Oversight of a Compliance Program Should Not Be Delegated

Senior management should remain engaged in overseeing the compliance process and ensuring that decisions on the allocation of compliance, audit, and other resources are adequate and risk-based.  Oversight of a compliance program should not be delegated.  “Management [should] engage constructively with processes of oversight and challenge” the effectiveness of a compliance program.1  Senior management must ensure “that adequate and appropriate resources needed for effective operation of the anti-bribery management system are allocated and assigned.”2

“Decisions on allocation of compliance and audit resource[s should be] risk-based.”3  Senior management should ensure that adequate resources are provided and that compliance resources are allocated in such a way as to address relevant risks.  For a compliance program to be effective, those assigned responsibility “must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources to ensure that the [entity’s] compliance program is implemented effectively.”4

Policies and procedures should be understandable and pertinent and should be widely disseminated throughout an entity as well as to those acting on its behalf. “[C]ompliance standards and procedures [must be] reasonably capable of reducing the prospect of violative conduct.”5 Senior management must be actively involved in ensuring that policies and procedures are clear and appropriate and adequately communicated throughout an entity’s organization, including to third parties acting on the entity’s behalf.

An effective compliance program must have the full attention of the entity, extend to all levels of the organization, and apply to its agents, consultants, and representatives.  Employees must be “adequately informed about the compliance program and [be] convinced of the [entity’s] commitment to it.”7

No special treatment should be permitted.  “No executive should be above compliance, no employee below compliance, and no person within an organization deemed too valuable to be disciplined, if warranted.”8  No other practice can undermine the effectiveness of a compliance program more than treating lower-level members of an entity differently from those in senior management.  Such disparate treatment dramatically undermines morale and any notion of the commitment of senior management to compliance.  It sets the tone for the entire entity.

Disparate treatment may also have implications for those individuals and entities acting on behalf of an entity.  Looking the other way for those generating business is not an acceptable practice.  Otherwise, an entity exposes itself to liability.  An entity must be consistent in the manner in which it treats reports of abuses on the part of individuals or entities acting on its behalf.


1Financial Conduct Authority, Financial Crime: A Guide for Firms (“FCA Guidance”), pt. 1, at 20 (emphasis added) (Apr. 2015).

2ISO 37001, Anti-bribery management systems — Requirements with guidance for use, at 5.1.1(d) (Oct. 15, 2016).

3FCA Guidance, supra note 1, pt. 1, at 20 (emphasis in original).

4U.S. Dep’t of Justice & U.S. Sec. & Exch. Comm’n, A Resource Guide to the U.S. Foreign Corrupt Practices Act, at 58 (Nov. 2012).

5Consent and Undertaking, at ¶ 4(a), United States v. Metcalf & Eddy, Inc., No. 99CV12566NG (D. Mass., filed Dec. 14, 1999).

6U.S. Dep’t of Justice, U.S. Attorneys’ Manual, § 9-28.800 (2017).

7FCA Guidance, supra note 1, pt. 1, at 60.

8FCPA Guide, supra note 4, at 60.