
InfoPAKSM  

Effective Compliance and Ethics Programs for the Small Law Department – Doing More With Less


Effective Compliance and Ethics Programs for the Small Law Department – Doing More with Less

Updated August 2010

Provided by the Association of Corporate Counsel
1025 Connecticut Avenue, NW, Suite 200
Washington, DC 20036 USA
tel +1 202.293.4103
fax +1 202.293.4107
www.acc.com

This InfoPAKSM provides corporate counsel with an overview of the Federal Sentencing Guidelines’ requirements for an effective ethics and compliance program and suggests useful strategies for the small legal department for creating and maintaining such a program. This document reorganizes and distills the baseline “hallmarks” set out in the guidelines into ten essential tasks, with numerous tools and sample resources included.

The information in this InfoPAKSM should not be construed as legal advice or legal opinion on specific facts, and should not be considered representative of the views of Corpedia, Inc. or ACC or any of its lawyers unless so stated. This InfoPAKSM is not intended as a definitive statement on the subject but rather to serve as a resource providing practical information for the reader.

This material was compiled by Corpedia, Inc. For more information on Corpedia, Inc., visit www.corpedia.com or see the “About the Author” section of this document.

 

 

For more ACC InfoPAKs, please visit http://www.acc.com/infopaks  


Contents

I. Introduction and Overview
II. The Business and Legal Cases for Compliance
    A. The Business Case
    B. The Legal Case: The Federal Sentencing Guidelines – Not Just About Crime and Not Just About Sentencing
III. One Size Does Not Fit All
IV. The Top Ten Essential Tasks
    A. Task One: Create an Appropriate Organizational Structure
        1. Federal Sentencing Guidelines Requirements
        2. Gain Support Without Adding Headcount
    B. Task Two: Assure Individuals Responsible for the Program have Adequate Resources, Appropriate Authority, and Direct Access to the Board
        1. Adequate Resources
        2. Appropriate Authority
        3. Direct Access to the Board
        4. Accessing Resources
    C. Task Three: Educate Your Board: What Does Effective Oversight Look Like?
        1. The “Responsible Corporate Officer Doctrine”
        2. Changes to Delaware Law
        3. What Does Effective Oversight Look Like?
    D. Task Four: Assess Your Legal and Regulatory Risk
    E. Task Five: Establish Appropriate Standards and Procedures
        1. Code of Conduct
        2. Policies and Procedures
    F. Task Six: Establish an Effective Training and Communications Program
        1. Communicate, Communicate, Communicate
        2. Train on Your Key Compliance Risk Areas
    G. Task Seven: Establish a Reporting Mechanism (Ethics Hotline)
    H. Task Eight: Implement the Carrot and Stick Approach
    I. Task Nine: Screen and Test the Tone at the Middle
    J. Task Ten: Keep Your Program Effective – Monitoring, Auditing, Assessing, and Revising
        1. Monitoring and Auditing
        2. Periodically Evaluating Effectiveness
V. Conclusion
VI. About the Author
VII. Sample Tools, Forms, and Policies
    A. Tool One: Organizational Structures for Corporate Compliance
    B. Tool Two: Sample Chief Compliance Officer Position Description
    C. Tool Three: Sample Corporate Compliance Committee Charter
    D. Tool Four: Sample Compliance Policy and Procedure
    E. Tool Five: Sample Periodic Report to the Board
    F. Tool Six: Roadmap for an Effective Compliance and Ethics Program – Ten Things the Board Must Know (Presentation)
    G. Tool Seven: Sample Investigation Matrix
    H. Tool Eight: Sample Employee Compliance Survey
    I. Tool Nine: Sample Employee Exit Interview Questionnaire
VIII. Additional Resources
IX. Endnotes

 


I. Introduction and Overview

There are myriad studies and surveys showing – especially in the wake of the economic downturn – that the pressure on in-house counsel to do more is growing.1 One major responsibility that often falls to a corporation’s legal department is ethics and compliance; when the legal department is small (five lawyers or fewer), implementing and maintaining a compliance program is yet another task piled on to an already very full plate. Even when a compliance committee approach is used, as is seen in 59 % of corporations currently,2 and the day-to-day responsibilities of program management are not immediately within the purview of the legal department, the department’s resources are still frequently sought. Accordingly, the purpose of this InfoPAKSM is to update the guidance that has been provided to smaller law departments in the past, and to provide personnel who are tasked with compliance with: background information on the requirements of a compliance program, practical advice on how to establish and run an effective program, and tools to use when evaluating and administering such a program.

II. The Business and Legal Cases for Compliance

For some time, the overwhelming argument for an effective compliance program was simply the threat of regulatory activity and the legal “credit” an organization could receive for having such a program. While the importance of regulatory activity certainly should not be discounted, there is another argument — the business case — that we turn to first.

A. The Business Case

A key component of the business case for an effective ethics and compliance program can be found in the costs resulting from non-compliance, including fines, penalties, the threat of debarment, and legal fees. While those costs alone can be quite significant, other costs must be factored in as well, including loss of employee morale and productivity, retention costs, and brand degradation. Indeed, recent research indicates it can take a brand six to ten years to fully recover from a significant compliance failure – and that the total costs of a failure are five to ten times the costs of fines and penalties, on average.3

Other research has shown that ethical companies outperform their competitors in the long run, sometimes by nearly double. The following graph compares the stock performance of companies identified by the Ethisphere Institute as the “100 World’s Most Ethical Companies,” against the S&P 500 and FTSE indexes over the past several years.4

Copyright © 2010 Corpedia, Inc., and Association of Corporate Counsel

This performance boost stems from avoiding the litany of non-compliance costs described above. Employees working for well-run, ethical organizations are more productive, tend to work for their organizations longer (lowering overall recruiting costs and raising productivity), and tend to be happier in their jobs. A recent survey of Stanford MBA graduates revealed that they would be willing to take a pay cut of as much as 15 % to work for a company with a good ethical reputation.5 Companies with good compliance programs really do live the old adage “an ounce of prevention is worth a pound of cure,” spending less money on reactive investigations and more time on proactive training and communications.

B. The Legal Case: The Federal Sentencing Guidelines – Not Just About Crime and Not Just About Sentencing

Business justifications aside, the existence of a substantial and growing regulatory framework justifies the creation and continued development of a robust compliance program in organizations of all sizes. An effective compliance and ethics program is one of two factors in the Federal Sentencing Guidelines that can reduce an organization’s sentence (whether a fine, suspension, disbarment, or other punitive action) in the event of criminal conduct by one of its employees or agents (the other factor is whether the organization self-reports, cooperates with prosecutors, and/or accepts responsibility).6

Following the Congressional mandate in the Sarbanes-Oxley Act, the United States Sentencing Commission amended the Guidelines to ensure they are sufficient to “deter and punish organizational criminal misconduct.” In so doing, the Commission noted “the prior diligence of an organization in seeking to prevent and detect criminal conduct has a direct bearing on the appropriate penalties and probation terms for the organization if it is convicted and sentenced for a criminal offense.”

Proposed revisions to the Guidelines (likely to be adopted in the fall of 2010) expand on the existing hallmarks of an effective ethics and compliance program. Under these amendments, organizations will receive additional credit for having an effective ethics and compliance program, even when the organization’s high-level personnel are involved in an offense, so long as four criteria are met: (1) the compliance professional has “direct reporting obligations” to the governing authority such as the audit committee of the board of directors; (2) the compliance program is effective at ferreting out wrongdoing; (3) the misconduct is self-reported; and (4) no individual with operational responsibility for the program participated in, condoned, or ignored the illegal conduct.7

The criterion of particular relevance to a small legal department is that the individual with operational responsibility for the program must have “direct reporting obligations” to the board of directors or its designated committee. The associated comments state that “direct reporting obligations” are situations where that individual has “express authority to communicate personally to the governing authority or appropriate subgroup thereof (A) promptly on any matter involving criminal conduct or potential criminal conduct, and (B) no less than annually on the implementation and effectiveness of the compliance and ethics program.”8 This recent change underscores the increased importance of providing timely information to the board regarding misconduct, as well as information about the organization’s compliance program generally.

In addition, the U.S. Department of Justice factors the existence of a robust compliance program into the decision of whether or not to settle or otherwise waive prosecution of a corporation under investigation. Thus, a robust compliance program can not only reduce a company’s fine or sentence in the event of a prosecution, but it can also assist a corporation in initially avoiding formal prosecution in the event of misconduct by an employee or agent. The DOJ is not the only agency active in this area – the Securities and Exchange Commission, operating under the framework of the Seaboard Report, recently established a task force focused specifically on fraud and corruption. Recent changes to the Federal Acquisition Regulations (“FAR”) mandate “minimum internal controls,” a code of business conduct and ethics, and training for government contractors of a certain size and any subcontractors they may have. Finally, recent changes to Delaware corporate law as well as an increased willingness of regulators to apply the responsible corporate officer doctrine and place senior executives in jail have raised the profile of compliance efforts.

All of this means that considering the Sentencing Guidelines or any of their agency counterparts irrelevant, except in a sentencing scenario, puts a corporation at extreme risk. In the event that something goes wrong, the regulators involved, both domestically and overseas, will generally ask both before and during sentencing:

■ Is the organization’s compliance program well designed?

■ Has it been implemented or is it only a “paper program?”

■ Is it effective?

■ Is it staffed sufficiently?  

III. One Size Does Not Fit All

The recent changes to the FAR set forth ethics and compliance program requirements closely mirroring the hallmarks established by the Guidelines for contractors doing business with the federal government. While the FAR and the Guidelines list several aspects to be included in such a program, they do not provide detailed guidance as to how organizations should address each element, leaving those decisions to the organization’s discretion. Therefore, when developing a compliance program for your organization, in addition to giving thought to factors such as the size and structure of your company and the industry in which it operates, you should also consider the risks your company faces, looking to both risks that are systemic to your organization and risks that are unique to your industry.

This InfoPAKSM is intended to help the small legal department enhance its program, and so the baseline “hallmarks” set out in the Guidelines are reorganized and distilled below into ten essential tasks. Resource issues are addressed and tools are supplied as they relate to each task. However, the Guidelines include some built-in flexibility to allow you to design your program to fit your organization and industry, so take into consideration the following questions:

■ First, what industry are you in? Benchmark your program against best practices of companies in your space and of your size. While the Guidelines serve as a framework, regulators generally understand that one size does not fit all, and the activities and practices of leading companies in your industry will influence how your program is judged.

■ Second, what size is your organization? The Guidelines clearly recognize that compliance obligations will differ based on each company’s differing risks; the larger the organization as a whole (though not, alas, the size of the organization’s legal department or the amount of resources allocated to compliance), the larger and more formal the program must be.

■ Third, what does your organization’s history tell you about its risks? Prior misconduct must be addressed both by disciplining the individual involved and by fixing the holes in the program that allowed such misconduct to happen in the first place.

Using these elements of risk—industry, size, prior history—allows the small legal department to direct resources in such a way that they will have the greatest impact.

IV. The Top Ten Essential Tasks

A. Task One: Create an Appropriate Organizational Structure

1. Federal Sentencing Guidelines Requirements

The Guidelines require that “high-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program as described in this guideline” and that “specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program.”9 Under the Guidelines, “‘High-level personnel of the organization’ means individuals who have substantial control over the organization or who have a substantial role in the making of policy within the organization. The term includes: a director; an executive officer; an individual in charge of a major business or functional unit of the organization, such as sales, administration or finance; and an individual with a substantial ownership interest.”10

Proposed changes to the Guidelines also require (discussed supra) that the person responsible for the program have a direct reporting line to the Board of Directors, and there is also an increasing preference being shown by regulators (though it is not yet explicitly required by the Guidelines) for a structure that splits the roles of Chief Compliance Officer and General Counsel, which can put significant strain on the resources of a smaller legal department.

2. Gain Support Without Adding Headcount

In general, compliance departments are slimly staffed; the majority of organizations surveyed by the Association of Corporate Counsel and Corpedia had fewer than five full-time employees dedicated to managing their companies’ ethics and compliance programs.11 Since simply adding employees is likely not a viable option in the current economic climate, an effective way to gain support for compliance goals is through the appointment of ‘compliance champions’.

