Core principles of a credible and effective compliance program

Overview

What is a credible and effective compliance program?

A compliance program is a set of business practices scaled to your organization’s size, resources and risks. Organizations of all sizes can benefit from having a compliance program, but that does not mean all businesses must have the same compliance program.

You do not have to create a separate compliance program for competition law. But you should factor competition and marketing risks under Canadian laws into your compliance program.

To be credible, your program must at a minimum show your business’ genuine commitment to obeying the law and competing fairly.

To be effective, your program must inform all your people, and those acting for your organization, that compliance is important. It must inform them of their legal duties and your internal compliance measures. It should also give you the tools to prevent and detect misconduct.

Even the most effective compliance program might not stop all illegal activities. Your organization could still face problems that, if left unchecked, could lead to fines and other penalties. The good news is that you can reduce these risks by having a credible and effective compliance program in place.

What are the core principles of a credible and effective compliance program?

A credible and effective compliance program should cover the following actions:

Principles of a credible and effective compliance program

  • Description of image – Principles of a credible and effective compliance program

    The image is a diagram that represents how your organization can build a credible and effective compliance program.

    At the core of a credible and effective compliance program is having a culture of compliance and of management support and having a strong and independent compliance officer.

    To build a credible and effective compliance program, also adopt the principles given below:

    • assess your risks
    • implement compliance policies, procedures and controls
    • train and communicate with your people
    • use effective reporting systems to empower your people to report concerns without fear of retaliation
    • monitor and audit compliance measures
    • offer incentives for compliance leadership and penalize violations by imposing disciplinary measures

    Business is dynamic, so your compliance should be too. You should regularly evaluate your program and revise compliance measures in light of changes in any of the principles mentioned above.

How does the Bureau look at compliance programs?

We will consider a compliance program to be credible and effective when you can demonstrate to us that it was reasonably designed, implemented and enforced in the circumstances. This means that it addresses your organization’s risks within your resources and in light of your business activities. We will look at factors such as the size of your business, the industry in which you operate, and the efforts you have made to comply with the law.

If we investigate your organization, in some cases we might review your compliance program to understand whether it is credible and effective. We will consider information and evidence that we see throughout our investigation that speaks to the credibility and effectiveness of your compliance measures. Generally, we do not provide the service of reviewing compliance programs.

Build a culture of compliance with management support

What this means

Culture of compliance

Culture refers to the core values that define your organization. Having a strong culture of compliance means having an environment where everyone can say and do the right thing and this commitment is aligned with the goals and vision of the business.

Your business’ leaders should foster a culture of compliance in your organization. However, employees at every level have a role to play. You should also encourage your service providers and other third parties working with your organization to develop a culture of compliance.

Management support

“Tone from the top” is an essential part of a culture of compliance. Your organization’s leaders should be clear, vocal and visible in promoting compliance. Managers should foster an open culture where compliance is part of an ongoing conversation. However, it takes more than mere words; they should lead by example. Leaders’ actions and decisions should demonstrate that breaking the law is unacceptable. This empowers your employees at all levels to keep compliance in mind in their everyday work. Having buy-in at all levels is a key part of a strong culture of compliance.

  • A small reminder on what makes a compliance program credible and effective

    Your compliance program needs to be credible and effective to truly help you.

    To be credible, your program must at a minimum show your business’ genuine commitment to obeying the law and competing fairly.

    To be effective, your program must inform all your people, and those acting for your organization, that compliance is important. It must inform them of their legal duties and your internal compliance measures. It should also give you the tools to prevent and detect misconduct.

    Your program should be reasonably designed, implemented and enforced in the circumstances. This means that it addresses your organization’s risks within your resources and in light of your business activities.

Why it matters

Your organization’s culture of compliance and management support impact all aspects of your compliance program.

Creating a culture of compliance has many benefits:

  • it enables management and employees at all levels to confidently do the right thing
  • it empowers them to speak up if they notice any non-compliance or risky behaviour
  • it will enhance the reputation of your organization among present and potential customers
  • it will help you in recruiting and retaining the best talent

You can undermine your business’s credibility if you say you have a compliance program but fail to act on it. Besides poisoning your culture, this will reduce the benefits that compliance measures may bring to your organization. Compliance programs can easily fail without effective implementation and management commitment.

Tips on how to do it

Tips on how to build a culture of compliance with management support

  • Description of image – Tips on how to build a culture of compliance with management support

    The image is a diagram that gives tips on how your organization can build a culture of compliance with management support.

    To foster a culture of compliance, all members of an organization must be involved.

    The board of directors should adopt a culture of compliance. Senior management and the compliance officer should implement this culture. This will positively influence the employees to incorporate compliance in their activities.

