Standards of Compliance in a World of Diversity

Transcription

1 Standards of Compliance in a World of Diversity Jeffrey B. Miller, Esquire Chief Compliance Officer and Counsel Synthes, Inc. 1

2 I. INTRODUCTION Global providers of health care-related products and services strive to provide the highest quality products and services to the patients and providers they serve. Central to this achievement is the creation and maintenance of a corporate culture that emphasizes, safeguards and rewards the highest standards of ethical and professional behavior. In this complex (and sometimes counter-intuitive) regulatory environment, defining appropriate behavior, aligning incentives and safeguarding compliance with legal requirements and ethical mandates can be a challenge. Chief Compliance Officers ( CCOs ) of global organizations must develop programs that satisfy compliance program standards around the world. These programs should set clear, consistent company-wide compliance standards, while maintaining the flexibility to comply with local legal requirements and that satisfy local cultural norms. Failure to develop appropriate compliance standards can result in legal action from individuals and governments around the world, can unnecessarily hinder their companies progress toward legitimate business objectives, or both. Once appropriate standards are developed, they must be effectively communicated to employees who have been pre-conditioned to often conflicting standards of behavior by their diverse societies. Compliance standards should be taught through techniques that make them understandable, which gain employee support for their implementation, and which satisfy legal and company standards. The purpose of this presentation is to provide some information on designing global compliance programs, including international codes of ethics, and to provide some insight into effectively educating international audiences. II. DESIGNING GLOBAL COMPLIANCE PROGRAMS THAT SATISFY LOCAL STANDARDS A. Compliance Program Guidance The most cited source of guidance for developing effective compliance programs appears to be the United States Sentencing Commission s Sentencing Guidelines, U.S.S.G. 8B2.1 (relating to Sentencing of Organizations, Effective Compliance and Ethics Program) ( USSG ). 1 Under these guidelines, corporate compliance programs should be designed to provide effective compliance and ethics programs which are intended to provide just punishment, adequate deterrence, and incentives for organizations to maintain internal mechanisms for preventing, detecting, and reporting criminal conduct. Organizations levels of legal culpability are generally determined by the steps taken to prevent and detect illegal conduct prior to occurrence, the level and extent of involvement in or tolerance of the illegal conduct by supervisory personnel, and organizations actions after an illegal act has been committed. The United States Department of Health and Human Services, Office of Inspector General ( OIG ) is the primary interpreter and enforcer of compliance standards and procedures in the United States for health care-related organizations. In its compliance program guidance documents, the OIG interprets the USSG to establish the operational existence of seven (7) 1 Copies of the USSG can be obtained from the website of the United States Sentencing Commission at 2

3 definable elements for effective compliance programs ( OIG Guidance ). 2 This OIG Guidance is not law or regulation, and holds no independent legal authority. However, it is the OIG s published recommendations and expectations for corporate compliance programs. The OIG Guidance has also been recognized by other United States government authorities as applicable to health care-related organizations who do business in the United States, and as important for the development and management of effective corporate compliance programs. Additionally, the elements of the OIG Guidance are commonly reflected in the corporate integrity agreements ( CIA ) negotiated by the OIG and the United States Department of Justice ( DOJ ) when settling compliance-related prosecutions. 3 These CIAs often contain significant detail on the future compliance program-related responsibilities of the accused organizations, patterning these responsibilities from the OIG Guidance. Often reflecting or becoming industry standards for compliance programs, these CIAs themselves are also an important source of guidance for compliance program design and development. As a result, health care providers, and particularly those who do business in the United States, should carefully consider the recommendations in these documents. Outside of the United States there is relatively little written guidance on the development of effective corporate compliance programs. There are specific standards published by Standards Australia (the Standards Association of Australia) entitled the Australian Standard, , Compliance Programs ( Australian Standard ). 4 The Australian Standard is the first attempt in Australia to publicly and objectively provide guidance for effective compliance programs in Australia. The Australian Standard focuses on legal compliance, but also emphasizes the development of a culture of compliance, emphasizing compliance with other standards such as compliance with voluntary industry codes and organizational policies and procedures. Touching on many of the same themes as the OIG Guidance, with its own particular emphases and distinctions, and adding to additional detail, the Australian Standard organizes compliance programs into five (5) structural elements, nine (9) operational elements and six (6) maintenance elements that are generally consistent with the OIG Guidance. The Australian Standard is drawn from, and is in many provisions similar to, another set of compliance-related standards: the standards developed by the International Organization for Standardization ( ISO ) for quality management systems ( ISO Standards). 5 While many of the ISO s 15,000 international standards do not apply to the development of effective compliance 2 The OIG currently has final guidance documents published for twelve (12) separate segments of the health care industry. Copies of the guidance documents can be obtained without charge from the OIG on its website at 3 Copies of currently effective CIAs can be obtained at no charge from the OIG on its website at 4 Copies of the Australian Standard, , Compliance Programs, as well as HB , A Guide to AS , Compliance Programs, can be purchased from Standards Australia on its website at 5 The ISO is a non-governmental network of the national standards institutes from 157 countries, with one institute per country, with a Central Secretariat in Geneva, Switzerland that coordinates the system. The ISO occupies a special position between the public and private sectors, as many of its member institutes are part of the governmental structure of their countries, or are mandated by their government. Many of its member institutes are in the private sector as well, having been organized by national partnerships of industry associations. Information on the ISO, and on the SIO Standards, can be obtain from ISO s website at 3

