Compliance and Ethics Program Best Practices:
Assessing Your Program and Moving It Up the Maturity Curve
by James Meacham, CCEP, CRISC and the SAI Global Advisory Services Team
2 Compliance and Ethics Program Best Practices: Assessing Your Program and Moving It Up the Maturity Curve
www.saiglobal.com/compliance
Foreword
by Paula Davis, SAI Global
The complexity of global legislation is a perennial issue
for our customers. In a fast-evolving and increasingly
international market-place, ensuring that a business meets
the overlapping demands of legislation, regulation and
industry standards is probably one of the most significant
challenges to overcome - and it can be time-consuming or
expensive (or quite probably both!) to make sense of the noise and translate it into a
pragmatic and effective compliance program.
This whitepaper outlines a framework for compliance program assessment, which
references the globally-recognised US Federal Sentencing Guidelines using its key
elements as the blueprint for an effective compliance program. Whilst the paper makes
reference to the USSG throughout, it’s worth pointing out that the framework it describes
and the recommendations it makes are equally applicable to other global guidelines and
industry best practice. Take for example the UK Ministry of Justice anti-bribery guidelines,
the UK Office of Fair Trading competition law guidance and similar guidance issued by
the French and EU competition authorities. Although they may not use the same form of
words, the same key themes emerge time and again, as the concept of ‘proportionality’
comes centre stage.
In our experience, these ‘variations on a compliance theme’ can be distilled into 5 key
underlying principles, which form the backbone of guidelines issued by enforcement
agencies around the world:
1. risk identification
2. appropriate policies, procedures and controls
3. effective training and communication
4. monitoring, audit and response
5. continual evaluation and improvement
(The diagram on page 3 illustrates this point)
So, although at first glance this whitepaper is based on the USSG, the need for and
benefits of compliance program assessments are universal and the good guidance
recommendations contained in this document will serve as an effective compliance risk
management framework no matter the size or scale of your business or the industry-
specific risks to which you are exposed.
Paula Davis
Director, Compliance Program Operations EMEA
SAI Global
Elements of an Effective Compliance Program (diagram)
The diagram sets the elements required by five sets of guidance side by side against the five underlying principles: Risk Identification / Risk Assessment; Policies, Procedures and Controls; Training and Communication; Monitoring, Auditing and Response; Evaluate and Improve.

USSG 7 Elements
• Standards and procedures to prevent and detect criminal conduct
• Leaders understand/oversee the compliance programme
• Deny leadership roles to people who have engaged in misconduct
• Communicate standards and procedures of compliance and conduct effective training
• Monitor and audit, maintain reporting mechanism
• Provide incentives and discipline violations
• Respond quickly to allegations and modify programme
Note: General provision requires periodic risk assessment

OECD 13 Good Practices
• Risk assessment for effective internal controls and compliance programme
• Policy that is clear and visibly states that bribery is prohibited
• Training – periodic, documented
• Responsibility – individuals at all levels should be responsible for monitoring
• Strong, explicit and visible support from senior managers
• Oversight by senior corporate officers with sufficient authority and resource
• Programmes to address specific risk areas
• Business partners due diligence
• Accounting – effective internal controls for accurate books and records
• Guidance – provision of advice to ensure compliance
• Reporting violations confidentially with no retaliation
• Discipline for violations of policy
• Regular re-assessment and revisions

UK OFT
• Top Level Commitment
• Risk Identification
• Risk Assessment
• Risk Mitigation
• Review

French Competition Authority
• Public commitment to compliance
• In-house contacts and experts
• Information, training and awareness-raising
• Audits and alert systems
• A monitoring system

DOJ Antitrust
• Commitment from senior management
• Code of conduct and compliance policies and procedures
• Oversight, autonomy and resources
• Risk assessment
• Training and continuing advice
• Incentives and disciplinary measures
• Third party due diligence
• Confidential reporting and internal investigation
• Continuous improvement: periodic testing and review
Introduction
Over the past several years, the compliance and ethics landscape has witnessed
several developments with major implications for all companies. From the vigorous
enforcement initiatives in the US, to the issuance by the Organization for Economic
Cooperation and Development (OECD) of Good Practice Guidance on Internal Controls,
Ethics and Compliance (Guidance), to various legislative and administrative initiatives
including heightened anti-bribery laws in the United Kingdom and Brazil and additional
interpretations relating to bribery cases issued in China, the impetus for companies to
develop and maintain effective compliance and ethics programs has only increased.
Additionally, more than half of the ten largest corporate fines in US history were imposed
or accepted in recent years. In the US, in 2012 alone, over USD$30 Billion were assessed
in corporate fines, and in 2013 individual corporate fines exceeded USD$13 Billion.
US regulators have made it clear that, under the US Federal Sentencing Guidelines for
Organizations (Guidelines), an effective compliance and ethics program can protect an
organization from prosecution even when its employees are found to have engaged in
criminal conduct. In announcing its decision not to prosecute Morgan Stanley for the
corrupt practices of one of its employees, the US Department of Justice commented
favorably on Morgan Stanley’s corporate compliance program detailing its up-to-date
policies, frequent and extensive training program and related certification and disclosure
requirements, ongoing due diligence and transaction monitoring, and its prompt and
appropriate response to the conduct its processes uncovered¹. The US Securities and
Exchange Commission also commented favorably on the actions taken by Ralph Lauren
in building a more robust compliance program to address identified risks in the release
announcing its decision not to prosecute the company in connection with bribes paid by a
subsidiary in Argentina².
The risks of having an ineffective program - or one that is merely “checking the box” - and
the benefits of having an effective program, have multiplied with the increased complexity
and stepped-up legislative, judicial and enforcement developments over the past several
years. As a result, it is more crucial than ever to know how your program compares to
both legal/regulatory requirements and best practices.
¹ http://www.justice.gov/opa/pr/2012/April/12-crm-534.html
² http://www.sec.gov/News/PressRelease/Detail/PressRelease/1365171514780. After outlining the company’s cooperation with the investigation, Kara
Brockmeyer, the SEC’s FCPA Unit Chief, added, ‘This NPA shows the benefit of implementing an effective compliance program. Ralph Lauren Corporation
discovered this problem after it put in place an enhanced compliance program and began training its employees. That level of self-policing along with its
self-reporting and cooperation led to this resolution.’
A compliance and ethics program maturity curve provides an effective framework for
you to make this evaluation. While a maturity curve simplifies the complex relationships
among the elements of a compliance program, it can be a useful tool for plotting
your program’s status. The journey from “Basic” to “Best Practice” is not, however, a
linear process. It is possible, for example, to have an education and communication
program that would be considered Best Practice while having a Code of Conduct that
is considered Basic. But knowing where each of your program elements would fall is an
invaluable and necessary aid for assessing your program and deciding whether it is time
to take some additional steps.
TO GET WHERE YOU WANT TO GO - YOU NEED TO KNOW WHERE YOU ARE.
According to the Department of Justice, “an effective compliance program is dynamic
and ever-evolving; it cannot exist only on paper.” Yet, for many companies, the paper
approach to compliance and ethics — what we call a “Basic” program – has historically
been the norm. Adhering to a “check-the-box” mentality, the individuals with operational
responsibility for these types of programs both design and measure effectiveness of the
compliance and ethics efforts at a Basic level, at best. For some companies, it may be
a conscious effort to do the minimum required to show that they have put a compliance
program in place. For others, it may be a first step in the development of a more
comprehensive program.
As programs have matured and additional focus has been placed on program
effectiveness, many organizations have decided that the Basic approach to ethics
and compliance is not sufficient. For some of these organizations, their goal is to have
their programs achieve “Best Practice”, embedding their program in the company’s
business function and including robust systems for implementation, measurement, and
management which help to reduce risks and promote a culture of accountability and
responsibility. These companies recognize that while Best Practice programs frequently
require more resources, time and support than less mature programs, they are also more
effective at identifying and resolving risks prior to a costly compliance and ethics failure
and in establishing a positive and productive work environment that can attract, and
retain, the best employees.

Figure: the compliance and ethics program maturity curve, plotted against EXPERIENCE and RESOURCES

BASIC
• Initial risk assessment
• Code and policies created
• Annual communications
• General training curriculum
• Training completions tracked
• Hotline established, publicized
• Reporting infrastructure company-wide

