The Foreign Corrupt Practices Act (FCPA) marked the early beginnings of compliance programs in the United States. In the mid-1970s, United States Securities and Exchange Commission (SEC) investigations discovered that a significant number of American companies had participated in bribery overseas. “Over 400 U.S. Companies admitted to making questionable or illegal payments to foreign government officials, politicians and political parties.” (United States Department of Justice 2006) One of the most infamous cases of its time was the admission by a Lockheed executive, to the Multinational Corporations Subcommittee of the Senate Foreign Relations Committee, that Lockheed had paid bribes amounting to $22 million to Japanese government officials in the course of trying to sell its aircraft. This revelation came on the heels of the U.S. Government providing Lockheed with a $250 million emergency loan guarantee (Hishikawa 2003).
In an effort to restore faith in American business, the Foreign Corrupt Practices Act was signed into law in December 1977. Its anti-bribery provisions make it “unlawful for a U.S. person, and certain foreign issuers of securities, to make a corrupt payment to a foreign official for the purpose of obtaining or retaining business for or with, or directing business to, any person.” (United States Department of Justice 2006) The law also requires publicly traded companies “to maintain records that accurately and fairly represent the company’s transactions. Additionally, it requires these companies to have an adequate system of internal accounting controls.” (United States Department of Justice 2006)
Following passage of the FCPA, Congress became concerned in 1988 that American companies were operating at a disadvantage because their foreign competitors were, as a matter of practice, paying bribes to foreign officials and deducting those bribes as business expenses on their taxes. (United States Department of Justice 2006) The Executive Branch subsequently began negotiations within the Organisation for Economic Co-operation and Development (OECD), whose 34 member nations include the United States, to have other countries enact legislation similar to the FCPA. In 1997 the OECD members signed the Convention on Combating Bribery of Foreign Public Officials in International Business Transactions. (http://www.oecd.org/document/21/0,2340,en_2649_34859_2017813_1_1_1_1,00.html)
The Convention requires signatory nations to make the payment of bribes to foreign officials a crime and to follow its rules governing bribery in international transactions. The U.S. ratified the Convention and enacted implementing legislation in 1998. At that time the FCPA was amended to extend its territorial jurisdiction to foreign companies and nationals. A foreign company or person is now subject to the FCPA if it, directly or indirectly through agents, commits any act in furtherance of a corrupt payment while within the territory of the United States.
In response to the FCPA and its requirement to implement internal control programs, a private-sector initiative called the National Committee on Fraudulent Financial Reporting (commonly known as the Treadway Commission) was formed in 1985. The Commission recommended that its organizational sponsors work together to develop guidance on internal controls. Subsequently, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed, and in conjunction with the CPA firm Coopers & Lybrand, COSO authored and published the “Internal Control-Integrated Framework” in 1992 (http://www.coso.org/publications/executive_summary_integrated_framework.htm). This framework has become the de facto standard in the accounting industry for auditing, evaluating and monitoring internal control systems.
The COSO Internal Control-Integrated Framework is now widely used as the basis for “establishing and maintaining an adequate internal control structure and procedures for financial reporting” (15 USC § 7262) and for assessing control effectiveness under section 404 of Sarbanes-Oxley. (http://www.pcaobus.org/About_the_PCAOB/Sarbanes_Oxley_Act_of_2002.pdf)
In 1984 Congress enacted the Sentencing Reform Act, which created a set of mandatory federal sentencing guidelines (Campbell & Bemporad 2006). As part of the Act, the United States Sentencing Commission was formed and delegated the responsibility “to provide ‘certainty’ and ‘fairness’ in sentencing, avoiding ‘unwarranted sentencing disparities’ while ‘maintaining sufficient flexibility to permit individualized sentencing when warranted by mitigating or aggravating factors’” (Campbell & Bemporad 2006).
On May 1, 1991, as an extension of the Sentencing Reform Act, the United States Sentencing Commission submitted to Congress the Federal Sentencing Guidelines for Organizations (FSGO) (http://www.ussc.gov/orgguide.htm), a set of standards that govern the sentences federal judges impose on organizations convicted of federal crimes. The guidelines took effect on November 1, 1991. Core to them was the Commission’s intent to “prevent and deter organizational wrongdoing” through the design of the organizational sentencing guidelines (http://www.ussc.gov/corp/advgrp.htm). They describe the elements of an organization’s compliance and ethics program that are considered in determining whether a convicted organization is eligible for a reduced sentence. In general, the FSGO require an organization to establish standards to guide its employees and agents. These standards must reflect government regulations and industry standards, and the guidelines apply to almost all types of organizations, including corporations, partnerships, unions, non-profit organizations and trusts.
