Evidencing Compliance Culture
Stressed by DOJ and USSC
Evidencing a culture of compliance is cited in the U.S. Sentencing Commission’s “Organizational Sentencing Guidelines,” with its importance reinforced in the DOJ’s “Evaluation of Corporate Compliance Programs.” Compliance culture relates to the underlying beliefs, assumptions, expectations, values, and ways of interacting that contribute to the compliance environment of an organization. In short, it defines values that guide behavior in various situations. It must be evidenced by the actions and behavior beginning at the board and executive leadership levels and cascading down through all levels of management. The attitude, perceptions, and level of personal compliance commitment of employees can either strengthen or weaken the organization in its mission. Developing and implementing written guidance in the form of the Code of Conduct and policies/procedures is not enough. Achieving a positive compliance culture is a top-down effort:
- Board/Executive Support. A compliance culture is a “top-down” effort shaped by words and behavior. At the board level, evidence of this can be in a charter of the compliance program, along with board and executive oversight committees that actively support and oversee the compliance program. This includes ensuring the Compliance Officer has the authority for the job and can provide the necessary operating resources, support, and enforcement.
- CEO Support. The CEO’s role and commitment to supporting the compliance program is critical. The Sentencing Commission Guidelines, OIG Compliance Program Guidance, and DOJ Guidelines all look to having the Compliance Officer report to the CEO. It is also best practice to have the CEO provide a cover letter for the Code that further evidences support for compliance by endorsing the guiding principles and restating leadership commitment to compliance.
- Compliance Officer. The Compliance Officer should have ownership of the development and management of the compliance program. This includes completing compliance risk assessments, ongoing monitoring, and auditing to ensure these processes function effectively. The Compliance Officer should participate in strategic planning to ensure the compliance perspective is always present.
- Code of Conduct. The organization needs a set of written rules and principles to guide employee behavior with one another, partners, patients, and the outside world. The Code must provide the guiding compliance principles, as the constitution for the compliance program.
- Compliance-Related Policies. If the Code is like a constitution for an organization, the policies are analogous to laws, regulations, and rules. They must reinforce the compliance commitment of the organization and provide detailed guidance on ensuring the compliance principles are functioning in practice.
- Training and Education. Building a compliance culture requires making everyone aware of the rules and letting them know where to go if they have a concern. Leadership statements and written guidance on a commitment to compliance is never enough. It must be included in education and training so everyone knows what they can and cannot do. This also means they know their duty to report suspected wrongdoing or ask clarifying questions without fear of retaliation.
- Compliance Communication. The compliance message needs to be communicated at all levels of the organization; however, it is a two-way street whereby employees need to communicate concerns and suspected wrongdoing without fear of retaliation.
- Accountability. All levels of management must be held equally accountable for engaging in or permitting wrongdoing. This commitment must be reinforced at every opportunity when speaking to employees and other leaders. Pay and reward must reflect compliant behavior, including the performance management process that links rankings and bonuses to reward support and adherence to compliance.
- High-Risk Focus. Focusing on high-risk areas and regulatory risk assessments is a critical component of the compliance program. How this is done will provide evidence of maintaining a culture of compliance.
- Incident Management. Awareness of violations is the first step in addressing shortfalls and mitigating risk. Having clear processes for reporting, tracking, and recording reported and suspected wrongdoing is essential. Not managing this process undercuts any attempt to evidence a compliance culture.
- Compliance Culture Surveys. A well-written, professionally developed compliance culture survey on compliance attitudes and perceptions in the workplace can provide a credible means to gauge the progress of the development of a culture of compliance. It should be anonymous and confidential for respondents. Surveys also let employees know that leadership values learning from them about the work environment. In addition to gauging the compliance culture, a culture survey can serve as early detection of areas warranting attention.
- Promote Speaking Up Culture. An effective speak-up culture is one where employees feel comfortable coming forward with a question or raising a concern without fear of retaliation. Instilling a speak-up culture is critical to an effective compliance program.
Keep up-to-date with Strategic Management Services by following us on LinkedIn.
Subscribe to blog