PREVENTING CORPORATE CRIMINAL AND CIVIL LIABILITY WITH COMPLIANCE PROGRAMS
"The ultimate goal of any compliance program is to help [an] organization's
employees, managers and governing body simply do a better job as well
as identify and prevent improper conduct. When necessary, implement a prompt, thorough,
and responsible investigation and corrective action. Each organization should exercise due
diligence in attempting to deter, detect and correct improper conduct by its employees or
managers."
--Model Compliance Program for Hospitals, Office of the Inspector General, U.S.
Dept. of Health and Human Services
Efforts to pursue compliance with applicable laws in a systematic fashion are more than
defensive initiatives for corporations and other organizations. These efforts are
also key components of modern risk management. A well-conceived compliance program
can make an institution operate more efficiently, increase the quality of organizational
activities, and reduce the chance of future errors.
The following material describes the benefits of corporate
compliance programs and the steps needed to implement these programs.
Implementing Compliance Programs
(excerpted from Richard S. Gruner,
Corporate Crime and Sentencing (2nd ed. 1997))
Law compliance programs are systematic measures taken by firms to detect
and prevent corporate offenses. They encompass a variety of steps to identify, facilitate,
encourage, and monitor lawful conduct by corporate employees. Such programs can further
corporate interests in many ways, including reducing the frequency of illegal conduct,
influencing prosecutorial discretion to withhold corporate charges for employee offenses,
minimizing corporate penalties for completed offenses, satisfying demands by board members
and others for information on corporate law compliance, and implementing ethical standards
in business operations.
The most important function of corporate law compliance programs is to prevent and limit
illegal conduct. Law compliance programs prevent offenses by directing employees towards
lawful behaviors in their work, by giving them incentives to adopt those behaviors and by
monitoring adherence to legal standards. Even if they are not fully successful in
preventing offenses, law compliance programs can still serve valuable ends by stopping
illegal conduct at early stages when the scope and impact of the conduct are minimal.
Successful law compliance often requires corporate personnel to conform their
conduct to complex and uncertain legal requirements. As with responses to other types of
complex business constraints, compliance practices for coping with the demands of criminal
and regulatory laws are most effective if those practices are systematically constructed
and applied. In pursuing corporate law compliance, firms "must manage compliance just
as we manage cash resources and quality on the production lines." By systematically
identifying lawful conduct in predictable work activities, giving employees incentives to
pursue lawful conduct, monitoring whether employees do so, and reacting with discipline
and corrective actions if employees do not actively pursue law compliance, corporate
managers can reduce the probability of illegal conduct within corporate organizations.
Beyond promoting and controlling law
compliance under stable, predictable circumstances, law compliance programs have an
additional role in minimizing illegal conduct under changing conditions. Shifts in
corporate activities or surrounding legal constraints sometimes force firms to operate in
new legal environments. If a firm enters a new field, acquires a new business, or crosses
a significant regulatory threshold (as, for example, when it makes its first public
offering of stock), new legal constraints will apply to the firm, requiring new compliance
efforts. Systematic law compliance programs that include regular assessments of changes in
corporate business activities and surrounding legal environments can help ensure that new
legal issues are not overlooked. In short, law compliance programs are also key components
of corporate change processes.
By treating law compliance programs as
specialized types of management systems, corporate executives can use incentive,
instructional, monitoring, and control techniques drawn from other management contexts to
construct law compliance programs. Law compliance programs based on methods from other
management settings can not only improve law compliance, they can -- by their similarity
to other management processes -- send a clear message to corporate personnel that law
compliance is a mainstream management concern.
