7. Building Effective Internal Communication Channels
This is an Insight article, written by a selected partner as part of Latin Lawyer's co-published content. Read more on Insight
A well-designed and well-implemented compliance programme is a critical component of corporate governance. But even the best-designed programme will be ineffective without regular and effective communication about the programme in an organisation. Many companies spend a great deal of time, resources and effort on creating policies and procedures and designing compliance programmes, but not nearly enough on actually communicating about the programme to the people who need to understand and live compliance each day. Indeed, the time, resources and effort a company spends on training and communication can be a good indicator of its commitment to ethical behaviour.
Fundamental to an adequate communications and training programme is ensuring that the personnel to whom a compliance programme applies – typically an organisation’s employees, agents, executives and directors – truly understand the risks to which the organisation is exposed, the content of the compliance controls that are in place to mitigate those risks, and their responsibilities for implementing the compliance controls. That begins with the actual rollout of the programme (especially the clear communication of policies and procedures), continues with training and must include as a key element regular communications of the type we discuss in this chapter. Only by regularly communicating with stakeholders can an organisation translate its guiding principles and its policies into actions that minimise risk effectively.
With this in mind, US regulators and enforcement agencies have identified essential principles relating to communications and training surrounding an organisation’s compliance programme that can affect its overall effectiveness. This is especially the case in light of the continuing compliance explosion and perceived increase in risks in Latin America. We discuss the practical lessons of these principles throughout the chapter. In particular:
- executive management should ensure that the organisation’s risk tolerance is communicated through policies, standards and procedures that define responsibility and authority, and that its position on employee misconduct, including the remedies that may be utilised in the event of misconduct, is also clearly communicated;
- compliance resources, including policies and procedures and other materials developed to support the compliance function (e.g., periodic bulletins, desk-level references) should be easily accessible and understandable to employees and relevant third parties;
- the compliance function should have direct communication with, and escalation channels to, executive management and boards of directors, to ensure that compliance has appropriate autonomy and authority within an organisation;
- training initiatives should be developed using a risk-based approach, so that the training is specifically tailored to employees’ job functions and the organisation’s products, services and level of risk;
- training should clearly communicate employees’ compliance responsibilities and adequately cover prior compliance incidents;
- the organisation should measure the effectiveness of the training curriculum;
- the organisation should maintain formalised standards for the frequency, methods (e.g., formal, on-the-job, external) and documentation of training;
- key gatekeepers in control processes (people with approval or heightened compliance responsibilities) should receive appropriate guidance and training, know what misconduct to look for, and know when and how to report concerns; and
- the organisation should maintain a formalised process for communicating findings derived from compliance testing, monitoring and audit activity that ensures that findings are appropriately shared and reported to relevant stakeholders and executive management based on the risk posed to the organisation.
An obvious caveat is that, in different organisations and even within the same company, there is no one-size-fits-all approach to communications and training. Different business lines or geographies, for example, are likely to require different approaches. And among different companies and industries, those differences might be more pronounced, as a medium-sized baked goods factory in Colombia will clearly have vastly different concerns from a large financial institution in Brazil. This chapter seeks to outline general best practices across industries and compliance issues, but they should of course be tailored to the particular characteristics of each company and the company component to which they apply.
Since the first edition of The Guide to Corporate Compliance was published in 2020, the worldwide spread of covid-19 has resulted in business disruptions and remote work arrangements at many organisations. With a dispersed workforce, and less in-person supervision and training of employees, effective compliance communications have become more challenging and more important, and we include in this edition practical tips for tailoring communications strategies to the remote environment. Additionally, US government expectations regarding compliance communications have continued to evolve, as best shown by the US DOJ’s updated guidance for evaluating corporate compliance programmes. These updates are addressed in this publication.
Communication from the top and elsewhere
Regulatory and enforcement agencies around the world expect a company’s board of directors and executive management to communicate their expectations and set the tone for a culture of compliance. Regulators carefully judge executive management’s level of commitment and oversight of an organisation’s compliance programme when evaluating its effectiveness, and several have flatly stated that enforcement decisions often can be traced to a poor culture of compliance. It is important, therefore, that executive management effectively communicates its compliance expectations and standards to personnel and relevant stakeholders in a manner that reinforces the organisation’s commitment to (1) facilitating compliance with legal requirements, (2) holding personnel and other stakeholders (such as, for example, vendors) accountable for deviating from compliance obligations set forth in policies and procedures, and (3) conducting business activity in a manner that aligns with the organisation’s risk tolerance and strategic objectives. Indeed, we are aware of large, sophisticated institutions that have created executive-level positions or board committees for the specific purpose of fostering a culture of compliance within the organisation.