Compliance champions are often instituted by organizations to lend assistance to overtasked compliance departments. In addition to helping with the rollout of compliance initiatives, compliance champions can serve as conduits for gathering information on certain business units or operations in select geographic areas. This function is invaluable, particularly when the compliance champions serve in locations that are somewhat isolated from corporate headquarters. Compliance champions can also help spread the corporate message through a unique voice, helping the company develop a culture of compliance organically from within the ranks of employees, rather than simply handing it down from the top.

Periodic meetings of compliance personnel and your organization’s compliance champions can also be immensely informative, aiding in the collaborative development of new training and communication initiatives and affording an opportunity to discuss ethics and compliance issues or reports, which can then be monitored and tracked. While compliance personnel will still be tasked with overseeing and organizing compliance initiatives at a high level, compliance champions will be able to assist greatly in effectively implementing and directly monitoring these initiatives.

Where a small legal department should look specifically to find compliance champions is slightly different for each organization, but companies will generally lean on compliance-related positions such as human resources, internal audit, and finance personnel. This is not always necessary, though; ultimately, you should be looking for leaders, whether formal or informal, to whom others look for guidance. Consult with business unit leaders and ask them whom employees naturally go to with questions in their regions or units. Once these personnel have been identified, they should be provided with training on the compliance program: why it matters, the resources it makes available to them, and who to contact with questions. They can then serve as a conduit for ongoing compliance-related communications, discussed in Task Six, infra. If the compliance champion approach is taken, the person tasked with overseeing the program must be sure to regularly check in with them to see what questions are being asked and what issues are being raised.

Use these included tools:

■ Sample Organizational Structures for Corporate Compliance (Tool One, Section VI).

■ Sample Chief Compliance Officer Position Description (Tool Two, Section VI).


B. Task Two: Assure Individuals Responsible for the Program have Adequate Resources, Appropriate Authority, and Direct Access to the Board

The Guidelines and FAR require “[a]ssignment of responsibility [for an ethics and compliance program] at a sufficiently high level and adequate resources to ensure effectiveness of the business ethics awareness and compliance program and internal control systems.”12 Once the organization designates the individual(s) with overall and day-to-day responsibility for its ethics and compliance program, create an organizational chart accurately reflecting the reporting lines to and from those persons. Under the Guidelines, these reporting lines should include a direct reporting line from the person with overall or day-to-day responsibility to the Board (or a Board committee).13 Make sure to update the chart to reflect organizational changes as they occur. For larger organizations, consider using a compliance committee to ensure effective oversight – assigning the entire program to a single employee can quickly become overwhelming, or that employee may fall behind when other tasks arise. Oversight personnel should also always have an eye towards efficiency, consolidating tasks whenever possible and prioritizing risks, paying attention to those with the greatest likelihood and/or the greatest potential severity.

1. Adequate Resources

When determining whether your compliance program has adequate resources, consider:

■ The size of your organization (by number of employees or total assets).

■ The industry you are in (particularly the regulatory environment – is your industry highly regulated, lightly regulated, or a stated target of regulatory attention?).

■ The complexity of your company’s transactions.

■ The geographic range of your operations (either directly or through use of distributors, resellers or agents).

■ Applicable industry practices.

■ Potential areas of significant risk/liability (discussed in Task Four, infra).

Benchmarking your program against your peers is also particularly important: regulatory authorities are increasingly considering not just whether a program meets or exceeds the standards set forth in the Guidelines but also whether the company is doing as much as or more than its peer organizations.

2. Appropriate Authority

When considering whether the person(s) with day-to-day responsibility for the program has appropriate authority, ask:

■ Do they convey the right “tone from the top?”

 


■ Do they secure the assistance, cooperation, and attention of high-level personnel?

■ Do they have experience and seniority comparable to compliance officials in peer companies?

■ Do they have the authority to establish compliance policies and procedures?

■ Do they have direct access to the board and are they comfortable using it?

It can often be tempting to assign responsibility for a compliance program to a relatively low-level employee, since they may have more time to devote to the program and fewer other responsibilities to distract them. However, such an assignment might appear to downplay the importance of the program. A better course of action is to assign responsibility for the program to someone of sufficient seniority and authority and utilize other resources (including other employees, such as the compliance champions discussed supra) to help them effectively oversee the program.

3. Direct Access to the Board

Board oversight is becoming an increasingly critical component of an effective program – indeed, the revisions to the Guidelines make direct access to the board a key element. Direct access is important for bringing two types of information directly to the board without the potential filtering or influence of senior members of the organization: reports on the current features and performance of the program and reports of top-level executives’ involvement in or support for inappropriate conduct. Giving these kinds of reports directly to the board assists the board in fulfilling its oversight obligations, which, as discussed in Task Three, infra, has become even more critical after recent changes to Delaware law and other legal guidance.

4. Accessing Resources

The challenges associated with implementing and administering an effective program without adding headcount are a major rationale behind the use of ethics and compliance committees. Indeed, survey results show that small companies in particular use such an approach: 75 percent of smaller organizations reported using such a committee.14 A committee approach can be used to develop an overall compliance plan, track trends occurring across the organization, and deploy your risk assessment (discussed in Task Four, infra). Committee members can also help communicate the goals and objectives of the program throughout the organization, diversifying the tone from the top and integrating it more fully throughout your organization.

Use these included tools:

■ Sample Corporate Compliance Committee Charter (Tool Three, Section VI).

■ Sample Compliance Policy and Procedure (Tool Four, Section VI).


C. Task Three: Educate Your Board – What Does Effective Oversight Look Like?

The Guidelines require that the board (or an appropriate subcommittee) be “knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.”15 Additional developments since the adoption of the Guidelines, including the use of the responsible corporate officer doctrine, changes to Delaware law, and proposed changes to D&O insurance terms, have made board involvement in the compliance and ethics program even more critical.

1. The “Responsible Corporate Officer Doctrine”

The responsible corporate officer doctrine arose from two U.S. Supreme Court cases decided over thirty years apart.16 In essence, the doctrine holds that corporate officers and directors can be held criminally liable for corporate violations of public welfare statutes imposing strict liability under the following conditions: the individual occupies a position of responsibility and authority in the corporation, has the power to prevent the violation, and fails to do so. Consequently, liability attaches even when the officer or director did not participate in or authorize the unlawful act, but merely failed to prevent it – in the two cases referenced above, the Court found corporate officers liable despite the fact that they lacked involvement or personal knowledge of the violation.

Over time, federal and state prosecutors have successfully applied this doctrine to executives for violations arising in the health care industry, as well as violations of the Sherman Act, securities laws, and environmental laws. Additionally, the U.S. Attorney’s Office and the DOJ have made comments implying that they will increasingly use this doctrine to hold directors and officers responsible for corporate malfeasance in civil and criminal antifraud actions.17 With this increased discretion, a prosecutor’s decision to seek liability for a certain director may now hinge upon factors such as the committee on which the director served, their meeting attendance, or their role in general.18 Along with the potential for civil liability under Delaware corporate law for violating the director’s duty of loyalty, this doctrine has made serving as a director a much more dangerous proposition than in the past and requires the exercise of much greater care.

2. Changes to Delaware Law

a. In re Caremark

In 1996, the Delaware Court of Chancery’s opinion in In re Caremark made waves in the compliance and corporate law communities.19 Although the outcome of the case itself was not particularly significant, its dicta proved to be groundbreaking in the ethics and compliance field. As reflected in the Court’s opinion, Caremark (a prescription benefits manager that has since merged with CVS) had a practice of entering service contracts with physicians who improperly prescribed Caremark products and services to Medicare patients. While these contracts were not legally prohibited, they did raise the specter of unlawful kickbacks. Caremark’s board of directors attempted to monitor these contracts internally and even sought legal advice regarding their permissibility. Nevertheless, after the Department of Health and Human Services and DOJ instituted an investigation, Caremark and two officers were indicted. The company pled guilty to a single felony count of mail fraud and agreed to pay approximately $250 million in civil fines and criminal reimbursements.

Following the resolution of the case, several shareholder derivative suits were filed and consolidated, alleging that Caremark’s board of directors breached their fiduciary duty of care by not being aware of employee misconduct. According to the court’s opinion, under their duty of good faith, directors have an obligation to ensure not only that a corporate information and reporting system exists, but also that the board finds the system adequate. The court issued the following standard for assessing director liability when directors are unaware of employee misconduct that leads to corporate liability:

Generally where a claim of directorial liability for corporate loss is predicated upon ignorance of liability creating activities within the corporation . . . only a sustained or systematic failure of the board to exercise oversight – such as an utter failure to attempt to assure a reasonable information and reporting system exists – will establish the lack of good faith that is a necessary condition to liability.20

While this standard was dicta, it instituted a much keener awareness of the importance of board oversight of ethics and compliance programs and had a substantial impact on related best practices.

b. Stone v. Ritter

Ten years after Caremark, the Delaware Supreme Court clarified its language in Stone v. Ritter,21 a similar shareholder derivative action brought against fifteen present and former directors of AmSouth Bancorporation. The suit alleged that the directors failed to ensure the existence of a reasonable compliance and reporting system for violations of the U.S. Bank Secrecy Act and other money laundering laws, resulting in $50 million of fines and penalties against the bank. In writing the Stone opinion, the court directly addressed the extent to which a director must ensure the existence of an information and reporting system and otherwise oversee an ethics and compliance program. In essence, the Stone Court reiterated much of the Chancery Court’s dicta in Caremark. In addition, the Stone Court built on its much-heralded earlier decision in In re Walt Disney Co., which stated that directors’ duty of good faith is separate from their duties of loyalty and due care.22 The court then explained that the duty at issue in Caremark and Stone, to establish and oversee compliance systems, is a subset of the duty of loyalty–an important distinction because unlike situations where directors fail to exercise due care, corporations cannot limit or eliminate directors’ liability for violating their duty of loyalty. The Stone Court also reaffirmed the necessary conditions for holding directors liable for a failure of oversight set out in Caremark.
Directors may be held liable if they completely failed to implement a reporting or information system or controls or, “having implemented such a system or controls, consciously failed to monitor or oversee its operations, thus disabling themselves from being informed of risks or problems requiring their attention.”23 The Stone decision has significantly impacted the field of ethics and compliance largely because it converts the dicta of Caremark into law, incontrovertibly declaring that directors may be liable for damages resulting from legal violations committed by employees of their corporation. Under Stone, if
directors fail to implement a reporting or information system or fail to monitor such systems, they are liable for any misconduct (and furthermore, as a breach of their duty of loyalty, their liability is unlimited). Stone is also interesting for the factors it looked to in determining whether board oversight of AmSouth’s ethics and compliance program was adequate, which drew heavily on those in the Guidelines, focusing primarily on the structure of oversight of compliance systems at the bank (e.g., the position of the compliance officer and the role of the board’s oversight committee), but also discussing the qualifications and organization of the staff designated to implement the program, training, and policies, as well as the effectiveness of the monitoring systems in place. These changes, plus the recent trend of many insurance companies to consider compliance program oversight in their D&O insurance premium review process, make it even more critical to provide the Board with the training and information necessary to effectively discharge their obligations. Training is often dismissed by directors, and many people may think they receive overlapping training by sitting on more than one company’s board. However, mandating specific training on the organization’s code of conduct and the organization’s individual and industry-specific risk areas is critical for directors. Not only does such training protect the organization, it also protects the directors themselves from civil and/or criminal liability.

3. What Does Effective Oversight Look Like?

Since the implementation of Sarbanes-Oxley, most corporations have notified their audit committees when the corporation receives allegations of suspected misconduct and the company responds to those allegations.24 A majority of companies also require board approval of the company’s code of conduct and any related major policies.25 Communication of such information continues to be very important but is still far short of the amount of information required for the board to exercise appropriate oversight. Boards must receive expanded information regarding the company’s compliance activities in order to be in full compliance with the requirements of the Guidelines. For example, boards should also periodically receive information about:

■ The structure of the compliance program and whether the compliance officer has sufficient authority and resources to implement the program.

■ The structure of the company’s reporting system and the company’s policies for responding to suspected misconduct.

■ The types of compliance training employees and others are required to complete and any modifications to those training requirements.

■ The company’s risk assessment process, its results, and the methods developed by the company to prioritize and address the risks it identifies.

■ The way in which the company audits the implementation of the compliance program and looks for substantive violations, especially in high-risk areas.

■ Employees’ perceptions of the culture of compliance at the corporation, management’s commitment to compliance, and any fear of potential retaliation for reporting suspected misconduct.

