Seven Steps for Developing an Effective Compliance and Ethics Program

By Kristin Graham Koehler and Brian P. Morrissey

An effective compliance and ethics program is essential for virtually all U.S. businesses in today’s regulatory environment, particularly retailers. Essentially, a compliance and ethics program is a set of protocols a company puts in place to prevent and deter unlawful conduct and to promote a culture of compliance. There are at least two reasons to invest the time and resources necessary to create such a program and make it effective. First, an effective compliance program provides management timely and accurate information about potential legal problems and a means of promptly redressing them. Second, if a company is ever investigated for a potential violation of federal law, having an effective compliance program in place may significantly reduce any penalty imposed and may even convince prosecutors not to pursue penalties at all.

It is virtually impossible to prescribe a “one-size-fits-all” compliance program for companies in any industry, especially retail. Most retailers have broad and diverse business lines, and face a multitude of federal regulatory requirements at each phase of their operations, including merchandising, supply chain management, and human resources, to name just a few. Yet, regardless of a particular retailer’s business lines, the core structure of an effective compliance program is largely constant. The “Organizational Sentencing Guidelines,” a set of advisory sentencing benchmarks promulgated by the U.S. Sentencing Commission at the direction of Congress, set forth seven elements necessary to make any compliance program effective. (See the U.S. Federal Sentencing Guidelines, 18 U.S.C.A. §8B2.1, for more detail.)

(1) Standards and Procedures: A company must establish standards and procedures to prevent and detect criminal conduct, and communicate them effectively. At bottom, this is a common sense requirement: if a company expects its employees to do the right thing, it needs to communicate, through standards and procedures, what the right thing is and how it can be accomplished. It is equally important to communicate this information to employees in a concise, practical fashion, rather than through cumbersome legalese.

(2) Leadership and Oversight: A company must give a specific senior executive or committee of executives overall responsibility for the compliance program. However, a company’s “governing authority” — typically its board of directors — must oversee its implementation. In addition, all management, not just those with direct oversight of the program, must understand the company’s policies relevant to their business unit and ensure that employees under their management understand and follow those procedures.

(3) Individuals with Substantial Authority in the Company Cannot Have a Propensity to Act Criminally or Unethically: A company must use “reasonable efforts” not to give individuals who have engaged in illegal activity or other conduct inconsistent with an effective compliance program a role in senior management or supervisory authority over the program (e.g., as a manufacturing plant or sales manager). This does not impose an absolute bar on hiring individuals with a history of misconduct for positions of responsibility. Yet, when making hiring decisions, a company should consider the degree to which an individual’s record of misconduct relates to the individual’s anticipated responsibilities.

(4) Communication and Effective Training: A company’s compliance program cannot merely look strong on paper. The company must effectively implement the program through education and training. In the retail industry, training for many employees may need to cover topics such as confidential information, proper accounting, organizational property, gifts and favors, fair labor standards, unfair trade practices, Americans With Disabilities Act rules, sexual harassment, outside employment, and reporting. Training should not merely recite the law, but should explicitly explain the company’s policies and ask employees to think through complex “gray areas” they may encounter in their day-to-day tasks.

(5) Monitoring, Auditing, and Disclosure: A company must audit its compliance program to make sure its elements are actually being implemented and periodically evaluate the program’s effectiveness. For example, auditors may ask employees what they perceive as the “unwritten rules” within the company to determine whether the compliance program’s goals match its actual operation. Separately, a company must provide employees with effective mechanisms through which to anonymously or confidentially report potential misconduct or seek guidance on compliance issues, protect such individuals against retaliation, and adequately follow up on their reports.

(6) Discipline and Incentives: A company must provide appropriate incentives to encourage employees to comply with the program and impose appropriate disciplinary measures when employees fail to do so. It is important for the company to enforce these rules consistently to maintain the credibility of the program.

(7) Corrective Action: A company must address misconduct after it occurs — including, at times, self-reporting to the authorities — and must take reasonable steps to prevent similar misconduct in the future. In addition, a company’s Board or Audit Committee must receive regular and meaningful reports on audit results and the status of corrective action.

Finally, once these seven elements are in place, the program must be periodically reassessed and modified to ensure that it is kept current and effective.

All retailers with significant U.S. operations should adopt a compliance program based on the Guidelines’ approach. In addition to providing information about potential problems and a means to address them, such a program offers a company critically important protection if it is ever investigated for potential misconduct. Under federal law, a company typically is liable for the wrongful acts of an employee so long as the employee is acting in an official capacity, even if the employee acted contrary to corporate policy and instructions. If a company finds itself in that position, having an effective compliance program in place can help to insulate it from the harsh sanctions that would otherwise apply by convincing prosecutors that no penalties are appropriate or, at a minimum, reducing any penalty imposed.

With the assistance of counsel and other experts, a compliance program can be tailored to an individual retailer’s precise needs. The seven elements described above, however, provide the essential foundation for any retailer embarking on this process.

Kristin Graham Koehler is a partner in the Washington, D.C., office of Sidley Austin LLP, where her practice focuses on the representation of corporations and individuals in all phases of government enforcement matters, including internal investigations, grand jury proceedings, and trials. She has significant experience in developing corporate compliance and audit programs in a broad range of industries, including retail.

Brian P. Morrissey is an associate in the Washington, D.C., office of Sidley Austin LLP, where his practice focuses on white collar and complex civil litigation matters and appeals. He can be reached at