Congratulations! You’re pre-IPO. You’ve spent countless days, nights, and weekends at your private company gearing up for the big day. It’s such an exciting time – and the level of preparedness needed is instrumental to your company’s success. After all, IPO is just the beginning of a long road of delivering growth and shareholder value. And to boot – you’re now responsible for ensuring compliance at your company.
So where do you start? As you work to set up the elements of your effective compliance program, prioritize these four must-have compliance fundamentals to set you up for success:
#1: Develop and deploy a Code of Conduct (and supporting policies)
It is imperative that your employees know on a day-to-day basis how to behave and make decisions aligned with the company’s values and in compliance with all laws and regulations. The Evaluation of Corporate Compliance Programs (the “ECCP”) agrees, as it states “As a threshold matter, prosecutors should examine whether the company has a code of conduct that sets forth, among other things, the company’s commitment to full compliance with relevant Federal laws that is accessible and applicable to all company employees.”
A Code of Conduct establishes rules and behaviors for which your employees are expected to adhere. It sends a positive message internally as a resource for employees and performance benchmark. Externally, a Code serves as the company’s explicit commitments to third parties, shareholders, and the community in which it serves.
Where to start (three options):
- Leverage existing Code and policy templates from organizations that carry similar risk and adapt to your organization’s tone and voice.
- Build an in-house Code of Conduct and supporting policies from scratch. Best practice codes are generally values based and include guidance around ethical decision making, links to company policies, and frequently asked questions. Policies are best when drafted in plain language (versus legalese).
- Hire a third-party expert to build a Code of Conduct for you in collaboration with your subject matter experts/key stakeholders.
#2: Establish an Employee Reporting Mechanism
In addition to having well communicated standards and expectations in place, employees must have an easy, safe, and secure avenue to report suspected violations of wrongdoing.
The ECCP calls for companies to have an “efficient and trusted mechanism by which employees can anonymously or confidentially report allegations of breaches…of suspected or actual misconduct”.
Where to start:
Engage with a third-party provider that:
- Is available to employees via multiple modalities 24/7/365.
- Gives employees the ability to anonymously report, if desired.
- Tracks calls or web-based allegations with and an end-to-end process from intake to closure that includes items like response times and who and when to hand off a case.
- Provides outputs, like dashboards, for Compliance to actively track and report.
#3: Enable Effective Training
The first two tools are effective only if employees know about them and have ample opportunity to practice making effective decisions.
Therefore, risk-based training is an essential way to educate and promote awareness around your company’s risks and ensure that business can have sustainable growth. Trust is what drives the most successful businesses.
The ECCP does not mandate a particular amount of training time, but rather wants companies to focus on preventing crime. So, think about what types of activities would get your company into trouble, and work backwards from there to ensure you’re delivering the right guidance to the right people.
Where to start:
- Start with fundamental courses: Code of Conduct, Harassment and one additional topic most apt for your business risk (e.g., data privacy, bribery and corruption, information security, conflict of interest).
- To ensure efficacy, deliver training that is optimized for each learner and focuses on learning by doing, provides real-time feedback and coaching, and ensures any gaps identified are remediated real-time and all employees attain 100% proficiency.
- Review the behavioral intelligence collected to understand if there are learner readiness or clarity issues around certain risks. This will help you identify potential hot spots and plan subsequent awareness and reinforcement.
Once you get initial training under your belt, check out how to issue less training in future years and still be in alignment with DOJ Guidance here.
#4: Create an ongoing risk assessment process and targeted disclosures
A robust compliance program works to mitigate risks specific to your business. In order to make sure employees do their jobs the right way, you first need to identify the risky tasks and behaviors that can get well intentioned people, and ultimately your company, into trouble.
This is especially important for a pre-IPO company, as employees may be interfacing with third parties including VC firms, investment bankers, and shareholders.
Where to start:
- Use the risk areas identified in your Code as a guide for what to focus on and prioritize.
- Look into common regulatory concerns facing your industry peers and competitors. You will want to ensure you are looking at risks based on region and jurisdiction as well.
- Set up meetings with HR, Audit, and Legal and go on a listening tour to understand what’s keeping them up at night. They can point you to additional areas of risk you may not be considering.
- For each risk category identified, determine a likelihood and impact rating as high/medium/low and review these ratings with the other stakeholders to get consensus.
- Implement conflicts disclosures to all employees to establish a baseline, including third-party interactions and outside business activities.
Think of these four compliance must-haves as foundational building blocks. One which you can build on to drive a culture of compliance while mitigating risk at your new company. Once you have this pre-IPO foundation in place, you can start to build out a long-term strategy for compliance excellence. But that’s for another blog post!