4 programs, 6 the ISO s Standards for quality management systems have many similarities to standards for effective compliance program management. In this regard, the Australian Standard cites the ISO Standards for quality management systems as a source for compliance guidance, particularly as they relate to human resource management and training. As a result, these standards can be considered as well when developing international compliance programs. Another interesting source of information for effective compliance programs outside of the United States for health care-related organizations are the standards published by the Japanese Pharmaceutical Manufacturers Association ( JPMA ) known as the JPMA Compliance Program Guidelines ( JPMA Guidelines ). 7 The JPMA Guidelines provide the basic requirements for effective compliance programs in eight (8) defined elements, specifically citing and generally tracking the requirements USSG as described in the OIG Guidance. 8 Significant guidance on implementation of a program is also provided, and is generally consistent with, with its own emphases and distinctions, the guidance provided in the OIG Guidance. It is difficult to summarize the details of all of the guidance and requirements provided by these compliance program guidance documents. As with various legal systems and cultures within which they were created, many different emphases and distinctions exist. Along with the documents described above, a plethora of other important documents may apply as well. Each country has its own rules and customs. CCOs must research and be knowledgeable and sensitive to these varying requirements, emphases and distinctions. However, CCOs should not become discouraged with these varying documents, emphases and distinctions; there are significant commonalities among the documents as well. The development of effective compliance programs universally depends upon the creation of appropriate compliance standards, systems to implement and manage those standards, and internal controls to monitor those standards. These commonalities dominate the design, implementation and operation of compliance programs. Whether organized into seven, eight or twenty element these commonalities remain generally consistent with each other, allow effective global compliance programs to be structured in ways that best accommodate each CCO s company. By addressing these elements flexibly and allowing for regional or country-by-country emphases and distinctions, CCOs can operate compliance programs that are recognized as effective around the world. B. Structuring Basic Elements of Effective Compliance Programs 1. Effective Oversight Chief Compliance Officers; Compliance Officers 6 The ISO's Standards vary from standards for traditional activities, such as agriculture and construction, through mechanical engineering, to manufacturing medical devices, to developing information technology. 7 Copies of the JPMA Guidelines can be obtained without charge from the JPMA on its website at 8 The JPMA Guidelines state that [t]he U.S. Federal Sentencing Guidelines have outlined the minimal requirements to say a party is enforcing an effective compliance program, and that member companies should at least design and implement programs that meet the following eight (8) requirements for an effective compliance program that have been outlined by the U.S. Federal Sentencing Guidelines. JPMA Compliance Program Guidelines, Japanese Pharmaceutical Manufacturers Association, Chapter 2, Section I (April 1, 2001). 4