Regardless of the particular management
techniques used, a commitment of substantial resources to law compliance programs sends a
valuable signal to corporate employees. It confirms, in tangible terms, that top corporate
managers are strongly interested in law compliance. As employees make informal assessments
about corporate managers' true values and expectations, they are likely to gauge the
relative significance of various management concerns from the extent of corporate
resources devoted to those concerns. Corporate law compliance will only be seen as a high
priority if top managers have taken significant, visible steps to inform, train, monitor
and discipline employees concerning compliance-related performance. Employees know from
experience that important aspects of corporate performance typically are addressed in
policies issued by top executives, examined in ongoing monitoring of employee performance,
and considered in allocating corporate rewards and discipline. Matters of lesser
importance are addressed through management processes that lack one or more of these
features. Absent treatment on a par with the attention given other critical performance
factors, law compliance will be viewed by many employees as a professed goal of top
executives that can be ignored when achieving law compliance conflicts with other
performance goals.
Law compliance programs may also be needed
to offset profit-oriented pressures created by corporate incentive schemes. Many corporate
incentive programs tie employee compensation and promotions to the attainment of
performance goals such as sales or production quotas. Managers and employees in poorly
performing corporate units may feel strong pressures to "get their numbers up"
and seek to do this through illegal means. Similarly, performance pressures in
recessionary periods or during intervals of intense competition may cause managers or
employees to misbehave rather than face adverse consequences under their firms'
compensation and reward systems.
To the extent that the attainment of
performance measures like sales quotas or production targets is closely monitored by
corporate superiors but law compliance is not, the employees being monitored will tend to
give more attention to the closely scrutinized aspect of performance than to law
compliance. Law compliance programs with a strong monitoring component are needed to
equalize scrutiny of performance results and methods and to avoid inadvertently rewarding
employees for illegal actions. Such programs may also have a deterrent effect. The mere
threat of monitoring and detection under a strongly enforced law compliance program may be
enough to dissuade managers and employees from pursuing performance goals through illegal
means.
Since they frequently detect illegal
conduct at earlier stages than would otherwise be the case, law compliance programs often
expand corporate managers' options in responding to offenses by employees. Early
recognition of a potential legal problem may allow managers to adopt actions that avoid
the problem entirely. Even if an offense is already underway, the range of potential
responses to reduce the harmful effects of that offense may be broader if a response is
made at an early stage. Furthermore, measures to stop illegal conduct in its early stages
are often far less disruptive to other corporate activities than later responses
implemented hurriedly in the face of a legal controversy or under court compulsion.
Constructing and Operating Law Compliance Programs
Design Principles
a. Introduction. Designing
law compliance programs involves selecting and implementing systematic measures to detect
and prevent corporate offenses. As they undertake this design process, corporate managers
should be guided by the following basic design principles governing compliance programs.
First, the problem of law compliance by corporate employees is fundamentally an agency
problem revolving around the need for mechanisms to ensure that employees and other agents
conform their conduct to the law compliance goals of their corporate principals. Second,
in evaluating the merit of alternative agency processes for implementing corporate law
compliance, corporate managers should view law compliance programs as performance quality
control measures aimed at ensuring lawful actions by employees within their roles as
corporate agents. Third, by interpreting law compliance programs as a variety of
performance quality control program, quality control principles developed in other
corporate settings can be used to construct and evaluate law compliance systems. Fourth,
existing government and industry standards for evaluating quality control systems can
supplement legal standards governing law compliance programs to produce useful tests for
due diligence in corporate law compliance efforts.
b. An agency analysis of law
compliance programs. Since all aspects of corporate performance are carried out
by corporate agents (there being no physical corporate principal to take any action), the
attainment of corporate law compliance is necessarily an agency problem. In connection
with many corporate operations, the specific agency problem is how to ensure that low
level corporate employees carry out corporate actions within the bounds of relevant laws.
For purposes of the discussion here, I will focus on applicable criminal laws, but a
similar analysis might be completed of compliance with requirements of civil laws,
regulatory standards, or ethical values.
At a basic level, the success of agency
processes aimed at corporate law compliance depends on a strong statement of interest in
law compliance by top corporate executives. Absent this sort of support for law compliance
by corporate leaders, operating employees will not view law compliance as a requirement of
them in their roles as corporate agents. Hence, top level policies in support of law
compliance and related actions by corporate executives to make it clear that these
policies are meant to be enforced within the corporate organization are necessary elements
of effective law compliance programs.
