What the New Compliance Regulatory Environment Means for HR Professionals

- The Sarbanes-Oxley Act of 2002 and related legal and regulatory changes have created new and more comprehensive requirements for corporate compliance.

The Sarbanes-Oxley Act of 2002 and related legal and regulatory changes have created new and more comprehensive requirements for corporate compliance. These new requirements will have a major impact on HR professionals in public and private companies, who play a significant role in defining and implementing new corporate policies.

For public companies, the requirements are mandated and include new whistleblower procedures and protections, as well as guidelines for establishing and maintaining a code of conduct and ethics. These new requirements also come with increased penalties, including imprisonment terms of up to 10 years for retaliating against a whistleblower in certain circumstances.

For both private and public companies, the proposed changes to the US Sentencing Guidelines, scheduled to go into effect November 1, 2004, strengthen and expand the definition of an effective compliance and ethics program. They focus on promoting a culture that "encourages ethical conduct and a commitment to compliance with the law," through prevention and self-policing. They offer legal leniency for organizations that meet the new requirements, including the potential for reduced fines and a lower likelihood of probation if a company and/or its board or officers are found guilty of wrongdoing or malfeasance. The existence of a strong compliance program can even be a determining factor in whether a company is prosecuted at all.

HR professionals obviously need to be aware of these changes, but awareness is only the first step. As appropriate, HR professionals and others in the company may need to respond by updating or increasing training and background checks and establishing or reviewing procedures for handling employee complaints concerning illegal or unethical activity. HR officers will need to work closely with ethics and compliance officers and employee communications to implement the mandates and create a positive environment that values ethical and legal practices.

The Sarbanes-Oxley Act

The Sarbanes-Oxley Act was passed in 2002 largely in response to the problems at companies like Enron and WorldCom where billions of dollars in savings and thousands of jobs were lost due to poor corporate governance and fraud. The Act impacts all public companies with a listing on a US stock exchange. Private companies that do business with publicly traded companies may be impacted in certain circumstances and various other organizations, such as banks, are being encouraged to follow key guidelines even though they are privately held. Whistleblower Provisions

From an HR perspective, the key requirements in the Act are focused on the provisions requiring procedures for employees to be able to report concerns about financial and auditing matters in a confidential and anonymous way. The Act states that companies must establish procedures for the "receipt, retention, and treatment" of complaints received by the issuer regarding accounting, internal accounting controls, or auditing matters." It goes on to state that employees must be offered a confidential and anonymous way to raise concerns about these issues. The Audit Committee of the Board is charged with setting up and reviewing these procedures, but management is expected to handle them on a day-to-day basis.

In response to this new requirement, companies are providing employees and others with telephone and web-based hotline services to report concerns. Best practice companies are using a third party to ensure the integrity of the submission process and allow for anonymous communication with the submitter. In addition, companies are developing and implementing procedures to handle issues as they arise, document their treatment and retain important records. While the Act does not provide any specific guidance on how long these records should be maintained, most companies are planning to retain them for 5 to 7 years.

In terms of timing, US public companies with more than $25 million in revenue need to have these procedures in place by the earlier of their annual shareholder meeting in 2004 or October 31, 2004. Smaller US companies and foreign companies with a US listing have until July 2005 to comply.

Retaliation Protections and Penalties

Whether or not companies have established procedures, they need to make sure that everyone in management is aware of the anti-retaliation provisions. The Act provides for protection of whistleblowers or anyone who provides information or assists in an investigation regarding fraud against shareholders or other violations of certain SEC and Federal rules and regulations. The Act states that no one can "discharge, demote, suspend, threaten, harass, or in any other matter discriminate against an employee in the terms and conditions of employment because of any lawful act done by the employee", essentially the whistleblower.

In the event of retaliation, whistleblowers are entitled to reinstatement, back pay with interest, and compensation for special damages sustained. An individual that is found to have retaliated against an employee who provided truthful information to a law enforcement officer may be fined and/or imprisoned for up to 10 years. These provisions of the Act were effective as of July 24, 2002 and impact treatment of any employees that have reported a concern since that date.