5 According to the OIG Guidance the first element of an effective corporate compliance program is assigning oversight responsibility to individuals high in the management structure through the appointment of a CCO, and through the assignment of persons to a Corporate Compliance Committee ( CCC ). The OIG obtains this element directly from the USSG, which provide that CCOs should be high-level persons in their organizations with substantial roles in forming and enforcing company policy, similar to executive officers or other persons in charge of major business or functional units. The OIG opines that CCOs: (1) should be senior level officials who report directly to their companies Boards of Directors (or committees of the Boards), and have direct access to their organization s Chief Executive Officers, Presidents and legal counsel; and (2) should be in positions to exercise judgment independent from other senior managers, with the authority to effectuate change across their organizations. The OIG also states that CCOs should not be subordinate to the... [organizations ] general counsels, or comptrollers or similar financial officers, stating that the separation of the compliance function helps to ensure independent and objective legal reviews and financial analysis of the companies compliance efforts and activities. 9 The OIG s corporate integrity agreements also consistently require that organizations CCOs be members of senior management who are not subordinate to the organizations general counsels or chief financial officers. However, in its OIG Guidance documents the OIG also consistently notes that the optimal placement of the CCO in any particular company will vary with the particular situation of that company. Compliance program guidance outside of the United States is generally consistent with this approach. The Australian Standard, consistent with its focus that seeks to integrate the compliance function closely with existing organizational management, places the responsibility for compliance squarely upon organizations Chief Executive Officers. Independent CCOs are not required. However, the Australian Standard recognizes that most organizations will find it helpful to create a separate staff lead by a CCO. Where CCOs positions are created, the CCOs should be senior executives with direct access to their Chief Executive Officers, as well as any existing audit committees or compliance committees. CCOs should have high status, authority, recognition and support within the company, and have direct access legal advisors. The JPMA Guidelines are similar, but track closer to the OIG Guidance. The JPMA Guidelines recommend that organizations appoint a high level official to be in charge of compliance, describing that person as a member of senior management who is able to communicate with other senior managers on an equal basis, and who has the authority to supervise and instruct all division managers regarding compliance. While industry practices regarding compliance programs and CCOs vary, they appear to be generally consistent with these requirements. For example, according to a recent survey of 640 compliance officers published by the Health Care Compliance Association, a professional association of compliance officers working in all areas of the health care industry, approximately 65% of CCOs report directly to their organizations chief executive officers or presidents, and manage stand-alone departments with budgets and staffing. 10 Only 12% of CCOs 9 OIG Compliance Program Guidance for Pharmaceutical Manufacturers, 68 Fed. Reg , (May 5, 2003) th Annual Survey: 2006 Profile of Health Care Compliance Officers, HCCA (2006). A copy of this document can be obtained at no charge from its website at 5

6 report to their organizations general counsels. 11 Similarly, the American Health Lawyers Association ( AHLA ), a national professional association of attorneys who practice health law, recently reported in survey of 429 in-house attorneys that 56% of company compliance officers report directly to their organizations chief executive officers, while 20% report to their organizations general counsels. 12 To satisfy global compliance program standards, organizations should appoint CCOs that are in positions to exercise judgment independent from senior managers, and who have the authority to effectuate compliance changes across their organizations. In this regard CCOs should generally be members of organizations senior management teams, and should not be subordinate to organizations general counsels or chief financial officers. For most global organizations, the appointment of a single CCO to manage a global program may be insufficient to adequately manage the size and scope of compliance program activities. In addition, appointing a CCO to manage a global program single-handedly may not be the most effect method of obtaining global compliance. Employees across organizations must recognize that the compliance program and compliance efforts are not limited to the corporate office, or the region of the world where the CCOs office is located. To be effective, employees in every region of the world where the organization operates must feel that their part of the organization is connected to and responsible for the compliance program. Providing a local official in charge of compliance, such as a local compliance officer, is an effective tool for providing this connection. Where organizations appoint regional compliance officers, those officers should work under the supervision of and report to the CCO. These compliance officers will effectively function as the representatives of the CCO in their assigned regions, assisting the CCO to direct the development and management of the compliance program in the regions, to form and enforce company policy in the regions, and to gather the information that is necessary to effectively exercise judgment. In these cases organizations should ensure that the compliance officers can function in a similar manner to the COO, maintaining an adequate level of independence from regional management and having the resources necessary to perform their responsibilities. Some organizations may not have a sufficient presence in some regions of the world to appoint a full time compliance officer to those regions. In such a case, organizations may consider hiring a part time employee to that position. Another alternative may be to appoint someone on the CCO s staff (who is located outside of the region) to perform duties related to that region (or to support the CCO who will perform those duties). Appointing someone on the compliance staff who is outside of the region is not ideal because it does not result in a compliance presence in the region. Not only can this mitigate against employee buy-in to the compliance program in the region, but it may inhibit the effectiveness of the compliance program in the region. By having a presence in the region the CCO can better ensure effective 11 Id. 12 An Integrated Approach to Corporate Compliance: A Resource for Health Care Organization Boards of Directors, United States Department of Health and Human Services, Office of Inspector General, American Health Lawyers Association (July 1, 2004). A copy of this document can be obtained without charge from the American Health Lawyers Association on its website at CorpComp2.pdf. 6

