Chapter 2: Foundational Materials and Program Infrastructure
Essential Elements of an Effective Ethics and Compliance Program
Don't show this message again
By Debbie Troklus, CHC-F, CHRC, CCEP-F, CHPC, CCEP-I; and Sarah Couture, RN, CHC, CHRC
Although a one-size-fits-all compliance and ethics program does not exist, the Chapter Eight of the Guidelines Manual outlines seven basic compliance elements that can be tailored to assist organizations in developing an effective compliance and ethics program. It is critical that there is demonstrated commitment to these seven basic elements:
Standards, policies, and procedures
Compliance program administration
Communication, education, and training
Monitoring and auditing
Internal reporting systems
Discipline for noncompliance
Investigation and remediation measures
Every organization strives for this effective program in the hopes of gaining some level of protection for having an effective compliance and ethics program. In addition, the elements have been massaged by the compliance and ethics industry, as they have been implemented in actual compliance and ethics program models. The industry has now defined the following as the components of an effective compliance and ethics program (not all inclusive):
Code of conduct and relevant compliance policies and procedures
Oversight and accountability by the board for the compliance program
Education, communication, and awareness
Delegation of authority
Enforcement, discipline, and incentives(Video) Five Key Elements of an Effective Ethics Program
Monitoring and auditing
Internal investigations, including a root cause analysis and corrective action plans
Consistent and fair discipline
Effectiveness assessments of the compliance and ethics program
Ongoing program improvement
While the cost and the time involved may seem daunting, the cost of not having an effective compliance and ethics program could be much higher. Compliance is not cheap. Yet as a Department of Justice official notes, “[C]ompliance programs make good sense—both good common sense and good business sense. Compliance programs help prevent companies from committing crimes in the first place. Even if they fail to do so, partially successful compliance programs may help companies qualify for leniency. Either outcome easily warrants your companies’ efforts to adopt and strengthen compliance programs.” An effective compliance and ethics program is a sound investment.
It is always important to note that each organization needs to tailor its compliance and ethics program to its specific mission and ethical values. Your organization may have stricter guidance that includes additional elements. This manual does not include every compliance and ethics element used by every organization globally. But it tries to address the standard used by most organizations—the elements listed above.
Additionally, note that while the seven elements provide a standard structure and framework for the compliance program, every compliance program can and should look different from another organization’s compliance program. A compliance program should be tailored to the size and complexity of the specific organization and should be operating according to that organization’s unique risk profile. And as your organization changes, the risk profile evolves, and the regulatory landscape shifts, the compliance program must keep pace and evolve to remain effective.
Many new compliance and ethics officers come into programs that have none of these elements. Some come into their new office with some or broken pieces of these elements. Keep in mind that effective compliance programs do not happen overnight.
Element 1: Standards, Policies, and Procedures (a Code of Conduct)
An organization should have an established set of compliance standards and procedures. These standards should not be a “paper only” document, but a living document that promotes organizational culture that encourages ethical conduct and a commitment to compliance with applicable regulations and laws.
The first of the Guidelines Manual’s prescribed compliance elements requires that “The organization shall establish standards and procedures to prevent and detect criminal conduct…‘Standards and procedures’ means standards of conduct and internal controls that are reasonably capable of reducing the likelihood of criminal conduct.” These two documents, the standards or code of conduct and the policies and procedures, become the tools upon which you can build your compliance and ethics program.
Code of Conduct
First and foremost, the code of conduct demonstrates the organization’s overarching ethical attitude and its system-wide emphasis on ethics and compliance with all applicable policies, laws, and regulations. The code is meant for all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. This includes the board, management, staff, vendors, suppliers, volunteers, and independent contractors, which are frequently overlooked groups. From the board of directors to volunteers, everyone must receive, read, understand, and agree to abide by the standards of the code of conduct. The code should be written in a simple and concise manner that is reader friendly. It is not recommended that an organization include policies and procedures in its code. Scenarios and examples are great to explain how to handle a situation. An eighth-grade reading level is recommended. Simple and concise does not mean generic, however. The contents of the code of conduct will need to be tailored to the organization’s culture and risk profile and to its industry and corporate identity. Also, institutions with a diverse constituency should consider providing the code of conduct in a foreign language, or even braille as appropriate. Policies and procedures should not be included in the code, but a link to those that are relevant should be considered for inclusion.
