Several years ago Toronto-based insurance company Foresters found itself in a difficult situation. The Office of the Superintendent of Financial Institutions (OSFI), a government body that regulates federally incorporated financial institutions in Canada, had recently mandated that insurance companies comply with any Canadian legislation applicable to their businesses.

“OSFI didn't say insurance legislation,” said Stephen Cheeseman, assistant vice president and associate general counsel at Foresters. “It said any legislation that might impact your business.”

Facing the daunting task of sifting through thousands of pieces of legislation, Foresters' executives jumped into action. In the end, the company established a compliance program that was efficient and met OSFI's standards. Although the task was grueling and time consuming, for a Canadian company such as Foresters, it was all in a day's work.

“It's important to remember that the regulations in Canada are not the same as regulations in the U.S.,” said John Clifford, a partner at McMillan Binch Mendelsohn in Toronto. “We have different laws that often have more onerous compliance requirements that have to meet national and local needs of the company.”

In general, Canadian companies have to comply with far more regulations than their U.S. counterparts. As a result, Canadian companies are well versed in creating, structuring and implementing compliance programs. At a recent Martindale-Hubbell Counsel to Counsel session in Toronto titled “Corporate Counsel Best Practices: Models for Managing the Compliance Workload,” Foresters and a number of other Canadian companies shared their best practices for dealing with sweeping government regulations and what makes for good corporate governance.

“We are now in a world where it's just not enough for a company to make a lot of money,” said Francine Swanson, Q.C., senior legal counsel at BP Canada Energy Co. in Calgary, Alberta, president of the Canadian Corporate Counsel Association and a co-chair in the session. “Companies have to make a lot of money the right way.”

A Solid Foundation

For Foresters, creating a program that complied with OSFI's strict requirements relied heavily on structure. To accomplish its goal, senior management first had to determine which laws were relevant to Foresters' business.

“Rather than going through thousands of pieces of legislation, we took a broader look at each piece as it related to important aspects of the business,” said Cheeseman, a participant at the forum. “Then, from a risk matrix point of view, we had to figure out how to prioritize the compliance.”

For each piece of legislation the company determined was applicable to its business, senior management assigned someone within the organization to ensure compliance.

In the end, Foresters assigned 14 people, most at the senior management level, to oversee the compliance with various pieces of legislation. Those people report to the chief compliance officer, who reports to the board.

“While people knew there were laws around our business before we went through this, I don't think they were truly aware of the importance of compliance and the risks involved,” Cheeseman explained. “This has been an incredible exercise in awareness. It has really brought the compliance process into perspective for us.”

Experts at the session warned, however, that implementing a compliance program doesn't mean your work is over. Corporate behaviors are constantly coming under government investigators' microscope, and regulations are constantly in a state of flux. To safeguard their companies from investigation, senior managers must constantly test their internal controls and adjust their programs accordingly.

For example, Citibank recently restructured its compliance program to accommodate regulatory changes by focusing on risk aversion and ethics.

“Ethics is a new standard for which everyone in the organization is being held accountable,” said Charles Alexander, general counsel for Citibank Canada and a participant at the forum.

As part of its risk-aversion effort, Citibank implemented a policy it calls Risk Control Self Assessment (RCSA), a report in which business-group managers measure themselves against Citibank's corporate policies and any laws that are applicable to their businesses.

“That means when internal audit comes in, which they can do at anytime, the first thing they will ask to see is the RCSA,” Alexander explained. “If they find gaps or other problems with it, the manager responsible will be held accountable.”

Finally, Citibank's compliance team scheduled meetings at least once a week for at least one hour to compare notes and ensure everyone stays in the know about regulatory changes.

“Citigroup is no longer stamped with that Wild Wild West mentality anymore,” Alexander said. “It's an organization that is adhering to ethical standards, and we are pushing that through to all the employees.”

Training Days

For companies with a global reach, compliance is often tricky. Understanding the vast range of regulations that dictate the way a company conducts business on a global scale and ensuring it's in compliance with all of them is a cumbersome task. But many participants agreed that a companywide understanding of internal policies is the key to making it work.

One participant suggested global companies–especially those in regulated industries–create consistent training throughout the organization on all the varying compliance issues.

“Whether the company is in the Canadian market or anywhere else in the world, make it clear if they want to work for you, they have to abide by certain rules,” said the participant, who wished to remain anonymous.