BEST PRACTICE
• Comprehensive, ongoing risk assessment
• Code/policies designed and branded
• Ongoing, strategized communications
• Dynamic, mixed training strategies
• Self-governing ethical culture
• Compliance widely measured and communicated
The roadmap for evaluating your organization’s placement on the maturity curve, and for
advancing up the curve, is not one-size-fits-all, in spite of the relatively straightforward
nature of the model. For example, a company can have a Basic risk assessment process
but a Best Practice learning and communications program and a reporting system
that falls somewhere in between. While a comprehensive program assessment, which
evaluates all the necessary components of a compliance and ethics program in depth,
provides the most effective way for an organization to evaluate the status of its compliance
and ethics program, this paper will provide compliance and ethics professionals with
insights into evaluating their programs and some suggestions for moving their company up
the maturity curve no matter where their program is today.
Where to Look for Guidance
One of the greatest challenges in any compliance and ethics program is staying up-
to-date on changes and trends that impact compliance and ethics, from regulatory
changes to enhancements in technology. For many US companies, the foundation for
corporate compliance and ethics programs has historically been, and continues to be, the
Guidelines. Adopted in 1991 and most recently amended in 2008, the Guidelines serve
as a reference tool for Federal courts in punishing
criminally culpable organizations. The Guidelines
also serve to deter unethical or illegal conduct by
providing incentives for companies to proactively
adopt “effective” compliance and ethics programs.
Organizations that, at a minimum, implement the
eight required Guideline elements for an “effective”
ethics and compliance program may be eligible, at
sentencing, for a three-point reduction of their culpability
score. Perhaps even more crucial for compliance
and ethics professionals, according to the statements
made in the Morgan Stanley and Ralph Lauren cases,
companies that can prove that they have established
an “effective” program may be able to completely avoid
a finding of culpability even when their employees are
found to have engaged in criminal conduct.
EIGHT KEY ELEMENTS UNDER THE US FEDERAL SENTENCING GUIDELINES FOR ORGANIZATIONS
Under the Guidelines, compliance and ethics professionals must ensure that
their companies’ programs include, at a minimum:
•	 Standards and procedures to prevent and detect criminal conduct
•	 Oversight by governing authority and high-level personnel
•	 Due care in delegating substantial authority
•	 Effective communication and training
•	 Monitoring, auditing and reporting
•	 Appropriate incentives and discipline
•	 Response and prevention
•	 Risk assessment
In addition to the Guidelines, there are many other important resources impacting the
establishment and ongoing maintenance of a corporate compliance program. On a
global scale, in its Guidance, the OECD has taken a strong stance in combating bribery
and elevating the role of compliance and ethics programs. Among its best-practice
recommendations are: obtaining support from senior management; realizing the value
of risk assessment; and understanding the effectiveness of incentives and discipline in
combating bribery and corruption. Likewise, various laws and regulations in the corporate
compliance area are other important resources. For example, the UK Bribery Act 2010
(Bribery Act) provides useful guidance on what constitutes the “adequate procedures”
that an organization should put in place to prevent bribery by persons associated with it.
Other US legislation, such as the Dodd-Frank Act of 2010 (Dodd-Frank) and the
Sarbanes-Oxley Act of 2002 (SOX), may also play a large role in the implementation and
maintenance of an effective compliance and ethics program. SOX effectively mandates
that publicly traded companies have Codes of Conduct and make their Codes publicly
available and requires that these companies make anonymous incident reporting avenues
available to employees and representatives. Similarly, for organizations doing business with
the US government, the Federal Acquisition Regulation (FAR) requires that contractors
(and even subcontractors) implement a Code of Ethics and conduct ongoing compliance
and ethics training. Dodd-Frank provides potentially enormous financial incentives for an
organization’s employees to forego internal reporting avenues (e.g., supervisors, hotlines
or web submissions) and to alternatively report evidence of corporate wrongdoing directly
to federal authorities. To encourage employees to report their concerns internally, many
companies have taken steps to raise employee awareness of available internal reporting
avenues and to further target risky behavior on a proactive basis.
US compliance and ethics professionals can find additional guidance in case law relating
to the fiduciary duties of the directors and officers of an organization and corporate
officers, including the Caremark³ case and Stone v. Ritter⁴ and their progeny. For
example, the court in Miller v. McDonald⁵ found that corporate officers (including the
general counsel) might be held criminally liable for failing to implement proper compliance
and ethics systems, including systems for monitoring.
In the US there are many other available resources for companies to monitor trends and
best practices, including Department of Justice (DOJ) memoranda and Corporate Integrity
Agreements (CIAs) promulgated by the Office of the Inspector General, as well as industry
and trade association publications. Because of the important role the DOJ plays in
investigating and prosecuting organizations, its communications (including DOJ charging
memoranda, Deferred Prosecution Agreements and Non-Prosecution Agreements) can
also provide valuable insights. Likewise, most CIAs specifically outline the remedial steps
that pharmaceutical and other healthcare organizations must take after illegal conduct
has occurred, placing great emphasis on the role of compliance and ethics programs.
Lastly, input and perspectives from other members of the compliance and ethics field
(specifically those within a company’s industry) can be invaluable as the organization sets
up and builds its program.
Setting the Foundation: Board and Senior
Management Support
For most organizations, the compliance and ethics program is the responsibility of the
governing authority (e.g., board of directors), which must oversee and support it. For some
compliance and ethics programs, it is often difficult to obtain or retain the attention of the
board. Despite the direction in the Guidelines and in Stone v. Ritter and Caremark, some
boards are not convinced that a strong program is necessary in the absence of a large-scale
compliance and ethics failure.
A Basic program needs proper support from the company’s governing authority. Without
this support, it is nearly impossible for the compliance and ethics program to gain traction.
Appropriate support must include a seat at the table to obtain necessary resources for an
effective program.
In the case of Best Practice programs, the company’s board is proactive, typically understands
the value of the compliance and ethics program and is, therefore, more prone to allocate
resources to better ensure that the program is in fact effective. A Best Practice program
includes regularly scheduled quarterly reports on potential compliance risks from the Chief
Ethics and Compliance Officer to the board or board committee (often, the audit committee),
with more frequent reports as needed. In addition, the board and members of senior
management are sure to align the goals of the compliance and ethics program with other
strategic corporate initiatives and business goals. By creating a positive “tone at the top”, both
the board and senior management demonstrate the importance of compliance and ethics to all
stakeholders.
³ In re Caremark Int’l Inc. Deriv. Litig., 698 A.2d 959 (Del. Ch. 1996)
⁴ Stone v. Ritter, 911 A.2d 362 (Del. 2006)
⁵ Miller v. McDonald, 2008 WL 1002035 (Bankcy. D.Del. Apr. 9, 2008)
In a Best Practice Program, the organization establishes a strong infrastructure to support the
program. This includes a compliance committee with representatives from applicable areas -
from sales to human resources to the legal and audit departments - that meets on a regular
basis to review the operation and effectiveness of the program. It also includes the appointment
of a single chief ethics and compliance officer who oversees all compliance and ethics program
operations and reports to senior management and the board (or designated board committee)
regarding the status of the program on a regular basis. An independent ethics and compliance
department, separate from the legal and finance departments, and headed by a chief
ethics and compliance officer who reports directly (or, at a minimum, a dotted-line reporting
relationship) to the board (or board committee), is the preferred structure.
Support of Board and Senior Management for Basic Programs
▪ Supposed to oversee the program
▪ Difficult to obtain or maintain board’s attention
▪ Need large-scale compliance and ethics failures to convince board that program is necessary
▪ Should give the individual overseeing the compliance and ethics program an opportunity to obtain resources

Support of Board and Senior Management for Best Practice Programs
▪ Understand the value of an effective compliance and ethics program
▪ More prone to allocate necessary resources
▪ Receive quarterly reports on major compliance and ethics risks from Chief Compliance Officer
▪ Align goals of program with strategic corporate initiatives and business goals
▪ Strong “tone at the top”

Assessing the Organization: Risk Assessment and
Cultural Assessment
Regardless of where the organization is on the maturity curve, it is equally necessary for the
organization to gauge its risks and to understand its corporate identity.
RISK ASSESSMENT
Every company must identify, prioritize and then manage its risks. For Basic programs,
risk assessments typically involve an informal, ad hoc discussion with, or a surveying of,
senior leaders regarding the risks that are of the highest priority within their business units.
General risk management efforts include enhancing existing processes or procedures,
updating organizational policies and implementing new (or renewed) training and
communication programs. The governing authority of the company (e.g., the board of
directors or board committee) requires some form of risk management report on an annual
basis to help it assess the effectiveness of the organization’s compliance and ethics efforts.
In Best Practice programs, risk assessments are far more detailed and comprehensive,
delving deeper into the company’s business units and workforce in their various
locations, and are done periodically or on an ongoing basis. Best Practice programs
solicit quantitative and qualitative input and utilize surveys, interviews and focus groups
to solicit feedback from employees at all levels. In addition, Best Practice program risk
assessments integrate with enterprise-wide risk management systems, assessing the
organization and its activities as a whole, including lines of business, organizational
structures, recent organizational changes, industry practices and geographic scope of
operations. After gathering and analyzing all of this information, the compliance and ethics
professionals running Best Practice programs prioritize risks (e.g., low, medium or high),
keeping in mind that the Guidelines focus on criminal conduct but also recognizing that
a strong corporate culture can provide important protection. With additional input from
business unit leaders, the company with a Best Practice program implements a risk
management plan, and the executive management team helps monitor program progress
on an ongoing basis. In some companies, both the risk assessment and risk management
responsibilities fall to the audit group but the compliance and ethics professionals have
some level of involvement in the risk assessment process and are fully aware of the
assessment results.
It is essential, for all programs, from Basic through Best Practice programs, to report all
findings, whether they are positive or negative, and to be prepared to address identified
risks.
Risk Assessment in Basic Programs
▪ Conduct periodically
▪ Collect input from senior business leaders regarding highest priority risks
▪ Identify and prioritize risks (e.g., low, medium or high)
▪ Create risk mitigation plan
▪ Present risk management report to board of directors
▪ Board of directors should assess effectiveness
▪ Be prepared to address identified risks

Risk Assessment in Best Practice Programs
▪ Conduct annually
▪ Collect input from senior business leaders and employees at all levels
▪ Utilize surveys, interviews and focus groups
▪ Prioritize risks (e.g., low, medium, high)
▪ With additional input from business unit leaders, create risk mitigation plan
▪ Executive team should monitor progress
▪ Audit group may be responsible for risk assessment and risk management efforts
▪ Keep board of directors informed throughout the risk assessment process
▪ Integrate with enterprise-wide risk management systems
▪ Be prepared to address identified risks
CULTURAL ASSESSMENT
Understanding and communicating the company’s values and beliefs is a fundamental
responsibility of the compliance and ethics function. To provide employees and other
constituents with a common set of values and beliefs, companies need not only the input of
senior leaders, but also the input of employees and other constituents.
In Basic programs, there is a tendency for compliance and ethics professionals to focus
on their own perceptions — or the perceptions of selected senior leaders — of the
company’s culture or what they want that culture to be. As a result, these programs tend
to focus primarily on legal compliance risks such as antitrust, bribery, insider trading
and the protection of company assets and information. Under this type of approach, the
professionals tend to “check the box” as they develop communications and messaging that
cover these basic risk areas.
In Best Practice programs, attitudinal or cultural surveys and assessments are important
means of soliciting feedback and understanding on the common values shared within
an organization. Whether through focus groups, online surveys or informal discussions,
attitudinal or cultural surveys will allow compliance and ethics personnel to gather, analyze
and synthesize employee perceptions and beliefs about
compliance and ethics, including tone at the top and
the role of mid-level managers. Beyond studying the
first-hand views of the employees as a critical step in
risk analysis, more sophisticated cultural assessments
use the attitudes of employees to deduce indirect risks.
This information can then inform the compliance and
ethics program and illuminate where communication and
messaging is lacking and where it is most effective.
Attitudinal or cultural surveys and assessments also serve
as a springboard for leadership development and training
in a Best Practice program. By sharing results internally,
managerial and supervisory personnel can reiterate and
stress the organization’s values and the expectations for
professional behavior up and down the chain.
Building a Foundation: Policies
and Procedures
The foundation of any company’s compliance and ethics program is the Code of Conduct
or Code of Ethics (Code). The Code defines expectations and guidelines for employee
behavior and addresses issues that are most relevant to the company’s risk profile.
In Basic compliance and ethics programs, Codes are commonly risk-based and tend
to emphasize rules and use legalistic language. Codes for Basic programs are generally
applicable to all employees, as well as to boards of directors and members of executive
management. They may also apply to independent contractors and other third parties. In
addition, the company makes the Code more easily available by hosting it on an intranet
or corporate website and may choose to distribute hard copies during the on-boarding
process. Basic program policies are often dense and difficult to read and understand, and
only reviewed on an ad hoc basis. And it is frequently difficult for employees to locate the
most recent versions of applicable policies.
In Best Practice programs, the Code is typically part of a much larger initiative that involves
ongoing reviews and updates, internal marketing, and training and communication. Reviewing
and updating could include revising relevant sections to conform to changes in law or policy,
or benchmarking the Code against industry peers and Global Fortune 500 leaders to help
ensure a comprehensive, relevant and engaging document. To gain optimal traction with
a company’s constituents, Codes in Best Practice programs tend to be values-based and
reflect common attitudes and shared beliefs. In addition, these Codes often reference more
detailed policies and procedures from which constituents can obtain additional guidance or
assistance. Best Practice programs feature fully-branded and highly graphical Code designs
that also serve as effective marketing collateral. The Code for a Best Practice program is a
global document reflecting the laws and regulations of the different jurisdictions in which the
organization does business. Globalization of the Code requires translating the document into
the primary languages of the organization’s employees.
Policies in Best Practice programs provide clear and comprehensive guidance, engaging
content and direct application to employees’ jobs. Best Practice programs manage their
policies proactively and make sure that policies are easy to find in a centralized location.
Codes in Basic Programs
▪ Define expectations and guidelines for employee behavior
▪ Applicable to all employees, directors and executive management
▪ Address issues that are most relevant to the organization’s risk profile
▪ Typically risk-based, emphasizing rules and using legalistic language
▪ Widely available and distributed during the on-boarding process
▪ May include mandatory and annual certification

