
DEFINITIVE GUIDE TO
Ethics and Compliance Programmes
Your essential guide to developing and implementing an effective programme

1 THE COMPLIANCE GUIDE – INTRODUCTION


Contents

Introduction: Why Does Ethics And Compliance Matter? 3


Defining Ethics and Compliance 4

Why Develop an Ethics and Compliance Programme? 5

The Costs of Non-Compliance 7

Benefits of a Strong Ethics & Compliance Programme 8

The Evolution of Ethics and Compliance Management 11

Plan: Creating An Ethics and Compliance Strategy 13


Establish the Structure and Reporting Lines 14

Define the Function’s Scope 15

Assemble the Right Team 16

Coordinate the Programme 17

Develop a Strategy 19

Implement: Establishing The Ethics and Compliance Programme 23


Best Practice: The Eight Essential Elements of an Effective Programme 24

Prevent-Detect-Respond Approach 26

Tailor Your Programme 27

The Risk Assessment 28

The 10 Key Steps of a Robust Ethics and Compliance Risk Assessment 29

Measure: Monitor, Assess & Improve Programme Effectiveness 31


Monitoring, Auditing and Measuring 32

A Story of Effectiveness 33

Benchmarking Your Programme 33

Conclusion 34
About The Author 35
Additional Resources 36



INTRODUCTION: WHY DOES ETHICS AND COMPLIANCE MATTER?

Ethics and compliance continues to grow in importance for organisations of all sizes, right across the world, as lawmakers seek to tackle the harmful effects of illegal, corrupt and unethical business practices. At the same time, people increasingly expect the companies they interact with and buy from to reflect responsible, ethical and sustainable values. In a globalised economy, understanding these issues and the various national and international rules relating to them could be the difference between an organisation’s success or failure.

Defining Ethics and Compliance
Compliance means adherence to, or conformance with, laws or regulations and with an organisation’s standards, policies, and procedures. From a legal perspective, compliance is the way organisations seek to ensure that they, their employees and representatives uphold the applicable laws and internal rules in order to prevent harm to themselves, the organisation, or others. Based on this definition, it is evident that compliance is a form of risk management.

Modern organisations are expected to go beyond doing the bare minimum in complying with the law and internal policies. This means taking steps to develop and foster an ethical workplace culture. Ethics forms the foundation of an effective ethics and compliance programme because it deals with concepts of right and wrong conduct, and is therefore rooted in "values".

Whether "ethics" precedes "compliance" is a matter of semantics, but one thing is clear: an effective ethics and compliance programme today requires a commitment to ethical principles. By combining the two, organisations can more effectively manage risk and address regulatory compliance requirements.

Key definitions
» Compliance implies conformity with applicable laws, regulations and internal standards, policies and procedures.
» Ethics are moral principles that control or influence a person’s behaviour [1].
» Business ethics is the application of ethics to business behaviour [2].
» Values are core ideas about how people should live and what ends they should seek [3].
» Integrity is the quality of being honest and having strong moral principles that you refuse to change [4].
» Ethics and compliance programmes help organisations manage risk, address regulatory compliance and foster an ethical workplace culture [5].

[1] Oxford Online Dictionary
[2] Institute of Business Ethics
[3] C. Fisher and A. Lovell, Business Ethics and Values: Individual, Corporate and International Perspectives. 3rd ed., Prentice Hall, 2009, p.153
[4] Cambridge Dictionary of English
[5] NAVEX Global



Why Develop an Ethics and Compliance Programme?
Contrary to being a “nice to have”, an effective ethics and compliance programme is critical to running a productive, reputable and successful business. Without one, your business could expose itself to significant risk. When articulating the "whys" that justify investment in your programme, the following drivers are a good place to begin.

Regulatory pressures
Regulations are numerous and complicated. They of course vary from sector to sector, and across geographies too. But modern organisations are expected to comply regardless.

Since the Enron scandal of 2001 and the introduction of the Sarbanes-Oxley Act (SOX) the following year, the pace and momentum of regulatory change has increased not just in the US, but at a global level. Commencing with the UK Bribery Act (2010), the last decade saw an unprecedented raft of anti-corruption, modern slavery, whistleblower protection and data privacy regulations take effect in Europe, Asia-Pacific and beyond.

Companies in the same industry and/or operating in the same regions face similar regulatory pressures. By managing compliance-related risks more effectively than their sector peers, it is possible for organisations to establish competitive advantage. In fact, data from Ethisphere suggests companies that featured on its ‘Most Ethical’ list – which rates an organisation’s ethics and compliance programme among its evaluation criteria – perform better financially than their peers [6].

At the same time, global regulators are collaborating more than ever to enforce regulations. This has resulted in organisations being subject to multiple fines, from various regulators, for the same infringement.

Enforcement agencies around the globe acknowledge that ethics and compliance programmes are necessary to help reduce the likelihood of legal violations and to educate employees about what is expected of them. Effective ethics and compliance programmes (not just those that “tick the box”) can therefore help organisations build critical legal defences, limit damages and in some instances avoid criminal prosecution altogether.

[Figure: The introduction of global anti-bribery and corruption regulations has accelerated in recent years. Timeline of major laws:
1977 – USA: Foreign Corrupt Practices Act (FCPA)
1993 – France: Law Sapin I
2002 – USA: Sarbanes Oxley
2010 – UK: UK Bribery Act; USA: Dodd-Frank; Spain: Spanish Criminal Code
2015 – Germany: German Act on Combating Corruption; Netherlands: Dutch Criminal Code
2016 – France: Law Sapin II; South Korea: Improper Solicitation and Graft Act; UAE: Penal Code
2017 – Argentina: Criminal Liability Statute; Mexico: General Law of Administration Responsibilities; Peru: Legislative Decree 1352
2018 – Russia: Russian Criminal Code; India: Prevention of Corruption Act; China: Anti-Unfair Competition Law
2019 – Italy: Bribe Destroyer Act; Saudi Arabia: Anti-Bribery Law; Australia: Corporate Crime Bill; Malaysia: Anti-Corruption Act
Accompanying chart, "Number of major anti-bribery and corruption regulations": the cumulative count rises from 1 in 1977 to 21 in 2019 (plotted values 1, 2, 3, 6, 8, 10, 13, 18, 21).]

Increase in enforcement
Today’s enforcement environment is intense and active on all fronts. Whether it is a new regulation, new interpretation or simply greater enforcement of existing laws, compliance departments must be alert to the real and growing risk of fines and prosecutions.

Statistics relating to Foreign Corrupt Practices Act (FCPA) enforcements bear this out. Between 1977 (when the FCPA was passed into US law) and 2000, no more than 10 cases per year were enforced by the relevant enforcement agencies. Since 2001 an average of more than 30 cases per year have been enforced [7]. The average cost of fines has grown too, from $5m in 2015 to over $116m in 2019 [8].

Higher ethical standards
Up to now, the legal framing of compliance has driven significant progress. However, it’s become clear in recent years that addressing ethics is equally (if not more) important.

The US Department of Justice (DOJ) “Evaluation of Corporate Compliance Programs” guidance underlines how important it is for a company to create and foster a culture of ethics. When assessing the effectiveness of compliance programmes, prosecutors are directed to ask:
» How often and how does the company measure its culture of ethics and compliance?
» What steps has the company taken in response to its measurement of the compliance culture?
» Is the programme being applied earnestly and in good faith? In other words, is the programme adequately resourced and empowered to function effectively?

