A compliance program is a bundle of policies and procedures designed to identify legal and regulatory problems, correct identified deficiencies, and create a mechanism to prevent future problems. At its core, a compliance program is a "risk management" system intended to address not just liability issues and legal and regulatory risks created by federal and provincial obligations imposed on a profession, industry or other field of endeavour.

To be considered "effective," a compliance program must contain several core elements. The eight elements noted by the United States Sentencing Commission Guidelines (USSCG), while not binding on Canadian compliance programs, provide a good blueprint that, if followed, would likely satisfy Canadian requirements.

These elements are as follows:

• Standards of conduct. A "standards of conduct" statement should be drafted, describing what constitutes appropriate conduct for the members of the organization. The standards must be written and communicated to all relevant employees.
• Senior Management Involvement and Support. Senior management must play an active and visible role in relation to the compliance program, in order to clearly send the message that compliance with the law is a fundamental part of company policy. By demonstrating its commitment and involvement, senior management will send the message that violations of the Act are not accepted as a legitimate business practice. Subsequent periodic statements to sustain the initial message, and management conduct that reinforces the message, will establish a positive behavioural model for all employees.
• A training program. A training program must be instituted to educate affected personnel about the standards of conduct, and to train them on the important regulatory and legal issues facing the organization. The program should involve some "live" training in addition to videotaped or written training materials. Training is required for new hires, and retraining must be provided periodically for existing employees.
• A disciplinary procedure. Programs must include disciplinary procedures that require the organization to counsel, reprimand, or discipline personnel in an appropriate, measured, and consistent fashion whenever they violate the organization's standards of conduct or any applicable provincial or federal requirement. Regulators will be skeptical of the value of a compliance program that lacks a mechanism to enforce the standards of conduct.
• Periodic auditing and monitoring. A program must include a system to audit the organization's compliance with important rules and regulations. The format of this component will depend on the organization's particular needs, given its line of business and the extent of its exposure to potential regulatory violations. The organization's audit systems and procedures should be written into formal policies.

Monitoring is preventive in nature, being a continuous, systematic procedure implemented to check against potential violations. In the event that a violation does occur, monitoring can be of value in supporting a due diligence defence. For example, prior to being signed off, an organization could require that all its advertisements, regardless of their form, be checked against a predetermined list of requirements for compliance with the Competition Act, a federal statute which regulates unfair advertising in Canada.

Audits are designed to identify whether a regulatory violation has occurred and, if one has, that it is dealt with appropriately. Whether companies institute periodic, ad hoc, or event- triggered audits, or a combination of them, the aim is the same -- to ensure that problems are identified and resolved and that the organization and its personnel and agents are in compliance with the law. The choice of audit approach should be determined according to what activities the organization considers will raise the greatest risk of regulatory violations. The organization should also consider whether any of its internal activities, or external practices in the industry in which it operates, give rise to uncertainty about the law.

Part of the periodic monitoring must include some means for the personnel of the organization to raise compliance issues. An internal reporting procedure -- that is, an unfettered ability to report conduct that is reasonably believed to be a contravention of the Act – encourages personnel to provide timely, reliable information that can be the basis for further investigation by the organization. If the steps to be followed and the information required are clearly defined, the reporting procedure can identify existing or potential problems in order that timely remedial action can be taken. For smaller organizations, this requirement can be satisfied by providing personnel with a suggestion box, or by periodic questionnaires.

• Corrective action procedures. The organization must commit to addressing any identified problems in a manner that ensures that the deficiency has been corrected and that appropriate procedural changes have been implemented to prevent a recurrence of the problem.
• Screening of employees and contractors. The organization must take steps to ensure that its personnel, agents and independent contractors are not "untrustworthy." This means implementing a credentialing process that will identify any person or entity who has been convicted of a regulatory or criminal offense, or excluded from the activities carried on by the organization by any government body. Available databanks and disciplinary boards should be queried for disciplinary actions, criminal violations, and other incidents.
• A compliance officer or compliance committee. The organization must designate a compliance officer or create a compliance committee charged with managing and directing the program.

How to Implement a Compliance Program
While the practice differs depending on the nature of the organization in question, the implementation of a compliance program typically involves six steps:

• a "legal audit" of the organization
• identification of potentially unlawful or unethical conduct
• remediation of perceived difficulties
• drafting standards of conduct
• development and implementation of a mechanism to prospectively identify, investigate, and correct perceived compliance problems
• institution of a training program for management and employees.

