A compliance & ethics program on a dollar a day

Introduction

Roy Snell, former CEO and co-founder, Society of Corporate Compliance and Ethics, Health Care Compliance Association

I have listened to those who are reluctant to implement compliance programs complain for many years. I must admit, I am not sure I understand how you could oppose making an effort to follow the law and maintain an ethical culture. As is the case in many controversial issues in which someone’s position is weak or they have a limited grasp of the subject matter, they tend to exaggerate and make vague assertions/assumptions. In this case, those who are reluctant claim compliance programs are expensive. 

Of course you could, if you wanted to, spend any amount of money on compliance and ensure your efforts are expensive. Some have indeed created expensive compliance programs. However, the idea that any company that wants a compliance program must spend a lot of money is without merit. The claim that some companies—those that are small and medium sized—are too small to implement a compliance program is not accurate. Anyone with any business experience and who is being honest knows that any business operation can be managed efficiently or inefficiently. Compliance is no different. You can implement an effective compliance program with a small investment if you know what you are doing. 

People who do not know what they are doing tend to go overboard or assume you have to do outrageously extravagant things to be effective. But people who know what they are doing tend to do things efficiently. I have never met a compliance professional who knew what they were doing claim that small companies couldn’t afford to do anything. I have seen inexperienced “advisors” help companies spend way too much on compliance because they didn’t know what to do, so they suggest doing large, clunky, bureaucratic processes. I have seen people invest millions in a compliance program and because they invested that money so unwisely I would not give you a plugged nickel for their efforts. I watched one firm pay a consultancy millions of dollars to write about forty three-ring binders full of policies and procedures. It was probably one of the all-time compliance program boondoggles. The company thought they had done something, the consulting firm made money, and in the end, the paper turned yellow. Compliance is not just about policies spread out over reams of paper (or megabits of computer capacity) or other bureaucratic steps that drain resources and waste time. Compliance programs are about using compliance tools intelligently and in concert to effectively prevent, find, and fix problems.

We have been long overdue to respond to the false allegation that for a compliance program to be effective you have to throw a ton of money indiscriminately into a pool of consultants and policy writers. Joe Murphy recently showed me a document he wrote, A Compliance & Ethics Program on a Dollar a Day. I recounted our collective frustrations about the false allegations and asked him to let us publish this as a pamphlet. I suggested we “paper the world with the document.” Naturally, we decided to make sure that it was inexpensive, so we settled on offering it free to anyone. In fact, we are distributing it free electronically for anyone who wants it. They, in turn, can use and circulate it wherever they want (just keeping SCCE’s and Joe’s name on it). There is one obvious caveat. This is intended for smaller companies. We do not imply that large companies in high-risk industries can implement compliance programs for a dollar a day. However, those who operate compliance programs in larger companies can surely become more cost effective by studying Joe’s effective and efficient strategies. Any program can be made to be more effective and cost efficient. Therefore, anyone can benefit from Joe’s perspective on cost-effective compliance efforts.

A Compliance & Ethics Program on a Dollar a Day: 

How Small Companies Can Have Effective Programs

Joseph E. Murphy, CCEP, CCEP-I 

You own or manage a company that is not a Fortune 500 giant, but not something you run out of your living room. You’ve heard that government enforcement agencies expect companies to have compliance and ethics programs or maybe you have seen reports about the industry leaders establishing these programs, and you want to know what this is about. Why should you consider having a “compliance and ethics program?” What will it do for your business and is it something you can afford?

In large companies and other organizations today, there is a strong movement to develop methods to prevent violations of law and unethical conduct. Among such companies, there are substantial, formal programs. These companies have dedicated staffs and significant budgets for this activity. They have adopted extensive codes of conduct, deployed online computer-based training programs, and hired major law and accounting firms to help in this task. Is this something your firm should be looking into?

What is a compliance and ethics program?

You might expect that a compliance and ethics program is some exotic legal structure invented by the big accounting and law firms, or a set of detailed legal rules the government wants companies to follow. But in reality programs that work are about two things: a management commitment to do the right thing, and effective management steps to make that happen. It is about making sure that all those who work for the company know what to do, and believe that the company is serious about acting legally and ethically. The same types of management tools that make a company run successfully also need to be used to make sure it runs legally and ethically. 

Why would you want a compliance and ethics program?

Companies have compelling reasons to make this effort. The first point of reference is something called the Federal Sentencing Guidelines. Under these standards, which Federal judges in the U.S. use in sentencing, a company that is convicted of a federal crime will face extraordinarily large fines. But if a company self-reports, cooperates with the government, and has an effective compliance and ethics program, it receives a steep reduction in fines: a 95% cut. This is a development that has caught the attention of many, but there is much more that has kept interest high in this area.