But except in the smallest of organisations, it is impractical to expect upper management to handle all training and communications. As a result, it is necessary for executive management to maintain visibility regarding compliance while at the same time delegating responsibility for training and communications to functional groups and, if appropriate, third-party providers. This is the only way to ensure that compliance communications and training are properly developed, disseminated and tracked to confirm that the personnel understand and adhere to the standards and controls set forth in the compliance programme. To make certain that those groups assigned responsibility for training and communications are capable of performing these functions successfully, executive management should provide these groups with the appropriate resources, authority and independence. Conversely, unless executive management has adequate visibility in how compliance communications are being carried out, management cannot provide proper oversight. Therefore, processes should be put in place to encourage upward reporting back to management.
While, again, no one methodology fits all companies, it is common for compliance training and communications to be assigned both to the first and second lines of defence: the appropriate business unit and the compliance and risk management function. Thus, compliance staff must maintain communications to disseminate regulatory changes as well as amendments to compliance policies or procedures resulting from regulatory changes, or in light of changes to existing business practices. The business unit must be able to put into practice and disseminate any relevant changes to the operational procedures necessitated by updates to the policies or procedures. The best organisations do not leave these communications to the compliance function alone, but actively ensure that key business leaders at all levels are focusing on the right messages. An important way to ensure this is to give business managers at all levels the tools and support they require to communicate the compliance message throughout the company. A potential risk if employees only hear from compliance staff is that they will imagine compliance to be a separate, perhaps support, function that is not meant to integrate with the ‘real’ business of the company. That is a mistake a robust compliance programme avoids.
A final risk to consider in disseminating compliance messaging throughout an organisation is the problem of global operations that have many subsidiaries or branches in far-flung locations. In these situations, a top-down bureaucracy can be ineffective in ensuring that the compliance message from headquarters is properly disseminated. So, too, and perhaps especially so in Latin America, compliance managers assigned to local operations run the risk of being drowned out by more powerful business leaders who are directly responsible for success or failure in that particular country. For those reasons, it will be crucial for the central compliance function to take the lead in ensuring that they and global leadership appropriately train and empower local compliance managers, and ensure that local business leaders understand, commit, and are rated on their own support of compliance. Without that, not only could the message get lost in the global ether, but compliance communications at the local level could devolve into ‘mere window dressing’ that would likely be rejected by US regulators or prosecutors when proffered in mitigation of liability.
Communication to the top
There has recently been an increased emphasis on the compliance function’s access to key decision makers among US regulators. When assessing whether compliance functions are autonomous and have appropriate authority, US authorities will often look to their reporting lines. Maintaining direct reporting and communication lines between the compliance function and the board of directors or compliance-related committees of the board, as well as other key decision makers, will ensure the compliance function has autonomy and the appropriate authority to keep the company operating within its risk tolerance. Additionally, regulators encourage regular meetings to discuss compliance initiatives and concerns to ensure that compliance plays an appropriate role in strategic and operational decisions.
Additionally, depending on the industry, the covid-19 crisis has stretched compliance resources. On one hand, this could become an opportunity to do more with less by placing an emphasis on communications from leadership as a relatively cost-effective way to keep the compliance message in the forefront. But on the other, too much emphasis on cost-effectiveness, and the likely cutting of compliance budgets that follows, could be misinterpreted by the rank-and-file as a lessening of the company’s commitment to legal and ethical behaviour. Tone from the top, after all, is not only about communications, but also about investing in robust compliance programmes. In times of crisis, it will fall to compliance leaders to make sure that both communications and the importance of sufficient budget are communicated to leadership and across the organisation.
Adequate dissemination of policies and procedures
The best policies and procedures will not achieve their goals unless they are appropriately disseminated to an organisation’s stakeholders. The size of the company, its geographical footprint, the target audience, the activity governed by the policies and procedures, and the nature of its office operations (including whether staff is operating remotely, owing to the covid-19 pandemic or otherwise), are all factors that should be considered in determining the most efficient manner of dissemination. For example, policies that address business activity at a global level are more likely to be a valuable resource if they are posted within a central repository that is available to a broad range of personnel. On the other hand, policies that provide guidance on how a particular business unit should satisfy assigned compliance fulfilment functions should be disseminated in a more targeted manner.
