Building a Strong Compliance Department

Sterling Miller
If you work as an in-house lawyer at a large, mature company, odds are good that the company has a well-functioning compliance department. But, if your company is small or not very mature, there is a good chance that this isn't the case. In-house lawyers constantly look for ways to avoid or lessen risk that can damage the company. While it doesn't always get the love it deserves, a robust compliance function is an important part of risk-reduction at companies of any size. As such, in-house lawyers should get behind the creation of a compliance group if there isn't one or enhancing the existing one, whether it sits in the legal department or not. A strong compliance department moves the company from reactive to proactive in detecting and preventing wrongdoing. Besides avoiding trouble, this can lead to substantially reduced fines with regulators who, as a first step, usually zero in on whether the company has a robust compliance program or not. The compliance department also helps establish the right ethical tone at the company, a tone that makes it easier for employees to make the right choices. While many executives don't see the value of the compliance function ' despite the many proven benefits ' the in-house lawyers do. But, they frequently don't know what to do next. This edition of 'Ten Things' walks through the basics of setting up or enhancing a compliance department:

1. Start at the top.

The single most important need of any compliance department is obtaining buy-in from the C-Suite, along with the Board of Directors. Both should be especially supportive of setting up/strengthening this function as regulators are focusing on enforcement against executives individually, as well as the company generally. The senior management of the company is an important part of the program, primarily through their support, their actions (walking-the-walk), and by regularly communicating the importance of compliance to employees at every opportunity, e.g., town halls, staff meetings, large employee conferences, email, intranet, video, and whatever other means the company uses to communicate with employees. Support from the upper levels is what regulators expect to see. For example, under the US Sentencing Guidelines, credit is given to companies that can show, among other things, the following:
  • Strong, explicit and visible support for the company's compliance program from the executive team and the Board of Directors
  • That the compliance program has sufficient stature and support within the company
  • The right culture is fostered at all levels, but especially at the top
  • Emphasis on the role compliance plays and the value it brings to the company
  • Regular communication of the company's standards and procedures

2. Compliance Audit.

Compliance programs are not 'one size fits all' ' they must be customized to the needs and challenges faced by each company. This is why some companies may have a relatively simple program, while others more complex programs. If you try to shoehorn someone else's program onto your company you're not going to do yourself any favors and you're unlikely to get any benefits under the Sentencing Guidelines, which require that companies tailor compliance programs to their specific needs. This means a thoughtful review of the different compliance risks faced by your company. Ideally, this audit is performed by an independent third-party, but not every company has the budget for that. If not, you can start with using your own internal resources to scope out the relevant issues. Here are just a handful of compliance risks companies can face:
  • Anti-bribery laws
  • Antitrust and competition laws
  • Securities laws
  • Environmental regulations
  • Sexual harassment issues
  • Cyber-risk
  • Trade secret theft
  • Government contracting compliance
  • Trade sanctions
  • Export compliance
  • Sexual harassment
  • Internal theft
And the list can go on and on, depending on the type of business you operate and its geographic location(s). To conduct a useful audit, you must interview employees from across the different lines of business and staff groups. As you begin to collect information about compliance risks, create a work plan setting out the different risks, different objectives regarding each identified risk, along with timelines/deadlines to complete the objectives. It can seem very daunting if you're starting from scratch, especially if you're conducting this audit on your own. If so, don't try to identify everything right away. Start with your company's five biggest compliance risks and address those first. You can embellish the program later after the most immediate issues are dealt with. Once your compliance department is established, periodic third-party audits of the function and its effectiveness can be very helpful and valuable. They can also provide benchmarking data which is helpful when seeking budget, implementing new policies, or responding to C-Suite or Board questions around 'how are we doing?'

3. Appoint a Compliance Officer.

Someone needs to be responsible for the compliance function, so it's important to appoint a compliance officer. Often, it's the general counsel but it doesn't need to be. In fact, there is a growing debate about whether the legal department should run compliance or not. I was the compliance officer along with being the General Counsel and I cannot think of a single situation where there was a conflict between my ' or the department's ' duties. We just did what was right and needed to be done. Regardless of where it sits, the compliance function should have a direct line into the CEO and the Board of Directors, typically to the audit committee. There should be nothing preventing the compliance officer reporting issues to the highest authority in the company. Additionally, it is crucial that the compliance officer has the staff and resources to do the job properly. It doesn't need to be an empire, but it needs to be appropriate given the size of the company and the range of compliance risks presented. Nothing fails faster or looks worse to a regulator than an under-staffed, under-funded compliance department. It looks like you're going through the motions vs. being serious about compliance.

