Simply having a Code of Conduct, together with compliance policies and procedures is not enough. As articulated by former Assistant Attorney General Lanny Breuer, “Your compliance program is a living entity; it should be constantly evolving.” The 2012 FCPA Guidance stated “When assessing a compliance program, DOJ and SEC will review whether the company Guiding Principles of Enforcement has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code.” Some of the questions you should consider are:

  • When was the last time your policies and procedures were released or revised?
  • Have there been changes to your company’s internal controls since the last revision?
  • Have there been changes to relevant laws relating to a topic covered in your company’s policies and procedures?
  • Are any of the policies and procedures outdated?
  • What is the budget to create/revise your policies and procedures?

After considering these issues, you should benchmark your current policies and procedures against other companies in your industry. If you decide to move forward, I suggest a process which can be fully documented as a basis to include revisions to your compliance policies and procedures.

Get buy-in from senior leadership of your company 

Your company’s highest level must give the mandate for a revision to compliance policies and procedures. It should be the Chief Executive Officer, General Counsel or Chief Compliance Officer, or better yet all three to mandate this effort. Whoever gives the mandate, this person should be consulted at every major step of the policies and procedures revision process if it involves a change in the direction of key policies.

Establish a core policies and procedures revision committee 

You should have a cross-functional working group would be ideal to head up your effort to revise your compliance policies and procedures. This group should include representatives from the following departments: legal, compliance, communications, HR; there should also be other functions which represent the company’s domestic and international business units; finally, there should be functions within the company represented such as finance and accounting, IT, marketing and sales.

From this large group, the topics can be assigned for initial drafting to functions based on their relevance or necessity. These different functions would also solicit feedback from their functional peers and deliver a final, proposed draft to the Drafting Committee. It is important that you establish a timetable for the revision process and you hold representatives accountable for meeting their revisions.

Conduct a thorough technology assessment 

The cornerstone of the revision process is how your company captures, collaborates and preserves all the comments, notes, edits and decisions during the entire project. In addition to this use of technology in revising your compliance policies and procedures revisions, you should determine if they will be available in hard copy, online or both. There must be a distribution plan, particularly if the Code and compliance policies and procedures will only be available in hard copy.

Determine translations and localizations 

The 2012 Guidance made clear that your compliance policies and procedures must be translated into local language for your non-English speaking workforce. The key is that your employees have the same understanding of the compliance policies and procedures-no matter the language. 

Develop a plan to communicate the revised policies and procedure 

A rollout is always critical because it is important that the revised policies and procedures are communicated in a manner which encourages employees to review and use the policies and procedures on an ongoing basis. Your company should use the full panoply of tools available to it to publicize the revised compliance policies and procedures. This can include a multi-media approach or physically handing out a copy to all employees at a designated time. You might consider having a company-wide compliance policies and procedures meeting where the new or revised documents are rolled out across the company all in one day. But remember, with all thing compliance; the three most important aspects are ‘Document, Document and Document’. However, you deliver the new or revised policies and procedures, you must document that each employee received it.

Stay on Target and Budget 

You should work to set realistic expectations that to stay on deadline and stay within your budget. This is equally applicable to your policy and procedures revision. Also remember to keep a close watch on your budget so that you do not exceed it.

These points are a useful guide to not only thinking through how to determine if your policies and procedure need updating, but also practical steps on how to tackle the problem. If it has been more than five years since it was last updated, you should begin the process now. It is far better to review and update if appropriate than wait for a massive FCPA investigation to go through the process.

Three Key Takeaways

  1. If you have not revised your compliance policies and procedures in the past five years, you should do so no.
  2. Set a timeline and budget and stick to it in the compliance policy and procedure revision process.
  3. Document your process of revision to demonstrate more complete operationalization of your compliance program as set out in the DOJ Evaluation of Corporate Compliance Programs.


This month’s sponsor is the Doing Compliance Master Class. In 2018 I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates of one of the top compliance related training going forward.