 

This information should be provided to the board on a timely and regular basis. Under the Guidelines, it is appropriate and an emerging best practice to provide summary or overview information on the company’s program to the entire board on an annual basis, and in most companies, compliance officers report to the board’s compliance subcommittee at least quarterly.26

Use these tools:

■ Sample Periodic Report to the Board (Tool Five, Section VI)

■ Sample PowerPoint Presentation for the Board To Educate the Members About Their Compliance-Related Responsibilities (Tool Six, Section VI)

■ “The Importance of Board Oversight” white paper, available upon request from [email protected].

D. Task Four: Assess Your Legal and Regulatory Risk

The Guidelines require that as part of implementing a compliance program “the organization shall periodically assess” the effectiveness of the program to ensure that the program is not merely a stagnant or placeholder “paper program,” but instead is a living, growing entity which quickly responds to new or changing risks.27 Recent changes to SEC regulations have made board oversight (and the consequences of a lack thereof) an additional reason to conduct regular compliance program risk assessments. Compliance program risk assessments (not to be confused with ERM assessments) are designed to prevent and address misconduct by measuring the likelihood of misconduct (i.e., whether employees understand and follow the rules), the likelihood of the company discovering that misconduct (i.e., whether employees and supervisors are comfortable asking questions and raising concerns) and thus getting credit under the Guidelines for self-disclosure, and the ability of the compliance program to reduce the former and increase the latter. Despite the clear benefits of a robust risk assessment, a staggering number of companies continue to spend compliance dollars without first determining whether the expenditure will actually serve its purpose. For example, survey results reveal that only 39% of organizations conducting business outside the United States provide a mandatory training session on bribery and corruption. Even more surprising, only 25% of organizations subject to the Sarbanes-Oxley Act have mandatory training on financial integrity and only 21% offer training specifically on SOX compliance.28 In order to avoid seeing your organization’s compliance spending return only marginal results, refashion it so that it centers upon the compliance risks your organization faces.
By engaging in an ethics and compliance risk assessment, your organization can analyze the effect risks have on the organization, prioritize these risks, and develop options and actions to reduce the threat they pose. However, organizations often confuse or conflate ethics and compliance risk assessments with general corporate-wide risk assessments, and are uncertain about the scope, frequency, and structure they should use. As an increasing number of organizations have begun to institute ethics and compliance risk assessments, many leading practices have started to emerge, such as:  

 

 


■ Examine all major areas of misconduct. A common mistake organizations make when conducting compliance risk assessments is limiting the potential universe of risks assessed to a preconceived list of likely high-impact risks. Rather, a proper ethics and compliance risk assessment considers the full realm of potential risks systemic to the average organization, as well as those that are unique to the industry in which the organization operates.

■ Examine risk contextually. To be effective, the ethics and compliance risk assessment must examine the controls, processes, and procedures designed to prevent compliance failures, as well as assess the effectiveness of individuals in positions of substantial authority in recognizing and preventing compliance breakdowns. Examining risks not only on their own, but also within the context of the organization’s ability to plan for, prevent, or mitigate those risks is crucial to properly prioritizing a response.

■ Address current and potential risks. An effective ethics and compliance risk assessment should consider risks that currently exist, as well as any activities that are currently legal but could reasonably be questioned and cause issues in the future.

■ Review internal and external information. Ethics and compliance risk assessments should include an examination of internal corporate documents, historical incidence reports, and information from the industry at large. To be adequately predictive, the ethics and compliance risk assessment should include not only compliance breakdowns and failures, but also near misses.

■ Include participants from all levels of the organization. When collecting and assessing potential risk areas, ethics and compliance risk assessments should involve personnel across various disciplines and seniority levels. This can be accomplished through workshops, focus groups, surveys, and interviews.

■ Consider impact and likelihood of occurrence. Compliance risk assessments should weigh risk areas according to their organizational impact and likelihood of occurrence. By assigning quantifiable weights or ratings to each relevant risk area, organizations will be able to rank them appropriately.

■ Document the outcome. The outcome of the compliance risk assessment should be documented and converted to a defensible action plan. This plan should include not only a description of the process followed in the assessment, but also the actions that were subsequently taken to design, implement, or modify the compliance program.

■ Be defensively objective. The compliance risk assessment process should assess fairly the full universe of the organization’s potential risks, including existing acceptable industry practices. Resist the temptation to ignore or deemphasize risks simply because they may be costly to address either from a financial or internal political vantage point.

■ Quantify each risk area. The ethics and compliance risk assessment process should allow for quantification of each risk area. A compliance risk assessment that goes beyond “likelihood” and “severity” can be more useful in prioritizing compliance budget spending and activities, as well as in justifying any incremental controls, policies, processes, or spending that must be implemented. Furthermore, if executed correctly, such quantification can be used to measure program effectiveness, a Guidelines criterion for effective ethics and compliance programs.

■ Conduct compliance risk assessments periodically. The frequency at which an organization chooses to conduct ethics and compliance risk assessments and schedule follow-up reviews may depend on the nature of the organization’s industry, but if the methodology and process is adequately defined, assessments can reasonably be conducted on an annual basis. Since operating environments, regulations, and government enforcement priorities routinely change, it is inadvisable to conduct compliance risk assessments less frequently than every two years.

■ Measure employee knowledge. The ethics and compliance risk assessment should include a measurement of employee knowledge and awareness of the compliance program and supporting controls. Doing so can help pinpoint the areas in which communication and training programs need to be improved.

■ Measure the culture. Ask employees at all levels about their understanding of where to ask questions and their comfort level with doing so.

■ Benchmark. The compliance risk assessment should benchmark against peer organizations when possible. In addition to industry peers, organizations that are peers in terms of size and geographic scope may also provide effective benchmarks. This is particularly important as organizations are increasingly expected to meet “accepted or applicable industry practices” under the Guidelines.

■ Coordinate with internal auditors. It is often quite useful to coordinate ethics and compliance risk assessments with internal audits. Completing a compliance risk assessment produces the following results for the internal audit process: it aligns company focus and resources to address areas of greatest significance to the organization and it allows the auditor to design a program that tests the most important internal controls.

Use this tool:

■ “Framework for Conducting Effective Compliance and Ethics Risk Assessments,” ACC InfoPAKSM.

E. Task Five: Establish Appropriate Standards and Procedures

The Guidelines require that the organization “establish standards and procedures to prevent and detect criminal conduct.”29 Similarly, FAR requires that contractors “[e]stablish standards and procedures to facilitate timely discovery of improper conduct in connection with Government contracts.”30 Well written, comprehensive, and effectively communicated policies, procedures, and controls play a critical role in reducing the likelihood of ethical or legal misconduct and helping to establish a satisfactory state of compliance for an organization. Written standards should be clearly drafted and appropriate for both the size of the organization and the industry in which it operates–the standards must be literally and linguistically accessible to employees. To establish a firm foundation for your ethics and compliance program, your organization should first focus on developing such written standards if they do not already exist or reviewing and modifying (if necessary) existing written standards.

1. Code of Conduct

An organizational code of conduct is the bedrock of any ethics and compliance program. Although the Guidelines do not specifically discuss instituting a code, FAR mandates that companies have such a policy in place.31 When drafting or revising your organization’s code, ensure that it includes appropriate coverage of all necessary risk topics, based on the results of your ethics and compliance risk assessment. Topics should also be given emphasis relative to their likelihood and severity as determined by the risk assessment. Here are some best practices to consider when drafting or revising your code:

■ Ensure that it is written in an engaging tone, using concise language that your organization’s employees will clearly understand.

■ Ensure that the language used is at an appropriate level for most or all employees.

■ Include learning aids to address risk topics that are the most difficult to comprehend, and clarify areas that are problematic for your organization or are frequently the subject of employee reports.

■ Work to establish a positive tone by incorporating references to your organization’s values and/or mission statement.

■ Implement an introductory letter from your organization’s chief executive officer, president, or chairperson to set a strong “tone from the top” early in the document.

■ Ensure that your code’s layout is easy to read and utilizes a graphic design branded to your organization.

Since the code is not only a vehicle for your organization to communicate its policies, but also a marketing piece for your ethics and compliance program in general, be sure to take advantage of the opportunity and give the document a prominent introduction. Some ways to raise awareness include sending periodic emails to employees anticipating the document’s rollout, posting information about the code on your organization’s intranet, and distributing token marketing materials or giveaways (such as pens, post-its, etc.) reviewing aspects of the code or important related information, such as how to contact your organization’s ethics hotline. Once the code has been released, it should be readily available to your organization’s employees, preferably via both your company’s intranet and external website. As your organization continues to grow and expand its operations, you should periodically revisit the code. Current best practices are to revise the code approximately every three years, but more frequent revisions are often necessary in light of significant legal, regulatory, or internal organizational changes.

2. Policies and Procedures

The code cannot serve as the only written guidance you provide to employees; instead, your organization should also maintain standalone policies and procedures that address its key compliance risk areas more specifically. While your organization does not necessarily need to create standalone
policies for every risk area it faces, depending on the likelihood and severity of each risk and your organization’s tolerance level for such risk, you may choose to address certain issues in greater depth outside the code of conduct, such as through an employee manual, handbook, or standalone policies. If your company maintains standalone policies, make sure to reference them in the appropriate sections of the code and hyperlink to the policies in the electronic version of the code. Similarly, standalone policies should be uniformly structured, clear and succinct, written at the appropriate grade level, and translated as necessary. Like the code, standalone policies should undergo a periodic revision process, which you may want to consider delegating to an employee or group of employees based on their expertise or experience with various practices and policies.

Use these tools:

■ “Best Practices in Code of Conduct Development” White Paper, available upon request at [email protected].

■ Benchmark your existing code of conduct at www.ethisphere.com.

■ Numerous examples of sample policies and codes of conduct are available at http://www.acc.com/legalresources/forms/index.cfm.

F. Task Six: Establish an Effective Training and Communications Program

The Guidelines require that an organization “take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program” to all levels of employees, including agents and other third parties working on its behalf.32

1. Communicate, Communicate, Communicate

One of the most cost-effective ways to use information gained from a compliance risk assessment is to shape an organization’s compliance communication program. As the Guidelines note, a communications program should help “promote an organizational culture that encourages ethical conduct and a commitment to compliance within the law,” more commonly known as “setting the tone from the top.” Compliance communication should be driven by managers at all levels of the organization in order to effectively instill and distribute this tone. In addition, all possible communications options should be seized and utilized. In order to ensure that these communications are efficient and effective, they should take place according to a written communications plan. Every organization with an ethics and compliance program should also have a discrete plan for communicating it. This plan should be multiyear in scope and tailored to your organization’s risks. Although compliance communication should certainly be a particular focus when rolling out a significant training initiative, it should not be confined to a particular time of the year. Instead, communications should be provided consistently over time in order to maintain employee awareness of ethics and compliance issues. Your organization’s communication plan should clearly describe your communications initiatives, the format in which they will be delivered, and the person responsible for implementing them. The topics
selected for discussion should relate directly to those risk areas prioritized in the compliance risk assessment. Likewise, if your organization faces risk in a particular area and is rolling out a major training initiative to address that risk, you will likely want to reinforce that topic in your compliance communications. However, you may also want to focus communications efforts on related or secondary risk topics that are not being responded to with a major training initiative. Also, although communications are often distributed across an entire employee population, targeting your communications to specific groups, locations, or departments is an excellent idea, especially if the risk identified relates to such a particular subset of employees. The form that communication takes is primarily limited by your creativity and your organization’s culture. For high-tech organizations, a paper newsletter may not be appropriate, while a short video clip regarding a topic of concern may be. For organizations where a significant number of employees do not have access to a computer, a paper newsletter might be a more effective means of communication. You may also want to consider branding your communications program by creating a slogan to appear on all compliance communication materials, providing an opportunity for employees to quickly identify ethics- or compliance-related communication. This slogan can then also serve as a marketing piece for your company’s compliance program and appear on marketing items such as posters, mugs, and post-its. Additional best practice guidance includes:

■ An organization should provide numerous alternative static and interactive online and offline supporting resources and tools. There is no guarantee that after completing a training program, employees will retain all the legal and ethical concepts applying to their individual job functions. Furthermore, there will surely be periods in which employees are simply far removed from training in legal compliance concepts important to their job execution and cannot recall certain points. As such, many companies’ compliance training programs focus on building a culture of awareness and communications that can be used when guidance is needed. For example, when an employee recognizes a red flag but is not sure how to respond, he or she should turn to an ethics hotline or additionally provided reference materials.