No longer can organisations apply a “checkbox” approach to their compliance obligations. To drive meaningful behavioural change, an ethical culture is seen as essential [9].

“The Department will continue to work aggressively with our partners across the globe to root out corruption.”
Brian A. Benczkowski, DOJ Criminal Division.

Stakeholder expectations
Standards of corporate behaviour are continuously evolving to reflect society’s demand for greater accountability. The desire to maximise profits is now balanced by a need to act in the best interests of not only shareholders, but of all stakeholders – including employees, suppliers, customers, local communities and society in general. In other words, everyone whom they directly or indirectly impact.

To remain successful, organisations have a responsibility to contribute positively to society, in accordance with ethical and moral norms. This implies taking an inclusive stakeholder view to build and retain public trust.

Increased investor attention on environmental, social, and governance (ESG) issues has prompted compliance teams to contemplate the importance of corporate responsibility in the context of organisational success.

In the wake of public scandals, financial crises and emergencies like the Covid-19 pandemic, it has become clear that the way in which companies conduct themselves will help determine their future societal value. Those that protect their employees and prioritise longer-term over short-term shareholder interests are likely to be more insulated from external economic and reputational threats.

[6] Ethisphere, World’s most ethical companies 2020.
[7] FCPA, 2020
[8] Wilkie, Farr & Gallagher, 2020
[9] DOJ, Evaluation of Corporate Compliance Programs, June 2020, p.2, p.16



The Costs of Non-Compliance
Between 2016 and 2020, four companies were subject to corruption fines of more than $1bn each. The largest of these, which involved a major aerospace manufacturer, totalled more than $3.9 billion and related to foreign bribery charges with authorities in the United States, France and the United Kingdom.

While fines and financial penalties might provide sufficient motivation to address compliance risk, they may only represent a fraction of the overall costs associated with non-compliance. Legal and ongoing monitoring costs, falls in the company share price and lasting reputational damage can often have a far greater impact on the organisation's bottom line.

Notable recent corruption fines
Aerospace Conglomerate – Fine: $4bn; HQ location: Netherlands; Regulator: US, UK, France; Date: 2020
Petroleum Corporation – Fine: $3.5bn; HQ location: Brazil; Regulator: UK, Brazil, Switzerland; Date: 2016
Telecoms Company – Fine: $1.78bn; HQ location: Brazil; Regulator: US; Date: 2018
Telecoms Company – Fine: $1bn; HQ location: Sweden; Regulator: US; Date: 2019

Legal defence
While legal standards vary, there are common strategies organisations can use to build a compliance-based defence should they be faced with prosecution or regulatory enforcement. Courts, juries and enforcement agencies are looking to reward organisations that make a substantial, good-faith effort to comply with the law and encourage their employees to do the same. This can result in non-prosecution or reduced penalties through Deferred Prosecution Agreements (DPAs).

For example, in 2012 the DOJ declined to prosecute a multinational investment bank when its employee violated the FCPA. In explaining its decision, the DOJ highlighted the bank’s efforts to regularly update its internal policies, provide frequent training for its employees and conduct extensive due diligence on all new business partners.

In 2017, a global engineering company earned a 50% DPA discount from the UK’s Serious Fraud Office (SFO), which referenced “the full cooperation” and “improved due diligence in respect of intermediaries” implemented at the affected organisation.

These examples demonstrate how regulatory actions can be tempered in cases where organisations can show that they invest in and take self-directed action to aggressively limit their compliance risks.

Benefits of a Strong Ethics and Compliance Programme
The immediate benefits of a robust ethics and compliance programme include reducing regulatory, legal and financial risk exposure, while creating significant competitive advantage. Longer term, it can significantly improve an organisation's capacity to manage compliance-related risks, meet regulatory expectations and foster an ethics-centred culture.

How do you earn a declination or a DPA discount?

Have a robust compliance programme in place
An effective ethics and compliance programme reduces the risk of prosecution or regulatory enforcement in the first place. Should the worst happen, its existence will demonstrate that your organisation has taken steps to mitigate compliance risk.

Self-report
Voluntarily disclose the potential violation, all relevant facts and individuals involved to the prosecutors prior to the threat of a government investigation. Timing is critical: if there is an unreasonable delay in reporting an offence to government authorities after becoming aware of it, the company may not receive credit for having an effective programme in place.

Cooperate with the authorities
Preserve and disclose all evidence, coordinate the company's internal investigation with the regulator’s investigation, and make relevant individuals available for interviews. To ensure cooperation is timely and thorough, the organisation should ensure its compliance officer retains an open line of communication with prosecutors.

Acknowledge mistakes
Demonstrate timely and appropriate remediation of the violation by disciplining culpable employees and strengthening the ethics and compliance programme to prevent further similar violations.



A more ethical culture
A strong ethics and compliance programme is tied to improvements in organisational culture. A programme built around a well-defined code of conduct and aligned to the company's values and risk profile can help articulate who the organisation is – or aspires to be – and bind stakeholders to that vision.

Not only is a strong focus on ethics likely to reduce the cost of misconduct, but it can also contribute towards a solid corporate reputation, genuine employee compliance, robust governance, and increased profitability.

Many regulations, including those related to bribery and corruption, employment law and privacy, can trace their origins to the concept of ethics. These areas of compliance resonate with employees’ personal morals and values, meaning an ethics-based approach to compliance is likely to be more meaningful to them.

33% of Gen Z workers (born 1995-1999) said that a company’s reputation for ethical behaviour was “very important” when choosing to work for them, compared to just 22% for their Millennial counterparts (born 1983-1994) [11].

Engaged workforce
Ethical business practices help cultivate a culture of trust, goodwill, integrity, and compliance.

Organisational pride and buy-in to an ethical culture often radiates beyond the physical barriers of the office. Rather, it extends deeply into employee communities, across the industry and into positive press and regulatory relationships. Recognition as an ethical place to work tends to be self-fulfilling by attracting and retaining high-quality executives, employees, partners and customers. Employees who are treated fairly have a sense of goodwill and organisational trust, which translates into a happier and more productive workforce.

An ethical orientation in an organisation serves as an insurance policy against incivility in the workplace and employee misconduct such as harassment, bullying, and discrimination. Academic research has also shown a correlation between a strong ethics and compliance programme and less disciplinary action and employee sick time taken, and a consequent decline in human resource costs [10].

Healthier bottom line
Ethical companies are more successful and typically out-perform the competition financially, demonstrating the connection between good ethical practices and performance [12]. A strong ethics and compliance programme enhances employee morale and increases engagement, which positively impacts productivity and company performance.

Moreover, establishing a reputation as an ethical company helps earn the trust and loyalty of consumers. This is particularly true among younger consumers who are likely to consider a company’s ethical values before buying their products [13].

"A strong ethical culture directly supports a strong compliance program."
FCPA Resource Guide

[Chart: Performance of the 'World's Most Ethical Companies' (Ethisphere 2020 Honorees), compared to the Large Cap index, January 2015 to January 2020. The 2020 ETHX honorees show a five-year ethics premium of 13.5% over the Large Cap Index. Source: Ethisphere, World’s most ethical companies 2020. Performance of the 2020 honorees as compared to the large cap index.]