The code of conduct provides a process for proper decision-making for doing the right thing. It elevates corporate performance in basic business relationships and confirms that the organization upholds and supports proper compliance conduct. Managers should be encouraged to refer to the code of conduct whenever possible, even incorporating elements or standards into performance reviews, and compliance with the standards must be enforced through appropriate discipline when necessary. Disciplinary procedures should be stated in the standards, and the penalty—up to and including termination—for serious violations of the standards of conduct must be mentioned to emphasize the organization’s commitment.
Demonstrates system-wide emphasis on compliance with all applicable laws and regulations
Written plainly and concisely so all employees can understand the standards
Translated into other languages, as appropriate
Includes links to internal policies and external regulations
Includes expectations for employee actions with internal affairs and other employees, as well as with external affairs and contractors and clients
Mentions organizational policies without completely restating them
Is consistent with company policies and procedures
Includes management’s responsibility to explain and enforce the code
Communicating to Employees Checklist
Employees must receive, read, and understand standards(Video) Webinar - Seven Elements of an Effective Compliance Program
Compliance officer, supervisor, or qualified trainer explains standards and answers questions
Employees attest in writing upon hire and annually they have received, read, and understood standards
Employee compliance with standards enforced through appropriate discipline when necessary
Discipline for noncompliance with the code stated in standards
To present overarching guidelines for employees to follow
To confirm that all employees comprehend what is required of them
To provide a process for proper decision-making
To require that employees put standards into everyday practice
To elevate corporate performance in basic business relationships
To confirm that the organization upholds and supports proper compliance conduct
In addition, see Appendix 2-A, “Sample Letter to Vendors,” for an example of a letter describing the company’s code of conduct.
Policies and Procedures
Whereas a code of conduct provides guidelines for business decision-making and behavior, the compliance and ethics policies and procedures are specific, and address identified areas of risk. Most organizations already have an employee manual that outlines all human resource-related policies and procedures, and they may have other operational policies and procedures specific to certain business practices or operations. Whenever possible, compliance policies and procedures should be integrated into existing policies, and all policies within an organization should be consistent with laws, regulations, industry requirements, and general compliance. In fact, as part of the implementation of a compliance and ethics program, and while in the process of drafting compliance policies and procedures, all other policies within the organization should be reviewed and revised as necessary. While it is imperative that the organization have policies and procedures, it cannot be emphasized enough that the only thing worse than not having a policy is having a policy and not following it.
Develop your policies and procedures carefully. Organizations should have procedures that guide the development of policies. Take care that they are realistic, measurable, and enforceable. Lofty goals and platitudes may seem appealing, but they are too frequently open to interpretation. Involve those that are affected by the policy in its development. Assure that the policies have a stated timeline for revisions and that someone is identified as accountable for the policy.
Two types of compliance policies and procedures should be developed by every organization: structural and substantive. The structural policies create the framework—the nuts and bolts of how the compliance and ethics program will operate. The substantive policies define the applicable regulations that apply to the organization and how to operate compliantly within those regulations. They also indicate the risk areas applicable to an organization and describe appropriate and inappropriate behaviors about those risk areas. Both the structural and the substantive policies and procedures are essential to a compliance and ethics program so that the rules to which employees will be held accountable and the method for enforcing the rules are clearly documented.
Structural policies and procedures should be developed to address the following:
Directives or mission of the compliance and ethics program
Revision of existing and creation of new policies and procedures (including distribution and updating requirements)
Compliance program oversight, including role and responsibility of the board of directors, the CEO, the compliance officer, and the compliance and ethics committee, if applicable
Nonretention of sanctioned individuals and noncontracting with sanctioned contractors or vendors
Policy for method for anonymous reporting and nonretaliation for reporting
Method for responding to reports of possible misconduct
Method for responding to internal and external requests for documents or to external investigations, search warrants, and/or subpoenas(Video) The 7 Elements of an Effective Compliance Program Explained
Disciplinary action plan
Substantive policies and procedures should be developed to address the following:
Process for preparing financial reports (including preparation of worksheets and supporting documents)
Process for preventing inappropriate actions in specific risk areas
Process for ensuring appropriate behavior in specific risk areas
Types of and processes for internal assessments of risk areas
Content and frequency of audits
Policies and procedures, like the code of conduct, must be living documents, not just in a binder on a shelf or online. They must become an integral part of the day-to-day operations of the organization. That is what regulators will look for. Are the policies and procedures appropriate, considering the organization’s risks? How are the policies and procedures applied every day? Are they incorporated into performance reviews? Educational programs? Are they reviewed and updated according to a schedule and in a timely fashion? Revising policies and procedures is something like painting the Golden Gate Bridge: Just when you think you’re finished, you have to start again at the beginning. Again, standards of conduct, policies, and procedures are the tools of compliance and ethics, but they must be used and sharpened to be effective.