■ An effective supporting communications plan is characterized by variation, frequency, and consistency. It is a mistake for an organization to focus only on compliance communications during a certain portion of the year, such as a fiscal quarter, when training programs are being rolled out. While it would be logical to place a greater emphasis on communications during such a focused initiative, some form of sufficiently visible communications should be present throughout the year to maintain a minimum level of employee awareness of ethics and compliance issues.

As an example of a way to continuously promote ethics and compliance, some companies have used video case studies that are freely available through the nonprofit organization Leaders on Ethics (www.leadersonethics.org). Its website showcases current and retired executives discussing real life ethical and compliance dilemmas they have encountered during their careers and how those dilemmas were resolved either to their satisfaction or dissatisfaction (and, if the latter, what they would have done differently).

■ Organizations should recognize the importance of communicating appropriate incentives and discipline relating to the compliance program, discussed in Task Eight, infra. As such, it is a leading practice to inform the employee population of the pros and cons of diligently adhering to the organization’s compliance program. In addition, companies have begun dedicating a portion of an employee’s performance review to discussing their commitment to the compliance program.

■ Some companies have benefitted from communicating summary disciplinary information to enhance the credibility of their compliance systems. While an effective training program proactively encourages employees to report observed misconduct through available internal reporting channels, in practice, many employees remain reluctant to do so. Commonly, they fear retaliation or feel that the employer will not act on the report. To counter this belief, an increasing number of organizations are sharing details or reports with their employees on disciplinary actions taken and investigations opened following reports of misconduct.

■ A good compliance communications plan emphasizes the employees’ responsibility to report misconduct. Along with incentives and discipline, a good communications program will specifically point out to employees, as local law allows, that it is their responsibility to report any ethical and legal misconduct they observe through the available channels. Therefore, the best compliance communications programs make it clear to employees that failing to report observed criminal conduct, even if they are not a firsthand participant, will not insulate them in the event the misconduct is later discovered.

■ The communications plan needs to set the tone from the top by including a strong message from executive leadership. Studies have shown that employee perceptions of the organization’s executive leadership’s commitment to compliance and ethics have a significant impact on employees’ behavior. Some of the leading ways organizations can heighten executive visibility in their compliance and communications program include:

• Executive leaders, such as the CEO or even members of the board, record personal introductions to the training programs.

• Enrollment emails assigning employees training appear to come from the CEO or another member of the executive leadership team.

• Executive leadership sends periodic email and written communications to employees discussing the importance of compliance and ethics and encouraging the use of available reporting systems and other resources if employees observe misconduct or need guidance on an issue.

2. Train on Your Key Compliance Risk Areas

The results of ethics and compliance risk assessments are commonly used to modify organizations’ existing training programs by refocusing on and emphasizing those risks which are considered the most important by the assessment. When determining how to use information gained from a compliance risk assessment to revise the organization’s compliance program, your organization should strongly consider modifying its three-to-five year training plan (and if your organization does not currently have such a plan, it is highly recommended that you consider developing one). Although it may be tempting to create a training program curriculum outlining only the first year of the initiative and then making decisions about subsequent years’ curricula during the annual budget cycle process, this is a mistake and can result in an inherently biased view of compliance training programs, and implicitly the overall compliance program, as an annual project, rather than a constant activity. As a result, it becomes more difficult to create a truly ongoing and sustainable process and institutionalized
compliance principles in the daily operations of your organization. Instead, the compliance training plan should be viewed as a living document and updated frequently to account for organizational and risk area changes. Training can be an expensive endeavor if it is not well planned, appropriately and effectively delivered, and closely monitored, especially for multinational enterprises that are attracted to the relative ease with which they can roll out e-Learning training programs to thousands of employees. To ensure that your compliance training budget is wisely spent, your organization should give careful consideration to the mode and mechanism by which training will be implemented. In general, there are three common modes of training: e-Learning, instructor-led training (ILT), and document-based training (also known as workbook training), each of which has its own positive and negative features. For instance, e-Learning is consistent, trackable, and measurable, enabling organizations to transcend the challenges posed by language or distance barriers. In addition, e-Learning training courses typically allow the employee to complete training at a convenient time during his or her workday. However, e-Learning programs may still be costly, especially when considering potential infrastructure issues and translation needs. And, for many companies, while e-Learning may be appropriate for training on broadly applicable risks that span a country or around the globe, many risks may be more localized and only require training in a specific area. Further, e-Learning does not allow for face-to-face interaction, removing the human element from training efforts, and does not provide a mechanism for employee questions to be instantly answered.
ILT, on the other hand, allows for face-to-face contact both with instructors and other employees, which allows for employees to receive instant feedback and can lead to productive discussions among employees about the issues covered by the training session. However, ILT can be logistically difficult to deliver and requires an investment of human capital in both the development and delivery of the materials. Finally, workbook learning may be the best option for employees who are stationed in remote locations and/or do not have computer access, but it can be less effective for employees who are not naturally visual learners, and has many of the same drawbacks as e-Learning: it provides no face-to-face contact, and can be somewhat difficult to localize. It is important to consider all of the potential delivery mechanisms for in-depth training–not only e-Learning, ILT, and workbook learning, but also more creative ideas such as brief, emailed scenario problems, training mini-sessions, or presentations provided during sales or business meetings. Also, be creative in the method of delivering training information. Some training sessions could be effectively presented by a manager at a working lunch. Train-the-trainer sessions may be appropriate in locations where managers speak English but those reporting to them do not, especially where the training issue also implicates cultural concerns. Consider delivering “spot training” via short animated training segments provided via email that include entertaining but substantive training on a particular risk topic. Regardless of the method of delivery, though, you should always focus on the high-risk areas first, targeting those individuals that are most likely to face the training issue in question.

 


By broadening your training delivery methods and focusing delivery to those audiences that are most likely to face the issue of concern, you are afforded an opportunity to save on costs and focus on getting your message across in the most effective manner for the target training population.

Use this tool:

■ “Compliance Training and E-Learning Programs: Leading Practices in Designing, Implementing, and Supporting Risk Assessment and Communication Strategies,” ACC InfoPAKSM.

G. Task Seven: Establish a Reporting Mechanism (Ethics Hotline)

The Guidelines dictate that companies must “have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.”33 There is a common perception that the promise of anonymity and confidentiality is stronger when an outside provider is used to operate such mechanisms, and many companies act accordingly. However, a leading practice is to also maintain an internal hotline for employees to receive guidance on ethical dilemmas, and any company subject to Sarbanes-Oxley is required to have such an anonymous hotline.

Consequently, your first step towards meeting these requirements should be instituting a hotline mechanism for employees to either ask questions or report suspected legal or ethical misconduct. This hotline should allow callers to make a report. The hotline should be designed to treat information submitted as confidentially as possible, and anonymous reporting should be available wherever it is allowed by law (for instance, if you have employees operating in the European Union, you will need to ensure that any hotline communications do not run afoul of EU data privacy laws). Many of the mechanisms discussed above in Tasks Five and Six can be effectively utilized to publicize the hotline, including posters, stickers, an icon on your internal website, or a link in the online version of your organization’s code of conduct. When communicating the hotline’s availability to employees, be sure to reiterate the organization’s commitment to non-retaliation as well, since fear of retaliation is the most often cited reason for not reporting misconduct. Also be sure to document every step taken to show the development of the program.
If you choose to outsource your hotline, you should request benchmarking information from your provider on how many calls you are getting compared to other companies in their client base, as well as guidance and ideas on how to appropriately distribute information about your hotline throughout your organization. Such outside assistance can be especially helpful when making sure you are not running afoul of EU regulations.

Calls to the hotline should be tracked and analyzed as part of your overall risk assessment process and the data gained can be exceptionally helpful. The development of an investigatory process should accompany the hotline development. Specifically, a best practice is to create a matrix assigning primary and secondary responsibility for conducting investigations to departments or functions (human resources and internal auditing departments are the most common) in order to ensure that reports or questions don’t fall through the cracks. Also, when assigning investigatory responsibility, develop an investigator’s manual and/or investigator training material to educate those who will be conducting investigations on how to interview witnesses, preserve confidentiality, and document results.

Use this included tool:

■ Sample Investigation Matrix (Tool Seven, Section VI).

H. Task Eight: Implement the Carrot and Stick Approach

The Guidelines require that “the organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in [misconduct] and for failing to take reasonable steps to prevent or detect [misconduct].”34 The FAR, on the other hand, require only the disciplinary aspect of enforcement.35

To incentivize performance in conformity with the Guidelines, consider instituting a performance review process including questions or categories directly addressing ethical behavior. These might include “compliance with the letter and spirit of all applicable laws and regulations” or “exercising integrity and honesty at all times” or “living our values in all you do.” Conducting thorough risk assessments, establishing antifraud programs, ensuring all supervisors complete their necessary training, and appropriately following due diligence procedures for third party partners are all examples of concrete compliance related performance standards which can be quantified and analyzed. Examples of steps to effectuate and apply these standards include:

■ Incorporating the standards into the employee’s goals, objectives, plans, job descriptions, etc.

■ Securing input from subordinates, peers, and managers in the appraisal process to ensure a complete and meaningful assessment of whether the employee is meeting standards.

■ Incorporating compliance related evaluations into compensation decisions.

Compliance-related performance assessments should also be considered when making promotion decisions. Utilize training metrics, hotline statistics, and culture survey results to promote personnel who fully support the compliance program. Successfully promoting compliance-minded employees will significantly contribute to the company maintaining a culture of ethical conduct and helping the company fulfill the Guidelines’ focus on self-disclosure of any wrongdoing. Red flags raised in the assessment process should be communicated to the appropriate personnel and addressed promptly. This process should involve and foster a very close working relationship with HR, internal audit, and risk departments. Your organization’s disciplinary process should be designed to implement punishments that fit the offense. Offenders should be disciplined for illegal or unethical conduct to the extent allowed by local law, but exacting extreme or disproportionate punishments may unintentionally institute a culture of fear and unduly lower employee morale. Your organization should also be prepared to discipline supervisors who know of misconduct and fail to report it or act with reckless disregard of possible misconduct.

 


Finally, your organization should implement a clear discipline policy setting forth procedures for determining the proper punishments for unethical or illegal conduct.

I. Task Nine: Screen and Test the Tone at the Middle

The Guidelines require that a company “use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.”36

The Guidelines define the personnel affected as follows:  

■ “‘Substantial authority personnel’ means individuals who within the scope of their authority exercise a substantial measure of discretion in acting on behalf of an organization. The term includes high-level personnel of the organization, individuals who exercise substantial supervisory authority and any other individuals who, although not a part of an organization’s management, nevertheless exercise substantial discretion when acting within the scope of their authority.”37

■ “‘High-level personnel of the organization’ means individuals who have substantial control over the organization or who have a substantial role in the making of policy within the organization.”38

When screening candidates for such positions, conflict of interest certifications, online screening processes, reputation, expertise, and appropriate databases should be your principal tools. Two increasingly popular mechanisms for ensuring due care is taken are ethics and compliance performance evaluations (including the use of hotline statistics) as discussed in Task Eight, supra, and culture surveys, discussed in Task Ten, infra.  

In addition, don’t overlook the information that can be gathered from exiting employees by implementing an exit interview procedure including questions about ethics and compliance. Exiting employees can provide insight into events that occurred during their tenure within a division or region that they were not comfortable disclosing during their employment. Implementation of these processes is often best left to HR, but the legal department should contribute advice on who to screen and how.  

J. Task Ten: Keep Your Program Effective – Monitoring, Auditing, Assessing, and Revising

The Guidelines require that a company consistently monitor and audit its business activities to detect misconduct, as well as “evaluate periodically the effectiveness” of its compliance program.39

1. Monitoring and Auditing

The Guidelines do not specify or suggest what appropriate monitoring and auditing activities might be, but instead leave that determination to individual organizations. However, numerous best practices have emerged, including:

■ Leverage internal auditing resources. Whether you have adopted the approach of using a compliance committee or not, develop an excellent working relationship with your auditing department and get involved in their audit plan development to look for ways to obtain compliance-related information from their work (e.g., travel and expense report audits, information security audits, contract compliance audits, etc.).

■ Develop an investigation matrix, investigator manual, and investigation protocols in order to easily deputize personnel in other departments. Utilizing human resources personnel and others outside the legal department to conduct investigations, answer questions, and respond to concerns is imperative, but you must also make sure they are completing these tasks effectively and consistently, so that nothing falls through the cracks.