Reputational value
Even a single compliance failure can deeply affect the public’s trust in an organisation.

News reports frequently highlight how lapses in leadership in managing compliance-related risks have damaged organisations and even exposed them to substantial fines and penalties. The financial penalty can be managed, but the reputational impact can have far-reaching consequences for many years.

Stakeholders, investors and shareholders value companies with reputations for acting ethically. An ethical reputation signals greater transparency, reduced risk of wrongdoing, a stronger compliance culture and, ultimately, future growth and success. "Socially responsible investing" entails investing in well-managed and profitable companies that are also committed to upholding ESG standards that benefit society. Once a niche approach, sustainable investing is gaining momentum with ESG funds capturing record flows in 2019. According to a Morgan Stanley survey, around 85% of investors are interested in sustainable investing [14].

[10] J. Paul McNulty, Jeff Knox & Patricia Harned, What an Effective Corporate Compliance Program Should Look Like, The Journal of Law, Economics and Policy, 9, no. 375 (Spring 2013): 383
[11] Deloitte Millennial Survey, 2018
[12] Ethisphere, World’s most ethical companies 2020
[13] Accenture Strategy Global Consumer Pulse Research, 2018
[14] Morgan Stanley Survey Finds Investor Enthusiasm for Sustainable Investing at an All-Time High.



The Evolution of Ethics and Compliance Management
The ethics and compliance management landscape has witnessed rapid and significant development since it originated in the US during the second half of the 20th century.

[Figure: Timeline of key milestones
1977 – Foreign Corrupt Practices Act (FCPA)
1986 – Defense Industry Initiative (DII)
1991 – Federal Sentencing Guidelines for Organizations (FSGO)
1992 – Committee of Sponsoring Organizations of the Treadway Commission (COSO)
1997 – OECD Anti-Bribery Convention
1999 – Medicare 7-Elements
2002 – Sarbanes-Oxley Act
2003 – Thompson Memorandum
2004 – FSGO Revisions
2010 – Dodd-Frank Act
2011 – UK Bribery Act
2012 – FCPA Guidance
2013 – COSO Revisions
2015 – US DOJ Compliance Counsel; Modern Slavery Act
2016 – ISO 37001; Sapin II
2017 – US DOJ Evaluation
2018 – General Data Protection Regulation (GDPR); Anti Money Laundering Directive 5 (AMLD5)
2019 – DOJ Evaluation revised; OFAC Guidance
2020 – DOJ Evaluation revised
2021 – EU Whistleblower Protection Directive]

1960s
The first compliance programmes emerged in the American corporate arena when large contractors in the heavy electrical equipment industry were prosecuted for anti-trust violations. Thereafter, companies began to adopt antitrust training and other compliance measures.

1970s
A series of bribery scandals revealed by the US Securities and Exchange Commission (SEC) and IRS (Internal Revenue Service) led to the passage of the Foreign Corrupt Practices Act (FCPA). Multinationals based in the United States had been caught bribing foreign government officials to gain business advantages, and it became clear that informal compliance programmes were no longer enough.

1980s
After a series of defence procurement scandals, 18 defense contractors formed the Defense Industry Initiative on Business Ethics and Conduct (DII). Among the DII recommendations was the need to develop ethical principles for business conduct, increase the effectiveness of internal controls, and enhance senior management oversight and employee training.

1990s
The modern era of compliance and ethics began on November 1, 1991 when the US Federal Sentencing Guidelines for Organizations (FSGO) came into effect. The guidelines were a decisive milestone in the development of a modern approach to compliance. In 1992 the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published its Internal Control – Integrated Framework. The model provided principles-based guidance for designing and implementing effective internal controls. In 1997 the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions was signed by 37 OECD countries and seven non-OECD countries.

2000s
The 21st century began with the Enron and WorldCom accounting scandals and the subsequent passage of the Sarbanes-Oxley Act (SOX) in 2002. The definition of an "effective" program was further expanded in 2004 under the amended FSGO, which now required companies to “promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law” [15]. Since then, regulators around the world began to emphasise the role of ethics in the prevention and detection of criminal conduct.

2010s – Present
The global financial crisis began in 2007. To promote financial stability, the US Congress enacted the Dodd-Frank Wall Street Reform and Consumer Protection Act in 2010. The Act incentivised organisations to develop formal channels for detecting and reporting violations. The SEC became authorised to pay awards (10-30% of collected money) to eligible whistleblowers who provide high-quality and original information leading to enforcement actions that yield sanctions of over $1 million [16].

The global compliance landscape has continued to evolve, with major developments occurring in key ethics and compliance areas over the last decade. These have included a significant number of new and updated regulations covering corruption and bribery prevention, modern slavery, whistleblower protection, sanctions, anti-money laundering and data privacy. At the same time, a number of initiatives, guidelines, and standards have been published in an attempt to harmonise the diversity of national legal systems and encourage businesses to commit to ethical practices.

[15] USSC Press release, May 3, 2004
[16] SEC



PLAN: CREATING AN ETHICS AND COMPLIANCE STRATEGY
Getting the most from your ethics and compliance programme requires careful planning. Your strategy should be built around a clear understanding of the compliance structure and reporting lines you will have, a secured budget to address the sufficiency of compliance personnel and resources, and visibility of the compliance and ethics-related risks that need to be within your scope.

Establish the Structure and Reporting Lines
The positioning, structure and responsibilities of the compliance function may vary dramatically from one organisation to another and are usually determined by the organisation’s size, business model, risk profile and culture. Regulators and prosecutors acknowledge that different structures can support an effective programme.

That said, organisations are expected to provide reasons for the structural choices they make. The structures may be centralised or decentralised, functional (i.e. focusing on a specific risk area), attached to a business unit (usually legal), or entirely independent.

For small and medium-sized organisations the main structural considerations are likely to be centred around whether the compliance function (or the compliance officer) will have an independent or semi-autonomous status:

Independent structure
The compliance function is a separate operating unit, with the Chief Ethics and Compliance Officer (CECO) reporting into the CEO. Not surprisingly, this structure has been recognised by regulators and enforcement agencies as the most effective for ensuring the programme’s independence.

Semi-autonomous structure
The compliance function is appended to another department (most frequently, legal) and the CECO reports into the general counsel. Though they do not report to the board of directors, the CECO should provide periodic reports to the board to ensure continued independence of the programme. Alternatively, the general counsel performs the role of CECO. Although regulatory compliance can be viewed as a natural subset of an organisation’s legal unit, this structure may cause compliance to become a "second-rate" issue.

Larger organisations may also wish to consider the differences between a centralised and a decentralised structure:

Centralised structure
Compliance officers have a “dotted-line” relationship with their business head counterparts, but do not functionally report to them. In larger or multinational organisations, they report to a central compliance department, regardless of where they are located or what business function they are assigned to. Advocates of this approach cite the independence of compliance officers from the business units and standardisation of compliance activities.

Decentralised structure
Each business unit has a local compliance officer with freedom and authority to develop a programme that would meet the business unit’s own needs and requirements, with a small corporate-level compliance function establishing the minimum required standards. For larger organisations this approach provides flexibility and may be ideal for highly diversified organisations, those that operate across different legal systems or have diverse risk factors between units.