Element 2: Compliance Program Administration
An organization should have the appropriate high-level personnel overseeing the compliance and ethics function, with a specific executive given overall responsibility. These compliance personnel should have accountability as to the success or failure of the compliance and ethics program. Adequate resources must be dedicated to implementing the program. The organization’s governing structure—in many cases the board of directors—must exercise reasonable oversight of the implementation and effectiveness of the program.
An organization should designate a compliance officer to serve as the focal point for compliance activities. Whether the position is full time or part time will depend on the size, scope, and resources of the organization. Also, according to the Guidelines Manual, assigning the compliance officer appropriate authority is critical to the success of the program. On a specific level, for example, the compliance officer must have full authority to access any and all documents that are relevant to compliance and ethics activities. This includes documents such as financial statements and supporting documents, contracts with suppliers and agents, and other billing and accounting records. In the big picture, “appropriate authority” comes from the unquestionable backing by the CEO and board of directors or its equivalent, typically the sources of ultimate authority and respect.
Appropriate authority and the full backing of the board of directors and management are consistent with the Guidelines Manual ’s call for “Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program….To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.” This is logical, because it is generally the board that launches the compliance initiative and/or approves the hiring of the compliance officer. Board members should be actively involved in interviewing and hiring the compliance officer. The board will be an important part of the compliance officer’s reporting structure.
There are considerable conflicts involved in having the compliance officer report to the general counsel or to the chief financial officer. Separation of compliance from legal and finance, when possible, helps ensure that legal reviews and financial analyses are independent and objective. Many compliance officers report directly to the organization’s CEO and/or the board of directors. It is most important that the compliance officer be independent.
The size and setting of your organization will influence its reporting structure. It is recommended that the board or its appointed committee have at minimum a “dotted line” or indirect reporting relationship with the compliance officer.
The compliance officer’s duties also will vary depending on size and scope of the program. The main focus of the position should be the day-to-day operations of the compliance and ethics program. Primary responsibilities should include the following:
Designing, implementing, overseeing, and monitoring day-to-day operations of the compliance and ethics program
Reporting on a regular basis to the organization’s governing body, CEO, and compliance and ethics committee
Assessing effectiveness of the compliance program and revising the program periodically as appropriate
Developing, coordinating, and participating in a multifaceted educational and training program
Ensuring that independent contractors and agents are aware of the organization’s compliance and ethics program requirements
Serving as a source of information for employees, management, contractors, and the board
Ensuring that appropriate background checks are done to eliminate sanctioned individuals and contractors
Assisting with internal compliance review and monitoring activities(Video) The Seven Elements of Effective Compliance Burst 2
Independently investigating and acting on matters related to compliance
Conducting risk assessments and working with management to prioritize risk and develop mitigation plans
Compliance is still a relatively new field. Most compliance officers therefore may not have extensive previous experience in compliance. This unique position requires an individual who understands the nature of the business or industry, is capable of understanding and questioning financial and billing statements, is knowledgeable of applicable legal requirements and sanctions that may be imposed in the industry for wrongdoing, has strong written and verbal communication skills, and is firm yet approachable. Whatever the tenure or the educational level, the compliance officer, as the focal point of the program, must be a figure who is respected and trusted throughout the organization. Strong interpersonal skills, good listening abilities, and discretion are mandatory. (See Appendix 2-C, “Sample Compliance Officer Job Description.”)
