Compliance Management for Public, Private, or Nonprofit Organizations


Post on 28-Jun-2018







  • Compliance Management for Public, Private, or Nonprofit Organizations



  • Compliance Management for Public, Private, or Nonprofit Organizations

    Michael G. Silverman

    New York  Chicago  San Francisco  Lisbon  London  Madrid  Mexico City  Milan  New Delhi  San Juan  Seoul  Singapore  Sydney  Toronto

  • Copyright 2008 by Michael G. Silverman. All rights reserved. Manufactured in the United States of America. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.


    The material in this eBook also appears in the print version of this title: 0-07-149640-8.

    All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.

    McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. For more information, please contact George Hoare, Special Sales, at or (212) 904-4069.


    This is a copyrighted work and The McGraw-Hill Companies, Inc. (McGraw-Hill) and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill's prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

    THE WORK IS PROVIDED "AS IS." McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.

    DOI: 10.1036/0071496408

  • To Liz and to all those I love . . .

    . . . with a special thanks to Beatrice and Carl


  • Contents

    Acknowledgments xiii
    Introduction xv

    Part I: Setting the Context

    1 The Expanded Focus on Compliance 3
      The Forces at Work 5
      The Judiciary 6
      The Legislative Response 10
      The Expanding Role of Federal Agencies 12
      State Governments 17
      Government Examines Its Own Operations 18
      The Nonprofit Sector 19
      Private-Sector Oversight 21
      Corporate Social Responsibility 21
      Shareholders and NGOs 22
      Global Telecommunications and the Internet 27
      Summary 28

    2 The Mandate for Compliance 31
      Regulatory Compliance 33
      Internal Corporate Compliance Systems 37
      The Private Sector and Organizational Compliance 39
      The Nonprofit Sector 47
      The Public Sector 50
      Summary 52

    Part II: The Foundations of Compliance

    3 Compliance and Ethics: Challenges and Approaches 55
      Intertwined but Not Interchangeable Concepts 56
      Motivations for Compliance 57
      Barriers to Compliance 59
      The Organization's Cultural Framework 61
      Rules versus Integrity 63
      Corporate Codes of Conduct 64
      Creating an Ethical Culture: The Linchpin 70
      Nonprofit Organizations 72
      Public Sector 74
      Summary 75

    4 Leadership and Culture: The Foundations of Compliance 77
      The Legal and Regulatory Underpinnings 79
      Self-Regulatory Organizations: New York Stock Exchange 84
      Boards of Directors 85
      Nonprofit Organizations 92
      Senior Management 96
      Public-Sector Organizations 99
      Summary 101

    Part III: The Modern Compliance Organization

    5 Managing Compliance: Goals and Structure 105
      Designing the Compliance Program 106
      Government and Regulators' Guidance 108
      The Compliance Program Charter 110
      Features of a Modern Compliance Program 113
      The Compliance Structure 116
      Outsourcing Compliance 124
      Coordinating the Compliance Program 127
      Staffing the Compliance Program 131
      The Role of the Chief Compliance Officer 134
      Budgeting for the Compliance Program 141
      Small and Medium-Sized Organizations 144
      Summary 149

    6 Policies, Communication, and Training 151
      Policies and Procedures 151
      Communication 158
      Training 161
      Summary 173

    7 Hotlines, Whistle-Blowers, and Investigations 175
      Whistle-Blowing Programs 175
      Instituting a Whistle-Blowing Program 179
      Managing Information 187
      Tracking Inquiries 188
      International Operations 189
      Related Issues 189
      Conducting Investigations 191
      Summary 197

    8 Information and Technology: Challenges and Tools for Compliance 199
      Federal Regulatory Requirements 200
      State Regulatory Requirements 201
      International Requirements 201
      Technology Standards 202
      The Challenge of Multiple Regulations 202
      Creating a Multidimensional Compliance Framework 204
      Privacy and Information Security 206
      Third-Party Relationships and Outsourcing 211
      Compliance Technology Tools 211
      Education, Communication, and Training 213
      Summary 214

    9 Compliance and Oversight: Risk, Monitoring, Audits, and Regulators 215
      Compliance Risk 215
      Regulatory Requirements 216
      Standards-Setting Organizations 218
      Governance and Compliance Risk 219
      Compliance Risk Assessment Process 221
      Compliance Monitoring and Audits 235
      Regulators 243
      Summary 245

    10 Compliance and Controls 247
      Government Regulations 248
      Internal Control Regulation and the Public Sector 251
      Self-Regulatory Organizations: New York Stock Exchange 251
      Standards Setting Organizations: Committee of Sponsoring Organizations of the Treadway Commission 252
      The Internal Control Program 258
      Summary 264

    11 Evaluating Compliance 267
      Criteria for Compliance Effectiveness 269
      The Need for Evaluation 271
      Techniques for Evaluating Compliance 271
      Assessing Compliance Effectiveness 272
      Postevaluation Actions 283
      Summary 284

    Part IV: The Future of Compliance

    12 Compliance, Going Forward 287
      Brief Retrospective 288
      A Profession with Growing Pains 288
      At the Crossroads 289
      The Road Ahead 294

    Resources 295
    Index 299


  • Acknowledgments

    I want to thank all those persons who freely and generously gave me their time, thoughts, and help throughout the different stages of this book: Steve Michaelson, Fred Dietz, Hans Decker, Joan Helpern, Laurie Zeligson, Kalisa Barratt, Sadie Koga-Kadish, John Lenzi, and Abigail Goren Matthews.

    A thank-you to Freddy Trejo for his illustrations, and special thanks to Richard Goren.

    I also wanted to acknowledge the number of people who spoke to me on background whose ideas, candor, opinions, and insights made this book possible.



  • Compliance Management for Public, Private, or Nonprofit Organizations offers a comprehensive look at the role that compliance plays in our modern organizations. It examines not only the traditional compliance issues associated with law and regulation, but, equally important, the broader role that ethical behavior, organizational structure, technology, administration, and risk management play in developing an effective compliance program.

    In the last two decades, the concept of compliance has become increasingly intertwined with the governance of our modern complex organizations. The failure of organizations, from Enron to the Red Cross, to comply with laws, regulations, codes of conduct, and ethical standards of good practice have heightened our awareness of these critical issues. Indeed, accountability, transparency, adherence to laws and regulations, ethical conduct, and standards of conduct and behavior have become as much a part of how organizations manage their affairs as their primary mission and operations. This simple fact applies to organizations in the public, private, and nonprofit sectors of our economy.

    Why should organizations care about compliance and about developing an effective compliance and ethics prog