Many companies can find themselves in hot water when they don’t have the proper framework in place to ensure that they meet all their legal responsibilities. But it doesn’t have to be that way! Having a successful corporate compliance program in place will help to ensure your organization operates lawfully and meets all of its obligations with relevant laws and regulations.
What is corporate compliance?
Corporate compliance is when a business ensures that it adheres to all regulations, standards, laws, rules, and ethical practices applicable to both the company itself and the industry that it operates in.
This can include national, state and municipal laws, as well as enforcing internal policies that are used to create good governance and accountability.
In a nutshell, having a corporate compliance program in place will help to safeguard your organization against a range of issues like fines and penalties, lawsuits, reputational damage, shutdowns, and more.
How does corporate compliance affect business?
Businesses need to comply with many laws, from workplace health and safety to privacy to taxation and more. When there is a corporate compliance program in place within an organization, it can be used to track different legal and other requirements, including any dates where important documentation must be lodged with relevant authorities and processes, procedures, and ways to notify of any compliance breaches.
There are resources required to manage compliance in most organizations, which is necessary to reduce its risk exposure. Risk can be legal, financial or reputational.
However, on the other side of the coin, this investment can be rewarding for a business: it can make the company stronger, more prosperous, and profitable.
The differences between external and internal compliance
When people think about corporate compliance, they usually only consider the external compliance requirements – i.e., following government rules and regulations. There are lots of different examples of this. For example, there are types of financial records that some public companies must publish under the law. In other cases, it might be ensuring that everything is compliant with privacy requirements, such as the European Union’s General Data Protection Regulation (GDPR).
When there are external compliance requirements, the government and other authorities are generally not concerned with what internal processes are in place to ensure compliance: they just want to be sure the company is complying and meeting its obligations.
Internal compliance refers to the processes that are in place within a company to ensure that it meets its external compliance commitments. For financial compliance, for example, it may be that there are policies around expenditure, donations, and gifts to officials.
Different types of compliance risks to be aware of
Every company will have its own unique compliance risks that will vary depending on where they do business and their industry. However, there are some common compliance risks that apply regardless of the industry a company operates in.
This includes situations where a company is involved in bribery, kickbacks, rigging event outcomes, or other business practices that could be deemed improper. It also covers fraud and embezzlement, insider trading, conflicts of interest, and other unethical activities.
2. Environmental risk
When the company’s work could damage or otherwise pose a threat to the environment, including ecosystems and living organisms.
3. Employee behavior
The actions of your employees can pose many risks: failing to comply with safety rules, sexually harassing or discriminating against other employees, or otherwise behaving in a manner that is inconsistent with the law while in the workplace. In some cases, it involves employees acting recklessly and taking risks that management is unaware of and would not approve of.
4. Political uncertainty
When there is a change of government, this can mean new laws are implemented that will require organizations to considerably alter some of their work practices and the way they conduct business in general.
5. Financial reporting
Whether it be taxes, preparing statements of income for different government authorities or meeting fiduciary duties to shareholders, organizations have a range of financial responsibilities that must be carried out under the law.
6. Social responsibility
While not always legally required, companies that are perceived to be socially irresponsible face risk in the form of reputational damage if their business practices are harmful to their workers or communities.
7. Workplace health and safety
There are legal and moral responsibilities to provide workers with a safe, healthy workplace, and many rules and regulations must be adhered to in order to do so.
8. Data protection
Companies have to meet certain obligations around keeping data secure in order to protect privacy and other sensitive information. This is particularly crucial to stay on top of given the growing threat of cybercrime.
9. Quality control
There is a high degree of risk with products and services that are not up to scratch. Appropriate minimum standards and due diligence are required here.
What is a corporate compliance program?
A corporate compliance program is a systematic approach to ensuring all of your external and internal compliance activities are accounted for and policies, procedures and other measures are put in place to ensure that your company meets its obligations.
An effective corporate compliance program will integrate with all of the compliance activities carried out across the company and ensure that your organization’s exposure to compliance risk is minimized greatly. It should:
- Have mechanisms built in to identify and reduce risks when complying with different laws, rules, and regulations,
- Have measures built in to help you to remedy any non-compliance if you have detected it,
- Assist you in creating a culture of compliance within your company.