In 2004, the United States Sentencing Commission voted to amend its existing organizational guidelines to make the criteria for an effective compliance and ethics program more stringent. The amended guidelines identified two major standards: the need for directors and executives to take an active role in managing the organization’s compliance and ethics program, and the importance of promoting an organizational culture that complies with the law and demonstrates ethical conduct. The amended guidelines outline the minimum requirements for an effective compliance and ethics program (http://www.ussc.gov/2005guid/8b2_1.htm), and the amended FSGO has become the accepted reference for what constitutes an effective compliance program.
The FCPA, Sarbanes-Oxley and the Federal Sentencing Guidelines represent just a fraction of the standards and requirements organizations need to consider today when developing and implementing their compliance programs. “Since the passage of SOX, the New York Stock Exchange (NYSE), NASDAQ, and the Public Company Accounting Oversight Board (PCAOB), have all proposed and implemented new rules relating to compliance programs” (Martin 2004). Organizations today are increasingly accountable to mandated laws, regulations and standards on a number of dimensions, including geographical and regional considerations as well as industry and functional discipline concerns. These regulations and standards apply to a variety of financial and non-financial areas. Adding to this complexity are the “voluntary” boundaries that organizations have individually established, such as organizational commitments, values and contractual obligations. As a result, organizations need to build, at the very core of their business strategy, the capacity and capability to address the conditions mandated by these external requirements and internally generated operating principles while still meeting their business objectives.
History has set the tone for increasing regulation and rising standards. Over time, organizations will need to be more proactive in anticipating and addressing these considerations while simultaneously protecting and building the enterprise. More and more organizations will need to translate, integrate and simplify these various standards and requirements into a cohesive approach.
A high-performing compliance and ethics program is best organized as an integrated capability assigned to business functions and units, managed and overseen by individuals with overall responsibility and accountability. Compliance can be a daunting challenge, but it is also an opportunity to establish and promote operational excellence throughout the entire organization and to significantly improve overall operational performance.
Broadly understood, compliance is an important mechanism that supports effective governance. Compliance with regulatory requirements and with the organization’s own policies is a critical component of effective risk management. Monitoring and maintaining compliance is not just a matter of keeping the regulators happy; it is one of the most important ways for an organization to maintain its ethical health, support its long-term prosperity, and preserve and promote its values.
On a more practical level, a compliance and ethics program supports the organization’s business objectives, identifies the boundaries of legal and ethical behavior, and establishes a system to alert management when the organization is getting close to (or crossing) a boundary or approaching an obstacle that prevents the achievement of a business objective.
Once an issue is detected, management must be prepared to respond quickly and appropriately to minimize the impact on the organization (and the community, as appropriate). Management should continuously improve its compliance and ethics program. This will enable it to better prevent, detect, and respond to similar misfeasance and/or malfeasance in the future.
Like any other core capability or process, the compliance and ethics program should strive to deliver tangible benefits and outcomes to the organization. Every organization is unique and has its own objectives, so several of the program’s objectives will be unique as well. That said, there are a few universal outcomes that a compliance and ethics capability should deliver: an enhanced culture of trust, accountability and integrity; prevention of noncompliance; preparation for when (not “if”) noncompliance occurs; protection (to the extent possible) from negative consequences; detection of noncompliance; response to noncompliance; and improvement of the program so that it can better prevent, protect, prepare, detect and respond in the future.
An important aspect of a high-performing program, and one that cannot be overstated, is enhancing the culture. A strong culture provides important benefits, including a “safety net” for when formal controls are weak or absent and an open environment of trust, accountability and integrity, all of them ingredients that help drive overall workforce productivity.
A well-designed compliance and ethics program is only half the picture. For the program to succeed, and to meet the challenges of constant change, increasing complexity, rapidly evolving threats and the need for continuous improvement, organizations also need the commitment of both senior management and the board, adequate authorization and funding, the appropriate tools to facilitate measurement and the roll-up of information, comprehensive training on the measurement process, and early socialization of the approach.
