With regard to ethics, training and communication initiatives should reflect

Although a one-size-fits-all compliance and ethics program does not exist, Chapter Eight of the Guidelines Manual[3] outlines seven basic compliance elements that can be tailored to assist organizations in developing an effective compliance and ethics program. It is critical that there is demonstrated commitment to these seven basic elements:

  1. Standards, policies, and procedures

  2. Compliance program administration

  3. Communication, education, and training

  4. Monitoring and auditing

  5. Internal reporting systems

  6. Discipline for noncompliance

  7. Investigation and remediation measures

Every organization strives for this effective program in the hopes of gaining some level of protection for having an effective compliance and ethics program. In addition, the elements have been massaged by the compliance and ethics industry, as they have been implemented in actual compliance and ethics program models. The industry has now defined the following as the components of an effective compliance and ethics program (not all inclusive):

  • Code of conduct and relevant compliance policies and procedures

  • Oversight and accountability by the board for the compliance program

  • Education, communication, and awareness

  • Delegation of authority

  • Enforcement, discipline, and incentives

  • Monitoring and auditing

  • Internal investigations, including a root cause analysis and corrective action plans

  • Consistent and fair discipline

  • Risk assessments

  • Effectiveness assessments of the compliance and ethics program

  • Ongoing program improvement

While the cost and the time involved may seem daunting, the cost of not having an effective compliance and ethics program could be much higher. Compliance is not cheap. Yet as a Department of Justice official notes, “[C]ompliance programs make good sense—both good common sense and good business sense. Compliance programs help prevent companies from committing crimes in the first place. Even if they fail to do so, partially successful compliance programs may help companies qualify for leniency. Either outcome easily warrants your companies’ efforts to adopt and strengthen compliance programs.”[4] An effective compliance and ethics program is a sound investment.

It is always important to note that each organization needs to tailor its compliance and ethics program to its specific mission and ethical values. Your organization may have stricter guidance that includes additional elements. This manual does not include every compliance and ethics element used by every organization globally. But it tries to address the standard used by most organizations—the elements listed above.

Additionally, note that while the seven elements provide a standard structure and framework for the compliance program, every compliance program can and should look different from another organization’s compliance program. A compliance program should be tailored to the size and complexity of the specific organization and should be operating according to that organization’s unique risk profile. And as your organization changes, the risk profile evolves, and the regulatory landscape shifts, the compliance program must keep pace and evolve to remain effective.

Many new compliance and ethics officers come into programs that have none of these elements. Some come into their new office with some or broken pieces of these elements. Keep in mind that effective compliance programs do not happen overnight.

Element 1: Standards, Policies, and Procedures (a Code of Conduct)

An organization should have an established set of compliance standards and procedures. These standards should not be a “paper only” document, but a living document that promotes organizational culture that encourages ethical conduct and a commitment to compliance with applicable regulations and laws.

The first of the Guidelines Manual’s prescribed compliance elements requires that “The organization shall establish standards and procedures to prevent and detect criminal conduct…‘Standards and procedures’ means standards of conduct and internal controls that are reasonably capable of reducing the likelihood of criminal conduct.”[5] These two documents, the standards or code of conduct and the policies and procedures, become the tools upon which you can build your compliance and ethics program.

Code of Conduct

First and foremost, the code of conduct demonstrates the organization’s overarching ethical attitude and its system-wide emphasis on ethics and compliance with all applicable policies, laws, and regulations. The code is meant for all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. This includes the board, management, staff, vendors, suppliers, volunteers, and independent contractors, which are frequently overlooked groups. From the board of directors to volunteers, everyone must receive, read, understand, and agree to abide by the standards of the code of conduct. The code should be written in a simple and concise manner that is reader friendly. It is not recommended that an organization include policies and procedures in its code. Scenarios and examples are great to explain how to handle a situation. An eighth-grade reading level is recommended. Simple and concise does not mean generic, however. The contents of the code of conduct will need to be tailored to the organization’s culture and risk profile and to its industry and corporate identity. Also, institutions with a diverse constituency should consider providing the code of conduct in a foreign language, or even braille as appropriate. Policies and procedures should not be included in the code, but a link to those that are relevant should be considered for inclusion.