4. Code of Conduct.

The most important document for a compliance function is the employee code of conduct (sometimes called a business ethics policy). This is the document where the company sets out its expectations for all employees (legal, regulatory, ethical, etc.) along with the behaviors and practices it will not tolerate. Your company may already have a code of conduct/business ethics policy. Yet, if there is no compliance department focusing on it, the policy is probably overdue for a serious overhaul and should be Number 1 on your 'to do' list this year. Click here for 18 examples of great codes of conduct. Likewise, a compliance department needs policies and procedures, including its process for conducting internal investigations and how it will report out results. Preparing a core set of these is Number 2 on your 'to do' list. While aimed at healthcare companies, the Holland Hart law firm offers a useful (and free) sample compliance program that's worth looking at if you need a place to start. Finally, the code of conduct and other policies need to be easily available to employees. A prominent place on the home page of the company's intranet and regular reminders of where to find the code and policies (with live hyperlinks). One of the most innovative ways to make policies and procedures available to employees is Ford Motors 'Right Way' app, which is available to download on every employee's smartphone and provides 24/7 access to the Ford Motors code of conduct and answers to common compliance questions.

5. Coordinate Internal Teams.

A common misperception is that the compliance department is responsible for all compliance. In my experience, that is not correct. As you probably know, many different groups within the company are responsible for various aspects of 'compliance.' For example, HR is responsible for sexual harassment claims, Legal handles antitrust and import/export, IT security handles data privacy and security training, Internal Audit deals with employee theft, and so on. The compliance function handles certain aspects of compliance directly but often acts as the quarterback of the company's compliance efforts. In this role, job one is determining whether all areas of company risk are sufficiently covered and, if not, how to incorporate any material outliers into the overall compliance program and determine which group is responsible. Job two is establishing regular meetings of the different groups responsible for compliance to ensure coordination between them, along with sharing best practices, common issues, and so forth. One important task for the compliance officer is creating the right matrix to ensure that different compliance issues are routed to the right group and that there is no duplication of effort, or worse, groups operating at cross purposes. Finally, the compliance officer must ensure a reporting process into the C-Suite and the Board, so that they are aware of any material issues before any become a public headline. The Board will likely want regular reporting of what compliance issues came in and how the team dealt with them, including the final resolution. Reporting to the Board is the perfect time to utilize benchmarks so they can see how the company compares with others in terms of metrics like the number of hotline complaints, type of complaint, etc.

6. International Locations.

One common mistake made by many companies when it comes to compliance issues is forgetting about their foreign locations. First, if you have foreign locations you should strongly consider translating your code of conduct, training, and other materials into the primary language of those locations (if not the same as headquarters). It is difficult to convince a regulator that you have an effective in-country compliance program if that program is available only in one language ' and it's not the native language of those employees. Second, get input from your foreign offices about how effective the policies and training are, and if there are any local compliance issues that are not properly covered by the main policies and procedures ' if at all. Don't assume the only compliance risks are those you can identify at headquarters. Third, find ways to underscore the importance of compliance at remote offices. It may require you to travel or incorporate a visit or meeting if you are headed that way. Don't miss out on any opportunity to appear live in front of employees. Finally, be sensitive to cultural differences when it comes to compliance. For example, in some cultures whistleblowers are viewed poorly so relying on them to come forward presents challenges. Likewise, in Europe, many countries do not permit the use of anonymous 'hotlines' and must factor that into your program as well.