Codes in Best Practice Programs
▪ Define expectations and guidelines for employee behavior
▪ Applicable to all employees, directors and executive management, as well as to agents, contingent workers and subsidiaries (if applicable)
▪ Global document reflecting requirements of different jurisdictions
▪ Translated into primary languages of the organization’s employees
▪ Address issues that are most relevant to the organization’s risk profile
▪ Typically values-based, reflecting common attitudes and shared beliefs of constituents
▪ Refer to detailed policies and procedures offering additional guidance or assistance
▪ Fully branded and highly graphical design
▪ Include mandatory and annual certification
▪ Part of overall program that includes:
  – Ongoing review and updates
  – Internal marketing
  – Training and communication
Best Practice programs also take steps to make sure that business partners comply with
the general principles set forth in their Codes. Some organizations adopt Codes that
are specifically applicable to their suppliers and require supplier certifications regarding
receipt, understanding and compliance.
For all compliance and ethics programs, from Basic through Best Practice programs, it is
important that employees read and understand the Code. To highlight Code compliance,
all compliance and ethics programs should include mandatory annual Code certifications
documenting that employees have read and understand the Code.
Reinforcing the Program: Education and Communication
In any effective compliance and ethics program, education and communication will play a
vital role in both raising awareness and mitigating risk. Education equips the organization’s
employees and constituents with the necessary tools to act ethically and in accordance
with applicable laws and policies. Communication helps reiterate the educational
components and helps ensure retention.
Most Basic programs require employees to complete a straightforward course that covers compliance with the general principles outlined in their Code. Their programs typically include at least one training initiative each year. For some companies, the same course is repeated each year without significant changes.
For Basic programs, it is helpful to assess the best means or methods for training and communicating with wide audiences. Online training and communication is an efficient and effective approach, enabling organizations to reach a broad audience and easily monitor completions. Live or “face-to-face” training and communication brings the message right to the employees’ workplace and facilitates discussions among managers and peers. It can be customized to reflect different business environments, challenges and risks, and can be used in concert with online learning to reinforce key points and key risk areas for high-risk audiences. With both approaches, it is equally critical that the company decide whether the education and communication will be voluntary or mandatory, and communicate those expectations to constituents.
All compliance and ethics programs should include annual education and communication
plans. Although many training priorities in Basic programs are identified on a reactive
or ad hoc basis, a more effective approach is to outline the annual training goals at
the outset of each year and to then reevaluate them on an ongoing basis to respond to
emerging issues and risks. Companies should also consider the results of any recent risk
assessments or cultural surveys and, at a minimum, include subject matters, deployment
timelines and responsible parties.
In Best Practice programs, annual education and communication plans are tailored to
specific locations, departments and/or risk groups. As indicated in both the Guidelines
and in recent CIAs, education and communication are both general and targeted, with
general training geared toward all employees (e.g., Code of Conduct) and targeted training
geared toward specific audiences (e.g., competition law training for sales employees),
with periodic communications using a variety of tools and methods to reinforce training
initiatives. Managers are trained on their role in a Best Practices compliance and ethics
program and are expected to reinforce program messages with their teams.
To establish general and targeted education plans for Best Practice programs, compliance
and ethics professionals will look not only at risk assessment or cultural assessment
results, but will also solicit input from cross-functional groups within the organization.
Best Practice programs designate compliance committees or compliance groups that
meet quarterly or annually to discuss the progress of the compliance and ethics program
and to assess education and communication needs and results. Best Practice programs
take steps to measure training effectiveness and modify content and delivery methods as
needed.
Best Practice programs also benefit from strong “tone from the middle”, whereby the
organization’s managers and supervisors take an active role in the educational initiatives
and help to further program communications and initiatives. In Best Practice programs,
education and communication for managers is seen as part of their professional
development, not simply compliance and ethics obligations. Enlisting middle managers
into the training process itself also helps them take ownership of compliance and ethics as
part of their jobs and helps embed compliance and ethics in the workplace.
Education and Communication in Basic Programs
▪ Assess best means or methods for delivery (e.g., online versus live)
▪ Decide whether education and communication will be voluntary or mandatory
▪ Maintain annual education and communication plan

Education and Communication in Best Practice Programs
▪ Assess best means or methods for delivery (e.g., online versus live)
▪ Maintain annual education and communication plan, using results of risk assessments or cultural surveys as reference
▪ Provide for general and targeted training
▪ Solicit input from cross-functional groups within the company
▪ Maintain strong “tone from the middle”
▪ Require education and communication as part of professional development plans
Staying Informed: Reporting, Monitoring and Auditing
Reporting
Providing constituents with avenues for raising concerns and reporting misconduct is
essential for any effective compliance and ethics program. While some companies use
managers and supervisors as the first line of defense for employee or constituent reporting,
others rely more heavily on communication channels such as hotlines and web submission
sites.
Reporting channels are crucial for any compliance and ethics program. Mechanisms
such as hotlines and web sites aid companies in identifying issues or concerns that might
ordinarily go unreported or entirely ignored. In addition, hotline and web submission site
reporting often allow for anonymity, depending on local law. By providing for anonymity,
organizations enable employees and other constituents to voice issues or concerns with
more honesty and candor, and without the fear of retaliation.
As organizations move up the compliance and ethics maturity curve, they take reporting a step further, providing additional reporting avenues such as comment boxes, fax numbers and mail and email addresses. Regardless of the form, organizations must take steps to ensure the security and integrity of all available reporting systems, including training managers and supervisors who might handle employee reports or concerns. By requiring adherence to standardized processes for addressing employee issues and concerns, companies can minimize missteps and ensure that reports are managed appropriately. Managers and supervisors must also be cognizant of – and reinforce – the organization’s anti-retaliation policy and maintain strict confidentiality to the fullest extent possible.
Companies with Best Practice programs go a step further,
emphasizing the importance of open communications on issues
relating to compliance and ethics. Ethics and compliance has a seat at the table as a
functional part of the organization’s business, with visible and proactive support from senior
management. To best achieve an open Speak-Up culture, the program focuses on ethical
values in addition to strict compliance with legal and policy standards.
Various elements of a Best Practice program, from training to reporting systems, are
designed to help the company learn about and promptly handle questions and issues
before they become major problems. For many of these companies, the hotline is viewed
as a last resort – available as a resource but not something employees would typically use
so long as they can raise their question or concern directly with one of their managers.
Alternatively, some companies try to channel reports of misconduct to their corporate
compliance departments and/or hotlines based on the idea that these types of issues can
be best handled, and treated with greater confidentiality, at the corporate level.
Companies with Best Practice programs also pay close attention to trends in reporting
by looking at variables such as location of reports, timing of reports and the preferred
mechanisms for making reports. Best Practice compliance and ethics programs also
utilize widely available communication and marketing tools, such as posters, wallet cards
and paystub inserts, to promote a Speak-Up culture and remind constituents of their
reporting obligations and options. They provide employees with information about reports
that are made and the results of their investigations.
For all compliance and ethics programs, from Basic through Best Practice programs, it
is essential for the organization to address reports appropriately and in a timely fashion.
If reports are either mishandled or left unresolved, the compliance and ethics program
will lose credibility, and the value of the available reporting avenues will decrease. To
this point, an added level of transparency is recommended in a Best Practice program,
allowing parties involved in the reporting of an incident to have access to the real-time
progress or status of the incident investigation. This level of visibility builds trust in the
process and reinforces accountability in the management of reported incidents.
Reporting in Basic Programs
▪ Allow managers and supervisors to serve as first line of defense for reporting
▪ Provide mechanisms such as hotlines and weblines
▪ Depending on local law, allow for anonymous reporting
▪ Ensure confidentiality to the extent possible
▪ Handle reports appropriately and in a timely fashion

