July 17, 2015

Reduction of Risk Through Corporate Compliance Programs

A tailored corporate compliance and ethics program which is actually implemented can prevent and reduce risks in several ways as well as promote a culture of compliance. If the compliance program is effectively prepared and implemented, it should provide management with timely information about potential legal problems and a procedure to promptly deal with problems.  If a company is investigated for a potential violation of law, having a well-tailored compliance program in place may significantly reduce any penalty imposed and in some cases avoid the imposition of a penalty at all.  In addition, the existence and implementation of a compliance program may reduce or avoid civil liability in some situations.

The compliance program needs to fit the company – “one-size-fits-all” plans are typically not as effective, or effective at all, in preventing or reducing risks. However, effective compliance programs will likely have similar core structures which are derived from the “Organizational Sentencing Guidelines,” which is a set of advisory sentencing benchmarks developed by the U.S. Sentencing Commission.  These guidelines set forth seven elements necessary for an effective compliance plan:

  1. Standards and Procedures – Establish and implement standards and procedures to prevent and detect illegal conduct.
  2. Oversight – Give one or more individuals who are part of senior management overall responsibility for compliance and delegate day-to-day responsibility for the program to others. Provide adequate resources and authority as well as direct access to the board of directors or other governing body of the company.
  3. Due Diligence – Use “reasonable efforts” not to give those persons who have engaged in illegal activity or conduct inconsistent with the compliance program a role in senior management or supervisory authority.
  4. Communication and Training – Implement the program and train employees.
  5. Audit and Reporting – Monitor and periodically audit compliance programs to evaluate effectiveness. Provide employees with a procedure to anonymously or confidentially report potential misconduct or seek guidance that protects such individuals from retaliation; follow up on reports.
  6. Incentives and Disciplines – Include in the program appropriate incentives for compliance and appropriate discipline for failure to comply.
  7. Corrective Action – In the event of misconduct, address the misconduct which may include self-reporting to authorities and take appropriate steps to prevent such misconduct in the future. Provide regular reports on audit results and status of corrective actions to the governing body of the company.

All plans must be periodically reassessed and modified to be kept current.

Areas of Review

Set out below are areas which a company may wish to monitor and provide programs or procedures or develop new ones to minimize risks.

  1. Accounting Practices/Policies. Review and update accounting policies and procedures such as those related to recording transactions, cash receipts, electronic commerce, etc. Is there a procedure to track and deal with unclaimed property in accordance with applicable law? States typically have reporting and escheat requirements relating to unclaimed property.
  2. Anti-Corruption/Anti-Bribery. Have appropriate policies, procedures and training programs in place related to soliciting or accepting kickbacks as well as giving or offering anything of value, directly or indirectly, to a public or private party to obtain a restricted benefit – especially in connection with doing business outside of the U.S. in countries such as China and Mexico. An example of a law which may apply is the Foreign Corrupt Practices Act.
  3. Anti-Trust. Review and implement policies and procedures to avoid violating anti-trust laws such as price sharing or predatory pricing.
  4. Benefits. Review employee benefit programs for current compliance and have appropriate policies and disclosure programs in place including procedures to ensure timely COBRA compliance.
  5. Conflicts of Interest/Gifts and Entertainment. Provide policies relating to situations in which an employee’s personal interests compete with his or her duty to the company, including relating to outside business ventures and receipt of gifts from customers.
  6. Contracting Procedures. Provide policies and training relating to company contracts, such as e-sign policies, click-thru terms procedures and signing authority limits, to avoid the making of inadvertent deals or contracts or prevent the making of contracts not approved in advance by the appropriate persons. E-mail strings or accepting click-thru terms can create unintended binding agreements.
  7. Environmental. Review presence of hazardous substances in procedures and products and storage, transportation and disposal of such substances or products. Track the use of conflict materials – tantalum, tin, gold or tungsten.
  8. Government Contracting. Review compliance with laws and regulations relating to contracts with governmental bodies, if any.
  9. Health and Safety Laws. Review compliance with workplace procedures under applicable health and safety laws relating to a safe work environment such as use of personal protective equipment and access to hazardous substances.
  10. Information Technology. Have in place a disaster recovery plan to keep business systems running. Review procedures for acquisition/license and current status of licenses, including for example number of licenses and actual number of devices or users accessing it. “Software audits” are becoming more common and the new tack is to try to require licenses for users that do not access a program directly but through a program that interfaces with it to access data; for example, a sales program that accesses data from the enterprise software – requiring users of the sales program (which could be independent contractors without access to the enterprise system) to be licensed users of the enterprise system.
  11. Insurance. Review current insurance policies for coverage and exclusions. Is there sufficient product liability coverage for the company as a supplier? Is there cyber security coverage for loss of personal or other information or credit card information?
  12. Intellectual Property. Review protections and procedures relating to confidential information and trade secrets. Do the appropriate employees have contracts relating to protection of proprietary information? Is there coverage in the employee handbook? Have the provisions been updated to comply with the Defend Trade Secrets Act passed in the summer of 2016 requiring whistleblower exclusions from nondisclosure provisions? Are the company’s trademarks properly protected? Is there a program in place to monitor the internet and other sources for infringing use? Are the desired domain names protected?
  13. International Trade and Assets. Do imports and exports comply with laws such as export control laws and customs? Does the company have any overseas bank accounts, entities or properties that may be subject to special reporting or other requirements?
  14. Labor and Employment Laws. Is the company in compliance with laws that govern employment relationships such as discrimination laws, wage and hour law and anti-retaliation laws? Does the employee handbook comply? Is a procedure in place to monitor immigration status if applicable? Are any noncompetition or non-solicitation provisions in employment agreements or elsewhere as effective as allowed under applicable state laws?
  15. Political Activity/Lobbying. Does the company have in place adequate policies and rules relating to lobbying and other political activities such as political contributions and the provision of gifts or entertainment to public officials?
  16. Data Privacy. All companies have protected information to some extent such as employee personal information, protected health information, customer information and credit card information. Does the company collect only necessary information, have security and protections in place, and properly dispose of information? Does the privacy policy match the actual practice with respect to use of information? Is there a plan in place in the event of a data breach? Does the company receive or collect personal information relating to any individuals who reside outside of the US or is any data stored there and transferred to the US?
  17. Product Safety and Warranties. Is there a procedure for notice of safety issues and recall of products? Are there procedures in place to implement and monitor any warranty programs?
  18. Real Property/Equipment. Is there a procedure for review of compliance with real property and any equipment leases? Is there a plan to fulfill future space needs?
  19. Record Management/Retention. Is there a policy in place and implemented relating to the creation, storage, maintenance and security of hard copy and electronic documentation consistent with laws?
  20. Taxes. Review federal and state tax laws in states in which the company has a presence, to determine if any shift in assets can reduce taxes. In the event of planned expansion of existing locations or addition of new locations, review applicable laws and available incentives, such as those that may relate to hiring new or certain types of employees, capital expenditures or opening new facilities.