Having one in place will not only help you to avoid failing to comply with laws and regulations, but if your organization somehow does fail to comply, you will be able to demonstrate to the authorities or the courts that you took every reasonable step to ensure compliance was met.
In implementing a corporate compliance program, it is essential that there is clear leadership and effective compliance communication. If your employees do not know about or understand the company's compliance obligations and what is expected of them, they obviously will not be able to follow the appropriate rules and regulations.
Ten tips for an effective corporate compliance program
Your business's corporate compliance program should be tailored to your organization's unique needs, but the following elements are worth including to ensure success, no matter what work you are involved in:
1. Involve leadership from the very beginning
It's important that everyone on your company's leadership team knows about, understands, and endorses your compliance program from the beginning. They need to act as ambassadors to promote the compliance program internally. Beyond that, the reality is that many of your most senior employees carry an element of professional or legal risk if compliance isn't met. Depending on their role and the industry you work in, they can be personally sued if things go wrong and/or could lose their jobs.
2. Establish responsibilities for day-to-day compliance oversight
You may wish to employ compliance management officers who are responsible for overseeing the organization's compliance activities, confirming they are on track, and intervening if any problems arise so that compliance gets back on track.
3. Set out expectations for all employees
Every employee has a role to play in ensuring your company operates within the law. This needs to be addressed through having instruments in place such as codes of conduct, policies, procedure documents and other well-defined standards. These will set out expectations with employees about what conduct is required of them, what they need to do to meet those expectations, and how to get help if something goes wrong.
4. Conduct a risk assessment
A risk assessment will help you identify the different types of risk your organization is potentially exposed to and the consequences of non-compliance either through malice or through a mistake.
5. Create a risk management plan
Building on your risk assessment, you should then create a plan to manage that risk, including specific actions that need to be taken, and who has the responsibility to take these actions. It should also include what steps an employee needs to take if there has been a problem such as breach or a mistake.
6. Train employees
A proper training program should be created to ensure that all employees understand what they need to do so that the various compliance requirements are adhered to. The training should be uniform; don't just rely on managers telling their employees what to do. It should also be built in such a way that you can readily test employees' knowledge. Offering refresher training and testing periodically will keep their knowledge up to date, and new training should be offered whenever new legal requirements are adopted.
Training can be interactive, engaging and hands-on by creating hypothetical scenarios or telling real-life compliance stories.
7. Include compliance expectations in your onboarding processes
When new employees join your organization, the compliance requirements and expectations should be spelled out to them at the very beginning, along with the consequences of failing to meet those expectations and how they can report any non-compliance they encounter.
8. Regular compliance communications
To create a culture of compliance, you need to keep it on peoples’ minds. Developing and publishing policies and placing them on the company intranet isn’t enough. People need to be reminded that they exist and, most importantly, what actions they need to be taking to ensure compliance.
Creating internal communication campaigns is a great way to remind employees about different compliance requirements. Using various tools and channels such as email, intranet, screensavers, wallpapers, pop-up notifications, videos, and digital signage will help remind people of their obligations.
9. Let people speak up confidentially
In many organizations, people may be afraid to speak up if they make a mistake or if they are aware that someone else has acted improperly. In creating a culture of compliance, your organization also needs to develop a culture where people feel safe in speaking up without fear of recriminations or reprisals.
To do this, you should have systems and mechanisms in place where people know that they can report compliance breaches or any other wrongdoings confidentially.
10. Escalation and remediation protocols
With all these other steps in place, you also need to ensure that escalation and remediation protocols are in place for when non-compliance is identified.
Must-have compliance programs for 2021
When looking at areas of corporate compliance, there are some that are quite timely that you cannot afford to overlook in 2021. These include:
1. COVID-19 compliance
Exactly what COVID-19 compliance looks like will vary depending on where your business operates from. But the reality is that the pandemic has placed specific legal requirements on companies to ensure that their employees, customers and other stakeholders are safe, as well as internal policies and procedures around the same.
