“Compliance program” is an often-used phrase that is easily repeated, even when the speaker has no clear understanding of what is being said.
Compliance programs come up in the context of the multiple layers of ongoing, routine functions a company should have in place both to survive a government audit and, more altruistically, to be ready to respond immediately in the event of an alleged illegal or improper event.
The basic elements of a compliance program are: (1) the “compliance program” document to set forth the corporate culture of compliance set by ownership and management alike, and to identify the statutes and regulations believed to apply to company operations and personnel; (2) the standard operating procedures to create a functional compliance program; (3) the training materials to impart the compliance program; (4) the scheduled monitoring to ensure the timeliness of the compliance program and its implementation; and (5) the compliance event response regimen and its associated documentation.
A few more words on what is important about these component parts, plus a few highlights of what gets tricky.
The compliance program document is both the anchor and the umbrella of the compliance program. The correct identification of governing law is the first step company officers can take to demonstrate their knowledge of their field and demonstrate their culture of compliance. If nothing else, during an audit, a correct identification of governing law allows a company to credibly assert that it is aware that it should be doing something (or not doing something).
Without standard operating procedures (SOPs), a compliance program document serves as little more than a book report. SOPs create or memorialize the functional mechanics of how a company is going to get into and stay in compliance in a given area. It might be as simple as designating which employee should be in charge of compliance training or as complicated as sequencing in the event of a data breach.
Once things are down on paper, it’s important to train your existing workforce and new hires. Some companies use a certification process for online training; others use a simple sign-in sheet with personal instructors in a classroom setting. The key to workforce training is setting benchmarks for re-training, e.g., will it be at least annually, or can it be triggered by events of a certain level of importance, such as a new statute?
Ideally, both the compliance program document and the accompanying SOPs are scheduled for periodic review of no less than annually to try to ensure that statutory references are current, guidance documents incorporated, training materials refreshed, and notable events analyzed for structural improvements. Again, you want to try to avoid creating compliance paperwork that sits in a 3-ring binder, collecting dust. Not only will that be unlikely to insulate your company in the event of an audit, it can create a functional crisis in the event of an emergency.
Finally, the law of numbers tells us that you will have occasion to use the compliance program to respond to a crisis. Documentation of crisis events is necessary not only to bolster any available defense, but also for post-event analysis. When written documentation is gathered and created, an internal compliance team can test it against the program document, SOPs, and training materials to identify and repair flaws in the compliance operating system.