Assuming that top level pronouncements
sufficiently clarify the interest of the corporate executives in law compliance, a number
of further actions will be necessary to ensure that corporate personnel carry out law
compliance in their agency roles. These further actions must address three features of
corporate operations:
Operating employees must understand what actions they should take or not take to ensure law compliance;
The actions of these employees must be monitored to ensure that the needed steps are being undertaken; and
The compensation and other rewards given employees must be structured to encourage them to identify and pursue the law compliance interests of their corporate principal.
Taken together, these types of steps are
the actions necessary to carry out a successful agency process furthering law compliance
in corporate affairs. Each of these agency features should be present in an effective law
compliance program.
c. Sources of compliance system
designs. Law compliance programs should be constructed as much as possible by
personnel operating the companies or operating units covered by the programs. After being
briefed on applicable legal requirements, operating managers and employees should attempt
to anticipate legal problems in their operations and develop compliance measures to detect
and control instances of those problems. Compliance programs resulting from this process
will be superior to externally imposed systems for several reasons. Such programs will be
technically superior since they will utilize employee expertise about company operations.
These programs will also be seen as having greater legitimacy by employees who must abide
by the programs since the programs are constructed by fellow managers and workers.
d. Characteristics of successful
compliance program designs. Like other corporate management systems, the
success of law compliance programs should be judged from their results. The merit of
various compliance approaches should be determined from the degree of law compliance they
achieve. However, measuring a cause-and-effect link between corporate compliance programs
and lawful employee behaviors is often difficult. Hence, the adherence of corporate
employees to practices likely to promote law compliance must often serve as an indicator
of program success, substituting for more direct measurements of law compliance results.
Since they are specialized quality systems
-- with conduct in conformity with legal requirements treated as high quality performance
-- law compliance programs can also be evaluated in terms of tests for evaluating quality
management systems. These tests suggest that a successful law compliance program should
have the following features:
Performance demands imposed by the program should be well understood and generally met by corporate employees;
The performance required by the program should be effective in satisfying legal requirements; and
The program should foster an operational emphasis on preventing legal offenses rather than on detecting offenses after the fact.
From the standpoint of a corporate defendant seeking a sentence reduction or other favorable
treatment based on its law compliance efforts, a law compliance program must not only be
effective, but demonstrable as such. Consequently, the merit of compliance systems will
turn in part on how well they document a company's law compliance efforts.
Furthermore, in designing a compliance
system, it is useful to keep in mind how the system will appear if reviewed by public
authorities. In this regard, it may be useful to consider the meaning that compliance
program documents would be likely to be given were they to appear as trial exhibits.
System documentation must be understandable by prosecutors, judges and other public
officials having no prior experience with the system. A firm may wish to prepare a
prepackaged summary of its program (or determine in advance what types of documents will
be gathered to form such a summary) so that this material can be delivered to prosecutors
or other public officials when an offense is reported or an external investigation is
initiated.
As a final test of system sufficiency, it
may be desirable to have regulatory agency personnel assess the adequacy of a corporate
law compliance program. This will be particularly valuable if personnel from the same
regulatory agency will conduct most compliance assessments of the company involved. Even
if agency personnel will not formally certify the adequacy of a law compliance program, an
informal assessment can still identify compliance program weaknesses in the eyes of
enforcement personnel, while at the same time demonstrating a company's commitment to law
compliance in advance of any controversy where the firm's compliance program is at issue.
Targeting Law Compliance Programs
Effective law compliance programs should
be aimed at preventing predictable corporate offenses. Consequently, corporate managers
must study the offenses that are likely to arise in their workforce before constructing
and implementing a law compliance program. Their failure to do so will mean that any
program they formulate will probably be incomplete or misfocused.
Two types of analyses will be useful in
predicting future offenses in a given firm. First, a careful study of normal corporate
business activities and the persons potentially affected by those activities will often
suggest types of injuries and related crimes that are likely to arise out of corporate
operations. In this assessment, employee compensation practices (such as production
bonuses or cost-cutting incentives) that may encourage employee misconduct for personal
gain should be taken into account in identifying particularly likely types of offenses.
