01
ESTABLISHING, INTEGRATING & MAINTAINING AN EFFECTIVE COMPLIANCE PROGRAM
Every company is unique, and each needs a compliance program to match. Risk profiles vary, and so too do the appropriate mitigation methods. This is true regardless of the size of the business, and even for multinational organizations. Management model, number of employees, industry, geographic footprint, and regulatory landscape are just a few of the many factors in play.

As such, it is important to understand that there is no single, rigid formula to which every organization could or should adhere. However, in this section we hope to offer a framework by which specific policies can be developed, and a set of considerations that might be taken into account.
ECI BENCHMARK

In 2016, the ECI’s Blue Ribbon Panel released the Principles and Practices of High-Quality Ethics & Compliance Programs report. This has since become a benchmark for constructing an effective E&C program. The objective of the original report was to focus on the five critical principles of a high-quality program (HQP), and the recommended techniques for practitioners to use when building out their own.

THE FIVE PRINCIPLES HIGHLIGHTED IN THE REPORT ARE:

STRATEGY
Ethics and compliance is central to business strategy.

RISK MANAGEMENT
Ethics and compliance risks are identified, owned, managed, and mitigated.

CULTURE
Leaders at all levels across the organization build and sustain a culture of integrity.

SPEAKING UP
The organization encourages, protects, and values the reporting of concerns and suspected wrongdoing.

ACCOUNTABILITY
The organization takes action and holds itself accountable when wrongdoing occurs.

These five principles provide the standard framework on which an E&C program should be developed. The word ‘program’ is crucial here: a good compliance regime will be approached as a program, and not simply as a process or tick-box exercise. This interpretation was endorsed by the US Department of Justice (DOJ) in its 2020 update to its guidance for federal prosecutors on the evaluation of corporate compliance programs. This guidance represents the standard by which all Ethics & Compliance programs should be judged, whether or not they operate in the United States.

One of the key reasons for this is set out by Thomas Fox, who in 2020 noted the much-needed alignment between compliance professionals and lawmakers. He wrote: “The 2020 Update is most welcome news for every Chief Compliance Officer (CCO), compliance professional, and corporate compliance program in the US and beyond. The reason is simple: it ends, once and for all, the clarion call for paper compliance programs written by lawyers for lawyers. The DOJ has now articulated what both the business and compliance communities have been learning—that compliance is a business process, and as a process, it can be measured, managed, and most importantly, improved.”

The DOJ measures the effectiveness of corporate compliance programs through three specific lenses. We can also use these lenses as a starting point for the development of any individual program.

THEY ARE:
Is the corporation’s compliance program well-designed?
Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
Does the corporation’s compliance program work in practice?
DESIGN

A well-designed program sets out a clear message that misconduct is not tolerated, but this alone is not enough. In addition, a good program employs policies and procedures (including assignments of responsibility, training, and incentives) to ensure complete integration of E&C principles into the company’s operations. Finally, these must be adhered to by leadership and rank-and-file employees alike.

GOOD FAITH & EMPOWERMENT

Companies where leadership has a ‘do as I say, not as I do’ approach end up with cultures of tolerance for rule-breaking. A perception that misconduct will not be taken seriously is perhaps the most important factor in disincentivizing employees from speaking up. This, in turn, creates more misconduct because of a lack of repercussions for perpetrators and an acceptance that ‘this is how things are done here’.

WORKING IN PRACTICE

The design of a good E&C program must be based on relevant metrics (which will, again, be unique to the organization in question) identified through a risk assessment that is itself continually reviewed and improved. Here the ‘program’ aspect of E&C comes to the fore again: good E&C isn’t a one-time activity, but instead an ongoing practice.

BUILDING THE PROGRAM

E&C programs should be unique, but in order to assist in their development there are several key questions that should be asked.

THESE INCLUDE:
How do you identify risks?
Do you allocate time and resources appropriate to those specific risks?
Do you constantly review and revise this risk assessment? Is it a ‘living process’ rather than a periodic snapshot?
Are your policies and procedures easily accessible by all employees, with appropriate signposting and offline materials if required?
Are they written in an understandable and accessible way, including in multiple languages if required?
Can you track which policies are most accessed by employees, and are you using this data to help improve the program?
Who has responsibility and accountability for policies and processes? Are you satisfied that the ‘gatekeeper’ positions are occupied not by compliance professionals but by subject matter specialists, for example HR, payroll, or internal audit?
TRAINING & COMMUNICATIONS

Are the Ethics & Compliance professionals trained appropriately?
Does training need to be extended beyond E&C, for example to managers or specific functions?
Do some personnel need specialized training?
Is training accessible, for example in multiple languages or in an offline format for employees who are not online (for example those working on oil rigs or in mining operations)?
How do you handle transparency and follow-up during and after a misconduct incident? Do you inform employees when a member of staff is terminated for misconduct? Do you close the loop and follow up during investigations, even in the case of anonymous reports?
Do employees understand the process of reporting and investigation?

