Date: January 28, 2013

Location: Fordham University Law School

The Basics

Rolling Out Your Corporate Compliance Program

Carole Basri, Adjunct Professor, Fordham University Law School

Cell: 917-822-2447 Email: [email protected]

©CBasri 2013


New Reasons To Implement a Compliance Program:

Federal Sentencing Guidelines, revised as of Nov. 1, 2004, requiring a “culture” of ethics and a “best practice gaps” analysis to support the underlying structure of the corporate compliance program.

Justice Department guidance on prosecutorial decisions in the Holder, Thompson, McNulty and Filip Memoranda, which state that, in determining whether to charge a corporation for the criminal misconduct of its employees, prosecutors should consider “the existence and adequacy of the corporation’s compliance program.”

NY Stock Exchange Rule 303A.10 requiring NYSE-listed companies to adopt codes of business conduct and ethics for directors, officers, and employees which codes are to be posted publicly. Further, waivers of the code for directors or executives must be promptly disclosed to shareholders.

NASDAQ Rule 4350 requiring NASDAQ-listed companies to adopt a code of conduct for directors, officers and employees, which codes are to be posted publicly. Further, waivers of the code must be disclosed on a Form 8-K within five days.

Large settlements with government against companies without “effective” compliance programs such as Siemens.

Caremark Decision (Del. Ch. 1996): personal liability for directors for oversight of compliance.

Government Imposed Corporate Integrity Agreements


WAKE UP CALL FOR CORPORATE COMPLIANCE

An effective corporate compliance program can:

Help insulate a company, and its officers and employees, from criminal and civil fines

Protect its board of directors from personal liability

Create a culture of “good citizen corporation” (5% good, 5% not, 90% follow)

A poorly constructed program can:

Serve as a roadmap for prosecutors

Damage morale (employees view code of conduct as merely lip service by executives)

Encourage fraud and unethical conduct to continue


Revised Nov. 1, 2004 U.S. Federal Sentencing Guidelines:

Promotes “Culture of Ethics”

Includes Part C: Risk Assessment

Part C plus Seven Elements Creates an “Effective” Corporate Compliance Program.


Part C- Risk Assessment

(Best Practices-Gaps Analysis)

• Antitrust/Competition

• Conflicts of Interest

• Privacy & Data Protection

• Employment

• Environmental

• Export Controls

• False and Deceptive Advertising

• Foreign Corrupt Practices Act

• UK Bribery Act

• Fraudulent Financial Reporting

• Gifts and Gratuities

• Government Contracting

• Insider Trading

• Intellectual Property

• Lobbying, Political Contributions and other political activities

• New Business “Alliances”

• Procurement of Goods/Services

• Records Management

• Protection Security/Wiretapping

• Privacy of Communications

• Sexual Harassment

• Social Networking

• Subcontractors and Contract Labor

• Tax

• Workplace Safety

• US Patriot Act

• Anti-Money Laundering Act


Seven Elements of An Effective Corporate Compliance Program are as follows:

1. Standards and procedures to prevent and detect criminal conduct;

2. Board must be knowledgeable about and oversee program; top management must ensure effectiveness of program; specific individual(s) within high level personnel must have responsibility for program;

3. Reasonable efforts not to include within substantial authority personnel individuals whom the organization knew or should have known have engaged in illegal activities or conduct inconsistent with an effective program;

4. Communicate standards and procedures by training directors, employees and, as appropriate, agents, and by other means;

5. Monitor and audit to detect criminal conduct; evaluate program periodically; have and publicize a system for reporting suspected violations and seeking guidance;

6. Promote and consistently enforce through appropriate incentives to perform in accordance with the program and appropriate discipline; and

7. After criminal conduct is detected, take reasonable steps to respond appropriately and prevent further similar criminal conduct, including necessary modifications to program.


First Element

Written Policies, Procedures and Internal Controls for Risk Areas include the following:

• Standards of Conduct

• Internal Controls

• Mission statement

• Letter from CEO

• Code of Conduct or Code of Ethics

• Employee handbook

• Corporate Compliance Program Guidelines

• Alignment of Code of Conduct, Policies and Procedures, and Internal Controls


Second Element

Board must oversee the compliance program.

Top management should take a leadership role in fostering the compliance program.

Designate specific “High-Level Personnel” to oversee compliance, such as a compliance officer.

A compliance officer is critical to the success of the compliance program.

A chief compliance officer should be appointed to coordinate the activities of individual compliance “officers” at subsidiaries.

The compliance officer should have the following:

• Direct access to CEO and Board of Directors, and

• Sufficient funding and staff

The compliance officer’s responsibilities include:

• Overseeing and monitoring the implementation of the compliance program;

• Reporting on a regular basis to the CEO and compliance committee;

• Periodically revising the program in light of new developments;

• Developing, coordinating and participating in a multifaceted educational and training program that focuses on the elements of the compliance program;

• Assisting the financial management in coordinating internal compliance reviews and monitoring activities;

• Independently investigating and acting on matters related to compliance, including the flexibility to design and coordinate internal investigations;

• Developing policies and programs that encourage managers and employees to report suspected fraud and other improprieties without fear of retaliation.


Third Element

Reasonable efforts not to include in the compliance organization personnel of questionable integrity

• Coordinating background checks on employees involved in compliance administration and coordination


Fourth Element

Effective communication of Standards and Procedures

Training should include the following areas:

code of conduct;

employment issues;

competition issues;

using e-mail, voicemail, newsletters, memoranda, etc., to aid communications; and

other topics as necessary.