Second, the history of offenses in an
organization and the types of offenses experienced by other firms sharing similar
operating features will be important sources of information on likely offenses. In
addition to prior convictions, past offenses (or closely related conduct) can be revealed
through (1) agency enforcement actions, (2) civil damage claims, (3) complaint letters,
(4) tips from whistleblowers, and (5) results of internal corporate investigations.
Historical information like this provides empiric evidence of likely future offenses in
continuing corporate operations.
Finally, in order to ensure that a law
compliance program remains focused on a firm's current legal risks, the program needs to
be reevaluated periodically to determine if it is still addressing the likely legal
problems of the firm involved. Compliance program reevaluations are particularly important
as laws governing corporate conduct change or company business activities expand or shift
so as to create new stakeholders in firm performance or affect old stakeholders in new
ways.
Steps in Establishing Compliance Programs
a. Introduction.
Components of corporate law compliance programs should be constructed to direct, promote,
monitor, and adjust actions of corporate employees and agents in ways that will further
law compliance. Although the discussions which follow refer to employees, a complete
compliance program will need to include parallel actions concerning other types of
corporate agents.
b. Clarifying law compliance
behaviors. Corporate managers should guide employees toward lawful conduct
through combinations of corporate conduct codes, job-specific rules, procedures,
practices, and individual work assignments tailored to ensure that legally required tasks
are accomplished. The discussion that follows focuses on design considerations concerning
corporate conduct codes; however, similar considerations apply to other types of corporate
conduct rules, procedures, and practices that further law compliance.
Corporate conduct codes (or other
compliance-related directions or documents) can shape employee actions in several ways. At
their most general level, conduct codes compel employees to take actions in accordance
with particular values or legal requirements. However, compliance codes often take more
particular, rule-based forms that dictate how employees should act in specific
circumstances. Indeed, the most important compliance standards may be those which are
narrowly tailored and stated for a specific type of employee conduct. Such specific
requirements may be more easily applied by employees than vaguer, more broadly framed
standards.
In general, conduct standards reflect
efforts to pre-plan aspects of corporate activities to ensure that those activities remain
within legal bounds. If behaviors promoting law compliance can be predicted for particular
types of employees, those behaviors can be promoted by requirements that the employees
comply with corresponding rules, practices, or procedures. Rules can forbid specific
activities that are themselves illegal or that involve high risks of unlawful conduct
(e.g., meetings with competitors' sales personnel). Conduct rules can also require
activities that are necessary steps towards law compliance. In addition, corporate
managers can require legally sensitive transactions or activities to conform to
pre-determined procedures which avoid or minimize legal risks. Useful procedures can be
preventive (e.g., toxic materials handling protocols to prevent releases) or reactive
(e.g., discharge containment and cleanup procedures). Employees can also be compelled to
adopt practices that increase the likelihood of law compliance (e.g., a practice of
checking the operation of overflow containment equipment before releasing toxic materials
into a holding vessel). The efficacy of each of these methods in promoting law compliance
will depend on the degree to which necessary employee behaviors can be anticipated,
described in conduct standards, and linked to incentives encouraging employees to adopt
the behaviors.
Whatever the form of the guidance, whether
it be codes, rules, procedures, or practices, certain drafting considerations should shape
compliance-related directions to employees. The following instructions for creating a
conduct code reflect drafting principles that can maximize the impact of all types of
compliance-related directions to employees:
Draft the code to require conduct exceeding the minimum required by law rather than just restating that minimum;
Make compliance with the code a condition of employment, thereby confirming management's right to impose discipline for breaches;
Make the code apply to all employees, with possible specialized supplements for narrow groups of employees facing distinct legal risks;
Tailor the code to match the firm's corporate culture and emphasize code compliance and enforcement in the development of that culture;
Draft the code in plain English to facilitate understanding by employees who are subject to it and by persons who must evaluate whether the code was effective;
Make one or more high-level officers at each corporate location available to provide guidance on the meaning and application of the code and take further steps to ensure that the guidance provided by these officers is uniform; and
Make sure that the code sets realistic conduct standards since standards set too high and regularly violated may be taken as an indication of management indifference to law compliance.