    Management support and a culture of compliance go hand in hand. At the centre is a yin-yang diagram of the following tips:

    To build a culture of compliance:
    • Involve the whole organization
    • Make the compliance officer visible
    • Protect employees from retaliation
    • Practise diversity and inclusion
    To build management support:
    • Maintain oversight at the highest level
    • Practise what you preach
    • Incentivize compliance leadership
    • Choose the compliance officer wisely

To build and promote a culture of compliance, your organization needs the support of:

1. An engaged and committed board of directors or highest governing authority

  • Maintain oversight at the highest level
    • The board, either as a whole or through a committee, should set the mandate for a compliance program and approve it.
    • Only the board of directors should select and dismiss the compliance officer through strong, clearly defined terms.
    • The board should provide all necessary funds, staff and infrastructure to ensure that the compliance officer is able to fully implement the compliance program.
    • The board should receive direct, uncensored reports from the compliance officer and from senior management at least quarterly.

2. A visibly committed management team at all levels

  • Practise what you preach
    • Strong management should lead by example and show through their actions and active participation that complying with competition law is important.
    • Management should continuously learn about competition and marketing risks.
    • Management’s everyday actions should visibly uphold compliance and support programs that encourage compliance.
  • Incentivize compliance leadership
    • Management should create incentives promoting support of and leadership in the compliance program.
    • Management should convey the message that it is never acceptable for anyone in your organization to break the law.
    • When management does not do these things, employees could get the message that compliance is not important, which could increase the chances of risky behaviour.
  • Protect employees from retaliation
    • Build and implement strong protections for staff who report misconduct and cooperate in investigations.

3. A strong and effective compliance officer

  • Choose the compliance officer wisely
    • The compliance officer should have:
      • a senior, board-appointed management position
      • sufficient seniority, authority, credibility and independence to create and enforce a compliance program across the business
      • financial and human resources that fit your business’ size, industry and risk profile
      • the opportunity to participate in senior management decision-making
      • a role in discussions on performance evaluation and promotion of employees
      • knowledge of what is taking place within the business and the industry
      • the ability to properly assess the potential risks of noncompliance
      • unrestricted access to the business’s data, subject to applicable privacy laws
      • the ability to get answers for any questions or concerns about compliance and the law, but they do not need to be a lawyer
  • Make the compliance officer visible
    • Your people should know who this person is and how to get in touch with them or their team.
    • They should have a title that reflects the authority and level of their position, such as “Chief Compliance and Ethics Officer”.
  • Communicate often
    • The compliance officer should:
      • provide frequent updates to management (monthly or as often as needed), and should report at least quarterly to the board
      • also inform the board of directors about disciplinary action for breaches of the compliance program and potentially illegal conduct, including any allegations regarding senior managers.

4. Engaged employees

  • Involve the whole organization
    • Each employee at every level in the organization is accountable for participation in the compliance program. It should be clear that misconduct by anyone at any level in the organization will not be tolerated.
  • Empower business units and field offices
    • Except for very small companies, consider designating compliance liaisons or ethics ambassadors or champions in business units or field offices. These roles could be part time, based on the resources and size of the business.
  • Practise diversity and inclusion
    • There is a demonstrated link between diversity and compliance. Consider how to strengthen diversity and inclusion in your organization’s culture.

Diversity and inclusion

Recent research coordinated by the Organisation for Economic Co-operation and Development has studied the role of gender in competition. Some of the studies show that conspiracies are more likely to form in homogenous groups. They also show that traditionally male-dominated industries could be more prone to conspiracies than industries with a more diverse set of managers.

You can strengthen your organization’s compliance culture by taking steps to improve diversity and inclusion throughout your organization. These actions may include keeping diversity in mind when:

  • recruiting your compliance officer
  • appointing board members and senior management
  • recruiting and promoting employees at all levels of your organization

While the Competition Bureau’s focus is on competition, deceptive marketing and labelling issues, these actions may help you to do the right thing in all areas of the law.

If you’re a small business . . .

Organizations of all sizes should foster a culture of compliance. Some small businesses might not have a board of directors and a separate management team. The principles mentioned here still apply to the owners of the organization and its leaders.

You do not need to recruit a separate person as a compliance officer. Any person with authority and seniority in the organization can perform the role if they are aware of your business’ legal risks and know the compliance management steps needed to mitigate the risks. Senior management’s support for the compliance program is crucial for its success.

Businesses can be large or small; commitment is what makes the difference.

Assess your risks

What this means

All businesses, no matter their size, are likely to market products or services, or have contact with competitors. These activities can expose your business to serious risks. The nature and size of your organization could also make it susceptible to specific types of risks, like abuse of dominance. Your risk assessment will help you understand the risks that affect your specific business so that you can take steps to manage them.

Compliance with the law does not have to be a difficult task. Minimize the risk of non‑compliance by:

  • regularly assessing your risks to understand potential trouble areas
  • implementing a compliance program that addresses these risks
  • fostering a culture of compliance to proactively reduce those risks

Why it matters

Assessing your risks is one of the most important things you can do to prevent non-compliance. When you understand which parts of your business expose you to risk, you can effectively build and maintain a tailored program. Your program will then be stronger and more cost-effective.

However, risk assessment is not a one-time project. As your business and the market change, your risks will change too. If your compliance program does not recognize and address new risks as they emerge, it will become less effective in protecting you and your organization from non-compliance.

