Introduction
Frameworks
Since the mid-1980s, organizational compliance and ethics (C&E) efforts have been structured around frameworks, starting with the Defense Industry Initiative on Business Ethics and Conduct in 1986, which targeted US defense contractors. In 1991, the U.S. Sentencing Commission promulgated another framework, the Federal Sentencing Guidelines for Organizations (FSGO), that gave other companies and organizations a reason to consider instituting compliance and ethics management. The FSGO used a “carrot-and-stick” approach to encourage organizations to adopt its framework. The approach worked by mitigating sanctions for organizations convicted of federal crimes if they had previously implemented effective compliance and ethics management activities, and exacerbating such sanctions for organizations that failed to adopt this framework. What’s more, through the FSGO, federal prosecutors had leeway in charging organizations, and judges had discretion in determining the fine range based on an organization’s compliance and ethics efforts.
Since 1991, other influential frameworks have augmented our understanding of successful C&E management, including the following:
- 2002 US Sarbanes-Oxley Act
- New York Stock Exchange (NYSE) Corporate Governance Standards (303A.10 Code of Business Conduct and Ethics); and the Finance Industry Regulatory Authority (FINRA) Corporate Governance Requirements (5610 Code of Conduct)
- US Federal Acquisition Regulations (FAR) Subpart 3.10—Contractor Code of Business Ethics and Conduct
- US Department of Justice Guidelines for Federal Prosecution of Business Organizations
- Organisation for Economic Co-operation and Development (OECD) Good Practices Guidance on Internal Controls, Ethics and Compliance
- UK Bribery Act Adequate Procedures
- US Department of Justice/Securities and Exchange Commission FCPA Best Practices.
(This is not a complete list of C&E-related frameworks.)
Continuing Framework Evolution
The FSGO and other frameworks have evolved since their inception. This demonstrates an evolving understanding of what constitutes successful C&E management. For instance, with the FSGO, these revisions have included new emphasis on ethics in a program, a focus on an organization’s ethical culture and the importance of a C&E risk assessment and program continuous improvement, as well as credit for a strong C&E program, even if misconduct is tied to an employee.
C&E Management Components
The FSGO and other frameworks that influence our contemporary understanding of C&E management suggest several components for effective management. These components include:
- C&E program management: structure, accountability, oversight, and recordkeeping
- Ethical culture and leadership engagement
- Risk assessment
- Standards of conduct, policies, and procedures
- Communications and education
- Delegation of authority
- Guidance and reporting channels
- Misconduct handling: investigations, discipline, remedies, and reporting to authorities
- Incentives for compliance and ethics
- Monitoring and auditing
- C&E program assessment and improvement
- Third-party management
Ethics and Compliance Program Value Proposition
Though C&E programs are not always required under the law, many companies opt to implement a program partly to mitigate potential penalties and other sanctions that could be levied against them should something go wrong. This is exactly what the US Sentencing Commission had hoped for. Further, such programs can offer much more value than a mitigation of any sentences. Wise leadership understands the business argument—even imperative—for effectively managing C&E and how doing so not only contributes to the bottom line but also to the organization’s long-term success. Such a program can:
- Reinforce a company’s core purpose and values and their link to operational success.
- Establish and reinforce leadership’s expectations for the way to conduct the organization’s business, both for baseline and aspirational conduct.
- Build employees’ abilities to address C&E issues and leadership’s efforts to build and maintain a responsible business culture.
- Better align the organization, its hierarchies, operational units, functions, and locations around a common set of operating principles and standards that helps to foster a uniform, consistent approach to conducting business—one that employees, customers, and others can rely on.
- Improve internal controls, especially regarding C&E risks.
- Better communicate the organization’s commitment and approach to responsible conduct to customers, suppliers, regulators, and other stakeholders.
- Strengthen employee engagement, employee retention, and recruitment of desired applicants.
Paper Versus Effective Programs
Much has been written about the challenges of a paper program that is not likely to meaningfully reduce C&E violations. Such a program is one where an organization has taken certain steps called for in a framework, such as a code of conduct, various policies, some training, and a reporting hotline, but no real effort is made to ensure that these efforts work or are meaningful. An effective program, by contrast, is typically one where management:
- Implements steps that provide the best possibility of an effective program.