The code of conduct provides a process for proper decision-making for doing the right thing. It elevates corporate performance in basic business relationships and confirms that the organization upholds and supports proper compliance conduct. Managers should be encouraged to refer to the code of conduct whenever possible, even incorporating elements or standards into performance reviews, and compliance with the standards must be enforced through appropriate discipline when necessary. Disciplinary procedures should be stated in the standards, and the penalty—up to and including termination—for serious violations of the standards of conduct must be mentioned to emphasize the organization’s commitment.

Content Checklist

  • Demonstrates system-wide emphasis on compliance with all applicable laws and regulations

  • Written plainly and concisely so all employees can understand the standards

  • Translated into other languages, as appropriate

  • Includes links to internal policies and external regulations

  • Includes expectations for employee actions with internal affairs and other employees, as well as with external affairs and contractors and clients

  • Mentions organizational policies without completely restating them

  • Is consistent with company policies and procedures

  • Includes management’s responsibility to explain and enforce the code

Communicating to Employees Checklist

  • Employees must receive, read, and understand standards

  • Compliance officer, supervisor, or qualified trainer explains standards and answers questions

  • Employees attest in writing upon hire and annually they have received, read, and understood standards

  • Employee compliance with standards enforced through appropriate discipline when necessary

  • Discipline for noncompliance with the code stated in standards

Purpose Checklist

  • To present overarching guidelines for employees to follow

  • To confirm that all employees comprehend what is required of them

  • To provide a process for proper decision-making

  • To require that employees put standards into everyday practice

  • To elevate corporate performance in basic business relationships

  • To confirm that the organization upholds and supports proper compliance conduct

In addition, see Appendix 2-A, “Sample Letter to Vendors,” for an example of a letter describing the company’s code of conduct.

Policies and Procedures

Whereas a code of conduct provides guidelines for business decision-making and behavior, the compliance and ethics policies and procedures are specific, and address identified areas of risk. Most organizations already have an employee manual that outlines all human resource-related policies and procedures, and they may have other operational policies and procedures specific to certain business practices or operations. Whenever possible, compliance policies and procedures should be integrated into existing policies, and all policies within an organization should be consistent with laws, regulations, industry requirements, and general compliance. In fact, as part of the implementation of a compliance and ethics program, and while in the process of drafting compliance policies and procedures, all other policies within the organization should be reviewed and revised as necessary. While it is imperative that the organization have policies and procedures, it cannot be emphasized enough that the only thing worse than not having a policy is having a policy and not following it.

Develop your policies and procedures carefully. Organizations should have procedures that guide the development of policies. Take care that they are realistic, measurable, and enforceable. Lofty goals and platitudes may seem appealing, but they are too frequently open to interpretation. Involve those that are affected by the policy in its development. Assure that the policies have a stated timeline for revisions and that someone is identified as accountable for the policy.

Two types of compliance policies and procedures should be developed by every organization: structural and substantive. The structural policies create the framework—the nuts and bolts of how the compliance and ethics program will operate. The substantive policies define the applicable regulations that apply to the organization and how to operate compliantly within those regulations. They also indicate the risk areas applicable to an organization and describe appropriate and inappropriate behaviors about those risk areas. Both the structural and the substantive policies and procedures are essential to a compliance and ethics program so that the rules to which employees will be held accountable and the method for enforcing the rules are clearly documented.

Structural policies and procedures should be developed to address the following:

  • Directives or mission of the compliance and ethics program

  • Revision of existing and creation of new policies and procedures (including distribution and updating requirements)

  • Compliance program oversight, including role and responsibility of the board of directors, the CEO, the compliance officer, and the compliance and ethics committee, if applicable

  • Educational requirements

  • Nonretention of sanctioned individuals and noncontracting with sanctioned contractors or vendors

  • Policy for method for anonymous reporting and nonretaliation for reporting[6]

  • Auditing practices

  • Monitoring practices

  • Method for responding to reports of possible misconduct

  • Method for responding to internal and external requests for documents or to external investigations, search warrants, and/or subpoenas[7]

  • Disciplinary action plan

  • Self-disclosure process

  • Record retention

  • Operational accountability[8]

Substantive policies and procedures should be developed to address the following:

  • Process for preparing financial reports (including preparation of worksheets and supporting documents)