Obviously, the best reason to have a compliance and ethics program is to prevent a violation in the first instance. Businesses have been hit with enormous fines; businesspeople who break the law have faced lengthy prison terms. The associated cost of litigation and the impact of a damaged reputation need no elaboration. An especially important benefit is that even if a violation does occur, a diligent self-policing program is something enforcement authorities have said they will consider in determining how to handle any possible case against a company. Your company might avoid being prosecuted or at least receive more lenient treatment. It can also save you from being cut off from all government business (debarred). In some areas of the law, a program can even save you from liability if you are sued (e.g., certain types of sexual harassment); it can also be used to fight punitive damages claims. 

Enforcement agencies outside the U.S. are also looking for companies to adopt compliance and ethics programs. The OECD, a treaty organization of the most economically developed democracies, has joined with other nations in a commitment to prosecute foreign bribery. These countries, including the U.S., have committed to promote compliance and ethics programs and have issued a guidance document on steps to take in such programs. Whether a violation occurs in the U.S. or in another country, a company will want to have a good story to tell enforcement authorities about its efforts to follow the laws and act ethically. 

A program that builds management skills and a structure of business control not only may stop your company from becoming a criminal—it may also help save you from becoming a victim of others’ waste, fraud and abuse. The Association of Certified Fraud Examiners has determined that the typical company loses 5 to 6 percent of its annual revenue to fraud—a good program can cut that expensive risk. 

Nor are the benefits just defensive. Increasingly, blue chip companies are looking to do business with third parties they can trust. A smaller company with the sophistication to implement a compliance and ethics program is a much safer and more desirable business partner for these large companies. If you are a smart businessperson you can use your compliance and ethics initiatives as a way to network with larger companies to open doors that would otherwise have been inaccessible to you. And one additional consideration: Do you want to sell your business and retire rich some day? You may find the buyer asking you about your company’s compliance and ethics program as a regular part of pre-acquisition due diligence. The blue chip companies already have compliance and ethics programs in place, and they want to know they are not buying into trouble when they look at your company.

Are compliance and ethics programs the exclusive domain of the advantaged few? 

Fortunately, this is not an area where bigger is necessarily better. The degree of formality required for an effective program depends on factors such as a company’s size. Because of this, smaller companies can actually be at an advantage over larger entities.  As the European Commission’s competition law enforcement agency recognized, “Small and medium-sized companies have the advantage that the ‘tone from the top’ can more easily be disseminated to the employees, who are fewer in number.” While the top executive at a Fortune 500 company cannot know every employee, the head of a smaller company can have personal contact with employees and have an easier time conveying the message that integrity counts. With a real commitment from the top, and with the right advice, a smaller company can have an effective program that can not only gain as much credit as those in the larger companies, but can actually have an effect in avoiding legal and ethical trouble, and even improve a company’s business performance. That is because the single most important ingredient is one that costs nothing: Being serious and making a commitment to ethical business. This leads to an important caution: You should only proceed with a compliance and ethics program if you are serious about doing the right thing. A sham program is worse than none at all.

Where do you start? 

The most important guide for compliance and ethics programs starts in one of the last places you might think to look—the standards federal judges in the U.S. use when sentencing criminals. For convicted companies, these standards, the Federal Sentencing Guidelines, tell a judge how heavy the fines will be. But the Guidelines also offer an enormous break for companies that have effective compliance and ethics programs, report violations and cooperate with the government. To be “effective,” the compliance program must be “diligent,” and meet seven minimum standards. Unlike much of what you may encounter in government standards, these Sentencing Guidelines standards are, for the most part, a good guide because they are management oriented. The list is very close to what an experienced manager would use to manage any business project. Also, their impact is not limited to sentencing; these same standards influence other parts of the legal system and have been an enduring international resource.

While the Sentencing Guidelines are the premier template they are not the only one. Another prominent standard issued by the OECD, a treaty organization that includes the U.S., is the Good Practice Guidance. While the OECD document is focused on preventing foreign bribery, it does list practical steps that, for the most part, would work for any program. We draw on that also, as well as experiences of other companies, in discussing how to set up a program on a small-business budget.

Do you need high-priced experts to have an effective program? 

While others might disagree, we believe the answer is “no.” However, there are times when it is important to get help. For example, at the first sign that there may be violations of law in your company, it is best to obtain experienced legal counsel. Remember, too, that the ideas in this memo are offered to you as starting points. This memo is not intended as a substitute for sound legal advice. When you need legal advice, you should consult competent legal counsel.

We believe a company can have an excellent compliance and ethics program without major out-of-pocket expenses. There are just a few items you should purchase to start. We recommend that whoever you put in charge of your compliance and ethics program should seriously consider joining the Society of Corporate Compliance and Ethics (“SCCE”). The annual cost is $325 for an individual membership, and the benefits of being part of a professional compliance and ethics organization are substantial. But even without membership your compliance and ethics professional should take full advantage of all the free resources available through the SCCE’s website, www.corporatecompliance.org. We do not count as expenses anything you already have for the business, such as a computer, smartphone, internet access, etc. These are not things you would purchase just for a compliance and ethics program.

