Featured image

Small but mighty: 5 essential steps for an E&C department of one

Setting up an effective ethics and compliance program that makes an impact in your organization is difficult at the best of times. Compliance risks evolve and change. Laws and regulations are complex. Employee populations have different languages and cultures. Mergers and acquisitions require integration into the program. And misconduct can occur anytime, anywhere.   

It’s even more challenging when there’s just one person responsible for E&C, which frequently happens with startups or small companies. If you are in that situation, what are the most important steps to be effective and impactful? Here are five essential steps that can help set yourself up for success. 

Identify the E&C risks to mitigate 

It’s easy to get bogged down in a deluge of issues and questions if you are the only person running a program, particularly if the E&C function is new to the organization. But understanding the organization’s compliance risks and mitigating them as effectively as possible is the reason why there is an E&C function in the organization in the first place. Not everyone—even those in the same sector or business—faces the same risks in their operations, so spend time understanding yours.  

Dive into any available data from threatened or actual regulatory actions in your industry, or any other relevant sources. What are the catastrophic risks that could damage the company, and how likely are they given the company’s business operations? These risk areas could include: 

Even small companies have been prosecuted for regulatory failures or faced embarrassing and costly settlements of sexual harassment claims. Plan out your E&C program to address and prioritize the most serious risks.  

Tackle ethics and compliance training first 

Once you identify your risks, start training your colleagues as soon as possible. Heavily regulated areas such as insurance, pharma, and financial services require employees to follow strict rules that are not usually intuitive. For example, a technical services startup may find that its customers include banned Russian entities as a result of sanctions imposed in connection with the Ukraine war. A retail operation needs to ensure that its suppliers are not engaging in child labor or human slavery. Any business that handles customer information must care about data privacy. And biotech startups are subject to ongoing FDA oversight as the recent Theranos scandal dramatically illustrated.  

Getting any of these fundamental compliance requirements wrong can severely damage the company. However, trying to train everyone on every risk topic regularly (and in person) and keep the content updated will eat up your limited time. So, it's important to give employees the tools to do their jobs, including the rules they need to know. Getting in place a well-functioning E&C training program that is easy to access and includes foreign language capability is worth the investment and can address future risks and topics. It also shows a commitment to compliance that will resonate with regulators if things go wrong. 

Make everyone a compliance officer 

Training is only as good as employees’ willingness to internalize it. From the outset, use a values-based approach to engage and enlist everyone in building an ethical culture.  Ask the leadership team to regularly mention ethics and the values that guide the organization. Develop communications to reinforce key training messages and get them into the drinking water. Focus on individual responsibility to work in accordance with company values, whether written into a policy or not. You can’t have a rule for every occasion at the outset, but you can have a value that’s relevant, whether it’s respect, integrity, excellence, or another. 

Forming alliances and cooperative relationships will also help you scale out your program. Don’t just stay in the Legal department or other byway of the organization. Meet with the business leaders, heads of major functions (HR, Audit, Security, Risk, Finance, IT), and employees in key risk functions such as procurement.   Get their input on what keeps them up at night, what’s coming around the corner, and how they can reinforce key values and messages. 

Build your E&C program wisely and strategically 

Brief your management on your short-term and long-term objectives. If they understand your long-term vision, they are more likely to provide the right resources. Focusing on E&C as a catalyst for principled performance positions your program to enhance the organization’s culture overall.   

An increasing number of companies, including startups, understand that good ethics and compliance are part and parcel of sustainability and make their commitment to E&C a positive part of their brand. Framing your program as risk identification and mitigation, similar to IT security or EHS (environment, health, and safety), helps establish E&C as a necessary component of doing business profitably and sustainably, not just a burdensome legal requirement.   

Focus on simplicity and make the program user-friendly 

Too often, new compliance officers mistake activities for impact. Many companies that have spent millions of dollars on their E&C programs nonetheless have catastrophic compliance failures. You need to implement the other basic elements of a solid E&C program—policies, code of conduct, hotline, and audit/assurance—but it’s important you do so both in the context of values and with a focus on your “customers,” i.e., everyone else in the organization. This is your chance to get it right from the start.   

Don’t overload your program with long legalistic policies or a code of conduct that no one can (or will) voluntarily read. Keep it simple and to the point. Invest in your E&C website, consider a mobile app for your program, and use modular training that can be taken anywhere, anyplace. Look at how your colleagues work and find ways to add ethics and compliance messages and content that is relevant to them. 

The key takeaway 

At LRN, we think about E&C programs as evolving and maturing over time—not as static, paper-based checklists. Whether you’re a team of one or have a full team behind you, building an easy-to-use, accessible program that helps your business make the right decisions and your employees treat each other with respect is more impactful and sustainable in both the short-term and the long-term. To learn more, download a copy of the 2022 Ethics & Compliance Program Effectiveness Report. 

 This article was originally published in The Compliance & Ethics Blog.