c. Allocating legally
significant decisions. Attention to law compliance concerns can also be
improved by ensuring that legally significant decisions are made by persons within
corporate hierarchies who are well informed about relevant legal constraints and who have
clear motivations to take legal constraints into account in making related decisions.
Rather than directing decision makers about how to take legal constraints into account,
allocation strategies bring decisions to those who already have knowledge about compliance
requirements and who are sufficiently isolated from day-to-day performance pressures to
ensure that law compliance considerations govern decisions.
For example, decision allocation rules
that require certain decisions to be referred to or jointly approved by a high-level
executive or counsel will tend to ensure that the legal implications of the decisions
receive special attention. Such allocation rules are particularly valuable if legal risks
in connection with particular decisions are high and there are reasons to believe that
operating managers at lower hierarchical levels should not be relied on to make the
decisions in the absence of further reviews. Thus, for example, managers in financial
institutions might be required to consult with counsel before initiating new currency
handling procedures. Such a requirement would help ensure that the new procedures do not
lead to monetary transaction reporting violations.
d. Provisions for legal advice
to decision makers. A final way that corporate compliance systems can inform
employees about law compliance requirements is by making legal advice available to
decision makers as questions arise. Regardless of the detail of corporate conduct codes
and other sources of guidance to employees regarding law compliance, eventually employees
will encounter situations in which these sources of guidance suggest the presence of a
possible legal problem, but do not indicate how it should be resolved. In such situations,
corporate superiors or inside counsel should be available to field questions about how
individual employees should act to satisfy corporate compliance standards and surrounding
legal requirements.
e. Encouraging employees to
pursue law compliance. Employee compensation and other personnel practices
should shape employee preferences in favor of law compliance. Even the best compliance
standards mean little if employees regularly ignore them. Employee compliance with conduct
codes and legal requirements can be encouraged through both employee selection and reward
practices.
Employee hiring and promotion practices
should negatively select for tendencies to engage in unlawful conduct. This is another way
of saying that persons with identifiable tendencies towards illegal conduct or towards
behavior raising substantial legal risks should not be selected or promoted. In cases
where an employee has a history of illegal behavior (either with her present employer or
with prior firms), the employee should be excluded from corporate positions that involve
opportunities for similar misconduct. This exclusion should continue for a substantial
period or until management can identify persuasive reasons why the employee's values and
conduct have changed so significantly that a repetition of the person's illegal conduct is
no more likely than it would be for an average individual without the same criminal
history.
Predictions of tendencies toward illegal
conduct on the part of corporate employees or hiring candidates who have not yet committed
offenses will often be difficult. There are as yet few criminologists who study how and
why people commit crimes in particular industries. Therefore, managers often have little
information about the things to look for to recognize employees who are about to commit
their first offense. Hence, unless some criminal conduct or indifference to legal
standards is manifested in the past actions of an individual, job exclusions for that
individual will probably not be warranted.
Internal corporate rewards to employees
should be structured to discourage illegal conduct. At the very least, firms should avoid
positive rewards such as promotions or incremental compensation for performance achieved
through illegal means. Preferably, persons acting illegally should receive less favorable
treatment in corporate reward processes than other employees, with sanctions including pay
cuts, demotions, and terminations. Companies can also administer compensation systems so
as to create positive law compliance incentives for entire operating units. For example,
employees in an operating unit such as a branch sales office might be given incentives to
avoid illegal conduct by instituting a charge back system that imposes some or all of a
criminal penalty on that unit, thereby reducing the profitability of the unit and any
compensation payments based on such profitability.
f. Monitoring and controlling illegal
conduct. Systems for monitoring law compliance and controlling detected
compliance problems are key parts of every corporate compliance program. These systems are
not just means for responding to compliance failures, although this is an important part
of the control process. Rather, monitoring and control systems are necessary complements
to other law compliance practices, testing the sufficiency of law compliance mechanisms
like compliance codes and incentive systems.
