72 The Alabama Lawyer 284 (2011). Creating an Elective Corporate Compliance Plan: Part II.

By Pamela Bucy Pierson and Anthony A. Joseph

(Part I of this article appeared in the May 2009 issue of The Alabama Lawyer.)

An effective corporate compliance plan is essential for every business, large or small, public or private. Here's why: in today's world, businesses are able to significantly limit possible criminal and civil exposure if they have an effective corporate compliance program at the time an offense may occur.(fn1)

An effective corporate compliance plan consists of steps taken by a business to inform its employees, executives and directors about the laws that apply to them when executing their business duties; to encourage law-abiding behavior by its personnel; to establish protocols for detecting as early as possible any violations of the law committed within the business; and to deal appropriately with any violations that may occur.

The components of an effective corporate compliance plan are: (1) a corporate governance structure sensitive to compliance issues; (2) a general standard of conduct, and specific standards of conduct tailored to employees and their duties; (3) involvement by high-level personnel in corporate compliance issues; (4) an emphasis on corporate compliance when hiring, compensating and disciplining employees; (5) training directors, officers and employees about the laws and rules that apply to them; (6) establishing reporting mechanisms for instances of non-compliance; (7) conducting compliance audits; (8) assessing the "compliance health" of a target business prior to merger or acquisition; (9) protocols for updating a corporate compliance program; and (10) identifying and responding to instances of non-compliance.(fn2) This article briefly discusses these components.

Corporate Governance

The governing board of a company is responsible for ensuring that a company is attentive to compliance issues. This means at least three things.

First, as reflected in the agenda and minutes of board meetings, the board of directors (or an appropriate committee of the board) regularly receives reports on, discusses and reviews compliance issues, including current risk areas and whether new risk areas have arisen, internal training on compliance for all personnel, violations of the law that may have occurred, and the company's response to violations.

Second, board members should be competent to perform their compliance oversight duty. This means that in addition to appropriate credentials and experience, relevant board members receive regular training on compliance oversight, and have adequate time, free from other responsibilities (including service on too many boards), to fully execute their compliance oversight duties.

Third, directors should ensure that executive compensation is tied, at least in part, to achieving specific compliance goals.

Standards of Conduct

A business should have three different "standards of conduct." First, every business should have a mission statement that is brief, broadly applicable throughout the company and makes clear that ethical and law-abiding behavior is expected of all employees, executives and directors.

Second, every business should have a comprehensive statement, prepared through a collaborative effort that gathers input throughout the business at all levels, and applies generally to all personnel. Such a statement should cover compliance issues on generic topics, such as expense reimbursement, leave policy, employee harassment and discrimination and dealings with third parties (avoiding bribery, kickbacks, collusion, etc.).

Third, each business should have multiple, short, specific codes of conduct tailored to particular employment duties. Each of these codes should identify current and potential risk areas and provide guidance for dealing with these areas. For example, a hospital should have a specific code of conduct for emergency room patient care employees covering issues unique to the emergency room setting,(fn3) a separate code of conduct for emergency room billing employees(fn4) and another code of conduct for hospital employees who negotiate contracts with emergency room physicians.(fn5)

Most businesses will have dozens of these last, more detailed, codes of conduct. Such codes should be brief, comprehensible to the relevant employees and updated often. In quickly moving and highly regulated areas, quarterly, even monthly, revisions of these codes may be necessary. In other areas, annual reviews may be sufficient. Always, these codes should be specific. For example, instead of prohibiting employees from providing extravagant gifts to vendors, a code should specify that employees should not provide to any vendor (where vendor is defined) gifts, meals, items or services (where services are defined) valued at more than a specified dollar amount, unless the employee obtains a written waiver (where a specific authorizing individual is named).

Oversight by High-Level Personnel

Whether a company's corporate compliance plan is genuine and operated in good faith, or a sham designed for show, will be judged by the level of involvement by the company's high-level personnel. The exact role of high-level personnel will vary among businesses. Large companies should have a full-time compliance officer, if not a full compliance department. Small companies should directly involve the president in compliance issues. Whatever is the case, the person(s) performing compliance duties should have: adequate training and stature within the company to command clout; access to every aspect of a business; adequate resources to oversee compliance issues; a direct reporting route to top company executives; and an independent reporting route to the company's board of directors.

A compliance officer's job includes: assessing risk areas within the company where violations may occur; updating risk areas; ensuring that compliance training and monitoring is effective in addressing risk areas; ensuring that adequate mechanisms exist within the company for detecting violations of law and company codes of conduct; dealing appropriately with any violations; and documenting all of the above. In addition to maintaining effective corporate compliance, the point of adequate documentation is to demonstrate to regulators, FBI agents or a judge or jury, if the need arises, that the company has an effective corporate compliance plan even though a violation of the law has occurred.

Employment Relations

Vetting potential employees should include not only a criminal background check, but also a review of the candidate's compliance experience. Potential employees should be required to certify that they have no prior compliance violations. The compensation of employees, executives and directors should be tied, in part, to company codes of conduct, including attendance at, and successful completion of, training programs.

Stated employment duties should include the obligation to report internally (following a specified protocol) any known or suspected instances of noncompliance. Internal reporting serves two purposes. First, it gets information about violations or suspected violations to those within the company who can deal appropriately with the problem. Second, internal reporting limits the ability of employees to become "whistleblowers" who create additional liability for businesses by filing their own lawsuits or otherwise reporting their suspicions to authorities.(fn6)

...
