By now, you have no doubt heard from colleagues, contemporaries, independent auditors, outside counsel or a CLE/CPE program, or all of the above, that every public company must have an effective Compliance Program. You have learned that deterring “risky behavior” is at the top of the list for lawmakers and regulators, as evidenced by the Federal Sentencing Guidelines, proxy statement disclosures and the enactment of Dodd-Frank.
However, even after being bombarded with general pronouncements and information, you still may be unsure of what to actually do and where to start. This Compliance Program cheat sheet demystifies the what, why and how of enterprise risk management.
What is a Compliance Program? Don’t I already have one?
An effective Compliance Program, as contemplated by the various applicable laws and agencies, is an enterprise-wide, coordinated and comprehensive set of policies, procedures, roles and responsibilities structured to prevent and detect misconduct and promote an organizational culture that encourages ethical conduct and commitment to compliance with the law. Do you have one of those? The vast majority of public companies do not. Most companies have a collection of policies and procedures adopted over many years as various laws have been enacted. Many have not been reviewed recently and often little thought has been given to how they interrelate, the risks they address, their actual effectiveness and management/employee buy-in.
Aren’t Compliance Programs incredibly expensive?
They do not have to be. There will be costs, both in terms of money and resources, but they can be properly tailored to your company’s size and risk profile. Although it may be counter-intuitive, multiple studies clearly show that an effective Compliance Program actually saves many times its costs over the life of the program.
Who has time for this? I already have a day job.
Implementing an effective Compliance Program may seem daunting due to its enterprise-wide scope and multiple subject areas. The key to success is to build on the tools you already have in place and then bite off digestible tasks one piece at a time. An effective Compliance Program is built according to a well-constructed road map over time. It is not the result of a flurry of checklists that sap you of energy and are then stuck in a drawer.
Ok, you have convinced me. How do I get the ball rolling?
Take the path of least resistance by building on the enterprise risk management mechanisms already in place. The first step is to figure out what compliance policies and programs currently exist at your company and where they fall short of mitigating the risks faced by your organization.
1. Reconnaissance. Do some initial information gathering by pulling together existing policies and procedures. Often they are scattered across departments and business units, and the simple act of assembling them is a step forward.
2. Talk to People. Take members of senior and middle management to lunch or stop by their offices and ask them about what “keeps them up at night”, past compliance nightmares they have had and their “go-to” policies and procedures.
Talk to legal and compliance professionals from groups in which you are already a member about what compliance-oriented steps they are taking at their organizations. These may include trade industry associations, local chambers of commerce or bar associations.
3. Make a Solo Attempt. Based on your reconnaissance and internal and external discussions, make an initial attempt at identifying legal, compliance and reputational risks to the company, taking into account the probability and potential impact of noncompliance.
Review the steps for establishing and maintaining an effective Compliance Program outlined in the Federal Sentencing Guidelines (found at www.ussc.gov). Brainstorm as to how your company’s current compliance policies and processes meet, exceed or fall short of the Guidelines.
Also identify members of your risk management “dream team”; individuals that have the positions and leverage to champion compliance in the organization. These should include a Chief Compliance Officer, persons responsible for each risk subject area and individuals that may provide legal support to each. Keep in mind that it is best to choose individuals that are already informally managing risk in these areas.
4. Management Buy-In. Present your findings to key members of senior management, including the results of your informal risk assessment and examples of how the company falls short of the Guidelines. Use real-world examples that are pertinent to your company to demonstrate the positive impact an effective Compliance Program can have on the bottom line, both in terms of preventing violations in the first place and ultimately mitigating any financial or reputational exposure if something does go wrong. Have an open dialogue with senior management regarding how your organization can implement a Compliance Program that enhances the management process in a way that increases the organization’s chances of achieving its business goals.
5. Path Forward. The stage is now set for the program’s ultimate design and implementation, both enterprise-wide and within each risk area. Remember to use the enterprise risk management mechanisms that are already in place as a starting point and “tweak” them. For instance, if a specific department or business unit uses certain software for monitoring data and has success, it may be ideal for use enterprise-wide.
Also, do not be surprised that as your organization grows and changes, so too will its risk management needs. Continue the open dialogue with senior management and key personnel that you initiated at the start of the process. This will go a long way to recognizing any new risks the company faces and necessary changes in the way the organization addresses them.
The misperception that a Compliance Program must be based on complicated risk calculations and complex monitoring processes and procedures prevent many organizations from taking the necessary steps towards a coordinated, enterprise-wide effort to manage risk. The reality is that the path towards effective compliance consists primarily of taking inventory of what risk management mechanisms you have in place, assessing their scope and effectiveness and filling in the gaps. The reasons to implement effective Compliance Programs in the current climate, the clear trend in legislation and regulations and the proven increased bottom line value are too compelling to ignore.
Additional Articles from the Summer 2011 Public Company Forum:
The SEC’s New Whistleblower Rules: Now What?
Dodd-Frank Act Progress Report: Summer 2011