Why Your Small Business Needs a Compliance Program
Businesses often forget the importance of compliance programs, whether they are small, medium-sized, or large. No matter the size of the business or the industry it is in, an effective compliance program must be an essential part of any business’s operations. A successful compliance program can help any business minimize the risk of a lawsuit, fines, and even jail time. The more companies operate, make profits, and grow, the greater the risk of a lawsuit. Unfortunately, many small companies delay the establishment of a compliance program and pay a hefty price. This article is therefore designed to motivate small business owners to ensure their company is protected with an adequate compliance program.
So, what is a compliance program? In essence, a compliance program is a business’s process of making sure the company and its employees are following the laws, regulations, company policies, and ethical standards within the organization. Many experts break down compliance into two distinct areas: regulatory and internal. Regulatory compliance is a company’s process of making sure its employees know the law and ensuring all of their actions are in compliance with the law. On the other hand, an internal compliance program concentrates more on the business’s internal policies and standards to safeguard the business’s culture. Both regulatory and internal compliance programs are important tools to help business owners minimize the risk of employee turnover, government fines, and possible jail time. Moreover, the lack of an effective compliance program puts the business at extreme risk of an expensive lawsuit that could put a small business owner out of business.
Small business owners often don’t take the time to create a compliance program because it can be difficult to accomplish, especially when the business lacks the time and resources to ensure that every employee is following the company standards, laws, and regulations. Unfortunately, most small businesses start and stop their compliance efforts with an employee handbook that contains some of the company’s policies and procedures. While this is a necessary step in the right direction for a compliance program, there are many more actions that a business must take to minimize the risk of liability. In fact, most experts on compliance recommend that small business owners, at the very least, take the following actions to minimize risk.
1. Convince the Leadership to Commit to Corporate Compliance.
It might seem obvious that all of the people at the top of an organization must be committed to compliance, but often the leadership of a business is preoccupied with so many other matters that a compliance program is not seen as a priority. This is especially true of small business owners, who may or may not represent the whole leadership of a company. If the heads of a company don’t give compliance a full endorsement, then the employees won’t consider compliance a priority. A small business owner must motivate employees to embrace the business’s compliance program. Business owners who don’t have the time to commit to a compliance program often show their commitment by hiring a chief compliance officer who is responsible for the day-to-day management and oversight of the compliance program. For example, one small technology company in the global payments field, which had only 20 employees, hired a compliance officer to ensure the company complied with, among other things, state and federal laws concerning privacy, consumer protection, and transferring money. Fortunately, when the U.S. government found out that one of the company’s customers was operating one of the biggest Ponzi schemes in U.S. history, it declined to prosecute the company due to its well-orchestrated compliance program.
Whether it’s the small business owner, top management, or a compliance officer, employees typically follow the express or implied priorities endorsed by the leadership of the company. If it’s clear that the leaders of the company are overly focused on short-term profits, the employees will also be focused on short-term profits. For example, in 2016, Wells Fargo, in a quest to significantly increase its profits, highly encouraged and pressured employees to increase their sales by any means necessary. As a result, employees created millions of fraudulent savings and checking accounts, and by the end of 2018, Wells Fargo had sustained over $2.7 billion in civil and criminal lawsuits. In contrast, Morgan Stanley, in 2012, had established and maintained a successful compliance program that greatly reduced its risk of litigation. After a top executive was charged with bribery, the government refused to prosecute Morgan Stanley because it discovered an effective compliance program.
2. Analyze Potential Risks Specific to the Business.
Once a small business owner gets on board with a compliance program, it’s time to assess the risks of the business. All businesses are subject to countless internal and external risks. Some of those risks are general and affect every business, big or small. Other risks are specific to the type or size of the business. Examples of common risks that apply to all businesses include, but are not limited to:
· Finance (e.g. accounting, taxes, inventory management, capital management)
· Corporate Governance (e.g. audits, ethics, conflicts of interest, structure)
· People (e.g. hiring and firing, compensation and benefits, performance management)
· Business Operations (e.g. sales and marketing, contracts, intellectual property, vendors)
· Data (e.g. customer lists, employee privacy, storage and protection)
The problem with many small businesses is that they don’t analyze potential risk until something goes horribly wrong. However, assessing risk after something goes wrong can lead to costly government fines and/or legal action, especially since laws and regulations frequently change. For example, just recently, McDonald’s employees united to report unsafe working conditions to the Occupational Safety and Health Administration. More specifically, they claim that there have been 31 violent incidents over the last six months in addition to frequent sexual assaults and robberies. Moreover, a workers’ rights group found over 700 news stories regarding violence at McDonald’s over the last 3 years, with 72% of those accounts involving a gun. Given the lack of a proper risk assessment regarding potential violence against employees in its stores, it’s likely the company will be facing hefty fines and lawsuits for not uncovering and preventing that risk. Some of the best methods to assess risk include:
