How To Structure Your Compliance & Ethics Program

One of the many interesting topics covered at PLI’s Advanced Compliance & Ethics Workshop (Oct. 9-10, NYC) was the importance of giving careful thought to a compliance & ethics (C&E) program’s structure and the department’s interaction with the board of directors.

A lively presentation and discussion, highlighted below, was led by Andrea Bonime-Blanc, Esq., Board member and Past Chair of the Ethics & Compliance Officer Association (ECOA), with 20 years of C&E roles in the global media, infrastructure and professional services industries; and Matthew Tanzer, Esq., VP and Chief Compliance & Ethics Officer of Tyco, with 20 years of C&E roles at Tyco, General Electric and GE Plastics.

A little context.  Under the U.S. Sentencing Guidelines (USG), the organization must “promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”  Under the USG, the Board’s ethics and compliance responsibilities are to:

  • Be knowledgeable about content and operation of the C&E program.
  • Exercise reasonable oversight over the C&E program.
  • Have full understanding of the program’s “effectiveness.”

U.S. companies that operate globally are also advised to heed the OECD’s (Organisation for Economic Co-operation and Development, of which the U.S. is a member) numerous publications on proper C&E protocol.

The biggest risks.  According to the Corporate Board Member’s Legal Risks on the Radar (2012), the top 10 risks perceived by directors are data security (48%), operational risk (40%), company reputation (40%), M&A transactions (37%), investor relations (30%), executive compensation (30%), SEC/regulatory compliance (28%), disaster recovery (27%), internal controls (26%) and global business expansion (26%).

Top 10 risks for general counsel are similar: data security (55%), operational risk (47%), management of outside legal fees (38%), company reputation (35%), disaster recovery (35%), e-discovery (33%), FCPA (30%), global business expansion (29%), internal controls (26%) and executive compensation (26%).

Some benchmarking.  How often does your CCO report to the Board?  A prominent benchmarking study recently showed that a significant majority of companies have their CCO submit a written report at least quarterly to a Board committee.[1]  These reports are submitted almost always at in-person meetings.  Of 127 companies surveyed, 15% of companies’ CCOs met with the Board committee monthly (at all or most Board meetings), 57% met quarterly, 7% annually, 6% ad hoc (when necessary), 2% rarely or never and 13% other.

The majority of companies also have their CCO meet regularly with the CEO or Senior Executive Team.  10% meet weekly, 28% monthly, 23% quarterly, 32% ad hoc (when necessary), 3% rarely or never, 3% other.

Best Practices.  According to the presenters, ideally the Chief Ethics, Compliance, CSR & Risk Officer reports directly to the Board of Directors and the Executive Team, and leads the Corporate Responsibility Committee (CRC).  The CRC Charter would require the Committee to:

  • Promote ethical business conduct and the creation of value for all stakeholders.
  • Maintain strong corporate governance, adherence to applicable laws and regulations, and adherence to company policies, including the Code of Conduct.
  • Provide a productive and safe working environment.
  • Encourage sustainability & participation in community initiatives to protect the environment and enrich the communities in which the company operates.

Possible members include the Chair (CECO), Chief Legal Officer, Chief Financial Officer, Chief Operating Officer, Head of Sales, Head of Human Resources, Head of Internal Audit, Head of Quality Management, Head of Environment, Health and Safety, Regional Heads, Information Security SME, International Trade SME, Anti-Corruption SME, Data Privacy SME, Other SMEs.

Sample topics of the CRC include: Core values, corporate governance, global code of conduct & policies, global ethics & compliance, enterprise risk management, crisis management, quality management, global information security, data privacy, global anti-corruption, business continuity plan, environment management, health & safety, employee talent management, employee satisfaction, community involvement, trade (import/export) compliance.

An inside look at Tyco. At Tyco, the compliance team has a detailed mission statement that covers (a) the promotion of a culture of ethics and integrity globally; (b) supporting Tyco’s business objectives and values – which include, among others, teamwork, integrity and accountability; (c) ensuring the code of conduct and all applicable laws are adhered to worldwide; and (d) the provision of tools and resources for businesses and employees to effectively fulfill their C&E obligations.

There are 6 principal elements of Tyco’s C&E program: tone at the top, adequate resources, global policies & procedures, global compliance measurements, effective compliance assurance program, culture of zero tolerance for non-compliance, and communication with all stakeholders, internal and external.  Key metrics are provided to the Board and business leaders quarterly.  These metrics include a breakdown of OMBUDS cases and concerns, compliance forms open/submitted, training, and third-party program activities.

The Compliance team has monthly conference calls with the Chair of the Audit Committee of the Board, and gives quarterly presentations to the Audit Committee at which it provides a quarter/half-year update on strategic objectives for the year, plus a dashboard summarizing new/ongoing investigations, new risk areas identified, new policies under consideration/development, and training and communication efforts underway.  The Compliance team also gives periodic and annual E&C Education presentations to the full Board.

The responsibility of the Board, in turn, includes ensuring a proper “tone at the top,” that the CECO function has appropriate resources and visibility to achieve desired results, staying informed about the C&E/CR program and the ERM program and results, including questioning management about its tolerance for risk, particularly as part of management’s strategy, and being skeptical.

The Audit Committee, among other tasks, oversees the code of conduct and Tyco’s C&E program, annually reviews it and assesses its adequacy, monitors the hotline and management follow-up to matters reported and recommends changes to the full Board.  Compliance matters regularly reviewed with the Audit Committee include investigations or compliance breakdowns, training completion statistics, biannual code of conduct commitment results, compliance culture survey results, new laws and regulations, and their impacts, annual risk assessment results, and ombudsman office statistics.


Mandy Roth is an experienced attorney and works in AML compliance at HSBC in New Castle, Delaware.  She is actively seeking to transition into a compliance officer role that will leverage her analytical skills and knowledge of the legal and financial systems.  Mandy also writes articles in French for a French magazine and is an avid yoga practitioner.  She enjoys networking and can be reached at or

[1] Source: PwC and Compliance Week.