Tips on how to do it

The compliance officer should coordinate the risk assessment. Senior management should fully support the compliance officer in this task. Every department in your organization, including human resources, sales, marketing, legal, procurement, and information technology, should cooperate with the compliance officer and their team, and give them the information they need to understand all business operations and to identify risks.

If your business practices are particularly complex, consider getting a subject matter specialist – like a competition lawyer – to help your compliance officer.

Tips on how to assess your risks

  • Description of image – Tips on how to assess your risks

    The image is a diagrammatic representation of tips on how your organization can assess its risks.

    At the centre is the title ‘risk assessment’. There are three overlapping circles. Each circle represents one of the three elements of the assessment that the compliance officer should do:

    • Identify business areas and practices exposed to risk
    • Identify roles exposed to risks
    • Identify business changes that may lead to risk

To identify risks, the compliance officer should carry out a three-pronged assessment:

1. Identify business areas and practices exposed to risk

  • Do a cultural and environmental scan
    • Examine your organization’s culture, business and marketing practices, industry, competitors and interactions with them.
  • Examine your business units and regional offices
    • People outside of your headquarters could be aware of activities and developments that could affect your organization’s risks. If you have limited resources, think about which business units or regional offices are most likely to expose your business to risk and focus on them.
  • Understand the risks involved in your business practices
  • Think of what your people do in their personal time
    • Sometimes, the conduct of employees in their personal lives could also expose them and your organization to risk (for instance, using personal social media to promote your organization’s products).
  • Do not forget about third parties
    • Your organization should encourage third parties, such as those acting for your organization and trade associations, to address the risks associated with their operations. You could monitor the third party’s conduct and require that they have their own credible and effective compliance program.
  • Expect the unexpected
    • Flag any unusual circumstance or unique scenario that could lead your organization or others to break the law.

2. Identify roles exposed to risk

  • Identify the ‘At-risk roles’ - employees and managers exposed to legal risk
    • Employees with direct exposure to risk: certain employees and managers are more likely to face compliance risks due to the nature of their role (e.g., sales representatives, marketing department, human resources managers etc.)
    • Administrative staff: support staff who work with the employees in roles with direct exposure to compliance risks
    • Gatekeepers: employees in roles that can identify any wrongdoing, such as governance, legal, finance and audit
  • Tips to assess at-risk roles
    • Use job descriptions to assess risk factors for different positions.
    • When creating new roles, consider how they may be exposed to risk.
    • Revisit your assessment regularly, and whenever conditions change that could expose employees to new risk factors.

3. Identify business changes that may lead to risk

  • Conduct assessment regularly
    • Risks will change as your business and the market evolve, especially with the rapid changes brought on by digitalization.
    • Your compliance officer and senior management should conduct risk assessment routinely, and whenever circumstances change, to identify risks and assess compliance issues.
  • Review impactful changes to your business or in the market
    • Your compliance officer must monitor new risks arising from changes within and outside your business. They should develop an appropriate strategy to minimize those risks.
    • Changes in your business: New compliance risks may arise for your organization in many situations, such as when:
      • launching a new product
      • adopting new marketing strategies
      • entering a new geographic market
      • your business grows
      • reorganizing your business into a new business
      • reorganizing your existing business
      • adopting new technologies
      • changing an employee’s role
      • assigning new duties to specific positions
    • Changes in the market: Changes in the market may also affect your risks, such as:
      • new regulations
      • mergers or changes in ownership of competitors, suppliers or customers
      • development of new technology
      • changes in the law
      • decisions of courts and tribunals
      • the Competition Bureau’s enforcement policies

If you’re a small business . . .

Smaller businesses should also carry out a risk assessment. You do not need to recruit a separate person to perform this task. Any person with authority and status in your organization who is aware of your business’ legal risks and knows the compliance management steps needed to mitigate the risks can do the assessment.

You can apply the principles in Core principles of a credible and effective compliance program to your operations and available resources. Also, consider reaching out to your trade association or local chamber of commerce for resources, workshops or seminars on risk assessment.

Implement tailored compliance policies, procedures and controls

What this means

Each business is unique. Your compliance policies should be too. There are no ready-made solutions to ensuring compliance. Your policies must be tailored to your operations, risk profile and the tasks your employees do every day.

Compliance policies spell out your organization’s expectations of your employees and your organization’s leadership. They should include standards such as a code of conduct and organizational policies.

Procedures and controls are systems designed to help your employees and your organization avoid breaking the law. The procedures should be customized to mitigate the specific risks faced by your organization that you would have identified in your risk assessment.

Policies

Examples:

  • core values of the organization
  • code of business conduct
  • general do’s and don’ts for staff

Procedures and controls

Examples:

  • internal controls to prevent possible misconduct (for example, approvals to participate in trade associations, procedures for vetting marketing campaigns)
  • mechanisms to report possible illegal activity or risky behaviour anonymously
  • protocol to be followed in case of possible illegal activity

Why it matters

Maintaining compliance policies, procedures and controls is an ongoing commitment that is critical to the effectiveness of your compliance program. Without proper policies, procedures and controls, your compliance program will not be set up to actually prevent and detect potentially illegal activity and risky behaviour.

