Sifting through my e-mail last week, I came across a product announcement from GRC software provider Axentis. Most often I send such things straight to the recycle bin, but about halfway through this one, there was a reference to the U.S. Sentencing Commission and the seven elements of an effective compliance program in the U.S. Sentencing Guidelines.
What are guidelines for compliance programs doing in the sentencing guidelines? Besides, if you're dealing with the sentencing guidelines, you've already been found guilty of a federal crime, I thought. Isn't it a little late for compliance program tips? And I couldn't believe I'd never heard of these "seven elements" in all the time I have covered compliance issues.
So I asked Axentis vice president of GRC and privacy practices, Brett Curran, to help me understand how these things fit together. (You can see the full interview here.)
First of all, the U.S. Sentencing Guidelines were promulgated in 1991 to provide a means for just punishment. The seven elements of an effective compliance program are found in Chapter 8 of those guidelines, Curran says. After a company has been found guilty of certain federal crimes, the courts use sentencing guidelines and the seven elements to assign a culpability score to the company's actions.
According to Curran, a summary of the seven elements is as follows:
- defining and having policies, procedures and controls.
- designating high-level personnel to manage and oversee the program day-to-day.
- periodically communicating policies, procedures, standards and training to individuals based on roles and responsibilities.
- auditing and monitoring the program periodically to assess its effectiveness.
- promoting the program and enforcing it consistently throughout the organization.
- taking action to prevent future problem occurrences.
- periodically assessing risks and modifying controls and policies accordingly.
The courts then use the culpability score to determine the proper punishment. If a company can demonstrate that it has implemented the seven elements of an effective compliance program, Curran says, its culpability score can decrease significantly.
The story doesn't end there, though. As Curran pointed out, the elements are being included as requirements in federal legislation with increasing regularity:
There's increasing awareness of those guidelines, probably because a lot of the federal agencies have begun modeling their laws and regulations in a way that those same seven elements are being included and required. ...If you look at HIPAA, that's a good example... Same thing in the PATRIOT ACT or the Bank Secrecy Act ... Even in Sarbanes-Oxley ... It's all about controls and monitoring and testing and signing off at the top that, yes, we know what's going on and [the reports are] accurate.
And the advice Curran would give to companies looking to preemptively implement an effective compliance program as set out in the U.S. Sentencing Guidelines?
[T]hose guidelines have to be applied in a real way. It's more than lip service. You've got to be able to produce accurate and timely evidence that due diligence has been applied consistently according to those guidelines. And that's at minimum.