This might include:
- Social distancing
- Cleaning protocols
- Other safety measures e.g. Perspex screens
- Mask use
- Monitoring symptoms.
2. Data protection
In 2020, new records were set globally for the amount of data lost to cybercriminals in breaches and attacks. 2021 isn't expected to be any better, with the level of risk magnified when employees are working remotely on personal devices or unsecured networks due to the pandemic.
Your compliance in this area should cover:
- Appropriate use of company IT
- Network security
- What to do in the event of a breach
- Cybersecurity awareness
3. Discrimination and harassment
Around the world, there have been many debates raging about racism, misogyny and other forms of discrimination. As we’ve seen with the Black Lives Matter movement in the USA, people expect governments and companies to take issues like racism seriously, to stand up to it and eradicate it. In Australia in recent months, the topic of sexual assault and mistreatment of women has been raging for so long that the Prime Minister has had to create new Ministerial portfolios to demonstrate that the issue is being taken seriously and steps will be taken to rectify it.
Your employees and stakeholders will undoubtedly expect that your organization also takes these types of issues seriously at the company level.
Compliance in this area should include topics like:
- Diversity in hiring
- Harassment and discrimination policies.
4. BREXIT issues in the UK and EU
If your company is based in, or does business in, the United Kingdom or the EU, there may be issues with compliance that you need to factor in as things change and the UK leaves the European Union. Some of these compliance issues are still emerging, but there have already been areas identified where companies may need to change their compliance regimes when it comes to things like:
- Data protection – many businesses may find that they no longer comply with the GDPR
- Trade agreements and sanctions
- Employees’ right to work in the country they reside in
- Tariffs and customs duties when importing and exporting
- The need to comply with border and customs procedures
- The structure and format of some corporate reports
Real-life examples of compliance failures
There’s a saying that isn’t entirely correct: ‘any publicity is good publicity’. When your organization finds itself in the headlines because of a failure to comply with the law, it can cause serious reputational damage with customers, government and other stakeholders.
Example 1: A large investment company and its code of conduct
A well-known Australian investment company promoted one of its employees to the position of CEO, even though there had been sexual harassment claims made about him previously by a female employee.
Before the promotion, the executive had been penalized $500,000 (which was one-quarter of his annual bonus) after being found to be in breach of the company’s code of conduct. In the fallout, several people, including the CEO himself, ended up tendering their resignation.
The lesson here is that when organizations have policies and protocols in place, there can’t be a rule for some employees and a different one for others.
Example 2: A large bank fined $150 million for non-compliance
A large bank was fined $150 million by the New York Department of Financial Services for multiple failures in compliance. It was accused of processing millions of dollars for a high-profile registered sex offender, and is said to have known about the individual’s sex trafficking and abuse history when it took him on as a client.
Payments made in the account included some of his co-conspirators named publicly in the media. The bank had failed in its legal duties to prevent the facilitation of crime through the financial system.
Example 3: Famous petroleum company fails to pay employees properly
One of the world’s biggest petroleum brands found itself in breach of labor laws after a labor organization in one country investigated and said there was evidence of underpayment of wages as well as non-payment in many of its franchised retail outlets (gas stations).
In addition, it was found that the company had threatened to terminate any employees who complained about this. The regulator found that the parent company could not be absolved of responsibility for its franchisees' actions, and that it did not have the appropriate mechanisms in place to ensure the franchisees properly understood their obligations to employees.
Example 4: A pharmaceutical company pays bribes to foreign government officials
A pharmaceutical company agreed to pay more than $519 million in civil and criminal fines and penalties after the Department of Justice and the Securities and Exchange Commission investigated and found that, for more than a decade, it had paid bribes to foreign government officials in order to gain access to new markets for its medications. The bribery scheme had brought the company more than $200 million in illicit profits during that period.
As a result, the company said it had overhauled its internal governance and appointed a global head of compliance to ensure this did not happen again.
A corporate ethics and compliance program will help gain the trust of your workforce, your stakeholders, and the public and ensure that you stay on the right side of the law. Having due diligence and a corporate culture that promotes good governance will take your organization from strength to strength.