Tips on how to do it

Tips on how to implement tailored compliance policies, procedures and controls

  • Description of image – Tips on how to implement tailored compliance policies, procedures and controls

    The image is a diagrammatic representation of tips on how to implement tailored compliance policies, procedures and controls. The important steps are:

    First, design
    • Tailor to your business and risks
    • Update regularly

    Second, implement compliance policies, procedures and controls

    Third, communicate
    • Document in simple language
    • Notify your employees and third parties
    • Publish on website

1. Design

  • Design specifically for your business
    • Tailor your compliance policies, procedures and controls to the operations of your business.
  • Learn from your risk assessment
    • Design policies, procedures and controls for your different business units and regional operations based on their specific risks that you have identified (for instance, a list of dos and don’ts and “red flag” issues).
  • Update your measures
    • Implementing compliance policies, procedures and controls is an ongoing activity. Monitor risks regularly and update your compliance policies, procedures and controls to factor in changes to your risk profile.

2. Implement

  • Enforce your policies, procedures and controls
    • The compliance officer should check regularly that your policies, procedures and controls are properly implemented.

3. Communicate

  • Document your compliance program
    • Draft your compliance policies, procedures and controls clearly. Think about the jargon and languages best understood by your employees. Use plain language where possible.
  • Communicate with your employees and agents
    • Communicate your policies, procedures and controls to your employees and make sure they are understood, as well as to any third parties acting on behalf of your organization.
    • Notify employees and third parties acting on behalf of your organization promptly of any updates to the compliance program. For major updates, consider holding special training sessions for your employees.
  • Publish your code of conduct
    • Consider publishing your code of conduct on your organization’s website. This will help third parties such as suppliers, service providers and customers dealing with your organization to understand your values and expectations.

If you’re a small business . . .

Small and medium-sized businesses can have simple yet effective compliance policies, procedures and controls without huge expense or overburdening their day-to-day operations. However, your entire organization has to make a serious commitment towards compliance.

You do not have to create a separate compliance program for competition law. You could simply factor competition law risks into your existing compliance program.

If you do not have adequate resources to create a compliance program in-house, trade associations might be able to help you build compliance policies, procedures and controls. Also, many free or low-cost resources are available online to help you understand compliance best practices and how to apply them in your business.

Train and communicate

What this means

Everyone in your organization should know and understand what they need to do to operate within the law — from the board and senior leaders down to front-line staff. Employee and management training and compliance communication are critical for the effectiveness of any compliance program.

Why it matters

The main objective of a compliance program is to stop people from breaking the law. Employees and management alike need to understand what is acceptable business behaviour and what is unacceptable. They all should know what the law prohibits and the consequences of not following the law. Training employees and communicating your principles and program can help everyone be vigilant.

Regular communication with employees at all levels of your organization conveys your management’s commitment and support to build a culture of compliance.

Tips on how to do it

What to train on?

Your organization should choose training and communication methods based on your size and risks.

A credible and effective compliance program should include training on:

Tips on how to train and communicate

  • Description of image – Tips on how to train and communicate

    The image is a diagrammatic representation of tips on how to train and communicate. There are three hexagons which show the three important steps:

    Whom to train?
    • Senior executives
    • Managers
    • Staff
    • At-risk employees
    When to train?
    • New hires – at onboarding and before exposure to risk
    • At-risk roles – regular intervals
    How to train?
    • Relevant
    • Engaged
    • Well designed

Who should be trained?

Train all senior executives, managers and staff on your overall compliance program, especially the reporting system and code of conduct.

For those in at-risk roles, you should provide additional, mandatory training on competition and deceptive marketing issues. Include new people coming from competitors in training for people in at-risk roles.

You should not only train your full-time, permanent staff, but also:

  • employees who have joined your organization as secondees from other companies
  • temporary workers in at-risk roles

Be vigilant about third parties that your business deals with to minimize your exposure to risk. These third parties could include:

  • employees of service providers
  • dealers, distributors and contractors
  • any person who a third party might believe represents your organization

When should they be trained?

New hires: New hires should complete training as part of their onboarding. They should not be exposed to risk until they have been trained and know what to do.

At-risk roles: Training on competition and deceptive marketing issues should be updated regularly.

Management support

Managers should always be highly visible in promoting compliance training to employees. This visibility creates a culture of accountability. To encourage everyone to take compliance seriously, managers should:

  • take the training themselves along with the employees
  • talk about the program in emails, meetings, presentations and other speaking engagements
  • firmly reject any action that could break the law
  • deliver training and communications along with compliance staff, if they are well versed in the law

How to train?

Effective compliance training and communication is:

Relevant – use real-life situations faced by your organization
  • Use illustrations
    • Give simple dos and don’ts to your people.
    • Use examples that directly relate to the work your organization and employees do.
    • Explain the consequences of non-compliance. Include real cases where people and companies paid the price for breaking the law.
    • Identify situations when employees should seek help.
    • Use practical and simple language in your communications.
  • Keep your staff up-to-date
    • Alert your employees in a timely way about new or changing compliance issues.