- Periodically assesses use and effectiveness of the program.
- Takes steps to improve program performance based on these assessments.
Tailoring the Program
Every organization is different: in size, industry, geographic reach, local culture, leadership’s objectives and risk appetite, and other factors. A compliance and ethics framework is just that—a place to start, not a recipe. It serves as an overarching methodology with which each organization can craft its own specific strategies and plans. In some cases, certain framework components may not appear to apply. Each organization’s management must thoughtfully consider how a framework should be applied to their organization to yield the best outcomes.
Resources within this Manual
- “The History of the Organizational Sentencing Guidelines and the Emergence of Effective Compliance and Ethics Programs,” by Kathleen Cooper Grilli, earlier in chapter 2.
- “Beyond the Sentencing Guidelines: Governing Directives, Guidelines, and Standards from the United States,” by Rebecca Walker, earlier in chapter 2.
In the following sections, Objectives, Considerations, Activities, and Assessing Success provide common and often important factors for an organization’s leadership to consider but are not meant to be exhaustive of all factors. Each organization needs to identify the factors most relevant to its own situation.
1. C&E Program Management: Structure, Accountability, Oversight, and Recordkeeping
Example Standards
- The organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program [and] shall exercise reasonable oversight….
- High-level personnel… shall ensure that the organization has an effective compliance and ethics program….
- Specific individual(s) within high-level personnel shall be assigned overall responsibility….
- Specific individual(s)… shall be delegated day-to-day operational responsibility… Individual(s) with operational responsibility shall report periodically to high-level personnel and… to the governing authority… on the effectiveness of the compliance and ethics program.
- Such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority. (US Sentencing Guidelines Manual, Chapter 8)
Objectives
A C&E program’s structure, accountability, oversight, sufficiency of resources, and recordkeeping are all critically important to the program’s level of effectiveness. The FSGO provides important guidance regarding this component. At the same time, each organization should identify a solution that best fits its needs and characteristics. These decisions affect the program’s overall operations: A system that is too onerous and bureaucratic will likely yield a program that stalls; if the system is too lean, the program is unable to make a meaningful impact on employees’ behaviors.
Considerations
When determining the appropriate program management, an organization should look at some key factors, which include:
- The organization’s hierarchical structure (i.e., centralized vs. decentralized, management reporting scheme, the type and function of oversight bodies)
- The scope of the C&E program (for instance, which business units will it most impact?)
- The C&E program’s independence from other functions, its leadership’s seniority level, and reporting lines to senior leadership and the board
- Key regulatory oversight and industry trends that will influence the C&E program’s priorities
- The expected role of human resources, internal audit, information technology, and other support functions (how can these functions help contribute to the program’s success?)
- The adequacy of resources needed to build and maintain an effective C&E program
- Development of a strategic plan that addresses industry benchmarking and best practices, priorities from a risk assessment, and the availability of relevant resources
- The need to maintain records that demonstrate the C&E program’s activities and outcomes
These issues will influence how the organization can best design its C&E program and ensure it is appropriately accountable to achieve expected outcomes.
Activities
The steps to develop and maintain the C&E program management typically include the following:
- Designation of an oversight body—the organization’s governing body (e.g., board of directors or one of its subcommittees) almost always serves this role.
- Designation of high-level leadership with overall responsibility for the C&E program.
- Designation of operational (i.e., day-to-day) C&E leadership—typically assignment of a chief C&E officer. It also may include a leadership-staffed C&E committee, which can have oversight, program management, or coordination roles.
- C&E program structure—this includes the C&E officer’s reporting line to organizational leadership and the oversight body, the program’s functions (such as training, investigations, communications), and any additional staffing, such as liaisons in different business units, locations, and functions.
- Periodic reporting on C&E program activities, outcomes, and effectiveness to organizational leadership and the oversight authority, usually by the operational C&E leader.
- Coordination of the C&E program with other groups, such as business units, location offices, and support functions.
- Education of the oversight body and organizational leadership of their respective C&E program responsibilities.
- Development of a C&E records management plan that will support demonstration of the program’s activities and outcomes, especially with an audit or government inquiry.