Reporting in Best Practice Programs
▪ Ensure that managers and supervisors adhere to standardized processes for addressing employee or constituent issues and concerns
▪ Provide mechanisms such as hotlines and weblines
▪ Provide additional reporting options such as comment boxes, fax numbers, mailing addresses or email
▪ Take necessary steps to ensure security and integrity in all available reporting systems
▪ Pay close attention to trends in reporting
▪ Make constituents aware of reporting avenues and anonymity through communication and marketing
▪ Handle reports appropriately and in a timely fashion
Monitoring and Auditing
Effective monitoring and auditing of the compliance and ethics program is a common
challenge for many organizations.
In most Basic programs, the biggest hurdle is establishing reliable measurements for
assessing program progress. As a starting point, compliance and ethics professionals who
manage Basic programs review training records to ensure high completion percentages.
Those individuals responsible for monitoring and auditing the program also evaluate existing
policies and procedures on an ad hoc basis to reflect changes in applicable laws and
regulations and for consistency with organizational messaging. Finally, compliance and
ethics personnel in Basic programs analyze reporting statistics, paying particular attention
to hotline and web submission reports.
In Best Practice programs, monitoring and auditing evolves from measuring outputs to measuring effectiveness. Monitoring and auditing can take place at the business unit or department level, with the results informing the organization’s more general risk management plans. Having greater resources available, Best Practice programs often benefit from direct insight into the inherent compliance and ethics risks throughout the organization. Some common tools for extracting that information might include questionnaires or surveys, employee interviews or exit interviews, focus groups and on-site visits. In most Best Practice programs, the compliance and ethics function is able to leverage, or work closely with, the audit group to monitor and audit the program.
Best Practice programs typically include integrated and centralized systems that track the
program, including training data, helpline calls, survey results and risk assessment findings.
Analytics, often in dashboard formats, provide on-demand reporting and allow for high level
views of applicable metrics and reports.
Enforcing the Program: Appropriate Discipline and Incentives
Effective compliance and ethics programs include adequate and appropriate incentives
for employees to perform their jobs ethically and responsibly. In addition, companies
with effective programs clearly outline the potential disciplinary measures for engaging in
unethical or illegal conduct and consistently use these measures when and as appropriate.
For Basic programs, it is often difficult to get beyond “check-the-box” performance
evaluations and salary-based incentives. The company with a Basic program typically has
a place in the annual performance evaluation relating to ethics and compliance. However,
unless the employee has been subject to some form of disciplinary action for an ethics
or compliance violation, the employee typically gets a generic “meets expectation” score
in this area. Also, a common approach by many organizations is to withhold an employee
or constituent’s year-end commission or bonus until all requisite compliance and ethics
training is complete. In general, Basic programs tend to focus on the potential disciplinary
measures for, or consequences of, illegal or unethical conduct. They outline potential
consequences and discipline in the Code and other written policies primarily to better
protect themselves from potential litigation and compliance failures.
In Best Practice programs, there is a greater balance of salary-based and non-salary-based incentives and successes are celebrated and/or rewarded. Companies with Best
Practice programs include ethics and compliance related performance objectives for
senior managers and down through the rest of the organization. Ethics and compliance
are considered in leadership development, promotions and rewards or recognition. In Best
Practice programs, the specifics continue to evolve in order to make sure that the program
provides appropriate and adequate rewards and incentives. In addition, Best Practice
programs aim to ensure that the disciplinary and enforcement processes are consistent,
despite being dependent on individual circumstances, and use various reporting and
monitoring systems to achieve this objective. Employees and constituents are also assured
that management will respond to reports of misconduct and that there will be no double-standards for high performers. By not turning a blind eye to a violation of law or policy or
an ethical lapse, even when it involves top performers, and celebrating and/or rewarding
successes, the organization’s compliance and ethics program becomes even more
credible and effective.
Incentives and Discipline in Basic Programs
▪ Difficult to get beyond salary-based incentives
▪ Focus on the potential disciplinary measures or ramifications for illegal or unethical behavior
▪ Outline potential consequences clearly in the Code or other written policies

Incentives and Discipline in Best Practice Programs
▪ Tend to have greater balance between salary-based and non-salary-based incentives
▪ Non-salary-based incentives include compliance and ethics as a consideration in leadership development, employee evaluations, promotions and rewards and recognition
▪ Disciplinary and enforcement processes more consistent
▪ Management will respond to misconduct
▪ No double-standards for top performers
Program Assessment: An Important Foundational Step
Whether your program is just getting off the ground or it is well established, the objectives
are the same: to reduce risk and promote ethical behavior. The previous sections provide
a framework for an organization to see where its ethics and compliance program sits on
an ethics and compliance program maturity curve. It is not easy, however, to measure the
extent to which your program is achieving its goals. A more formal program assessment,
which evaluates all of the necessary components of a compliance and ethics program (or
specific program elements) in depth, provides a more effective way for an organization
to evaluate the status of its program and to identify actionable steps for improving or
enhancing specific program elements.
Conclusion
Given the continuous change and evolution within the compliance and ethics arena,
the realization of a “fully-Best Practice” corporate compliance and ethics program is a
challenge. A more realistic approach for individuals who oversee compliance and ethics
programs is to both monitor and assess their programs and to be aware of important
developments in the regulatory landscape and in the ethics and compliance field. Both
international and US regulators and authorities continue to stress the importance of
effective compliance and ethics programs, and the onus is squarely on compliance and
ethics professionals to continue to push their organizations and boards of directors for
more visibility and greater support.
By incorporating some elements of both Basic and Best Practice programs, companies
can increase the effectiveness of their program and better avoid the stigma of a “check-the-box” program. These steps can be most effective, however, when they are grounded
in and based on a formal assessment of the various elements of their compliance and
ethics program.
© 2014 SAI Global Ltd. The SAI Global name and logo and Cintellate name are trademarks of SAI Global Ltd.
Compliance 360 is a registered trademark of Compliance 360, Inc., an SAI Global company. All Rights Reserved. PAMCWP1402a
USA
info.americas@saiglobal.com
Plainsboro NJ
T: +1 (877) 470-SAIG [7244]
F: +1 609 924 9207
Waltham, MA
T: +1 781 891 9700
F: +1 781 891 9701
Alpharetta, GA
T: +1 678 992 0262
F: +1 678 992 0266
Houston, TX
T: +1 713 954 4970
F: +1 713 954 4980
Europe
info.emea@saiglobal.com
Warwickshire, UK
T: +44 (0) 1926 523 149
F: +44 (0) 1926 523 130
Australia
info.asiapac@saiglobal.com
Sydney
T: +61 2 8206 6060
F: +61 2 8206 6019
Southbank
T: +61 3 9278 1555
F: +61 3 9278 1556
Osborne Park
T: +61 8 9444 2777
F: +61 8 9444 2477
About SAI Global
SAI Global Compliance is the world’s leader in providing organizations with a wide range of governance, risk and
compliance (GRC) products, services and technology that help build organizational integrity and effectively manage
compliance risk. Our global staff includes professionals and subject matter specialists in advisory services; program
design, management and implementation; instructional design; and software development. Our focus is to help
establish and enhance compliance effectiveness.
With well over a thousand organizations as clients and tens of millions of satisfied users around the world, we work
with clients to integrate a flexible suite of solutions and services specifically tailored for a business and industry.
Our products include the world’s largest library of compliance and ethics learning, Code of Conduct advisory services and training, and the Compliance 360® GRC Software Suite to manage compliance, policy, case and audit management. Our Cintellate™ EH&S Software addresses key issues in operational environmental health and safety management.
For more information, please call us at the full service location nearest you or visit www.saiglobal.com/compliance

More Related Content

Similar to SAI-GLOBAL-whitepaper-program-assessment-maturity-curve

ComplianceGuidelinesUploaded6.14PDF
ComplianceGuidelinesUploaded6.14PDFComplianceGuidelinesUploaded6.14PDF
ComplianceGuidelinesUploaded6.14PDFPaulette Wunsch
 
Anti-Bribery and Corruption Compliance for Third Parties
Anti-Bribery and Corruption Compliance for Third PartiesAnti-Bribery and Corruption Compliance for Third Parties
Anti-Bribery and Corruption Compliance for Third PartiesDun & Bradstreet
 
Third Party Due Diligence - Know Your Third Party - EY India
Third Party Due Diligence - Know Your Third Party - EY IndiaThird Party Due Diligence - Know Your Third Party - EY India
Third Party Due Diligence - Know Your Third Party - EY IndiaErnst & Young
 
Essential Elements of Global Compliance Programs
Essential Elements of Global Compliance ProgramsEssential Elements of Global Compliance Programs
Essential Elements of Global Compliance ProgramsEthisphere
 
Digitizing Corporate Governance
Digitizing Corporate GovernanceDigitizing Corporate Governance
Digitizing Corporate GovernanceJesus Tueme
 
theprinciplesmaturitymodel
theprinciplesmaturitymodeltheprinciplesmaturitymodel
theprinciplesmaturitymodelDavid Vickers
 
How an Organization Can Elevate Compliance Standards
How an Organization Can Elevate Compliance StandardsHow an Organization Can Elevate Compliance Standards
How an Organization Can Elevate Compliance Standards360factors
 
Actions speak louder than words
Actions speak louder than wordsActions speak louder than words
Actions speak louder than wordsRachel Hamilton
 
Chapter 9 Managing and Controlling Ethics Programs
Chapter 9 Managing and Controlling Ethics ProgramsChapter 9 Managing and Controlling Ethics Programs
Chapter 9 Managing and Controlling Ethics ProgramsFirdaus Fitri Zainal Abidin
 
White Paper: A summary of the FSA thematic review
White Paper: A summary of the FSA thematic reviewWhite Paper: A summary of the FSA thematic review
White Paper: A summary of the FSA thematic reviewLexisNexis Benelux
 
An Introduction To Compliance Program
An Introduction To Compliance ProgramAn Introduction To Compliance Program
An Introduction To Compliance Programlinhcuong
 
AML and OFAC Compliance for the Insurance Industry
AML and OFAC Compliance for the Insurance IndustryAML and OFAC Compliance for the Insurance Industry
AML and OFAC Compliance for the Insurance IndustryRachel Hamilton
 
How HIM Supports the Seven Elements of an Effective Compliance Program
How HIM Supports the Seven Elements of an Effective Compliance ProgramHow HIM Supports the Seven Elements of an Effective Compliance Program
How HIM Supports the Seven Elements of an Effective Compliance ProgramPYA, P.C.
 
