Bulletin on Corporate Compliance Programs

Previous     Table of Contents     Next

Part IV - Basic Requirements for a Credible and Effective Corporate

There are five elements that are fundamental to a proper compliance program regardless of the particular model adopted, its level of complexity or the size of a business. These five essential elements are:

1. Senior Management Involvement and Support
2. Corporate Compliance Policies and Procedures
3. Training and Education
4. Monitoring, Auditing and Reporting Mechanisms
5. Consistent Disciplinary Procedures

1) Senior Management Involvement and Support

Senior management's clear and unequivocal support is the foundation of a credible and effective corporate compliance program.

Senior management, in the performance of their fiduciary duties, must always exercise care, skill and diligence and act in the best interests of the business, with particular attention paid to relevant statutes and regulations. They must identify the principal risks faced by the business and implement appropriate systems to manage them.

Senior management must foster a culture of compliance within the business organization by playing an active and visible role in promoting its program. By demonstrating its commitment to compliance, senior management is conveying the message that contraventions of the Acts are not acceptable as legitimate business practices. To sustain a culture of compliance, senior management should periodically reinforce its message. It is important to note that presenting values and principles but not acting upon them could render them useless. Failure to execute is the main reason why programs fail.

Suggestions to help meet this basic requirement include the following:

• clearly promote compliance with the Acts as a fundamental part of the business policy;
• senior management should commit to compliance expressly;
• senior management should be accountable for promoting and complying with the Acts; and
• appoint a member of senior management as a compliance officer, responsible for ensuring compliance and who will deal with all questions and concerns pertaining to compliance with the Acts.

2) Corporate Compliance Policies and Procedures

The substantive content of a corporate compliance program is described in a company publication.

The development and documentation of compliance policies and procedures tailored to a business' operations are critical to a program's success. Such policies and procedures should be updated when required to reflect material changes to the business, the law, the Bureau's enforcement policies, or to the industry (for instance, deregulation). Reasonable measures should be taken to promptly notify all employees of such changes. This documentation should also be widely available to all employees in a readily accessible format.

Examples should be included to demonstrate the relevance of the policies and procedures to the employees' daily activities. For example, if a business often submits bids, a list of DOs and DON'Ts when preparing a bid submission could be included in the policies and procedures.

Suggestions to help meet this basic requirement include the following:

• establish clear compliance policies and procedures and distribute to all relevant¹⁶ staff;
• continuously assess compliance policies and procedures (for instance, based on a change in the industry, lessons learned, a Bureau investigation, or complaints) and take reasonable measures to promptly notify all employees of such changes;
• design policies and procedures for different business units based on the competition risks that may arise (for instance, a list of DOs and DON'Ts and "Red Flag" issues); and
• request employees to sign a certification letter (see sample at Appendix B) stating that they have read and understand the Corporate Compliance Program in place.

3) Training and Education

A credible and effective corporate compliance program includes an ongoing training component focussing on compliance issues for staff at all levels who are in a position to potentially engage in, or be exposed to, conduct in breach of the Acts.

1. Why Businesses Need to Conduct Training

A major objective of a program is to prevent contraventions of the Acts. Senior management and staff alike need to understand the parameters of acceptable behaviour. Training employees to be able to detect prohibited conduct and educating them about the range of penalties and remedies for non-compliance is essential.

2. How to Train Employees

Education and training should demonstrate to staff, in a practical way, how compliance policies and procedures affect their daily activities¹⁷. Documents alone can only go so far in promoting compliance. The most important thing is that a business chooses the most effective vehicles to train its employees. In this regard, small group seminars and workshops are a proven way to effectively educate staff. Bringing together employees who perform similar duties to present and discuss scenarios dealing with the specific realities of their work provides the link between the business’ policies and procedures and the situations an employee may face. Additional training could include descriptions of prohibited conduct and the issuance of regular bulletins that discuss current compliance issues that may affect the operations of the business.

A credible and effective program must be successful at training on the general principles and the specifics for individuals who deal with situations that could raise issues under the Acts.

The Bureau offers a variety of publications and compliance tools that can be used in the training and education component of a business' program¹⁸.

3. Delivery of Training

Effective training is best delivered by experts (i.e. by legal counsel or a compliance officer) and should be given consistently throughout the business to avoid conflicting information. Regardless of the methods used, it is crucial to allow employees the opportunity for extensive discussions on questions and answers.

Senior management should also play an active role in delivering compliance messages to employees, reinforcing their support for the program. As such, senior management may wish to capitalize on the information made available by the Bureau to train its employees and provide them with examples of how companies and individuals have been sanctioned for breaching the Acts.

4. Evaluation of Training

The effectiveness of a compliance training program must be regularly evaluated by the business' compliance officer or its equivalent. One way is to regularly test the employees’ knowledge of the law and the company's compliance policies and procedures to determine whether its program needs to be updated or modified.

Suggestions to help meet this basic requirement include the following:

• train all employees at an early stage (for instance, during an initial orientation session) regarding the importance and expectation of compliance;
• train senior management and staff as required in the particular circumstances to recognize and address compliance issues;
• regularly assess the employees’ knowledge of compliance policies and procedures; and
• document all training sessions.

