Corporate ethics and compliance is a complex field to master, and we can all benefit from a refresher crash course from time to time. For this reason, my next several blog posts will revisit some basics about the importance of corporate compliance, starting with the most fundamental question of all:
What is the Purpose of a Corporate Compliance Program?
The simplest definition is almost self-evident: a corporate compliance program exists to ensure that an organization complies with any laws or regulations that apply to it.
Once upon a time, that mostly meant dealing with regulatory reporting. The organization would need to file certain reports with the government from time to time — quarterly financial statements, health and safety alerts, annual billing reports for government grants or contracts, other types of reports; the list is endless — and compliance departments existed to confirm that the right data was recorded on the right forms, which were then filed with the proper agencies at the proper times.
Those basic concepts of adhering to rules, and documenting that adherence to the rules, still apply. Today, however, a corporate compliance program is much more about building and managing systems to ensure regulatory compliance all the time.
Why Have a Compliance Program?
Mostly because state, federal, and overseas prosecutors have stepped up their enforcement against corporate misconduct, including large monetary penalties. The best way for a company to avoid those penalties is to demonstrate that it genuinely was trying to obey the law, but a few scofflaws (either employees or other third parties working on your company’s behalf) violated the law anyway. Compliance programs generate that proof, which the company can then show prosecutors.
For example, if you train employees that bribing foreign government officials violates the Foreign Corrupt Practices Act (FCPA), and you can prove to the government: “Here are all our training records. You can see Bob took the training 12 times in 10 years. Here are our email records of him conspiring to violate the FCPA anyway” — if you can provide documentation like that, prosecutors are much more likely to pursue Bob personally, rather than sanction the company.
Failure to implement an effective compliance program would be equivalent to telling prosecutors, “Bob did what? He bribed who? Oh, uh — we had no idea. Our bad.” Suffice it to say, that response rarely helps a company avoid penalties.
An effective corporate compliance program demonstrates that your organization is aware of the rules and laws that apply to it, and takes reasonable, sincere steps to stay on the right side of those rules and laws. That’s it, really.
The Expansion of Corporate Compliance Programs
In practice, compliance programs have assumed many more duties over the last decade or so, because the risks to organizations have expanded. Many of those risks are still rooted in some regulatory compliance issue: trade sanctions, data privacy, labor standards, environmental, and so forth. But those risks also now spill over into threatening a company’s reputation with consumers, business partners, and other stakeholders — and preserving reputation with those groups is a high priority for boards and CEOs.
For example, the company might have several mid-level or senior managers who sexually harass entry-level employees. The risk of regulatory investigation into that misconduct exists, but it’s relatively small compared to litigation risk (employees filing lawsuits), reputation risk (consumers scorching the company on social media), or operational risk (firing executives who might have been eyed for more senior roles).
Hence companies have policies and procedures to address harassment, data privacy, onboarding for customers or third parties, and so many other issues. The compliance program exists to ensure that those policies and procedures address the company’s risks in a practical, effective manner. That could mean anything from developing new training to investigating complaints to studying data about how thousands of employees are (or are not) following policy.
You don’t just need a policy that says, “Don’t harass.” You need a system to ensure the company is trying to prevent harassment. Or bribery. Or data leaks, or trade violations, or innumerable other risks.
It’s a fascinating line of work when you think about all its challenges. And all those challenges are here to stay.