The following are some of the various options organisations should consider when disseminating policies and procedures.
- Compliance portal: a dedicated portal that is user-friendly and easy to find is the most comprehensive way to maintain regular communications, although it must be kept current. For large organisations especially, portals can be customised to deliver targeted information to appropriate business lines and geographies, and in appropriate languages.
- Third-party platforms: for those entities that may not have the resources to maintain a compliance portal internally, third-party platforms are viable alternatives, with the same function as dedicated portals.
- Email: updates may be disseminated by email as well, though only in the rarest of cases should this be the only method used. In larger companies, emails with general announcements of policy updates risk being ignored or given less importance than they might in smaller companies. Additionally, email dissemination is static, when the reality is that many companies change personnel and configurations almost daily.
- SharePoint or other shared drive: although a shared drive is less formal than a compliance portal, and is likely to require more effort to keep up to date, it is an option that many companies use. As with portals, maintenance and employee awareness are keys to success.
- Paper: providing updated policies and procedures in hard copy is also an option for dissemination. As more entities become digitised, however, the paper alternative may be considered mostly by smaller companies where this type of dissemination is not hindered by geographical distances, for example. Paper dissemination is also impractical – and perhaps impossible – for organisations with remote work environments.
These methods of communication are not mutually exclusive. For example, executive management might send hard-copy handbooks, email updates, and make more information available via a compliance portal. Regardless of the manner of dissemination, the company should ensure that policies and procedures are easily accessible to all, updated as necessary, and that employees know when they are updated.
Designing and implementing effective training programmes
Methods of delivering training
In an ideal world, a company’s chief executive officer (CEO), general counsel or other similar executive would personally train all personnel and thereby make certain that the compliance message has been delivered. Because this is obviously impractical, every organisation must consider the complexity of its activities, geographical footprint, sophistication and size when designing methods of delivery. In-person training (even if not delivered by the CEO) is the most attractive option in that it typically generates the most participation, but it also requires the most effort. This has ranged from impractical to impossible during the covid-19 pandemic, but will continue to be a preferred method once the need for social distancing subsides.
In-person training can be interactive, requiring action from the participants, which in itself engages more participants than a pre-recorded presentation, or even an interactive online training programme. As the use of videoconferencing has become commonplace, that type of meeting has become nearly as interactive as in-person training. When individuals are required to attend a training session, they will focus on programme content rather than the distractions at their desk (and, ideally, will have left their personal devices to the side). Importantly, in order to successfully conduct an interactive videoconference, the participant list must be limited to ensure full participation by attendees, and attendees should be required or strongly encouraged to enable their video function. Although pre-recorded training sessions might be the most cost-effective and convenient to attend, it could lead to a lower number of active participants. The in-person or videoconference experience also creates opportunities for discussions on how the compliance obligation should and can be fulfilled by relevant team members.
Equally important is conducting training in the local language of the personnel being trained. There is simply no substitute for communicating concepts plainly and in participants’ native language. And doing so has the added benefit of increasing the likelihood of employee buy-in, as the trainer will literally be speaking their language. Finally, the local language is likeliest to spark an interactive session, as employees will feel more comfortable asking questions in their native language.
Who should conduct training sessions?
As with communications generally, various individuals or groups may have the capacity to conduct compliance training appropriately. That said, it is important to confirm that those personnel or groups providing training maintain the expertise and authority needed to provide the targeted audience with guidance that is specific to their job functions and consistent with the organisation’s risk management principles. Options include the following:
- Senior management: resources permitting, this is always a good option, because senior management is typically tasked with integrating executive management’s compliance expectations and risk limits into the organisation’s everyday business activity; however, it is not always vital or possible that senior management do so.
- Business leaders: similarly, the company’s leaders and managers who are closer to the day-to-day operations of an enterprise should have broad knowledge of the company operations and policies applicable to the company as a whole, as well as to smaller business units. An advantage here is that these leaders often garner the respect of those they more directly oversee.
- Compliance team member: if the company is large enough to have dedicated compliance staff, they are often in the best position to understand all requirements and how they apply to the different business units. Whether they personally deliver training or not, compliance departments should have as part of their mandate to ensure the delivery of effective training. Often, large companies will have a training department or other personnel broadly responsible for making certain that training initiatives are appropriately developed and provided to employees and other relevant stakeholders (when appropriate).