The out-of-pocket expense of implementing a compliance and ethics program can be trivial, but the effort is not. The key ingredient is not money, but diligence. You need to be serious and follow through.

A Dollar?  Really?  Isn’t it much more?

There is also an obvious question about personnel costs.  The “dollar a day” is dealing with money spent to buy things. But wouldn’t a company also have expenses to pay people for their compliance work?  If you keep the focus on what counts most – commitment – the reason for the dollar-a-day reference becomes clearer. Commitment does not cost money, but has an enormous impact.  While the compliance steps do take some time, in a small business they can be done without hiring additional people. You may have heard the saying, “work expands to fill the time available.”  In small businesses it is not unusual for everyone to be very busy.  But I will share a real life story about this.  I used to visit a business that was very small – just a handful of people.  They were pressed to the wall in terms of time commitments. Yet I remember one fall when I went in and saw on the wall one of the most detailed and complicated charts I had ever seen. It had to have taken a ton of work.  What was it?  The Fall football pool chart. When there is something we really consider important somehow we find the time to do it. Also, much of what is described in this paper are basic management steps you should already be doing as part of an efficient business. 

Also, be careful not to confuse the cost of compliance with the cost of a compliance program. For example, if you manufacture medicines there is no alternative to spending money to comply with the law.  But then your choice is to obey the law or to try to save money by breaking the law. If your business depends on illegal conduct you are looking in the wrong place for advice.  But if you want to ensure your people follow the law, then the points spelled out here are for you.   

STEPS TOWARD A DILIGENT COMPLIANCE AND ETHICS PROGRAM

Here are the basic compliance and ethics elements drawn from the Sentencing Guidelines, the OECD Good Practice Guidance, and company practices, with ideas for how to meet these elements effectively without major expense. Under each element there are numerous examples of things you can do. You have many options among these examples, but to hit the minimum standards and have a program that works, be sure you have addressed each topic.



Starting points.

1.   Go online to the website of the Society of Corporate Compliance and Ethics, www.corporatecompliance.org. There are enormous amounts of resources available here for free. Cost: $0. 

2.   Go on LinkedIn and join SCCE’s group and other relevant compliance groups.  You can network with peers globally, read helpful materials and posts, and ask questions to get help.  Basic membership is free. Cost:  $0 


3.   Network with other companies, big and small. One great characteristic of the compliance and ethics field is that sharing is considered part of the profession. Whether it is a neighboring business, a supplier, or a customer, they may have their own compliance and ethics officer and useful materials they would share with you. You can contact the compliance and ethics officers at big companies you do business with (or want to impress) for copies of their materials. Feel free to ask others, but make sure each thing you get actually makes sense for your company. Cost: $0.

4.   Use groups where you are already a member. These may be trade industry associations, local chambers of commerce, or groups like Rotary. They provide opportunities for networking on compliance and ethics issues, and also a forum for outside speakers to provide information for free that is useful for your program. Cost: $0.

5.   Keep a record of everything you do as part of your program. Keep this on your computer and/or in the cloud—it’s not necessary to use paper by printing it out. (But be sure you back up your computer—if you are not already doing so, start today, not for compliance and ethics purposes but because your business could be at risk.) Cost: $0.

A. Risk assessment. Know what compliance and ethics risks your business faces and address them based on how dangerous they are. 

1.   Read your trade journals and business press. If you already read The Wall Street Journal, read some of their reports on violations and compliance problems other companies are having. Did another company get in trouble in an area that also affects your business? Is someone in your industry under investigation? Learn from their mistakes and make sure you have included this area in your compliance and ethics program. If you do not subscribe to any business publications or The Wall Street Journal then occasionally stop in the library and read them there. Keep a written record that you are doing this. Cost: $0.

2.   Look at the online codes of conduct of companies in similar businesses. These codes typically address many of the risks they and you face. Include these in your risk assessment. Cost: $0.

3.   If you are in a trade association, ask them to have outside speakers such as lawyers address the group on potential compliance and ethics issues. You can also do this on a more general basis in groups like Rotary. Add this input into your risk assessment. Cost: $0.

4.   Have your trade association conduct compliance and ethics risk assessment meetings or discussions and use their information in your own assessments. Cost: $0.

5.   Go through a list of legal risk areas and think about which ones might affect your business. Which ones have already meant trouble for others in your industry? Document each thing you do as a result of these risk inputs, so it never appears that you ignored a risk that might apply. Cost: $0.