Best Practice: Key Things to Consider
Choose the structure that works best for your organisation. If you are just starting out, some of the key questions to address may include:
» Will the compliance programme be a separate unit? If so, where will it operate, and to whom will it report (administratively and operationally)?
» Will the compliance programme be part of another unit? If so, which unit(s) should take on these responsibilities?
» Are there any recommendations on structuring the compliance function from the organisation’s primary regulator?

Bear in mind, however, that in order for your ethics and compliance programme to qualify as effective, the structure you establish must meet the following regulatory requirements:
» There is a senior manager ("high level person") assigned overall responsibility for the programme.
» There are specific individual(s) assigned with day-to-day operational responsibility for the programme.
» These individual(s) report periodically to the senior manager and, as appropriate, to the board of directors or an appropriate board committee on the effectiveness of the programme [17].
» To carry out their operational responsibility, these individuals have adequate resources, appropriate experience and qualifications, seniority and stature, as well as sufficient direct and indirect access to the relevant sources of data, the board of directors or an appropriate board committee [18].

[17] FSGO, §8B2.1(b)(2)(A)–(C).
[18] DOJ, Evaluation of Corporate Compliance Programs, June 2020, p.12.



Define the Function’s Scope
It’s important to define the scope of your compliance department from the outset. Regardless of who owns what, all risks must be managed effectively across the organisation. Gaps or overlaps in compliance management create confusion and could result in new and unforeseen consequences.

In most companies, many of the compliance responsibilities are fully or partially managed outside the corporate compliance function. For other areas, like anti-bribery and whistleblowing hotline management, the compliance function will assume primary responsibility. Operational areas of compliance – such as data privacy or trade compliance – are more likely to be managed directly by the business, with the compliance function only providing oversight and assistance.

Many compliance areas require collaboration between several competencies. Consider supply chain risk: the compliance function, procurement, distribution, and supply chain managers should all work together to ensure this critical risk is managed effectively.

Communicate your scope to other risk owners to establish a common understanding and clear accountability for compliance obligations throughout the organisation. Think about establishing mechanisms to facilitate collaboration and coordination of activities between the compliance function and other units. Your interaction is key to the programme’s success.

Who "owns" ethics and compliance risks?
This diagram illustrates which department was most frequently selected as the "owner" of compliance and ethics-related risks in a 2016 PWC survey. Figures provided show the percentage of respondents who selected that department as the "owner". The size of the circle depends on the number of risks "owned" (most frequently cited as the leader) by the department or function.
[Diagram: departments Legal, Compliance & Ethics, Procurement, HR, IT, Operations and Corporate Communications, mapped against the risks Intellectual property, Records management, Insider trading, Bribery or corruption, Fraud, Ethical sourcing, Conflicts of interest, Employment and labour, Data security, Safety or environmental, Social media, Money laundering, Government contracting, Fair competition or antitrust, Supplier compliance, Privacy and confidentiality, and Import-export controls or trade compliance. Reported ownership percentages range from 19% to 79%.]
Source: PWC State of Compliance study 2016

Assemble the Right Team
Staffing your programme depends on its scope and the resources available to the organisation. The skills, knowledge, and experience of compliance staff are critical drivers of the programme’s success. You have a variety of choices when building your team: lawyers, auditors, behavioural psychologists, business ethics and educational specialists to name a few.

One option adopted by some organisations is to hire former industry regulators who have extensive knowledge of regulatory issues, investigative practices, and personnel. When faced with a staffing decision, reflect on the following considerations:

Generalist VS technical compliance officer
The generalist focuses on broad issues including ethics, culture, training and communication. A technical compliance officer has eyes on the issues related to technical rules and regulations such as compliance audits, risk assessments and monitoring.

Full-time VS part-time staff
For many organisations with geographically dispersed operations (or with limited resources), part-time ethics and compliance "champions" may be the only viable option. These "champions" have a full-time role in their business, typically in finance, HR or procurement, but carry additional compliance responsibilities. In addition to their managerial reporting lines they have a dotted-line reporting to the corporate compliance function.

Internal position VS external hire
A current employee may know the organisation and its inner workings very well, whereas an outsider will bring new experience and expertise.

Chief Ethics and Compliance Officer: Key competencies and characteristics
[Figure: Intellectual Leader, Auditor, Investigator, Idealist, Business Partner, Lawyer, Risk Manager, Negotiator, Effective Coordinator, Salesperson, Litigator, Multitasker, Business Trainer, Policy Writer, Psychologist, Ethical Role Model.]
Adapted from: A. Hayward and T. Osborn, The Business Guide to Effective Compliance and Ethics: Why Compliance isn’t working – and how to fix it, 1st ed., Kogan Page, 2019.



Coordinate the Programme
It's critical to ensure that the programme components will function effectively when stitched together. Key to this is creating a clear plan for how the programme will be coordinated.

Working with the board

The role of the board
With enforcement on the rise, CEOs and board members are under pressure to uphold both compliance and ethics oversight, and company leadership responsibilities. Boards are required to give the compliance officer access to them and to oversee the implementation and effectiveness of the programme – albeit without turning board members into micromanagers. The importance of engaging with the board on a regular, periodic basis, and not only when asked to do so, cannot be overestimated. Working successfully with the board creates opportunities for deeper engagement and improvements in company culture, and can help strengthen trust and respect for the accomplishments of the organisation's ethics and compliance programme.

Using key regulatory requirements and best practice examples as a basis, ensure you cover the following when engaging with the board:
» Make sure all board members understand their responsibilities with respect to the programme, and applicable regulations.
» Report on the content and operation of the programme on a quarterly basis.
» Submit the compliance budget and staffing levels for review and approval.
» Establish an escalation process to ensure timely reporting and resolution of matters.
» Provide effective and role-relevant training.
» Make the board aware of risk assessments and board-specific risks to the organisation.
» Update the board members on emerging trends and topics of interest.

How often do compliance functions engage with the board?
(Percentage of respondents, overall and by programme maturity level)

                                            All   Reactive   Basic   Defining   Maturing   Advanced
Periodically, and the Board has oversight   56%     26%      43%      56%        78%        86%
Periodically                                27%     29%      33%      29%        19%        12%
Only when asked                              9%     24%      12%       7%         2%         1%
We do not report to the Board                8%     20%      12%       7%         1%         1%

Base: All respondents excluding those responding 'don't know'. n=1,241
Source: NAVEX Global, The Definitive Risk & Compliance Benchmark Report, 2020, page 48

Building Internal Partnerships

Engaging other teams
To help build understanding and partnership across all levels of the business, consider the following tactics:
» Demonstrate the relevance of ethics and compliance to the business: reach out and explain what you do, how you do it and why it's important.
» Show genuine interest: talk to the business functions to get an idea of what keeps them busy.
» Create informal lines of communication: socialise and get to know the people you work with.
» Build a network of supporters: cultivate trust, mutual respect and understanding in your interactions.

Collaboration and Networking
Communication and collaboration are key to the effective management of risk – and to the overall success of your ethics and compliance programme.

Compliance committees are a popular mechanism for formally coordinating joint efforts between teams. Although they may be established at different organisational levels, they typically include representatives from the key business or operating units and the legal, compliance, audit, risk, HR, finance and procurement functions.