New Exchange Requirements

Responding both to Sarbanes-Oxley and shareholder concerns, the NYSE and the NASDAQ created new corporate governance standards for listed companies. As part of the new requirements, both exchanges require listed companies to develop a Code of Conduct and make it publicly available. Key details are summarized in the table below.

In addition to requiring a code of conduct, both Exchanges have added language regarding effective handling of any issues that are reported. The NASDAQ notes: "The code of conduct must provide for an enforcement mechanism that ensures prompt and consistent enforcement, protections for persons reporting questionable behavior, clear and objective standards for compliance, and a fair process by which to determine violations."( NASDAQ Corporate Governance Standards for Listed Companies", Fenwick & West, LLP, December 11, 2003).

U. S. Sentencing Guidelines

The new U.S. Sentencing Guidelines go beyond Sarbanes-Oxley and introduce a new definition of an "effective compliance and ethics program" that is more comprehensive and specific than the existing definition of an "effective program to prevent and detect violations of law".

The proposed amendment applies to all organizations - public and private, large and small -- even though the level of effort is expected to increase with the size and complexity of the enterprise.

To meet the definition of having an effective compliance program, organizations are required to promote a culture that encourages ethical conduct and a commitment to compliance with the law. Organizations must take a proactive approach, taking affirmative and detailed steps that demonstrate the presence of an appropriate culture where doing the right thing is the norm and the standard.

Companies that comply with the new guidelines can benefit from reduced fines and a lower likelihood of probation, if they are ever charged in a federal court. At the same time, effective compliance programs that include an employee reporting mechanism have been shown to reduce fraud and related costs. Any company with more than a handful of employees can benefit from implementing an effective compliance program.

Summary of New Requirements

The latest amendment to the U.S. Sentencing Guidelines outlines 7 key requirements that are intended to broaden and strengthen the concept of an effective compliance program. The amendment proposes that such a program would include each of the following attributes:


  1. Established standards and procedures - Organizations must have established "standards and procedures to prevent and detect criminal conduct," which should include "standards of conduct and internal controls that are reasonably capable of reducing the likelihood of criminal conduct." ( Quotations refer to specific language in the proposed Amendments and related Notes. Other language is excerpted from the Reader Friendly version of the Proposed Amendments of the Sentencing Guidelines, published by the US Sentencing Commission on May 10, 2004.)
  2. Management and Board level commitment, leadership and oversight - To demonstrate senior level involvement and commitment to the program, organizations need to ensure the program has the following attributes:


    • Board-level oversight. The Board needs to be knowledgeable about the content and operation of the program and exercise reasonable oversight.
    • Senior management leadership. "High-level personnel" are responsible for ensuring the program is effective. The organization must assign a specific individual within high level personnel to have ultimate responsibility for the program´s effectiveness.
    • Adequate resources and access to Board. Certain individual(s) with appropriate authority needs to be assigned day-to-day responsibility for the program, report directly to the Board and have sufficient resources.


  3. Appropriate hiring, placement and promotion practices - Organizations are expected to "use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program."
  4. Ongoing communication and training - An organization must now regularly communicate its standards and procedures and other aspects of the compliance and ethics program "by conducting effective training programs and otherwise disseminating" appropriate information. This communication and training obligation is ongoing, requiring "periodic" updates and is targeted to all employees, including the Board, and the firm´s agents, if appropriate.
  5. Procedures for monitoring effectiveness and whistleblowing - The amendment states that an organization shall take reasonable steps to do the following:


    • Ensure consistent application of the program - Organizations need to ensure that the "compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct"
    • Periodically review program effectiveness - Firms should "evaluate periodically the effectiveness of the organization´s compliance and ethics program" and
    • Provide channels for whistleblowing - Organizations need "to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization´s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation."

  7. Alignment with incentives and disciplinary action - "The organization´s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct."
  8. Appropriate response and prevention - "After criminal conduct has been detected, the organization shall take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar criminal conduct, including making any necessary modifications to the organization´s compliance and ethics program."