- Legal team member: the company’s in-house or external lawyers are often a good source of training personnel, especially for law-heavy areas such as insider trading.
- Third-party compliance resources or outside counsel can also be workable alternatives for providing training to employees, provided that they are in tune with the company’s business activities and strategic objectives.
Regardless of who is actually tasked with leading the training, this person or group should have a clear understanding of the legal requirements applicable to the company and how these affect the company’s business activities. The intersection of the company’s activities and legal requirements must be understood by the trainer in order to effectively relay them to stakeholders. It is therefore advisable for compliance and business personnel to review the content of the training and inform the trainer of any relevant considerations.
It is often desirable that initial training sessions, as part of a compliance programme rollout or a new training initiative, be conducted at least in part by senior management to stress the importance to the company. In the long term, these arrangements are not likely to be sustainable, so it is important for executive management to ensure that subsequent training sessions are led by personnel with sufficient knowledge of the compliance programme and its effects on the company.
What to include in training sessions
The content of compliance training sessions is as varied as the different types of compliance issues an organisation faces. Whatever the subject area, training should be customised to the audience. For example, the content required for legal and compliance personnel will differ from the content appropriate for business lines. Similarly, with respect to anti-corruption training, for example, some parts of a company might have daily interactions with government officials, making them higher risk than those in a division that does not interact with governments at all. Each division’s sessions should therefore have an appropriate emphasis. More generally, as business risks evolve with alternate work arrangements and less in-person interaction, organisations should consider the types of risks arising from virtual interactions, such as cybersecurity and other unwanted intrusions into private meetings, which should be previewed and understood by its team members.
Additionally, not everything contained within policies and procedures need be emphasised, lest the training devolve into a didactic reading rather than an interactive exercise in which the most important risks and expectations are stressed. Thus, the company’s risk assessments, which will have identified areas of elevated compliance risk, are a good source of training topics. To illustrate particular points, it is crucial to use examples either from the organisation’s own experience or from more broadly known cases. It would be difficult, for example, to get through anti-corruption training in Brazil without discussing Operation Car Wash, perhaps the most widespread bribery scandal in history.
As we have stressed, every company has different risks and areas of focus, but generally, all organisations will need to include the following basic topics, at a minimum, in their compliance training:
- Company’s values, mission, guiding principles: because a culture of compliance is important to maintain effective communications, regular compliance training should discuss the company’s values and guiding principles, which hopefully will have been designed to stress the importance of ethics and integrity. The key here is to get employees thinking about broad principles, which they can apply to more varied situations, rather than just rules. Employees need to understand that ethical behaviour requires thinking about the reasons why rules are in place and the principles behind those rules.
- Code of conduct: in light of the wide-reaching nature of a company’s code of conduct, training on its requirements, expectations and responsibilities should be regularly included in training sessions (when updates are implemented or in connection with training new employees or changes to remote operations). Good code-of-conduct training will stress that the code does not govern all situations, that employees will be tested in real life with fact patterns that are not necessarily explicitly covered, and that they should use the ethical principles behind the code to guide their decision-making. Training should also stress that the employees are not alone, and that when they are in doubt, they should ask for guidance.
- Lessons learned and prior compliance incidents: guidance from numerous regulators suggests that lessons learned from previous compliance incidents, preferably at the specific company, should be addressed in training. Not only does this reduce the likelihood of similar incidents, but it also shows commitment to identifying and addressing potential problems. Discussing actual past breaches is invaluable for employees.
- Reporting processes and whistle-blower hotline: reporting processes within the organisation and whether a vehicle for confidential whistle-blower communication exists are critical information that should be specifically addressed in training sessions.
- Anti-corruption: a clear statement of the company’s anti-corruption policies and procedures should be the subject of focused training, including potential consequences for non-compliance. Corruption risks arising from daily business dealings should be addressed, including not just government corruption risks but also commercial corruption with other business entities. Where appropriate, contractors and suppliers should be given training as well. This is important for all organisations, but is crucial for companies operating transnationally or in a country with high corruption risk.
- Insider trading: public companies, and other companies that come into possession of material, non-public information regarding publicly traded companies, routinely provide training on insider trading compliance requirements. While no law requires public companies that are not brokers or dealers to maintain insider trading policies or training, these types of measures have been widely adopted since the enactment of the US Insider Trading and Securities Fraud Enforcement Act of 1988, and are today crucial components of a sound compliance programme.