Some global companies, for example, distribute handbooks throughout their organizations that outline appropriate behavior for everything from harassment polices and health and safety guidelines to media inquiries and gifts and entertainment. Oftentimes companies will have employees sign forms certifying they read and understand the policies. And most importantly, companies will continue to train and educate their employees on these compliance issues.

“When you educate your employees, they become part of the process,” said Amita Kent, vice president of legal affairs at Schering Canada, a division of Schering-Plough Corp., in Toronto and co-chair of the forum. “At the end of the day, we developed an action plan that really works for Schering-Plough worldwide.”

Swanson agreed.

BP Canada Energy makes its code of conduct easily accessible to its employees on its Web site. The code outlines the standards under which BP expects its employees to follow.

“We want them to be able to access it any time they need to,” Swanson explained. “The code of conduct is designed to help employees by providing clear guidance on what to do in particular situations, and examples are given. Everyone at BP is accountable for upholding the code's requirements. Failure to do so may be cause for disciplinary action or dismissal.”

Like Schering-Plough, BP requires employees to sign a form verifying they have read and understand the code. The company also provides extensive training to ensure employees fully understand the company's policies.

“If employees can't make or miss their scheduled training session, we will ensure they get to another training session being offered,” she said. “They may have to fly to another BP office for training. That's how important it is to us.”

A Smaller Scale

While companies in all industries are still struggling to implement effective corporate compliance programs, participants agreed there is no one-size-fits-all program. What works for Schering-Plough and BP may not work for smaller companies.

For example, Robert Kay, senior vice president and general counsel at KaralCo Corp., an Internet wholesale company, suggests small companies place the compliance onus on outside counsel.

“We empower outside counsel in various countries to be de facto compliance officers,” he said. “It's basically their responsibility to alert the head office about anything going on in their areas of compliance.”

Jennifer Babe, a partner in the Toronto office of Miller Thomson, agreed that this is a highly effective way for companies lacking a compliance officer to stay on the straight and narrow.

“A couple of my American clients who have no in-house counsel in Canada rely on me to provide them with the regulatory issues they need to know about,” she said. “It is very much a part of my job to make sure an in-house counsel is never embarrassed and to be totally aware of what is changing in the legal and regulatory environment. And it works well.”

In the end, participants agreed that each company requires its own unique compliance program. But they all believe there is one common thread among every successful corporate compliance program–support from the top.

“The moral compass of a company resides in the captain's cabin,” said Andrew Roman, partner at Miller Thomson in Toronto. “If you lose that moral compass, it's very easy to get lost, and it takes a lot of hard work to find your way back.”

Several years ago Toronto-based insurance company Foresters found itself in a difficult situation. The Office of the Superintendent of Financial Institutions (OSFI), a government body that regulates federally incorporated financial institutions in Canada, had recently mandated that insurance companies comply with any Canadian legislation applicable to their businesses.

“OSFI didn't say insurance legislation,” said Stephen Cheeseman, assistant vice president and associate general counsel at Foresters. “It said any legislation that might impact your business.”

Facing the daunting task of sifting through thousands of pieces of legislation, Foresters' executives jumped into action. In the end, the company established a compliance program that was efficient and met OSFI's standards. Although the task was grueling and time consuming, for a Canadian company such as Foresters, it was all in a day's work.

“It's important to remember that the regulations in Canada are not the same as regulations in the U.S.,” said John Clifford, a partner at McMillan Binch Mendelsohn in Toronto. “We have different laws that often have more onerous compliance requirements that have to meet national and local needs of the company.”

In general, Canadian companies have to comply with far more regulations than their U.S. counterparts. As a result, Canadian companies are well versed in creating, structuring and implementing compliance programs. At a recent Martindale-Hubbell Counsel to Counsel session in Toronto titled “Corporate Counsel Best Practices: Models for Managing the Compliance Workload,” Foresters and a number of other Canadian companies shared their best practices for dealing with sweeping government regulations and what makes for good corporate governance.

“We are now in a world where it's just not enough for a company to make a lot of money,” said Francine Swanson, Q.C., senior legal counsel at BP Canada Energy Co. in Calgary, Alberta, president of the Canadian Corporate Counsel Association and a co-chair in the session. “Companies have to make a lot of money the right way.”

A Solid Foundation

For Foresters, creating a program that complied with OSFI's strict requirements relied heavily on structure. To accomplish its goal, senior management first had to determine which laws were relevant to Foresters' business.

