Establishing an Effective Compliance Program: An Overview to Protecting Your Organization

by Holland & Knight LLP


Establishing an effective Compliance and Ethics Program ("Program") has become a necessity to protect any highly regulated organization. At its core, an effective Program protects an organization by detecting and preventing improper conduct and promoting adherence to the organization's legal and ethical obligations. In 1991, the U.S. Sentencing Commission established the most recognized standards for an effective Program within its Sentencing Guidelines Manual ("Guidelines"). These Guidelines are closely aligned with the principles set forth in compliance guidance that various agencies have developed over time. These include guidance related to investment companies, companies interacting with foreign officials, hospitals, nursing homes, pharmaceutical companies, and government contractors to name a few. These Guidelines and this guidance have been used by organizations to design and implement their Programs. While there is no "one-size-fits-all" Program for every organization, there are several core components that must exist to have an effective Program. These components are set forth below.

Standards and Procedures

An organization must have standards of conduct and internal controls reasonably capable of reducing the likelihood of criminal and other improper conduct (Guidelines, § 8B2.1(b)(1)). The foundation of these controls should be a code of conduct. The code should contain an overall description of the program and address in a practical manner the compliance risks that are relevant to the organization. It should identify clearly those who are responsible for administering the program, the role of the governing authority, and provide general guidance on the business behavior expected of all employees. The code should also identify clear channels for reporting misconduct or violations of the code, and make clear that disciplinary action will be taken if an employee violates the code.

In addition to the code, an organization needs to have more specific policies and procedures to provide detailed guidance on the approach the organization wants employees to follow, or avoid, in its business relationships. These more detailed policies and procedures should address legal and regulatory risks relevant to the organization's business. These can be policies that address areas such as conflicts of interest, political contributions, agent and vendor due diligence, internal accounting practices, anti-corruption expectations, record retention, government-funded projects, export controls, and customs issues. Depending on the industry, there are several guidance manuals, such as those identified above, that attempt to explain the types of areas that should be addressed.

Organizational Leadership and Culture

The organization's governing authority, which usually refers to the Board of Directors (or the equivalent body if the organization does not have a Board of Directors), should be knowledgeable about the content and operation of the Program and exercise reasonable oversight over its implementation and effectiveness. Specific individuals among high-level management should be assigned overall responsibility for the Program. One or more individuals should be assigned responsibility for the "day-to-day" operations of the Program. Those individuals should have direct access to the governing authority and report to it periodically. This direct access is necessary to ensure that compliance information is channeled to those with the ultimate accountability for the organization. Those responsible for running the Program should have adequate resources to operate it effectively. What is deemed adequate will vary depending on the size and operations of the organization.

It is further expected that corporate leadership strive to foster a culture that promotes compliance with the law. This "culture of compliance" can be achieved through publicly rewarding compliant behavior and making clear that the reporting of non-compliant behavior benefits the organization and will not be met with retaliation.

Reasonable Efforts to Exclude Bad Actors From Managerial Ranks

An organization should take reasonable steps to ensure that individuals with substantial authority have not engaged in illegal activities or conducted themselves in a manner inconsistent with the Program. This usually requires that the organization employ screening procedures to check a person's background and criminal history. This would include background checks and following up with prior employers or references in connection with hiring and promoting. In addition, there may be more industry-specific checks required depending on the organization's operations. For example, an organization that receives federal contracts and certain types of federal assistance and benefits should consider steps to determine whether its employees are listed on the government's Excluded Parties List System (EPLS). The EPLS identifies those tagged with administrative and statutory exclusions across the entire government, as well as individuals barred from entering the United States. Similarly, an organization that receives revenue or payments from federal healthcare programs, like Medicare and Medicaid, should consider steps to ensure that employees are not listed on the OIG Excluded Parties List. This list is maintained and published by the OIG and lists all persons and entities who have been "excluded" from participation or involvement in federal health care programs.

Training and Education

An organization should ensure that the Program's code of conduct, policies and procedures are widely promulgated and that employees are trained on the Program's objectives and relevant policies (Guidelines, § 8B2.1(b)(4)). Proper training should be required for all employees, including the governing authority, the organizational leadership, the organization's employees, and, as appropriate, the organization's agents. Proper training typically includes training on the code of conduct and the basic components of the compliance and ethics program. Depending on the size of the organization, additional specialized training should also take place for the various policies and procedures applicable to specific employees who need them to properly perform their jobs. It is recommended that training be tracked, attested to, documented, and followed up.