- Human resources training: employment policies and human resources training is crucial and, increasingly in many jurisdictions, mandatory, particularly for topics such as sexual harassment or diversity and inclusion.
A fundamental element of a training initiative’s effectiveness is employee participation. Simply put, no training activity will be effective if it is not completed by those personnel for which it is designed and if a company cannot later prove that the training was provided. For this reason, it is critical that executive management communicate that ongoing training is an essential part of each employee’s job functions and that those who do not complete training in a timely manner will be evaluated on that basis, and could be subject to discipline. Additionally, functional regulators will often consider employee participation when assessing the effectiveness of an organisation’s compliance programme. As a result, it is prudent for organisations to track and document levels of employee attendance, and keep evidence of the action taken with respect to employees who do not maintain an acceptable level of attendance.
Periodic evaluation of training programmes
The ultimate measure of a well-designed training programme is not someone’s subjective opinion of how good or bad it might be. The key question is whether it works – that is, whether the trainees have internalised the lessons of the programme and can apply it to day-to-day business at the company. The only way to know this is to evaluate and test the programme. Not surprisingly, US regulators and prosecutors assess how well an organisation evaluates its training effectiveness when reviewing an organisation’s compliance programme.
One method to test the effectiveness of training, particularly when implemented to address a compliance breach, is to measure key data points before and after the training. For example, if a required disclosure was not being provided to customers of a broker-dealer as required, a company might calculate whether there was an increase in the number of disclosures produced by the system after the training. Similarly, the effectiveness of training pertaining to incident-reporting processes can be evaluated by comparing how often the vehicle for reporting problematic incidents (e.g., compliance reporting portal) was used before and after the training.
Another means of assessing the effectiveness of training is conducting targeted extra ‘spot’ testing of employees who attended a particular training. While this type of evaluation method may not be practical for all organisations, ‘spot’ tests allow to determine whether the employees have consistently at least understood, and hopefully adhered to, key requirements. One caution is that spot tests may be viewed as invasive by some employees, so an organisation should consider limiting them to employees whose adherence to the conduct specified in the training most affects the organisation’s compliance obligations.
Any weaknesses revealed through testing an organisation’s training programme should be factored into its risk assessment process, as the objective of these assessments is to help executive management proactively identify current and emerging compliance risks and implement appropriate strategies to mitigate these risks. By doing so, an organisation will be better positioned to correct training weakness before they become systemic.
Once policies and procedures have been appropriately disseminated and employees have received appropriate training, an organisation with a robust compliance programme must include periodic employee communications to reiterate the compliance message. Employees are busy people focusing on the business of the company, so those in charge of a communications programme must walk the line between communicating so infrequently that information falls through the cracks, and communication fatigue, which arises when employees hear so much about compliance that they stop listening.
Types of communications
Regular and consistent compliance communications to employees should be succinct, but provide enough detail so that they can understand the context in which it applies to each individual’s role. A key is for the communications to be interesting and not repetitive. For example, internal bulletins can be created to disseminate important dates, information or requirements once a month. Similarly, a periodic newsletter highlighting developments affecting compliance, reminders regarding scheduled training sessions, and an FAQ, among others, can be a useful regular communication resource for employees. This information could be disseminated in a company-wide email message, posted on an internal compliance portal, or printed and available in secure common areas.
Additionally, updates to policies and procedures provide an excellent opportunity to review both the existing policy and present a high-level summary of the updates circulated. This could be done by compliance staff or at business meetings, which are themselves a useful vehicle for sharing compliance communications. Indeed, any integration of compliance topics with business meetings can be extremely useful, and carry greater weight in the business context. Finally, more informal settings, such as roundtables or town halls moderated by the compliance group or senior management, can serve as a means of sharing communications regularly. In some parts of the world (Latin America is a good example), even more informal communication can be important to truly have impact, so settings such as office gatherings and even social events should not be overlooked as opportunities to communicate in a less threatening environment.
Employee feedback, reporting lines and governance
It is important to remember that communication goes both ways: employees should be encouraged to contact compliance staff, either for guidance on issues that arise or to report problems or gaps. Sometimes, the absence of this type of contact can be a red flag, indicating either that employees are not recognising compliance issues or that they do not consider it important to seek guidance on these issues. Both are problems, and one solution that compliance officers are increasingly turning to is proactively calling business personnel for periodic check-ins. The first call might seem out of the ordinary to the business representative, but once that is out of the way, the compliance officer can have regular conversations and establish a true partnership. Making these communications routine will inevitably have a positive effect on the company’s compliance culture.