Engaging – involve your employees and management
  • Train in teams
    • If resources and expertise are available, you should train your employees in groups.
    • If you can, invite employees with similar roles and responsibilities to the same sessions to benefit from group work and shared insights. This may help employees see the link between the compliance policies and the practical situations they face at work.
  • Keep it lively
    • Provide plenty of time for interactive discussions and questions in the training sessions. Employees might use these discussions to raise issues that your organization needs to address.
    • Actively engage your audience during question-and-answer sessions.
    • Offer variety depending on the situation, for example:
      • small group seminars and discussions
      • practical do’s and don’ts
      • realistic business dilemmas
      • email alerts
      • apps, videos and gamification
      • in-person, online or blended training depending on your situation
      • workshops
Well-designed – tailor your mode of training and communication to your organization
  • Deliver training effectively
    • Bring in experts, such as your compliance officer or other legal or compliance experts.
    • Use trainers who know the law and are skilled at engaging a diverse group of employees using inclusive techniques.
  • Be consistent
    • Ensure that training and communication messages are consistent.
    • If your people are working remotely or in a hybrid environment, make sure the impact of your various training and communication methods is consistent.
    • If yours is a larger organization, you might need “train the trainer” programs too.
  • Be mindful of your audience
    • Consider the various needs of your audience, including language, cultural appropriateness, accessibility and learning styles.
  • Track attendance but also assess if your employees grasp the content
    • Keep a record of all employees who have completed training. This ensures you do not overlook individuals or work areas.
    • To see if your training is actually working, supervisors should regularly assess the knowledge and attitudes of employees toward compliance policies and procedures.
    • Consider asking the employees and managers in at-risk roles to certify in writing that they have read and understood the company’s programs, policies and procedures.
  • Build training into your performance reviews
    • Supervisors’ performance evaluations should include a review of the steps they took to ensure that their team members are trained.
    • Consider making training for employees in at-risk roles a mandatory element of their performance review.

If you’re a small business . . .

Training managers and employees and communicating the benefit of compliance to all employees does not have to cost a lot. You do not necessarily need to buy expensive learning management systems or hire an external lawyer to offer credible and effective compliance training.

For example, you could:

  • use time during all-staff meetings or informal gatherings to talk about how compliance is important
  • train your employees during team meetings
  • take advantage of free publications and compliance tools from the Competition Bureau.

Consider whether your industry or trade association offers or could develop compliance training resources.

Use effective reporting mechanisms

What this means

Anyone in your organization should feel that they can come forward and report anonymously without any fear of retaliation. This also applies to third parties, such as consumers, suppliers, contractors and distributors. An effective reporting system is an important part of a strong culture of compliance within your organization.

For your compliance program to work, you should develop confidential, secure and easy mechanisms to raise compliance concerns, and to ask and answer compliance-related questions.

  • A small reminder on what makes a compliance program credible and effective

    Your compliance program needs to be credible and effective to truly help you.

    To be credible, your program must at a minimum show your business’ genuine commitment to obeying the law and competing fairly.

    To be effective, your program must inform all your people, and those acting for your organization, that compliance is important. It must inform them of their legal duties and your internal compliance measures. It should also give you the tools to prevent and detect misconduct.

    Your program should be reasonably designed, implemented and enforced in the circumstances. This means that it addresses your organization’s risks within your resources and in light of your business activities.

Why it matters

Reporting is a vital yet delicate step in the compliance process. It ensures that your employees and third parties can provide timely and reliable information about risky behaviour or potentially illegal activity, or raise questions they might have.

Without a reporting system, your compliance program cannot be truly effective and credible. A reporting system can help you detect misconduct early. It can also give you valuable data that you can use to spot trends in compliance issues.

Overall, a strong system helps you show that your organization takes compliance seriously.

Tips on how to do it

Tips on how to have effective reporting mechanisms
  • Description of image – Tips on how to have effective reporting mechanisms

    The image is a diagrammatic representation of tips on how to have effective reporting mechanisms. This is a circular process with four elements which show the important steps to take:

    • Encourage a speak up culture
    • Create a formal reporting process
    • Respond to questions and concerns
    • Protect whistleblowers

For your reporting system to support a credible and effective compliance program, your organization should:

1. Encourage a speak-up culture

  • Employees and third parties dealing with your organization (such as customers, suppliers, contractors, distributors) should feel empowered to speak up, obtain advice, ask questions and report any compliance concerns.
  • Retaliation is a common reaction to criticism. Make managers aware of this risk. Through their words and actions, your management should reassure employees that no adverse action will be taken against people who report concerns.
  • Train your managers on how to respond to concerns effectively.