Implementation is often the most difficult aspect of any program. This is the juncture where most failures occur. However, if executed well, it can represent the biggest opportunity for positive influence on the organization’s performance and culture.
The engaged involvement of key stakeholders is critical to a successful implementation or major enhancement of a compliance and ethics program: dialogue and agreement up front, by all the major parties, on the objectives, goals and overall purpose of the program will largely determine the project’s eventual impact. By working together, compliance and ethics officers, executive management and the board can help ensure that a compliance and ethics program contributes not only to the improvement of the organization’s governance practices but also to the success of the company’s strategy.
Integrate compliance and ethics - Address the “letter of the law” while promoting the “spirit of the law”. For some companies this means treating a breach of company policy as seriously as a breach of the law, so that “internal” standards become as important as “mandatory” standards.
Embed compliance and ethics risk management processes into the business - Organizations must systematically assess and prioritize present and emerging compliance and ethics risks. Such analysis should take into account the organization’s culture, compliance and ethics history, as well as industry issues. Business processes should incorporate compliance and ethics program needs. Boards should routinely discuss these risks, and how they are addressed, with management.
Demonstrate leadership - The board should ensure senior management consistently communicates and models the organization’s values and behavioral expectations identified in the compliance and ethics program.
Require accountability and ownership - For the compliance and ethics program to “make a difference”, it should foster a corporate culture that places responsibility on individuals for their actions and motivates everyone. The board and management should ensure employees have appropriate training and information, and should participate in such training themselves.
Provide an open culture - Issues and problems should be investigated and proactively managed to resolution; in some cases the law requires it. Unethical or illegal behavior should be addressed promptly. Employees must be required to raise and resolve violations of compliance or ethics standards, and to do so they must feel confident that they can take action without fear of retaliation. Such fears have been reduced, but not eliminated, by the introduction of the “whistleblower” protections of the Sarbanes-Oxley Act and their Canadian equivalents. The board should ask management what steps they are taking to create this open culture.
Measure performance and results - Compliance and ethics processes and results should be monitored and measured. Objective data should underpin the more subjective evaluations. Evaluation results should provide the basis for continually improving the program.
By using accurate, timely data on the organization’s performance, managers know whether they are moving the entity closer to its objectives. Measuring compliance and ethics program performance helps organizations gauge their improvement and learn whether the company’s tactics are contributing to the success of the company’s strategy. Keeping the board informed is a critical activity, and robust performance reporting facilitates that important effort too. An organization’s compliance and ethics program should be measured like any other critical capability.
There are numerous benefits to, and challenges in, measuring the performance of a program. A well-known maxim is “what gets measured gets done.” The compliance and ethics program is no different.
The Open Compliance and Ethics Group (OCEG), a non-profit organization that provides a performance framework for integrating governance, compliance, risk management and culture, has developed a Measurement and Metrics Guide (MMG) to assist in measuring and reporting on the performance of compliance and ethics programs. This measurement platform advocates that program objectives be aligned with, and contribute to, enterprise objectives in a tangible way. To achieve desired program outcomes, an organization should design processes and practices that measure the program along three key dimensions: effectiveness, efficiency and responsiveness.
Effectiveness describes the quality of a program along two dimensions: design effectiveness and operational effectiveness.
Design effectiveness describes the degree to which a system or process is logically designed to meet legal and other defined requirements. Does the system or process contain all the necessary elements to thoroughly evaluate risk? Has it been designed for maximum effectiveness? If not, what features must be added to improve the system? Design effectiveness is very much a logical test that considers all requirements, risks and boundaries and determines if the system is appropriately designed.
Operational effectiveness describes the degree to which a system or process operates as designed. If the system has been well designed, does it function correctly? Does it operate the way it was designed? If not, how must it be managed to elevate its level of operation? Operational effectiveness helps management understand if, given a strong design, the system is operating as it is intended.
The concept of efficiency captures the cost of the process or system: not simply financial efficiency (the amount of money spent) but also the cost of the human capital expended.
Financial efficiency describes the total amount of financial capital required to execute a process.
Human capital efficiency describes the type and level of individual(s) required to participate in the process. While human capital costs can be partially captured in purely financial terms, intangible opportunity costs must also be captured. In other words, if the program relies too heavily on senior executive time and focus, it may represent more than just purely financial costs (salary, benefits, and other overhead). An organization must also recognize the intangible costs of the loss of executive time and focus on other strategic objectives such as growth, profitability, talent retention, and customer loyalty.