Employees should also have opportunities to provide feedback to the company. Though the specific mechanism to obtain feedback may vary by organisation, maintaining an email inbox, an online form process, or both, are acceptable. But the feedback system will only be successful if employees feel comfortable about sharing and providing their opinions, so organisations must do all in their power to encourage feedback. Employees should feel encouraged to share the information they deem important or valuable to the company, whether positive or negative.
Reporting compliance issues
Relatedly, it is crucial for companies to have a mechanism beyond regular business lines for reporting compliance issues. Indeed, the US Department of Justice and the Securities and Exchange Commission have made clear that an effective compliance programme, at least under the Foreign Corrupt Practices Act, ‘should include a mechanism for an organisation’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation’. A compliance hotline, which individuals may use to report concerns confidentially, is a best practice in this regard. And corresponding whistle-blower protections are also crucial. These mechanisms have several benefits.
In particular, a hotline makes clear the company’s commitment to ethical conduct and integrity, a key component of a good compliance culture. Additionally, information received through the hotline, even if not rising to the level of a regulatory or compliance breach, can be used to improve existing policies or procedures. A hotline also can make senior management aware of problems early, before they fester and become serious reputational or legal issues. And, of course, this kind of reporting channel, if effective, can be used in mitigation of enforcement actions with regulators.
The company should have appropriate whistle-blower policies and procedures that spell out how potential violations will be handled. In Latin America in particular, where concepts such as whistle-blowers and cooperating witnesses remain mostly inventions from other continents and are therefore sometimes viewed with suspicion, companies should take special care to explain them in detail to their employees. Elements of a strong whistle-blower policy include:
- the opportunity for reporters to decline to identify themselves (i.e., report anonymously), while encouraging them to identify themselves;
- reasonable assurances of confidentiality, if feasible and to the extent permitted by law;
- assurance of non-retaliation for complaints made in good faith;
- a defined process for evaluating and promptly addressing the issues raised in complaints, and potentially reporting the progress of an inquiry (even if not the results) to the original complainant;
- an internal investigations policy and infrastructure for complaints that rise to that level;
- a mechanism to use what is learned from the hotline to improve existing compliance policies and procedures; and
- periodic tests of the effectiveness of the hotline, for example by tracking previously submitted reports from start to finish.
Ensuring that proper reporting policies are in place puts the company in a better position to identify and mitigate the regulatory, monetary, operational and reputational risks of the conduct reported. A strong whistle-blower protection programme is also important and should be included in regular compliance training.
Communicating the results of compliance testing and internal audits
Effective monitoring, testing and auditing of business activity and controls are key components of an effective compliance programme. A well-coordinated testing programme as part of the compliance function not only identifies compliance oversights and policy-related breaches, but also evaluates the effectiveness of the controls in place to facilitate compliance with the applicable legal requirements at issue, including training. As a best practice, results of monitoring and testing should be communicated to the appropriate stakeholders for evaluation. Sharing the results with relevant parties allows for collaborative feedback to those conducting the tests and will better position the company to adopt corrective actions or remediation. Moreover, appropriate distribution of these results will allow for issues to be reported appropriately. These types of measures are often viewed as reinforcing management’s commitment to a culture of compliance. For these reasons, it is imperative that executive management be involved in receiving these results, provide insight on corrective action and ensure that corrective action is tracked to completion.
Separate from the compliance function and business units within the company is the internal audit function, often called the third line of defence, for organisations large enough to sustain such a function. The audit function operates independently of the compliance function and business units, and can provide executive management with risk-based reviews of an organisation’s compliance programme and risk management standards. The reviews completed by a well-coordinated audit function typically include, among other things, an evaluation of internal controls to identify compliance control issues, including the root causes, across business activities or auditable entities. The audit function also measures whether risk has been adequately assessed by business and compliance functions, and whether controls are adequate in light of the risks. The audit function is uniquely positioned to provide executive management with an unbiased assessment of the organisation’s compliance programme and assist executive management to identify aspects of the compliance control functions completed by the compliance and the business unit that can be improved. Management, in turn, should seek to communicate these findings to all relevant personnel, and to make appropriate changes in the design or implementation of the compliance programme, as suggested by the findings.