6.   If you form an internal compliance and ethics committee, include as a regular agenda item a discussion of what risks the company faces. Be sure to keep minutes of these discussions. Cost: $0.

B. Have standards and procedures to prevent violations.

1.   “Standards” typically include codes of conduct. Go online and look at what other companies have said in their codes of conduct. Companies on the major stock exchanges now post their codes of conduct online, so there is an enormous amount of free research available. Cost: $0.

2.   Write a statement of your company’s commitment to law and doing the right thing. Sit at your laptop, write it, and then circulate it to others in your company for their comments. Then revise it in response to useful suggestions, and then post it on your website, if you have one. If not, email it to all your people. Cost: $0.

3.   Set up a file on your computer. Label it “[your company’s] compliance and ethics program.” Put in there everything that shows you have a program. Cost: $0

4.   Write a code of conduct for your business. You can access plenty of them via the Internet. Copyright law requires that you get another company’s permission if you want to copy their exact language, but no permission is required if you just copy ideas. In the compliance and ethics field people are generally willing to share what they have done, so you may not have difficulty getting permission to copy language on specific points you want to use. You can provide copies of your code to employees electronically for no cost. If you want to make hard copies there is a cost. If you have a 20-page code, printing 100 copies would cost you $31.20 for paper and copying.

      Be careful with your code; as with other program documents, if you are very careful you can do this safely. But you might want to pay a lawyer to review it when you are done. There are risks if you write the wrong things. For example, you want to be sure the code will not be interpreted as an employment contract. Also, if you have unionized employees, check with your lawyer about whether and how your code can apply to them. But one caution in dealing with lawyers. If the lawyer says he/she has to research this, get another lawyer. Only use a lawyer who already knows what a code of conduct is and does not expect you to pay for his/her education. 

5.   It is smart to start a program with a board of directors (or equivalent) resolution. If you have an in-house lawyer, you can get this for free. If you do not, you can work from other resolutions you already have, by declaring that the company is committed to complying with law, and hereby resolves to institute a formal program to assure compliance with laws and ethical business practices. In the same resolution, elect your chief ethics and compliance officer (“CECO”—a term we will use throughout). Another source for form resolutions would be major companies. Cost: $0.

6.   Consider going beyond mere legal compliance, and setting a policy to conduct business ethically, with integrity, applying best practices, etc. Explain why this is good for the business. Cost: $0.

7.   Procedures, or “controls,” are also important to be sure everything is legal and ethical. For significant expenditures make sure there are always two signatures required. This helps prevent both fraud and illegal conduct. Cost: $0.

8.   Another control is to require that everyone take at least an occasional vacation where they stay away from the office. In fact, depending on where you are, the law may require that you give people time off (so there is no real cost to this). But fraud investigators will tell you it is difficult for a corrupt employee to keep fraud or other illegal conduct hidden unless the perpetrator is there all the time. So make sure everyone, especially long-term, trusted employees, takes time completely away from the office. Cost: $0.

9.   No matter who else is responsible for managing your books and money, you need occasionally to check things yourself, unannounced, when no one else is present. This is also a form of control, and another key preventive step against embezzlement and other illegal conduct. Cost: $0.

C. The compliance and ethics program should be managed by a senior compliance and ethics officer with oversight and strong support at the very top.

1.   Designate a senior manager you trust and whom employees respect as the CECO. For most small and medium businesses this is necessarily just one of the person’s responsibilities, but it should be built into the person’s position description. Cost: $0.

2.   If you have a board of directors that meets, have the CECO make regular reports about the program. Also have the CECO report at senior management meetings. Keep minutes of this. Cost: $0.

3.   Download SCCE’s Code of Professional Ethics for Compliance and Ethics Professionals for free from www.corporatecompliance.org/code, and have your company agree that it will apply for your CECO. Cost: $0.

4.   Have your CECO give a training presentation to the board or whoever is the highest authority in your company explaining what a compliance and ethics program is, and discussing the legal and ethical risks facing the company. Cost: $0.

5.   If your board has outside directors, recruit a CECO from another company to be on your board. This will give the board very useful compliance and ethics expertise. This person would just replace another board member, so if you pay board members there is no added cost. Cost: $0.

6.   At your next meeting of senior managers, talk with them about the program. Ask them to report at the next meeting about what they have done to promote the program in their shops. Tell them you are serious. Have someone take careful notes of this and save them in the compliance and ethics program file. Cost: $0.

7.   If you have multiple locations, have someone at each location with compliance and ethics responsibility and require progress reports to the CECO. Cost: $0.

8.   Make sure your CECO and those who do compliance and ethics work have real clout. Give them priority access to the board and the CEO. Commend them publicly. Cost: $0.

9.   For your biggest, most dangerous risks, you may also want to designate one manager as the point person on each of those risks, but working with the CECO. This helps ensure each hot topic gets covered. Cost: $0.