  • Process for preventing inappropriate actions in specific risk areas

  • Process for ensuring appropriate behavior in specific risk areas

  • Types of and processes for internal assessments of risk areas

  • Content and frequency of audits

  • Documentation requirements

Policies and procedures, like the code of conduct, must be living documents, not just in a binder on a shelf or online. They must become an integral part of the day-to-day operations of the organization. That is what regulators will look for. Are the policies and procedures appropriate, considering the organization’s risks? How are the policies and procedures applied every day? Are they incorporated into performance reviews? Educational programs? Are they reviewed and updated according to a schedule and in a timely fashion? Revising policies and procedures is something like painting the Golden Gate Bridge: Just when you think you’re finished, you have to start again at the beginning. Again, standards of conduct, policies, and procedures are the tools of compliance and ethics, but they must be used and sharpened to be effective.

Element 2: Compliance Program Administration

An organization should have the appropriate high-level personnel overseeing the compliance and ethics function, with a specific executive given overall responsibility. These compliance personnel should have accountability as to the success or failure of the compliance and ethics program. Adequate resources must be dedicated to implementing the program. The organization’s governing structure—in many cases the board of directors—must exercise reasonable oversight of the implementation and effectiveness of the program.

An organization should designate a compliance officer to serve as the focal point for compliance activities. Whether the position is full time or part time will depend on the size, scope, and resources of the organization. Also, according to the Guidelines Manual, assigning the compliance officer appropriate authority is critical to the success of the program. On a specific level, for example, the compliance officer must have full authority to access any and all documents that are relevant to compliance and ethics activities. This includes documents such as financial statements and supporting documents, contracts with suppliers and agents, and other billing and accounting records. In the big picture, “appropriate authority” comes from the unquestionable backing by the CEO and board of directors or its equivalent, typically the sources of ultimate authority and respect.

Appropriate authority and the full backing of the board of directors and management are consistent with the Guidelines Manual’s call for “Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program….To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.”[9] This is logical, because it is generally the board that launches the compliance initiative and/or approves the hiring of the compliance officer. Board members should be actively involved in interviewing and hiring the compliance officer. The board will be an important part of the compliance officer’s reporting structure.

There are considerable conflicts involved in having the compliance officer report to the general counsel or to the chief financial officer. Separation of compliance from legal and finance, when possible, helps ensure that legal reviews and financial analyses are independent and objective. Many compliance officers report directly to the organization’s CEO and/or the board of directors. It is most important that the compliance officer be independent.

The size and setting of your organization will influence its reporting structure. It is recommended that the board or its appointed committee have at minimum a “dotted line” or indirect reporting relationship with the compliance officer.

The compliance officer’s duties also will vary depending on size and scope of the program. The main focus of the position should be the day-to-day operations of the compliance and ethics program. Primary responsibilities should include the following:

  • Designing, implementing, overseeing, and monitoring day-to-day operations of the compliance and ethics program

  • Reporting on a regular basis to the organization’s governing body, CEO, and compliance and ethics committee

  • Assessing effectiveness of the compliance program and revising the program periodically as appropriate

  • Developing, coordinating, and participating in a multifaceted educational and training program

  • Ensuring that independent contractors and agents are aware of the organization’s compliance and ethics program requirements

  • Serving as a source of information for employees, management, contractors, and the board

  • Ensuring that appropriate background checks are done to eliminate sanctioned individuals and contractors

  • Assisting with internal compliance review and monitoring activities

  • Independently investigating and acting on matters related to compliance

  • Conducting risk assessments and working with management to prioritize risk and develop mitigation plans

Compliance is still a relatively new field. Most compliance officers therefore may not have extensive previous experience in compliance. This unique position requires an individual who understands the nature of the business or industry, is capable of understanding and questioning financial and billing statements, is knowledgeable of applicable legal requirements and sanctions that may be imposed in the industry for wrongdoing, has strong written and verbal communication skills, and is firm yet approachable. Whatever the tenure or the educational level, the compliance officer, as the focal point of the program, must be a figure who is respected and trusted throughout the organization. Strong interpersonal skills, good listening abilities, and discretion are mandatory. (See Appendix 2-C, “Sample Compliance Officer Job Description.”)