Whistleblower Best Practices: What Do Compliance and Business Leaders Need to...
Whistleblower Best Practices: What Do Compliance and Business Leaders Need to...Whistleblower Best Practices: What Do Compliance and Business Leaders Need to...
Whistleblower Best Practices: What Do Compliance and Business Leaders Need to...Ethisphere
 
1082018 Printhttpscontent.ashford.eduprintAUOMM640..docx
1082018 Printhttpscontent.ashford.eduprintAUOMM640..docx1082018 Printhttpscontent.ashford.eduprintAUOMM640..docx
1082018 Printhttpscontent.ashford.eduprintAUOMM640..docxdrennanmicah
 
Control Self-Assessment article
Control Self-Assessment articleControl Self-Assessment article
Control Self-Assessment articleDeepika Menon
 
FCPA Report_Guide to Creating an Effective Compliance-Based Employee Incentiv...
FCPA Report_Guide to Creating an Effective Compliance-Based Employee Incentiv...FCPA Report_Guide to Creating an Effective Compliance-Based Employee Incentiv...
FCPA Report_Guide to Creating an Effective Compliance-Based Employee Incentiv...Peter Viksnins
 
Apply Strategic Plan EvaluationRefer back to the Week 2 compa.docx
Apply Strategic Plan EvaluationRefer back to the Week 2 compa.docxApply Strategic Plan EvaluationRefer back to the Week 2 compa.docx
Apply Strategic Plan EvaluationRefer back to the Week 2 compa.docxjewisonantone
 

Similar to SAI-GLOBAL-whitepaper-program-assessment-maturity-curve (20)

ComplianceGuidelinesUploaded6.14PDF
ComplianceGuidelinesUploaded6.14PDFComplianceGuidelinesUploaded6.14PDF
ComplianceGuidelinesUploaded6.14PDF
 
Anti-Bribery and Corruption Compliance for Third Parties
Anti-Bribery and Corruption Compliance for Third PartiesAnti-Bribery and Corruption Compliance for Third Parties
Anti-Bribery and Corruption Compliance for Third Parties
 
Third Party Due Diligence - Know Your Third Party - EY India
Third Party Due Diligence - Know Your Third Party - EY IndiaThird Party Due Diligence - Know Your Third Party - EY India
Third Party Due Diligence - Know Your Third Party - EY India
 
Essential Elements of Global Compliance Programs
Essential Elements of Global Compliance ProgramsEssential Elements of Global Compliance Programs
Essential Elements of Global Compliance Programs
 
Digitizing Corporate Governance
Digitizing Corporate GovernanceDigitizing Corporate Governance
Digitizing Corporate Governance
 
theprinciplesmaturitymodel
theprinciplesmaturitymodeltheprinciplesmaturitymodel
theprinciplesmaturitymodel
 
Hassan Qaqaya
Hassan QaqayaHassan Qaqaya
Hassan Qaqaya
 
How an Organization Can Elevate Compliance Standards
How an Organization Can Elevate Compliance StandardsHow an Organization Can Elevate Compliance Standards
How an Organization Can Elevate Compliance Standards
 
Actions speak louder than words
Actions speak louder than wordsActions speak louder than words
Actions speak louder than words
 
Chapter 9 Managing and Controlling Ethics Programs
Chapter 9 Managing and Controlling Ethics ProgramsChapter 9 Managing and Controlling Ethics Programs
Chapter 9 Managing and Controlling Ethics Programs
 
White Paper: A summary of the FSA thematic review
White Paper: A summary of the FSA thematic reviewWhite Paper: A summary of the FSA thematic review
White Paper: A summary of the FSA thematic review
 
An Introduction To Compliance Program
An Introduction To Compliance ProgramAn Introduction To Compliance Program
An Introduction To Compliance Program
 
AML and OFAC Compliance for the Insurance Industry
AML and OFAC Compliance for the Insurance IndustryAML and OFAC Compliance for the Insurance Industry
AML and OFAC Compliance for the Insurance Industry
 
How HIM Supports the Seven Elements of an Effective Compliance Program
How HIM Supports the Seven Elements of an Effective Compliance ProgramHow HIM Supports the Seven Elements of an Effective Compliance Program
How HIM Supports the Seven Elements of an Effective Compliance Program
 
Compliance risk management planning 2017-02-mattoon
Compliance risk management planning 2017-02-mattoonCompliance risk management planning 2017-02-mattoon
Compliance risk management planning 2017-02-mattoon
 
Whistleblower Best Practices: What Do Compliance and Business Leaders Need to...
Whistleblower Best Practices: What Do Compliance and Business Leaders Need to...Whistleblower Best Practices: What Do Compliance and Business Leaders Need to...
Whistleblower Best Practices: What Do Compliance and Business Leaders Need to...
 
1082018 Printhttpscontent.ashford.eduprintAUOMM640..docx
1082018 Printhttpscontent.ashford.eduprintAUOMM640..docx1082018 Printhttpscontent.ashford.eduprintAUOMM640..docx
1082018 Printhttpscontent.ashford.eduprintAUOMM640..docx
 
Control Self-Assessment article
Control Self-Assessment articleControl Self-Assessment article
Control Self-Assessment article
 
FCPA Report_Guide to Creating an Effective Compliance-Based Employee Incentiv...
FCPA Report_Guide to Creating an Effective Compliance-Based Employee Incentiv...FCPA Report_Guide to Creating an Effective Compliance-Based Employee Incentiv...
FCPA Report_Guide to Creating an Effective Compliance-Based Employee Incentiv...
 
Apply Strategic Plan EvaluationRefer back to the Week 2 compa.docx
Apply Strategic Plan EvaluationRefer back to the Week 2 compa.docxApply Strategic Plan EvaluationRefer back to the Week 2 compa.docx
Apply Strategic Plan EvaluationRefer back to the Week 2 compa.docx
 

SAI-GLOBAL-whitepaper-program-assessment-maturity-curve

  • 1. Compliance and Ethics Program Best Practices: Assessing Your Program and Moving It Up the Maturity Curve by James Meacham, CCEP, CRISC and the SAI Global Advisory Services Team
  • 2. 2 Compliance and Ethics Program Best Practices: Assessing Your Program and Moving It Up the Maturity Curve www.saiglobal.com/compliance Foreword by Paula Davis, SAI Global The complexity of global legislation is a perennial issue for our customers. In a fast-evolving and increasingly international market-place, ensuring that a business meets the overlapping demands of legislation, regulation and industry standards is probably one of the most significant challenges to overcome - and it can be time-consuming or expensive (or quite probably both!) to make sense of the noise and translate it into a pragmatic and effective compliance program. This whitepaper outlines a framework for compliance program assessment, which references the globally-recognised US Federal Sentencing Guidelines using its key elements as the blueprint for an effective compliance program. Whilst the paper makes reference to the USSG throughout, it’s worth pointing out that the framework it describes and the recommendations it makes are equally applicable to other global guidelines and industry best practice. Take for example the UK Ministry of Justice anti-bribery guidelines, the UK Office of Fair Trading competition law guidance and similar guidance issued by the French and EU competition authorities. Although they may not use the same form of words, the same key themes emerge time and again, as the concept of ‘proportionality’ comes centre stage. In our experience, these ‘variations on a compliance theme’ can be distilled into 5 key underlying principles, which form the backbone of guidelines issued by enforcement agencies around the world: 1. risk identification 2. appropriate policies, procedures and controls 3. effective training and communication 4. monitoring, audit and response 5. continual evaluation and improvement (The diagram on page 3 illustrates this point)
So, although at first glance this whitepaper is based on the USSG, the need for and benefits of compliance program assessments are universal, and the good guidance recommendations contained in this document will serve as an effective compliance risk management framework no matter the size or scale of your business or the industry-specific risks to which you are exposed.

Paula Davis
Director, Compliance Program Operations EMEA
SAI Global

Elements of an Effective Compliance Program

The table in the original maps the elements named by each of the following frameworks onto the five underlying principles: Risk Identification / Risk Assessment; Policies, Procedures and Controls; Training and Communication; Monitoring, Auditing and Response; Evaluate and Improve.

USSG 7 Elements
▪▪ Standards and procedures to prevent and detect criminal conduct
▪▪ Leaders understand/oversee the compliance programme. Deny leadership roles to people who have engaged in misconduct
▪▪ Communicate standards and procedures of compliance and conduct effective training
▪▪ Monitor and audit, maintain reporting mechanism
▪▪ Provide incentives and discipline violations
▪▪ Respond quickly to allegations and modify programme
▪▪ Note: General provision requires periodic risk assessment

OECD 13 Good Practices
▪▪ Risk assessment for effective internal controls and compliance programme
▪▪ Policy that is clear and visibly states that bribery is prohibited
▪▪ Training – periodic, documented
▪▪ Responsibility – individuals at all levels should be responsible for monitoring
▪▪ Strong, explicit and visible support from senior managers
▪▪ Oversight by senior corporate officers with sufficient authority and resource
▪▪ Programmes to address specific risk areas
▪▪ Business partners due diligence
▪▪ Accounting – effective internal controls for accurate books and records
▪▪ Guidance – provision of advice to ensure compliance
▪▪ Reporting violations confidentially with no retaliation
▪▪ Discipline for violations of policy
▪▪ Regular re-assessment and revisions

UK OFT
▪▪ Top Level Commitment
▪▪ Risk Identification
▪▪ Risk Assessment
▪▪ Risk Mitigation
▪▪ Review

French Competition Authority
▪▪ Public commitment to compliance
▪▪ In-house contacts and experts
▪▪ Information, training and awareness-raising
▪▪ Audits and alert systems
▪▪ A monitoring system

DOJ Antitrust
▪▪ Commitment from senior management
▪▪ Code of conduct and compliance policies and procedures
▪▪ Oversight, autonomy and resources
▪▪ Risk assessment
▪▪ Training and continuing advice
▪▪ Incentives and disciplinary measures
▪▪ Third party due diligence
▪▪ Confidential reporting and internal investigation
▪▪ Continuous improvement: periodic testing and review
Introduction

Over the past several years, the compliance and ethics landscape has witnessed several developments with major implications for all companies. From the vigorous enforcement initiatives in the US, to the issuance by the Organization for Economic Cooperation and Development (OECD) of Good Practice Guidance on Internal Controls, Ethics and Compliance (Guidance), to various legislative and administrative initiatives including heightened anti-bribery laws in the United Kingdom and Brazil and additional interpretations relating to bribery cases issued in China, the impetus for companies to develop and maintain effective compliance and ethics programs has only increased. Additionally, more than half of the ten largest corporate fines in US history were imposed or accepted in recent years. In the US, in 2012 alone, over USD$30 Billion were assessed in corporate fines, and in 2013 individual corporate fines exceeded USD$13 Billion.

US regulators have made it clear that, under the US Federal Sentencing Guidelines for Organizations (Guidelines), an effective compliance and ethics program can protect an organization from prosecution even when its employees are found to have engaged in criminal conduct. In announcing its decision not to prosecute Morgan Stanley for the corrupt practices of one of its employees, the US Department of Justice commented favorably on Morgan Stanley’s corporate compliance program, detailing its up-to-date policies, frequent and extensive training program and related certification and disclosure requirements, ongoing due diligence and transaction monitoring, and its prompt and appropriate response to the conduct its processes uncovered[1]. The US Securities and Exchange Commission also commented favorably on the actions taken by Ralph Lauren in building a more robust compliance program to address identified risks in the release announcing its decision not to prosecute the company in connection with bribes paid by a subsidiary in Argentina[2].

