On Line Training-Risk Management Benefits
Many countries now require companies to implement compliance policies for legal and risk management reasons. Some companies have implemented compliance policies for brand image and other reasons as well. A compliance program, properly implemented, not only increases a company’s brand image but reinforces ethical behavior, which in turn minimizes violation of local laws by upholding compliance with financial and legal rules. In essence, a compliance program yields many benefits, especially those associated with brand image. Risk Management has become involved in the implementation and auditing of compliance programs; as such, Risk Managers or Compliance Officers must not only implement compliance programs that identify areas of risk but also train executives and employees in compliance areas deemed important by the company. To understand compliance in general and the reasons for compliance training, one needs to review the history of compliance in the United States.
US Compliance History
In November 1991, an innovative piece of legislation was enacted in the United States that had a profound effect on corporate America. This has reverberated throughout the world. The legislation was the US Federal Sentencing Guidelines (“Guidelines”).
The Guidelines are used by judges to determine the appropriate sentence for corporations convicted of a federal crime. According to the Guidelines, a corporation may be sentenced or fined for federal offenses connected with antitrust, securities, bribery, fraud, money laundering, criminal business activities, extortion, embezzlement, conspiracy, etc. As you can see it is quite broad and covers many “illegal” activities. When deciding on an appropriate sentence, judges were for the first time asked to consider whether the corporation had an “effective compliance program” before the violation took place or, in other words, whether the corporation took appropriate steps to prevent and detect violations of law. Therefore, in order for courts to reduce or mitigate criminal sanctions, companies must now have a compliance program in place. The Guidelines were amended in 2004 (Revised Guidelines).
The Revised Guidelines
The Revised Guidelines recognize that effective compliance and ethics require more than policies and procedures; they also entail a focus on an organizational culture that promotes law abidance. In other words, a major focus is on compliance and ethics. For the first time, a set of laws creates a legal mandate for compliance. It looks at:
- A focus on ethical behavior
The current Revised Guidelines also recognize seven elements of an “effective compliance program”:
- Compliance standards and procedures (a code of conduct should exist)
- Oversight by high-level personnel (the Board must oversee the program)
- Due care when delegating authority (due care in hiring employees)
- Effective communication of standards and procedures (training)
- Auditing/monitoring/reporting systems must be in place
- Compliance must be promoted and enforced consistently throughout the organization.
Establishment of Compliance Program
The establishment of a compliance program anywhere in the world usually consists of adopting a company code of conduct, with perhaps specific policies governing local conditions. However, because of the U.S. requirements, many organizations have adopted compliance policies that conform to U.S. standards. Because of the Revised Guidelines, specific elements of a valid compliance program are required. They are:
The basics—what is needed?
- A code of conduct
- Local codes of business ethics (and other company policies) covering each country in which a company does business
- Local training on all aspects, such as antitrust, employee issues, etc.
- A system to report suspected wrongdoing to the company
- An anonymous reporting system allowing employees to report wrongdoing anonymously
Code of Conduct
The code of conduct in a company’s compliance program should incorporate various principles. Primarily, the following five basic principles should be followed or reflected in the code:
The company complies with local laws and ethical standards of society.
The company maintains and promotes an ethical organizational corporate culture.
The company respects customers, shareholders, and employees.
The company cares for the environment as well as the health and safety of its customers and society.
The company is a socially responsible corporate citizen.
U.S. Compliance Program Code of Conduct
To establish an “effective compliance program” under the guidelines and other U.S. laws, a foreign company normally goes beyond its local code or domestic code of conduct. Its employees must be familiar with the specific laws that govern their conduct in the jurisdiction in which they work.
If a company has a branch or division in the United States, it must have a U.S. Code of Ethics, which is designed to inform employees in the United States about the specific laws and standards governing their conduct. Having a compliance program is mandated by the U.S. Sentencing Guidelines.