2. Create a formal reporting process

  • Clearly identify which actions should be reported, and when, how and to whom they should be reported.
  • Create reporting channels that are simple, safe, secure and confidential.
  • Adopt a system suitable to your size, operations and risk profile. Some examples include:
    • 24-hour helpline
    • confidential and anonymous feedback boxes
    • online reporting systems
    • designated legal counsel as a point of contact
    • a designated committee of the board of directors
    • the compliance officer
    • an independent system operated by a third party agency
  • Large businesses may want to consider having multiple reporting channels.
  • Share information about reporting mechanisms widely throughout the organization and make it known to all employees and appropriate third parties.

3. Respond to questions and concerns

  • Your organization should follow up on all reports, otherwise your reporting system will not be useful.
  • Your responses should be prompt, effective and adequate to meet the concern raised.
  • Provide feedback to those who report concerns in a timely manner so they know their report has been taken seriously, but with due respect for the privacy of all those involved.
  • Carry out appropriate investigations and take suitable action
    • The compliance officer should be empowered to coordinate a detailed, professional investigation of compliance issues and to take necessary steps to stop ongoing misconduct and prevent future problems.
  • When an investigation finds that the law was broken, act quickly and cooperate with the Competition Bureau fully.
  • Document the responsive actions you take.

4. Protect whistleblowers

  • To inspire confidence in the reporting system, all people reporting concerns should be protected from retaliation.
  • Retaliation is a serious and pervasive risk, so depending on the circumstances in your organization, consider treating retaliation as a separate risk area in your risk assessment.
  • Sensitize your managers to the fact that unfair criticism of a whistleblower is retaliation.
  • Your human resources department should advise the compliance team and/or senior management if it observes or hears about any retaliatory action taken or threatened against a whistleblower.
  • Investigate all complaints of retaliatory threats or actions.
  • Follow up on any findings of retaliation with strong disciplinary measures.
  • As far as possible, respect someone’s request for anonymity. However, be candid in explaining confidentiality and anonymity. You might have to disclose information in litigation. Work to protect personal information but recognize you cannot guarantee confidentiality.
  • People in at-risk roles should also be trained about the Competition Bureau’s Immunity and Leniency programs and whistleblowing initiatives.

If you’re a small business . . .

Small businesses do not have to spend a lot of money building complicated reporting systems. Below are a few tips to consider:

  • An anonymous reporting box or online reporting system can help.
  • Occasionally, the compliance officer can talk quietly with employees off-site and ask about any concerns. This does not replace an anonymous system, but can be very effective in identifying concerns and answering questions.
  • The organization’s external accountant or lawyer can be used as a contact for employees to report concerns.
  • Interviewing employees when they leave your organization (exit interviews) can also help in identifying concerns.

Monitor and audit compliance measures

What this means

Monitoring and auditing are tools to check for risky or potentially illegal activity. They can help you determine if your compliance program actually works in practice.

Monitoring is carried out proactively and in real time. Auditing may be periodic, ad hoc or event-triggered, and is done after events or activities have happened. Through monitoring and auditing, you can check whether your people are following your compliance policies, procedures and internal controls.

If you find any instances where the law might have been broken, do an internal investigation. Your investigation can help you decide what to do next.

Why it matters

Monitoring and auditing are fundamental to any credible and effective compliance program because they can help you understand if your program actually works in practice. For example, these practices can help you to determine whether your program was helpful in preventing illegal activity in a challenging situation. If you make it known within the organization that you monitor and audit, you can deter or discourage risky behaviour or potentially illegal activity.

Effective monitoring and auditing procedures can also help your business to identify:

Tips on how to do it

Tips on how to monitor and audit compliance measures
  • Description of image – Tips on how to monitor and audit compliance measures

    The image is a diagrammatic representation of tips on how to monitor and audit compliance measures. There are three elements which show the important steps to take:

    First element: Empower your compliance officer, by giving them

    • sufficient autonomy and resources
    • unrestricted access to records, personnel, etc.
    • the ability to conduct internal investigations and to take steps to stop and prevent misconduct

    Second element: Monitor regularly and audit as required, by

    • monitoring on an on-going basis depending on your operations and risks
    • auditing periodically or on suspicion of risky or illegal activity

    Third element: Use different methods suited to your organization, for example using planned and unannounced checks and data analysis. It is important to document monitoring and auditing efforts.

1. Empower your compliance officer

  • Monitoring and auditing activities should be coordinated by the compliance officer. The compliance officer and their team should be allowed to:
    • thoroughly inspect the implementation of compliance policies, procedures and controls
    • conduct a detailed, professional internal investigation of compliance issues
    • have unrestricted access to all records, data, locations and personnel
    • take necessary steps to stop ongoing misconduct and prevent future problems
  • Senior management should support the compliance officer in these duties. They should ensure the compliance officer has enough resources and autonomy to effectively monitor and audit.
  • Everyone in your organization should cooperate with the compliance officer and their team by providing necessary information and access to people, records and systems.

2. Monitor regularly and audit as required

  • Monitor on an ongoing basis, including reviewing and updating your policies and procedures to cover key risk areas for your business. You should determine the frequency of monitoring based on your particular business operations and risks.
  • Auditing should definitely be done when any risky or illegal activity is suspected. It can also be done at periodic intervals. When illegal activity is discovered, act quickly and cooperate with the Competition Bureau fully.