7 communication with management and employees in the region, and can better understand the compliance risks, and the effects of compliance policies and procedures, in the region. However, if this approach is chosen, this individual could assist the CCO to address compliance responsibilities for the region, and may open up time for the CCO to spend more personal time in the region, increasing the compliance presence there. A third alternative would be to appoint an existing employee in the region to act as the part-time regional compliance officer. While this would result in a compliance presence in the region, these circumstances are also not ideal. A hallmark of effective compliance under the OIG Guidance and the JPMA Guidelines is an independent compliance function empowered to review matters, solicit concerns and make judgments independent of other business managers. Where an existing employee, who is supervised by other business managers, is appointed to act part-time in a compliance officer position, this independence is compromised. As a result, the CCO s ability to gauge compliance risks, make judgments regarding the effect of compliance policies and procedures, and objectively review factual circumstances in the region may be inhibited. Additionally, employees with compliance questions or concerns regarding management decisions or activities may be sensitive to this lack of independence, and may be reluctant to raise them. If this alternative is chosen, the individual chosen should have a formal position description for the compliance officer position, and a formal and direct reporting relationship to the CCO, including a regular performance review, to mitigate to the extent practicable any conflict effect. Corporate Compliance Committees For CCCs, the OIG Guidance emphasizes that CCC members should be drawn from a cross-section of the company, and should have the requisite seniority and experience to both address compliance issues within their departments or business units, and to develop and implement necessary changes to policies and procedures. The OIG Guidance does not provide instruction on any specific level of seniority for CCC members. However, the OIG s corporate integrity agreements do consistently require that the members of the CCC be senior-level executives. According to the OIG, the role of the CCC may vary with the organization, but is essentially to be an extension of the CCO by advising the CCO, assisting with compliance program implementation, and by providing increased compliance oversight. The Australian Standard views CCCs differently from the OIG Guidance. Under the Australian Standard the CCC is an extension of organizations boards of directors, much like an audit committee of the board in the United States. The role of CCCs under the Australian Standard is to assist organizations boards in supervising the compliance program. From this standpoint, CCCs act as drivers of compliance, and play supervisory roles over their organizations compliance programs and efforts. The Australian Standard does not require the use of CCCs, but notes that they are common, are useful for most companies, and are an option that should be considered. The JPMA Guidelines track closer to the OIG Guidance. Under the JPMA Guidelines organizations should establish a CCC (a Committee for the Promotion of Compliance ) to discuss and review compliance policies, and to generally assist the CCO with his responsibilities. 7

8 Under the JPMA model the CCC would be staff by the CCO or the officers in charge of compliance and the division managers of staff divisions, as well as outside lawyers or other specialists who can provide professional and legal advice. The JPMA notes that, in some organizations, a majority of CCC members may be comprised of outside specialists. For global organizations, and particularly for organizations that appoint both CCOs and compliance officers, the creation of a single global CCC to address issues that arise in a global program may be insufficient. A single global CCC may be unable to adequately understanding and address country and/or regional legal and cultural issues. Additionally, they may not be as effective at facilitating compliance in the far reaches of the world In such a case organizations may consider creating regional compliance working committees who meet under the supervision of regional compliance officers, and who perform the responsibilities of the global CCC at the regional level. The work performed by the regional compliance working committee would be performed under the supervision and in coordination with the global CCC. In these cases the members of the regional compliance working committees should be drawn from a cross-section of the company in the region. While committee member seniority is important, it is not as important as the seniority of the global CCC members as the authority for the work performed by the regional compliance working committees can be derived from the approval of the global CCC. 2. Standards and Procedures The second element for effective corporate compliance programs is establishing effective compliance standards and procedures. According to the OIG Guidance, compliance standards and procedures should address the operation of the compliance program itself, formalizing the existence and operation of the seven elements of an effective program, as well as addressing each organization s areas of risk. One suggested technique is to found the compliance program upon a general code of ethics. These codes are designed to provide the basic ethical and compliance standards for their organizations, upon which more detailed and specific policies and procedures can rest. These codes often include a description of the operation of the compliance program as well, including the role of the CCO (and sometimes other compliance staff), a description of employee responsibilities under the compliance program, and ways to facilitate compliance questions and concerns. After the creation of a code of ethics, more detailed policies and procedures are to be created to expound upon, and implement, the standards set forth in the code. The Australian Standard is generally consistent with this approach, but places more emphasis on a generally worded code of ethics, and on specific operating procedures for compliance, and less emphasis on individual compliance policies. The Australian Standard encourages organizations to avoid legal and industry terms, and to use broad statements in plain language. Integration of the requirements of the laws, regulations, codes and organizational standards should take place within detailed day-to-day operating procedures. These procedures should be action-based, providing staff with specific actions to take to avoid compliance problems. The JPMA Guidelines are similar to the OIG Guidance, requiring organizations to establish compliance standards and take the necessary procedures in order to prevent unlawful conduct. More information on drafting effective international codes of ethics is provided in Section III of this presentation. 8

