall risk tolerance and risk appetite;
overseeing enterprise-wide risk management to identify, assess and address major risks
facing the company, which may include credit, operational, compliance/regulatory,
interest, liquidity, investment, funding, market, strategic, reputational, emerging and
other risks; and reviewing and discussing management’s assessment of the company’s
enterprise-wide risk profile. The functions of a risk management committee might
overlap with the finance and compliance committees. Sectors most likely to have a risk
committee included financial services (almost 75% of the companies in that sector had a
risk committee), industrials, utilities, consumer discretionary, information technology and
consumer staples.[5]
The charter for a board-level compliance and risk management committee should include
a statement of purpose that addresses both compliance and risk management, recognizing
that the two areas overlap substantially. From a compliance perspective, the purpose of
the committee can be stated to include oversight of the company’s implementation of
compliance programs, policies and procedures, including the company’s code of conduct,
that are designed to respond to the various compliance and regulatory risks facing the
company; and assisting the board of directors and the other committees of the board,
notably the audit and governance committees, in fulfilling their oversight responsibilities
for the company’s compliance and ethics programs, policies and procedures. When
defining compliance, the focus should not only be on relevant laws and regulations but
also any voluntary standards that the board has agreed should be adhered to with respect
to the day-to-day conduct of the company’s operations and other activities. A Global
Compact publication recommended that the purpose statement of a risk management
committee should include ensuring that the risks and opportunities arising from current
and emerging corporate sustainability trends are included and addressed in the company’s
Enterprise Risk Management program and that the board is informed of material issues
relating to current and emerging economic, social and environmental trends.[6]
[3] For further discussion of compliance and risk management committees, see “Compliance and Risk Management Committee” in “Governance: A Library of Resources for Sustainable Entrepreneurs” prepared and distributed by the Sustainable Entrepreneurship Project (www.seproject.org).
[4] http://www.ey.com/Publication/vwLUAssets/EY-board-committees-evolve-to-address-new-challenges/$FILE/EY-board-committees-evolve-to-address-new-challenges.pdf
[5] Id.
While the name of the committee may imply that compliance and risk management
should be considered side-by-side, many companies view the primary focus of the
committee as risk management, with compliance risks being just one of many risks
that are identified and evaluated along with other operational and business risks. Given the
potential scope of any company’s operational, business and compliance risks, it is
important for the board to thoughtfully allocate primary responsibilities for certain types
of risks among the board’s various committees to ensure that the appropriate focus and
expertise is applied to those risks. For example, in the charter of its risk and compliance
committee the board of directors of Target made it clear that the entire board would retain
oversight responsibility over the company’s key strategic risks, as well as the company’s
reputation and corporate social responsibility (“CSR”) efforts (which could also have
been assigned to a separate board-level committee formed to oversee CSR), and oversight
responsibility for certain other risk areas was assigned to other committees of the board
(i.e., the audit and finance committee would handle financial reporting, internal controls
and financial risks; the infrastructure and investment committee would handle risks
related to the company’s capital expenditures, major expense commitments and
infrastructure needs; the human resources and compensation committee would handle
compensation incentive-related risks, organizational talent and culture, and management
succession risks; and the nominating and governance committee would handle
governance structuring, board succession and public policy engagement risks).
It is common practice to break out the description of the scope of duties and
responsibilities in the committee charter into compliance and risk management. With
respect to compliance matters, the compliance and risk management committee should be
charged with overseeing the company’s activities in the area of compliance that may
impact the company’s business operations or public image, in light of applicable
government and industry standards, as well as legal and business trends and public policy
issues.[7]
The mandate of the committee can be quite extensive, especially for companies
operating in highly regulated industries and markets, and generally includes establishing,
in conjunction with the senior management of the company, programs regarding
operational and legal compliance and sound business ethics for the company; overseeing
the company’s relationships with its principal regulatory authorities; reviewing matters
relating to the education, training and communications to ensure the company’s
compliance and ethics policies and procedures are properly disseminated, understood and
followed; and monitoring and reviewing the company’s activities to ensure that legal
requirements and high standards of business and personal ethics are communicated
within the company and are being met by the company, its officers and employees and
the company’s business partners.
[6] The Essential Role of the Corporate Secretary to Enhance Board Sustainability Oversight: A Best Practices Guide (United Nations Global Compact, September 2016).
[7] http://www.amgen.com/about/how-we-operate/corporate-governance/corporate-responsibility-and-compliance-committee/
As for risk management, Deloitte suggested that the committee should be concerned with
overseeing the company’s risk exposures and risk management infrastructure; addressing
risk and strategy simultaneously, including consideration of risk appetite, and advising
the entire board on risk management strategy; monitoring risks; and overseeing and
supporting the efforts of the CRO, the company’s management risk committee and other
groups within the organization formed to monitor risks and implement risk programs.[8]
Deloitte noted that it was important to determine how the risk committee will stay
informed on developments in risks so it can evolve in its response to them and suggested
that such committees develop procedures to ensure that members stay abreast of leading
practices as risks evolve and understand the new risks associated with new businesses
and locations and how changes in regulations increase or decrease risk. The committee
should also benchmark risk governance practices of peers, remain current on risk-related
disclosure requirements and conduct annual evaluations of committee performance.
Among the items in a comprehensive list of duties and responsibilities with respect to risk
management included in the committee charter of Brierty were the following:
• Maintaining an up-to-date understanding of areas where the company is, or may be,
exposed to risk and compliance issues and seeking to ensure that management is
effectively managing those issues;
• Providing input to the board and senior management regarding the company’s risk
profile and tolerance;
• Assessing and monitoring appropriate risk management and internal control systems
to ensure that risk is managed at levels determined to be acceptable by the board;
• Reviewing the adequacy and effectiveness of the company’s policies and procedures
which relate to governance, risk management and compliance and updating these
policies and procedures where required;
• Making recommendations to the board on the appropriate risk and risk management
reporting requirements to the board and the committee;
• Providing advice to the board and the CEO on relevant corporate level performance
indicators and targets for risk management and compliance activities;
• Undertaking an annual review of risk management policy and underlying strategies
and procedures to ensure its continued application and relevance;
• If considered necessary by the committee, establishing a periodic and independent
review of the implementation and effectiveness of the risk management policy to
provide objective feedback to the board as to its effectiveness;
• Receiving and considering reports on risk management and compliance programs and
performance against policy and strategic targets;
• Providing the board with advice and recommendations regarding the appropriate
material and disclosures to be included in the section of the company’s annual report
which relates to the company’s risk management and compliance policies;
[8] http://www.deloitte.com/view/en_US/us/Services/additional-services/governance-risk-management/67caded005014310VgnVCM3000001c56f00aRCRD.htm
• Ensuring that the board, before it approves the company’s financial statements for
any financial period, is provided with declarations from the CEO and the CFO that in
their opinion, the financial records of the company have been properly maintained
and that the financial statements comply with the appropriate accounting standards
and give a true and fair view of the financial position and performance of the
company and that this opinion has been formed on the basis of a sound system of risk
management and internal control which is operating effectively;
• Reviewing the adequacy of the company’s insurance coverage; and
• Ensuring that management has embedded an appropriate risk management culture in
the organization and that risk management is an integral part of the company’s
decision-making process.
§4 Selection and composition of compliance team
The compliance program will only be as good as the people appointed to the compliance
team, and the members of the board of directors need to make some fundamental
decisions in this regard at the time that the program is initially endorsed. As the company
grows, it will typically establish a compliance office to exercise overall control over the
compliance activities of the company. Enterprises in the United States and Europe have
embraced the concept of a stand-alone compliance function, based on the recognition that
compliance activities are best handled by an independent staff that provides support and
information to the board of directors and senior managers who have the ultimate
regulatory responsibility for compliance. However, while there are analogies to the way
in which companies have established their internal audit function, compliance specialists
must balance the need for independence with the practical requirement that the
compliance function must work closely with business units on a day-to-day basis to assist
managers and employees throughout the company in identifying and resolving potential
compliance risks and issues.
§5 --Executive compliance committee
As part of the adoption of the compliance plan, the board of directors should endorse an
appropriate structure for the compliance function that can be appended to the plan. A
common element of the organizational structure relating to compliance is an “executive
compliance committee” composed of the persons occupying the following positions: the
chief financial officer, senior vice president of human resources, chief compliance officer
(described below), general counsel, corporate controller, chief information officer, chief
privacy officer and chief sustainability officer. Ex officio members of the committee
should include the CEO, the chief operating officer/president and a representative of the
company’s internal audit group. Other participants, either as members of the committee
or in a supporting role, could include representatives from each of the company’s
business units and the director of the company’s enterprise risk management systems.
The committee should draw upon the services of outside consultants, such as attorneys
with expertise relating to specific compliance issues. In recent years the mandate of such
committees has expanded beyond compliance with laws, regulations and listing
standards, in the case of public companies, to include voluntary standards that the board
has acceded to relating to environmental, social and governance matters.
First and foremost, an executive compliance committee, which should explicitly be
required to report to the board’s compliance and risk management committee, serves as a
valuable forum for leaders from throughout the organization to identify and discuss
compliance issues and share best practices and leverage opportunities for collaboration.
In addition, the committee should have very specific mandates including oversight of the
development, issuance, distribution and review of the company’s code of conduct and
other appropriate compliance policies; communications with employees and contractors
regarding compliance policies and expectations and oversight of employee and contractor
compliance training; development and administration of reporting and complaints
processes; monitoring and auditing compliance with code of conduct, policies and legal
requirements; enforcement and discipline; and response and prevention. The committee
should also be responsible for preparing disclosures regarding compliance matters to be
included in the company’s traditional regulatory reports and sustainability reports.
§6 --Central compliance office and chief compliance officer
The compliance office will be responsible for establishing compliance policies and
procedures throughout the company, and may also be involved in other functions such as
crisis management. Responsibility for operation of the compliance office should be
vested in a chief compliance officer (“CCO”) who is considered to be a member of the
senior management group of the company and who reports to the chief executive officer
and, as necessary, to the audit committee of the board of directors. Every effort should
be made to protect the independence of the CCO by providing a separate employment
contract to him or her. Given the demands of the CCO position, it is not surprising that
companies often look to attorneys, internal auditors, or former investigative agency
employees. In any event, the CCO must have a broad compliance background and
specific experience working with companies that have operated in the same product and
geographic markets. The CCO should be at a sufficiently high level in the organizational
structure of the company to ensure the cooperation of all personnel in the event that a
compliance investigation is required or a compliance reform is necessary. Selection of a
top official is helpful in persuading employees that compliance is an important and
valued goal for the company.
Selection of the CCO should be accompanied by organization of a compliance project team.
It is best if the project team includes top management, legal counsel, the chief internal
audit officer of the corporation, and persons in various departments who may already
have some responsibility for legal compliance in a specific area (e.g., environmental,
health and safety, employment laws, etc.). The use of a project team encourages persons
from throughout the company to get involved in the legal compliance program, and gives
them a sense of ownership that can be carried over into the implementation phase. A
central project team should also facilitate creation of uniform policies that can be
followed throughout the company.
The CCO, with the advice and consent of the compliance project team, should put
together a staff that can implement the programs and procedures to be included as part of
the compliance effort. Among other things, staff members should be able to conduct
internal investigations and work with outside resources and other departments within the
company, such as legal and accounting. It is essential that the compliance function be
staffed by persons with the requisite competencies to handle the compliance risks that
may arise with respect to each entity, business unit, product, territory, and transaction in
the company. Staff must not only be versed in all of the laws and regulations that apply
to the company’s business activities, they must also be able to effectively and
independently enforce and monitor all the required policies, standards, and procedures.
The compliance office itself will be broken down into several groups, including legal and
risk management. The legal staff within the compliance office will be primarily
responsible for drafting of policies and procedures, issuing opinions and advisories
regarding compliance issues, and staying current with applicable laws and regulations.
Many companies are creating special departments to deal with emerging issues that
promise to have global impact, such as corporate social responsibility and the management
and protection of personal data and information. The central compliance office will work
with dedicated teams within the company that may have been formed to deal with
specific legal and regulatory compliance issues such as product safety and environmental
conservation. In addition, of course, compliance personnel will need to work with
colleagues performing similar tasks in other functional areas, particularly legal and
human resources. In fact, it is important for the CCO to have a good working
relationship with the general counsel and the head of the human resources function to be
sure that conflicts do not arise and resources are being efficiently distributed.
§7 --Regional compliance offices for foreign activities
As the company grows and enters foreign markets, the organizational structure of the
compliance function must be modified to take into account the fact that regulators in
foreign countries will focus on dealing with legal entities (i.e., branch offices and local
subsidiaries). At that point, global companies often establish one or more regional
compliance offices which will be responsible for administering compliance activities in
designated geographic territories (e.g., Europe and East Asia (including China and Hong
Kong)). Each regional compliance office has its own chief compliance officer, who
reports directly to the company’s CCO, and sufficient staff and other resources to issue
instructions to branches and subsidiaries in the region relating to compliance issues and
activities. Among other things, the regional compliance offices can translate and localize
the company-wide codes and policies adopted by the board of directors and senior
management, and can also deal directly with specific laws and regulations in various
countries. Obviously, this expanding compliance network creates potential difficulties in
terms of independence and consistency that will require careful attention and monitoring
by senior management. When setting up compliance offices in foreign countries,
companies often rely on local counsel to assist in providing information on the applicable
laws, regulations, and business customs.
The company must be prepared to allocate sufficient resources to adequately staff the
central compliance function, and each of the compliance departments established within
business units and in regional markets outside of the United States. Among the factors
that need to be taken into account are the overall staffing of the company; the types of
activities engaged in by the company; the geographic scope of the company’s business
activities; the number and type of business relationships with outside parties; and the
specific network of United States and foreign laws applicable to the company’s business
activities. Staffing at specific foreign offices will depend on the local governance and
regulatory environment, and the manner in which the company is able to utilize
technology and communications tools to streamline and centralize the compliance
process. For example, a robust global accounting system can facilitate remote review and
analysis of transactions in foreign countries that will reduce the need for local personnel.
It is also possible to conduct interviews and training using online tools. In all cases, the
compliance function should have its own budget for staffing apart from individual
business units, and thus avoid potential conflicts with those units with respect to
recruitment, compensation, assessment of performance, and promotion.
§8 --Risk management in business functions and activities
Companies should realize that managing and reducing the legal risks associated with day-
to-day business activities requires more than a compliance program, and that policies and
procedures must be implemented in other business functions and activities to ensure that
the company meets its legal and ethical obligations. In fact, while the CCO is primarily
responsible for identifying and managing most of the legal risks that may be faced by the
company, it is still common for other senior managers to be responsible for special areas
such as employment discrimination, environmental law, workplace safety, and securities
laws (i.e., insider trading).
Since ethical conduct and corporate compliance begin and end with the employees
involved in day-to-day business activities of the company, creation and maintenance of a
successful and effective compliance program begins at the hiring stage, and then
continues with ongoing training and education. The company should conduct
background checks before hiring employees, and thoroughly investigate each candidate’s
education, employment history, and personal references. Additional inquiries may be
necessary for certain positions, particularly when the employee will be involved in
sensitive transactions and/or working with substantial amounts of funds or proprietary
information. The company’s ethical values and code of conduct should be rigorously
covered when training new employees; and ongoing education programs should be
conducted on a regular basis throughout each employee’s career with the company.
Finally, the company should incorporate into regular performance reviews an evaluation
of how the employee has contributed to maintaining the desired ethical values and
honoring the code of conduct. See the further discussion below of institutionalizing
ethical conduct requirements including the designation of a “chief ethics officer”.
In addition, risks associated with product design and performance are best managed
through implementation of strict quality control procedures that apply
throughout the manufacturing process. Accordingly, companies should consider
consolidating the activities of formerly separate divisions or business units that handled
standardization of components and technologies, material and component procurement,
customer satisfaction, product environment analysis, and the product design process. By
combining these activities, companies can achieve greater effectiveness and efficiency,
and implement specific initiatives that can reduce potential problems arising from
product defects. Specifically, companies can tap the expertise of each of the combined
functions to develop rigorous evaluation standards for components, processes, and
finished products, and can develop guidelines for selection and approval of suppliers. In
that vein, many companies are substantially reducing their pool of suppliers, and focusing
on locating partners willing to invest in standardization and quality enhancement that will
ultimately reduce the company’s product risks.⁹
Line managers should, of course, bear responsibility for compliance efforts within their
respective functional areas. However, given the time and expense normally associated
with the monitoring and reporting usually required for the compliance program to be
effective, it often makes sense to place responsibility for monitoring and reporting
outside of the normal line management structure. If compliance measures are left solely
to the line manager, he or she may be tempted to skimp on compliance efforts out of
concern that the costs thereof will hamper the manager's efforts to attain his or her profit-
related performance goals.
§9 Priorities and schedules
Once the compliance team has conducted an assessment of the existing compliance
environment, it should begin to establish priorities. Of course, highest priority should be
given to the areas which carry the most significant levels of potential legal risk and
financial exposure. In most cases, the first areas to work on include accounting and
finance; human resources; health and safety; and environmental issues. Depending on
the activities of the company, a good deal of attention may need to be paid to protection
of intellectual property, insider trading, and/or political contributions. The CCO should
establish a schedule, and priorities, for developing procedures and providing training
programs to managers and employees. For example, the CCO may want to begin by
developing, or updating, the company’s general code of conduct, and then proceed with
training and educational programs.
One way to prioritize a company’s legal needs is to look at its “value chain,” that is, the
series of steps that the company must complete in order to create, produce, sell and
service its products and services, and at the specific regulatory environment in which the
company operates. For example, obtaining and maintaining all necessary licenses and
permits to conduct business is a priority issue and should be treated as the most
important. The second priority should be creating and managing the intellectual property
portfolio upon which the company depends. Next should be tending to current litigation
⁹ For further discussion of risk assessment procedures, see “Risk Assessments” in “Compliance: A Library of Resources for Sustainable Entrepreneurs” prepared and distributed by the Sustainable Entrepreneurship Project (www.seproject.org).
matters that are material to the business and financial condition of the company. The
fourth item might be documenting key strategic relationships with outside business
partners and setting up an internal system for review, execution and storage of all
material contracts.
The foundation for establishing priorities should be laid during the initial interviews with
senior executives of the company. Executives of companies that are just starting out
often think that implementation of a comprehensive system of internal controls, including
compliance programs, is a luxury they cannot afford, and instead focus their time and
money on initiatives of more immediacy to the survival of the company such as new
product development, marketing and advertising programs, and improvement of
manufacturing facilities. Internal controls are deferred under the rationale that they are
only necessary when the company reaches the size and sophistication of more established
competitors. Unfortunately, experience shows this attitude to be shortsighted, and
surveys find that a significant percentage of the failure rate for emerging companies,
regardless of the talent and management experience of their founders and senior
executives, can be attributed to inadequate internal controls and compliance procedures.
The key is to secure the support of executives so that compliance procedures can
gradually be introduced, with the understanding that they will usually need to be
customized to the size and available resources of the company.
When implementing or expanding a compliance program, attention should be paid to the
impact that the actions might have on day-to-day operations and employee morale.
Hopefully, with the proper education and messaging from senior management, a
compliance program will be seen as a positive step in the evolution of the company
toward an enterprise that is committed to embracing best practices of successful global
companies. On the other hand, companies that do not think the process through
may find that the announcement of new compliance procedures creates concern among
employees, and significantly slows the flow of communication through the company. For
example, questions may arise as to why the program was initiated, and whether there may
have been some violation or other wrongful conduct that triggered the change. Also,
implementation of a “help line” might lead to a chill in information sharing if employees
have concerns that their colleagues will be “snitching.” In order to make sure that
compliance programs are smoothly implemented and accepted by employees, the
compliance officer should consider involving employees in the design of the program,
and seek input from employees as to how certain measures might fit with the company’s
culture and workflow.
§10 Compliance standards and communication tools
Two of the most important practical requirements for an effective legal compliance
program under the Sentencing Guidelines are the establishment of compliance standards
to be followed by officers and employees of the company and the development of
communications tools for informing and educating officers and employees about the
compliance program and the steps they need to take to avoid illegal activities.
Accordingly, the biggest job for the compliance team is to design and implement a
compliance program that clearly describes the company’s compliance standards and
ensures that those standards have been disseminated throughout the company and are
continuously reinforced through formal training and the actions that are valued by the
company as it carries out its workflow and evaluates and rewards the behavior of
executives, managers and employees.
The compliance team should develop a mix of strategies for communicating compliance
standards throughout the company. For example, information can be disseminated
through codes of conduct; policy and procedure manuals that explain the goals and
requirements of the compliance program; and training programs. Dissemination of
information should be accompanied by other procedures and practices to ensure the
compliance program achieves the anticipated goals and objectives. For example, written
materials should be supplemented by ongoing training sessions and meetings among
employees of the company to discuss the relevant standards. In addition, reporting
mechanisms (e.g., a “help line”) should be implemented to allow employees to report,
anonymously if desired, actual or potential violations of regulations and company
policies, and to seek clarification on questions that may arise with respect to
interpretation and enforcement of compliance procedures. An oversight process should
also be established to regularly monitor use and enforcement of the compliance
procedures, and measure how effective the program is in reducing risks of regulatory
violations and other misconduct. Finally, incentives should be built into the company’s
regular policies and procedures with respect to reviewing the performance of managers
and employees and making decisions regarding compensation, promotions, and job
responsibilities.
The most effective communicators are the senior executives of the company, since they
are uniquely positioned to impress on employees how important the procedures are, and
the penalties that will be imposed if the standards are violated. Other strategies should
also be used to create and reinforce a “compliance culture” within the company, such as
informal discussions of compliance standards or issues between managers and their
subordinates; briefings at new employee orientations; memoranda and speeches by senior
managers; group meetings and briefings; articles in company periodicals; and posted
notices. A fuller discussion of establishing a control environment and encouraging
ethical conduct is provided below.
§11 --Conduct codes
The foundation of the compliance program is a code of conduct that sets the basic
internal standards to be observed by all directors, officers, and employees of the company
in order to establish, maintain, and strengthen the business ethics and compliance systems
throughout the company. When preparing a code of conduct, it is customary to include a
description of the legal and regulatory requirements that apply to the company’s business
and operations; examples of specific types of conduct that will actually or potentially
violate those requirements; and a description of the methods that the company intends to
use to ensure that the code is followed, including specific penalties that the company may
apply. Beyond specific examples, the code may also include a statement of certain core
company values and principles which may serve as a guide for employees to select
appropriate and lawful behavior in situations that have not been discussed in advance as
part of the code. In that regard, it is typical for the code to include a general statement of
the company’s intent to engage in ethical business practices with respect to such areas as
respect for human rights, safety of products and services, environmental conservation,
and information disclosure.
The code of conduct should be disseminated to all employees of the company,
particularly employees working in foreign countries. Assuming that the company has
adopted a structure that includes regional compliance offices, those offices will be
responsible for translating the code into local languages, and making sure the code is
explained and understood. Employees should also have access to the code on the intranet
websites of the individual branches and subsidiaries within the company. In addition, the
code should be part of the company’s compliance training and education programs; and
each employee should be required to execute and deliver an initial attestation that they
have received and reviewed the code, as well as an annual attestation thereafter
throughout their employment with the company that confirms their continued
understanding of their duties and obligations under the code. Finally, dissemination of
detailed codes and policies of business conduct has become an important part of the
external relations policies of many companies, and such codes or policies will often be
posted on the company’s website as part of the governance materials available for view
by the investment community.
§12 ----Contents of conduct codes
The primary objective of the code of conduct is to describe the company’s formal
programs to ensure that employees comply with applicable laws and regulations. One
way to accomplish this is to reference the external compliance standards suggested under
Sentencing Guidelines and demonstrate the steps that have been taken by the company to
adhere to those standards. In the course of describing the compliance program, the code
should discuss the procedures available to employees for raising concerns about the
conduct of others in the company and for simply asking questions when the employee is
faced with a dilemma or potential conflict. For example, readers should be provided with
information on any “hot line” procedures that have been established, and the code or
policy should clearly state the company’s prohibitions against retaliation against
employees who make complaints in good faith.
Since the code of conduct is directed at all employees within the company, it is important
to include a description of the rules and guidelines that the company intends to adhere to
with regard to workplace activities and relationships. In this area, reference should be
made to solid human resources practices, including all the types of things that might lead
to a claim against the company under the employment laws. Among other things, the
code or policy should discuss company rules relating to unlawful harassment and
discrimination, workplace health and safety, substance abuse, conflicts of interest, outside
employment and electronic communications.
The code of conduct should also discuss the rules and regulations that are relevant to the
day-to-day conduct of business activities with key outside partners of the company,
including its customers and suppliers. Each of these partners, as well as the general
community, will demand assurances that the company conducts itself in a manner that
complies with the law and with commonly accepted standards of business ethics in the
relevant industry. Areas of greatest concern include representations and warranties to
customers regarding the company’s products and services, sound contracting practices,
compliance with antitrust and competition laws and protection of confidential
information disclosed to the company by its business partners.
In addition, the code of conduct should demonstrate that the company is mindful of its
duties and obligations to its shareholders, particularly outside investors not actively
involved in the day-to-day activities of the company. In the case of companies subject to
the Sarbanes-Oxley Act of 2002, the code of conduct should confirm that adequate
internal controls are being maintained and that investors are being provided with full and
accurate disclosure of financial and business information on a timely basis.¹⁰ Beyond
that, however, investors must be assured that company insiders are not engaged in
unlawful trading of the company’s securities based on information that has not been
disclosed to the marketplace. The code should also demonstrate that the company is
taking adequate steps to protect its tangible and intangible assets, including its intellectual
property rights.
Finally, the code of conduct should demonstrate recognition of the company’s role and
obligations within its broader communities. For example, employees should be provided
with guidelines relating to participation in political activities. Companies involved in
business activities outside of the United States must be mindful of local customs and
practices, as well as the wide range of laws regulating corrupt practices, boycotts, export
controls, formation and operation of joint ventures and immigration. Finally, depending
on the type of business, attention may also need to focus on environmental regulation and
rules governing transport of hazardous materials and certain types of goods.
§13 ----Dissemination of conduct codes
The code of conduct should be disseminated with a cover letter from the company’s CEO
to demonstrate the commitment of senior management to the principles set forth in the
code. In the letter the CEO should emphasize the importance of business conduct and
personal integrity in the day-to-day activities of the company. The message should be
addressed to several different audiences. First, the CEO should speak directly to the
employees of the company since they are the people who will be the real face and voice
of the company to its constituencies. Employees are constantly reminded of the need to
achieve objectively measurable results in their dealings with the business partners of the
company; however, the CEO must also make it clear that the means of achieving those
results is just as important. Second, the CEO should always be mindful that the message
¹⁰ For discussion of the Sarbanes-Oxley Act of 2002, see “Legal and Regulatory Basis for Compliance Programs” in “Compliance: A Library of Resources for Sustainable Entrepreneurs” prepared and distributed by the Sustainable Entrepreneurship Project (www.seproject.org).
will be read by members of the investment community, if applicable, regulators and
representatives of the company’s business partners. As such, the CEO should emphasize
the tangible steps that have been taken to establish the requisite internal controls to
monitor the compliance program.
§14 ----Self-assessment tools
The code of conduct can have greater value to the user if it includes tools for self-
assessment. One method that might be used is inclusion of a list of questions for
managers that relate to the actions that they take, or fail to take, with respect to the
underlying principles of the code of conduct. Among the questions that might be posed
are the following:
• Does the manager actively support the company’s compliance initiatives and training
activities?
• Does the manager understand, and disseminate information about, the company’s
“hot line” procedures?
• Is the manager properly informed about the company’s policies regarding discipline
procedures when employees commit illegal or unethical acts?
• Does the manager believe that business integrity is a valued characteristic in the
company’s personnel assessment procedures and in the relationships that exist among
employees under the supervision of the manager?
• Does the manager believe that he or she has created an environment that encourages
open communications with employees about ethical problems that may arise in the
course of conducting business?
§15 --Policy and procedure manuals
Companies may supplement conduct codes through a series of published rules, practices,
and procedures that apply to the activities of particular types of employees. For example,
if a company is engaged in extensive sales activities, it might consider adopting separate
compliance practices and procedures that address conduct issues that may confront
members of the sales force. Training procedures and instructions for new employees,
regardless of the functional area in which they will be working, should include directions
on how to avoid unlawful conduct. In deciding where and when to implement special
rules and procedures, consideration should always be given to the legal compliance risks
associated with a particular activity and/or job category.
While codes, policies, procedures, employee manuals, and other materials are an
important and commonplace part of any compliance program, they should be prepared
with care and the realization that the contents thereof might eventually be deemed a
binding contract with the employees of the company. For example, employers should be
careful about referring to “due process,” “fairness,” or “hearings” when discussing
disciplinary procedures and investigations in their employee manuals. Similarly, it is not
wise to include language that might be construed as a promise by an employer not to
discharge employees without “cause” and, in fact, it is generally recommended that the
company include a specific statement that reiterates its right to terminate an employment
at any time consistent with “at will” employment principles. Compliance policies should
only contain promises and undertakings that the company is prepared to keep, such as
responding promptly to reports of misconduct that may be lodged by employees. The
same principle applies to other communications regarding compliance made by senior
executives and managers in speeches and training sessions.
§16 --Training programs
One of the key goals and objectives of a compliance program is education and the
elimination of ignorance as an excuse for noncompliance. This can first be accomplished
by regular publications on important and current compliance issues. To foster continuity,
these publications can be issued as compliance guides so employees can begin to
recognize a consistent message, underscoring its importance. Next, the compliance group
can hold training conferences in all areas where the company has significant business
operations. Ultimately, the group should have an extensive inventory of training videos
and manuals, publications, and access to topic experts. The materials must be regularly
updated and expanded.
The schedule and budget for implementing the compliance program should provide for
extensive training. Training should begin at the top with the board and key managers
within the company, and then proceed down the company chart until all employees are
introduced to the program and its goals and objectives. The CCO, or a designated chief
trainer, should be closely involved with training efforts in the top levels of the company.
Once training of senior personnel has been completed, the CCO or chief trainer should
educate other persons to provide training programs, and provide them with resources
required to do the training. The most effective training takes place at the operating unit
level and is directed to employees directly involved in activities likely to involve risks
covered by the compliance program. This means effective training must be job-specific.
While such customization will result in increased costs due to the need to create tailored
programs, it also means increased overall effectiveness and a reduced likelihood of
violations and penalties.
Beyond increasing variety through customizing programs, another important trend has
been the explosion in the number of methods available for delivery of compliance
training programs and information. This includes printed materials, training videos that
educate employees regarding substantive laws and the company’s own policies and
procedures and CD-ROM or web-based interactive multimedia training programs. It is
now common for larger companies to establish internal “intranet” sites to post the key
compliance program documents and copies of relevant laws and explanatory materials.
A side benefit of using web-based training is that third-party resources can be listed on
the corporate compliance department’s intranet website. This should also mean that
global resources can be used, including those in every major country in which the
company does business. A website is also relatively easy to update and changes can be
communicated quickly via e-mail with links back to the site.
Companies often use a combination of the tools and methods described above to create
their compliance education programs. For example, written materials, such as handbooks
and manuals, can be supplemented by video training that includes automated testing
procedures that can be conducted at the company’s compliance website. Decisions in this
area depend on several factors, not the least of which is the cost per person of developing
a particular training item. For example, a high quality CD-ROM training product,
including animation, might cost up to $1,000,000 for initial production. This may exceed
the budget for many companies; however, once the initial work has been done, the costs
of maintenance are small in relation to other training methods.
While technology has proven to be very helpful in delivering compliance-related
information to managers and employees, particularly in making it easier for personnel to
access the information at times and places that are most convenient for them, companies
should not rely totally on impersonal educational tools. It is still important to plan and
schedule traditional classes and seminars that include face-to-face interaction between
trainers and managers and employees. Not only is participation easier to track, but these
sessions also provide an opportunity to gather feedback regarding the efficacy of the
training materials and also generate ideas for additional topics that should be covered in
the future.
The content of the training program will, of course, vary depending on the particular
activities of the business unit in which the employee works. Typically, companies will
offer generalized, baseline training to familiarize employees with the common issues they
are likely to confront on a regular basis. Beyond that, the training program may include a
few examples of technical issues that would require consultation with counsel and/or
senior managers. The purpose of these examples is to remind employees that completing
the training program does not automatically make them experts in a given area. As far as
subject matter is concerned, companies often provide training that goes beyond the
dissemination of written documents in the following areas: employment discrimination
and harassment; antitrust; customer and patient privacy; environmental laws; the federal
Foreign Corrupt Practices Act; import/export laws and regulations; protection of trade
secrets and other intellectual property rights; safety and security; insider trading; and
industry-specific regulations and practices.
Once the training program has been established, steps must be taken to verify that
employees have, in fact, participated. With seminars and other types of face-to-face
training, sign-in sheets should be used and retained for future reference. Review of
written materials and CD-ROMs is a bit more difficult to track; however, the company
should at least maintain records regarding distribution of such materials to employees,
perhaps with an additional requirement that employees return some form of signed
certification to the company within a fixed period following receipt of the materials.
Companies may be able to put materials on an Intranet site where they can be accessed by
employees and usage can be easily tracked.
Many companies now require employees involved in regulatory-specific activities to be
regularly tested against established standards of knowledge and make successful
completion of the tests and related training a condition to ongoing employment and/or
promotion. However, while these new technology tools have many advantages and
should be used when available, they cannot be relied on completely. On-site visits by
members of the corporate compliance department emphasizing the importance of the
company’s compliance plan are invaluable and cannot be overlooked.
§17 --Reporting mechanisms
The company should establish procedures that can be used by employees and business
partners to report concerns about, and potential violations of, the code of conduct and the
company’s other compliance rules and guidelines. Many companies incorporate these
procedures into company policy statements and employee handbook provisions. The
CCO should consider a variety of reporting mechanisms, including an ombudsman, a
hotline, or a separate post office box outside the company mail structure to which
employees may send information regarding problems without concern about being
discovered. In addition, the company should adopt a formal policy that facilitates
reporting of potential claims and other events that might result in liability for the
company.
It is now commonplace for companies to set up internal “help line” systems that
employees can use to report possible violations of law and internal policies, and these
systems should be well publicized in the company compliance literature and training
sessions. A help line, sometimes referred to as an “ethics line,” “advice line” or
“hotline,” is often cited as a great tool for encouraging employees to report problems they
might otherwise be reluctant to discuss directly with managers or colleagues, such as
violations of law or sexual harassment. Employees should be assured that reports made
honestly and in good faith will be treated with respect and that the makers of such reports
will not experience retaliation in any form. Provision should be made for allowing
employees to make reports anonymously if they so choose.
Hotlines can be run in-house, or an outside party, such as the Pinkerton agency, can be
engaged to operate the company's hotline. Outside parties should be able to offer skilled
employees trained in eliciting information from callers while maintaining the requisite
degree of confidentiality and trust. A fairly recent development has been the launch of
“information channels” that can be used by business partners of the company, such as
suppliers and customers, to report activities of company employees and agents that might
violate laws or company policies.
In large companies, consideration should be given to so-called "whistleblower systems"
which provide procedures that can be followed by employees who want to report criminal
conduct to senior managers without fear of retribution. Once a suspected violation has
been reported or otherwise discovered, it is essential for the company to follow an
established procedure for dealing with the issue. In the event of a suspected violation, the
CCO, usually in conjunction with corporate counsel, should investigate the claim.
Depending on the outcome, the company should take appropriate follow-up steps, such as
ceasing any ongoing activities which may be in violation of the law, sanctioning the
employee, consulting outside counsel to conduct an independent investigation or
contacting the appropriate governmental agency with responsibility for administering the
law. Whistleblower systems are an important part of the compliance program as
anecdotal evidence shows that many employees who sue their employers over violations
of law might not have brought the action if they felt their concerns were adequately
responded to by the company.
§18 --Oversight process
An appropriate oversight process must be developed as part of the compliance program.
Certainly, effective oversight requires the active involvement of management, since
managers are best placed to evaluate on a day-to-day basis the activities of employees in
complying with the code of conduct and other internal controls. In addition, however, the
board of directors, principally through its audit committee, must assume responsibility for
evaluating management’s performance with respect to identification and assessment of
risks and establishment of internal controls. The company’s internal auditors are also
important participants, given the need for them to determine whether a breach of internal
controls has been committed, and their role in assisting management in identifying and
evaluating risks and recommending steps that can be taken in order to improve
compliance. Finally, independent auditors must assume an expanded role in advising
management and the audit committee about the adequacy of the company’s internal
controls.
11
§19 --Incentive programs
Ideally, incentives for adhering to compliance standards should be created through
adoption of compensation, performance review, and promotion standards that specifically
take into consideration whether or not an employee has complied with legal requirements
and related company standards. In practice, however, there is still much to be done in
matching compliance with rewards in the form of salary, bonus, and positive job
performance reviews.
Consider, for example, the feedback generated by the South Texas College of Law
Corporate Compliance Center in its “2005 Best Practices Survey,” which was based on
information provided by respondents that were primarily public companies with more
than 5,000 employees, more than $1 billion in annual revenues, and large in-house legal
departments (i.e., more than ten lawyers). The results of that Survey showed that less
than half of the respondents evaluated an employee’s contribution to or participation in
the compliance and ethics program as part of their periodic employee performance
reviews. Of those companies that did respond positively, some noted that compliance
was identified as a “core competency” for each employee and/or that compliance was
part of the annual performance appraisal process and thus impacted annual bonuses.
Among the same group, common practices included mandatory ethics training and
written acknowledgements of codes of business conduct as a condition to receipt of
bonus.
11
For further discussion of risk assessment procedures, see “Risk Assessments” in “Compliance: A Library
of Resources for Sustainable Entrepreneurs” prepared and distributed by the Sustainable Entrepreneurship
Project (www.seproject.org).
However, even among those companies that did respond positively, some indicated that
integration of compliance into performance evaluations was not being fully implemented
by managers. The bottom line seemed to be that, for most companies, the most common
incentive offered to employees for performance in accordance with the compliance and
ethics program was a positive comment in the employee performance evaluations.
Increases in salary and bonus came in a distant second, and other companies gave their
support through public recognition (e.g., internal newsletters) and increased job
responsibility.
§20 Establishing the control environment
The codes of conduct, compliance manuals, training and other tools described above are
absolutely essential elements of any compliance program. However, in addition to these
tangible tools there must be an underlying organizational philosophy, sometimes referred
to as the “control environment” in the auditing world, which establishes the foundation
for all other aspects of internal control within the company including compliance. The
main components of the control environment are integrity and ethical values;
commitment to competence; management philosophy and operating style; organizational
structure; and the board of directors. The control environment should cover not only
illegal acts (i.e., actions or omissions that constitute violations of applicable laws and
regulations) but also actions that might be considered dishonest or unethical and thus
reflect badly on the public perception of the company.
§21 --Integrity and ethical values
An effective compliance program seeks to establish standards governing not only the
letter of the law but also its spirit, which is often translated into guidelines mandating
that business activities be conducted with integrity and with respect for ethical
values. Management establishes integrity and ethical values by enunciating the
behavioral and ethical standards that it expects of employees. These values must be
communicated and enforced by the personnel who create, administer and monitor
controls in the company. To emphasize their importance, the standards should, as
described above, be formalized in the company’s code of conduct and other policies. The
standards should discourage employees from being involved in acts that are or would be
considered by outsiders as illegal, dishonest or unethical. One way to discourage conduct
in violation of the company’s values is by removing or reducing the temptations and
incentives to participate in such activity. For instance, fraudulent financial reporting is
more likely to occur when employees are pressured to meet performance goals that they
feel are unrealistic. This problem is heightened when their compensation is tied to
achieving such goals.
§22 --Commitment to competence
Management should ensure that employees have the requisite skills and knowledge to
perform their jobs. Lacking such skills and knowledge, they may not be able to
adequately perform their jobs and may be tempted to engage in activities that fall short of
the ethical standards demanded by the company. While managers may assert that they
want qualified employees, the real measure of their commitment is whether they are
willing to pay enough to attract employees with the appropriate education and
experience, to spend money to continue training them and to appoint sufficient
supervisors to monitor their performance and assist them in building their skills
and self-esteem.
Since a commitment alone is not enough to produce compliance, many companies take
another step by requiring key employees to be bonded. Such bonds are necessary since
the most trusted employees usually have the most access to cash and other valuable
assets, as well as company records concerning them, and are more able to take advantage
of such trust by theft or embezzlement. For this reason, most companies purchase fidelity
bonds on employees handling cash and negotiable assets. Under such bonds, the bonding
company agrees to reimburse the employer up to certain agreed upon amounts for losses
resulting from theft or embezzlement by bonded employees. The bonds could be on an
individual employee basis, which is usually the case with small companies, or could be
blanket fidelity bonds covering a number of employees, which is usually the case with
larger companies. Before issuing the bonds, bonding companies investigate the
backgrounds of the covered employees, which gives additional assurance to employers
that their employees are qualified and have not been previously involved in questionable
activities. Additionally, since bonding companies are more likely to prosecute employees
involved in theft or embezzlement, employees may be discouraged from undertaking
dubious actions for fear of such prosecution.
§23 --Management philosophy and operating style
As a working principle, it can be argued that all companies have their own personality,
reflecting the business, traditions and existing employees. For this reason, management
differs from one company to another in many ways, including how it deals with financial
reporting and business risk. Some management may be quite aggressive in these regards,
including meeting or exceeding financial goals. They may be high-return oriented, but be
willing to take high risks to achieve the returns they want. Other management may be
less aggressive, and be willing to take lower returns in exchange for lower risks. The
operating style can also differ in the degree of formality. In an informal company, there
may be less emphasis on written reports, but more emphasis on meetings and face-to-face
conversations among employees and managers. In a formal company, little action may
be taken without a written report that is circulated to and approved by appropriate people.
§24 --Organizational structure
Another critical element of a company’s control environment is the organizational
structure. While somewhat simplistic, organizational structures are often classified as
centralized or decentralized. In the centralized model, all functional departments—
research and development, manufacturing, sales and marketing, finance and information
technology—report directly to a small group of senior executive officers at the
company’s main headquarters office. A decentralized model distributes responsibility
and control over company assets out to various business units, each of which is
provided with a budget and autonomy to pursue its specific strategic goals and
objectives. Whether centralized or decentralized, a well-designed structure identifies and
allocates authority, responsibility and duties so that all of the employees are aware of
what they are expected to do and what authority and responsibility they have to do it. A
significant difference between the two structures is that, in a more centralized structure,
the central leadership group has a greater influence over other elements of the control
environment, including integrity, ethical values, philosophy, and style.
12
Regardless of the degree of centralization or decentralization, the organizational structure
should segregate responsibility for authorizing transactions, recordkeeping and custody of
assets. For instance, purchasing should authorize a purchase of raw materials, accounting
should keep the records concerning the purchase, and the warehouse should keep
materials once received. Similarly, the functions of accounting and finance departments
should also be segregated, since accounting is more closely tied to recordkeeping while
finance has a custody function. More specifically, under the direction of the controller,
the accounting department records financial transactions and reports on such transactions
through financial reports and tax returns. This department is also responsible for internal
control by maintaining independent records against which actual quantities of assets and
operations are compared. On the other hand, under the direction of the treasurer, the
finance department establishes credit policies, plans future cash needs and adopts plans to
meet those needs, including when and how to raise money to fulfill any projected
shortfalls. This department also has custody of bank accounts and other liquid assets,
including receiving cash payments, investing idle cash and making cash disbursements.
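The split between authorizing a transaction, recording it and holding the asset can be checked mechanically against the access rights an identity or ERP system actually grants, which is how an access review catches a person who has quietly accumulated all three. The following is an added example and not part of the original text: a small Python routine that maps application permissions to a (process, duty class) pair and flags any user holding two or more duty classes within the same transaction cycle. The permission names, the two processes and the user assignments are constructed for illustration and do not correspond to any real product's entitlements.

```python
from collections import defaultdict
from itertools import combinations

# The three duty classes the text says must be split for every transaction
# cycle: authorizing the transaction, keeping its records, and custody of
# the asset. The order is fixed so reported conflicts are deterministic.
AUTHORIZE, RECORD, CUSTODY = "authorize", "record", "custody"
DUTY_ORDER = (AUTHORIZE, RECORD, CUSTODY)

# Hypothetical mapping from application permission to (process, duty class).
# These permission names are assumptions for the example, not entitlements
# of any real product; in practice they would come from an ERP/IAM export.
PERMISSION_DUTIES = {
    "po.approve":        ("purchasing", AUTHORIZE),
    "vendor.create":     ("purchasing", RECORD),
    "ap.post_invoice":   ("purchasing", RECORD),
    "warehouse.receive": ("purchasing", CUSTODY),
    "payment.approve":   ("disbursement", AUTHORIZE),
    "gl.post_journal":   ("disbursement", RECORD),
    "bank.release_wire": ("disbursement", CUSTODY),
}

# Constructed user-to-permission assignments for the example.
SAMPLE_ASSIGNMENTS = {
    "buyer_a":   ["po.approve"],
    "ap_clerk":  ["vendor.create", "ap.post_invoice"],      # two RECORD duties: fine
    "receiver":  ["warehouse.receive"],
    "treasurer": ["payment.approve", "bank.release_wire"],  # authorizes and holds custody
    "superuser": ["po.approve", "ap.post_invoice", "warehouse.receive"],  # all three
}


def duties_by_process(permissions):
    """Group a user's permissions into {process: set(duty classes)}.

    An unmapped permission raises instead of being skipped: a gap in the
    mapping must surface as an error, not as a clean review.
    """
    grouped = defaultdict(set)
    for perm in permissions:
        if perm not in PERMISSION_DUTIES:
            raise ValueError(f"permission not in duty mapping: {perm}")
        process, duty = PERMISSION_DUTIES[perm]
        grouped[process].add(duty)
    return grouped


def sod_conflicts(assignments):
    """Return (user, process, duty_a, duty_b) for every pair of duty classes
    a single user holds within the same process."""
    conflicts = []
    for user, perms in sorted(assignments.items()):
        for process, duties in sorted(duties_by_process(perms).items()):
            held = [d for d in DUTY_ORDER if d in duties]
            for a, b in combinations(held, 2):
                conflicts.append((user, process, a, b))
    return conflicts


def report(assignments):
    """Human-readable summary, one line per conflict."""
    lines = [f"{user}: {process} - holds both '{a}' and '{b}'"
             for user, process, a, b in sod_conflicts(assignments)]
    return "\n".join(lines) if lines else "no segregation-of-duties conflicts"


if __name__ == "__main__":
    print(report(SAMPLE_ASSIGNMENTS))
```

Running the block as a script prints one line per conflict: three for the superuser, one for the treasurer, and nothing for the clerk who holds two recordkeeping permissions, since two duties of the same class are not a segregation problem. The check is scoped per process, so a user who authorizes purchases and has custody of disbursements is not flagged; that is a deliberate choice a stricter review could tighten. An unmapped permission raises rather than being ignored, so an incomplete mapping cannot silently produce a clean report.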
Beyond segregating responsibility, the organizational structure should be designed in a
way that holds managers accountable for their supervisory responsibilities. This means
that heads of departments must be evaluated on the basis of the performance of their
departments, so that, if department employees are not doing their jobs, the department
head is held responsible. For instance, if the accounting department is not keeping
adequate records, the controller must be held responsible; and, if the treasurer in charge
of the finance department is not adequately protecting the company’s assets, he or she
must be evaluated on that basis.
§25 --Board of directors
The last element of the control environment is the effectiveness of the board of directors
and any board committees to which specific responsibility for compliance matters has
been delegated (e.g., the audit committee). Review and approval by the board of directors
is a necessary launching point for any compliance program, and members of the board of
directors need to be mindful of the significant liabilities to which they are exposed should
they fail to meet their obligations with respect to oversight of the company’s legal
compliance program. Counsel must carefully educate the members of the board of
directors about their responsibilities and assist them in establishing guidelines which they
can follow in the course of discharging their duties to the company. In the corporate
context, courts and commentators appear to be in agreement that directors can protect
themselves against liability, and enhance the quality of corporate governance, by
establishing a compliance program that ensures that the senior managers of the
corporation, and disinterested members of the board, regularly receive information
regarding the operations, business, and financial affairs of the corporation. Such a
program, if properly administered, is an effective means for directors to avoid potential
shareholder actions based on a claim that the directors breached their duty of care to the
company by failing to detect and prevent wrongdoing by its employees and agents.
12
For further discussion of centralization and organizational structure, see “Organizational Design: A
Library of Resources for Sustainable Entrepreneurs” prepared and distributed by the Sustainable
Entrepreneurship Project (www.seproject.org).
There are some statistics available on steps taken by directors of larger public companies
to formalize their approach to compliance at the board level. For example, the report of
the South Texas College of Law Corporate Compliance Center on its “2005 Best
Practices Survey” indicated that roughly 60% of the respondents provided compliance
training to their directors and that the two most popular topics for training were conflicts
of interest and SOX. It should be noted, however, that the respondents were primarily
public companies with more than 5,000 employees, more than $1 billion in annual
revenues and large in-house legal departments (i.e., more than 10 lawyers). Other topics,
albeit less popular, that might be included in the curriculum are board members’ state
corporate law duties; bribery of government officials; business gifts; industry-specific
regulations; and corporate policies and procedures, including codes of ethics and conduct.
In most cases, respondents indicated that training was conducted by in-house personnel;
however, some companies also invited outside trainers to attend board meetings for
training sessions. Board members also attended outside courses given by various
companies, including law and accounting firms.
§26 Institutionalization of ethical conduct requirements
The chances of any compliance program being effective are significantly enhanced when
senior management of the company establishes and promulgates a strong corporate
culture of ethical conduct. The tone should be set by the board of directors and
consistently reinforced by the CEO and other members of the executive team through
meetings with, and presentations to, all employees of the company. In larger companies,
this generally includes videotaped presentations to all new employees that include the
CEO discussing the key ethical principles that are to serve as guides for the actions of all
of the employees.
§27 --Designation of chief ethics officer
The company’s pursuit of ethical behavior should be institutionalized and recognized as
part of its organizational structure. More and more companies are deciding to appoint
ethics officers to oversee a wide range of regulatory and ethical matters and launch and
coordinate initiatives to ensure that the business objectives and culture of the company
are aligned with acknowledged and accepted ethical values and practices. Ethical issues
arise frequently in the modern business environment, and trained ethics officers can
develop and suggest solutions and make sure the company actually follows the policies,
guidelines and ethical standards it promotes. In particular, ethics officers can and should
be available on a daily basis to work with employees to assist them in making decisions
that are fair, lawful and ethical since it is unlikely that employees have even the most
basic education and training in the theory and practice of business ethics. More specific
reasons for creating an ethics officer position include providing assistance with meeting
regulatory compliance through development and implementation of ethics training
programs and ongoing measurement of results that can be reported back to top
management; improving the reputation and perception of the company with employees,
regulators and the general public; and creating and implementing an infrastructure for
reporting and managing ethical issues.
When creating the position of chief ethics officer, the company should prepare a
comprehensive job description in advance. The scope of the duties of the chief ethics
officer will depend on several factors including the business activities of the company;
the geographic reach of the company’s activities, including the countries in which the
company regularly deals with customers and other business partners; the specific laws
and regulations applicable to the business activities of the company; and whether or not
the company also has a chief compliance officer as part of its top management team. It is
important to note that companies have a variety of options when deciding how an ethics
officer would fit into their overall company. While not all ethical issues are legal issues,
there is certainly significant overlap, and many companies recognize this by creating a
combined legal compliance and ethics officer position. Another approach is to split the
jobs and put them both under the supervision of the general counsel of the company. Still
another option is for the chief legal officer (i.e., general counsel) to also be the chief
compliance officer and then create a separate ethics officer position within the general
counsel’s office. Finally, some companies rely on independent consultants to fulfill
many of the responsibilities of an ethics officer outlined below. In all cases, to be
recognized by regulators as a meaningful attempt at ensuring ethical and legal
compliance, the position must operate at a “substantial authority” level of management,
and the incumbent must have regular access to senior management and the audit or other
board committees exercising responsibility for ethical and compliance issues.
In any event, the chief ethics-oriented responsibilities of the position might include the
following:
• Responsibility and accountability for developing and directing the ethics and business
conduct function for the entire company;
• Providing leadership, oversight, and expert advice to ensure appropriate development,
interpretation, and implementation of the ethics policies and programs;
• Accountability for all program activities relating to standards of conduct, including
ethical relationships with employees, customers, contractors, suppliers, shareholders,
and other stakeholders;
• Accountability for the company-wide confidential reporting program (such as a “help
line”) allowing employees, customers, suppliers, and other stakeholders to report
violations of ethics-related policies and guidelines without fear of retaliation;
• Establishing and administering a long-term strategy for improving the ethical profile
of the company through training programs and regular communications around
ethical and business conduct issues;
• Integrating new acquisitions into the ethics practices of the company;
• Coordinating investigations into alleged violations of the company’s ethics policies
and making recommendations for resolution of ethics-related problems and
misconduct;
• Developing systems and methods for measuring and quantifying the efficacy of the
company’s ethics-related programs and policies; and
• Making regular reports to senior management and the audit and other committees of
the board of directors regarding the company’s ethics program and policies.
Since the ethics officer position is relatively new, there is no standard set of educational
and experience requirements that can be applied in all circumstances. In fact, since one
of the most important roles of the ethics officer is to serve as the “conscience of the
company,” the choice often comes down to factors and impressions that are difficult to
objectively measure. Ethics officers are drawn from a wide array of disciplines,
including legal, human resources, finance, auditing, security, or line operations; however,
the top candidates generally are strong communicators, objective and thoughtful,
politically savvy and able to establish and maintain trust and credibility throughout the
company, able to assimilate and analyze information quickly, have common sense, and
have a record that demonstrates the highest level of personal and professional integrity.
The ethics officer must also have strong management skills, particularly when the officer
is given personnel and budgetary resources to launch and maintain the ethics program,
and have experience with developing and implementing training programs. Finally, the
ethics officer must have a thorough working knowledge of the business strategies of the
company, specific risk factors to which the company may be subject, and the laws and
regulations directly applicable to the business activities of the company.
Given the very specific duties and responsibilities of an ethics officer, it is strongly
recommended that persons occupying that position be subject to a formal written
employment agreement that specifically references all or most of the responsibilities
listed above. The agreement should clearly describe the authority of the ethics officer
and the reporting channels that apply to the position. For example, if the ethics officer
position is placed within the office of the general counsel, the agreement should indicate
that the officer will report to the general counsel. If the ethics officer is given budgetary
responsibility, the agreement should provide guidance as to how the officer should
prepare a proposed budget, obtain approval for the budget and administer the budget over
the course of the fiscal year. In some cases, the agreement will go beyond a general
description of responsibilities to incorporate specific targets for a given quarter or year,
such as promulgating a code of ethics for the company, completing a minimum number
of training programs, establishing a hotline procedure and launching compliance
programs in specified areas.
§28 --Establishment of office of ethics and business conduct
Some larger companies have established a separate Office of Ethics and Business Conduct
which is overseen by the chief ethics officer or a Vice President of Ethics and Business
Conduct who reports directly to the CEO and/or chairman of the board and to the audit
committee of the board of directors. The duties of this office include reporting on matters
of ethics and compliance. Another approach taken by larger companies has been the
creation of strategy-making groups for ethics and compliance matters. For example, the
firm may create an Ethics and Business Conduct Steering Committee that will meet on a
regular basis, perhaps quarterly, to consider and review the company’s compliance and
educational programs and monitor feedback from help lines and employee surveys. The
Committee would also review new regulations and information on best practices
throughout the industry. Membership should include the CEO, the chief operating and
financial officers, the general counsel and the vice presidents responsible for ethics and
business conduct, human resources and internal audits. Rotating members of the group
might include the heads of various business divisions so that they have an opportunity to
observe and learn the processes of ethics planning regularly taking place among the
members of the senior management team.
§29 --Business unit procedures for ethical conduct
As the company grows and additional business units are created, each major business unit
should consider establishing its own steering committee with responsibility for planning
and reviewing the ethics and business conduct activities within the specific unit. The
composition of the unit committee should parallel that of the senior management group
described above and should include all key managers of the unit, as well as the unit
officer primarily responsible for its ethics program. Each major business unit should also
have its own set of ethics directors and its own ethics officer. These directors and
officers would have responsibility for the coordination and oversight of ethics programs
in their particular unit and would also be involved in evaluating ethics issues and
establishing and enforcing ethics policies and practices. Unit-specific ethics officers also
have responsibility for conducting investigations into any allegations of misconduct and
for coordinating any resulting disciplinary action or any necessary corrections to existing
policies and procedures. Companies generally should make a concerted effort to
publicize the existence of, and complete contact information for, their ethics officers.
Each business unit should be required to prepare and submit to the board of directors and
the senior ethics officer for the company, on a regular basis, a compliance training
plan that is tailored to the specific activities of the unit. The plan should include a
description of the type of training and the manner in which it will be delivered, the
persons who will receive the different types of training and the procedures that will be
used to track and report completion of each of the training activities. Training can be
delivered in a number of creative ways, such as web-based interactive multimedia and
CD-ROMs, PDAs, videos, classroom training, meetings and written materials.
Working with Government Officials: Ethical and Legal Considerations
While conducting business activities in an ethical manner is presumably a fundamental principle in
building a reputable, successful and sustainable company there are also legitimate legal reasons for
including ethics in a company’s overall governance and compliance framework. US companies are subject
to a wide range of federal, state and local laws and regulations that are ethics-based and typically focus on
identifying and controlling activities and relationships involving government officials that are likely to
afford the company and/or its employees or agents an unfair advantage. Areas that raise the greatest
concerns, and which are likely to come up frequently in ordinary day-to-day business activities, include the
following:
• Anti-bribery laws prohibit the exchange of something for value with government officials as an
incentive for the official to take (or refrain from taking) an action within the official scope of authority.
• Providing government officials with gifts, gratuities, entertainment, meals, travel etc. may be construed
as an attempt to influence the official and thus are often prohibited, restricted and/or subject to
disclosure.
• Providing support to political campaigns in the form of cash contributions or otherwise is often
prohibited, restricted and/or subject to disclosure.
• Lobbying and business development activities directed at government officials are generally accepted
and allowed; however, such activities are often limited or restricted and/or subject to disclosure.
• When company employees and agents forge personal, professional and/or business relationships with
government officials or employees, they run the risk of violating laws pertaining to conflicts of interest.
• Recruiting and hiring government officials who have previously been involved in the company’s
business activities with the government or who will be representing the company in future dealings
with government units for which they were previously employed must be handled carefully.
• Companies interested in obtaining work under government contracts must understand and follow
public procurement laws that define how bids are solicited and how contracts are awarded and
administered.
The wide range of potential problem areas makes it challenging for companies to develop governance and
compliance programs and administer them efficiently. Certainly personnel involved in business
development and sales activities that include contact with government officials must be carefully trained
and monitored; however, many other people, from senior management to lower-level employees, may
unknowingly and innocently run afoul of laws pertaining to gifts and entertainment, conflicts of interest
and required disclosures of political contributions. In addition, human resources personnel must be alerted
to potential issues associated with hiring former government officials, a task that is complicated by the fact
that senior management often takes the initiative in broaching the idea with the official before consulting
with the human resources department.
Interesting and valuable information on “best practices” with respect to anti-corruption policies and
measures came from a compendium compiled in 2009 by the United Nations Office on Drugs and Crime and
PricewaterhouseCoopers that surveyed what companies in the Fortune 500 Global Index (2008) were doing
with respect to fighting the influence of corruption in their businesses. As a general matter, the report,
titled “Anti-corruption policies and measures of the Fortune Global 500”, admonished companies to set a
minimum standard that complied with those set out in the United Nations Convention against Corruption.
Specific findings from a thorough survey of the policies and procedures of the various companies included
the following:
• While most of the companies expressed a “zero-tolerance” policy with respect to corruption, many
failed to explicitly reference applicable laws and international treaties, provide assurances to managers
that they will not suffer criticism or any other consequences for losing business due to their refusal to
engage in corrupt practices and/or explicitly state the consequences that unethical and corrupt
behaviors could have for the enterprise, its employees, customers and investors.
• Communication of compliance policies to new employees and establishment of resource centers and
training programs was common among the surveyed companies; however, companies varied with
respect to the frequency and scope of training initiatives and whether or not participation by employees
was mandatory.
• Almost all of the surveyed companies addressed gifts and entertainment in their policies and provided
employees with guidelines to consider when determining if an offered gift was unlawful or otherwise
inappropriate. In general, however, there was a lot of variation in the concrete rules in this area. In some
cases, companies established a maximum threshold value and were more permissive with respect to
gifts that did not exceed “social customs” or “socially expected” limits.
• Reporting on internal wrongdoings witnessed in the performance of corporate duties (i.e.,
“whistleblowing”) was commonly covered in the policies of the surveyed companies and almost all of
the companies maintained strong sanctions against retaliatory actions against whistleblowers.
• While “facilitation payments”, which are payments made with the purpose of expediting or facilitating
the performance by a public official for a routine action, are prohibited under the United Nations
Convention against Corruption, policies of the surveyed companies pragmatically recognized that such
payments were still a common means of conducting business in many countries. While some
companies did not allow such payments, others “discouraged” them and required advance notice to
senior management for approval. Companies also recognized exceptions such as situations where the
health or safety of an employee or his/her family is at stake. Some companies discourage facilitation
payments, but do not explicitly forbid them. In most cases, facilitation payments have to be reported as
such to the management.
• At the time of survey, in 2008, guidelines regarding corruption in the supply chain were relatively rare;
however, since that time “best practices” in this area have evolved to include dealings with suppliers
and many companies now explicitly require suppliers to sign on to codes of conduct.
• Relatively few of the surveyed companies mentioned external audits in their compliance policies and
procedures. In the same vein, policies generally did not include prohibitions on attempts to improperly
influence the conduct of external audits.
• Some of the surveyed companies established rules relating to political activities of their employees, and
the most common approach among those companies was to prohibit their employees from paying,
promising, offering, or authorizing a payment of money or anything of value to a government official
or political party for the purpose of obtaining or retaining business or securing an improper advantage.
Managers and employees were typically not restricted from making contributions to political parties as
long as the contributions were allowed by applicable law and were vetted by the company for
appropriateness and recorded.
• Some of the surveyed companies had committed themselves to involvement in collective action against
corruption and had formed and/or joined anti-corruption organizations and established and maintained
regular contact with relevant international organizations or initiatives.
Companies typically address bribery and corruption extensively in their policies and procedures relating to
business activities in foreign countries in order to minimize the risk of potential liabilities under the US
Foreign Corrupt Practices Act and a wide range of anti-bribery laws that have been adopted outside of the
US. However, domestic bribery and corruption should also be covered in a company’s governance and
compliance program. One approach is for the board of directors to adopt a short-form general statement of
zero-tolerance policy regarding acts of bribery and corruption. A general statement such as this should
identify key risk areas, such as overseas collaborations, gifts and donations and public procurement, and
should lay out specific steps that will be taken including implementation of an anti-bribery and corruption
policy. Other companies opt for a comprehensive form of anti-bribery and corruption policy which covers
important issues such as the scope of policy coverage; how to obtain guidance on questions pertaining to
the policy; what acts constitute “bribery” and thus will be subject to the policy; training; whistleblowing;
audits; records and record keeping; and policies and procedures for specific areas such as gifts, hospitality
and expenses, facilitation payments, agents, distributors, suppliers and joint venture partners, dealing with
public officials, and political donations. Best practices call for providing readers with tools that they can
use in real time to answer fundamental questions such as “what is bribery” and what type of due diligence
should be conducted in assessing whether a prospective relationship with a third party raises unreasonable
corruption risks. Policies should be reviewed and updated on a regular basis and should be
administered by a senior management official who is given adequate resources to develop and maintain an
effective compliance program. Risk assessments should be conducted on a regular basis to measure the
effectiveness of the policy and related procedures. Other steps that should be taken include preparation
of standard clauses relating to bribery and corruption issues for inclusion in key contractual documentation.
Sources: United Nations Office on Drugs and Crime, http://www.unodc.org/unodc/en/corruption/anti-corruption-policies-and-measures-of-the-fortune-global-500.html
§30 Assessment of ethics-related programs
The quality and effectiveness of the company’s ethics-related programs should be
constantly monitored through regular reviews, including an evaluation of the company’s
progress with respect to its training and advisory processes. Employees should also be
asked to provide, on a voluntary and confidential basis, their own assessment of the
ethical environment in the company. In many cases, employees can provide valuable
suggestions that can improve delivery of the message and the standard of conduct within
the company.
§31 Compliance programs for private companies
While many CEOs believe that compliance programs are just for public companies, there
is growing recognition that private companies, including family-owned businesses,
should implement new policies and procedures to create a compliance environment and
encourage managers and employees to take steps to ensure that the company meets its
obligations under applicable laws and regulations. For example, while SOX applies only
to public companies, many private companies have taken the following steps to adhere to
the spirit of the legislation and prepare for the day when either they will become public
companies or the regulations will be expanded to apply to them:
• Establishment of an independent audit committee and an internal audit function;
• Adoption of a formal code of ethics and formal internal controls and procedures;
• Recruitment and election of one or more independent members for the board of
directors, including persons qualified as “financial experts,” and implementation of
formal training programs on compliance issues for directors;
• Prohibitions on procurement of non-accounting services from the company’s
independent auditors and requirement of formal board approval of all non-audit
services;
• Adoption of formal policies relating to conflicts of interest;
• Regular review of benefit plans and management and director loan policies;
• Reviewing and changing current accounting practices;
• Preparation of a “Management’s Discussion and Analysis” section in the company’s
financial statements;
• Adoption of formal “whistleblower” procedures and reporting systems; and
• Certification of financial statements by chief executive and financial officers.
Even the implementation of these procedures creates substantial costs for private
companies. Among the expenses and other resource issues that might arise while
attempting to implement corporate reforms are higher costs of directors’ and officers’
liability insurance; higher fees payable to independent auditors; increased costs relating
to expansion of the company’s internal audit function; substantial increase in the amount of
time that management is diverted from business to tend to compliance issues; and
increased turnover among senior managers, particularly in the finance area, due to added
stress of dealing with compliance problems.
Private company adoption of elements of SOX is by no means a universal phenomenon;
however, various surveys of private companies indicate that a majority of mid- to large-
sized private corporations have already implemented SOX-based or other corporate
governance reforms in the last few years. The scope of the changes by any single
company depends on various factors, including budgetary constraints, requirements of
outside auditors and insurance carriers and the likelihood that compliance procedures will
be mandated in the future under federal or state laws. Many companies view compliance
programs as an essential part of a larger strategy of identifying and managing business
and financial risks. In addition, many private companies are required by their business
partners to adopt certain compliance procedures as a condition for conducting business
with those partners. Finally, as private companies increase the amount of business they
do in foreign countries they have little choice but to establish compliance programs that
reduce the risk of liability under import/export laws and other laws and regulations
relating to relationships with foreign businesses and governmental officials.
____________________
About the Author
This Work was written by Alan S. Gutterman, whose prolific output of practical guidance and tools for
legal and financial professionals, managers, entrepreneurs and investors has made him one of the best-
selling individual authors in the global legal publishing marketplace. His cornerstone work, Business
Transactions Solution, is an online-only product available and featured on Thomson Reuters’ Westlaw, the
world’s largest legal content platform, which includes almost 200 book-length modules covering the entire
lifecycle of a business. Alan has also authored or edited over 100 books on sustainable entrepreneurship,
leadership and management, business law and transactions, international law and business and technology
management for a number of publishers including Thomson Reuters, Practical Law, Kluwer, Aspatore,
Oxford, Quorum, ABA Press, Aspen, Sweet & Maxwell, Euromoney, Business Expert Press, Harvard
Business Publishing, CCH and BNA. Alan has extensive experience as a partner and senior counsel with
internationally recognized law firms counseling small and large business enterprises in the areas of general
corporate and securities matters, venture capital, mergers and acquisitions, international law and
transactions, strategic business alliances, technology transfers and intellectual property, and has also held
senior management positions with several technology-based businesses including service as the chief legal
officer of a leading international distributor of IT products headquartered in Silicon Valley and as the chief
operating officer of an emerging broadband media company. He has been an adjunct faculty member at
several colleges and universities, including Berkeley Law, Golden Gate University, Hastings College of
Law, Santa Clara University and the University of San Francisco, teaching classes on corporate finance,
venture capital, corporate governance, Japanese business law and law and economic development. He has
also launched and oversees projects relating to promoting the civil and human rights of older persons and a
human rights-based approach to entrepreneurship. He received his A.B., M.B.A., and J.D. from the
University of California at Berkeley, a D.B.A. from Golden Gate University, and a Ph. D. from the
University of Cambridge. For more information about Alan and his activities, please contact him directly
at alangutterman@gmail.com, follow him on LinkedIn, subscribe to his newsletters (Older Persons’ Rights
Project and Entrepreneurship | Human Rights) and visit his personal website. Many of Alan’s research
papers and other publications are also available through SSRN and Google Scholar.
Copyright Matters, Permitted Uses, Disclaimers and Suggested Citation
Copyright © 2023 by Alan S. Gutterman. All the rights of a copyright owner in this Work are reserved and
retained by Alan S. Gutterman; however, the copyright owner grants the public the non-exclusive right to
copy, distribute, or display the Work under a Creative Commons Attribution-NonCommercial-ShareAlike
(CC BY-NC-SA) 4.0 License. The author, Alan S. Gutterman, declares that there is no conflict of interest,
and no financial support was received for the research, authorship and/or publication of this Work.
061323