While law compliance control systems have
not been the subject of extensive studies to date, internal control systems aimed at other
aspects of corporate performance have been analyzed extensively. One of the most thorough
studies of such systems was completed in the early 1990s by five major accounting
organizations including the American Institute of Certified Public Accountants, the
American Accounting Association, the Institute of Internal Auditors, the National
Association of Accountants, and the Financial Executives Institute. Their joint efforts
resulted in a 1992 report entitled "Internal Control -- Integrated Framework."
This report describes the minimum features of an effective internal control system --
features that should also be present in control systems promoting corporate law
compliance.
According to this study, an effective
internal control process must have five interrelated features:
Facilitating Control Environment: The effectiveness of a control process depends on a number of
features of the management environment in which it operates, including a) ethical values
reflected in company conduct codes, business policies and dealings with outside parties;
b) management's commitment to competence with respect to the performance to be controlled;
c) the independence, competency and level of involvement of the board of directors or
audit committee participating in the control process; d) management's business philosophy
and operating style; e) the appropriateness of the company's organizational structure; f)
current assignments of authority, and delegations of responsibility; and g) personnel
policies affecting the controlled performance.
Risk Assessment: Effective control processes must include "the identification and analysis
of relevant risks to achievement of [management's] objectives, forming a basis for
determining how the risks should be managed."
Control Activities: Control activities should ensure that organizational objectives are
fully realized. Available measures include preventive, detective, manual, computer and
management controls.
Information Gathering and Communication: Processes for gathering, analyzing and
communicating information about performance levels are further key components of control
systems.
Monitoring: Monitoring of the adequacy of control systems can occur through separate
evaluations or ongoing assessments. The former are likely to produce a more thorough
assessment of system performance as a whole, while the latter often reveal performance
problems more quickly. The quality of monitoring efforts depends on factors like the
frequency and scope of evaluations, the appropriateness of mechanisms for reporting results
and procedures for following up on adverse findings.
Complete law compliance monitoring
processes will incorporate ongoing and event-driven components. Ongoing monitoring
involves regular reporting and auditing on significant features of law compliance
performance, while event-driven components include special studies of legally risky or
significant transactions and, most importantly, investigations of detected misconduct.
Each of these monitoring techniques is discussed briefly here.
Reports on legally significant aspects of
corporate performance serve the same purpose as corporate performance reports generally.
These reports summarize and transmit performance information to higher corporate levels
for review and evaluation. One difficulty often involved in law compliance performance
reporting is that specific aspects of employee performance related to law compliance are
not easily identified in advance, or, if they can be so identified, are not of a
quantifiable nature amenable to systemized recording, aggregation or reporting. To the
extent that these problems can be overcome in specific compliance areas -- e.g., in
assessing environmental law compliance from measurements of chemical discharges at a
particular plant -- regular measurement and reporting of compliance related performance
will be a useful means to monitor law compliance changes.
Legal audit processes are useful in a
broader range of law compliance monitoring. These processes are aimed at producing
accurate portrayals of legally significant aspects of company business at efficient
intervals and in useful forms. Of course, to do this successfully corporate managers must
understand which aspects of company business activities are legally important and be able
to measure when performance in those areas is varying from proper performance in legally
significant ways.
Corporate managers have several
potentially useful sources of legal audit criteria. Claims and complaints against their
firm are good indicators of likely legal problems in the future. Both the nature of
particular claims and complaints and their pattern over time can suggest areas to
emphasize in subsequent auditing. Furthermore, legal auditing can focus on performance or
behaviors likely to be correlated with legal problems. For example, audits can use
managers' knowledge about governing legal requirements as a measure of the sufficiency of
corporate codes and training. Weaknesses in this sort of knowledge serve as indirect
indicators of probable future legal problems as managers shape their conduct and that of
subordinates without an adequate understanding of legal requirements.