9 When preparing standards and procedures, global organizations must identify their areas of compliance risk. These areas of risk can be identified by looking within organizations for areas where there are opportunities or incentives to be non-compliant. CCOs, and where utilized, compliance officers, should be knowledgeable of same, and should diligently review and monitor potentially problematic areas. Information can be obtained by reviewing relevant documentation, and by asking for information from CEOs, CFOs, COOs, risk managers, internal audit departments, health care providers and other individuals that have regular contact with potentially problematic areas and issues. Outside sources can also be helpful. Helpful sources in the U.S. include the DOJ, which publishes announcements and reports on its legal initiatives and cases, 13 and the OIG, which does the same with its initiatives, interpretations and documents. 14 Of particular interest is the OIG s annual Work Plan, published each November, describing the OIG s enforcement priorities for the upcoming year. Information on Food and Drug Administration s ( FDA ) initiatives can also be obtained on its website. 15 Professional and industry association can also be helpful in identify government priorities and compliance risks. In this same regard the Australian Standard recommends that CCOs identify areas of compliance risk through discussions with legal advisors, being on regulators mailing lists, maintaining memberships in professional groups and through attending industry-sponsored forums and seminars. Beyond legal and regulatory issues, the Australian Standard emphasizes the operational side of compliance programs, recommending the CCOs identify and take steps to rectify other problem areas that may be harmful to the operation of the compliance program, including harmful attitudes and remuneration systems that work to discourage compliance or reward non-compliance. Similar to the OIG Guidance, the JPMA Guidelines suggest that CCOs identify and address any related laws, ministerial ordinances or government instructions that may apply to the organization. By using these internal and external resources, CCOs can identify most issues that may effect their organizations. Global CCOs should address both legal and operational concerns when developing standards and procedures. Existing company resources, such as discussions with a global CCC, regional CCCs and regional compliance officers, interviews with middle-level managers in key compliance areas within each region, and internally raised compliance questions and concerns are often the most useful sources for developing same. The outside resources noted above can also be helpful because they identify problems within the industry, and problems that government authorities consider significant. By addressing substantive legal and regulatory issues with sensitivity towards supporting all of the elements of an effective compliance program, both substantive and operational issues can be effectively addressed. In general, global organizations should strive to achieve consistent global policies. These policies help to provide structure for the organization as a whole, and set the tone for a consistent global corporate culture. As a result, global operational compliance policies and umbrella global policies on key compliance areas, including a global code of ethics is preferred. Differences in 13 The DOJ s publications addressing these standards and practices can be found on its website at 14 The OIG s Work Plans, Guidances and other publications can be obtained on its website, located at 15 Information from the FDA can be obtained on its website at 9

10 regional infrastructure and resources, cultural norms and country to country legal requirements can be addressed as derivative supplements to the global policies, such as through supplemental regional codes of ethics or policies, or where no global policy applies, through separate regional policies. Suggestions on appropriate processes for developing these policies can be found in Section III(B) of this presentation, written in the context of global codes of ethics. 3. Training and Education Under the OIG Guidance the third element for effective corporate compliance programs is the proper education and training of officers, directors, employees, contractors and agents. The USSG state that the organization must have taken steps to communicate effectively its standards and procedures to all employees and other agents, e.g., by requiring participation in training programs or by disseminating publications that explain in a practical manner what is required. According to the OIG training must be a regular part of the compliance program, with a recommended minimum of one to three hours of in-service per year. United States governmental authorities measure training by its effectiveness, not simply by its length. Therefore, an additional important training focus is on how effectively the information is communicated. Similar requirements are provided in the Australian Standard and in the JPMA Guidelines. Strategies for training and educating international audiences are addressed in detail in Section IV of this presentation. 4. Lines of Communication The OIG Guidance provides that a fourth essential element for effective corporate compliance programs is maintaining effective lines of communication that allow for anonymity and confidentiality, whereby employees and agents can make compliance reports and seek compliance guidance without fear of retaliation. According to the OIG, this element s purpose is to ensure that employees, physicians, contractors and other persons are aware of ongoing compliance efforts, and are able to effectively provide information on suspected failures to remain in compliance. The OIG encourages mandatory employee reporting of potential instances of non-compliance, and encourages the use of anonymous compliance hotlines to facilitate compliance reporting. Similar lines of communication are supported by both the Australian Standard and the JPMA Guidelines, with some distinctions and emphases. Both documents emphasize the need to communicate compliance standards clearly and frequently. Additionally, the Australian Standard references compliance hotlines as useful tools for employee reporting, and encourages organizations to make them readily available. Employee anonymity is not specifically addressed. The JPMA Guidelines warn organizations that hotlines in Japan can be viewed as snitching systems, and as a result, tend not to be used by employees. 16 However, the JPMA Guidelines also encourage organizations to implement hotlines, noting that they offer an alternative with an emphasis on confidentiality. 17 Sufficient employee education emphasizing that hotlines are intended for the early detection and resolution of problems is the key. According 16 JPMA Compliance Program Guidelines, Japanese Pharmaceutical Manufacturers Association, Chapter 2, Section IV (April 1, 2001). 17 Id. 10

