What is the best way for your company to structure an effective ethics and compliance program?
Video 7: How to Establish an Effective Compliance Program Under the FCPA?
What is the best way for your company to structure an effective ethics and compliance program? Tom Fox believes it all begins with tone at the top. To have a successful compliance program, you must have a commitment from senior management, without which your paper program may be ineffective. However, even with great commitment, absolutely everything must be documented.
Tone at the Top
It all begins with the tone of senior management. There must be a commitment to having an effective compliance program. If there is no such commitment, it does not matter what paper program is in place; your FCPA compliance program will not be effective.
What are the Essential Elements of an Effective Compliance Program?
There are several national and international standards as to what constitutes an effective compliance program. These include the 10 Hallmarks of an Effective Compliance Program as set out in the FCPA Guidance, the UK Ministry of Justice’s Six Principles of an Adequate Procedures Compliance Program and the OECD 13 Good Practices of an Effective Compliance Program. All of these guides can be boiled down to five essential elements:
- Leadership: is management actively committed to compliance?
- Risk Assessment: you must assess your risks and manage them.
- Standards and Controls: do you have a Code of Conduct and appropriate FCPA policies, procedures and internal controls?
- Training and Communication: how do you train your employees, and how is the message of compliance transmitted throughout your organization?
- Monitoring, Auditing and Response: how do you test and manage your program going forward, and how do you deal with any problems?
Document, Document, Document
After you have set up your compliance program, everything must be documented. The only way to defend yourself and your program from an FCPA enforcement action is to document your efforts going forward. Remember, if it is not documented, in a regulator’s eyes it never happened.