3. Use different methods suitable to your organization

  • A few examples of monitoring and auditing methods include:
    • Conducting occasional checks — both planned and unannounced — to audit compliance, including reviews of paper or electronic files.
    • Using data analysis to look for unusual patterns in pricing, market share, and sales figures. The results from data analysis can help you determine which people to interview in an internal investigation.
  • Document all compliance monitoring and auditing efforts thoroughly. For example, your records could support a due diligence defence in relation to certain types of deceptive marketing practices.

If you’re a small business . . .

Businesses of all sizes should monitor and audit compliance with the law. The process does not need to be complex or costly.

In fact, smaller teams can more easily monitor compliance efforts and audit compliance. For example:

  • To monitor compliance, a manager could “ride along” with a salesperson to see what they do on sales calls.
  • Auditing could include having a manager check out expense reports from employees in at-risk roles to see if there was contact with competitors.

Offer incentives and impose disciplinary measures

What this means

One of the best ways for you to communicate to your organization that compliance is important is to reward those who show leadership in this area. Having a policy that aligns your organization’s incentives with compliance shows your commitment to compliance. This has positive consequences for all your people who support this commitment.

Similarly, your policy should also prescribe disciplinary action for anyone who does not support compliance. This will clearly send a message that your organization will not tolerate misconduct by anyone at any level.

Why it matters

Rewards and disciplinary measures are powerful drivers of individual behaviour.

If your organization provides compliance-linked incentive plans and takes consistent compliance-linked disciplinary action, it shows that you are committed to compliance. For example, if managers or employees who engage in risky behaviour or potentially illegal activities get promoted, you will send the wrong message to your people. However, if managers and employees at all levels in your organization who encourage compliance and create an ethical work environment are rewarded, everyone will see that it is worth taking compliance seriously.

Real incentives and consistently applied consequences will help you make compliance a part of your culture, strengthening the credibility and effectiveness of your compliance program.

Tips on how to do it

Tips on how to offer incentives and impose disciplinary measures
  • Description of image – Tips on how to offer incentives and impose disciplinary measures

    The image is a diagrammatic representation of tips to offer incentives and impose disciplinary measures. Incentives and disciplinary measures go hand-in-hand.

    When incentivizing compliance, it is important to:

    • spell out incentives,
    • get creative,
    • reward individuals and teams,
    • link compliance leadership to performance evaluations, and
    • keep records of the actions taken.

    When disciplining misconduct, it is important to:

    • spell out consequences,
    • take appropriate action,
    • be consistent at all levels,
    • get HR support, if necessary, and
    • keep records of the actions taken.

Your compliance policy only records your organization’s commitment to compliance. Depending on how your organization works, your human resources department may have to design and implement the actual incentives and disciplinary measures.

1. Incentivize compliance leadership

  • Clearly spell out the incentives for encouraging compliance
    • Incentivize managers and employees who demonstrate compliance leadership and foster an ethical work environment.
  • Be creative
    • Try different kinds of incentives, for example, appreciation letters, cash prizes, or promotions.
    • Try targeting teams with your incentives. For example, instead of giving incentives to an employee, reward every member of a team for achieving a goal, such as completing training.
  • Make compliance part of career advancement
    • Before giving promotions, review the person’s commitment to compliance leadership and check with the compliance officer on pending investigations or violations.
    • Give your compliance officer a say in promotions and identification of high-performing and senior employees and managers.
    • Treat your compliance department employees well. For example, having this function be a path to promotion can clearly communicate to other employees that compliance is an important job.
  • Consider linking compliance leadership to performance evaluations, promotions and bonuses
    • Include compliance in your 360 degree reviews of your people. These are reviews that include colleagues of an individual who are above, below and at peer level.
    • If you have a board-level compensation committee, have leadership in compliance and ethics as a factor in assessments of top executives.
    • Treat compliance awards at least on par with other awards in your organization.
    • Review the effect of all your incentives. They should not encourage people to take short cuts or break the rules.
  • Keep records
    • Document everything related to incentives. Your records could be relevant in case of an internal or external investigation.

2. Discipline misconduct

  • Have a clear policy of appropriate discipline for
    • misconduct by anyone in your organization, including the highest-level executives
    • not following the compliance program
    • retaliation against whistleblowers
    • managers failing to take reasonable steps to prevent or detect misconduct
    • managers who do not initiate or impose appropriate disciplinary action
  • Take appropriate action
    • Consequences could include warning, suspension, holding back a promotion, demotion, dismissal or even legal action.
    • Disciplinary measures should be proportionate to the wrong committed.
  • Be consistent
    Consequences should apply to people at all levels, including
    • employees and managers who break the law
    • managers who ignore risky behaviour or potentially illegal activity or who see and fail to report them
    • senior leaders
  • Keep records
    • Document everything related to discipline. Your records could be relevant in case of an internal or external investigation.

If you’re a small business . . .