In measuring the sufficiency of
compliance-related performance, past performance often provides a useful baseline for
evaluating current results. Past audit results can be compared with corresponding results
from current audits to detect changes in compliance-related performance. These changes
will tend to reflect altered corporate practices or new sources of legal risks that
justify further investigation. Thus, for example, a special investigation might be
warranted if a company experiences a significant jump in complaints against its sales
employees in a particular office. By monitoring the pattern of such complaints, a company
can use an upward deviation to trigger further inquiries into the causes of the increase,
including an assessment of whether any criminal misconduct was associated with the
complaints.
In implementing legal audit processes,
corporate managers should usually develop audit criteria incrementally. Managers can start
with one legal focus and facility (e.g., environmental compliance at a particular plant)
and develop audit criteria for that narrow combination on a trial basis. These preliminary
audit standards can be perfected through several audit cycles. Adjustments can be made to
add audit criteria if problems are being overlooked and to eliminate criteria if they
produce few useful audit findings. Once perfected in this way, the audit program can be
expanded to include similarly situated facilities (e.g., environmental compliance at all
plants). Finally, the initial program can be expanded again to include other types of
legal requirements. This can be accomplished by attempting to generalize findings about
the common features of legal problems discovered in the early auditing phases and by using
those findings to look for similar problems in other compliance areas.
Periodic legal audits will often be
valuable means to detect decreases in law compliance following changes in corporate
operations or employees, to determine progress towards needed changes in
compliance-related practices, to ensure that employees are informed about new legal
requirements or constraints, or to compare corporate performance to baseline data from
earlier audits to identify developing or changing law compliance problems. Firms should
increase the frequency of legal audits when further audits are likely to serve one or more
of these purposes.
Slowly changing corporate activities
generally need to be audited only infrequently to determine if company employees are
continuing to apply standard operating procedures for maintaining law compliance in these
activities. However, activities in a new field or involving new or unusual corporate
practices need more frequent auditing because the law compliance demands related to these
activities are relatively unfamiliar to the employees involved and because the performance
pressures that may cause those employees to engage in illegal conduct are also uncertain.
Types of changing corporate conditions most clearly justifying increased auditing (at
least temporarily) include: new corporate operations raising previously unencountered
legal problems, changes in corporate personnel in a legally sensitive area, alterations in
incentive schemes or competitive pressures that may heighten employee motivations to act
illegally to gain corporate rewards, and shifts in applicable legal requirements.
The final products of an audit development
process should be written statements of audit procedures. These statements can be used for
planning audits, ensuring complete efforts by auditors, providing a framework for
organizing and evaluating audit findings, and directing follow-up monitoring of responses
to legal problems discovered in audits. By describing and standardizing audit processes,
statements of audit procedures provide useful guidance to auditing personnel and define
criteria for evaluating the execution of auditing activities.
Documenting the construction and operation
of legal auditing processes can be advantageous in later litigation. Firms need to
document analyses made in constructing and operating their audit processes in order to be
ready to establish the bona fides of their audit programs when those programs are at
issue. Particularly important documents in this regard include compliance audit
completion reports and records of disciplinary actions taken in response to discovered
misconduct. Corporate managers will probably need to retain such records to ensure that
their firms receive proper credit for past law compliance efforts. To the extent that
managers choose to destroy compliance documents that no longer serve a positive management
function, these documents should be destroyed systematically. Selective retention of
documents based on favorable content should be avoided to prevent the appearance of
creating a fictitious program image.
Event-driven audits -- that is, audits of
transactions or activities that are likely to be of legal significance -- raise many of
the same issues as periodic audits. One advantage of event-driven audits over periodic
ones is that the former can focus large expenditures of auditing resources on particularly
risky conduct. For example, a firm might want to audit product pricing determinations
leading to a large bid submission against stiff competition. Such a transactional audit
would seek to determine if either predatory pricing or price fixing were present in the
bidding process.
