Regulatory compliance is no longer something that only mega corporations need to implement. An enterprise of any size is fair game for regulatory scrutiny, which makes the economic and reputational risks of noncompliance too costly at every level. But what elements comprise a strong compliance program, and how many of those elements does your compliance program include?
Below we outline 12 key elements of a rock-solid compliance program. While this list is drawn from our experience in the commodities markets (CFTC, FERC and other regulators), we think these elements apply across many industries, regardless of regulator or business type. Still, we acknowledge that each enterprise is potentially unique and different regulators have different priorities. Nevertheless, we invite you to peruse our list to see how your company compares.
1. Strong compliance starts with a culture of regulatory compliance. The importance and desirability of compliance with all applicable regulations must be a shared value at all levels of the enterprise, from the board of directors to entry-level employees. Promoting and supporting every employee's efforts to achieve "strict compliance" with all applicable regulatory requirements, plus all internal company policies and codes of conduct, provides the backbone for a strong compliance program.
2. A compliance program must be designed to monitor, detect and prevent violations. It starts with a compliance manual that is well documented, clearly stated, easy to read, and innovative in the way it appeals to employees. Too many times, authors of a compliance manual stop when they have recited the applicable regulations and rules. Simply mandating that employees read and re-read the compliance manual falls short. A compliance manual must inform employees what the regulator and the company expect in terms of compliance, but an even better manual is an innovative tool that employees return to frequently in their day-to-day work.
3. After a company has suffered the embarrassment and expense of one or more regulatory penalties, its compliance program will likely be modified to involve oversight by the board of directors. But why wait for that to happen? Regulators take a favorable view when a company's board of directors (a) exercises reasonable oversight with respect to implementation and effectiveness of a compliance program, (b) is knowledgeable about the content and operation of the compliance program, (c) devotes significant meeting time to compliance issues, and (d) receives periodic updates regarding industry specific risks, as well as internally reported compliance issues.
4. A strong compliance program is supervised by an officer or other high-ranking official of the company. This role could be split among different high-ranking officials, but the goal is that the high-ranking official (a) has regular interaction with the persons assigned responsibility for implementation of the compliance program, and (b) provides regular updates to senior management regarding the status of the program and any issues.
5. The company should designate a "compliance official"—in other words a compliance officer. The individual should have independent access to the CEO and the board of directors and should report periodically to senior management. Depending upon the size of the company, the compliance officer may be a high-ranking official or a different individual serving in a separate role. In either case, the compliance officer should hold day-to-day operational responsibility for the compliance program and be given adequate resources and authority to effectively perform the functions of the job. Such responsibilities should be formally captured in a job description or other recorded means.
6. Companies should perform background checks on prospective employees who will have substantial discretion as part of their job function. Hiring an individual who the company knew or should have known had engaged in violations or comparable conduct at a prior employer will count against the company during a regulator's review of the company's compliance program. Checks should be performed at the time of hiring and when an individual is promoted into a position of authority (checks might include education, driving history, criminal history, employment history and regulatory enforcement proceedings).
7. A robust compliance program will include frequent and meaningful employee training. The frequency and quality of training should ensure that employees have a working knowledge of both governmental regulatory requirements and company expectations (i.e., the importance of compliance to the company). Training should be provided to employees at every level of a company; penalties are often highest when senior management is involved in a compliance violation.
8. An effective compliance program includes an ongoing process for auditing and monitoring conduct. For audits, the auditor should have whatever access is needed to effectively conduct the audit. The auditor should be independent from the group being audited. As for monitoring, the company should have in place an internal reporting system for monitoring conduct and reporting potential and actual violations. Employees should be encouraged to report misconduct and compliance issues promptly and, if desired, anonymously.
9. A compliance program should periodically assess risks—both actual and potential. Frequent review can ensure that new controls and compliance measures are implemented to meet newly identified risks. For example, an individual conspiring to manipulate a market, and aware of a company's current compliance tools, may develop a way to avoid detection. The company's compliance program must consider that risk and continuously improve its systems to monitor, detect and prevent inappropriate behavior. A company should also analyze peer company violations in order to implement controls to avoid similar violations.
10. Companies should periodically stress-test a compliance program's response to different hypothetical situations; such periodic assessment can ensure necessary revisions to detect, report and prevent noncompliant behavior. The frequency of evaluation should be determined by the amount of legal risk the company perceives based on industry trends, regulatory agency activity and its own compliance history.
11. A successful compliance program is promoted and enforced consistently. Policies and procedures regarding compensation and promotion should take into account an employee's compliance or noncompliance.
12. A company's ability to take prompt corrective action in response to a violation may help limit exposure going forward. For many regulators, a company can reduce penalties for violations through prompt and full self-reporting to authorities, full cooperation with a regulatory investigation from the inception, disciplinary actions for noncompliant employees, and prompt action to correct the adverse impact on customers or third parties. It is best for an enterprise to understand these mitigating options and establish a process before a violation occurs.
So, how does your company's compliance program compare?