Complacent About Compliance?
In his excellent blog on the Federal Corrupt Practices Act (http://www.fcpablog.com/blog/), Richard Cassin has written about an effective compliance programme. He notes that the purpose of an “effective compliance programme” is to prevent and detect criminal conduct.
In his suggestions on what constitutes an effective compliance programme, Cassin based his guidance on the United States Federal Sentencing Guidelines. He suggested the following:
A Written Programme: A company must have standards and procedures in place to prevent and detect criminal conduct.
Board Oversight: A public company’s Board of Directors must be knowledgeable about the content and operation of the compliance programme and must exercise reasonable oversight of its implementation and effectiveness.
Responsible Persons: One or more individuals among a company’s top management must be assigned the overall responsibility for the compliance programme.
Operating and Reporting: One or more individuals must be delegated day-to-day operational responsibility for the compliance programme. They must report periodically to top management on the effectiveness of the compliance programme. The individuals must have adequate resources, appropriate authority, and direct access to the Board or Audit Committee.
Management’s Record of Compliance: A company must use reasonable efforts not to hire or retain personnel who have substantial authority and whom a company knows or should know through the exercise of due diligence have engaged in illegal activities or other conduct inconsistent with an effective compliance programme.
Communicating and Training: A company must take reasonable steps to communicate periodically about its standards and procedures to the stakeholders — by conducting effective training programmes or disseminating information appropriate to the individuals’ respective roles and responsibilities.
Monitoring and Evaluating; Anonymous Reporting: A company must take reasonable steps (a) to ensure that its compliance programme is followed, including monitoring and auditing to detect criminal conduct, (b) to evaluate periodically the effectiveness of the compliance programme and (c) to have and publicise a system, which may include mechanisms that allow for anonymity or confidentiality, whereby a company’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.
Consistent Enforcement — Incentives and Discipline: A company’s compliance programme must be promoted and enforced consistently throughout a company through appropriate (a) incentives to perform in accordance with the compliance programme and (b) disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.
The Right Response: After criminal conduct has been detected, a company must take reasonable steps to respond appropriately and to prevent further similar criminal conduct, including making any necessary modifications to a company’s compliance programme.
Assessing the Risk: A company must periodically assess the risk of criminal conduct and take appropriate steps to design, implement, or modify its compliance programme to reduce the risk of criminal conduct identified through this process.
—Thomas Fox has practiced law in Houston for 25 years. He is now assisting companies with FCPA compliance, Risk Management and international transactions. This article is published with prior permission from www.information-security-resources.com.
