pdf version - Society of Corporate Compliance and Ethics

Compliance & Ethics Professional
November/December 2012
a publication of the society of corporate compliance and ethics
www.corporatecompliance.org

Meet Michael Volkov, Shareholder in LeClair Ryan’s Compliance, Investigations and White Collar Criminal Defense Practice Area; former federal prosecutor

Improving your policy management program - Andrea Falcione and Meghan Daniels
Website cookie laws bring compliance issues across Europe - Jonathan Armstrong
Creative, artful approaches to building trust and shaping ethical culture - Ted Nunez
Money laundering 101 - Maria Coppinger-Peters

This article, published in Compliance & Ethics Professional, appears here with permission from the Society of Corporate Compliance & Ethics. Call SCCE at +1 952 933 4977 or 888 277 4977 with reprint requests.

Feature

Improving your policy management program

By Andrea Falcione, JD, CCEP and Meghan Daniels, JD, CCEP

» Codes of conduct provide general guidelines, but policies and procedures give specific applications for behavior.
» Clearly-drafted and well-communicated policies and procedures significantly reduce the likelihood of inconsistent messaging, and therefore, risk.
» Create a matrix of applicable laws and regulations and make sure you have policies and procedures that map to the basic requirements.
» Establish a process to periodically review policies and procedures to make sure they remain legally accurate, up to date, relevant, and practical.
» Using technology and communication tools can help keep current versions accessible and easy to locate.

Maintaining an effective compliance and ethics program is impossible without a solid supporting structure, and just as the code of conduct serves as the foundation of a strong program, a company’s policies and procedures provide its framework. In addition, there are many laws and regulations that require certain companies to maintain policies and procedures in a variety of key areas. These laws and regulations can be broad in scope or can apply narrowly to a specific industry. In many cases, failure to comply with policy requirements can lead to significant fines and penalties. Firms will reap substantial benefits in risk reduction and efficiency by carefully and intentionally engaging technology and adopting policy-related best practices.

It can be difficult to avoid breaking the rules if the rules are not clear. When employees have easy access to policies and procedures that help guide them in their day-to-day actions, reduction of risk is an obvious outcome. A company’s code of conduct provides general guidelines for employee behavior, but policies and procedures provide specific applications and have, in some ways, become more important risk management tools, particularly as codes of conduct are, appropriately, becoming more general in their guidance. In addition, there may be some risks which are specific to particular business areas or locations and which the company’s Code may not cover. Nevertheless, those risks must be addressed at the business-unit level—appropriate policies and procedures can play that role.

A notable benefit of well-managed, consistent policies and procedures is that they ensure employees have the resources and direction they need to perform their jobs well. Although regular communication about policies and procedures is imperative, the very nature of clearly-drafted and well-communicated policies and procedures significantly reduces the likelihood of inconsistent messaging that could result in knowledge gaps. In addition to managing risk, compliance and ethics policies and procedures, when appropriately available and effectively communicated, also reduce the potential for wrongdoing, as well as any associated time and expenses.

Developing compliance and ethics policies and procedures

Prior to addressing the importance of good policy management and communication, it is essential to understand that, fundamentally, policies and procedures provide the most benefit to an organization when they are comprehensive, relevant, and well-drafted. The essence of developing an effective framework of policies and procedures depends not only on having the appropriate policies and procedures in place, but ensuring that they are clearly written and comprehensible by everyone to whom they apply.

Identifying necessary policies and procedures

Regardless of where an organization sits on the policy development continuum, the Compliance department should make policy inventory a priority. In most cases, companies have adopted many, if not all, of the policies necessary to effectively manage their risks. In many cases, however, policies and procedures may be outdated or may not have been properly rationalized post-merger or acquisition. Assessing whether the appropriate policies and procedures exist should be an ongoing exercise, and there are a variety of “checks and balances” an organization can employ when undertaking its analysis.

Perhaps first and foremost, it is essential for organizations to adopt policies and procedures that map to specific legal and regulatory requirements. Ensuring compliance with applicable laws and regulations is obviously essential to an effective policy and procedure framework. Depending, in large part, on the size of an organization, as well as its level of regulatory oversight, the approach to policy development might vary. For those organizations minimally impacted by regulations, this exercise might be managed in house, by simply creating a matrix of applicable laws and regulations and monitoring that list closely. In other cases, a more systematic or technology-enabled approach may be preferable.

Fortunately, because business challenges often necessitate business solutions, there are also many external resources and technology tools which can assist, both in helping to identify applicable regulations, as well as in tracking new regulations and updates to existing regulations. Subscription services from specialist providers and external law firms can provide organizations with updates and changes potentially affecting current policies.