Training should be at the time of hiring as well as regularly scheduled at least once or twice a year as necessary.


Fifth Element

Developing effective methods of monitoring, auditing, reporting, and publicizing the system.

• Creating an anonymous hotline and protecting whistle blowers;

• Setting up a regular auditing and monitoring schedule including on-site visits and spot checks; and

• Publicizing results of the compliance program.


Sixth Element

Consistent enforcement through corrective actions and incentives

• Written policy on disciplinary standards;

• Create incentives system; and

• Dissemination of standards to new and existing employees.


Seventh Element

Take reasonable steps to respond to detected criminal offenses

• Detecting criminal violations;

• Conducting internal investigations;

• Reporting criminal violations; and

• Updating the Corporate Compliance Program


Corporate Compliance Program Roll Out

Phase I: High Level Compliance Assessment

Phase II: Develop an Overall Corporate Compliance Blueprint

Phase III: Evaluate and Develop Policies in Substantive Areas

Phase IV: Communication, Training and Implementation

Phase V: Continual Refining of the Program, Self-Assessment, Monitoring and Reporting

o High Level Review

o Interview

o Best Practices and Gaps analysis/ Risk Assessment

o Work Plan

o Senior Management Meeting

o Code of Conduct

o Corporate Compliance Program Guidelines

o Alignment of Code of Conduct; Policies and Procedures, Internal Controls and Employee Handbook

o Antitrust

o Social Networking and Privacy

o Document Management

o Employment

o Environmental

o Foreign Corrupt Practices

o Intellectual Property

o Insider Trading

o Other Risk Areas

o Introduce Code of Conduct and Program

o Ongoing Communication Plan

o Training Plan

o Training Material/on Intranet

o Training Schedule for Train the Trainer and Internet Training

o Internal Controls

o Internal Audit

o Incentive System

o Internal Investigation Protocols

o Publicize reporting results


Phase I

Conducting a High Level Compliance Risk Assessment

During Phase I, you should:

• Form a committee;

• Interview key officers and employees;

• Prepare a report on Risk Assessment, including Best Practices and Gaps; and

• Present the report on Risk Assessment, including Best Practices and Gaps.

The Committee should be composed of at least the following:

• CEO or President

• General Counsel

• CFO

• Internal Audit Director

The Committee should report to the Audit Committee of the Board of Directors or directly to the Board of Directors.

Interview key officers and employees of the company and all subsidiaries including the following:

• President,

• Business Development/Sales Marketing,

• General Counsel/Outside Counsel,

• Chief Financial Officer,

• Human Resources Director,

• Environmental Health and Safety, if any,

• Compliance Officer, if any, and

• Other key officers and employees, as necessary


Based on the interviews, prepare a report on Risk Assessment, including Best Practices and Areas of Deficiency (gaps) based on the following questions:

• What are your key risk areas?

• What are the standards and procedures that you now have in place in these risk areas?

• What are the areas you have successfully limited risk and how?

• What areas could you improve in the cost to limit risk and how?

• What is happening in such key areas as antitrust, environmental, employment, intellectual property and insider trading?

• Describe the company culture toward corporate compliance and limiting risk.

Present the report on Risk Assessment, including Best Practices and Gaps:

• The report should provide a risk assessment for relevant areas of law.

• The report should be presented to senior management and the Board of Directors.

• The report should be presented to the officers of all subsidiaries who were interviewed.

• Buy-in on the report should be encouraged.

• Create a Workplan which includes a timetable and an action plan.


Phase II

Develop an Overall Compliance Blue Print

During Phase II, you should:

• Look at other Codes of Conduct;

• Use the Committee and Focus Groups to develop a Code of Conduct;

• Customize the Code of Conduct to the Company culture;

• Customize the Code of Conduct so it is suitable for all employees;

• Make sure the Code of Conduct is user friendly and attractively packaged;

• Create a Mission Statement and letter from the CEO to accompany the Code of Conduct; and

• Create Compliance Program Guidelines.


Phase III

Evaluate and Develop Policies and Procedures in Substantive Areas

During Phase III, you should:

• Inventory policies and procedures already in place (e.g., internal controls for antitrust/competition, sexual harassment policy, environmental policy, etc.);

• Align Code of Conduct, Policies and Procedures, Internal Controls and Employee Handbook; and

• Develop Policies and Procedures where Gaps exist as indicated from the report on Best Practices and Gaps and borrow best practices, where necessary from other subsidiaries or outside the organization (see trade associations, industry practice groups, law firms, consultants, seminars, such as Practicing Law Institute (PLI) and the Association of Corporate Counsel


Phase IV

Communication, Training and Implementation

During Phase IV, you should:

• Introduce Code of Conduct and Program;

• Ongoing Communications Plan;

• Training Plan;

• Training Plan for Fraud Prevention;

• Training Materials/on the Intranet; and

• Training Schedule.


Phase V

Continual Refinement, Self-assessment, Monitoring and Reporting

During Phase V, you should have:

• Management Controls;

• Internal Audit System;

• Internal Controls;

• Incentive System;

• Internal Investigation Protocols; and

• Publicize Reporting Results

An Effective Corporate Compliance Program is an early warning system for risk control through the following:

• Risk assessment process;

• Monitoring;

• Reporting (i.e., hotline); and

• Training sessions


Make Your Compliance Rollout Memorable

• Mementos (tombstones, plastic cubes, post-it notes);

• Screen savers;

• Calendars;

• Intranet sites; and

• Formal announcements and invitations to compliance event.

Remember

• This is a marketing campaign!

• Your product is a Compliance Program!

• Your audience is your employees!