To have an effective compliance program, a company must also hold compliance training after it “launches” the compliance program. Which areas of training should be covered and how the training should be given are of major interest. It is best if the company offers local compliance training covering the relevant laws and practices where people are located. Training can be given in person, online via web-based training, or by other media. It must be given on a regular basis. Lately, it is becoming apparent to many companies and organizations that on-line training is perhaps the most efficient and economical method of compliance training if properly implemented. This is especially true if on-line training can be conducted on a local or micro level, allowing subsidiaries and/or affiliated companies and divisions to conduct on-line training targeted to select groups of employees and functions as well.
Training on the code of conduct can be given by HR or by Legal.
- Local training in antitrust, anti-harassment, anti-discrimination, and anti-retaliation, ethics, illegal business practices, financial integrity, customs, etc.
- The majority of the local training will be online.
- The goal is to equip employees to handle compliance issues.
- Training should help employees to identify potential wrongdoing.
- Training should help employees understand their role in the compliance scheme.
- It should let them know what to report and how to report.
The U.S. Compliance Program: Reporting Wrongdoing
In the United States, having an effective reporting system has come to mean one that encourages reporting by allowing for a variety of reporting avenues including anonymous reporting systems.
If an employee was limited to one avenue of reporting (i.e., to his supervisor), it is likely he would not report wrongdoing if his supervisor was involved.
In the United States, a company should allow for employee reporting normally as follows.
On-line compliance training should cover all employees to the extent possible. For compliance programs to be effective, normally all employees are required to promptly report all known or suspected violations of applicable laws or of the compliance program, including corporate policies. Reports of such violations shall be promptly made to a manager; the compliance officer, risk manager if any; HR; or to the Law Department. If any employee wishes, he or she may report violations anonymously via an anonymous e-mail (or by phone) system. All reports should be promptly and thoroughly investigated.
To the extent possible and permitted by law, the company must take reasonable precautions to maintain the confidentiality of those individuals who report legal or compliance-related violations.
Training programs may vary depending on the needs of a particular company. Training programs may consist of instructor-led training, Internet-based or e-learning programs, or even a combination of both. It is up to the company to decide which training program fits the needs of its employees and suits its budgetary constraints. In fact, companies in the United States are scrambling to decide how to handle the required training programs for the BOD and executive management, including what form the training should take, its content, and its frequency. However, it is apparent that, especially for multinational companies or companies in general that lack in-house training facilities, e-learning is becoming the easiest and most effective compliance training tool for a number of reasons. First, it is much easier for most employees of any company to access a computer and therefore the internet. Many companies have streamlined over the years and have outsourced the training function to independent third parties. Second, it is more effective to target certain groups of employees across corporate departments with customized e-learning compliance programs than to try to offer in-house training in person.
Risk Assessment of Compliance Programs
A risk assessment or legal risk management audit (LRM) is vital in the implementation and continued success of any compliance program. Not only do the U.S. Federal Sentencing Guidelines require a periodic risk assessment of a compliance program, but conducting a periodic risk assessment has an upside as well. By conducting a periodic or annual assessment of the compliance program, the company or organization not only receives valuable feedback on the program from employees and management, which will help it improve the compliance program, but will also be in compliance with the U.S. Federal Sentencing Guidelines. By conducting an LRM audit of the compliance program, a company should be able to:
- Review and modify existing corporate processes.
- Update current compliance training, if needed.
- Modify the Compliance Department structure if needed.
- Add additional policies and/or training programs.
- Add additional manpower to comply with the compliance needs of the corporation if necessary.