■ Track hotline reports and talk to managers to find out what kinds of compliance questions employees are raising. Help managers see compliance as a tool that can help them make their jobs easier, rather than an obstacle course for employees to maneuver.

2. Periodically Evaluating Effectiveness

Risk assessments are discussed in detail in Task Four, supra, but their applicability to periodically evaluating the effectiveness of the compliance program should not be discounted. One element of risk assessment not discussed in depth above was the use of culture surveys. Companies are increasingly turning to culture surveys to measure four critical components of an effective compliance program:

■ An employee’s knowledge of how to report a concern.

■ An employee’s willingness to raise a concern.

■ An employee’s perception of the company’s tolerance for retaliation.

■ An employee’s belief in the extent to which his or her manager “walks the walk.”

The data obtained through a fairly straightforward ten to twelve question survey can be immensely useful. Many companies find the best response rates occur when employees believe and trust that the survey is anonymous; for that reason, you may want to employ an outside vendor to administer the survey. In addition, outside vendors can generally provide benchmarking data to provide guidance on whether your results are similar to your peer companies’. Utilizing technology to centralize and administer the survey can be very efficient, and the flexibility it offers may lead to a better response rate.  

Use these tools:

■ “Framework for Conducting Effective Compliance and Ethics Risk Assessments,” ACC InfoPAKSM.

■ Sample Employee Compliance Survey (Tool Eight, Section VI).

■ Sample Employee Exit Interview Questionnaire (Tool Nine, Section VI).

 


V. Conclusion

It is no overstatement to say that every single day, a company makes headlines for some kind of alleged misconduct. It is the function of compliance programs to make that scenario less likely at an organization and to ensure that when something goes wrong, the impact on the company and uninvolved employees is minimized. As best practices continue to emerge and the Federal Sentencing Guidelines become only a minimum threshold rather than the gold standard, compliance officers should be increasingly visible within their business units and among their company’s executive leadership.

VI. About the Author

Corpedia Corporation, founded in 1998, offers a wide variety of innovative and user-friendly compliance and ethics solutions. Developed and implemented by a team of experts with years of experience and industry insight, our compliance risk assessment solutions identify, quantify and provide actionable plans for mitigating and preventing compliance breakdowns. Our e-learning programs bolster these assessments by familiarizing employees with all facets of regulations affecting their company and offering the most measurable outcomes for their compliance and ethics initiatives. With over 500 customers in more than 150 countries, including Walmart, Time Warner, OfficeMax, Dun & Bradstreet and PepsiCo, Corpedia delivers the right compliance and ethics solutions to the right people at the right time—every time. For more information, call 877.629.8724.

 


VII. Sample Tools, Forms, and Policies

A. Tool One: Organizational Structures for Corporate Compliance

Introduction

The organization of the compliance function may be structured along lines that make the most sense for the company. It should, however, take into account a number of considerations that are reflected in the proposed structures:

•  the Board and senior management have oversight responsibilities for the function;

•  individuals responsible for the day-to-day operations of the function should report to the Board (or appropriate subgroup);

•  individuals responsible for the day-to-day operations of the function should have “appropriate authority”; and

•  the structure should address conflicts of interest (e.g., overseeing the compliance of a supervisor).

 


Organizational Structure #1

Compliance Organization within Legal Department where Chief Legal Officer (CLO) has day-to-day responsibility for operation of the Compliance Program and is also the Chief Compliance Officer (CCO).

[Organization chart. Boxes: CEO; CCO and CLO; Audit Committee of Board; Staff; Staff.]

Organizational Structure #2

Compliance Organization within Legal Department where Chief Legal Officer does not have day-to-day responsibility for operation of the Compliance Program, but is Chief Compliance Officer.

[Organization chart. Boxes: CEO; CCO and CLO; Audit Committee of Board; VP for Compliance with responsibility for day-to-day operation of Compliance Program; Staff; Staff.]

Organizational Structure #3

Stand-alone Compliance Organization where some compliance functions have direct reporting relationship elsewhere with dotted line reporting to CCO.

[Organization chart. Boxes: CEO; HR; Audit Committee of the Board; CCO; CLO; Treasurer; Compliance Officer for Anti-Money Laundering; Associate General Counsel for Compliance (provides counsel to CCO); Field Compliance Officers; Compliance Officer for Fair Employment Matters.]

Organizational Structure #4

Stand-alone Compliance Organization where all compliance functions report to CCO.

[Organization chart. Boxes: CEO; CCO; Audit Committee of Board; HR; CLO; Treasurer; Compliance Officer for Fair Employment Matters; Compliance Officer for Anti-Money Laundering; Field Compliance Officers.]

Organizational Structure #5

Compliance Organization for small company where Compliance Program is operated from within the Board by Independent Director.

[Organization chart. Boxes: Independent Director on Board; Senior company employee responsible for the day-to-day operations of the Compliance Function; Director; Director.]

Organizational Structure #6

Compliance Organization for small company where Compliance Program is operated from within the Board by Non-Independent Director.

[Organization chart. Boxes: Director; Senior company employee responsible for the day-to-day operations of the Compliance Program; Director; Audit Committee; Director.]

B. Tool Two: Sample Chief Compliance Officer Position Description

Note: This position description contemplates that the compliance function will be a “stand alone” operation and that the Chief Compliance Officer will have responsibility for compliance, ethics, and investigations and act as the overall coordinator, but not have principal responsibility for certain compliance activities (e.g., anti-money laundering) that may be located outside of the compliance function. This position description is purposefully detailed to identify for consideration those duties that might be assigned to the Chief Compliance Officer.

Chief Compliance Officer

Position Description

The Chief Compliance Officer is a Senior Vice President level position and head of the Office of Ethics and Compliance (OEC). The Chief Compliance Officer reports directly to the CEO and to the Audit Committee of the Board. The principal responsibility of the Chief Compliance Officer is to establish, maintain, and oversee an effective compliance and ethics program for the Company which is consistent with: (1) the provisions of the Federal Sentencing Guidelines established by the United States Sentencing Commission; and (2) such other statutory, regulatory and ethical requirements as may be applicable to the Company (Compliance Program).

DUTIES

The duties of the Chief Compliance Officer include, but are not limited to, the following:

Tone at the Top. Working with other senior management to establish a “tone at the top” that reflects the company’s commitment to ethical business conduct and compliance with the letter and spirit of the law in all aspects of the Company’s operations.

Code of Conduct. Having principal responsibility for the administration of the Company’s Code of Conduct (Code), including:

■ Revising and updating the Code, from time to time as may be appropriate, with any substantive revisions subject to the approval of the Audit Committee;

■ Publishing the Code (and revisions to the Code) and otherwise making it readily available to Company employees;

■ Providing Company employees with advice interpreting the provisions of the Code;

■ Taking such actions as may be appropriate to investigate and enforce the Code;

■ Creating, publishing, maintaining, and interpreting such additional policies and procedures as may be appropriate to fully implement the provisions of the Code or to otherwise meet the requirements of applicable statutes, regulations, or ethical standards.


Board. Working closely with the Audit Committee of the Board (and the full Board as appropriate) to undertake such compliance related activities as the Board may direct or may otherwise be required, including keeping the Board apprised of the following in a timely manner:

*Note: For these purposes it is assumed that the Chief Compliance Officer will also be responsible for the day-to-day operations of the compliance function. If that function is delegated, the relationship with the Board will change.

■ The content and operation of the Compliance Program so as to enable the Board to exercise reasonable oversight for the Compliance Program;

■ Whether the Compliance Program has adequate resources;

■ Any allegations against an officer of the Company; where the allegations involve significant accounting or financial improprieties; or where, if proven true, the actions or failure to act would have a significant impact on the Company; or any other conduct by an employee which the Chief Compliance Officer believes should be brought to the Board’s attention; and

■ The compliance related performance of any senior personnel for whom the Board (or a subgroup thereof) evaluates performance and makes determinations regarding compensation.

Senior Management. Acting as the liaison with senior management, including:

■ Keeping them apprised of their obligations under the Compliance Program, including establishing and maintaining an appropriate “tone at the top”;

■ Assisting and coordinating with them to implement compliance activities in their business operations; and

■ Evaluating their compliance related performance.

Risk Assessment. Directing and/or participating in regular risk assessments of the activities and operations of the Company, the results of which shall be used to, among other things, establish or appropriately modify the components of the Compliance Program.

Corporate Integrity Line. Managing the Corporate Integrity Line (CIL) and implementing activities relating to its underlying purpose, including:

■ Assuring that the CIL is operated in an effective manner (including that complaints may be made confidentially and anonymously) and employees are provided with access to the CIL at such times of day and in such manner as the Chief Compliance Officer determines appropriate;

■ Creating, publishing, and administering a policy regarding an employee’s obligation to report conduct that possibly violates applicable laws, regulations, the Code and/or ethical standards and the avenues for reporting such misconduct including the CIL;

 


■ Training Company managers about how to maintain an open working environment where employees feel free to raise issues without fear of retaliation, how to respond to an employee’s complaint and when to refer it to the OEC, and that retaliation against any employee raising a good faith complaint or participating in a Company authorized investigation is the basis for disciplinary action;

■ Screening the calls received by the CIL and directing those calls that are not appropriate for the CIL (e.g., questions regarding employee benefits) to other places in the Company where they may be more appropriately handled, and initiating investigations in response to complaints;

■ Maintaining records on the number, nature, and resolution of the calls received and periodically providing reports to the Board and senior management of the same, provided, however, that where requested by the employee the confidentiality and/or anonymity of the caller shall be maintained;

■ Periodically analyzing and testing the effectiveness of the CIL and making such modifications to the CIL as may be appropriate; and

■ Based on an analysis of the complaints received through the CIL or through other reporting mechanisms, making appropriate changes to the Compliance Program and directing such other remedies as may be appropriate.

Investigations. Initiating and conducting internal corporate investigations as follows:

■ As the primary investigator where the OEC’s internal resources and expertise are sufficient, senior management (EVP and above) are not principally implicated, or the OEC does not have an apparent or actual conflict of interest;

■ As the manager of outside independent investigators and experts where it is not appropriate for the OEC to conduct the investigation.

The Chief Compliance Officer shall also be responsible for determining and causing remedial measures to be implemented, based on the findings of an investigation and for revising or modifying the Compliance Program, if appropriate, to prevent and deter future similar misconduct.

Training and Communications Program. Implementing and conducting an effective compliance training and communications program, including:

■ Providing compliance related training for the Board, executive and senior level management, and all other employees which shall be appropriate for their respective roles and responsibilities;

■ Providing training for the Company’s agents if the Chief Compliance Officer determines it is appropriate to do so; and

■ Disseminating other communications as may be appropriate to convey and reinforce applicable laws and regulations, ethical standards, the Code, and other Company policies and procedures.

Compliance Related Performance Standards.

■ Coordinating with Human Resources to implement compliance related performance standards for all of the Company’s employees so that the employee’s failure or success in meeting such standards will be considered in compensation and related matters;

■ Recommending appropriate disciplinary measures for a non-performing employee, as appropriate.

Screening Employees. Coordinating with Human Resources, Internal Security and the Chief Legal Officer to develop criteria for screening potential and current employees for misconduct inconsistent with an effective Compliance Program.

Maintenance, Modification and Assessment of the Compliance Program. Undertaking such actions as are necessary to assure the continued effectiveness of the Compliance Program, including:

■ Modifying the Compliance Program to reflect new laws and regulations applicable to the Company, new operations and activities undertaken by the Company, and such other changes as may require modification;

■ Modifying the Compliance Program after misconduct has been identified to enhance prevention and detection activities so that similar misconduct will not occur in the future;

■ Undertaking monitoring activities designed to prevent and detect misconduct including violations of the Compliance Program;

■ Coordinating with Internal Audit so that the Compliance Program itself is regularly audited and that when the operations and activities of the Company’s business units and support functions are audited such audit regularly reviews whether such operations and activities are consistent with the Compliance Program; and

■ Not less than every three years engaging an independent third party to evaluate the Compliance Program and, based on that evaluation, undertaking appropriate modifications to the Compliance Program.

Compliance Committee. Serving as the chair of the Compliance Committee and regularly reporting to senior management and the Board on its activities.

