Companies of all sizes and in every industry need effective corporate compliance programs. An effective compliance program mitigates risk in two ways: it reduces the likelihood of mistakes that can lead to litigation, and it establishes a strong line of defense in the event of a state or federal investigation. While corporate entities have general compliance obligations, many companies have industry-specific compliance obligations as well, and maintaining comprehensive compliance is essential for overall corporate risk management.
“In today’s world, all corporate entities need to prioritize compliance. Companies need to promote compliance within their ranks, and they need to maintain comprehensive and well-documented compliance programs so that they can affirmatively demonstrate compliance when necessary.” – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C.
So, what does it take for companies to effectively mitigate their risk? Here is an overview of 12 key aspects of a successful corporate compliance program:
1. Compliance Needs Assessment
The first step toward building an effective corporate compliance program is determining what compliance measures are necessary. Companies cannot expect to adopt “off-the-shelf” programs, but instead must build tailored programs that reflect their specific risks and needs. Companies should also structure their program to work with their existing documentation and operational structure, and to facilitate necessary updates and modifications over time.
With this in mind, prior to embarking on developing a compliance program, corporate entities first need to conduct a compliance needs assessment. Again recognizing that companies’ needs will vary, some of the primary areas to be assessed include:
- Advertising and marketing
- Consumer finance
- Data security
- Federal compliance (e.g., FCPA, FDCA, FERC, and USDA)
- Government contracts
- Government programs
- Industry-specific compliance (e.g., healthcare or transportation)
2. Policies and Procedures
With a clear understanding of the company’s compliance risks and needs, the next step is to develop the company’s compliance policies and procedures. These should be comprehensive, custom-tailored documents that address all pertinent areas identified during the company’s compliance needs assessment.
The scope of a corporate entity’s compliance needs – and thus the scope of its policies and procedures – will be determined based on a variety of different factors. Taking data security as an example, the Federal Trade Commission (FTC) recognizes that company size and capital are pertinent factors; but, ultimately, companies must adopt policies and procedures that they believe are sufficient to prevent (and appropriately respond to) malicious attacks based on the types and volume of data they store.
3. Compliance Officer
The appointment of a compliance officer not only establishes a source of leadership and oversight for the company’s compliance efforts, but it also satisfies legal and regulatory requirements in many cases. Various federal authorities either require or recommend that companies appoint compliance officers—whether these individuals serve in a dedicated role or split time between compliance oversight and other job duties.
4. Training and Education
With policies and procedures in place, and with a compliance officer at the helm, the next major step in implementing a successful corporate compliance program is to provide training and education to the company’s workforce. Corporate entities should tailor their training and education programs to individual employees’ respective roles in helping the company maintain compliance, and they should implement measures to document all employees’ successful completion of required training programs.
In addition to initial training and education, ongoing training is a key aspect of maintaining compliance as well. As a result, companies should adopt periodic compliance training schedules, and they should ensure that managers and supervisors set aside time for employees to complete all required trainings.
5. Implementation
Training and education are necessary aspects of implementation, but they are not sufficient on their own. Implementation of a corporate compliance program can involve numerous other measures as well—from posting notices and disseminating compliance materials to modifying operations and amending contracts with vendors.
Even the most comprehensive set of compliance policies and procedures will be ineffective if it just sits in a drawer. Once policies and procedures have been developed, the company’s compliance officer should then be tasked with taking the steps necessary to implement the policies and procedures on a company-wide scale.
6. Documentation of Compliance
Beyond developing compliance policies and procedures, corporate entities also need to have protocols in place to ensure the generation and storage of documentation of compliance on an ongoing basis. In addition to training certifications as referenced above, this can include documentation such as:
- Corporate minutes and resolutions
- Vendor contract audits
- Internal audit reports
- Inspection reports
- Memos regarding evaluation of potential compliance obligations
- Documentation of the company’s response to potential compliance violations
The purpose of maintaining this documentation is to be able to fully demonstrate compliance if asked to do so by state or federal regulatory authorities. However, as discussed in greater detail below, when demonstrating compliance during an external investigation, corporate entities must be cautious to ensure that they only provide such documentation as is strictly necessary to favorably resolve the inquiry.
7. Culture of Compliance
Throughout the implementation and documentation processes, corporate entities should consider ways to instill a culture of compliance. Employees who understand the importance of compliance and who are incentivized to assist in the company’s compliance efforts are significantly less likely to make mistakes that lead to external scrutiny. This can mean different things for different companies, and, as with all aspects of company culture, companies need to implement programs and practices that reflect the unique aspects of their workforces.
Developing a culture of compliance is not something that will happen overnight—especially if compliance has not been a publicized priority in the past. But, it is important, and there are various methods that companies can use to foster an appreciation for compliance among employees at all levels of their organizations.
8. Internal Reporting
One critical aspect of a culture of compliance is the ability for employees to report suspected compliance issues without fear of retribution. Employees should have the option to report their concerns anonymously, although some companies may find benefit in offering incentives to employees who come forward as well.
Companies should adopt and publicize specific channels for employees to report their compliance concerns; and, as discussed above, they should have protocols for thoroughly documenting the company’s response. All reported compliance concerns should be taken seriously, although what this means within the context of any particular set of circumstances may vary. Ultimately, the goal of internal reporting is to identify issues and remedy them as efficiently as possible, so companies should work on developing practical solutions that meet their specific needs and requirements.
9. Internal Auditing
Corporate entities cannot rely solely on their employees to report potential compliance concerns. They must also audit their compliance programs, and they must adopt internal auditing protocols that are sufficient to fully assess the adequacy of the company’s compliance efforts. Generally speaking, internal audits should be overseen by the company’s compliance officer, who should work with the company’s compliance counsel to ensure that both (i) the scope of the company’s internal audits is adequate, and (ii) any issues uncovered during audits can be identified and addressed appropriately.
At a minimum, corporate entities should conduct internal compliance audits on an annual basis. However, more frequent audits may be necessary, and it may be necessary to conduct ad hoc audits in certain circumstances as well. For example, if an employee reports an issue or the company pursues a new line of business, that event may trigger the need for a targeted assessment of the company’s compliance program.
10. Internal Enforcement
In addition to remedying any compliance deficiencies (which may involve revisiting the company’s compliance program as opposed to merely fixing a discrete compliance failure), corporate entities must also enforce employees’ duties of compliance. Companies should adopt documented enforcement policies, and they should consistently apply these policies when issues arise.
11. Monitoring for Necessary Updates
Just as corporate entities must audit their compliance programs on an ongoing basis, they must also continuously monitor for any necessary updates. Program updates can be necessitated by two main triggers: (i) changes in the company’s operations, and (ii) changes in the legal or regulatory landscape. In order to ensure that they remain compliant as their needs change, companies should rely on their compliance counsel to determine when program updates are necessary.
12. Investigation Preparedness
Finally, as mentioned above, one of the primary functions of a corporate compliance program is to provide a strong line of defense in the event of a state or federal law enforcement investigation. Maintaining comprehensive compliance documentation can be essential for resolving these investigations efficiently and without unnecessary risk exposure.
In addition to maintaining documentation of compliance, corporate entities should also have established protocols for responding to state and federal inquiries. There should be a clear chain of command and actionable steps for promptly implementing a legal hold, and the company’s compliance officer should promptly engage the company’s compliance counsel to intervene in the investigation, interface with the investigating agents, and execute the company’s defense.