"The board should take an active role in shaping the big picture of ethics and compliance in the company."
Carrie Penman, NAVEX Global



Develop a Strategy

Once the structure, reporting lines and compliance scope have been defined and established, the planning process can move on to strategy development.

An effective ethics and compliance programme must be holistic, risk-based and scalable depending on your organisation's size, geography and risk profile. When designing and planning the programme, consider the following strategic considerations to help ensure success.

Get leadership and management buy-in
Leadership has traditionally been associated with the ability to influence and motivate others, which is why it plays an important role in organisational culture. Visible support from top executives is critical in any programme seeking to influence or modify employee behaviour. If a programme is seen as unimportant, a nuisance, or a threat to top management, employees will not trust it and will not engage with it.

However, the notion that the ethical culture of an organisation is shaped solely by the message coming from the board and CEO is fanciful. While it begins with the "tone at the top", it is the middle managers and line managers that play an equally important role in shaping an environment that fosters and promotes ethical conduct. Through their actions, inaction, choices, decisions and the behaviours they reward, discipline or ignore, leaders and line managers transmit a powerful message on what is really valued, and what is required to survive and succeed.

Secure the budget
Compliance requires investment. But even as regulatory requirements increase, many organisations fail to recognise the value a strong programme can deliver. In broad terms, the cost drivers of an ethics and compliance programme fall into three categories:
» Headcount
» Administrative expenses (office space, equipment, supplies, travel)
» Programme expenses (compliance-related initiatives, systems and tools, consulting fees, conferences, staff training, etc.)

It is important to be aligned with your budget authority. Ideally, this should be the board of directors or an appropriate board committee. Regulators and prosecutors expect compliance functions to be adequately resourced in order to operate their programme. But how does one define "adequate"?

The best practice is to base the budget and staffing levels on the identified ethics and compliance risks to ensure they are managed effectively. As part of the board's oversight role, it must ensure that the programme is fully equipped to address the challenges in relation to staffing and resources.

How to gain budget from your board
Despite the never-ending increase in regulatory requirements, compliance is often seen as a cost centre rather than a business enabler. It's the CECO's responsibility to communicate the value of the compliance activities for the business and convince the board to invest in managing risks. Consider the following tactics to make a persuasive business case for your budget request:

Choose the right communication style
Know your audience and tailor your message to fit their expectations with regard to things like data presentation (numbers, graphs, or soft data) and depth of detail (a high-level overview versus a deep dive into facts and details).

Make the business case
Your board does not necessarily live in the world of ethics and compliance. It is therefore your job to prepare and develop arguments using the terminology they are familiar with. Make sure you understand the organisation's broader business objectives and can explain how investing in compliance will support the organisation in those efforts.

Take a proactive approach to compliance costs
Forty-five per cent of organisations with Advanced ethics and compliance programmes spend more than a quarter of their budget on technology solutions [19]. With compliance budgets on the rise, one way to manage a growing list of requirements is to leverage the efficiencies of integrated risk and compliance solutions. Show the board that you're not just asking for money, but that you have thought through the calculations. Lay out the cost difference between hiring more staff and using technology. Demonstrate that you are budget-conscious and trying to invest the organisation's money wisely.

Review your regulatory environment
While there is no single, standalone piece of regulatory guidance that will cater for all situations or organisations, many of the key guidelines and frameworks align around a similar set of standards – albeit with different levels of emphasis on programme components (such as anti-bribery and corruption).

When designing your ethics and compliance programme, it may be most useful to start with these guiding measures for a well-rounded programme:
» FSGO §8B2.1
» OECD's 13 Good Practices on Internal Controls, Ethics, and Compliance
» US DOJ Evaluation of Corporate Compliance Programs
» UK Ministry of Justice guidance to the UK Bribery Act.

Whilst most are country-specific, these measures have ramifications across the globe and they inform elements of the best compliance programmes.

Comparison of the key themes across leading compliance frameworks
[Table: the original marks, for each theme below, which of the FSGO, OECD, DOJ and UK Bribery Act guidance addresses it. The themes are grouped under three questions.]

Is the compliance programme well designed?
» Risk assessment
» Standards, policies and procedures
» Training and communications
» Confidential reporting structure
» Investigation of misconduct
» Third-party management
» Mergers and acquisitions
» System of internal controls

Is the compliance programme being implemented effectively?
» Commitment by senior management
» Commitment by middle management
» Autonomy and resources of a compliance function
» Substantial authority personnel due diligence
» Incentives for compliance
» Disciplinary measures for non-compliance

Does the compliance programme work in practice?
» Continuous improvement, periodic testing and review
» Culture of ethics and compliance with law
» Analysis and remediation of underlying misconduct

[19] NAVEX Global, The Definitive Risk & Compliance Benchmark Report, 2020, page 28.



Which laws and standards might apply to your organisation?
1. National laws and regulations in jurisdictions where your organisation conducts business, including those where you use third parties, agents and distributors.
2. Industry-specific regulations. These are particularly important for organisations in highly-regulated industries like healthcare, financial services and insurance.
3. Legislation with extraterritorial reach. The most prominent examples include the FCPA, the UK Bribery Act, Law Sapin II and the GDPR.
4. International standards and guidelines. These voluntary initiatives fall under the category of soft law and are not directly enforceable, but may be expected by some customers or partners – or within your industry. Example: ISO 37001:2016 Anti-Bribery Management Systems.
5. Your legal or contractual compliance obligations. These may relate to supplier codes of conduct and compliance-related clauses in contracts your organisation has signed.

Define stakeholder involvement
Stakeholders in the programme should include legal, risk management, internal audit, HR, procurement, finance, information technology, corporate social responsibility and communications. Stakeholders should discuss the implementation plan, timeframe, resources and any enhancements that would make the programme more valuable. In addition, the board of directors needs to be aware of the implementation plan and may wish to provide some specific direction regarding operations.

Ensure that each stakeholder has a clearly defined role in the programme. If you have already defined the compliance function scope, you will have a better understanding of who is responsible for the risks in your organisation and what role they will have in the programme's implementation. Develop and document an implementation timeline that specifies who will lead the process, who will coordinate, and who will provide assistance. Create a formal escalation policy that details what the leadership and board of directors need to know and when.

Plan for known challenges
There are several common organisational challenges that you may encounter when implementing an ethics and compliance programme. They include:
» Defining key people and their roles early in the process.
» Communicating effectively with implementation teams and stakeholders.
» Understanding the processes, procedures, data, systems and teams already in place.
» Coordinating teams separated by geographical boundaries.
» Gaining participation and input from all levels of management.
» Keeping up with regulatory change.
» Insufficient or stagnant budgets and limited programme resourcing.

By taking actions early on to mitigate these challenges, you can ensure your progress is not disrupted by preventable setbacks.

Focus on ethics
Many companies have compliance-based programmes. As the name suggests, these programmes focus on specific regulatory risks facing the organisation, which may themselves be complex, multi-faceted and ever-changing.

Values-based programmes emphasise 'doing the right thing' and are, unsurprisingly, deemed more effective at deterring unethical conduct. By embedding an understanding of general ethical principles, as laid down in your code of conduct, you can be confident that your employees will be able to identify with the values you are asking them to adhere to, and why – as opposed to a set of technical rules and regulations.