 


C. Tool Three: Sample Corporate Compliance Committee Charter

Charter of the Corporate Compliance Committee

Purpose. The purpose of the Corporate Compliance Committee is to provide counsel and advice to the Chief Compliance Officer by high-level personnel in the Company in his/her implementation and administration of the Office of Ethics and Compliance and the Company’s Compliance Program (Program) to ensure that the Program meets applicable legal and regulatory requirements and appropriate industry standards.

Membership. The Committee shall be comprised of the following:

■ the Chief Compliance Officer who shall chair the Committee;

■ the Chief Legal Officer;

■ the Chief Financial Officer;

■ the Senior Vice President for Internal Audit;

■ the Senior Vice President for Human Resources; and

■ two other Senior Vice Presidents as may be designated by the CEO and who shall serve rotating terms of two years.

Meetings. The Committee shall meet no less than quarterly and at such other times as may be determined by the Chief Compliance Officer or if requested by two other members of the Committee. The Chief Compliance Officer shall appoint a member of his/her staff who shall serve as the secretary for the Committee and maintain minutes for each meeting.

Quorum. Four members of the Committee shall constitute a quorum for purposes of determining whether a meeting can be held. Committee members may vote by proxy for another Committee member at a meeting, but the assignment of a proxy vote cannot be considered for purposes of determining whether a quorum exists. A proxy may not be assigned to anyone who is not otherwise a member of the Committee.


D. Tool Four: Sample Compliance Policy and Procedure

Policy and Procedures for Tracking Attendance at Customized Compliance Training Sessions

Statement of Purpose: All business units are required to track and document employee attendance at mandated customized compliance training sessions and report quarterly on the status of attendance to the Office of Ethics and Compliance (OEC). These procedures set forth the process for meeting this requirement. The OEC will, after appropriate consultation with the business unit, advise the business unit of what compliance training is mandated for the business unit. Certain compliance training may be mandated for all Company employees. The OEC (rather than the business unit) will be responsible for tracking and documenting web based compliance training that is required for all employees in the Company.

Forms: Attached for the use of the business unit are: (1) a blank quarterly reporting form (Exhibit A) and Attendance List (Exhibit B); and (2) a sample quarterly reporting form with a sample attachment that has been filled out as a guide (Exhibit C). Exhibit A needs to be filled out by the business unit and submitted to the OEC each quarter. However, business units are required to submit underlying training documentation (Form B) with their quarterly report only when they have achieved 100% accountability for attendance (this can include acceptable absences for persons on leave). Training documentation should include copies of training materials that were provided to employees.

Timeliness. All employees are required to take mandated compliance training in a timely fashion. To facilitate this process at least one live training session will be provided for each course and thereafter that training session will be made available in a recorded form for employees who were unable to take the live training session. Training must be taken no later than thirty (30) business days after the date the recorded session is made available. The exception to this rule is for employees who are out of the office on approved extended leave (e.g., maternity, short term disability, leave under the Family and Medical Leave Act, etc.) who must take the recorded course no later than thirty (30) business days after their return to the office. In consideration of the fact that they may have multiple courses to take, new employees have ninety (90) business days to take a required course after they start work with the Company. Managers are responsible for assuring that their employees take their courses in a timely fashion.

Required Audience. Customized training courses may be mandated for an entire business unit or only certain individuals within the business unit. It is the responsibility of the business unit to identify those individuals who are required to take a mandated course.

Repository: All training documentation received by the OEC will be filed in the official OEC files. Business units should also keep a copy of the documentation.

 


EXHIBITS

A. Quarterly Training Report
B. Attendance Lists
C. Sample Quarterly Training Report with Attendance List

Exhibit A

Quarterly Compliance Training Report

Business Unit: ______________________
Report for Quarter: ______________________

Compliance Training Course | Business Unit Employees Required to take Training | Required Date of Completion | Percentage of Training Completed | Comment

Exhibit B

Attendance List for Live Session

Business Unit: ______________________
Compliance Training Course: ______________________
Date of Live Session: ______________________
Attachments (if any): ______________________

Required Attendees | Signature of Attending Employee | Employee Number
1.
2.
3.

Effective Compliance and Ethics Programs for the Small Law Department – Doing More With Less

Copyright © 2010 Corpedia, Inc., and Association of Corporate Counsel  


4.
5.
6.
7.

Attendance List for Recorded Session

Business Unit: ______________________
Compliance Training Course: ______________________

Required Attendees | Signature of Attending Employee | Employee Number | Date Course Taken
1.
2.
3.
4.
5.
6.
7.

Exhibit C

Sample Quarterly Compliance Training Report

Business Unit: Human Resources
Report for Quarter: 2

Compliance Training Course | Business Unit Employees Required to take Training | Required Date of Completion | Percentage of Training Completed | Comment
1. Insider Trading | All HR Officers | Q1 | 100% | See attached attendance list.
2. Fair Employment and Recruiting | All HR Recruiters | Q3 | 75% | Attendance lists to be submitted end of Q3.
3. Form I-9 and Employment Eligibility Verification | All HR Employees responsible for processing New Hires | Q4 | 0% | Course to be offered in Q4.

 


Attendance List for Live Session

Business Unit: Human Resources
Compliance Training Course: “Insider Trading: Don’t Even Think About It!”
Date of Live Session: January 20, 2006
Attachments (if any): PowerPoint Slides from course

Required Attendees | Signature of Attending Employee | Employee Number
1. Jane Doe | Jane Doe | 5555
2. Tom Jones | Tom Jones | 3241
3. John Smith | John Smith | 5346
4. Trevor Higgins | Trevor Higgins | 9075
5. Susan Kent

Attendance List for Recorded Session

Business Unit: Human Resources
Compliance Training Course: “Insider Trading: Don’t Even Think About It!”

Required Attendees | Signature of Attending Employee | Employee Number | Date Course Taken
1. Susan Kent | Susan Kent | 6789 | 2/15/06
2.
3.
4.
5.
6.
7.


E. Tool Five: Sample Periodic Report to the Board

MEMORANDUM

To: [Company] Board of Directors
From: [Name] Chief Compliance Officer
Date: January 20, 2006
Re: Annual Report to the Board for 2005

I. Introduction and Background

As we discussed previously, the Federal Sentencing Guidelines set forth the components of an effective ethics and compliance program (Compliance Program). Among those components is that the Board be knowledgeable about the content and operation of the Compliance Program and reasonably oversee its implementation and effectiveness. This Report addresses this requirement by outlining the operations and activities of the Compliance Program for 2005 and providing additional information about our proposed activities for 2006.

II. Meeting the Requirements of the Guidelines

A. Tone at the Top

Senior Management has worked to develop and maintain an organizational culture that encourages ethical conduct and commitment to compliance with the law by establishing an appropriate “tone at the top.” Included among [the Company’s] activities for 2005 in this regard were:

■ [Example: The company town hall meeting co-chaired by the CEO and the Chairman of the Audit Committee where they answered employee questions and talked about the standards of conduct that they expect employees to meet.]

B. Activities of Senior Management and the Chief Compliance Officer

Senior officials in the Company have been very active in overseeing the effective operation of the Compliance Program in 2005, including:

■ [Example: The Corporate Compliance Committee has met six times in the past year to provide counsel and advice relating to the Compliance Program, including addressing such important matters as appropriate employee discipline, subjects for required compliance training, and establishing compliance related performance standards. Minutes from Committee meetings are attached as Exhibit A.]

 


■ [Example: Every Senior Vice President has been responsible for implementing a compliance plan for his/her business unit that addresses such matters as compliance training, internal policies and procedures, and implementing other compliance requirements for that business unit. A sample of a plan is attached as Exhibit B.]

In addition to my general responsibility for the day-to-day operations of the Compliance Program, in 2005 I have:

■ [Example: At the request of the Chair of the Audit Committee, undertaken a review of five years of Company internal investigations for the purpose of identifying any possible systemic problems.]

C. Resources

■ [Example: The approved budget for the Office of Ethics and Compliance (OEC) for 2005 was $______ and its approved staffing was _____ fulltime employees. The approved budget for 2006 is $_____ and its approved staffing is _____ fulltime employees. The OEC budget request for 2006 was $_____ and its staffing request was for _____ additional employee[s]. The OEC’s budget request was based on the need for additional resources to: (1) provide new compliance training; (2) monitor internal compliance with our Document Retention and Confidentiality Policies; and (3) meet the new requirements of the Homeland Security Act applicable to [the Company] that go into effect in June of 2006.

OEC has a request into the Controller’s office to reconsider our budget request. Action on that request is expected in the next month. If the approval is not granted, new compliance training will be restricted and one of the monitoring projects will be dropped. For the Board’s information attached as Exhibit C is a survey printed in XYZ Magazine that reflects the budgets for compliance programs for peer companies in our industry.]

D. Compliance Standards and Procedures

To meet the requirement that our Company have appropriate standards and procedures in place to prevent and detect misconduct, in 2005 the OEC issued and provided training for affected employees on the following new policies:

■ [Example: the Foreign Corrupt Practices Act Policy, given our new operations and activities outside of the United States. A copy of the Policy is attached as Exhibit D.]

The OEC also significantly revised and provided supplemental training for affected employees on existing policies, including:

■ [Example: the Gifts and Entertainment Policy, given the changes in the federal law relating to Members of Congress. A copy of the Policy showing changes is attached as Exhibit E.]


E. Compliance Training Programs

In 2005, in addition to providing existing courses to new employees, the OEC provided the following new significant compliance related training courses to [Company] employees who required them:

■ [Example: “Limitations on Corporate Political Activities” (45 attendees from the Office of Communications and the Office of Government Affairs).]

■ [Example: “Sexual Harassment: Don’t Try it Here” (required on a company-wide basis for all 6,000 employees).]

F. Compliance Program Evaluation

In 2005 the Compliance Program itself was evaluated in several respects:

■ [Example: An employee survey seeking input on the Compliance Program was distributed to all employees. A copy of the results of the survey is attached as Exhibit F.]

■ [Example: a sample monitoring of four business units was conducted by the OEC to determine their conformity with certain requirements of the Compliance Program. A summary of the OEC’s findings is attached as Exhibit G.]

G. Matters Relating to Possible Employee Misconduct

■ [Example: In 2005 employees indicated their willingness to use the Corporate Integrity Line to raise issues of possible misconduct: 10 anonymous complaints were received and 15 complaints were made where the complainant was identified. Most reports are made directly to OEC staff. In 2005 the OEC investigated 85 matters relating to possible employee misconduct and oversaw one independent third party investigation of such allegations. A chart setting forth the nature of the matters reviewed and the resolution of them is attached as Exhibit H.

The OEC provides the Chair of the Audit Committee with monthly updates of matters being reviewed by the OEC and reports immediately to the Chair if the allegations made: (1) are against a [Company] officer; (2) involve significant accounting or financial improprieties; (3) if proven true would have significant impact on the Company; or (4) are of such a nature that the Chief Compliance Officer believes the Chair should be informed.]

H. Other Activities

■ [Example: Compliance Standards: In mid 2005 the OEC began work with Human Resources to develop specific compliance related performance standards for all [Company] employees. These standards were published to employees in December of 2005. They will be considered and applied for employee performance appraisals for 2006. The OEC and HR also worked with the Board’s Compensation Committee to incorporate the standards into evaluations of executive management and they will be considered and applied for executive management performance appraisals for 2006.]

III. Initiatives for 2006

In 2006 the OEC will direct and/or participate in the following new initiatives:

■ [Example: Responding to the new regulation of the United States Department of the Treasury, effective January 2007, that will require [the Company] to create an anti-money laundering program for certain of the Company’s financial operations.]

I look forward to meeting with the Audit Committee next week to further discuss this report and the operations and activities of the Compliance Program and answer any additional questions the Committee might have. In addition, I am happy to provide additional information to members of the Board who are not on the Audit Committee and may be contacted at (XXX) XXX-XXX or at [email protected].


F. Tool Six: Roadmap for an Effective Compliance and Ethics Program – Ten Things the Board Must Know

Roadmap For An Effective Compliance And Ethics Program

The Top Ten Things the Board Must Know

TOOL SIX.

“Effective Compliance and Ethics Programs for the Small Law Department - Doing More with Less”

ACC InfoPAKSM


Not Just About Sentencing

• United States Sentencing Guidelines (“Guidelines”), which address criminal conduct, are the foundation for compliance and ethics programs that address all misconduct (“Program”).

• 2004 Amendments to the Guidelines set forth specific goals for Programs.

