We all talk about compliance “programs”, but what do we actually mean as a practical matter (separate and apart from the “effective compliance program” definition found in the US Sentencing Guidelines)? A comprehensive compliance program contains a number of written guidelines, in various forms, for employees and agents. Some of these are policies, while others are procedures or controls. What is the difference and how should they be used when setting up a compliance program?
A policy is a statement of where your company stands with regard to certain risks. It may take the form of a mission statement or a simple overarching rule. For example:
CPC is committed to conducting its business in an ethical, honest and transparent manner. Bribery and corruption are not consistent with the Group’s values and present significant risks to its business and it is therefore committed to the prevention, deterrence and detection of bribery and corruption.
Under the Group Anti-Bribery Policy it is prohibited to offer, give, solicit or accept a bribe, whether cash or other inducement to or from any person or company.
Corporate policies form the backbone of a compliance program. However, a policy alone usually does little to teach employees and agents how to act when faced with a particular temptation or risk. That’s where procedures come in.
Procedures provide employees and agents with guidance about how to act under certain circumstances, so as to ensure that they do not violate corporate policies. For example, employees may be required to submit a request for finance department approval demonstrating a legitimate business purpose before offering to pay travel and lodging expenses for a prospective commercial customer. Other examples include having prospective agents complete a due diligence questionnaire and having field employees complete their own due diligence checklists as part of the agent pre-hire process.
Software is available to help generate forms and manage and track these review procedures, among other tasks. For instance, allowing employees to request checklists and other forms through an intranet compliance site, and allowing supervisors to review and approve these forms through the same site, can both expedite processing and help maintain consistent adherence to the covered procedures. Certain systems also have dashboard visualization and audit trail capabilities.
Controls, by contrast, are specific checks or gateways. They are often administered by accounting personnel, and help ensure that policies and procedures are followed to (1) safeguard assets, (2) authorize certain transactions, (3) monitor disbursements, and (4) help support the accuracy and validity of records—both financial and compliance-related. With particular application to the Foreign Corrupt Practices Act (FCPA) sphere, some are as simple as a requirement for two authorized signatures on checks above a certain amount or being used for a specific purpose, or limits on how much cash an employee can get from petty cash. Others are much more detailed and may be mandated by applicable audit or creditor requirements. But they are aimed at the same end goal: control and oversight of funds leaving the company, including an appropriate degree of transparency as to where the funds go and whether or not they are intended for legitimate purposes.
Policies, procedures, and controls help shape the conceptual and textual framework of a compliance program. However, the heart of any compliance program is the corporate culture—and the degree to which compliance is aligned with or inconsistent with that culture. Senior management, in turn, is essential to inspiring a culture where policies, procedures, and controls are not seen as “sales prevention,” but rather as an integral part of how the company operates. These various aspects of a compliance program are interdependent; for a program to be successful, each must be present and contributing.
In our next blog post, we will continue discussing compliance-related aspects of senior management’s role by focusing on how a company’s compliance function is resourced.