Compliance – from a tool to a culture

Compliance programmes are gaining in popularity, in particular in the context of a draft of a new corporate criminal liability act, as a defence precisely against this liability. Primarily, however, compliance should be a tool for ensuring that an organisation functions properly, especially as the number of regulatory requirements is on the rise. To fulfil both functions, a compliance programme must be effective.

What is a compliance programme?

Compliance means to act in line with currently applicable law, adopted values, and ethical rules. Therefore, the compliance function is to ensure that a business functions in a manner that minimises the risk of misconduct, even if it is involuntary or is a result of routine. Thus, a compliance programme is intended to minimise the risk of legal liability as well as of financial loss or damage to reputation.

This compliance function is fulfilled mainly through implementation of procedures. In practice, there are two types of compliance procedure, structural and sectorial.

Structural procedures are a set of principles and rules that provide a framework for an effective compliance programme. The basic elements include:

  • A code of practice (ethics) that represents the values that an organisation adopts , and is used as a guide in a business’s operations,
  • A function created separately within the organisation’s structure held by a person responsible for compliance,
  • A transparent structure and system of allocation of duties, and definition of relationships of dependence between posts at particular levels of the organisation,
  • A procedure for reporting and investigating misconduct and introducing remedial measures,
  • A procedure for conducting checks on external service providers.

Mapping the risks existing in a business’s operations is also a crucial element of structural compliance. This mapping, and constant reviewing it, enables the identification of areas of vulnerability that could give rise to misconduct. Thus, to a large extent, risk mapping determines what sectorial procedures should be adopted and applied in a company.

Sectorial procedures are a set of in-company rules of conduct that translate the obligations under laws applicable to specific sectors into corporate language. Therefore, it is the subject area of a company’s activity and its parameters (scale, market, cross-border element of operations, etc.) that determine which sectorial compliance procedures should be implemented in a company. .

At the same time, many sectorial procedures must apply in every organisation. This applies for instance to data protection issues, privacy and human rights, health and safety at work, combating slavery, bribery (which is important within the supply chain), combating unfair competition practices, environmental protection, or reporting tax schemes. Many businesses are also subject to anti-money laundering regulations (for example regarding identification of the true beneficial owner) or cybersecurity regulations.

A compliance programme as a management tool

Overregulation, one of the causes of which is ballooning legislation, can be a headache. When there is a mass of regulations, devising a compliance programme may be perceived as a burden. As the law has to be complied with in some form in any case, a compliance programme can become a management tool in this regard.

Sectorial procedures thus should serve to manage operational processes and duly fulfil obligations in particular areas of business activity. The appropriate application of the sectorial procedures should be in turn framed and managed by the structural procedures.. This includes decision-making processes in all areas of the organisation’s operations. Structural procedures should also regulate, horizontally, the aspects common to each sectorial area. Their function is to monitor procedures and operational processes, and update procedures in line with legislative developments, to allow misconduct to be reported and investigated, etc.

Meanwhile, to ensure that compliance management achieves its purpose and leads to compliance goals being attained, a compliance programme must be effective, i.e. implemented and applied.

Effectiveness becomes one of the basic elements considered in assessment of an entity’s due diligence in meeting legal obligations, including prevention of misconduct within the organisation. A correctly implemented and functioning compliance programme therefore affects legal liability.

Compliance – from a tool to a culture

One of the factors determining effectiveness of compliance programmes is alignment with the specific nature of an organisation’s operations. Although the structural and sectorial framework might in most cases be the same, the procedures have to be tailored to an entity’s operations and its parameters. Making compliance programmes too rigorous can have a choking effect on a business.

Another factor and also a measure of effectiveness of a compliance programme, is the involvement of the managerial staff. Their role should be to send the appropriate and firm message concerning conduct expected of the entire organisation with regard to legal compliance and ethics. Managers at each level have to set an example of conduct in line with the rules established in the organisation. At the same time, the employees must know the rules in place at the organisation, and display the correct approach towards them. This in turn requires the appropriate communication and training. Employees are one of the main sources of evidence, especially for law enforcement agencies, in issues relating to the procedures applied in a company to prevent misconduct.

Compliance procedures cannot exist solely on paper. They must function in the consciousness of everybody in the organisation. The people in the organisation are required to adopt the “do the right things right” approach. A culture of compliance should be a business value, elevated to the status of a competitive advantage. Meanwhile, as effectiveness par excellence, it can help as successful defence against allegations of breach of law.

Aleksandra Stępniewska, adwokat, Business Crime practice, Wardyński & Partners