10. Look for every opportunity you can find to show your personal commitment to the compliance and ethics program. Words are OK, but actions are far better. For example, you should be the first to sign up and show up for any compliance and ethics training. Cost: $0. 

11. You should personally have a copy of the company’s code of conduct on your desk, open and used. Cost: $0. 

D. Use care in promotions and in hiring people for responsible positions. Do not put people you have reason to believe would break the law in positions where they can do so.

1.   Check references before you hire someone. If the person has a questionable past, document why you think he or she will be acceptable despite that record, and also follow the CECO’s advice on this. Be careful that you do not use this checking as an excuse for discriminating against protected groups. For example, arrest records should be off limits. In some jurisdictions you may be limited or barred from asking about prior convictions. Cost: $0.

2.   If you do business with the government, check online for a list of those who have been debarred. Check your employment candidates and third parties you might use against that list. Cost: $0.

3.   Check with your CECO before you promote anyone. Cost: $0.

4.   Do an Internet search of those you are hiring into management and sensitive positions. Document that you did this. Cost: $0.

5.   Do not give complete, unfettered authority to local or business unit chieftains. Unchecked local power is a prime source of business misconduct. Remember the expression, “trust, but verify.” Cost: $0.

E. Systems to address the risk of dealing with third parties.

1.   Do web searches before retaining agents, consultants and other business partners. Check with others who may be familiar with them. Know who you are doing business with. (It will only cost you if you do not do this.) Cost: $0.

2.   Email copies of your code of conduct to third parties you do business with. Cost: $0. 

3.   Include in contracts with third parties that you expect them to obey the law and act ethically in their dealings with and for you. You can probably get useful language for this on the Internet, from contracts with larger companies that your company has had to sign, or otherwise from peer companies. Cost: $0. 

4.   Send an email message to your suppliers and third parties acting for you, informing them of your gifts/conflicts policy and commitment to doing things right, and also including information on how to contact your CECO or other compliance and ethics reporting system. Cost: $0.

5.   Require contractors or agents working for you who are in a position to get your company in trouble to have compliance and ethics programs themselves. (If you are a U.S. government contractor doing a certain level of business with the government you may be required to do this.) Offer to let them look at what you have done. Cost: $0.

6.   Require in contracts with third parties that they report to you any instances of illegal or unethical conduct that may occur in any work they perform for your company. Cost: $0.

7.   When doing business with third parties in other countries, check with the embassy in those countries about those parties. You can do this while you are there prospecting for business. Cost: $30 for a taxi or Uber ride. 

8.   You can talk with peers and at least do Google checks of potential business partners. Cost: $0.

F. One of the most obvious steps, but one often poorly done, is to communicate your code standards and the requirements of the law to those who work for you.

1.   Start by focusing on your code of conduct. Refer to it often. Make it available. Cost: $0.

2.   Have your trade association or local business association get lawyers or government spokespersons to talk about compliance in different areas of the law. If you do this right, you can get basic training for your key employees as part of the membership dues you are already paying. Make sure your employees take notes and sign in, so there is a record they were trained. Cost: $0.

3.   Ask for permission to record the association’s compliance training session. Use your own smartphone camera to record the presentation. This will give you a tool to train employees who could not attend. Keep the video and the sign-in sheets with your compliance and ethics program records. Cost: $0.

4.   At staff meetings and other company get-togethers, discuss a compliance and ethics topic that covers a risk area. Even these types of informal events count. Cost: $0. 

5.   For any compliance training you have be sure your employees sign in, so you have a record. You could do this through your computer system to save the cost of paper. Cost: $0.

6.   Government agencies often make guides available online for free. In the U.S. these include the EEOC (e.g., for the Americans with Disabilities Act), the FTC (e.g., mail order sales rules), and the Department of Justice (e.g., Foreign Corrupt Practices Act, www.justice.gov/criminal-fraud/fcpa-guidance ). You can email these to appropriate employees. Cost: $0. 

7.   Look at your other training. If you already are training employees in areas of your business, add in the relevant compliance training. For example, whoever does your sales training should also tell your employees the basics about price fixing. If your people are trained on telemarketing, include the FTC guidelines in the training. If you use an outside trainer, push them to include this in the training. If you do the training yourself, you can start with the government materials. Cost: $0.

8.   Get your trade association to develop compliance training materials. If the association is big enough, there may be no cost to you. If there is a cost, it will be much less than doing this alone. Cost: $0.

9.   Posters and notices: some of these are already required and provided by the government. You can do your own poster or notice for your compliance and ethics program. You can start by typing your company’s name; the name, email and phone number of your CECO; and a statement that it is your policy to obey the law and to do business with integrity. Be sure to state that you will not retaliate against anyone who raises compliance and ethics issues in good faith. You could add different policy and compliance messages from time to time. These messages could come from free government materials, or from the compliance speakers at your trade association. Many lawyers also send out free client newsletters that can easily be used for this purpose. Cost: $0. 