Depending on the structure of an organization’s compliance and ethics program, it may be advisable to consider delegating varying degrees of accountability for policy oversight across the business. In these cases, it is often a good strategy to propose or mandate that specific individuals within certain business lines be responsible for updating and reviewing relevant policies. For example, it may be important to work with the Communications department on a policy addressing social networking and blogging, or the Regulatory Affairs group when addressing the company’s policy on lobbying.

Effectively drafting policies and procedures

Ensuring that policies are clear, comprehensive, and practical is imperative in establishing an effective policy and procedure framework. Policies and procedures must clearly instruct readers how to act or behave when confronted with specific issues and must be explicit with respect to responsibility, accountability, and discipline.

As noted above, for effective policy management, companies should conduct an inventory and weed out duplicate policies as well as policies that have been superseded—each a common side effect of corporate acquisitions. In addition, policies and procedures must work together. Just as policies describe the rules, procedures describe how to implement the rules. In most cases, one set does not work well without the other. As such, it is important to be clear about how specific policies align with specific procedures and vice versa.

Policies and procedures will be beneficial only if they are practical and relevant to their intended audiences. The impact of impractical and confusing policies goes beyond potential violations; it may also deter employees from seeking out policies and procedures when they have questions or concerns. Having employees who garner a certain level of comfort with and confidence in the organization’s policies and procedures is integral to practical adoption.

Implementing and managing policies and procedures

Establishing a process for reviewing and approving policies is imperative for ensuring they remain legally accurate and up to date, as well as relevant and practical. Most experts recommend, as a best practice, that companies review policies annually. In addition to an annual review, compliance professionals should plan to complete a more fulsome “scrub” of a subset each year. That way, all policies and procedures will be covered over a 5-to-10-year timeframe, which will be particularly valuable for eliminating redundancies.

Engaging third-party partners for policy management

For many companies, including those with higher risk profiles such as a large employee population, broad global footprint, or heavy regulatory scrutiny, there are many ways the compliance staff can partner with third parties to help manage the policy review and approval process. Once policy needs are identified, automated policy management tools offer workflow capabilities to route policies for collaboration, approval, and publishing. Governance, Risk, and Compliance (GRC) systems that incorporate these functions can assist compliance and ethics teams in measuring the effectiveness of any policy, identifying areas for improvement, and updating policies currently in effect.

Communicating policies and ensuring accessibility

Policies and procedures will only truly help an organization when they are easily accessible and understood by those individuals to whom they apply. It is essential for companies to store policies and procedures in a centralized location from which they can be easily accessed by employees and other relevant parties.

Traditional policy management has been fragmented. Policies were, and are still, printed and placed in folders for employees to seek out and review. Even though the advent of computer networking tools has made policies more accessible, problems with currency, versioning, and consistency frequently remain. Centralized policy management tools, such as those provided by GRC platforms, offer a solution to this dilemma.

Features and benefits of such tools include:
· Version control
· Multiple policy formats
· Easy accessibility and searchability

Companies can employ a wide range of best practices when developing communication plans around policies and procedures. In fact, it often makes sense to employ different methods of communication depending on the risk and audience identified. In many cases, requiring attestation or certification to certain policies by certain audiences is an effective and recommended strategy. GRC platforms also include a variety of methods for policy distribution and attestation. Attestation methods should be flexible based on employees’ locations, the relevance of the policy to the individual’s role, and individual learning styles. Flexible methods include email distribution, structured policy certifications via questionnaires, and integrated delivery as part of a broad compliance and ethics program.

On the other end of the spectrum, policy attestation and certification might not always be necessary in cases where policies are intended more as general guidance for a very broad audience. In this case, it might be preferable to send one or more communications about a policy, but not to require attestation or certification.

Conclusion

Though codes of ethics are the foundation upon which corporate compliance programs are built, policies and procedures are where the intention becomes action. By translating high-level aspirations into concrete, business-relevant instructions, they give employees the tools to put corporate values into practice and help to reduce several types of risk. The development, implementation, and communication of policies and procedures, however, can be a substantial, and frequently difficult, process. By adopting GRC technology and following appropriate best practices, firms can ease the burden of ensuring their policies and procedures are current, relevant, and appropriately communicated.

Andrea Falcione (Andrea.Falcione @ saiglobal.com) is the Chief Ethics Officer and Vice President, Advisory Services and Meghan Daniels (Meghan.Daniels @ saiglobal.com) is Senior Director, Advisory Services, both at SAI Global Compliance in Waltham, MA.