Effective internal compliance communications require avoidance of a one-size-fits-all solution. No one mould will fit all companies (given differences such as size and risk profile) and, as a result, the manner in which a company communicates with its employees will be a driving factor in the effectiveness of its compliance programme. Moreover, when significant business disruption occurs, organisations will need to be nimble about adjusting their communications to fit the circumstances and may wish to address compliance communications in contingency planning. Communications must be tailored specifically to the company, the business activity and, importantly, to the different constituencies within the company that must all comprehend at some level each aspect of the company’s regulatory compliance. This is also one of the reasons why pre-recorded or online training sessions are often less desirable than in-person, or at least live virtual, training, particularly for those within an organisation who are exposed to the greatest compliance risks. A skilled trainer can focus on the training materials while tailoring the message to the different types of employees that might attend any given session.
A culture of compliance should be fostered through ongoing communication from the highest level of the company as well as the compliance function. But in addition to these communications, business leaders at all levels should be encouraged to communicate on compliance topics, so that compliance is truly integrated with the business.
Training sessions should be tailored to the specific audience. Training content may require customisation so that each employee obtains sufficient information to comprehend the manner in which their role affects the company’s compliance as a whole. (See also Chapter 7 on Employee Compliance Training.)
Training should be sure to stress the importance of ethical principles and not just rules. Employees will come across situations that do not have a clear answer under the organisation’s policies and procedures; those can be dealt with based on broad principles if the employee has internalised the compliance message. Employees should also be encouraged to seek assistance.
Compliance personnel should not only measure how often they receive enquiries from business units, but also proactively initiate compliance-related communications. Although this could be jarring the first time, the more these types of communications happen, the likelier it will be that compliance and business functions will truly integrate.
Reports of monitoring and testing, as well as internal audit, should be circulated to relevant stakeholders and provide an opportunity to give feedback. Corrective action and remediation should be adopted whenever necessary and appropriate.
Organisations should have an established method of reporting compliance complaints, preferably a confidential hotline. It is also important to have appropriate protections for whistle-blowers who come forward in good faith.
 Daniel R Alonso is a partner, Andrew P Pennacchia is senior counsel and Benjamin W Hutten is a counsel in the New York office of Buckley LLP. Norma Ramirez-Marin is an associate in Buckley’s Los Angeles office.
 See Newbery, Charles, ‘Compliance is Taking Off in Latin America. Is It Effective?’ Americas Quarterly (22 July 2019) <https://www.americasquarterly.org/content/compliance-takes-latin-americ-it-working>; see also Diaz Reus, ‘2020 Compliance Trends in Latin America’ The Legal 500 (undated] <https://www.legal500.com/gc-magazine/interview/2020-compliance-trends-in-latin-america>.
 See, e.g., Office of the Comptroller of the Currency, ‘Compliance Management Systems’ [OCC Management Systems], p. 10 <https://www.occ.treas.gov/publications-and-resources/publications/comptrollers-handbook/files/compliance-mgmt-systems/pub-ch-compliance-management-systems.pdf>; US Dep’t of Justice [US DOJ], Criminal Division, ‘Evaluation of Corporate Compliance Programs’ (1 June 2020) [US DOJ Evaluation], p. 5 <https://www.justice.gov/criminal-fraud/page/file/937501/download>.
 See, e.g., US DOJ Evaluation, pp. 4 and 5.
 See, e.g., US DOJ Evaluation, p. 11.
 See, e.g., id., p. 5; OCC Management Systems, p. 12; Consumer Financial Protection Bureau, Examination Procedures, ‘Compliance Management Review’ [CFPB Procedures], p. 9 <https://files.consumerfinance.gov/f/documents/201708_cfpb_compliance-management-review_supervision-and-examination-manual.pdf>.
 See, e.g., US Dep’t of Treasury, Office of Foreign Assets Control, ‘A Framework for OFAC Compliance Commitments’ [OFAC Framework], p. 7 <https://www.treasury.gov/resource-center/sanctions/Documents/framework_ofac_cc.pdf>.
 See US DOJ Evaluation, p. 5.
 id., at p. 5; OCC Management Systems, p. 12.
 See, e.g., US DOJ Evaluation, p. 5.
 See, e.g., OCC Management Systems, pp. 6 and 7, 11; CFPB Procedures, pp. 5 and 6.
 See US DOJ Evaluation (updated 1 June 2020).
