For the last two decades, companies have been expected to establish effective compliance and ethics programs. The COVID-19 pandemic has highlighted why a compliant ethics program is an absolute business necessity.
Remote workplaces have introduced a new range of compliance risks causing the Department of Justice (DOJ) and Security Exchange Commission (SEC) to issue new guidance on corporate compliance programs. According to a recent Deloitte study, a few factors have led to these new developments, including a significant increase in fraud and whistleblower activity, and disruptions stemming from remote work (workplace safety conditions, cyber security, data protection etc.)
Whether you’re gearing up for an IPO or simply need to refresh your current program, a compliance and ethics program can seem daunting.
Where should you start?
Three main legal frameworks should guide an effective compliance program: U.S. Sentencing Guidelines, Sarbanes Oxley, and Stock Exchange Rules. At its core, an effective and compliant program protects a business and its stakeholders by preventing and detecting improper conduct.
U.S Sentencing Guidelines
In 1991, the U.S. Sentencing Commission established the most recognized standards for an effective Program within its Sentencing Guidelines Manual, Chapter 8, Part B.
In short, these guidelines state that to have an effective compliance and ethics program, an organization must take reasonable steps to:
- Exercise due diligence to prevent and detect criminal conduct
- Create a Program that is designed, implemented, and enforced in a way that is effective in deterring criminal conduct
- Promote a culture that encourages ethical conduct and compliance with the law
- Assign specific high-level personnel to be responsible for the compliance and ethics program, with day-to-day operational responsibilities
- Have and publicize a system, which may include tools that allow for anonymity or confidentiality, where employees can report or seek guidance regarding potential or actual criminal conduct without fear of retaliation
Sarbanes Oxley & COSO
In 2002 the Sarbanes-Oxley Act was passed by Congress to help protect investors from fraudulent financial reporting by corporations.
SOX requires companies to establish a Code of Business Conduct and Ethics to cover a Code of Ethics requirement as provided by the SEC’s Section 406 of the Sarbanes-Oxley Act.
Essentially, a public company’s management must establish adequate internal controls, promote honest and ethical conduct, regularly disclose their framework of controls and any waiver in their code of ethics. Employees must have a way to anonymously submit concerns or complaints regarding ethical issues. And, public companies are required to have an always accessible whistleblower hotline.
The Committee of Sponsoring Organizations (COSO) framework serves as the “gold standard” that most public companies in the United States use to satisfy these requirements. COSO is made up of seventeen principles for an effective control environment, divided into five categories (C.R.I.M.E).
- Control Activities: mitigate risks, develop tech control and deploy controls throughout policy and procedures.
- Risk Assessment: objectives, risk analysis, and identification of changes that could affect internal controls.
- Information and Communication: relevant usage of info to support controls, communication of controls internally and externally.
- Monitoring: ongoing and periodic evaluations of internal controls and communication of any control deficiencies.
- Control Environment: commitment to integrity and a competent workforce, oversight, reporting lines, and accountability.
Stock Exchange Rules
If an organization plans to go public, it’ll also need to meet specific compliance rules issued by its stock exchange.
The NASDAQ, under Rule 5610, requires companies to:
- Establish a public code of conduct for all employees that is actively enforced
- Approve waivers for directors or executive officers through the Board. Waivers must be disclosed within four business days.
- Have a code of conduct that complies with SOX Section 406
The New York Stock Exchange (NYSE), under Rule 303A, requires companies to:
- Establish a public code of conduct for all employees that is actively enforced
- Disclose waivers, made only by the Board or Board Committee, promptly
- Establish a code that contains compliance standards and procedures, ensuring prompt and consistent action against code violations. The code must address: Conflicts of interest, corporate opportunities, confidentiality, fair dealing, protection of assets, compliance with law and reporting requirements
Steps to Take in Building A Code of Business Conduct and Ethics
You’ve reviewed the three legal frameworks, the new guidelines, and dozens of pages of documents. What should you do next? Build out your business program and Code of Business Conduct and Ethics.
As long as you keep these three main points in mind, you should be able to establish or effectively update a robust compliance and ethics program.
- The program should be ingrained into a company’s culture and be designed and enforced to prevent and detect criminal conduct.
- A specific high-level employee should maintain the compliance and ethics program with day-to-day operational responsibilities.
- Your program should include and regularly share its anonymous or confidential reporting feature where employees can report workplace issues or seek guidance without retaliation.
Once your foundation is established, the final steps are to heighten your company’s diligence and maintenance of the compliant ethics program.
- Create and share company-wide policies, procedures, and reporting structures
- Establish annual refreshers and new employee training around the code of conduct
- Source software to automate and simplify program maintenance and data analysis
- Build communications and messaging to remind and keep employees well informed
- Regulate investigation and response protocols to ensure effective employee follow up
How Can AllVoices Help?
As we prepare to transition into a post-COVID-19 world, it’s clear that programs and cultures of the past may no longer be adequate. But, taking advantage of this opportunity for a new or refreshed compliance program, in considering the new normals to come, will ensure that your company and its stakeholders are well protected and prepared.
The AllVoices platform is SOC2 and SOX compliant yet more modern, mobile, and user-friendly than a typical whistleblower hotline. It is a simple solution to ensure that your company is up to date with the newest DOJ guidelines and values of a modern workplace.
With the help of AllVoices, your compliance team can proactively improve workplace culture and give employees an anonymous way to report or voice their concerns. The incredibly user-friendly design features customizable dashboards that allow companies to be vigilant in staying compliant, following up on reports, and proactively identifying issues.
AllVoices allows you to check the box of being compliant and take it a step further- genuinely benefit from the honest feedback and voices of your employees.