Small businesses can easily align incentives with a commitment to compliance and set out penalties for misconduct. Incentives do not need to cost your organization a lot of money. Even small actions show your seriousness about compliance. For example, these can include recognition from the leader of the organization, or a note about the employee in your internal newsletter.

To convey a strong pro-compliance message, you can also consider more substantial recognition for employees who go above and beyond when it comes to your organization’s commitment to compliance.

Make sure that your overall incentive systems and staff promotions do not undermine this commitment.

Evaluate your program and revise your compliance measures

What this means

New business risks emerge all the time. So you need a compliance program that can keep up. The only way to be sure your program is working effectively is to evaluate it regularly and, if necessary, revise your compliance measures.

When you evaluate your program, you should touch on three areas:

  • Design. You should ensure that the design of your compliance program addresses all of the principles in Core principles of a credible and effective compliance program.
  • Implementation. You should also ensure that your compliance program is fully implemented.
  • Impact. You should check to make sure it actually works in practice.

Why this matters

Regular evaluation of the effectiveness of your compliance program can help you confirm whether the money and resources you spend on a compliance program have in fact mitigated the risks your organization faces.

Evaluation can help in checking whether:

The results of an evaluation should guide how you revise your compliance program to keep it effective and up-to-date.

Finding areas in your compliance program that need improvement and taking steps to revise them are not signs of failure. They are a normal part of any management review. It is not very credible to claim that you have never made a change because everything was always perfect.

Tips on how to do it

Who will evaluate?

The compliance officer should have the authority and necessary resources to coordinate the evaluation process at regular intervals. They should use appropriate methods to get accurate information. They should be allowed to make necessary changes to the compliance program.

When to evaluate?

Evaluate your compliance program at regular intervals. In addition to periodic review, you should review the parts of your compliance program that might be affected when there are business changes that can lead to risk or when you spot a gap in the existing program.

You can choose different methods to evaluate your program, depending on what you are evaluating and the goals you have identified for the assessment.

Based on the result of your reviews, make improvements quickly.

What to evaluate?

Tips on how to evaluate your program
  • Description of image – Tips on how to evaluate your program

    The image is a diagrammatic representation of tips on how to evaluate your program.

    This is an iterative, circular process. There are three phases to take into consideration when evaluating your compliance measures:

    Design: it is important to

    • evaluate each part of your program,
    • look at the program’s overall design, and
    • review your compliance governance structure.

    Implementation: it is important to

    • check whether all parts of your program are rolled out, and
    • review resources for compliance.

    Impact: it is important to

    • evaluate whether your people actually follow your program,
    • check how your reporting mechanisms are working, and
    • assess your culture of compliance.

For your compliance program to be credible and effective, you should evaluate:

Design – is your compliance program designed according to the principles in this guidance?
  • Evaluate the design of each part of your compliance program — cover all the principles of compliance discussed in Core principles of a credible and effective compliance program.
  • Determine the effectiveness of your compliance program’s overall design.
  • Determine whether the governance structure for your compliance function suits the overall structure of your organization, especially when there are changes to your organization.
Implementation – is your compliance program fully rolled out?
  • Determine whether all elements of the program have been effectively rolled out.
  • Assess whether the resources you have provided to your compliance officer are sufficient to actually implement your program.
Impact – does your compliance program actually work in practice?
  • Evaluate whether or not management, employees and others are actually following your compliance program.
  • Determine whether your reporting mechanisms or other parts of your program have actually identified risky behaviour or potentially illegal activity and allowed you to address them early and effectively.
  • Understand the impact of your compliance program on the overall culture of your organization.

How to evaluate?

These are some examples of methods to evaluate your compliance program:

  • Surveys
    • regularly examine your employees’ attitudes, beliefs and knowledge about the law and your compliance procedures
    • consider seeking input from third parties dealing with your organization, such as contractors and customers
  • Post-training follow-up meetings
  • Focus groups
  • Exit interviews of employees including senior individuals
  • Tests of reporting and verification tools with simulated violations
  • Audits
  • Monitoring
  • Closer scrutiny of particular business units or locations that have presented a history of compliance risks in the past
  • Analysis of data from your compliance controls and from relevant business functions (for example, sales, pricing and marketing)
  • Test calls to your helpline
  • Peer reviews and benchmarking with international standards or comparable organizations, in accordance with competition law and the Competition Bureau’s guidance on competitor collaborations and wage-fixing and no-poaching agreements
  • Reviews of external compliance news for new potential compliance best practices
  • Occasional review of your compliance program and the performance of your compliance officer by independent third parties who report directly to the board of directors (or the highest governing authority in your organization)

If you’re a small business . . .

Evaluating your program and updating compliance measures does not have to be costly. Program evaluation can be carried out internally by your organization. Consider whether your industry or trade association can act as a forum to share compliance best practices.

Important notice: Because every situation presents unique facts, the information set out herein is provided for general information only. This content is not a substitute for legal advice, nor is it a binding statement of the Commissioner of Competition’s position on the requirements or efficacy of any particular compliance program. Indeed, there is no one-size-fits-all approach when it comes to achieving credible and effective compliance.