11 to the JPMA Guidelines, where employees are appropriately educated hotlines can act as an effective auxiliary system to rectify compliance violations. Generally, the health care industry appears to be following the lead provided by the OIG Guidance, the Australian Standard and the JPMA Guidelines. To encourage employees to raise their own compliance questions and concerns, many organizations choose to implement dedicated compliance telephone hotlines. Dedicated electronic mail addresses or internet compliance reporting links are also used. These techniques for reporting compliance questions or concerns may be toll free, may be available 24 hours a day, 365 days a year, and may be operated internally by compliance staff, or may be outsourced to organizations which provide these services. In whatever form, these techniques are widely used. According to the Society of Corporate Compliance and Ethics, 18 73% of organizations participating in a recent study reported that they had some form of compliance hot line. 19 Keys to successful hot lines include effective advertising of and education on the hot line, hour availability 21 and the opportunity for anonymity. 22 CCOs for international organizations must reconcile this guidance with legal restrictions that exist in some countries which significantly limit anonymous reporting. For example, in France the Commission Nationale de L Informatique et des Libertes ( CNIL ), the French data protection authority, significantly limits the use of hotlines. Warning that hotlines are subject to the requirements of the French Data Protection Act, the CNIL stated that should not turn into organized systems of denouncement at the workplace. 23 Based upon this foundation the CNIL imposed significant requirements, including CNIL approval prior to implementation, on hotlines. Among other CNIL requirements, hotline reporting cannot be required of employees. While anonymous reporting may be allowed, organizations must discourage it, and must inquire about the identity of every caller. Other significant requirements also apply. 24 As a result, CCOs seeking to implement OIG-style hotlines in France should obtain the advice of legal counsel prior to implementing same. Similar challenges to the implementation of OIG-style hotlines exist in Germany. In June, 2005 the Arbeitsgericht Wuppertal (German Labor Court of Wuppertal) ruled that telephone whistleblower hotlines are subject to the restrictions of German labor law, and require German Labor Court approval prior to implementation. 25 As a result, CCOs should seek legal advice on any restrictions that may apply in other countries, as well. 18 Information on the Society of Corporate Compliance and Ethics can be obtained at 19 Slovin, Dave, Confidential Reporting Processes: Keys to Maximizing Effectiveness Insight from the Data, Society of Corporate Compliance and Ethics, December, Id According to the article organizations cite posters, employee handbooks and wallets cards as the most effective tools for educating employees on hot lines. 21 Id. According to the article 48% of all hot line calls are received outside of normal business hours. 22 Id. According to the article 50% of all hot line callers prefer to remain anonymous. In its Guidances the OIG cites anonymous reporting mechanisms as useful for ensuring effective compliance. For publicly traded companies, anonymous reporting mechanisms are important or Sarbanes-Oxley compliance. 23 Frequently Asked Questions on Whistleblowing Systems, Commission Nationale de L Informatique et des Libertes, Question 2, (2006). 24 Information on the CNIL and its requirements relating to hotlines can be obtained on CNIL s website at A detailed discussed of the CNIL s requirements is beyond the scope of this presentation. 25 Decision of the Labour Court of Wuppertal, 15 June 2005, file number 5 BV 20/05. 11

