In an article in the January/February issue of the ACC Docket entitled “Five Fundamentals for Taking Management Compliance Seriously”, author Daniel Lucien Buhr discusses a model for a compliance system which he describes as the “Compliance House”. The Compliance House is a model which has been developed by Swiss businesses to use as the foundation of effective compliance management by ensuring that by “binding values and appropriate compliance management they can safeguard their integrity, and avoid or contain breaches of the law.” Buhr believes that it is the basic legal responsibility of any company board of directors to make certain breaches of law are either avoided or, if they occur, are detected early enough so that the company may remedy the situation.
Buhr begins with a very basic understanding of the term compliance, which he defines it as “ensuring law abidance.” However, the author goes on to expand this definition by noting that both private and public stakeholders of a company will expect that the company shall comply with applicable standards, therefore compliance may also be defined as “the state of integrity expected by stakeholders on the basis of civic responsibility of the companies.” This is a far different version than most US companies would state. Most US companies would try and obey the law but not include a complete culture of integrity.
Buhr states that whatever the size of the company, it all begins with a strategic risk profile or what he terms a “risk map”. This sounds quite similar to the UK Bribery Act’s First Principle of Adequate Procedures, that being a risk assessment where a company regularly and comprehensively assesses the nature and extent of the risks relating to bribery and corruption. It is also the same as the Department of Justice’s (DOJ) admonitions that to follow the US Sentencing Guidelines for a best practices Foreign Corrupt Practices Act (FCPA) compliance program, a company should begin with a risk assessment. Buhr stresses that while there is no single model which will apply to every company, there are five common elements to build the “Compliance House” and they are:
- A written Compliance Policy and Code of Conduct is the ‘roof’ of an effective compliance policy. Under this element, the corporate management commits to complete integrity, through complying with FCPA, the UK Bribery Act or other compliance laws and regulations. This must be a key component of corporate culture and the foundations of its business operations.
- The structure of the compliance organization is the first pillar upon which the Compliance House is built. This is one of the side walls of the Compliance House. Management must ensure that the company’s Code of Conduct or other implementing statements are effectively implemented by the company’s compliance group. This requires that management fully empower the compliance group with adequate staffing, material and financial resources. This structural component must guarantee that an independent body is created, through a hotline or other mechanism, which allows compliance concerns and violations to be reported in confidence.
- The compliance processes are the second pillar of the Compliance House. Together with the confidential reporting mechanism, the compliance processes make up the other pillar of the Compliance House. The pillar includes planned systematic processes such as the regular analysis of compliance risks, the publishing and implementation of internal compliance policies and procedures, training the appropriate staff on compliance issues and the detection and investigations of possible compliance violations.
- Appropriate compliance incentives and sanctions. While most US companies are fairly well versed in sanctioning employees for compliance violations, they are less progressive in compliance incentives. This prong requires that a company reward particular achievements relating to compliance. Conversely, compliance breaches must be punished; however a company must make clear that the compliance program will not be sacrificed for commercial incentives. Finally, there should be complete transparency in both rewarding those who do business in a compliant manner and punishing those who violate the company compliance program.
- Testing the effectiveness of the Compliance House. As noted by Lanny Breuer, Assistant Attorney General, for the Criminal Division of the US DOJ, a compliance program must be dynamic, not static. This requires constant improvement of the compliance program through measurement and regular testing for effectiveness. Breuer has advocated an annual compliance program assessment by each company. Under the Compliance House model this would allow a company to determine weaknesses in its compliance program and remedy them or take into account changes in a company’s business model, such as moving into a high risk business area. The fifth element completes the Compliance House model.
The Compliance House model provides to the compliance practitioner, whether in a Swiss company or a person who is governed by the FCPA or the Bribery Act, a conceptual framework to develop an overall compliance program. It can also be used as a format to present to a Board of Directors to help them to understand a company’s compliance obligations and how those obligations are being satisfied.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2011