Assessing Success
Determining the success of a C&E program’s management can be multi-layered. A regular program assessment can help identify success indirectly. More specific indicators, however, may include, for example, the effectiveness of program coordination efforts, the oversight body’s response to program reports and periodic evaluation of these reports, senior leaders’ satisfaction with the program, and the program’s effectiveness in reaching employees throughout the organization. This evaluation should be specific to the organization’s characteristics and needs and in the context of the board’s and senior leadership’s overall duties in promoting C&E. Of course, the existence of C&E program records will weigh heavily on the ability of its leadership to demonstrate actions and success.
Resources within this Manual
- “Structuring the Chief Ethics and Compliance Officer and Compliance Function for Success,” by Donna C. Boehme, in chapter 3.
- “Board Engagement, Training, and Reporting,” by Brian L. Whisler and Aleesha J. Fowler, in chapter 3.
2. Ethical Culture and Leadership Engagement
Example Standards
- To have an effective compliance and ethics program… an organization shall… otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law. (US Federal Sentencing Guidelines Manual, Chapter 8)
- Any credible compliance programme must be built on a firm foundation of management commitment and supported by a ‘top-down’ compliance culture. (EU Commission “Compliance Matters” brochure)
Objectives
Numerous research studies articulate the distinction between C&E program activities and an organization’s broader ethical culture, which may be influenced by efforts outside of the C&E program.[2] This research also reinforces the importance of leadership at various levels in reinforcing an ethical culture. In fact, an effective C&E program should involve efforts to influence the organization’s ethical culture and to engage leadership as part of this effort and as both promoters and enforcers of the C&E program.
Considerations
In determining how to build, reinforce, strengthen, and sustain an organization’s ethical culture, C&E leadership should consider a number of factors. First and foremost, the organization’s leadership should be effectively engaged: They need to understand the importance of an ethical culture, the levels needed to build and sustain it, and their role in fostering it. This is especially true of the organization’s senior leadership, though it is also an important focus for mid-level and front-line leadership. A second key consideration is the role of the organization’s core purpose (or mission) and values in setting a compelling, long-term direction and the influence that has on employees’ conduct. Some companies distinguish between a “values-based” C&E program that is rooted in the organization’s core values versus a “rules-based” program, where laws and regulation serve as the overarching focus. Third, the role of the C&E program itself will play a critical role in reinforcing an ethical culture.
Activities
To begin with, it can be helpful for an organization to identify the organizational attributes that reflect an ethical culture. These attributes may include: its purpose, expressed values, heritage, and leadership style, to name a few. Also, the research referenced earlier can offer some important considerations. With this effort, the organization now can assess the current state of its ethical culture to determine the need for improvement and strengthening.
Next, leadership should identify how C&E program activities can influence the ethical culture. Many C&E program activities can have a role here—authoring and distributing a code of conduct and policies, communication and training, guidance and misconduct reporting channels, to name a few.
Of course, none of these efforts will have much effect if not supported by the organization’s leaders—to the extent that C&E staff can engage and enable leadership. C&E staff, working closely with the organization’s leadership at all levels, can have a profound impact on its ethical culture. Reinforcing the corporate purpose, values, heritage and style through setting standards of conduct; communicating and training employees to heed them; upholding them through incentives and disciplinary action; providing employees with guidance on responsible actions—all these are the “bread and butter” of an ethical culture. What’s important is actively engaging leaders at all levels to accept their role in influencing the ethical culture and reinforcing and supporting the organization’s C&E program. This may begin with assessing leadership’s current understanding of, commitment to and reinforcement of the ethical culture and C&E program so that C&E staff can identify ways to build and support leadership’s efforts.
Assessing Success
The organization should plan for initial and periodic assessment of the ethical culture and the degree to which leadership actively supports it. It also should assess the C&E program’s impact on the culture, such as through the effectiveness of C&E training, the code of conduct, investigative and disciplinary processes and other program activities. Assessment techniques can involve a review of C&E materials, employee surveys, management interviews, employee focus groups and other approaches.
Resources within this Manual
- “The Role of Ethics, Compliance, and Culture in Reducing Risk of Misconduct,” by David Gebler, in chapter 1.