The risks of having an ineffective program - or one that is merely “checking the box” - and the benefits of having an effective program have multiplied with the increased complexity and stepped-up legislative, judicial and enforcement developments over the past several years. As a result, it is more crucial than ever to know how your program compares to both legal/regulatory requirements and best practices.

[1] http://www.justice.gov/opa/pr/2012/April/12-crm-534.html
[2] http://www.sec.gov/News/PressRelease/Detail/PressRelease/1365171514780. After outlining the company’s cooperation with the investigation, Kara Brockmeyer, the SEC’s FCPA Unit Chief, added, ‘This NPA shows the benefit of implementing an effective compliance program. Ralph Lauren Corporation discovered this problem after it put in place an enhanced compliance program and began training its employees. That level of self-policing along with its self-reporting and cooperation led to this resolution.’
A compliance and ethics program maturity curve provides an effective framework for you to make this evaluation. While a maturity curve simplifies the complex relationships among the elements of a compliance program, it can be a useful tool for plotting your program’s status. The journey from “Basic” to “Best Practice” is not, however, a linear process. It is possible, for example, to have an education and communication program that would be considered Best Practice while having a Code of Conduct that is considered Basic. But knowing where each of your program elements would fall is an invaluable and necessary aid for assessing your program and deciding whether it is time to take some additional steps.

TO GET WHERE YOU WANT TO GO - YOU NEED TO KNOW WHERE YOU ARE.

According to the Department of Justice, “an effective compliance program is dynamic and ever-evolving; it cannot exist only on paper.” Yet, for many companies, the paper approach to compliance and ethics — what we call a “Basic” program – has historically been the norm. Adhering to a “check-the-box” mentality, the individuals with operational responsibility for these types of programs both design and measure the effectiveness of the compliance and ethics efforts at a Basic level, at best. For some companies, it may be a conscious effort to do the minimum required to show that they have put a compliance program in place. For others, it may be a first step in the development of a more comprehensive program. As programs have matured and additional focus has been placed on program effectiveness, many organizations have decided that the Basic approach to ethics and compliance is not sufficient.

Figure: The compliance and ethics program maturity curve (axes: Experience, Resources)

BASIC
▪▪ Initial risk assessment
▪▪ Code and policies created
▪▪ Annual communications
▪▪ General training curriculum
▪▪ Training completions tracked
▪▪ Hotline established, publicized
▪▪ Reporting infrastructure company-wide

BEST PRACTICE
▪▪ Comprehensive, ongoing risk assessment
▪▪ Code/policies designed and branded
▪▪ Ongoing, strategized communications
▪▪ Dynamic, mixed training strategies
▪▪ Self-governing ethical culture
▪▪ Compliance widely measured and communicated

For some of these organizations, their goal is to have
their programs achieve “Best Practice”, embedding their program in the company’s business function and including robust systems for implementation, measurement and management which help to reduce risks and promote a culture of accountability and responsibility. These companies recognize that while Best Practice programs frequently require more resources, time and support than less mature programs, they are also more effective at identifying and resolving risks prior to a costly compliance and ethics failure and in establishing a positive and productive work environment that can attract, and retain, the best employees.

The roadmap for evaluating your organization’s placement on the maturity curve, and for advancing up the curve, is not one-size-fits-all, in spite of the relatively straightforward nature of the model. For example, a company can have a Basic risk assessment process but a Best Practice learning and communications program and a reporting system that falls somewhere in between. While a comprehensive program assessment, which evaluates all the necessary components of a compliance and ethics program in depth, provides the most effective way for an organization to evaluate the status of its compliance and ethics program, this paper will provide compliance and ethics professionals with insights into evaluating their programs and some suggestions for moving their company up the maturity curve no matter where their program is today.

Where to Look for Guidance

One of the greatest challenges in any compliance and ethics program is staying up-to-date on changes and trends that impact compliance and ethics, from regulatory changes to enhancements in technology. For many US companies, the foundation for corporate compliance and ethics programs has historically been, and continues to be, the Guidelines. Adopted in 1991 and most recently amended in 2008, the Guidelines serve as a reference tool for Federal courts in punishing criminally culpable organizations. The Guidelines also serve to deter unethical or illegal conduct by providing incentives for companies to proactively adopt “effective” compliance and ethics programs. Organizations that, at a minimum, implement the eight required Guideline elements for an “effective” ethics and compliance program may be eligible, at sentencing, for a three-point reduction of their culpability score. Perhaps even more crucial for compliance and ethics professionals, according to the statements made in the Morgan Stanley and Ralph Lauren cases, companies that can prove that they have established an “effective” program may be able to completely avoid a finding of culpability even when their employees are found to have engaged in criminal conduct.
EIGHT KEY ELEMENTS UNDER THE US FEDERAL SENTENCING GUIDELINES FOR ORGANIZATIONS

Under the Guidelines, compliance and ethics professionals must ensure that their companies’ programs include, at a minimum:

• Standards and procedures to prevent and detect criminal conduct
• Oversight by governing authority and high-level personnel
• Due care in delegating substantial authority
• Effective communication and training
• Monitoring, auditing and reporting
• Appropriate incentives and discipline
• Response and prevention
• Risk assessment

In addition to the Guidelines, there are many other important resources impacting the establishment and ongoing maintenance of a corporate compliance program. On a global scale, in its Guidance, the OECD has taken a strong stance in combating bribery and elevating the role of compliance and ethics programs. Among its best-practice recommendations are: obtaining support from senior management; realizing the value of risk assessment; and understanding the effectiveness of incentives and discipline in combating bribery and corruption.

Likewise, various laws and regulations in the corporate compliance area are other important resources. For example, the UK Bribery Act 2010 (Bribery Act) provides useful guidance on what constitutes the “adequate procedures” that an organization should put in place to prevent bribery by persons associated with it. Other US legislation, such as the Dodd-Frank Act of 2010 (Dodd-Frank) and the Sarbanes-Oxley Act of 2002 (SOX), may also play a large role in the implementation and maintenance of an effective compliance and ethics program. SOX effectively mandates that publicly traded companies have Codes of Conduct and make their Codes publicly available, and requires that these companies make anonymous incident reporting avenues available to employees and representatives. Similarly, for organizations doing business with the US government, the Federal Acquisition Regulation (FAR) requires that contractors (and even subcontractors) implement a Code of Ethics and conduct ongoing compliance and ethics training. Dodd-Frank provides potentially enormous financial incentives for an organization’s employees to forego internal reporting avenues (e.g., supervisors, hotlines or web submissions) and to alternatively report evidence of corporate wrongdoing directly to federal authorities. To encourage employees to report their concerns internally, many companies have taken steps to raise employee awareness of available internal reporting avenues and to further target risky behavior on a proactive basis.
US compliance and ethics professionals can find additional guidance in case law relating to the fiduciary duties of the directors and officers of an organization and corporate officers, including the Caremark[3] case and Stone v. Ritter[4] and their progeny. For example, the court in Miller v. McDonald[5] found that corporate officers (including the general counsel) might be held criminally liable for failing to implement proper compliance and ethics systems, including systems for monitoring.

[3] In re Caremark Int’l Inc. Deriv. Litig., 698 A.2d 959 (Del. Ch. 1996)
[4] Stone v. Ritter, 911 A.2d 362 (Del. 2006)
[5] Miller v. McDonald, 2008 WL 1002035 (Bankcy. D.Del. Apr. 9, 2008)

In the US there are many other available resources for companies to monitor trends and best practices, including Department of Justice (DOJ) memoranda and Corporate Integrity Agreements (CIAs) promulgated by the Office of the Inspector General, as well as industry and trade association publications. Because of the important role the DOJ plays in investigating and prosecuting organizations, its communications (including DOJ charging memoranda, Deferred Prosecution Agreements and Non-Prosecution Agreements) can also provide valuable insights. Likewise, most CIAs specifically outline the remedial steps that pharmaceutical and other healthcare organizations must take after illegal conduct has occurred, placing great emphasis on the role of compliance and ethics programs. Lastly, input and perspectives from other members of the compliance and ethics field (specifically those within a company’s industry) can be invaluable as the organization sets up and builds its program.

Setting the Foundation: Board and Senior Management Support

For most organizations, the compliance and ethics program is the responsibility of the governing authority (e.g., board of directors), which must oversee and support it. For some compliance and ethics programs, it is often difficult to obtain or retain the attention of the board. Despite the direction in the Guidelines and in Stone v. Ritter and Caremark, some boards are not convinced that a strong program is necessary in the absence of a large-scale compliance and ethics failure.

A Basic program needs proper support from the company’s governing authority. Without this support, it is nearly impossible for the compliance and ethics program to gain traction. Appropriate support must include a seat at the table to obtain necessary resources for an effective program.

In the case of Best Practice programs, the company’s board is proactive, typically understands the value of the compliance and ethics program and is, therefore, more prone to allocate resources to better ensure that the program is in fact effective. A Best Practice program includes regularly scheduled quarterly reports on potential compliance risks from the Chief Ethics and Compliance Officer to the board or board committee (often, the audit committee), with more frequent reports as needed. In addition, the board and members of senior
management are sure to align the goals of the compliance and ethics program with other strategic corporate initiatives and business goals. By creating a positive “tone at the top”, both the board and senior management demonstrate the importance of compliance and ethics to all stakeholders.

In a Best Practice program, the organization establishes a strong infrastructure to support the program. This includes a compliance committee with representatives from applicable areas - from sales to human resources to the legal and audit departments - that meets on a regular basis to review the operation and effectiveness of the program. It also includes the appointment of a single chief ethics and compliance officer who oversees all compliance and ethics program operations and reports to senior management and the board (or designated board committee) regarding the status of the program on a regular basis. An independent ethics and compliance department, separate from the legal and finance departments, and headed by a chief ethics and compliance officer who reports directly (or, at a minimum, through a dotted-line reporting relationship) to the board (or board committee), is the preferred structure.

