While many companies have a compliance and ethics program (Program) to prevent and detect criminal conduct, some do not structure it in the best interest of their organization. A starting point is to thoroughly understand minimum requirements as defined in Chapter 8, Part B of the U.S. Sentencing Guidelines (Guidelines) entitled Remedying Harm from Criminal Conduct, and Effective Compliance and Ethics Program published by the U.S. Sentencing Commission. The Guidelines provide incentives to organizations that follow a structural foundation to self-police their own conduct through an effective Program. Under the Guidelines, an organization that is convicted of a crime may be eligible for a reduced sentence if it had an “effective” Program in place at the time the crime was committed.
The Guidelines define the minimum requirements for an effective Program, which include exercising due diligence to prevent and detect criminal conduct, as well as promoting an organizational culture that encourages ethical conduct. The Guidelines put forward seven minimum requirements for encouraging ethical conduct and demonstrating a commitment to legal compliance. These requirements pertain to standards and procedures, a knowledgeable board of directors, an identified responsible person, communication, training, monitoring, auditing, incentives, and disciplinary measures. The Guidelines also call for the organization to periodically assess the risk of criminal conduct and take appropriate steps to design, implement, or modify requirements of the Program to reduce the risk of criminal conduct identified through the risk process.
The Guidelines apply to all organizations, public or privately held, large or small. They apply to virtually every type of organization, including corporations, partnerships, associations, joint-stock companies, unions, trusts, pension funds, unincorporated organizations, governments and non-profit organizations. The Guidelines do not distinguish between organizational size, meaning all sizes and types of organizations are subject to the same Guidelines. However, scalability to organizational size is an important theme, as the Guidelines specify several times that “reasonable” efforts are expected.
Once an organization has a clear understanding of the Guidelines, it is wise to sync up the requirements with a control framework. In the US, the COSO Framework is by far the most popular control framework. The COSO Framework defines five components (control environment, risk assessment, control activities, information and communication, and monitoring activities) and 17 supporting principles.
Applying the COSO Framework to a Program is not difficult, yet it is very useful in ensuring that the Program’s effort ripples through the culture. Specifically, the components and underlying principles are all critical to the ultimate success of a Program. Integration of Program requirements with the COSO Framework provides a strong basis for aligning objectives, risks and controls to best promote ethical behaviors.