To be compliant, or not to be, that is the question. Is it more dignified to deny and bear the risk of criminal prosecution of your company, or to resist and be prepared? Enough of the classics. If we choose to be ready, let’s see what we should do or know.
Did you miss the first part of the article? Worry not, you can find it here.
1. Identify risks
To identify risks sufficiently, one should first be familiar with the following:
- corporate personnel structure and relationships between individual departments/employees;
- powers and responsibilities of individual departments and employees;
- corporate business activities and established relationships with suppliers and buyers;
- other non-business activities in which the company is involved;
- internal processes and already implemented internal rules of the company.
Based on this analysis, one will be able to identify the assets/values of the company, as well as the assets of third parties, which could be threatened if a company employee commits a crime. These assets must include not only tangible property, but also, for example, qualified human resources, a secured information network, an established corporate culture, internal information or properly maintained accounting.
The assets must be assessed in the context of a list of crimes that can be committed on behalf of a legal entity.
2. Establish rules (a compliance program)
An elaborated compliance program in the area of criminal liability should:
- contain the basic components of a well-functioning system: (i) crime prevention, (ii) detection or control, and (iii) response to detected cases;
- take into account the processes already in place, if the company has implemented other compliance programs (e.g. in the area of IT security, personal data protection, occupational safety and health or environmental protection);
- be adapted so that it has an impact on all job positions and processes covered by the performed analysis and the identified risks;
- in its scope of regulation, take into account typical criminal offences (for example, favouring a creditor, embezzlement, fraud, evasion of taxes and fees, environmental damage, bodily harm by negligence, etc.).
The established rules must mainly (i) take into account the individual needs of the company, (ii) be understandable to the addressees, and (iii) address the actual risk, not just a fictitious one.
Relevant persons have to be repeatedly acquainted with the established program; compliance must be checked, violations punished, and the program's content regularly updated.
Small and medium-sized companies usually have their criminal compliance programs developed by an external consultant who has the knowledge, capacity and experience, and they subsequently retain that consultant as a compliance consultant. Large companies recruit their own employees and use external consultants mainly when assessing a specific existing situation and preparing a counter-opinion.