A general compliance program to fit every company does not exist, although there are a few general principles that should be universally adopted. Instead, to reduce the possibility of improper conduct, each company must develop a set of ethical conduct standards and procedures for their implementation. These standards should be documented in the company’s Code of Conduct (CoC), which outlines the company’s ethical principles and identifies the major compliance risks. It should also address enforcement and evaluation methods, such as training, support, monitoring, auditing, whistleblower protection, hotline, etc. In addition, the consequences of improper conduct, the conduct of due diligence on business partners, background checks, and PEP (politically exposed person) status checks of business partners should be examined.
Additional CoC policies should address industry-specific issues as well as compliance with anti-bribery and anti-corruption laws, rules for conducting business with third parties or government-owned entities, participation in public procurement, donations and sponsorships, conflict of interest, and others. Company-wide adherence to these principles should be monitored and enforced through additional internal procedures.
Producing a set of documents is not enough to ensure company-wide compliance with CoC principles. Company employees must be duly familiarized with the CoC and other additional internal procedures, which can be accomplished through obligatory training for all employees, management, and, if necessary, business partners as well. The training must be documented, and the employees’ understanding of its content tested. Live trainings are preferable because with face-to-face contact, employees are more likely to point out risky situations. Their understanding of the compliance program can be immediately assessed as the company can obtain timely feedback on the program, and red flags may be easily discovered and addressed.
The compliance program must be fully supported by company management, with commitment to compliance strongest at the top. Management should actively promote a “culture of compliance”, by, e.g., unambiguous support of whistleblowers’ protections. Management should perceive compliance not as an administrative necessity, but as a strategic function helping the company move forward. This should be supported in turn by independent compliance officers (internal or external) with strong authority and a team large enough to manage the company’s policy on a day-to-day basis. Resources allotted to the compliance team will vary depending on the type and structure of the company. Cooperation between the compliance team and management must be based on mutual respect and support, with the compliance team granted direct access to the company’s decision-making authorities. Ideally, the position of compliance officer should not be subsumed into another position such as legal counsel, chief audit officer, or risk management officer.
An essential element of compliance is risk assessment. The risky areas of the company’s business must be pinpointed in order to allocate resources effectively. A systematic approach to the compliance program followed by regular assessment is crucial. Afterwards, improvements and modifications based on a well-focused risk assessment may be implemented. The most common risk assessment tools include internal audits, calls made to hotlines, internal investigations, completion of employee trainings, monitoring of internal compliance, and monitoring of third parties. Whether internal or external, audits must be performed by an independent authority. It is important to implement tools that not only review the past, but also foresee the future and propose solutions.
It is also strongly advised that the compliance department aid employees who seek guidance or help with compliance issues. A reporting system, such as a hotline (e.g., e-mail or phone line support provided by external legal counsel), is effective in uncovering improper conduct and may be utilized by business partners as well as employees. With a hotline, response times may be easily verified, and remediation can be fast. To encourage employees to make use of hotlines, it must be unequivocally clear that under no circumstances will there be retaliation of any kind whatsoever against whistleblowers.
Disciplinary actions against persons breaching compliance rules will vary case by case and mainly include repeated training, a pay cut, and termination. The company must take steps proportional to the misconduct detected. On the other hand, employees who help the company improve the compliance program or report misconduct must be openly rewarded. Following detection of a breach, the compliance team must evaluate the breach, impose appropriate sanctions, and then modify the compliance program to prevent recurrence.
In recent years, there has been much progress in the implementation of compliance programs in the US as well as in many EU countries. The abovementioned basic principles are of compelling interest to anyone looking to be successful in conducting transparent business. An effective compliance program should be seen as a strategic tool, giving the company a strategic advantage against competitors. The more companies that implement and enforce compliance programs, the more pressure will be put on other companies to achieve a transparent business environment. In the end, the implementation of compliance programs throughout the business world will help society eradicate corruption, improve transparency in business relationships, and improve the life of the entire society overall. That is a WIN-WIN for everyone.
Vladimír Kordoš, Partner, bnt attorneys-at-law
Filip Takáč, Junior Associate, bnt attorneys-at-law