12 As a result of legal and cultural differences, CCO should approach the implementation of compliance hotlines on a regional basis, taking into account country and regional legal requirements and cultural norms. Regardless of the regional or country, carefully designed and effectively provided employee education is important. Along with employee education programs, CCOs should consider publication of compliance standards and procedures in locations where they are available to employees and in easily accessible forms, such as in brochures, wallet cards, and on posters. Information on compliance hotlines could also be published in company or department compliance manuals, and on their organizations intranets. Publication on organizations internet websites can also be considered. 5. Auditing and Monitoring According to the OIG Guidance the fifth essential element of an effective corporate compliance program is auditing and monitoring to ensure compliance with compliance program standards. Auditing involves regular, comprehensive studies of specific risk areas. Monitoring involves the routine general management of the corporate compliance program to ensure proper execution, including overseeing and conducting control reviews of high-risk operation areas, conducting periodic checks of program effectiveness, the implementation of program updates and making program improvements. As an additional part of the monitoring function the USSG require that organizations use due diligence to avoid including, within the substantial authority of the organization, individuals who have engaged in illegal activities or other conduct inconsistent with effective compliance. Following this lead the OIG recommends that organizations not hire or do business with individuals or entities that have been sanctioned by the U.S. Federal Government and noted to be excluded from participation in federally funded programs, including employees and contractors. As an additional note, the OIG suggests that organizations perform exit interviews on departing employees to discover any compliance concerns. The Australian Standard also supports auditing and monitoring through providing standards related to compliance monitoring and assessment. The Australian Standard provides that an effective compliance program should regularly monitor performance through the use of both internal monitoring and assessment (performed by staff within the relevant business unit), and external monitoring and assessment (performed by staff outside of the business unit). The JPMA Guidelines recommend auditing and monitoring through compliance checks that are designed to confirm that compliance policies are being followed. In the JPMA Guidelines compliance checks can be performed in combination with other business-related audits, either by an internal group or an external group. Neither the Australian Standard nor the JPMA Guidelines require background checks or exit interviews. The role CCOs in auditing and monitoring, regardless of the region or country, is to work with the CCC to determine the risk areas to be audited, determine the nature and scope of the audit, and to review the results of the audits. Audits are commonly conducted by trained auditors; often by internal audit staff. In some cases, however, depending on the complexity, size or sensitivity of the audit, the audit may be appropriately outsourced to an outside entity that specializes in the detection and prevention of fraud and abuse. CCOs of global organizations must be aware of and sensitive to varying legal requirements related to audits across the world. 12

13 As a result, CCOs should obtain advice on audit-related legal requirements prior to initiating audits. In many circumstances, monitoring may be appropriately performed by departments within the organizations that share oversight responsibility for the proper execution of the policies and procedures (e.g., FDA/regulatory department monitoring proper execution of compliance standards in a manufacturing plant). In these cases the reviewing department should work closely with the CCOs on performing the reviews, and reviewing the results of monitoring. CCOs should also consult with legal counsel to ensure that monitoring activities satisfy the requirements of the law in the countries within which the CCO s organization operates. 6. Promoting and Enforcing Standards Through Incentives and Discipline The sixth essential element of effective corporate compliance programs under the OIG Guidance is the promotion and enforcement compliance standards through effective and appropriate incentives and discipline. While a code of ethics and other policies and procedures may dictate standards, these standards may not function effectively unless organizational incentives, including financial incentives, are also geared towards supporting compliance. Furthermore, the USSG state that compliance standards must have been consistently enforced through appropriate disciplinary mechanisms, including, as appropriate, discipline of individuals responsible for the failure to detect an offense. Adequate discipline of individuals responsible for an offense is a necessary component of enforcement. Intentional and material non-compliance should subject transgressors to significant sanctions, up to and including termination. The Australian Standard supports the promotion and enforcement of compliance standards as well. Under this Standard compliance must be made to be everyone s responsibility, should be written into all position descriptions, and should be a significant component of all performance reviews. Similarly, the JPMA Guidelines encourage organizations to consider compliance in each employee s performance review, and to provide disciplinary action where compliance standards are violated. The JPMA Guidelines specifically provide that the personal responsibility of the violator s supervisor for the employee s violation should also be considered. Part of aligning employee incentives requires CCOs to design and implement compliance systems and internal controls that are clear and user-friendly. Controls and systems that are clear and easy to execute facilitate employee compliance in every culture, even when they are significantly different from past policies, procedures or practices. Controls and systems that are ambiguous or burdensome provide incentives to strain their limits, or to work around them. To align incentives CCOs must design clear, user-friendly systems and controls. When aligning incentives, CCOs should also consider employee job requirements, financial incentives and discipline. In this regard CCOs should review all employee position descriptions and incentive compensation arrangements, as well as organizational criteria for employee performance reviews and promotion. Position descriptions should include explicit provisions that require complete compliance with legal and ethics standards, as well as participation in the compliance program initiatives. Supervisors should be responsible for using diligence to ensure the compliance of those employees that they supervise. Incentive compensation arrangements, while not required to be tied specifically to maintaining compliance, should be aligned as best possible so that they do not provide incentives for non- 13