Implications for Human Resources

HR professionals are sure to become involved in many, if not all of the new regulations and proposed guidelines. Much of what is being codified in these new requirements is similar to best practices that companies have previously adopted to handle harassment and discrimination issues in the past. From a practical standpoint, HR officers may need to address:

Policies and Procedures

HR may wish to review the Employee Handbook and any existing codes of conduct or policies to ensure that they are broad enough to address any potential criminal acts or other violations. At the same time, HR may wish to establish more comprehensive procedures to have employees review and acknowledge these policies and reporting procedures as part of new employee orientation and on an ongoing basis, perhaps annually.

Training and Communication

There is a heightened emphasis on training and communication of the standards and procedures and other aspects of the compliance and ethics program. It is extended to include the Board, high level personnel and those with substantial authority. At a minimum, HR will need to review and update current training programs to ensure that the company´s policy and procedures regarding the compliance and ethics program is fully communicated throughout the organization on an ongoing basis.

Background Checks

Key positions must exclude persons the organization knows to have acted contrary to ethical and legal standards. Due diligence will be required. Formerly, companies had only to disclose employees in key positions who had a propensity to engage in illegal conduct.

Board and Executive Responsibilities

Responsibility for the effectiveness of the compliance and ethics program is shifted to high level management and the Board, from compliance officers and committees. Effective oversight and management presumes active leadership in defining content and operation of the program. Oversight must have impact, with officers given the authority and resources they need. HR will be involved in revising existing and/or creating new job descriptions for the company positions responsible for development, implementation and management of the new compliance and ethics program.

Whistleblower Procedures and Anti-Retaliation

All companies must have an anonymous and confidential system to permit employees and others to report potential financial, accounting and any criminal and unethical activity without fear of retaliation. These procedures for handling complaints must ensure and facilitate proper handling and resolution, and provide proper document retention. Companies need to make sure everyone in management is aware of the anti-retaliation provisions, which protect whistleblowers and impose fines and/or imprisonment for retaliation. HR will become involved in informing all employees of the procedures for complaints as well as anti-retaliation provisions. HR will likely handle the personnel-related whistleblower complaints.

Other Personnel Implications and Risk Management

HR professionals may get involved in preventing and responding to misconduct: a) aligning incentives with performance in accordance with the compliance and ethics program, and b) ensuring appropriate disciplinary measures for misconduct and for failing to take reasonable steps to prevent or detect such conduct. HR may also become involved in periodic risk assessment. Organizations are required under the amended U.S. Sentencing Guidelines to "evaluate the nature and seriousness of potential criminal conduct, the likelihood that criminal conduct might occur because of the nature of the organization´s business and prior history of the organization." For example, this could be in the areas of sales, international payments, pricing, or any other area in which the potential for criminal conduct may higher given the nature of the business.


HR professionals have a key and integral role in helping their organizations comply with The Sarbanes-Oxley Act of 2002 and the proposed changes to the U.S. Sentencing Guidelines. Best practices that previously were implemented by HR to handle harassment and discrimination issues need to be expanded and modified to handle other legal and ethical concerns. By working side by side with fellow senior management, compliance officers, and employee communications officers, HR can help create an organizational culture that encourages ethical conduct and a commitment to compliance.

A successful compliance program can help prevent legal and regulatory problems and reduce the severity of charges if problems arise. At the same time, an effective compliance program helps maintain and improve employee morale and performance and is something that employees, customers and investors all value. Bottom line: effective compliance leads to better, more sustainable business results.

The HR industry´s premier online community and resource for Human Resource professionals: HR, human resources, HR community, human resources community, HR best practices, best practices in human resources, online communities for HR, HR articles, HR news, human resources articles, human resources news, HR events, leadership, performance management, staffing and recruitment, benefits, compensation, staffing, recruitment, workforce acquisition, human capital management, HR management, human resources management, HR metrics and measurement, organizational development, executive coaching, HR law, employment law, labor relations, hiring employees, HR outsourcing, human resources outsourcing, training and development
hr.com. human resources management resources for hr professionals. | HR menus | HR events | HR Sitemap