7. Training.

Having a code of conduct (and other policies) is great, but everyone knows it's useless unless you train all the employees on the code (including executives and, if possible, the Board). Consequently, a robust training program is a must. Most training today is done online (but look for chances to conduct live training). Online is fine so long as the training is tailored to your company's specific needs and risks, and it is refreshed regularly (so employees aren't watching the same guy agree with his competitor to share pricing information for the sixth year in a row). Where possible, make training fun. The gamification of compliance training is growing and is especially effective in terms of ensuring employees take the training and that they retain the information. The key with any training is keeping it simple. Complex legal concepts are generally lost on the employee base. Go for the big issues, in easy-to-understand language and examples. Save the law school exam level training for your legal team. When training your employees, ensure that there is an emphasis on the 'spirit' of the law as much as there is on the 'letter' of the law. Employees should understand that the company wants them to do the right thing and that compliance makes the company better, protects the brand, and keeps it from getting entangled in expensive and messy lawsuits or regulatory actions. One tough problem you might face is the group of employees who just won't get around to completing the training. Here's what's worked for me in the past:
  • Ensure all the senior leadership team has completed the training. This allows you to tell the recalcitrant employees that they cannot be busier than the C-Suite, which found time to complete the training.
  • Give the group a short, but reasonable amount of time to get the training completed, e.g., 10 business days. Inform them that failure to complete it by the deadline means their access to company systems will be suspended. This usually does the trick.
  • If they still fail to complete it by this deadline, give them one additional day along with a note that if they fail to complete it then, they will be ineligible for any discretionary bonus payment. This always does the trick.

8. Make reporting problems easy.

Crucial to any compliance program is ensuring that employees understand when they need to report something and how they can report it. The code of conduct should contain a section describing all the ways employees can raise issues, including a toll-free hotline, email to a monitored compliance email address, their manager, the general counsel, the head of HR, and so forth. Focus on making it as easy as you can for employees to raise issues. It may seem like you are setting yourself up for a lot of work, but it is far better to have employees raise issues than having those problems buried until it's too late. It is equally important that the company have and enforce a no retaliation policy and make sure every employee knows that there will be no such retaliation for raising a good-faith issue. Likewise, you need a general policy around ensuring appropriate confidentiality for both the person bringing the complaint and any employees implicated by the same.

9. Internal Investigations.

When a complaint comes in there should already be a pre-set process for how it will be investigated. It should be assigned to the right department, i.e., HR, Legal, Compliance, Internal Audit, outside counsel, etc., and procedures in place to guide how the investigation will proceed, the expected timeline, along with form interview and other reports so there is a consistent 'look and feel' to all the company's investigations. There should be a mechanism to report back to the person raising the issue (assuming they left you a means to get in touch) so they know the company took the complaint seriously and investigated it. Finally, there must be consistent punishment for any employee found in violation of the code of conduct, including executives. If there are different outcomes for different employees, there will be little faith in your process. Lack of faith in the compliance process is deadly. I have written on conducting internal investigations in this blog and you can read that post by clicking here.

10. Resources.

Here are some helpful resources for anyone interested in compliance issues and building or enhancing a compliance function:
Creating a strong compliance department is a tough job. But the alternative ' no or a weak compliance function ' is very risky. If you can get the support of top executives and the Board, including the appropriate amount of funding and people, you can build a viable compliance team in a relatively short time. The basic building blocks are straight forward: understand the compliance risk profile of the company, create the right policies and procedures, and ensure any complaints are properly investigated and dealt with. If your company is falling down in the area of compliance, now is the time to get the issue in front of the decision makers. A proactive legal department is a valuable legal department.
Related Insights
Sterling Miller
Sterling Miller is a three-time general counsel and author of the award-winning "Ten Things You Need to Know as In-House Counsel" blog series. From 2017-2018 Miller served as the general counsel and corporate secretary of Marketo, Inc. Prior to that, he was general counsel, corporate secretary and chief compliance officer for Sabre Corporation (NASDAQ: SABR) from 2008 to 2014 and general counsel for Travelocity.com from 2004 to 2008. He was in charge of litigation and regulatory affairs in the Sabre Corporation legal department from 1996 to 2004, and he worked in American Airlines' legal department from 1994 to 1996. Before moving in-house, Miller was an associate in the litigation section of Gallop, Johnson & Neuman in St. Louis from 1988 to 1994. He is currently senior counsel at the Dallas office of Hilgers Graben PLLC.