14 compliance, and CCOs should advocate for incentives that encourage compliance. Regardless of incentive arrangements, compliance criteria should weigh heavily in organizational employee performance reviews and promotion decisions. In this context it is also important to obtain legal counsel familiar with labor and employee rights laws in the countries in which the organization operates. Working closely with the human resources departments that manage employee issues is also critical. Labor and employee rights laws can vary significantly from country to country. In many countries employees have significantly more rights that in the United States, and in a some cases organizational employees may actually be employees of the governing entity (e.g. China). As a result, obtaining timely legal counsel is important when considering employee incentives, requirements and discipline. 7. Responding Appropriately to Allegations of Non-Compliance In the OIG Guidance the seventh essential element of effective compliance programs is responding appropriately to detected breaches of compliance standards. The USSG state that after offenses have been detected, organizations must have taken all reasonable steps to respond appropriately to the offenses, and to prevent further similar offenses, including any necessary modifications to their compliance programs to prevent and detect violations of law. The OIG Guidelines emphasize that upon receipt of reasonable indications of potential non-compliance, the organization immediately investigate to determine whether non-compliance has occurred, if it has, take appropriate action to correct the problem. The Australian Standard also supports this element, requiring a clearly defined complaints handling system to address failures of compliance, and requiring that organizations take timely and appropriate action to rectify compliance failures. The JPMA Guidelines also require a thorough investigation of any detected unlawful conduct, and swift rectification. Global CCOs should address this element through the creation of clear policies and procedures for responding potential non-compliance. Legal counsel, knowledgeable of the legal requirements in the regions of the world where the policies and procedures will apply, should be involved in drafting same. Many countries have significant privacy protections that will effect internal investigations of employees. Regardless, these policies and procedures should require immediate communication of compliance reports to the CCOs, and prompt investigation under the direction of the CCOs. Where CCOs themselves do not conduct the investigations, where available they can be conducted by members of the compliance staff. Where members of the compliance staff are not available, within the requirements of local law these investigations may be conducted by internal personnel. However, to preserve investigation independence personnel should not be requested or permitted to investigate matters within their own departments or areas of responsibility. Where at any time during the investigation the CCO finds material evidence supporting a conclusion that a potential instance of non-compliance may have resulted in a legal violation, the CCO should promptly turn the review over to the direction of legal counsel. III. DEVELOPING EFFECTIVE INTERNATIONAL CODES OF ETHICS FOR DIVERSE SOCIETIES A. Government and Industry Guidance 14

15 In the United States the OIG Guidance specifically provides standards for compliance program codes of conduct, as follows: 26 [Health care providers should] develop a general corporate statement of ethical and compliance principles that will guide the company s operations.... The code should function in the same fashion as a constitution, i.e., as a document that details the fundamental principles, values, and framework for action within an organization. The code of conduct should articulate the company s expectations of commitment to compliance by management, employees, and agents, and should summarize the broad ethical principles under which the company must operate. Unlike the more detailed policies and procedures, the code of conduct should be brief, easily readable, and cover general principles applicable to all employees. The OIG further states that in addition to a code of conduct, clear, detailed and substantive policies should be developed that provide the company s policies and processes for addressing specific areas of compliance program operation and risk. As the OIG Guidance describes, the OIG s standards for compliance program codes of conduct are that they be brief, easily readable statements of the organization s ethical and compliance values and principles. Organizations more substantive and detailed policies and procedures are then founded upon the code of conduct. A similar approach to compliance program codes of conduct has been expressed in the United States by industry professional organizations and commentators. For example, the OIG and the AHLA published together a resource entitled Corporate Responsibility and Corporate Compliance: A Resource for Health Care Boards of Directors. 27 The purpose of this document is to provide boards of directors with guidance on how to evaluate their corporate compliance programs, including their codes of conduct. The resource provides that the purpose of codes of conduct are to set forth the organization s fundamental principles and values in order to help define the organization s culture. The writers further state that all operating policies are derivative of [the code of conduct s] principles. Outside of the United States the Australian Standards also emphasize the need for compliance documents that express the fundamental values of their organizations. In this regard the Australian Standard describes two sets of written standards: a compliance policy, and operating procedures for compliance. The Australian Standard describes a compliance policy as a clear statement of the organization s commitment to compliance, advising that organizations should avoid technical, legal and industry terms because plain language that is clear to everyone on staff is essential for the compliance policy. The Australian Standard later 26 See OIG Compliance Program Guidance for Pharmaceutical Manufacturers, 68 Fed. Reg , (May 5, 2003). 27 Copies of this document can be obtained at no charge from the OIG at 15