As the compliance and ethics profession has grown and matured, it has, like other professions, sought to identify and distinguish those in the field who have, with experience and education, achieved the necessary skill set to be an effective compliance officer. There are now several compliance-related certification and degree programs.

Moreover, compliance officers are also stewards of a public trust, and therefore the services provided must be of the highest standards of professionalism, integrity, and competence. The SCCE’s Code of Professional Ethics for Compliance and Ethics Professionals addresses three principles, which are broad standards of an aspirational nature. They include:

Principle I: Obligations to the Public—Compliance and ethics professionals should abide by and promote compliance with the spirit and the letter of the law governing their employing organization’s conduct and exemplify the highest ethical standards in their professional conduct in order to contribute to the public good.

Principle II: Obligations to the Employing Organization—Compliance and ethics professionals should serve their employing organizations with the highest sense of integrity, exercise unprejudiced and unbiased judgment on their behalf, and promote effective compliance and ethics programs.

Principle III: Obligations to the Profession—Compliance and ethics professionals should strive, through their actions, to uphold the integrity and dignity of the profession, to advance the effectiveness of compliance and ethics programs, and to promote professionalism in compliance and ethics.[10]

These principles and the accompanying more detailed rules of conduct should be reviewed, studied, and adhered to by all compliance officers. To view the entire code and an analysis of its meaning, see Chapter 1.

The compliance officer may be the focal point of a compliance and ethics program, but they cannot be the only point. An essential role of the compliance program is engaging leaders, managers, and employees, so those in the organization understand that being compliant is everyone’s responsibility.[11] The formation of a multidisciplinary compliance committee can be an effective addition to the program and can help empower leaders and managers to actively promote compliance and “own” compliance in their areas of purview. The compliance committee should be established to advise the compliance officer, assist in the implementation of the compliance program, and further engage leaders and/or managers in compliance. The organization will benefit from having varying perspectives, such as operations, finance, audit, human resources, social work, and legal, as well as employees and managers of key operating units on the committee.

The compliance officer’s role within the compliance committee can vary. In some organizations, the compliance officer sits on the committee. In others, the compliance officer may even chair the committee. Regardless of who chairs the committee, the compliance department will likely be responsible for scheduling meetings, preparing the agenda, taking and distributing minutes, and coordinating follow-up.

Compliance committee functions, in addition to aiding and supporting the compliance officer, may include, but not be limited to, the following:

  • Analyzing specific risk areas

  • Assisting with the development of standards of conduct, policies, and procedures

  • Annually reviewing the compliance plan

  • Reviewing relevant industry guidance and new information regularly and integrating it into the compliance and ethics program

  • Determining the appropriate strategy to promote compliance

  • Participating in the risk assessment process

  • Empowering and helping hold accountable operational leaders and managers for compliance in their areas of purview (i.e., reporting on specific risk remediation efforts and internal controls)

The importance and potential influence of the compliance committee cannot be overstated. Look for committed individuals who will be strong, visible, and vocal advocates for the compliance and ethics program. Furthermore, the committee should be made up of individuals representative of each unique department in the organization so that they can communicate to the rest of the committee and the compliance officer the compliance and ethics activities and risk areas within their department, and in turn communicate back to their respective departments the organization’s compliance and ethics requirements. The committee is a vital source of information both to the compliance officer and the rest of the organization.

Which is one of the goals of ethics training?

The goal of different types of ethics training is to teach employees to make good decisions that are consistent with your company's culture. This may need to be reinforced in a variety of situations over time as your industry changes.

What are the elements of an effective ethics training program?

Essential elements of an effective ethics and compliance program:

  • Standards, policies, and procedures

  • Compliance program administration

  • Communication, education, and training

  • Monitoring and auditing

  • Internal reporting systems

  • Discipline for noncompliance

  • Investigation and remediation measures

Which of the following is not a goal of ethics training?

Which of the following is not a key goal of employee ethics training? Increase the percentage of employees who report incidents of misconduct.

Which of the following is the main objective of ethics?

The objectives of ethics are to study and assess human behaviour. It is also to establish principles and moral standards of behaviour. Ethics is not compulsory in a person's life and it is not forced upon anyone but being ethical is one step forward towards being a good person.