I thought it would be interesting to hear it from the horse’s mouth once more. Speaking before the Society of Corporate Compliance and Ethics’ 12th Annual Compliance & Ethics Institute, Stephen L. Cohen, the SEC’s Associate Director of Enforcement, laid out what makes a good compliance program.
Among the hallmarks of a “robust” compliance program, Cohen listed the following in his remarks:
Governance: A strong compliance program begins with the “tone at the top.” This means that the board of directors and senior management must provide the Chief Compliance Officer (CCO) with the necessary resources, independence, standing and authority to be effective.
Culture and values: Firm leaders must promote integrity and ethical values in decision-making across the organization. According to Cohen, this means asking not just “can we do this,” but “should we do this?”
Incentives and rewards: A company should put in place a performance management system and compensation that ensure that the right behavior is encouraged and rewarded.
Escalation, investigation and discipline: Employees must be able to raise concerns confidentially and anonymously, without fear of retaliation. Matters must be effectively investigated and resolved fairly and consistently.
Continual self-evaluation and improvement: Compliance programs do not exist in a vacuum. Firms must continually reassess business models, rules, ethical standards and compliance tools in light of new legal standards and emerging risks.
“Risk-taking in the area of legal and ethical obligations invariably leads to bad outcomes. Any company or person prepared to come close to the line when it comes to legal and ethical standards is already on dangerous ground,” he noted.
In my experience it’s the last point where many firms are lacking. Compliance programs should be living and breathing organisms that need to adapt to the ever-changing environment. One is never ever really “done” with them.