Building a Compliance Framework from the Ground Up

Tierney Mason
Associate Editor
Loyola University Chicago School of Law, JD 2019


Large companies generally have well-established programs and systems in place to remain compliant with ever-changing regulations within their industry. But at a time when the percentage of job seekers starting their own businesses is at a recent high, young firms and start-ups are at a disadvantage when it comes to compliance, having to build a system from the ground up. In order to have an effective compliance program, an organization must “exercise due diligence to prevent and detect criminal conduct” and must establish and maintain an organizational culture that “encourages ethical conduct and a commitment to compliance with the law.” Thus, management has to focus not only on structure but also on culture in building its compliance systems.

The Elements of an Effective Compliance Program

The most recognized standards for an effective program were established by the U.S. Sentencing Commission within its Sentencing Guidelines Manual. A good compliance program generally rests on management, written policies and procedures, training and education for employees, compliance monitoring and assessments, and response to offenses. When it comes to management, leaders up to the Board of Directors need to “talk about compliance, write about it and demonstrate through their daily conduct that compliance is heavily important.”

A leader’s involvement or lack of involvement in handing the job off to others speaks volumes and sets a precedent to the rest of the company as to how seriously they should consider compliance. This might require management to submit to background checks or other specific industry checks all new employees receive, to ensure individuals in positions of authority should not be excluded from those positions. Leaders who fail to take compliance seriously from the start are not fulfilling their responsibility to be an effective leader.

With respect to written policies and procedures, a company must have standards of conduct and internal controls “reasonably capable of reducing the likelihood of criminal and other improper conduct.” The written policy should be made easily available to all employees and serve two basic functions: explaining legal requirements so that employees understand their obligations and how to conform their behavior to meet them, and encouraging managers to report suspected fraud and other improprieties without fear of retaliation.

The easier it is for employees to access their company’s policies and standards, the more likely the company is to maintain an effective compliance system. Company compliance with industry regulations both begins and ends with the employees who work there. This also applies to the training and education aspect of building a compliance program. All employees, including higher-level executives and the organization’s agents, should be well informed on the systems in place. Proper training includes training on the code of conduct and the basics of the company’s ethics program, as well as any additional training for employees in specialized positions. Training should also be tracked and followed up periodically.

Once the compliance program is in place, what remains is regular monitoring and risk assessments, and responding to offenses. Monitoring is a “basic expectation” of ethics and compliance management. This is an important part of the program as it allows the company to ensure the program is being followed and to evaluate its effectiveness. However, it can be something companies struggle to maintain since there is relatively little guidance on how companies should monitor their programs and employees. How often should risks be analyzed? To whom should defects be reported?

In fact, “few have had true success,” but some industries have managed to develop helpful frameworks. The securities industry, for example, reports to FINRA, which requires all of its member firms to maintain written supervisory procedures to ensure that company activities are regularly monitored for compliance. If a regular monitor or audit does produce a defect, this does not necessarily mean the program was ineffective. In fact, this could mean the program was effective in detecting an issue before it affects the company’s larger work product. However, recurring defects can require a response from management, and remedial measures should be taken.

A Culture of Compliance

There is a common pattern amongst troubled companies of all compliance areas, whether it be hedge funds, insurance companies, or accounting firms. In most cases, there were signs of problems that built up to disaster that officials in the company ignored. Any firm could have a flawless compliance program tailored to their industry’s standards and regulations, but it’s still ineffective without a culture in which employees feel comfortable coming forward about illegal or dangerous practices.

Culture is a large determinant in how people behave. When a majority of employees are in agreement on how to behave and what values apply to their workplace, it becomes easier for everyone to conform to the same values. However, there can be a gap between how managers and employees view the office culture. It is not unusual for things to get lost in translation as the message moves further and further away from management. For this reason, a compliance program with a strong structure can ensure that the company’s values are clearly communicated through every level of the organization. It is also important that these values are stated consistently so the message is not lost.

In short, a new company should focus on a strong structure in implementing a new compliance program. With a structure in place, a culture of ethics should follow.