 See, e.g., US Dep’t of Treasury, Financial Crimes Enforcement Network, ‘Advisory to US Financial Institutions on Promoting a Culture of Compliance’ (FIN-2014-A007), [FinCEN Culture] <https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2014-a007>; UK Serious Fraud Office, ‘SFO Operational Handbook: Evaluating a Compliance Programme’, p. 5 <https://www.sfo.gov.uk/download/evaluating-a-compliance-programme/?wpdmdl=25403>; Alonso, Daniel R, ‘Loud and Clear: FinCEN Demands a Culture of Compliance’, Business Crimes Bulletin, 1 October 2014 <http://www.lawjournalnewsletters.com/sites/lawjournalnewsletters/2014/10/01/loud-and-clear-fincen-demands-a-culture-of-compliance/>.
 CFPB Procedures, p. 4; Office of the Comptroller of the Currency Compliance Management Systems, p. 6.
 See, e.g., FinCEN Culture.
 See also Federal Reserve Board Supervisory Letter <https://www.federalreserve.gov/boarddocs/srletters/2008/SR0808.htm> (emphasising the importance of boards and senior management of banking institutions to promoting strong compliance cultures within the organisation).
 See, e.g., US DOJ Evaluation, p. 5.
 See Jaeger, Jaclyn, ‘Leveraging Middle Management to Foster a Culture of Compliance’, Compliance Week (26 November 2013) <https://www.complianceweek.com/leveraging-middle-management-to-foster-a-culture-of-compliance/3801.article>; Alonso (footnote 11, above) (‘[O]ften, the key to true culture change is the contribution of informal leaders at all levels of the organization.’).
 Chen, Hui; Soltes, Eugene, ‘Why Compliance Programs Fail—and How to Fix Them’, Harvard Business Review (March-April 2018) <https://hbr.org/2018/03/why-compliance-programs-fail>
 US DOJ Evaluation, p. 11. See also OFAC Framework, p.2.
 US DOJ Evaluation, p. 11. See also OFAC Framework p. 2.
 Alonso, Daniel R.; Archer, Tiffany A.; Bistrong, Richard; Karpati, Bruce; and Lemire, Katherine A., ‘Resisting Temptation in a Crisis: Making Sure Ethics and Compliance Don’t Get Diluted Under Financial Strain’, Compliance & Enforcement (16 June 2020) <https://wp.nyu.edu/compliance_enforcement/2020/06/16/resisting-temptation-in-a-crisis-making-sure-ethics-and-compliance-dont-get-diluted-under-financial-strain/>
 See, e.g., ‘Operation Car Wash: Is this the biggest corruption scandal in history?’, The Guardian, 1 June 2017 <https://www.theguardian.com/world/2017/jun/01/brazil-operation-car-wash-is-this-the-biggest-corruption-scandal-in-history>.
 See, e.g., US DOJ Evaluation, p. 5; OFAC Framework, p. 3.
 See, e.g., US DOJ Evaluation, p. 5.
 See FINRA Notice to Members, ‘Insider Trading and Securities Fraud Enforcement Act of 1988’ <http://www.finra.org/rules-guidance/notices/89-5>.
 OCC Management Systems, p. 12; CFPB Procedures, pp. 9 and 10.
 US DOJ Evaluation, p. 5; OCC Management Systems, p. 22; CFPB Procedures, p. 11.
 See Ellis, Matteson, The FCPA in Latin America: Common Corruption Risks and Effective Compliance Strategies for the Region (2016), Chapter 4.
 US DOJ and US Securities and Exchange Commission, ‘A Resource Guide to the Foreign Corrupt Practices Act’, at 61 (2012).
 See, e.g., US DOJ Evaluation, p. 5; see also United States Sentencing Commission, ‘2018 Guidelines Manual’, Annotated §8B2.1(b)(5)(C).
 Gedan, Benjamin N; Alonso, Daniel R, ‘Only Criminals Can Clean Up Argentina’s Corruption,’ Foreign Policy (15 November 2018) <https://foreignpolicy.com/2018/11/15/only-criminals-can-clean-up-argentinas-corruption/>.
 US DOJ Evaluation, p. 7.
 See CFPB Procedures, p. 11; OCC Management Systems, p. 13.
 See, e.g., OFAC Framework, p. 3.
 See OCC Management Systems, p. 14; CFPB Procedures, p. 10.
 See OCC Management Systems, p. 14.
 See, e.g., Federal Financial Institutions Examination Council, ‘Bank Secrecy Act/Anti-Money Laundering Manual’, p. 28 <https://bsaaml.ffiec.gov/docs/manual/BSA_AML_Man_2014_v2_CDDBO.pdf>.