Monitoring, Auditing and Evaluation of Program Effectiveness

An organization's Program should include monitoring and auditing systems that are designed to detect criminal and other improper conduct (Guidelines, § 8B2.1(b)(5)). This is an essential component of the Program, as it allows the organization to evaluate whether the Program is effective and is being followed. In general, the audit should assess compliance with the code of conduct as well as the policies and procedures adopted to promote adherence with laws and regulations. Whether the audit is conducted internally by someone within the organization or by an outside entity, it should be done by individuals who are independent from the area being audited. In addition to evaluating the company's compliance with legal requirements, in order to evaluate effectiveness, the audit should gain an understanding of the organization's ethical climate by asking employees whether they are comfortable reporting potential violations of the organization's policies or the law, how they view the organization's commitment to compliance, and whether there are risks that the Program is not addressing.

Effective lines of communication with employees regarding compliance concerns, questions, or complaints are critical. Employees must be comfortable speaking with a compliance officer or management regarding compliance concerns that may arise. Utilizing a reporting system, such as a hotline or helpline, is important to provide a means for employees and agents to report or to seek guidance about potential or actual improper conduct. The Guidelines and several compliance guidance documents also recommend that the reporting system incorporate a non-retaliation policy and that an organization allow for anonymous or confidential reporting. The non-retaliation policy should be clearly documented, communicated to employees, included in training, and strictly enforced. Few things will chill a compliance reporting process more than employees perceiving that they will be punished in some way for reporting problems or asking for guidance.

Performance Incentives & Disciplinary Measures

An organization should promote and consistently enforce the Program through incentives and disciplinary actions. This should be done throughout all levels of the organization (Guidelines, § 8B2.1(b)(6)). What is an appropriate incentive or disciplinary action will be "case specific." Appropriate incentives could include rewarding employees who raise material concerns and even rewarding helpful recommendations for improving the implementation of the Program. Appropriate disciplinary actions could range from a reprimand with additional training, to a demotion, to termination. Ultimately, in order to be effective, the incentive or disciplinary action should be proportional to the conduct.

Appropriate Remedial Action

If improper conduct has been detected, it is imperative that an organization take reasonable steps both to address it and to prevent further similar misconduct (Guidelines, § 8B2.1(b)(7)). The failure to prevent or detect improper conduct in and of itself does not mean that a Program is ineffective. However, the Guidelines make clear that a "recurrence of similar misconduct creates doubt regarding whether the organization took reasonable steps to" achieve an effective Program (Guidelines, § 8B2.1 Commentary App. Note 2(D)). Thus, it is important for appropriate remedial measures to be taken. Such measures may include anything from disciplinary measures aimed at the person responsible for the improper conduct to modifying the compliance Program that is currently in place.

Risk Assessment

An organization should periodically assess the risk of improper conduct within its operations and take appropriate steps to design, implement or modify each element of the program to reduce the risk of improper or unethical behavior (Guidelines, § 8B2.1(c)). This assessment usually entails evaluating factors such as audit results, recent litigation or settlements, compliance complaints, employee claims, industry enforcement trends, and the existence and sufficiency of policies covering an area. Organizations are now implementing formal risk assessment processes, whereas before they were frequently done more informally. The organization should map the results of a risk assessment on a "matrix" to show the level of risk for each area examined, the likelihood of a violation and the likely damage to the organization from a violation. These "risk matrices" should then be used to help prioritize program activities for the coming year. An organization should conduct a risk assessment at least once a year.


The importance and complexity of compliance programs have skyrocketed in recent years. A compliance program has become a key element for employees, investors, regulators, and everyone interested in running, protecting, and evaluating an organization. Although some of the best guidance comes from the federal sentencing guidelines, by the time a problem gets to the sentencing stage, it is far too late to implement a compliance program. These eight components provide the essential foundation to begin today to protect any highly regulated organization. These components help to establish an effective compliance and ethics program by detecting and preventing improper conduct and promoting adherence to the organization's legal and ethical obligations. The time to start is now.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Holland & Knight LLP | Attorney Advertising
