16 May 2022

How to Build a Mature Corporate Compliance Program

The U.S. Department of Justice (DOJ) relies on the Justice Manual to guide prosecutors through specific factors they should consider in conducting an investigation of a company, determining whether to bring charges, and negotiating pleas or other agreements. Among the key factors they are told to evaluate is “the adequacy and effectiveness of the corporation’s compliance program at the time of the offense as well as at the time of a charging decision” and the corporation’s efforts “to implement an adequate and effective corporate compliance program or to improve an existing one.”

“Beyond compliance structures, policies and procedures, it is important for a company to create and foster a culture of ethics and compliance with the law at all levels of the company,” according to the DOJ’s “Evaluation of Corporate Compliance Programs” memorandum.

This focus on creating a culture of compliance is central to how the DOJ evaluates corporate behavior and determines how to proceed with enforcement of any potential violations. But what exactly does that mean and how can it be achieved?

“Given the importance attached to a culture of compliance by the DOJ, it is clearly advisable from a prudential as well as an ethical standpoint . . . to focus on developing such a culture over time by taking the steps and devoting the resources necessary to establish and maintain an effective anti-corruption compliance program,” writes Howard Weisman, Of Counsel at Miller Canfield, in Law360®. “A good compliance culture develops over time through an ongoing effective compliance program.”

Of course, the starting point is to develop a program roadmap (e.g., see Creating a Compliance Program Checklist on the Lexis+® platform) and create a corporate compliance office somewhere in the org chart. The difficult part is building that compliance operation in the right way and fostering its maturity into an effective corporate function.

But there are some specific steps you can take to build a mature compliance program by focusing on the fundamentals. These tips are excerpted from a practice note created by Practical Guidance contributor Thad McBride, partner at Bass, Berry & Sims PLC.

Mr. McBride advises that all companies, regardless of size or industry, should adopt and maintain a formal document that lays out the control framework for the company’s compliance program as it evolves over time. The key components should include:

Leadership and Oversight

Lay out the compliance department’s governance and organizational structure. The areas covered should demonstrate the robustness of a mature compliance organization, including its independence, resources, role and responsibilities, and reporting lines.

Regulatory Management

Focus on two specific objectives: (1) How you identify new and changing laws, regulations and standards, including the process of communicating the obligations to the business lines; and (2) How your company interacts with regulators and coordinates regulatory examinations and inquiries.

Risk Assessment and Reporting

It is important to periodically assess your company’s overall compliance risks so that your executive team understands the impact and level of compliance risks across the organization. It also allows for a process of continual improvement whereby the program is amended and refined to reflect the company’s current risk profile.

Training and Communication

Training encourages employee compliance with—and furthers employee understanding of—the compliance program. It should be risk-based so it is relevant and should involve input from business line stakeholders. Develop and communicate these plans throughout the organization; effective training and communication are critical to building a sustainable culture of compliance.

Policies and Procedures

A mature compliance program needs to have controls in the form of policies and procedures that support compliance with all applicable legal obligations, business requirements and industry best practices. Each policy or procedure should include a specific lifecycle definition, form and content requirements, applicability to each area of the business and a clear reporting process.

Monitoring and Testing

Compliance monitoring consists of an independent ongoing review of data, reports and other activities to oversee adherence to regulatory obligations. Compliance testing is a point-in-time review of policies and procedures, controls or other data sources to assess the effectiveness of the compliance control environment. These twin activities should be dynamic, subject to revision due to risk profile changes resulting from strategic changes, regulatory developments, emerging risks, industry events or other evolving conditions.

Issue Management

Finally, a mature compliance program will establish proactive protocols for issue management and resolution. This includes communication to senior management when significant risks are identified, as well as mechanisms for review, reporting and remediation of compliance issues.

The central function of corporate compliance is to ensure that your company is staying in compliance with all relevant obligations. This not only protects the company from potential legal and reputational risks, but it is also essential to avoid costly financial penalties.

To help support the activities required to maintain a strong regulatory compliance framework, some organizations use Governance, Risk and Compliance (GRC) or Enterprise Risk Management (ERM) software. These platforms help businesses mitigate risk by defining, implementing and monitoring company-wide compliance strategies. The capabilities of GRC or ERM software can be augmented with LexisNexis® Regulatory Compliance.

LexisNexis Regulatory Compliance combines regulatory content with technology to empower you to take control of your compliance obligations. The tool delivers corporate compliance professionals their company’s obligations based on the current legislative framework in easy-to-apply business language drafted by leading attorney-authors. Alerts on what's changing and regularly updated content keep you and your compliance program current—saving you significant time and resources.

Request a free demo of LexisNexis Regulatory Compliance here.