The legal audit normally comprises two distinct phases: a desk audit and an on-site visit. The desk audit consists of a legal review of a variety of documents that are relevant to a number of important regulatory issues. This also enables the auditor to determine how best to conduct the on-site portion of the audit. Various issues are identified, and an audit protocol is developed to determine the organization's current level of compliance on each issue.

The most appropriate focus for an organization can vary depending on the practice and its regulatory history. If an organization has been investigated or audited by a regulator for any particular practice areas, then those areas should clearly be given careful attention. A core compliance program will address, at a minimum, those issues which relate to its central business activity. Other issues can also be examined in a compliance program, including occupational health and safety issues, labor law issues, informed consent issues, securities matters, gaming issues, corruption, bribing of foreign officials, professional codes of conduct, competition ("antitrust") concerns and money laundering practices.

The legal audit identifies areas in which the organization's conduct could be considered unlawful or unethical. The client is informed of the relevant risks associated with the conduct in a privileged internal investigation report that sets out the nature of the conduct, the factual findings of the compliance team, and a legal analysis of the organization. If the organization determines that its conduct involves an unacceptable level of risk, remedial policies and procedures are designed and implemented.

The client and its counsel then articulate and draft a statement of the organization's values and principles, called the “standards of conduct”. Management can use these standards to express its commitment to ethical, lawful competition. They also set the tone for the rest of the organization's compliance efforts.

Next, a mechanism is designed to ensure that the organization will be able to prospectively identify, investigate, and correct potentially unlawful or unethical practices. This includes conducting periodic internal audits, which typically involve regulatory and billing components. The audits are conducted according to a protocol that specifies participation by an appropriate combination of internal personnel and outside consultants.

The final component is a training program. This comprises training on the compliance program itself and regulatory training. The frequency and nature of training varies according to each targeted employee's level of responsibility and duties.

The substantive content of a compliance program should then be described in a company publication. While the required detail and form may vary from firm to firm, some typical items include:

• a statement by the chief executive officer stressing the company's commitment to the policies and procedures contained therein, and its uncompromising adherence to the Act;
• a reference to the purpose of the legislative enactments pertaining to the organization's activities;
• a general description of the relevant legislation and its enforcement, penalty and remedy
• provisions, with emphasis on those provisions of the legislation that are most relevant to the
• organization;
• clear examples to illustrate the specific practices that are prohibited, so that personnel at all
• levels can easily understand the potential application of legislation to their own duties;
• a practical code of conduct that identifies activities that are illegal or open to question;
• a statement outlining the consequences of breaching corporate policies;
• procedures that detail exactly what an employee should do when concerns arise out of certain situations, or when possible violations of legislation are suspected;
• an acknowledgement, signed by each employee, indicating they have read, understood, and
• will adhere to the policy.

Benefits of a Compliance Program

• An effective compliance program should benefit an organization by:
• educating personnel about the legislative and regulatory requirements affecting their industry, and the current enforcement policies of the regulatory authorities, thereby reducing uncertainty about what is or is not legal conduct;
• giving early warnings of potentially illegal conduct;
• reducing the exposure of corporate officers, directors and employees, and the corporation itself, to criminal and civil liability;
• reducing costs related to litigation, fines, adverse publicity, and the disruption to operations resulting from investigations and prosecutions before courts or hearings before administrative tribunals;
• assisting the organization in its dealings with the regulatory authorities; for example, by identifying violations early enough to allow the organization the opportunity to make a request for immunity or a reduction in penalty in a criminal matter.

Conclusion
The importance of a compliance program in avoiding illegal or questionable conduct, and in early detecting and dealing with such behaviour, should not be underestimated. The procedures put in place as the result of a compliance program serve not only to identify unlawful or questionable conduct, but also to promote awareness that will result in ethical standards of conduct.

Implementing an effective compliance program which addresses both criminal behaviour and conduct reviewable by civil means is a matter of good business sense. It can help an organization avoid the adverse publicity and financial costs associated with legislative and regulatory contraventions. Once a compliance program has been identified and implemented, it leads to enhanced understanding of what is acceptable behaviour, so that legitimate business practices can be vigorously pursued without unwarranted and time-consuming concerns of contravening the law.

The foregoing comments are of a general nature, and are not intended nor should they be used as a substitute for legal advice or legal opinions which can be rendered only when related to specific fact situations.