Simply put, corporate compliance means having internal policies and procedures designed to prevent and detect violations of applicable law, regulations, rules and ethical standards by employees, agents and others. It involves legal risk management and internal controls.
Why do companies have corporate compliance programs? Besides being good business (for example, some companies that do business with other firms may require that they have corporate compliance programs), there are a number of legal reasons for it, depending on a company’s size.
A. The U.S. Sentencing Guidelines for organizations, for example, mandate the reduction of criminal fines if a company had an effective compliance program in place at the time an offense was committed. That means that criminal penalties can greatly increase in the absence of a compliance program. Under the Sentencing Guidelines, there are seven steps or criteria for an effective program:
1. Standards and procedures to be followed by employees and others that are reasonably capable of reducing the prospect of criminal conduct;
2. Specific high-level personnel must oversee compliance (high level meaning individuals who have substantial control over the organization or who have a substantial role in the making of policy within the organization);
3. Due care must be taken not to grant substantial discretionary authority to those with the propensity for illegal conduct;
4. Standards and procedures must be effectively communicated within the company;
5. Reasonable steps must be taken to achieve compliance, including auditing, monitoring and reporting mechanisms;
6. Consistent enforcement of compliance policies by appropriate disciplinary measures; and
7. Reasonable steps to respond appropriately to misconduct if it occurs and to prevent the recurrence of misconduct.
B. The U.S. Department of Justice advises prosecutors to take into account the existence and adequacy of a corporation’s compliance program in determining whether to charge the corporation for the criminal conduct of its employees.
C. In sexual harassment cases, a company can avoid liability for a hostile environment if it can show that it exercised reasonable care to prevent and correct promptly any sexually harassing behavior, and the employee unreasonably failed to take advantage of any preventive or corrective opportunities provided by the employer or otherwise to avoid harm.
D. Punitive damages liability can be avoided in Title VII cases where the employment conduct at issue was contrary to the employer’s Title VII policies and procedures.
E. Under a case decided by the Delaware Supreme Court, a director’s obligation includes a duty to attempt to assure that corporate information and reporting systems exist. Failure to do so may, under some circumstances, render the director liable for losses caused by non-compliance with applicable legal standards.
F. The audit policy of the EPA states that a company will not be liable for gravity-based penalties if violations were discovered through voluntary audits or compliance management systems and were promptly disclosed and corrected.
G. The U.S. Securities and Exchange Commission looks at a company’s compliance program in determining whether to bring charges and what charges to bring.
H. The Sarbanes-Oxley Act of 2002 requires disclosure of a code of ethics for senior financial officers, and SEC regulations implementing the Act broaden this to include the CEO. The Act also requires procedures for the receipt and treatment of complaints regarding accounting, internal accounting controls and auditing matters.
I. New York Stock Exchange Rule 303A.10 requires NYSE-listed companies to adopt a code of business conduct and ethics for directors, officers and employees.
J. NASDAQ Rule 4350 requires NASDAQ-listed companies to adopt a code of conduct applicable to directors, officers and employees.