As the compliance and ethics profession has grown and matured, it has, like other professions, sought to identify and distinguish those in the field who have, with experience and education, achieved the necessary skill set to be an effective compliance officer. There are now several compliance-related certification and degree programs.
Moreover, compliance officers are also stewards of a public trust, and therefore the services provided must be of the highest standards of professionalism, integrity, and competence. The SCCE’s Code of Professional Ethics for Compliance and Ethics Professionals addresses three principles, which are broad standards of an aspirational nature. They include:
Principle I: Obligations to the Public—Compliance and ethics professionals should abide by and promote compliance with the spirit and the letter of the law governing their employing organization’s conduct and exemplify the highest ethical standards in their professional conduct in order to contribute to the public good.
Principle II: Obligations to the Employing Organization—Compliance and ethics professionals should serve their employing organizations with the highest sense of integrity, exercise unprejudiced and unbiased judgment on their behalf, and promote effective compliance and ethics programs.
Principle III: Obligations to the Profession—Compliance and ethics professionals should strive, through their actions, to uphold the integrity and dignity of the profession, to advance the effectiveness of compliance and ethics programs, and to promote professionalism in compliance and ethics.
These principles and the accompanying more detailed rules of conduct should be reviewed, studied, and adhered to by all compliance officers. To view the entire code and an analysis of its meaning, see Chapter 1.
The compliance officer may be the focal point of a compliance and ethics program, but they cannot be the only point. An essential role of the compliance program is engaging leaders, managers, and employees, so those in the organization understand that being compliant is everyone’s responsibility. The formation of a multidisciplinary compliance committee can be an effective addition to the program and can help empower leaders and managers to actively promote compliance and “own” compliance in their areas of purview. The compliance committee should be established to advise the compliance officer, assist in the implementation of the compliance program, and further engage leaders and/or managers in compliance. The organization will benefit from having varying perspectives, such as operations, finance, audit, human resources, social work, and legal, as well as employees and managers of key operating units on the committee.
The compliance officer’s role within the compliance committee can vary. In some organizations, the compliance officer sits on the committee. In others, the compliance officer may even chair the committee. Regardless of who chairs the committee, the compliance department will likely be responsible for scheduling meetings, preparing the agenda, taking and distributing minutes, and coordinating follow-up.
Compliance committee functions, in addition to aiding and supporting the compliance officer, may include, but not be limited to, the following:
Analyzing specific risk areas
Assisting with the development of standards of conduct, policies, and procedures
Annually reviewing the compliance plan
Reviewing relevant industry guidance and new information regularly and integrating it into the compliance and ethics program
Determining the appropriate strategy to promote compliance
Participating in the risk assessment process
Empowering and helping hold accountable operational leaders and managers for compliance in their areas of purview (i.e., reporting on specific risk remediation efforts and internal controls)
The importance and potential influence of the compliance committee cannot be overstated. Look for committed individuals who will be strong, visible, and vocal advocates for the compliance and ethics program. Furthermore, the committee should be made up of individuals representative of each unique department in the organization so that they can communicate to the rest of the committee and the compliance officer the compliance and ethics activities and risk areas within their department, and in turn communicate back to their respective departments the organization’s compliance and ethics requirements. The committee is a vital source of information both to the compliance officer and the rest of the organization.
This document is only available to subscribers. Please log in or purchase access.
What are the 7 elements of an effective compliance program? ›
- Policies & Procedures.
- Chief Compliance Officer/Compliance Committee.
- Education & Training.
- Monitoring & Auditing.
- Responding To Issues.
- Connection to a Compliance Officer and reporting through a Compliance Committee. ...
- Written standards. ...
- Communication channels. ...
- Education and training. ...
- Auditing and Monitoring. ...
- Response. ...
To be effective, ethics and compliance programs should encourage reporting of misconduct; protect those who identify wrongdoing (whistleblowers); and facilitate timely responses that remediate misconduct in the event it is reported.What is the most important element of a compliance program? ›
A very essential aspect of a robust compliance program is training. From company officers, employees to third parties, everyone that forms a part of the organization internally and externally needs to be informed about compliance. This includes relevant laws and regulations, corporate policies, and barred conducts.What five important factors should an effective compliance program have? ›
- Risk Assessment.
- Standards and Controls.
- Training and Communications.