• The Department of Justice and the SEC measure Programs against Guidelines’ standards when considering actions against entities.

• Other government agencies such as HHS, EPA and State also use the Guidelines as the principal benchmark for Programs.

 


Key Requirements for Program

1. Board needs to be knowledgeable about and oversee the Program.

2. Must establish a “tone at the top” that demonstrates corporate commitment to ethical conduct and compliance with the law.

3. Requires an organizational structure where senior personnel have overall responsibility for the Program and individual responsible for day-to-day operations has appropriate authority and access to the Board or subcommittee of the Board.

4. Program must have adequate resources.

5. The Company must have appropriate corporate standards and procedures designed to achieve compliance.


Key Requirements for Program (continued)

6. Effective compliance training should be provided and Board needs to participate.

7. A confidential and anonymous disclosure mechanism (“hotline”) is required.

8. Must provide incentives to perform consistent with Program and apply consistent disciplinary measures for misconduct (“carrot and stick”).

9. Risk Assessment drives the Program.

10. The Program needs to be kept effective and regularly evaluated and revised as appropriate.


Board Must Know About and Oversee Program

Guidelines Require

“The [Board] shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.” (§8B2.1(b) (2) (A)).

Implementation

• This training.

• Regular written reports

• [to be supplied]


Tone at the Top

Guidelines Require

• Establishment and maintenance of an organizational culture that “encourages ethical conduct and a commitment to compliance with the law.” (§8B2.1 (a) (2)).

Implementation

• [to be supplied]

 


Organizational Structure

Guidelines Require

• High level personnel who have substantial control over the organization or who have a substantial role in making policy are responsible for the compliance program. (§8B2.1(b) (2) (B)).

• Day-to-day operational responsibility for the program delegated to individuals who report to high level personnel. Individuals responsible for day-to-day operations must have . . . appropriate authority and direct access to the governing authority or an appropriate subgroup of the governing authority (§8B2.1(b) (2) (C)).


Implementation of Organizational Structure

[to be revised appropriately]


Program Must Have Adequate Resources

Guidelines Require

Individuals responsible for day-to-day operations must have adequate resources . . . . (§8B2.1(b) (2) (C)).

Implementation

• Budget for Program for last year: $_____

• Staffing for Program for last year: ______

• Budget for Program this year: ______

• Staffing for Program this year: ______


Compliance Standards and Procedures

Guidelines Require

“The organization shall establish standards and procedures [standards of conduct and internal controls] designed to prevent and detect [misconduct].” (§8B2.1 (b) (1)).

Implementation

• [to be supplied—discussing code of conduct, policies etc.]

 


Compliance Training

Guidelines Requirements

“The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to [the Board, high level personnel, substantial authority personnel, the company’s employees, and as appropriate, the company’s agents] by conducting effective training programs and otherwise disseminating information appropriate to such individual’s respective roles and responsibilities.” (§8B2.1(b) (4) (A)).


Compliance Training (continued)

Implementation

• [to be supplied—identifying training courses, when given, who took them (by category), what is to be provided in the future etc. ]


Hotline

Guidelines Require

“The organization shall take reasonable steps---(C) to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual [misconduct] without fear of retaliation.” (§8B2.1(b)(5)(C)).

Sarbanes-Oxley imposes similar requirements.

Implementation

• [to be supplied]


Carrots & Sticks

Guidelines Require

“The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in [misconduct] and for failing to take reasonable steps to prevent or detect [misconduct].” (§8B2.1(b)(6)).

Particularly important with regard to senior management who must set the “tone at the top” and whose performance and compensation may be considered by the Board.

 


Carrots & Sticks (continued)

Implementation

• [to be supplied]


Risk Assessment

Guidelines Require

“The organization shall periodically assess the risk of [misconduct] and shall take appropriate steps to design, implement, or modify [the Program] to reduce the risk of [misconduct] identified through this process.” (§8B2.1(c)).

Implementation

• [to be supplied]


Program Needs to be Kept Effective and Regularly Evaluated

Guidelines Require

“The organization shall take reasonable steps—(A) to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect [misconduct]; and (B) to evaluate periodically the effectiveness of the organization’s compliance and ethics program.” (§8B2.1 (b) (5) (A&B)).

“After [misconduct] has been detected, the organization shall take reasonable steps to respond appropriately to the [misconduct] and to prevent further similar [misconduct] including making any necessary modifications to the organization’s compliance and ethics program.” (§8B2.1 (b) (7)).


Program Needs to be Kept Effective and Regularly Evaluated (continued)

Implementation

• [to be supplied]

 


G. Tool Seven: Sample Investigation Matrix

Incident Type | Legal Resource | HR Resource | Finance Resource
Accounting/Audit Irregularities | Secondary - Name | | Primary - Name
Fraud | Secondary - Name | | Primary - Name
Improper Loan to Executives | Secondary - Name | | Primary - Name
Insider Trading | Secondary - Name | | Primary - Name
Kickbacks | Secondary - Name | | Primary - Name
Release of Proprietary Information | Primary - Name | Secondary - Name |
Retaliation against whistleblowers | Primary - Name | Secondary - Name |
Unauthorized Discounts | Secondary - Name | Primary - Name |
Conflicts of Interest | Primary - Name | Secondary - Name |
Customer relations | Secondary - Name | Primary - Name |
Discrimination | Secondary - Name | Primary - Name |
Employee Relations | Secondary - Name | Primary - Name |
Falsification of Records | Primary - Name | Secondary - Name |
Fraudulent Insurance Claims | Secondary - Name | Primary - Name |
Policy Issues | Primary - Name | Secondary - Name |
Product Quality | Secondary - Name | Primary - Name |
Safety | Secondary - Name | Primary - Name |
Sexual Harassment | Secondary - Name | Primary - Name |
Substance abuse | Secondary - Name | Primary - Name |
Theft of Cash | Secondary - Name | Primary - Name |
Theft of Goods/Services | Secondary - Name | Primary - Name |
Theft of Time | Secondary - Name | Primary - Name |
Wage/Hour Issues | Secondary - Name | Primary - Name |
Workplace violence/Threats | Secondary - Name | Primary - Name |


H. Tool Eight: Sample Employee Compliance Survey

The purpose of this survey is to secure your input about the Company’s corporate culture and our Compliance Program. Your participation is totally anonymous. Please fill out the survey and deposit it in the designated receptacle in the company cafeteria or place it in interoffice mail directed to the attention of the Office of Ethics and Compliance, Room 452, Corporate Headquarters, Any town, USA.

Corporate ethics and compliance is everyone’s business. Your input is essential for the Office of Ethics and Compliance (OEC) to improve our Compliance Program.

Thank you for your time.

The Office of Ethics and Compliance

 

 

 

 

 

 

 


CODE OF BUSINESS CONDUCT (fill in one)

1. I have been given a copy of the Company’s Code of Business Conduct (Code).

O True   O False   O Don’t Know

2. I have taken training about the Code.

O True   O False   O Don’t Know

3. I refer to the Code for guidance…

Once a Week | Every 2 weeks | Once a month | Practically Never | Never

O O O O O O

4. I can find a printable copy of the Code on the Company’s Intranet Home Page.

O True   O False   O Don’t Know

5. The last time my manager mentioned the Code was…

O Less than a week ago   O Within the past 2 weeks   O Within the past month   O Within the last 6 months   O Never mentions it

B. REPORTING POSSIBLE WRONGDOING

1. The Company maintains a hotline (“Integrity Line”) where employees can report good faith allegations of possible violations of law, regulations, the Code, or unethical conduct (Wrongdoing) anonymously.

O True   O False   O Don’t Know


2. The number for the Integrity Line appears on the Company’s Intranet Home Page.

O True   O False   O Don’t Know

3. I believe I can make a truly anonymous report to the Integrity Line.

O True   O False   O Don’t Know

4. Under Company policy I may report good faith allegations of possible Wrongdoing to any of the following (fill in all that apply).

O my supervisor
O the Office of Ethics and Compliance
O the Chief Compliance Officer
O any officer of the Company
O the HR representative assigned to my division.
O the Integrity Line
O the Audit Committee of the Board of Directors

5. I would be the most comfortable reporting good faith allegations of possible Wrongdoing to the following (Rank choices from 1-5; 1 being the place/person to whom you would be least likely to report and 5 being the place/person to whom you would be most likely to report. Rankings may be used more than once).

___ my supervisor
___ the Office of Ethics and Compliance
___ the Chief Compliance Officer
___ any officer of the Company
___ the HR representative assigned to my division.
___ the Integrity Line
___ the Audit Committee of the Board of Directors

 


6. I believe that if I made a good faith allegation of possible Wrongdoing the following would take place:

Statement | Strongly agree | Agree | Neutral | Disagree | Strongly Disagree | Don’t Know
There would be a thorough investigation of my allegation regardless of the rank, position, productivity, etc. of the person being investigated. | O | O | O | O | O | O
If the allegation turned out to be true, the employee would be appropriately disciplined regardless of the rank, position, productivity, etc. of the employee. | O | O | O | O | O | O
I might be retaliated against (disciplined, demoted, transferred, etc.) for making the report. | O | O | O | O | O | O
I might be indirectly retaliated against (e.g., treated as not being a team player, subjected to unjustified criticism, etc.) for making the report. | O | O | O | O | O | O

7. I made a good faith report(s) of possible Wrongdoing in the past to the following (fill in all that apply). [If this question does not apply to you, please proceed to Section C]

O my supervisor
O the Office of Ethics and Compliance
O the Chief Compliance Officer
O an officer of the Company
O the HR representative assigned to my division.
O the Integrity Line
O the Audit Committee of the Board
O Other (please specify) __________________________

8. Fill in all of the responses/results that you believe apply to your previous report(s).

O I believe that I was directly retaliated against (e.g., disciplined, demoted, transferred, etc.) for making the report.

O I believe that I was indirectly retaliated against (e.g., not treated as a team player, subjected to unjustified criticism, etc.) for making the report.

O Nothing was done to my knowledge.

O I was satisfied with the result.

O Other (please specify) ____________________________


C. CORPORATE CULTURE

1. Senior Management: At our company, the senior management (SVPs and above) demonstrates by both word and deed that they are committed to the following (fill in one):

Statement | Strongly agree | Agree | Neutral | Disagree | Strongly Disagree | Don’t Know
Ethical business practices and compliance with all applicable laws, regulations, and provisions of our Code. | O | O | O | O | O | O
Putting compliance and ethical conduct before production goals or other corporate objectives. | O | O | O | O | O | O
Creating an open working environment where employees may raise issues of concern and have them fully addressed without fear of retaliation. | O | O | O | O | O | O
Taking the Compliance Program seriously by participating in training, talking about the Code, avoiding conflict of interests, etc. | O | O | O | O | O | O
Holding their subordinates accountable for ethical business practices and compliance with all applicable laws, regulations, and provisions of our Code. | O | O | O | O | O | O
Applying the Company’s policies and Code consistently and fairly to all employees | O | O | O | O | O | O
Raising issues of concern to their peers rather than just “going along to get along.” | O | O | O | O | O | O

2. Peers: At our company my Peers in my division demonstrate by both word and deed that they are committed to the following:

Statement | Strongly agree | Agree | Neutral | Disagree | Strongly Disagree | Don’t Know
Ethical business practices and compliance with all applicable laws, regulations, and provisions of our Code. | O | O | O | O | O | O
Putting compliance and ethical conduct before production goals or other corporate objectives. | O | O | O | O | O | O
Holding their peers accountable for ethical business practices and compliance with all applicable laws, regulations, and provisions of our Code. | O | O | O | O | O | O
Raising issues of concern with their supervisor and having them fully addressed rather than just “going along to get along.” | O | O | O | O | O | O

 


3. Supervisor. At our company my supervisor demonstrates by both word and deed that s/he is committed to the following:

Statement | Strongly agree | Agree | Neutral | Disagree | Strongly Disagree | Don’t Know
Ethical business practices and compliance with all applicable laws, regulations, and provisions of our Code. | O | O | O | O | O | O
Putting compliance and ethical conduct before production goals or other corporate objectives. | O | O | O | O | O | O
Creating an open working environment where subordinates can raise issues of concern and have them fully addressed without fear of retaliation. | O | O | O | O | O | O
Taking the Compliance Program seriously by participating in training, talking about the Code, avoiding any conflict of interests, etc. | O | O | O | O | O | O
Holding his/her subordinates accountable for ethical business practices and compliance with all applicable laws, regulations, and provisions of our Code. | O | O | O | O | O | O
Applying the Company’s policies and Code consistently and fairly to all employees. | O | O | O | O | O | O
Raising issues of concern with his/her supervisor or peers rather than just “going along to get along.” | O | O | O | O | O | O