· Create Questionnaires
· Conduct Interviews
· Generate an Audit Report
· Review Existing Systems and Controls
· Assign Responsibility for the Audit
· Consider Hiring a Lawyer to Help
· Use Risk Matrices
· Prioritize Risks
· Put Together a Timetable for Updating the Risk Assessment
3. Establish Standards and Controls.
Once a risk assessment is conducted, small businesses should incorporate detailed written procedures and policies for dealing with the risks it identified. For example, all employees should be aware of a code of conduct that addresses the standard behaviors that are expected of each employee and what control measures the business has in place to ensure employees meet those expectations. In the area of employment relations, businesses typically place their standards and controls in an employee handbook. At minimum, small businesses should have an employee handbook that includes the following policies and procedures:
· An Acknowledgement that the Employee has Received and Read the Handbook
· An At-Will Employment Disclaimer
· Employment Classifications (e.g. exempt vs. nonexempt, full-time vs. part-time, etc.)
· Orientation and Training
· Hours of Work/Attendance/Inclement Weather/Holiday/Vacation
· Dress Code
· Personnel Records
· Internet/Social Media Policies/Email
· Substance Abuse Policies
· Anti-Discrimination & Harassment Policies
· Compensation & Benefits Policies
· Dispute Resolution and Termination Policies
Regardless of the size of your company, an employment handbook is paramount to minimizing the risk of violating any of the many employment laws, improving employee morale, and ensuring consistency in the company. Even if your company has two employees, an employment handbook is still needed. Some of the most common issues in employment disputes involve misunderstandings about the company’s employment policies, inconsistent application of the employment policies, or perceived unfairness. Employees can sue at any moment once they become disgruntled or are terminated; an employee handbook with appropriate standards and controls can minimize that risk. In the event of litigation, the employee handbook can provide pertinent evidence of company policies and standards of behavior. Most small businesses can find a free or low-cost employee handbook on the internet. Otherwise, they can hire an attorney for assistance.
In addition to employee handbooks, all businesses should have standards and controls that apply to their relationships with vendors, customers, regulators, and business partners. Also, depending on your business, you may need standards and controls that relate to accounting and tax, anti-money laundering, ethics and conflicts of interest, immigration, data and personal privacy, etc.
4. Communicate and Train All Employees.
The next important component of a strong compliance program is to communicate with and properly train all employees and third parties on relevant laws, regulations, policies, and prohibited conduct. Communication and training are different, but both are important ways to make sure everyone in the company, and third parties that do business with the company, are abiding by the compliance program. Most companies address compliance in their business meetings and through memos. Bigger companies record meeting minutes addressing compliance issues. However, smaller companies might not have frequent meetings, so communicating through memos might be the best course of action. The advantage to the small company of communicating through memos is that it creates a record of your diligent efforts to maintain an effective compliance program. This can be very effective in an investigation by the government and/or in defending your business in a lawsuit. For example, in the state of Oregon, there’s a new law that prohibits businesses from providing customers with single-use plastic straws, stirrers, utensils, or plastic-packaged condiments like soy sauce or coffee creamers. Without an effective compliance program that ensures the business has educated all employees about the new law, the business may incur fines of $500 for each violation.
In addition to communication, it is important to make sure all employees receive training on your compliance program. At a minimum, annual training should take place in every business, large or small. For smaller businesses, hiring an expert compliance person to conduct training is sometimes an option, as long as that expert is aware of all the potential risks of the company. In addition to employees, companies often include officers, third-party vendors, and stakeholders in the training. Through the theory of vicarious liability, businesses are generally responsible for the actions of their employees; however, sometimes businesses can be held responsible for the actions of a third party with whom they have a contract. For example, just recently, a company that owned a hotel and contracted out spa and fitness services within the hotel was sued by a guest over a sexual assault involving a staff member of the spa and fitness center. The plaintiff sued under the theory that a hotel has a duty to protect its guests from foreseeable harm. The company was found liable for failing to communicate with and train third parties concerning the company’s policies regarding harassment. Accordingly, third-party training is always important.
5. Oversee the Continuity of the Compliance Program.
Furthermore, an effective compliance program requires ongoing monitoring and auditing. Monitoring and auditing are two different methods of ensuring the program is up to date and meeting the ongoing needs of the business. Monitoring is the process of reviewing and detecting any defects in the compliance program and quickly reacting to remediate any harm. Auditing is more of a limited review of specific business components in order to evaluate certain risks. Both functions are important and often work together: if, during the monitoring process, a business detects a heightened risk, it might be time for an audit to further investigate the issue. For example, if through the process of monitoring a non-bank financial services provider notices an increase in money transactions in a specific region, the business may need to audit the region to ensure the company is following its internal policies as well as the laws and regulations concerning money laundering. Moreover, a company should pay attention to the types of questions employees ask during training. These questions may uncover issues that need further investigation.
Again, compliance programs are not just for big businesses; they are critically important for businesses of all sizes. By having an efficient compliance program that all employees are invested in and consistently follow, you can avoid the risk of litigation, fines, and even jail time. If you don’t have a compliance program, you should hire a professional to help you establish one in your company today.