E-Learning Or On-Line Initiatives
Many corporations are implementing an enterprise-wide compliance e-learning program on line. In order to meet a compliance training effort that exceeds the minimum requirements of the US Sentencing Guidelines or a local country’s laws, Risk Managers or Compliance Managers are having to implement certain key or tactical steps that sufficiently address the E-Learning needs of the company. Such steps include:
– Determining goals and estimated budget
– Assembling staff to implement E-Learning
– Creating a Code of Conduct Training Plan
– Determining a 3-5 year Compliance Training Program
– Receiving proposals from E-Training Vendors
– Choosing Vendors and customizing E-Learning Programs
– Launching E-Learning Compliance Programs
– Measuring effectiveness of E-Learning Programs
E-Learning Compliance Programs involve a substantial number of technology issues. A company’s Legal Department or Risk Management Department may not be equipped to deal with all of the issues. The technology issues need to be addressed up front, not only during the E-Learning Vendor selection process but also during the planning stage with the company’s IT department. The right internal parties must be involved, and sufficient time must be invested in determining what technology requirements will need to be addressed so that the E-Learning Compliance programs are properly deployed. Issues that should be addressed include:
– Bandwidth constraints that preclude the use of video based programs;
– Difficult integrations between a vendor’s data and an organization’s Human Resources Information System (HRIS) resulting in a botched administration of the program;
– Corruption of training records, which undermines the integrity of the system.
To address the issues and facilitate the smooth implementation of the E-Learning program, a Risk Manager or Law Department will have to ask and answer the following questions:
1. What is the required minimum network infrastructure necessary to run the E-Learning based training programs?
2. Will the programs be hosted internally or externally?
3. What will the organization use as a Learning Management System?
4. How will the programs be technically administered and will they be integrated with the organization’s HRIS?
Current Practices for Technology and Record Keeping
Companies that have trouble-free E-Learning Compliance Programs have developed a number of practices that have led to successful implementation of E-Learning programs. Such practices can be narrowed down to six basic steps or practices and are as follows:
(i) Companies have avoided using excess video in E-Learning programs that may run into bandwidth constraints. Companies have found that using technologies that can avoid network bottlenecks works best.
(ii) Companies have found ways to leverage E-Learning for non-networked employees. Though some employees are not usually on a network, such as floor managers or industrial workers, companies are able to create kiosks or ad hoc E-Learning training centers that connect employees.
(iii) Companies work with vendors to limit the need for multiple sign-ons/passwords. Most employees already have multiple passwords to access various corporate systems.
(iv) Companies work with external vendors to maintain the security of the corporate systems. Corporations must be satisfied with the E-Vendor’s security protocol and must take steps before the launch of the E-Learning Program to avoid hacking.
(v) The technical sophistication of E-Learning vendors varies widely. Companies have found it necessary to conduct test integrations with possible vendors.
(vi) Prior to officially launching the E-Learning Program, companies have required a pilot test program to filter out bugs and provide fixes prior to launching the programs.
E-Learning in a Corporate Setting: What Next
When implementing appropriate on-line or E-Learning Programs in a corporate setting for compliance or other legal or risk management concerns, Risk Managers must be involved at the beginning planning stages. An enterprise-wide compliance E-Learning initiative is a complex process with multi-part undertakings that are integrated with other parts of a compliance program or ERM program. A Risk Manager should conduct due diligence on the potential vendor. Progress will have to be reported to the Board of Directors as part of the Compliance Process. Therefore, all internal steps will have to be coordinated with relevant departments to confirm the effective and proper implementation of the E-Learning based Programs. This also means that organizations will likely rely more and more on E-Learning based vendors who are able to satisfy the organization’s technology issues including systems integration and customization of programs.
As jurisdictions are requiring more and more compliance-based training programs, E-Learning Compliance Programs will become the dominant training vehicle of the future. More and more companies and organizations will migrate over to E-Learning based training. Companies will have to decide whether to host such programs internally or externally. Due to cost efficiencies, more and more companies will opt to have external E-Learning Vendors host such training, provided such training can be efficiently integrated into the organization’s HR network (HRIS) or a company’s learning management system (LMS). This presents great opportunities for E-Learning Training providers or vendors, provided such vendors can address the technical issues that are inherent in any organization. Risk Managers and/or Compliance Officers must grapple with the issues the company faces when trying to implement an E-Learning based ERM training program. For a successful implementation, both Risk Managers and E-Learning Vendors must work together to address all issues a company will face when migrating over to On-Line or E-Learning Programs. The future appears bright for those vendors offering On-Line training, especially in a corporate context.