D. COMPLIANCE PROGRAM

1. OVERVIEW

Statement | Strongly agree | Agree | Neutral | Disagree | Strongly Disagree | Don’t Know
I know where to go when I have questions about the Compliance Program, our Code, or our Company’s Policies. | O | O | O | O | O | O
I know how to make a good faith report about possible Wrongdoing by a Company employee. | O | O | O | O | O | O
I know what my responsibility is for making a good faith report about possible Wrongdoing by a Company employee. | O | O | O | O | O | O
I am knowledgeable about the responsibilities I have for compliance with applicable laws and regulations, the Code, and other matters relating to ethical conduct in my job position. | O | O | O | O | O | O
I feel that I have received adequate training regarding applicable laws and regulations, the Code, and other matters relating to ethical conduct that affect the Company’s operations. | O | O | O | O | O | O
I feel that I have received adequate training regarding applicable laws and regulations, the Code, and other matters relating to ethical conduct that affect my job position. | O | O | O | O | O | O
I believe the Chief Compliance Officer is committed to complying with applicable laws and regulations, the Code, and other matters relating to ethical conduct that affect the Company’s operations. | O | O | O | O | O | O
I believe the CEO is committed to complying with applicable laws and regulations, the Code, and other matters relating to ethical conduct that affect the Company’s operations | O | O | O | O | O | O


2. INFORMATION AND TRAINING REQUIREMENTS

The following is a list of topics addressed in our Code and the related Policies that support the Code. The Code and the Policies are available online on the HomePage of the Company’s intranet and are also posted in a PDF version so that they may be printed in hard copy. Please indicate below whether you would like more information or training about these provisions of the Code or related Policies or if you feel you have had sufficient information or training on these subjects.

Topic | I would like more information or training on this subject. | I have sufficient information or training on this subject.

Code of Conduct O O

Fair Employment (equal employment, sexual harassment, etc.)

O O

Ethical Responsibility Policy (duty to report Wrongdoing, reporting mechanisms, etc.)

O O

Antifraud Policy O O

Antitrust and Fair Business Practices O O

Conflict of Interests and Disclosures O O

Customer Privacy O O

Confidentiality O O

Gifts and Entertainment O O

Government Inquiries and Investigations O O

Corporate Charitable Contributions O O

Political Activities O O

Insider Trading O O

Financial Standards and Accounting Practices O O

Workplace Standards of Conduct O O

Substance Abuse O O

Intellectual Property (Copyright, Trademarks, & Patents)

O O

Technology Use O O

Leave Policies O O

Travel Policies O O

Corporate Communications Policies (speaking with the media, endorsements, use of Company name, etc.)

O O

Other (please fill in)____________________________________________________________________________

O O

 


E. EMPLOYEE PROFILE

1. The following best describes my job level (check all that apply):
O Non-manager
O Manager (1-5 employees)
O Manager (5-10 employees)
O Manager (10 + employees)
O Vice President
O Senior Vice President
O Executive Vice President and above

2. I have been with the Company:
O less than a year
O 1-3 years
O 3-5 years
O 5-10 years
O 10-15 years
O 15 + years

3. I work in (optional):
O the Executive Offices
O Human Resources
O Legal Department
O Controller’s
O Internal Audit
O Compliance
O [Supplement with Other Departments]

4. Additional Information

If there is any additional information that you would like us to know about how the Company’s culture and Compliance Program may be improved, please let us know by filling out the form below or by e-mailing us at [email protected] or calling us at (XXX) XXX-XXXX. Please do NOT use this form to report possible Wrongdoing.

Thank you for your participation in this important process.

Jane Doright
Chief Compliance Officer

____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________


I. Tool Nine: Sample Employee Exit Interview Questionnaire

Background. The exit interview can present an excellent opportunity to measure the effectiveness of the compliance program and to secure information about possible misconduct. Employees who are leaving the company may feel more comfortable about sharing information, and giving them an opportunity to do so may allow the company to identify and correct problems before, or instead of, having those problems referred to a regulator or other authorities. The individual who is conducting the exit interview must be properly trained to ask follow-up questions to the ones posed below so that important matters will be appropriately explored. If misconduct is alleged, the interviewer must secure sufficient details to allow the company to pursue the matter. Such interviews are frequently conducted by company employees (HR or compliance or both), but other companies outsource the function in the belief that departing employees will be more candid with a third party. The following questions are suggested, and they should be supplemented with inquiries tailored to your Company’s operations and activities.

Employee Exit Interview Questions

■ Do you feel that you received adequate training regarding the Company’s Code of Conduct, ethical standards, and related policies?

■ Was there any training that you did not receive that you would have liked to receive?

■ What was the most effective method that the Company used to provide you with training or other information about the Code of Conduct, ethical standards, or related policies?

■ What do you think the Company can do to improve its communications with employees about the Code of Conduct, ethical standards, and related policies?

■ Do you feel that senior management (SVPs and above) acts ethically and complies with the law, the Code of Conduct and related policies?

• How about your peers?

• How about the managers in your chain of command?

■ Do you think this Company has an open working environment where employees feel comfortable raising issues for resolution without fear of retaliation?

■ Are you leaving the Company because of any legal or ethical concern you have about its operations or activities?

■ Were you ever asked to engage in any conduct that you thought was legally or ethically questionable?

■ Did you know how to anonymously report possible misconduct at the Company?

■ Did you ever observe or otherwise become aware of possible misconduct at the Company and decide not to report it?

• Why did you decide not to report it?

 


• What was the misconduct that you observed or became aware of?

■ Is there anything about the Company’s compliance program or possible misconduct at the Company that I did not ask you about that you think I should know?


VIII. Additional Resources

A. ACC Docket Articles

Mark Garfinkel, “Do it Diligently: How a New Best Practices Process Can Slash Expenses,” ACC Docket 27, no. 9 (Nov. 2009): 80-91, available at http://www.acc.com/legalresources/resource.cfm?show=721428.

James A. Nortz, “Business Ethics: Red Pill or Blue for You?,” ACC Docket 27, no. 6 (July 2009): 106, available at http://www.acc.com/legalresources/resource.cfm?show=423649.

Robert M. Echols, “Building a Best Practice FCPA Compliance System: Monsanto Company’s Perspective,” ACC Docket 27, no. 1 (Feb. 2009), available at http://www.acc.com/legalresources/resource.cfm?show=130590.

James A. Nortz, “Business Ethics: Compliance and Ethics Program Performance Metrics,” ACC Docket 25, no. 5 (June 2007): 92-93, available at http://www.acc.com/legalresources/resource.cfm?show=14499.

Joseph C. Hutchison, “The Acid Test for Your Compliance Program,” ACC Docket 24, no. 4 (Apr. 2006): 72, available at http://www.acc.com/legalresources/resource.cfm?show=14693.

James A. Nortz, “Business Ethics: Re-wiring the Company for Compliance & Ethics,” ACC Docket 24, no. 2 (Feb. 2006): 75, available at http://www.acc.com/legalresources/resource.cfm?show=14716.

Dinah Seiver, “Setting Up a Compliance Department from Scratch,” ACC Docket 21, no. 9 (Oct. 2005): 22-31, available at http://www.acc.com/legalresources/resource.cfm?show=20822.

Teresa T. Kennedy et al., “About That Compliance Thing: Creating and Evaluating Effective Compliance Programs,” ACC Docket 22, no. 10 (Dec. 2004): 24-43, available at http://www.acc.com/legalresources/resource.cfm?show=17013.

James A. Nortz, “Business Ethics: Put Some Life into Your Program,” ACC Docket 22, no. 2 (Feb. 2004): 56-69, available at http://www.acc.com/legalresources/resource.cfm?show=721428.

“GE: Governance Changes That Contribute to a Culture of Compliance,” ACC Docket 21, no. 5 (Mar. 2003): 20, available at http://www.acc.com/legalresources/resource.cfm?show=151432.

“Marketing Compliance: How to Sell Your Company on Protecting Itself,” ACC Docket 18, no. 9 (Oct. 2000): 55-70, available at http://www.acc.com/legalresources/resource.cfm?show=84597.

“Compliance is a Dirty Word,” ACC Docket 17, no. 1 (Jan. 1999): 40, available at http://www.acc.com/legalresources/resource.cfm?show=101874.

 


B. ACC Annual Meeting Material

Karl Chen et al., “The Counsel’s Role in the Ethics & Compliance Programs,” ACC 2009 Annual Meeting, Session 106, available at http://www.acc.com/legalresources/resource.cfm?show=736638.

Gerard Cavaluzzi et al., “Effective Compliance Programs on a Shoestring Budget,” ACC 2009 Annual Meeting, Session 410, available at http://www.acc.com/legalresources/resource.cfm?show=741065.

John Beccia III et al., “Challenges Faced When Establishing an Enterprise-Wide Compliance Risk Management Program,” ACC 2007 Annual Meeting, Session 208, available at http://www.acc.com/legalresources/resource.cfm?show=19957.

Jeffrey L. Antoon et al., “Collaboration on Compliance,” ACC 2005 Annual Meeting, Session 309, available at http://www.acc.com/legalresources/resource.cfm?show=20312.

Monica Caston et al., “Best Practices for Building an Effective Corporate Compliance Program,” ACC 2005 Annual Meeting, Session 912, available at http://www.acc.com/legalresources/resource.cfm?show=20253.

Theodore L. Banks et al., “You Have An Effective Code of Compliance- Now What? Running An Effective Compliance Program,” ACCA 2003 Annual Meeting, Session 811, available at http://www.acc.com/legalresources/resource.cfm?show=20490.

Michel P. Floes et al., “Best of ACCA Chapters Establishing & Managing a Compliance Program,” ACCA 2002 Annual Meeting, Session 404, available at http://www.acc.com/legalresources/resource.cfm?show=20592.

Sol Glasner et al., “Implementing Compliance Programs for the Small Department,” ACCA 2001 Annual Meeting, Session 403, available at http://www.acc.com/legalresources/resource.cfm?show=20708.

C. ACC InfoPAKs

“Compliance Training and E-Learning Programs: Leading Practices in Designing, Implementing, and Supporting Risk Assessment and Communication Strategies,” ACC InfoPAKSM (July 2010), available at http://www.acc.com/legalresources/resource.cfm?show=19710.

“Framework for Conducting Effective Compliance and Ethics Risk Assessments,” ACC InfoPAKSM (July 2010), available at http://www.acc.com/legalresources/resource.cfm?show=19642.

“Corporate Compliance,” ACC InfoPAKSM (Aug. 2009), available at http://www.acc.com/legalresources/resource.cfm?show=19684.

“In-House Counsel Standards Under Sarbanes-Oxley,” ACC InfoPAKSM (Jan. 2006), available at http://www.acc.com/legalresources/resource.cfm?show=19652.

“Sarbanes-Oxley Primer for the Small Law Department,” ACC InfoPAKSM (Sept. 2005), available at http://www.acc.com/legalresources/resource.cfm?show=19647.

D. ACC Webcasts

“Effective Compliance and Ethics Programs: Guidelines for Implementations and Maintenance,” ACC Webcast (Sept. 8, 2005), available at http://www.acc.com/legalresources/resource.cfm?show=16426.


E. Other Resources

Sally March, “Compliance in Troubled Times,” ACC Europe Annual Conference 2009 Program Material (June 2009), available at http://www.acc.com/legalresources/resource.cfm?show=800615.

Heather R. Badami et al., “Structuring a Corporate Compliance Function,” ACC 2006 Corporate Counsel University Program Material, Session 702, available at http://www.acc.com/legalresources/resource.cfm?show=20212.

“Sample Corporate Compliance and Ethics Plan,” ACC Sample Form and Policy (Mar. 2006), available at http://www.acc.com/legalresources/resource.cfm?show=13009.

“Law Department’s Role in Developing and Implementing Compliance and Ethics Programs,” ACC Leading Practices Profile (July 2005), available at http://www.acc.com/legalresources/resource.cfm?show=16802.

“Compliance Tools,” ACC Sample Forms and Policies (July 2005), available at http://www.acc.com/legalresources/resource.cfm?show=13033.

 

 
