I often write about what I call the McNulty Maxims of Compliance. I heard them in a presentation by Paul McNulty to the Houston Chapter of the Texas General Counsel Association in my most recent corporate position. They were (1) What did you do to prevent it?; (2) What did you do to detect it?; and (3) What did you do when you found out about it? These three maxims generally translate into (1) Your compliance program, made up of policies and procedures; (2) Your internal controls to serve as both a front-line detection and back-up against corruption; and (3) What remedial steps did your company take when they discovered the issue of concern?
So how does a compliance practitioner create the compliance program, or in McNulty Maxim terms create a “What did you do to prevent it?” compliance program? Many companies are still in the infancy of creating their compliance programs with their General Counsel or perhaps hiring an initial Compliance Officer. This person or persons may be somewhat overwhelmed about how to even get started. Transparency International, in its “Business Principles for Countering Bribery: TI Guidance Document” (“Guidance Document”), has provided a specific road map for the implementation of a compliance program. Although the Chapter in the Guidance Document is designed for Transparency International’s “Business Principles for Countering Bribery: TI Six Step Process”, this process can be used as a guide by any compliance practitioner who must create a compliance program or who needs a guide to assess whether a compliance program should be enhanced.
Action: Decide to develop an anti-bribery and anti-corruption policy.
Primary Responsibility: Owner of Company/Board of Directors/Chief Executive Officer (CEO).
Process: Commitment to anti-bribery and anti-corruption policy from the top of the company. Appoint a senior manager to head the compliance function and cross functional Project Team.
Time Span: One Month.
Action: Plan the compliance program implementation.
Primary Responsibility: Appoint a senior manager of the Project Team, preferably the new Chief Compliance Officer (CCO).
Process: Define specific company risks and review current practices through a risk assessment, review all anti-bribery and anti-corruption, develop an initial draft of the compliance program and obtain buy-in from senior management and key stakeholders through the risk assessment process.
Time Span: 3 to 6 months.
Action: Plan the project implementation: Appoint a senior manager to head risk assessment or bring in an outside expert.
Primary Responsibility: CCO or outside expert.
Process: Integrate the compliance program into your company’s organizational structure and assign appropriate responsibilities, develop detailed implementation plan including human resources policies, a communications program and training programs.
Time Span: 3 to 6 months.
Action: Implementation: Getting the compliance program working.
Primary Responsibility: CCO in conjunction with persons brought into the compliance function.
Process: Communicating the compliance program both internally and externally as appropriate through training courses for employees and appropriate third parties, establish anonymous reporting hotlines and advisory function channels to provide employees guidance on day-to-day compliance issues, introduce a sanctions process for violation of the compliance program and a rewards process for conducting business in an ethical manner.
Time Span: One year.
Action: Monitoring of the compliance program.
Primary Responsibility: CCO, Compliance Department, Internal and External Auditors.
Process: Regular reviews of the compliance program through basic testing, detailing of and reporting of all hotline calls, statistical reporting of any events or other significant issues which may arise.
Time Span: Continuous.
Action: Evaluation of the compliance program.
Primary Responsibility: CCO, in conjunction with specialized outside counsel or external auditors, reporting to Audit/Compliance Committee or Board of Directors.
Process: Annual compliance assessment; quarterly reports to Audit/Compliance Committee of Board of Directors; no less than annual reporting to full Board of Directors.
Time Span: No less than annually. Full compliance audit bi-annually.
The TI six step guide provides the compliance practitioner with a manner to think through how to approach and implement a full compliance program. It can also be used to internally market to management how the program should be created and implemented. In short, it is yet another example of the tools that TI has created and made available at no charge to the compliance practitioner to assist in moving forward to create or enhance a compliance program.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2011