4) Monitoring, Auditing and Reporting Mechanisms

Monitoring, auditing and reporting mechanisms are vital to the success of any corporate compliance program.

Effective monitoring, auditing and reporting mechanisms help prevent and detect misconduct; educate staff; provide both employees and managers with the knowledge that they are subject to oversight; and determine the program’s overall efficacy.

The most effective monitoring, auditing and reporting procedures are those that also enable companies to identify areas of risk, areas where additional specific training is required and areas where new compliance issues may require new policies to be developed. The format of this component will depend on the business' particular needs, such as the extent of its exposure to potential contraventions of the Acts. The Bureau does not endorse any particular procedure or combination of procedures; rather, a business should be satisfied that the measures it implements are generally effective to prevent breaches of the Acts and to detect and address them if and when they do occur.

1. Monitoring

Monitoring refers to the ongoing procedures implemented to prevent contravention of the Acts. Evidence of such efforts may also support a due diligence defence should litigation arise¹⁹. Depending on the risks, periodic or continuous monitoring may be necessary. A business could take the opportunity to verify whether any of its internal or external practices may potentially contravene the Acts.

2. Auditing

Audits may be periodic, ad hoc or event-triggered and are designed to determine whether a contravention has occurred. The way in which audits are conducted is likely to vary from one company to another depending on the specific risks faced. Audits are designed to identify whether a contravention of the law has occurred and, if so, to ensure that it has been dealt with appropriately.

3. Reporting

An internal reporting procedure encourages employees to provide timely and reliable information that can be the basis for further investigation by the business. Employees must be encouraged to freely report conduct that they believe contravenes the Acts or company policy. The program, should clearly identify which actions require reporting, and when and to whom they should be reported.

An effective reporting system can be achieved in different ways, for example by implementing a confidential reporting system, endorsing an open-door policy, promoting an anonymous hotline or by identifying legal counsel as compliance resources.

While an internal reporting mechanism is important, there may be situations where the use of an external reporting mechanism would be more appropriate. A program should also educate employees at all levels on the Bureau’s Immunity Program and the whistleblowing provisions (sections 66.1 and 66.2 of the Competition Act)²⁰.

Suggestions to help meet this basic requirement include the following:

• monitor business activities continuously or periodically, as appropriate, to ensure compliance;
• review the program when issues arise or are detected;
• conduct audits to confirm whether a business is fully complying with the Acts; an audit may include a review of paper and computer files of staff who are exposed to a greater risk;
• take immediate action to stop any contravention of the Acts;
• cooperate with the government where a breach has occurred (which involves self-reporting);
• put in place a confidential reporting procedure (for instance, inform senior management when an incident occurs and report to legal counsel);
• identify employees who are exposed to a heightened risk (for instance, based on roles and responsibilities, previous issues and misconduct); and
• document all compliance efforts.

5) Consistent Disciplinary Procedures

Consistent disciplinary measures demonstrate the seriousness with which the company views conduct in breach of the Acts.

A disciplinary code or policy addressing those who initiate or participate in conduct in breach of the Acts, or those who do not abide by a business’program, is important not only for deterrence purposes, but also as a reflection of the business' policy against such conduct. A credible and effective program should explicitly state that disciplinary actions (for example, suspension, demotion, dismissal and even legal action) will be taken where an employee contravenes the Acts.

All disciplinary actions and procedures should be recorded as proper documentation can support a claim of due diligence defence where a business is found to be in contravention of the Acts²¹.

Suggestions to help meet this basic requirement include the following:

• take appropriate and consistent disciplinary action (up to and including dismissal) for failing to comply with the business' program or with the Acts; and
• create an incentive system for employees at all levels to adhere to the business' program (for instance, compliance could be considered for the purposes of employee evaluations, promotions and bonuses).

---

¹⁶For the purposes of this document, "relevant staff" means those who could be in a position to potentially engage in, or be exposed to, conduct in breach of the Acts.

¹⁷See Appendix C - The DOs and DON’Ts.

¹⁸Appendix D - Selected Bureau Publications and Multimedia Tools- lists a number of such publications, including a series of pamphlets explaining various provisions of the Acts, multimedia tools as well as detailed guidelines and bulletins on various provisions of the Acts. See also Appendix A - Corporate Compliance Program Framework and Appendix C - The DOs and DON’Ts.

¹⁹See Part V - Consideration Given to Corporate Compliance Programs which refers to the due diligence defence.

²⁰For more information on how to apply for immunity under the Competition Act, see the Bureau’s Immunity Program under the Competition Act (Ottawa, Industry Canada, 2007), the Adjustments to the Immunity Program (Ottawa, Industry Canada, 2007) and the Responses to Frequently Asked Questions (Ottawa, Industry Canada, 2007). For the other three statutes enforced by the Commissioner, see The Federal Prosecution Service Deskbook, Part VII Policy in Certain Types of Litigation, Chapter 35 - Immunity Agreements (Ottawa, Department of Justice Canada, 2005) available online at www.justice.gc.ca.

²¹See Part V - Consideration Given to Corporate Compliance Programs which refers to the due diligence defence.