Avoid falling into the trap of 'imposing' ethics as a compliance requirement through constant surveillance and tight controls. Employees should be encouraged to consider the ethical implications of a decision when faced with a moral dilemma. Therefore, ethics should be communicated and promoted as a decision-making framework rather than a fixed reference point.

Implement effectively
Regulators and prosecutors require that each company tailor its programme to its own needs, size, business model, geographical spread and risk profile. There is no one-size-fits-all solution. What's important is that the programme is "implemented, reviewed, and revised, as appropriate, in an effective manner" [20].

Regulators have often expressed their frustration with the "paper programmes" they encounter in the business world. The policies are written, the procedures are adopted – but what's missing is perhaps the most important element: implementation. Your ethics and compliance programme should have substance and be embedded in the daily operations of your business.

[20] US Department of Justice, Justice Manual 9-28.000, Principles of Federal Prosecution of Business Organizations, Corporate Compliance Programs, point B.



IMPLEMENT
ESTABLISHING THE ETHICS AND COMPLIANCE PROGRAMME

With a clearly defined strategy and a budget in place, you are ready to begin the process of implementing your ethics and compliance programme. In this section you will learn how an effective programme should be structured, which elements are essential, and how they need to be tailored based on your organisation's industry, size, history, and risk profile.

"Even a well-designed compliance program may be unsuccessful in practice if implementation is lax, under-resourced or otherwise ineffective."
US DOJ Criminal Division, 'Evaluation of Corporate Compliance Programs'

Best Practice: The Eight Essential Elements of an Effective Programme
Regulators and prosecutors across the globe expect organisations to detect and prevent corporate wrongdoing. While their guidance varies, the key requirements can be distilled into eight essential elements that a strong compliance and ethics programme needs to address. Successfully incorporating these elements into your own programme will help protect your organisation's reputation, enhance employee engagement and improve organisational culture.

Risk Assessment
A risk assessment is key to developing your organisation's risk profile. It should identify:
» ethics, compliance and reputational risks your organisation may face given its industry and geography
» risks related to your employee population
» your current and planned mitigation strategies to reduce risk to a level deemed acceptable by your organisation

Risk assessments should be kept current and be subject to periodic review based upon continuous access to operational data and information from across your organisation.

[Don't forget about third parties. NAVEX Global's Definitive Guide to Third-Party Risk Management will help you navigate this increasingly important area of compliance risk.]

Oversight, Structure and Leadership
Your programme needs both appropriate oversight (to protect from risk) and commitment from leadership (to drive behaviour and culture). Those who have key oversight duties, including your board of directors, need to be informed and trained on their roles to help your organisation achieve an effective programme.

Standards, Policies and Procedures
As you develop your programme, policies and procedures will play a critical role. Your code of conduct should be the foundation policy, supported by standards and procedures that drive compliance with internal values as well as applicable laws, rules and regulations.

[NAVEX Global's Definitive Guide to Your Code of Conduct explains how to transform your code of conduct into an engaging employee resource.]

Beyond the development of these policies, thought must also be given to how you will manage and communicate them. Remember that clear communication of ethics and compliance expectations is a basic step toward creating a culture that supports an effective programme.

[NAVEX Global's Definitive Guide to Policy and Procedure Management provides guidance on how to optimise your policy and procedure management programme.]

Alignment with HR Practices
An effective compliance programme has many touchpoints and overlaps with an organisation's HR department. For example, the individuals an organisation chooses to recruit and promote send a clear signal about its goals and priorities. As well as paying close attention to hiring practices, take care to align performance measures and incentives with ethical and compliant behaviours, and apply consistent disciplinary policies. Developing positive relationships between ethics and compliance and human resources paves the way for an ethical company culture and sends a clear message that unethical behaviour will not be tolerated.



Communications and Training
Organisations are expected by regulators to communicate standards and procedures to the board of directors, high-level personnel, employees and (where appropriate) third parties. Therefore, the policies and procedures in your ethics and compliance programme should be accompanied by a strategic communications plan and training programme. This will help ensure employees remain informed of, and attest to, the policies that apply to them. A regular and effective training plan will ensure employees understand what is expected of them, help managers understand how to respond to issues raised and ensure lessons learned are consistently used to improve culture.

[NAVEX Global's Definitive Guide to Ethics and Compliance Training provides guidance on managing your employee training programme.]

Reporting and Response
The reporting process enables employees to bring their concerns to the attention of your organisation. Every ethics and compliance programme must offer ways for employees to easily and comfortably report issues without fear of retaliation. It should also include measured steps to respond to and resolve those reports, including investigations and disciplinary processes.

[NAVEX Global's Definitive Guide to Whistleblowing Hotlines provides guidance on how to enhance your reporting and response process.]

Monitoring and Assessment
Measuring and monitoring your programme is the only way to know whether it is truly effective. Regulators like the DOJ expect organisations to take "reasonable steps" to "ensure that the organization's compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct," and "evaluate periodically the effectiveness of the organization's program" [21]. You must therefore regularly engage in meaningful efforts to review your ethics and compliance programme and ensure it evolves over time.

[NAVEX Global's Definitive Guide to Compliance Programme Assessment provides guidance on how to evaluate and improve your compliance programme.]

Culture
Compliance regulations reinforce the idea that in order to have an effective programme, you need to foster a culture that promotes compliance and ethics, not just rules and additional layers of controls. Successful programmes are integrated efforts that align financial and compliance requirements with an organisation's mission and values. Forward-thinking organisations build cultures where employees know that doing the right thing is expected, understand the standards that apply to them, and believe in the integrity of their leaders. These same employees should feel empowered to raise concerns about misconduct with confidence and without fear of retaliation.

Integrated ethics and compliance
While compliance officers may tend to focus primarily on anti-corruption, the eight elements framework can be practically and effectively applied in other areas of your ethics and compliance programme, including:
» trade
» antitrust
» conflicts of interest
» data privacy
» anti-money laundering
» anti-discrimination
» modern slavery
» sexual harassment
» cybersecurity
» fraud

Prevent-Detect-Respond Approach
An ethics and compliance management system can be divided into three levels of action:
1. Prevent: Preventative measures include risk assessments, policies and procedures, training and communication, and alignment with HR practices.
2. Detect: Monitoring and assessment, reporting channels and incident management processes are indispensable in helping to recognise matters of misconduct.
3. Respond: Clear consequences for wrongdoing, as well as lessons learned and programme enhancements, form the basis of an effective response strategy.

Leadership, structure and oversight is the overarching element above these three levels. Culture serves as the foundation of the whole programme.

[Diagram]
Leadership, Structure and Oversight
Prevent:
» risk assessment
» standards, policies and procedures
» training and communication
» alignment with HR practices
Detect:
» monitoring and assessment
» reporting channels
» compliance audits
» compliance controls
Respond:
» incident management
» clear consequences for wrongdoing
» lessons learned and programme enhancements
Culture

[21] US DOJ, Criminal Division, Evaluation of Corporate Compliance Programs, June 2020, page 3.



Tailor Your Programme
The US Federal Sentencing Guidelines for Organizations (FSGO) commentary states that an effective ethics and compliance programme will consider the organisation's industry, size and history. It is therefore advisable to contemplate how these parameters could affect the breadth and depth of your own programme before the implementation begins.