10. If you have a company newsletter, add in an ethics and compliance column. (Caution: If you copy other publications’ articles, get permission first.) Cost: $0.

11. On your website, you can add in materials about the rules of the game, and/or provide links to resources explaining the laws. For example, there can be links to government-issued guides. Your code of conduct should certainly be there, including your own personal statement about being committed to following the law and doing the right thing. Cost: $0. 

12. If you read any business press you will likely find stories of other companies getting in trouble, and of government enforcement efforts. Use these as learning opportunities, and send emails to employees summarizing the message of relevant cases. Cost: $0. 

13. You can find in your local library, or have the librarian obtain by interlibrary loan, books and guides that explain each key risk area in layman’s terms. These may also list other training and communications resources available. You can also get much of this same information online. Cost: $0. 

G. An effective compliance and ethics program must be more than just paper and preaching. You need to have methods to check to know whether violations are happening and whether the program is working.

1.   Get information personally about what is going on in your company. This is something any smart manager should do anyway. Walk around and talk with your people; ride along with a sales person; visit a work crew. Cost: $0. (In fact, you are likely to lose money if you are not already doing this.)

2.   When you walk around and ask questions, include a compliance and ethics checklist, e.g., Any sexually offensive pictures? Any loose wires people could trip over? Any mysterious black oily fluids sitting around in cans? This is part of a compliance and ethics audit covering sexual harassment, workplace safety, and environmental compliance. As with everything else you do, document it and follow up on any problems. The mere fact that you do this will also send an important and memorable message to all employees. Cost: $0.

3.   If you already have accountants and/or auditors, insist that they get training or background in compliance and ethics areas. Give them the website for SCCE. Tell them to look for compliance and ethics trouble in any work they do for you. Again, document that you told them to do this. (Don’t even think of paying any outside professional to obtain this professional background—they should already have it.) Cost: $0.

4.   If you have an in-house lawyer, include compliance and ethics reviews in his or her job description. Make sure he or she knows or learns the compliance and ethics area. Cost: $0.

5.   When someone leaves the company, have your CECO interview the person to ask if there were any compliance and ethics concerns the person saw and did not report. If there are, be sure you follow up on them. Cost: $0.

6.   If you have employees scattered at different locations you could conduct a simple survey of their opinions about the company’s commitment to compliance and ethics and whether they see any issues. You could do this by email, although employees may prefer an anonymous response system. If so, you can give them the option to print out the questions and mail in the responses anonymously. Cost: $0.

7.   Give employees, agents, and others your business deals with a way to report concerns and get advice. Some companies claim to have an “open door policy.” This is one cost-free method we do not recommend, because it is often ineffective. On the other hand, an anonymous suggestion/concerns box can serve this purpose. Cost: $0 – use a free cardboard one. Just be sure to check it, and then respond.

8.   It is best, though, if people can report concerns anonymously and also easily seek advice. You can give out your CECO’s number. Let people report anonymously, including by postal mail. Cost: $0.

9.   If you have an internal website you can also arrange to receive concerns and questions through the website. Cost: $0.

10. You may be able to talk your outside lawyer into making his or her number available. He or she may do this on the theory that if something comes up, you will hire him or her to handle it. Be sure your lawyer knows how to handle such calls (there are serious ethical issues lurking). Again, give him or her the web address for SCCE, but remember to make clear that you will not pay any professional’s cost of getting up to speed in the compliance and ethics area; this is professional background they should already have. Cost: $0 (but costs can occur if the lawyer gets significant calls). 

11. Publicize whatever reporting system you set up. Include the number in your code, on your website, any bulletin boards you may have, on any posters you use, in a company directory, or anywhere else in the company you have phone numbers. Cost: $0.

12. Having a reporting system is one of the most sensitive parts of your compliance and ethics program. Be sure you follow up on all reports, give feedback on reports, and protect those reporting from retaliation. This is one area where it is best to call in counsel at the first sign of trouble. Cost of follow-up and feedback on non-sensitive matters: $0. 

13. For those who report misconduct, have the CECO check on the person’s status from time to time to prevent retaliation. If you have human resources people, be sure they can recognize retaliation and bring it to the CECO’s attention. Cost: $0.

14. Programs need to be evaluated on an ongoing basis. One way to handle this is to use peer reviews. Working with companies that are similar in size and risks, have teams of the companies’ compliance and ethics officers review each other’s programs and provide input. Each company helps evaluate the others and all gain from seeing others’ best practices. Cost: $0.

H. You have to be serious about your compliance and ethics standards, and that means discipline for violators. Discipline must be consistent, and include those who should have, but did not, detect the violations.

