Elements of an Effective Compliance Program
In his FCPA Blog, Richard Cassin has written about an effective compliance program. He notes that the purpose of an "effective compliance program" is to prevent and detect criminal conduct. In his listing his provides suggestions for what constitutes an "effective compliance program." Cassin based his guidance on the United States Federal Sentencing Guidelines. He suggested the following:
1. A Written Program. A company must have standards and procedures in place to prevent and detect criminal conduct.
2. Board Oversight. A public company’s Board of Directors must be knowledgeable about the content and operation of the compliance program and must exercise reasonable oversight of its implementation and effectiveness.
3. Responsible Persons. One or more individuals among a company's high-level personnel must be assigned overall responsibility for the compliance program.
4. Operating and Reporting. One or more individuals must be delegated day-to-day operational responsibility for the compliance program. They must report periodically to high-level personnel on the effectiveness of the compliance program. The individuals must have adequate resources, appropriate authority, and direct access to the Board or Audit Committee.
5. Management's Record of Compliance. A company must use reasonable efforts not to hire or retain personnel who have substantial authority and whom a company knows or should know through the exercise of due diligence have engaged in illegal activities or other conduct inconsistent with an effective compliance program.
6. Communicating and Training. A company must take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance program, to directors, officers, executives, managers, employees and agents—by conducting effective training programs and otherwise disseminating information appropriate to the individuals’ respective roles and responsibilities.
7. Monitoring and Evaluating; Anonymous Reporting. A company must take reasonable steps a) to ensure that its compliance program is followed, including monitoring and auditing to detect criminal conduct, b) to evaluate periodically the effectiveness of the compliance program and c) to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby a company’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.
8. Consistent Enforcement—Incentives and Discipline. A company’s compliance program must be promoted and enforced consistently throughout a company through appropriate a) incentives to perform in accordance with the compliance program and b) disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.
9. The Right Response. After criminal conduct has been detected, a company must take reasonable steps to respond appropriately and to prevent further similar criminal conduct, including making any necessary modifications to a company’s compliance program.
10. Assessing the Risk. A company must periodically assess the risk of criminal conduct and take appropriate steps to design, implement, or modify its compliance program to reduce the risk of criminal conduct identified through this process.
In the coming weeks, we will review each of these suggested guidelines and provide nuts and bolts recommendations for you to use in crafting your own effective compliance program.