Industry practices
You can model your programme on recognised ethics and compliance industry leaders. Review their codes of conduct and compliance policies, and look for publicly available information around the programmes they have in place. Look closely at industry-specific codes too: they are a valuable resource for identifying risks and practices facing your organisation and its peers. An organisation's failure to incorporate and follow applicable industry practices makes it less likely its programme would be considered effective by regulators.

Organisation size
Regulators and enforcement agencies expect large organisations to devote greater resources and take a more formal approach to their programmes. By contrast, smaller organisations may take an abbreviated approach provided they can demonstrate "the same degree of commitment to ethical conduct and compliance with the law as large organizations" [22]. Examples of informality and use of fewer resources include the following:
» training may take place at informal staff meetings
» monitoring can be done during regular "walk arounds"
» available personnel may be used to carry out the programme

Organisation history
Recurrence of similar misconduct creates additional compliance risk and casts doubt over the effectiveness of an organisation's compliance efforts. A history of compliance violations would therefore require that greater resources are directed towards the ethics and compliance programme.

The Risk Assessment
An effective ethics and compliance programme should be based on a well-informed understanding of the risks facing the organisation. A systematic risk assessment is therefore the essential first step. Without it, you may find it difficult to explain why your programme has been designed as it has, should you be required to [23].

Your risk profile is an evaluation that identifies the unique risks your organisation may face given its industry, geography and employee population. In many cases, organisations may be subject to regulations and vulnerable to risks about which they know little. After conducting a thorough risk assessment, you are likely to discover risks that are new, were previously not visible, or which have become more significant since you last completed an assessment.

According to the 2020 NAVEX Global Definitive Risk & Compliance Benchmark Report, risk assessment is a high priority activity among respondents, with 46% of organisations planning to conduct a comprehensive organisational risk assessment in the next 12 months [24].

Key definitions
» Risk is defined as the "effect of uncertainty on objectives" [25] and is most often measured in terms of likelihood and impact.
» Likelihood is the probability that a risk will materialise.
» Impact is the cost of a risk if it does occur.
» Effective risk management involves "the systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring and reviewing risk." [26]
» An ethics and compliance risk assessment identifies the organisation's ethics, compliance and reputational risks, the employee population that creates the risk, and the current and planned mitigation strategies to reduce risk to a level deemed acceptable by the organisation.

How do you conduct your compliance risk assessment?
(Percentage of respondents)
Engage with senior stakeholders            67%
Analyze compliance-related violations      58%
Analyze business units' compliance KPIs    41%
Undertake a staff survey                   29%
Solicit input from the Board               23%
Conduct focus groups                       21%
Don't know                                 13%
Other                                       9%
Source: PWC State of Compliance survey 2015

[22] FSGO, §8B2.1, Commentary 2(C) (Ch. 1, n. 24).
[23] US DOJ, Criminal Division, Evaluation of Corporate Compliance Programs, June 2020, page 2.
[24] NAVEX Global, The Definitive Risk & Compliance Benchmark Report, 2020.
[25] ISO 31000:2018 Risk management – Guidelines, clause 3.1.
[26] ISO 31000:2018 Risk management – Guidelines, page 4.



The 10 Key Steps of a Robust Ethics and Compliance Risk Assessment

1. Get leadership buy-in
Active and visible support from senior executives and the board of directors is a key component of a successful risk assessment. Without it, risk assessments can lose momentum, avoid or inadequately deal with certain issues, or have their quality impaired by other executives and managers choosing not to participate.

2. Define roles and responsibilities
Define who should 'own' the risk assessment and who needs to be involved. Clearly delineated roles and responsibilities should be communicated and understood.

A well-informed ethics and compliance risk assessment looks at:
» the organisation's business model
» the geographic location of its operations
» the industry sector and the competitiveness of the market
» the regulatory landscape
» clients and customers
» products and services
» supply chain and third parties
» transactions and projects
» the ways in which risks may manifest themselves

3. Secure adequate resources
The function leading the risk assessment, whether it be compliance or another department, is unlikely to have expertise in every area. It will therefore require support from other functions including legal, risk management, internal audit, sales and marketing, procurement, finance, HR, supply chain and corporate affairs (this list is not exhaustive). Stakeholders should discuss the implementation plan, timeframe, resources and any enhancements that could make the risk assessment more effective.

4. Establish your risk appetite and risk tolerance level
Determine your organisation's risk appetite and risk tolerances early in the risk assessment process. "Risk appetite" is the amount of risk an organisation is willing to accept or retain and represents a broad view of risk. "Risk tolerance" is relative to specific risks and performance targets. It can be defined as the organisation's flexibility with regard to specific risks.

5. Understand your environment
You should have a clear understanding of how your organisation functions. An organisation is expected to analyse and address its unique risks within the context of what it does, its geographic presence, industry sector, competition, regulatory landscape, clients and business partners. By understanding the nature of operations and locations, you will be better able to grasp the types of risks specific to your organisation, as well as the potential consequences should a violation occur.

6. Identify risk indicators
Risk indicators are metrics that can be used to measure risks affecting the organisation. They can act as predictors and provide early signals of increasing risk exposures. The analysis of risk indicators should be holistic and include both internal and external resources.

7. Collect the data
Interviews, surveys, self-assessments, and brainstorming sessions are different methods to collect the data and information on how and why compliance risks may occur in the organisation. Understand the pros and cons of each method before choosing the one that will work best for your risk assessment objectives.

8. Identify the risks
Now that you understand the scope of the business and the risk indicators specific to the nature of its operations and locations, you should break the risks down to a reasonable level of detail. The objective of the risk identification is to create a comprehensive inventory of compliance and ethics risks facing your organisation, industry and regions.

9. Rate the likelihood and impact
Rate both the likelihood that each risk might occur and the corresponding potential impact of that occurrence. The aim is to prioritise the responses to the identified risks in a logical format.

10. Develop your action plan
Once the risk assessment is complete, compile your findings and recommendations in a comprehensive report to be presented to the board for review and approval. However, the process should not stop there. An action plan that prioritises the recommendations from the risk assessment should then be developed to ensure that the necessary enhancements are implemented.

"While there is no "one-size-fits all" risk assessment, the exercise should generally consist of a holistic review of the organization from top-to-bottom and assess its touchpoints to the outside world."
OFAC Guidance

MEASURE
MONITOR, ASSESS AND IMPROVE PROGRAMME EFFECTIVENESS

Your ethics and compliance programme is an ecosystem of moving parts. New laws and regulations, new lines of business, new geographies, and mergers and acquisitions will all become part of a growing enterprise your compliance ecosystem must support. This requires those in charge of the system to regularly monitor and assess risks and priorities to make necessary adjustments that will continue to deliver an effective programme.

Monitoring, Auditing and Measuring
Monitoring, auditing, and measuring are all key to understanding whether your ethics and compliance programme is appropriately designed and implemented, and working effectively. The gaps identified by these analyses should then be addressed to ensure continuous improvement.

Monitoring is an ongoing, real-time surveillance or oversight of your programme. It is integral to the timely identification of internal control deficiencies. It involves testing daily business activities with the greatest focus on the areas of the business which are exposed to the most significant risks.

Auditing is a periodic, rather than a continuous, retrospective exercise. Although an internal audit function is well-placed to conduct compliance audits, from time to time the board is likely to need some more independent assurance. External audit firms or accredited consultants can provide an independent validation of your ethics and compliance programme.