An effective and accessible incident reporting and resolution mechanism is the backbone of any compliance program. But paradoxically, whistleblowing (and especially external whistleblowing) is often cast in a negative light, with the whistleblower portrayed, for example, as a disgruntled employee with a grudge against their employer. Dr. Margaret Heffernan sums up the figure of the whistleblower as follows:

“While the popular image of the whistleblower is typically an eccentric loner, the truth is more prosaic: whistleblowers are likely to be loyal employees, passionate about high standards, who go outside their organisation as a last resort when nobody takes them seriously. They aren’t defiant troublemakers; they’re disappointed believers.”

The point is, employees are your best first warning system when something isn’t right. This is especially true, as Dr. Heffernan says, of the “believers”.

According to the DOJ, one hallmark of a well-designed compliance program is “the existence of an efficient and trusted mechanism by which employees can anonymously or confidentially report allegations of a breach of the company’s code of conduct, company policies, or suspected or actual misconduct.”

There are two main factors that tend to prevent employees from speaking up: lack of confidence that action will be taken, and fear of retaliation. The simple existence of a Code of Conduct is not enough to tackle this. In businesses in which there is a disconnect between conduct and culture, the infrastructure required to enable the transition to a more positive culture is unlikely to exist. Drawing more attention to the Code of Conduct is useless if the tools in place to expose and resolve misconduct are ineffective or non-existent.
When designing incident reporting and resolution mechanisms, we should ask the following questions:

Is the reporting channel designed, established, and operated in a secure manner that ensures the confidentiality of the reporter’s identity and that of any party mentioned?
Have you considered alternatives to traditional hotlines that might be more accessible, such as Vault Platform?
Is a confirmation of receipt of the report given to the reporting person within an appropriate time frame, including in the case of anonymous reports?
Does a competent person or department follow up on the reports? Can this person maintain communication with the reporting person and provide feedback, including in the case of anonymous reports?
Is a careful follow-up investigation carried out on the report by the designated person or department?
Is a reasonable time limit set for giving feedback or closing the loop on the report from the acknowledgment of receipt?
Does your case management and resolution system give you real-time data on the status of ongoing investigations and specific categories of incidents?

AND WE CAN ASK SIMILAR QUESTIONS WHEN DESIGNING MECHANISMS FOR SPECIFIC ACTIVITIES:

01 THIRD PARTY & PARTNER ECOSYSTEMS

Do all or a specific subset of the above questions also apply to partners, suppliers, customers, or the general public?
How do third parties or partners report misconduct to you, and how do you follow up? Is this process clearly communicated and accessible?

02 MERGERS & ACQUISITIONS

Is an effective risk assessment process carried out during the due diligence process of M&A?
How are any risks handled?
How will the multiple compliance programs be integrated?

03 IS THE PROGRAM FUNCTIONING EFFECTIVELY?

Is the program adopted top-down and bottom-up, that is, by leadership and rank-and-file employees alike?
Who has oversight? For example, is it the Board of Directors? What experience or training do they have to ensure adequate capability of oversight?
CONTINUOUS IMPROVEMENT, PERIODIC TESTING & REVIEW

According to the DOJ, another hallmark of an effective compliance program is its capacity to improve and evolve:

“The actual implementation of controls in practice will necessarily reveal areas of risk and potential adjustment. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the applicable industry standards. Accordingly, prosecutors should consider whether the company has engaged in meaningful efforts to review its compliance program and ensure that it is not stale.”

Best-practice compliance programs require practitioners to have access to continuous and real-time transactional data within the organization, even across multiple silos such as HR, ESG/CSR, and E&C. However, getting to this stage is an iterative process, and one that does not happen overnight. Organizations are not sanctioned if they can demonstrate they are moving in the right direction. The key is to ensure that everything is documented; by documenting the basis for your decisions, you can more easily explain that calculus in the event of a regulatory investigation.

AS TOM FOX SAYS:

“No compliance professional, compliance program or even company under Foreign Corrupt Practices Act (FCPA) investigation or scrutiny has ever been punished for making an incorrect decision where a succinct and documented business justification was in place.”

CULTURE

The role of compliance in speak-up culture is increasingly understood not only by Ethics and Compliance professionals but also by lawmakers, as reflected in the DOJ’s 2020 update. All parties now acknowledge that the function plays a key role in helping organizations navigate the waters of bias, diversity, and equality.

Over the last 18 months we’ve seen an increased focus on the intersection between the functions of Compliance, Legal, and HR, particularly regarding the direction of a company’s culture and whether the company and its employees act with integrity.