1.   When people break the rules, you have to be tough on them. It is good business. Cost: $0.

2.   If managers or employees avoid the compliance and ethics training, use discipline to make the point that this is mandatory. No training means no bonus, no promotion, and none of whatever else counts in your company. Cost: $0.

3.   Write up a set of guides for discipline. One basic standard: the higher a manager is, the tougher the standards and the harder the penalties. Include as a basis for discipline managers’ failure to take steps to prevent and detect misconduct. You may be able to get disciplinary guides from other companies. Cost: $0.

4.   Have your CECO sign off on discipline cases. Cost: $0.

I.   One of the clearest tests of a program’s effectiveness is whether a company’s system of incentives, objectives and appraisals supports or undercuts the compliance and ethics program.

1.   Make the compliance and ethics program part of how you incent and measure people. If you don’t do this, employees may not take your commitment seriously. SCCE has an entire pamphlet on this topic available on its website for free: Murphy, “Using Incentives in Your Compliance and Ethics Program” (SCCE; November 2011), https://assets.hcca-info.org/Portals/0/PDFs/Resources/library/814_0_IncentivesCEProgram-Murphy.pdf. Cost: $0.

2.   Making compliance and ethics part of the appraisal system is one of the most cost-effective compliance techniques. If you have an appraisal form, just have this element added in. Cost: $0.

3.   When you evaluate your direct reports, ask each one what he or she did to advance compliance and ethics in his or her unit. Write that into the evaluation. Set compliance and ethics objectives for next year. Examples of how to do this can be found in the SCCE white paper. Cost: $0.

4.   When someone shows leadership in compliance and ethics, have your CECO write that person a commendation letter. This can be done for things as simple as being the first person to complete particular compliance and ethics training. This recognition sends a signal that doing the right thing really matters and is noticed. Cost: $0.

5.   If you provide employee parking, reserve the best parking space for whoever shows compliance and ethics leadership. Cost: $0. 

J.  If you detect weaknesses in your compliance and ethics program, or if violations occur, you need to respond appropriately.

1.   If you find a problem, you have to fix it. Set up a process you will follow in case this happens. For example, you can write on an emergency sheet your lawyer’s home number and the home numbers of the key people who you would need to be involved in a crisis. Share this with your CECO and other key leaders in the company. Cost: $0.

2.   Have presentations at your trade association/chamber of commerce by law firms and other experts on how to conduct internal investigations, and send anyone in your company who would conduct such investigations. Cost: $0. 

3.   Where your audits and reviews show weaknesses in your compliance and ethics program, fix them. For example, if employees do not know that they have to fill out a certain EPA form, make sure they learn. Cost: $0.

4.   Discuss compliance and ethics failures at your senior management meetings, and discuss how to prevent them from recurring. Follow up to be sure fixes are made, and document this process. Cost: $0.

5.   Have an experienced lawyer available who is familiar with you and your business, and who has also had at least some basic training on compliance and ethics. You may be able to establish this relationship without a retainer, with the understanding that if a problem comes up, you will call that lawyer. Cost: $0.

6.   If a problem comes up you need to have it investigated. This is where your lawyer comes in—in-house if you have one, otherwise your outside lawyer. And if it’s a potentially serious legal matter, it’s better to use outside counsel. Cost to be prepared: $0. 

K. In addition to the list of minimum steps, the Sentencing Guidelines say a program should be at least up to “industry practice.”

1.   Discuss with your trade group or local business association what other companies do to prevent violations. Document this. If there are any good ideas, use them. If the ideas are not for you, just jot down why what you do is enough. Cost: $0.

2.   The SCCE social network gives you an online, no-cost way to network, ask questions and follow developments in the compliance and ethics field: www.corporatecompliance.org/sccenet. Keep a record of doing this. Cost: $0.

3.   You can go online anytime and research what other companies are doing in their compliance and ethics programs. LinkedIn also provides a useful forum for this. Where you see a good idea that might work for you, use it. Cost: $0.

4.   You can form your own compliance and ethics practices group in your own community. These are forums where businesses either in the same industry or in the same geographic area meet and exchange ideas, resources, and experiences. You can meet at each other’s facilities on a reciprocal basis, so there need not be any cost. (You might even find some new customers through doing this.) Cost: $0.

Optional Spending 

This list of inexpensive or free steps is offered to show that compliance and ethics is not about spending money, but about management’s commitment. You could, if you are willing to do the work, have a credible program on this basis. However, the fact that you can do it so cheaply does not mean this is the best or most efficient way to proceed. So we offer here additional ideas and resources for your program. A small business does not have to spend on the scale of a large one, but it should be willing to spend sufficient amounts to have an impact. Also, keep in mind that it is not necessary for your business to face even these modest expenses alone. You may find that pooling resources with comparable businesses makes sense. Thus, a particular book might be very helpful, but you can easily share it with peers and split the cost. In a group of companies, one might choose to have its CECO join SCCE but then share the experience with the others. 