Measuring and assessment is a comprehensive evaluation of how your programme:
» Measures up against organisations of a similar size, industry and footprint
» Meets globally-recognised or industry-accepted standards
» Helps close gaps in risk mitigation
» Defines improvements in a prioritised manner by way of a multiyear work plan to achieve your organisation’s desired level of programme maturity

Along with assessing for external factors, a robust programme must account for an important internal variable: human behaviour. Even with strong policies and compliance procedures in place, employee behaviour presents the highest risk for your ethics and compliance programme. A robust quality assessment will help you understand the impact your current ethics and compliance programme is having on employees as well as the overall corporate culture.

What metrics do you use to measure compliance programme effectiveness?
(Percentage of respondents using each metric: overall, and by programme maturity level)

Metric                                                                 Overall  Reactive  Basic  Maturing  Advanced
Employee surveys and other culture assessments                           49%      10%     35%     58%       81%
Analysis of internal audit findings                                      48%       6%     32%     59%       84%
Breaches of the code of conduct / internal policies                      48%      10%     35%     57%       85%
Conducting exit interviews and measuring employee turnover               45%      13%     37%     55%       63%
Tracking whistleblowing reports, retaliation and substantiation rates    41%       2%     31%     45%       83%
Employee quizzes on training or policies                                 39%       9%     29%     47%       60%
Attestation rates on training and policy programs                        34%      10%     22%     39%       72%
Comparisons using third party measurements or benchmarks                 24%       1%     12%     26%       66%
Case closure times                                                       22%       4%     13%     21%       57%
Independent evaluations by outside counsel and/or consultants            21%       3%     10%     26%       47%
Monitoring reviews on 'Glassdoor' / social media articles / news reports 16%       3%     10%     20%       28%
Reduction of regulatory fines or penalties                               14%       3%      7%     15%       40%
We don't formally assess effectiveness                                   15%      65%     16%      3%        0%

Source: NAVEX Global, The Definitive Corporate Compliance Benchmark Report, 2019, page 19



A Story of Effectiveness
The results from your monitoring, auditing and assessment activities should tell a story that demonstrates the effectiveness
of your programme, and how it relates to the mission, values and strategic operating plans of your organisation.

Use the data you collect to anchor your story in evidence, while adding the more abstract observations and attitudes as the cultural manifestations of that data.

Your effectiveness story should include a concrete roadmap that illustrates how you will use the results moving forward. One of the main outputs should be the development of an ethics and compliance work plan that will incorporate programme improvements – and remedy programme gaps or inefficiencies. Along with next steps, your effectiveness story should also include projected dates to periodically revisit and course-correct the programme adjustments informed by your monitoring, auditing and assessment.

Example: Ethics and compliance programme assessment template
The template records, for each standards, policies and procedures best practice, a rating (needs attention / partially meeting / best practice), an action plan, the action plan owner and the status.

Best practice: Comprehensive code of conduct
Rating: Best practice
Action plan: No action required, the code of conduct is in line with industry best practices.
Action plan owner: CECO
Status: Complete

Best practice: Policies and procedures in high-risk areas
Action plan: Develop, adopt, and roll out a Gifts & Hospitality Policy. Train relevant employees.
Action plan owner: CECO, middle managers
Status: In progress

Best practice: Policy management process: regular updates
Action plan: Design and implement a procedure for periodic reviews and updates to the policies and procedures based on the risk assessment.
Action plan owner: CECO, business process experts
Status: Open

Benchmarking Your Programme
Benchmarking is an important part of the assessment process. Benchmarks can be used to justify your budget or other resource requests, to create a prioritised list of improvement opportunities and to inform the timeline for incorporating those improvements.

Most importantly, benchmarking can help you understand whether your programme is within the norms for your company’s size and industry – and where the programme as a whole (or individual elements) may land on the continuum from substandard to best practice. In addition to using benchmarking to measure your programme against peers, it is a critical step in designing your programme to better withstand the scrutiny of external, governmental or regulatory parties.

Get the latest Risk and Compliance Benchmarking data from the NAVEX Global website.

CONCLUSION
An effective ethics and compliance programme is never complete. Instead, it should continuously evolve to take into account the inevitable regulatory, organisational and external developments that will influence its current status and future direction.

Due to the unrelenting pace of such change, it's likely technology will become increasingly important to your long-term success. Unifying your ethics and compliance programme within an automated, integrated solution will give you the opportunity to keep pace with new developments, improve effectiveness, and manage and mitigate your ethics and compliance risks.

NAVEX Global is the worldwide leader in integrated risk and compliance management software and services that help organisations manage risk, address regulatory compliance requirements and foster an ethical workplace culture. For more information visit www.navexglobal.com



About the Author

Vera Cherepanova
Ethics Advocate, Consultant, Author
Studio Etica, Milan (Italy)

Vera Cherepanova is a former Regional Compliance Officer and author of “Compliance Program of an Organisation.” Vera has worked on the ground in Eastern Europe, CIS and Russia. Taking her experience in addressing the cross-cultural challenges of ethics and compliance, Vera currently consults with international corporations, non-profits, wholesale and retail establishments, and small to large businesses, advising them on ethics and compliance programmes. Vera speaks Russian, English, French, and Italian.

Additional Resources

Benchmarking and Market Trends
2020 The Definitive Risk & Compliance Benchmark Report
2020 Third Party Risk Management Top Market Trends & Analysis
2020 Risk & Compliance Hotline Benchmark Report
2020 Regional Whistleblowing Hotline Benchmark Report

Governmental and International Guidance on Ethics and Compliance Programmes
US Department of Justice Evaluation of Corporate Compliance Programme
2018 Federal Sentencing Guidelines Manual
AFA Guidance on SAPIN II Compliance (in French)
UK Bribery Act Guidance from Transparency International
FCPA Corporate Enforcement Policy
ISO 19600:2014 Compliance Management Systems
ISO 37001:2016 Anti-Bribery Management Systems
ICC Ethics and Compliance Training Handbook
UNODC Compliance Resources
A Framework for OFAC Compliance Commitments

Guidance for Working With the Board
Key Elements for Effective Compliance Programme Board Reporting
Four Key Board Responsibilities for Monitoring Risk and Compliance

Risk Assessment Guidance
Risk Assessment Framework
Sample Risk Prioritization Framework
ISO 31000:2018 Risk Management – Guidelines

Compliance Programme Definitive Guides

Definitive Guide to Compliance Programme Assessment


Definitive Guide to Third-Party Risk Management
Definitive Guide to Whistleblowing Hotlines
Definitive Guide to Your Code of Conduct
Definitive Guide to Policy and Procedure Management
Definitive Guide to Ethics & Compliance Training



EMEA + APAC
Vantage London – 4th Floor, Great West Road, Brentford TW8 9AG, UK
www.navexglobal.com
+44 (0)20 8939 1650

Americas
5500 Meadows Road, Suite 500, Lake Oswego, OR 97035, USA
www.navexglobal.com
+1 (866) 297 0224

This information is provided for informational purposes only and does not constitute the provision of legal advice. Review
of this material is not a substitute for substantive legal advice from a qualified attorney. Please consult with an attorney to
assure compliance with all applicable laws and regulations. Copyright © 2020 NAVEX Global Inc. All Rights Reserved.