In an article for Harvard Business Review, Rob Chesnut, who was most recently Chief Ethics Officer at Airbnb, warns that it’s the end of the line for ‘canned codes of ethics’, and for companies that treat their code as just another legal box to check. Doing the bare minimum required for legal compliance is no longer enough, as companies are pushed by employees, governments, and customers to step up and adopt a multi-stakeholder approach that serves social purposes as well as investor demands.

The Compliance function therefore has a powerful platform within the organization, reaching every employee and, if leveraged in the right way, becoming a powerful strategic driver.
THE ROAD TO ETHICS & COMPLIANCE

This ebook is intended to provide a foundation for the establishment of a comprehensive Ethics & Compliance program. Any such program must be an evolving, ‘living’ project, both reactive and proactive. It must be agile enough to respond to new challenges, while being built on a thorough understanding of the modern E&C landscape.

Appended to this ebook is a checklist to aid in the development of your E&C program. Vault Platform is ready to provide turnkey solutions to Ethics & Compliance challenges, regardless of the size of the business. Get in touch today to discuss how we can help.
Does your Ethics & Compliance Program meet the Five Principles and Practices of High-Quality Ethics & Compliance Programs set out by the ECI Blue Ribbon Panel Report?

1. STRATEGY
Are Ethics & Compliance acknowledged as being central to business strategy?

2. RISK MANAGEMENT
Are Ethics & Compliance risks identified, owned, and managed?

3. CULTURE
Do leaders at all levels across the organization agree and understand how to build and sustain a culture of integrity?

4. SPEAKING UP
Does the organization encourage, protect, and value the reporting of concerns and suspected wrongdoing?

5. ACCOUNTABILITY
Does the organization take action and hold itself accountable when wrongdoing occurs?
CHECKLIST

Does the program go beyond a ‘box ticking’ exercise?
1. Is the ethics and compliance program well designed?
2. Is the program adequately resourced and empowered to function effectively?
3. Does the compliance program work in practice? Is this measurable?

Risk Mitigation
1. How do you identify the risks?
2. Do you allocate time and resources appropriately to those specific risks?
3. Do you constantly review and revise this risk assessment? Is it a ‘living process’ rather than a periodic snapshot?

Policies & Procedures
1. Are your policies and procedures easily accessible by all employees, with appropriate signposting and offline materials if required?
2. Are they written in an understandable and accessible way, including in multiple languages if required?
3. Can you track which policies are most accessed by employees, and are you using this data to help improve the program?
4. Who has responsibility and accountability for policies and processes? Are you satisfied that the ‘gatekeeper’ positions are occupied not by compliance professionals but by subject matter specialists, for example HR, payroll, or internal audit?

Training & Communications
1. Are the Ethics & Compliance professionals trained appropriately?
2. Does training need to be extended beyond E&C, for example to managers or specific functions?
3. Do some personnel need specialized training?
4. Is training accessible, for example in multiple languages or in an offline format for employees not online (for example those working on oil rigs or in mining operations)?
5. How do you handle transparency and follow-up during and after a misconduct incident? Do you inform employees when a member of staff is terminated for misconduct? Do you close the loop and follow up during investigations, even in the case of anonymous reports? Do employees understand the process of reporting and investigation?

Incident Reporting & Resolution
1. Is the reporting channel designed, established and operated in a secure manner that ensures the confidentiality of the reporter’s identity and that of any party mentioned?
2. Have you considered alternatives or technology to traditional hotlines that might be more accessible?
3. Is a confirmation of receipt of the report given to the reporting person within an appropriate time frame (even anonymous reporters)?
4. Does a competent person or department follow up on the reports? Can this person maintain communication with the reporting person and provide feedback (even anonymous reporters)?
5. Is a careful follow-up investigation carried out on the report by the designated person or department?
6. Is a reasonable time limit set for giving feedback or closing the loop on the report from the acknowledgment of receipt?
7. Does your case management and resolution system give you real-time data on the status of ongoing investigations and specific categories of incidents?

Third Party & Partner Ecosystems
1. Do all or a specific subset of the above questions also apply to partners, suppliers, customers, or the general public?
2. How do third parties or partners report misconduct to you and how do you follow up? Is this process clearly communicated and accessible?

Mergers & Acquisitions
1. Is an effective risk assessment process carried out during the due diligence process of M&A?
2. How were any risks handled?
3. How will the multiple compliance programs be integrated?

Is the program functioning effectively?
1. Is the program adopted top down and bottom up (by leadership and rank-and-file employees)?
2. Who has oversight? The Board of Directors? What experience or training do they have to ensure adequate capability of oversight?

VISIT VAULTPLATFORM.COM