Support of Board and Senior Management for Basic Programs
▪▪ Supposed to oversee the program
▪▪ Difficult to obtain or maintain board’s attention
▪▪ Need large-scale compliance and ethics failures to convince board that program is necessary
▪▪ Should give the individual overseeing the compliance and ethics program an opportunity to obtain resources

Support of Board and Senior Management for Best Practice Programs
▪▪ Understand the value of an effective compliance and ethics program
▪▪ More prone to allocate necessary resources
▪▪ Receive quarterly reports on major compliance and ethics risks from Chief Compliance Officer
▪▪ Align goals of program with strategic corporate initiatives and business goals
▪▪ Strong “tone at the top”

Assessing the Organization: Risk Assessment and Cultural Assessment

Regardless of where the organization is on the maturity curve, it is equally necessary for the organization to gauge its risks and to understand its corporate identity.

RISK ASSESSMENT

Every company must identify, prioritize and then manage its risks. For Basic programs, risk assessments typically involve an informal, ad hoc discussion with, or a surveying of, senior leaders regarding the risks that are of the highest priority within their business units. General risk management efforts include enhancing existing processes or procedures, updating organizational policies and implementing new (or renewed) training and communication programs. The governing authority of the company (e.g., the board of directors or board committee) requires some form of risk management report on an annual basis to help it assess the effectiveness of the organization’s compliance and ethics efforts.
In Best Practice programs, risk assessments are far more detailed and comprehensive, delving deeper into the company’s business units and workforce in their various locations, and are done periodically or on an ongoing basis. Best Practice programs solicit quantitative and qualitative input and utilize surveys, interviews and focus groups to solicit feedback from employees at all levels. In addition, Best Practice program risk assessments integrate with enterprise-wide risk management systems, assessing the organization and its activities as a whole, including lines of business, organizational structures, recent organizational changes, industry practices and geographic scope of operations. After gathering and analyzing all of this information, the compliance and ethics professionals running Best Practice programs prioritize risks (e.g., low, medium or high), keeping in mind that the Guidelines focus on criminal conduct but also recognizing that a strong corporate culture can provide important protection. With additional input from business unit leaders, the company with a Best Practice program implements a risk management plan, and the executive management team helps monitor program progress on an ongoing basis. In some companies, both the risk assessment and risk management responsibilities fall to the audit group, but the compliance and ethics professionals have some level of involvement in the risk assessment process and are fully aware of the assessment results.

It is essential, for all programs, from Basic through Best Practice programs, to report all findings, whether they are positive or negative, and to be prepared to address identified risks.

Risk Assessment in Basic Programs
▪▪ Conduct periodically
▪▪ Collect input from senior business leaders regarding highest priority risks
▪▪ Identify and prioritize risks (e.g., low, medium or high)
▪▪ Create risk mitigation plan
▪▪ Present risk management report to board of directors
▪▪ Board of directors should assess effectiveness
▪▪ Be prepared to address identified risks

Risk Assessment in Best Practice Programs
▪▪ Conduct annually
▪▪ Collect input from senior business leaders and employees at all levels
▪▪ Utilize surveys, interviews and focus groups
▪▪ Prioritize risks (e.g., low, medium, high)
▪▪ With additional input from business unit leaders, create risk mitigation plan
▪▪ Executive team should monitor progress
▪▪ Audit group may be responsible for risk assessment and risk management efforts
▪▪ Keep board of directors informed throughout the risk assessment process
▪▪ Integrate with enterprise-wide risk management systems
▪▪ Be prepared to address identified risks
CULTURAL ASSESSMENT

Understanding and communicating the company’s values and beliefs is a fundamental responsibility of the compliance and ethics function. To provide employees and other constituents with a common set of values and beliefs, companies need not only the input of senior leaders, but also the input of employees and other constituents.

In Basic programs, there is a tendency for compliance and ethics professionals to focus on their own perceptions — or the perceptions of selected senior leaders — of the company’s culture or what they want that culture to be. As a result, these programs tend to focus primarily on legal compliance risks such as antitrust, bribery, insider trading and the protection of company assets and information. Under this type of approach, the professionals tend to “check the box” as they develop communications and messaging that cover these basic risk areas.

In Best Practice programs, attitudinal or cultural surveys and assessments are important means of soliciting feedback and understanding on the common values shared within an organization. Whether through focus groups, online surveys or informal discussions, attitudinal or cultural surveys will allow compliance and ethics personnel to gather, analyze and synthesize employee perceptions and beliefs about compliance and ethics, including tone at the top and the role of mid-level managers. Beyond studying the first-hand views of employees as a critical step in risk analysis, more sophisticated cultural assessments use the attitudes of employees to deduce indirect risks. This information can then inform the compliance and ethics program and illuminate where communication and messaging is lacking and where it is most effective.

Attitudinal or cultural surveys and assessments also serve as a springboard for leadership development and training in a Best Practice program. By sharing results internally, managerial and supervisory personnel can reiterate and stress the organization’s values and the expectations for professional behavior up and down the chain.

Building a Foundation: Policies and Procedures

The foundation of any company’s compliance and ethics program is the Code of Conduct or Code of Ethics (Code). The Code defines expectations and guidelines for employee behavior and addresses issues that are most relevant to the company’s risk profile. In Basic compliance and ethics programs, Codes are commonly risk-based and tend to emphasize rules and use legalistic language. Codes for Basic programs are generally applicable to all employees, as well as to boards of directors and members of executive management. They may also apply to independent contractors and other third parties. In
addition, the company makes the Code more easily available by hosting it on an intranet or corporate website and may choose to distribute hard copies during the on-boarding process. Basic program policies are often dense and difficult to read and understand, and only reviewed on an ad hoc basis. And it is frequently difficult for employees to locate the most recent versions of applicable policies.

In Best Practice programs, the Code is typically part of a much larger initiative that involves ongoing reviews and updates, internal marketing, and training and communication. Reviewing and updating could include revising relevant sections to conform to changes in law or policy, or benchmarking the Code against industry peers and Global Fortune 500 leaders to help ensure a comprehensive, relevant and engaging document. To gain optimal traction with a company’s constituents, Codes in Best Practice programs tend to be values-based and reflect common attitudes and shared beliefs. In addition, these Codes often reference more detailed policies and procedures from which constituents can obtain additional guidance or assistance. Best Practice programs feature fully-branded and highly graphical Code designs that also serve as effective marketing collateral. The Code for a Best Practice program is a global document reflecting the laws and regulations of the different jurisdictions in which the organization does business. Globalization of the Code requires translating the document into the primary languages of the organization’s employees. Policies in Best Practice programs provide clear and comprehensive guidance, engaging content and direct application to employees’ jobs. Best Practice programs manage their policies proactively and make sure that policies are easy to find in a centralized location.

Codes in Basic Programs
▪▪ Define expectations and guidelines for employee behavior
▪▪ Applicable to all employees, directors and executive management
▪▪ Address issues that are most relevant to the organization’s risk profile
▪▪ Typically risk-based, emphasizing rules and using legalistic language
▪▪ Widely available and distributed during the on-boarding process
▪▪ May include mandatory and annual certification

Codes in Best Practice Programs
▪▪ Define expectations and guidelines for employee behavior
▪▪ Applicable to all employees, directors and executive management, as well as to agents, contingent workers and subsidiaries (if applicable)
▪▪ Global document reflecting requirements of different jurisdictions
▪▪ Translated into primary languages of the organization’s employees
▪▪ Address issues that are most relevant to the organization’s risk profile
▪▪ Typically values-based, reflecting common attitudes and shared beliefs of constituents
▪▪ Refer to detailed policies and procedures offering additional guidance or assistance
▪▪ Fully branded and highly graphical design
▪▪ Include mandatory and annual certification
▪▪ Part of overall program that includes:
–– Ongoing review and updates
–– Internal marketing
–– Training and communication
Best Practice programs also take steps to make sure that business partners comply with the general principles set forth in their Codes. Some organizations adopt Codes that are specifically applicable to their suppliers and require supplier certifications regarding receipt, understanding and compliance.

For all compliance and ethics programs, from Basic through Best Practice programs, it is important that employees read and understand the Code. To highlight Code compliance, all compliance and ethics programs should include mandatory annual Code certifications documenting that employees have read and understand the Code.

Reinforcing the Program: Education and Communication

In any effective compliance and ethics program, education and communication will play a vital role in both raising awareness and mitigating risk. Education equips the organization’s employees and constituents with the necessary tools to act ethically and in accordance with applicable laws and policies. Communication helps reiterate the educational components and helps ensure retention.

Most Basic programs require employees to complete a straightforward course that covers compliance with the general principles outlined in their Code. Their programs typically include at least one training initiative each year. For some companies, the same course is repeated each year without significant changes.

For Basic programs, it is helpful to assess the best means or methods for training and communicating with wide audiences. Online training and communication is an efficient and effective approach, enabling organizations to reach a broad audience and easily monitor completions. Live or “face-to-face” training and communication brings the message right to the employees’ workplace and facilitates discussions among managers and peers. It can be customized to reflect different business environments, challenges and risks, and can be used in concert with online learning to reinforce key points and key risk areas for high-risk audiences. With both approaches, it is equally critical that the company decide whether the education and communication will be voluntary or mandatory, and communicate those expectations to constituents.
All compliance and ethics programs should include annual education and communication plans. Although many training priorities in Basic programs are identified on a reactive or ad hoc basis, a more effective approach is to outline the annual training goals at the outset of each year and to then reevaluate them on an ongoing basis to respond to emerging issues and risks. Companies should also consider the results of any recent risk assessments or cultural surveys and, at a minimum, include subject matters, deployment timelines and responsible parties.

In Best Practice programs, annual education and communication plans are tailored to specific locations, departments and/or risk groups. As indicated in both the Guidelines and in recent CIAs, education and communication are both general and targeted, with general training geared toward all employees (e.g., Code of Conduct) and targeted training geared toward specific audiences (e.g., competition law training for sales employees), with periodic communications using a variety of tools and methods to reinforce training initiatives. Managers are trained on their role in a Best Practice compliance and ethics program and are expected to reinforce program messages with their teams.

To establish general and targeted education plans for Best Practice programs, compliance and ethics professionals will look not only at risk assessment or cultural assessment results, but will also solicit input from cross-functional groups within the organization. Best Practice programs designate compliance committees or compliance groups that meet quarterly or annually to discuss the progress of the compliance and ethics program and to assess education and communication needs and results. Best Practice programs take steps to measure training effectiveness and modify content and delivery methods as needed.

Best Practice programs also benefit from strong “tone from the middle”, whereby the organization’s managers and supervisors take an active role in the educational initiatives and help to further program communications and initiatives. In Best Practice programs, education and communication for managers is seen as part of their professional development, not simply a compliance and ethics obligation. Enlisting middle managers into the training process itself also helps them take ownership of compliance and ethics as part of their jobs and helps embed compliance and ethics in the workplace.