Responsiveness should be assessed along two dimensions: the system’s ability to operate quickly, and its ability to adapt flexibly to changing circumstances. Cycle time describes the total hours of effort and/or the elapsed time it takes to execute a process. Flexibility/adaptability describes the degree to which the system can absorb changes, including new requirements (e.g. a new law, rule or regulation) and/or new business units (due to merger and acquisition activity).
These changes may be internal, as managers study the results of past performance evaluations and make needed alterations, or external: new regulatory environments, changing market conditions, or altered public perceptions and concerns require the organization to make adjustments. A responsive system adapts quickly to changes in the environment. It also develops a long-range perspective, foreseeing more distant changes and preparing for them.
A solid measurement system and approach should embody these principles: focus on business objectives, orientation toward outcomes, and simplicity of the measurement system.
Program metrics and measurements should be tied to business objectives, helping management understand how the program contributes to overall enterprise objectives. While process and activity metrics are important, the outcomes are the ultimate goal; never lose sight of this.
The measurement system and approach should be simple, cost-effective and elegant to ensure sustainability. Management should look for opportunities to gather data from existing systems rather than creating whole new systems to create data. If it costs more (both in time and capital) than it is worth, the measurement program will ultimately go away.
Senior management and the board of directors should commit to a measurement approach and ensure that a high-level executive is charged with overall accountability. This should include a commitment to the longevity of the program as it will take a few years to realize the full potential of a measurement program.
The measurement system and approach should be a positive contributor to help improve performance. It should not be used for punitive purposes.
Key metrics and indicators should be specific/simple, measurable, actionable, relevant and timely.
Balance of Leading and Lagging - Lagging indicators show how the company has already performed (revenue growth in the past quarter; number of workplace accidents in the last year). Leading indicators are those that may predict future performance; an example is on-time delivery rate, which can lead to higher customer satisfaction ratings and, in turn, more sales to existing customers.
Indicators should provide visibility into both short-term and long-term objectives. Overemphasis on short-term objectives can stifle a company’s long-term growth by short-changing new product development. Emphasis on short-term financial results, such as quarterly profits, can lead to reduced spending on research for new product development, or to purchasing cheaper components to raise profit margins, which in turn leads to lower product quality, more product returns, customer complaints and loss of business.
Focus on Internal Trends before External Benchmarks - Program metrics and measurement should help management understand internal trends. Once internal trends are understood, the use of external benchmarks will be more meaningful.
The performance measurement system should be reviewed and improved on an ongoing basis. Only by gaining experience in measuring performance can the organization really refine and improve the system.
Organizations are exposed to governance, compliance and ethical risks daily. Coupled with the current economic, regulatory and social climate, these risks have propelled corporate governance, compliance management and integrity to a top business priority. More than ever, the business community understands the need to articulate and integrate the principles of good governance, risk management, and compliance (GRC) into the fabric of day-to-day business.
The integration of governance, risk management, compliance and ethics helps an organization drive performance more effectively and efficiently. Governance establishes objectives and, at a high level, the boundaries inside of which the entity must operate. Risk management helps the organization identify and address potential obstacles to achieving objectives. Compliance management ensures that the boundaries are well set, and that the organization does indeed conduct business within those boundaries. A strong culture provides a safety net when formal controls and structures are weak or nonexistent, while at the same time providing an environment that helps the workforce reach its highest level of productivity.
High performing organizations master each of these disciplines and integrate them for maximum effectiveness, efficiency and responsiveness. Integration allows an organization to use a common operational approach to address all of these requirements and it allows an organization to leverage innovation in one area across the enterprise.
Governance, Risk and Compliance (GRC) management capability is the solution to meeting increasing stakeholder expectations. Solid financial results are no longer sufficient. Stakeholders are demanding more. They want to know about non-financial results and the intangibles that will ensure financial growth. They want increased reporting and transparency, and insight into an organization’s strategy, risks and operations, along with an understanding of the manner in which business is conducted. As with the quality movement of the mid-1980s to early 1990s, these stakeholder demands are becoming baseline expectations.
Compliance and ethics practices can no longer be viewed in isolation from the rest of the organization, as some function off to the side that keeps the organization out of jail. They must become part of overall business strategy and operations, pervasive throughout the entire organization. Ultimately, taking this integrated approach will lead to better overall performance, and compliance will become less of a burden on the business.