Internal investigations of reported
misconduct are another important type of law compliance monitoring. Investigations of
reported misconduct focus the expenditure of law compliance resources on studies that are
likely to yield information that is useful both for stopping existing misconduct and for
preventing similar misconduct in the future. Of course, not all reported misconduct will
be confirmed in subsequent investigations. However, reports are low-cost sources of
frequently reliable information about offenses; follow-up investigations in response to
whistleblower reports therefore tend to be focused inquiries that are more efficient in
detecting and understanding the sources of corporate misconduct than ongoing auditing
programs. In small firms, investigations triggered by misconduct reports may be the
exclusive form of compliance monitoring that is reasonable since more elaborate auditing
without the focus provided by misconduct reports may not be cost-justified.
While the investigative techniques that
may be desirable in responding to misconduct reports vary too greatly to warrant
discussion here, one frequently encountered issue deserves attention. This concerns
reports to public authorities of detected misconduct. A policy requiring disclosures to
public authorities may commit a firm to disclosures that -- in particular cases -- it
would rather not make. The failure to make disclosures where a company compliance program
requires them may cause the program to be viewed as ineffective. On the other hand, a
compliance policy that does not commit a firm to disclose discovered criminal actions may
be deemed inadequate even in cases where disclosures are made.
However, in addition to establishing
management's strong support for law compliance, a policy requiring disclosures of detected
misconduct will also avoid the possibility that managers, thinking that they can conceal
internally detected misconduct from damaging public disclosures, worsen a corporation's
position (and their own) by making misstatements to public officials or undertaking other
responses that are poorly thought out.
g. Measuring the effectiveness
of a law compliance program. Reevaluating the focus and success of a law compliance
program should be an ongoing task. Evaluators of law compliance programs should look for
the following program features, which indicate that law compliance is being pursued
diligently:
Frequent efforts by executives to
articulate their commitment to law compliance;
Regular evaluations of offenses detected
through law compliance monitoring, including analyses of corresponding corporate
investigations, internal discipline, disclosures to public authorities and responsive
reforms;
The involvement of personnel in
compliance studies and investigations who have adequate training and resources to make
accurate and thorough compliance assessments;
The inclusion in the program of a well
publicized means for whistleblowers to report misconduct (such as an ombudsman or another
senior manager designated to receive misconduct reports), with mechanisms for shielding
the reporting party from retaliation (or, perhaps better yet, affirmative rewards for
whistleblowing);
Records describing audits and
investigations completed as part of the program and the portions of company operations
assessed;
Compliance program features that exceed
the enforcement capabilities of outside officials, thereby reflecting management's
commitment to law compliance beyond a desire to keep one step ahead of public authorities;
Studies to determine the causes of
offenses committed despite the company's compliance efforts and how related compliance
efforts can be improved;
The absence of patterns of offenses in
misconduct reports from employees, managers and outsiders; and
Corporate responses (both investigative
and remedial) to misconduct reports from whistleblowers and others.
Program
evaluations should emphasize measurable progress towards law compliance (focusing, for
example, on the scope of crime prevention activities pursued under a program or the number
and nature of offenses the program did not detect and stop prior to revelation of the
offenses through other means). Cosmetic paper trails that do not correspond to substantial
compliance efforts should be ignored in program evaluations. Courts evaluating compliance
programs for sentencing purposes will use similar criteria. To qualify for a reduced
sentence based on a compliance program, an organization must "establish that its
program was genuinely designed and implemented with an intention that it work -- good
after-the-fact lawyering should not make up for mediocre efforts at compliance."
The materials at the following links provide further information about the characteristics
and significance of compliance programs.
The Dawning of the Age of Compliance -- The Growing Significance of Compliance Programs
What is a Compliance Program and Why Does a Company Need One?
Compliance Myths and Misconceptions
Frequently Asked Questions About Implementing A Compliance Program
Federal Compliance Program Guidance For Hospital Compliance Programs