Education and Communication in Basic Programs
▪▪ Assess best means or methods for delivery (i.e., online versus live)
▪▪ Decide whether education and communication will be voluntary or mandatory
▪▪ Maintain annual education and communication plan

Education and Communication in Best Practice Programs
▪▪ Assess best means or methods for delivery (i.e., online versus live)
▪▪ Maintain annual education and communication plan, using results of risk assessments or cultural surveys as reference
▪▪ Provide for general and targeted training
▪▪ Solicit input from cross-functional groups within the company
▪▪ Maintain strong “tone from the middle”
▪▪ Require education and communication as part of professional development plans
Staying Informed: Reporting, Monitoring and Auditing

Reporting

Providing constituents with avenues for raising concerns and reporting misconduct is essential for any effective compliance and ethics program. While some companies use managers and supervisors as the first line of defense for employee or constituent reporting, others rely more heavily on communication channels such as hotlines and web submission sites.

Reporting channels are crucial for any compliance and ethics program. Mechanisms such as hotlines and web sites aid companies in identifying issues or concerns that might ordinarily go unreported or entirely ignored. In addition, hotline and web submission site reporting often allow for anonymity, depending on local law. By providing for anonymity, organizations enable employees and other constituents to voice issues or concerns with more honesty and candor, and without the fear of retaliation.

As organizations move up the compliance and ethics maturity curve, they take reporting a step further, providing additional reporting avenues such as comment boxes, fax numbers and mail and email addresses. Regardless of the form, organizations must take steps to ensure the security and integrity of all available reporting systems, including training managers and supervisors who might handle employee reports or concerns. By requiring adherence to standardized processes for addressing employee issues and concerns, companies can minimize missteps and ensure that reports are managed appropriately. Managers and supervisors must also be cognizant of – and reinforce – the organization’s anti-retaliation policy and maintain strict confidentiality to the fullest extent possible.
Companies with Best Practice programs go a step further, emphasizing the importance of open communications on issues relating to compliance and ethics. Ethics and compliance has a seat at the table as a functional part of the organization’s business, with visible and proactive support from senior management. To best achieve an open Speak-Up culture, the program focuses on ethical values in addition to strict compliance with legal and policy standards. Various elements of a Best Practice program, from training to reporting systems, are designed to help the company learn about and promptly handle questions and issues before they become major problems. For many of these companies, the hotline is viewed as a last resort – available as a resource but not something employees would typically use so long as they can raise their question or concern directly with one of their managers. Alternatively, some companies try to channel reports of misconduct to their corporate compliance departments and/or hotlines based on the idea that these types of issues can be best handled, and treated with greater confidentiality, at the corporate level. If reports are either mishandled or left unresolved, the compliance and ethics program will lose credibility, and the value of the available reporting avenues will decrease.
Companies with Best Practice programs also pay close attention to trends in reporting by looking at variables such as location of reports, timing of reports and the preferred mechanisms for making reports. Best Practice compliance and ethics programs also utilize widely available communication and marketing tools, such as posters, wallet cards and paystub inserts, to promote a Speak-Up culture and remind constituents of their reporting obligations and options. They provide employees with information about reports that are made and the results of their investigations.

For all compliance and ethics programs, from Basic through Best Practice programs, it is essential for the organization to address reports appropriately and in a timely fashion. To this point, an added level of transparency is recommended in a Best Practice program, allowing parties involved in the reporting of an incident to have access to the real-time progress or status of the incident investigation. This level of visibility builds trust in the process and reinforces accountability in the management of reported incidents.
Reporting in Basic Programs
▪ Allow managers and supervisors to serve as first line of defense for reporting
▪ Provide mechanisms such as hotlines and weblines
▪ Depending on local law, allow for anonymous reporting
▪ Ensure confidentiality to the extent possible
▪ Handle reports appropriately and in a timely fashion

Reporting in Best Practice Programs
▪ Ensure that managers and supervisors adhere to standardized processes for addressing employee or constituent issues and concerns
▪ Provide mechanisms such as hotlines and weblines
▪ Provide additional reporting options such as comment boxes, fax numbers, mailing addresses or email
▪ Take necessary steps to ensure security and integrity in all available reporting systems
▪ Pay close attention to trends in reporting
▪ Make constituents aware of reporting avenues and anonymity through communication and marketing
▪ Handle reports appropriately and in a timely fashion
Monitoring and Auditing

Effective monitoring and auditing of the compliance and ethics program is a common challenge for many organizations. In most Basic programs, the biggest hurdle is establishing reliable measurements for assessing program progress. As a starting point, compliance and ethics professionals who manage Basic programs review training records to ensure high completion percentages. Those individuals responsible for monitoring and auditing the program also evaluate existing policies and procedures on an ad hoc basis to reflect changes in applicable laws and regulations and for consistency with organizational messaging. Finally, compliance and ethics personnel in Basic programs analyze reporting statistics, paying particular attention to hotline and web submission reports.

In Best Practice programs, monitoring and auditing evolves from measuring outputs to measuring effectiveness. Monitoring and auditing can take place at the business unit or department level, with the results informing the organization’s more general risk management plans. Having greater resources available, Best Practice programs often benefit from direct insight into the inherent compliance and ethics risks throughout the organization. Some common tools for extracting that information might include questionnaires or surveys, employee interviews or exit interviews, focus groups and on-site visits. In most Best Practice programs, the compliance and ethics function is able to leverage, or work closely with, the audit group to monitor and audit the program. Best Practice programs typically include integrated and centralized systems that track the program, including training data, helpline calls, survey results and risk assessment findings. Analytics, often in dashboard formats, provide on-demand reporting and allow for high-level views of applicable metrics and reports.

Enforcing the Program: Appropriate Discipline and Incentives

Effective compliance and ethics programs include adequate and appropriate incentives for employees to perform their jobs ethically and responsibly. In addition, companies with effective programs clearly outline the potential disciplinary measures for engaging in unethical or illegal conduct and consistently use these measures when and as appropriate.

For Basic programs, it is often difficult to get beyond “check-the-box” performance evaluations and salary-based incentives. The company with a Basic program typically has a place in the annual performance evaluation relating to ethics and compliance. However, unless the employee has been subject to some form of disciplinary action for an ethics or compliance violation, the employee typically gets a generic “meets expectation” score in this area. Also, a common approach by many organizations is to withhold an employee or constituent’s year-end commission or bonus until all requisite compliance and ethics training is complete. In general, Basic programs tend to focus on the potential disciplinary measures for, or consequences of, illegal or unethical conduct. They outline potential consequences and discipline in the Code and other written policies primarily to better protect themselves from potential litigation and compliance failures.
In Best Practice programs, there is a greater balance of salary-based and non-salary-based incentives, and successes are celebrated and/or rewarded. Companies with Best Practice programs include ethics and compliance related performance objectives for senior managers and down through the rest of the organization. Ethics and compliance are considered in leadership development, promotions and rewards or recognition. In Best Practice programs, the specifics continue to evolve in order to make sure that the program provides appropriate and adequate rewards and incentives.

In addition, Best Practice programs aim to ensure that the disciplinary and enforcement processes are consistent, despite being dependent on individual circumstances, and use various reporting and monitoring systems to achieve this objective. Employees and constituents are also assured that management will respond to reports of misconduct and that there will be no double standards for high performers. By not turning a blind eye to a violation of law or policy or an ethical lapse, even when it involves top performers, and by celebrating and/or rewarding successes, the organization’s compliance and ethics program becomes even more credible and effective.

Incentives and Discipline in Basic Programs
▪ Difficult to get beyond salary-based incentives
▪ Focus on the potential disciplinary measures or ramifications for illegal or unethical behavior
▪ Outline potential consequences clearly in the Code or other written policies

Incentives and Discipline in Best Practice Programs
▪ Tend to have greater balance between salary-based and non-salary-based incentives
▪ Non-salary-based incentives include compliance and ethics as a consideration in leadership development, employee evaluations, promotions and rewards and recognition
▪ Disciplinary and enforcement processes more consistent
▪ Management will respond to misconduct
▪ No double standards for top performers
Program Assessment: An Important Foundational Step

Whether your program is just getting off the ground or it is well established, the objectives are the same: to reduce risk and promote ethical behavior. The previous sections provide a framework for an organization to see where its ethics and compliance program sits on an ethics and compliance program maturity curve. It is not easy, however, to measure the extent to which your program is achieving its goals. A more formal program assessment, which evaluates all of the necessary components of a compliance and ethics program (or specific program elements) in depth, provides a more effective way for an organization to evaluate the status of its program and to identify actionable steps for improving or enhancing specific program elements.

Conclusion

Given the continuous change and evolution within the compliance and ethics arena, the realization of a “fully Best Practice” corporate compliance and ethics program is a challenge. A more realistic approach for individuals who oversee compliance and ethics programs is to both monitor and assess their programs and to be aware of important developments in the regulatory landscape and in the ethics and compliance field. Both international and US regulators and authorities continue to stress the importance of effective compliance and ethics programs, and the onus is squarely on compliance and ethics professionals to continue to push their organizations and boards of directors for more visibility and greater support. By incorporating some elements of both Basic and Best Practice programs, companies can increase the effectiveness of their program and better avoid the stigma of a “check-the-box” program. These steps can be most effective, however, when they are grounded in and based on a formal assessment of the various elements of their compliance and ethics program.
© 2014 SAI Global Ltd. The SAI Global name and logo and Cintellate name are trademarks of SAI Global Ltd. Compliance 360 is a registered trademark of Compliance 360, Inc., an SAI Global company. All Rights Reserved. PAMCWP1402a

About SAI Global

SAI Global Compliance is the world’s leader in providing organizations with a wide range of governance, risk and compliance (GRC) products, services and technology that help build organizational integrity and effectively manage compliance risk. Our global staff includes professionals and subject matter specialists in advisory services; program design, management and implementation; instructional design; and software development. Our focus is to help establish and enhance compliance effectiveness. With well over a thousand organizations as clients and tens of millions of satisfied users around the world, we work with clients to integrate a flexible suite of solutions and services specifically tailored for a business and industry. Our products include the world’s largest library of compliance and ethics learning, Code of Conduct advisory services and training, and the Compliance 360® GRC Software Suite to manage compliance, policy, case and audit management. Our Cintellate™ EH&S Software addresses key issues in operational environmental health and safety management. For more information, please call us at the full service location nearest you or visit www.saiglobal.com/compliance