1.   Murphy, 501 Ideas for Your Compliance and Ethics Program (SCCE; 2008). This is a book written by the author that contains many ideas on elements of a compliance and ethics program. $55 for SCCE members; $70 for non-members. 

2.   SCCE individual membership, at $325 per year. This gives you even greater access to SCCE’s resources, and discounts on purchases from SCCE (www.corporatecompliance.org). Membership can even be a positive and productive method for networking with potential, blue-chip customers. We list SCCE membership as optional, but by our count of expenses listed above a company could pay for an SCCE membership and still be within the dollar-a-day cost calculation. 

3.   Program reviews. You can pay an outside expert to review your program and provide advice. Be sure you get someone who knows the compliance and ethics field, and negotiate a set price. 

4.   Helplines. If you want to take a more cautious approach than having an in-house system, it costs more but there are contractors who will field calls for you. This is particularly useful if you have employees in widespread locations and especially outside your home country. 

Can Your Program Be Serious If You Don’t Spend Much Money?

There are those who may be skeptical about the ability to have an effective compliance and ethics program without throwing large amounts of resources at the task. But, in fact, it is good, smart management methods that are the keys to compliance and ethics. Signals from the top—what top management actually does in tough situations—mean more than slick productions. The fact that the top boss personally asks subordinates about compliance and ethics sends a powerful message.

You can look at the list and realize that this is not about money; however, the length of the list may lead you to ask an entirely different question—where will you get the time? First, remember that you need to have one senior person take on the role of Chief Ethics and Compliance Officer; typically in small and medium sized businesses this will be only part time. But the function needs to be a core part of that person’s job. As for timing, you will notice that the list has eleven topics. We all have our own ways of approaching tasks, so if you are committed to the task you can devise your own plan for tackling this. One simple approach is to tackle one per month, until you feel the project is successfully launched. Another, if your senior staff is large enough, might be to assign ownership of one or two topics to different managers in your business and then hold them accountable for achieving results. Whatever method you have used successfully to get other projects done in your business, apply those same approaches to this task. 

Can large, billion-dollar-plus companies get by on a dollar a day? No, for larger companies more can fairly be expected, because with their greater position in the marketplace comes greater responsibilities. For example, a large company could readily be expected to have one dedicated senior officer as the CECO. But the point still remains, that the most important factor for any company is not simply resources, but commitment. It is true that in larger companies the provision of necessary resources will certainly be one sign of commitment. But resources without that high level commitment will not be effective. However, if senior management commitment to doing the right thing is there, then there will always be a way to get the job done. 

You should also recognize that there are risks, and there may be times when you need good legal advice. If there appears to be a violation of law, the risks can be severe. Of course, this is even more so without a program; the program does not create the violations, and the cost of responding to trouble is not a cost of the program. You also need to use care in what you write. Attorneys can operate on a confidential basis using attorney-client privilege; you probably cannot protect what you write on your own. Unfortunately, even good intentions can get you in trouble. For example, charges of defamation, wrongful discharge, invasion of privacy and the like can arise from mishandled investigations. If there are signs of trouble, get outside legal help immediately. 

Can a small business conduct a compliance and ethics program on a dollar a day or less? Yes, the costs of a compliance and ethics program can be minimal if the commitment is there. There is really no excuse for any business to ignore the law and the importance of ethical conduct. A compliance and ethics program is not expensive for small and medium sized businesses. But the costs of violations can be backbreaking for your business, especially if you have no program and if warning signs of trouble are ignored or mishandled.

Joe Murphy is Director of Public Policy, Society of Corporate Compliance and Ethics, and author of 501 Ideas for Your Compliance and Ethics Program (SCCE; 2008). He can be reached at [email protected]; 856-278-1664. Joe has a financial interest in the book 501 Ideas for Your Compliance and Ethics Program, listed under “Optional Spending”. 

Joe was co-founder of Integrity Interactive starting with four employees, is a member of Rotary, runs his own small business, and was on the board of the business association in Haddonfield, NJ, where “mom and pop” businesses are literally run by moms and pops (and other family members).

Joe Murphy, CCEP

Editor, Compliance and Ethics: Ideas & Answers

3 years ago

Hi, Colleagues – In 2010 I published through SCCE a paper called “A Compliance & Ethics Program on a Dollar a Day.” It was written to make the point that even small companies could have a compliance program, as long as they wanted to make the commitment. I am updating it now, and am interested in any additional ideas. I am looking for things that can be done without spending money, including online resources. I have included here the current version that I have started updating. Comments and new resources are welcome.