“Rather than going through thousands of pieces of legislation, we took a broader look at each piece as it related to important aspects of the business,” said Cheeseman, a participant at the forum. “Then, from a risk matrix point of view, we had to figure out how to prioritize the compliance.”

For each piece of legislation the company determined was applicable to its business, senior management assigned someone within the organization to ensure compliance.

In the end, Foresters assigned 14 people, most at the senior management level, to oversee the compliance with various pieces of legislation. Those people report to the chief compliance officer, who reports to the board.

“While people knew there were laws around our business before we went through this, I don't think they were truly aware of the importance of compliance and the risks involved,” Cheeseman explained. “This has been an incredible exercise in awareness. It has really brought the compliance process into perspective for us.”

Experts at the session warned, however, that implementing a compliance program doesn't mean your work is over. Corporate behaviors are constantly coming under government investigators' microscope, and regulations are constantly in a state of flux. To safeguard their companies from investigation, senior managers must constantly test their internal controls and adjust their programs accordingly.

For example, Citibank recently restructured its compliance program to accommodate regulatory changes by focusing on risk aversion and ethics.

“Ethics is a new standard for which everyone in the organization is being held accountable,” said Charles Alexander, general counsel for Citibank Canada and a participant at the forum.

As part of its risk-aversion effort, Citibank implemented a policy it calls Risk Control Self Assessment (RCSA), a report in which business-group managers measure themselves against Citibank's corporate policies and any laws that are applicable to their businesses.

“That means when internal audit comes in, which they can do at anytime, the first thing they will ask to see is the RCSA,” Alexander explained. “If they find gaps or other problems with it, the manager responsible will be held accountable.”

Finally, Citibank's compliance team scheduled meetings at least once a week for at least one hour to compare notes and ensure everyone stays in the know about regulatory changes.

“Citigroup is no longer stamped with that Wild Wild West mentality anymore,” Alexander said. “It's an organization that is adhering to ethical standards, and we are pushing that through to all the employees.”

Training Days

For companies with a global reach, compliance is often tricky. Understanding the vast range of regulations that dictate the way a company conducts business on a global scale and ensuring it's in compliance with all of them is a cumbersome task. But many participants agreed that a companywide understanding of internal policies is the key to making it work.

One participant suggested global companies–especially those in regulated industries–create consistent training throughout the organization on all the varying compliance issues.

“Whether the company is in the Canadian market or anywhere else in the world, make it clear if they want to work for you, they have to abide by certain rules,” said the participant, who wished to remain anonymous.

Some global companies, for example, distribute handbooks throughout their organizations that outline appropriate behavior for everything from harassment polices and health and safety guidelines to media inquiries and gifts and entertainment. Oftentimes companies will have employees sign forms certifying they read and understand the policies. And most importantly, companies will continue to train and educate their employees on these compliance issues.

“When you educate your employees, they become part of the process,” said Amita Kent, vice president of legal affairs at Schering Canada, a division of Schering-Plough Corp., in Toronto and co-chair of the forum. “At the end of the day, we developed an action plan that really works for Schering-Plough worldwide.”

Swanson agreed.

BP Canada Energy makes its code of conduct easily accessible to its employees on its Web site. The code outlines the standards under which BP expects its employees to follow.

“We want them to be able to access it any time they need to,” Swanson explained. “The code of conduct is designed to help employees by providing clear guidance on what to do in particular situations, and examples are given. Everyone at BP is accountable for upholding the code's requirements. Failure to do so may be cause for disciplinary action or dismissal.”

Like Schering-Plough, BP requires employees to sign a form verifying they have read and understand the code. The company also provides extensive training to ensure employees fully understand the company's policies.

“If employees can't make or miss their scheduled training session, we will ensure they get to another training session being offered,” she said. “They may have to fly to another BP office for training. That's how important it is to us.”

A Smaller Scale

While companies in all industries are still struggling to implement effective corporate compliance programs, participants agreed there is no one-size-fits-all program. What works for Schering-Plough and BP may not work for smaller companies.

For example, Robert Kay, senior vice president and general counsel at KaralCo Corp., an Internet wholesale company, suggests small companies place the compliance onus on outside counsel.

“We empower outside counsel in various countries to be de facto compliance officers,” he said. “It's basically their responsibility to alert the head office about anything going on in their areas of compliance.”

Jennifer Babe, a partner in the Toronto office of Miller Thomson, agreed that this is a highly effective way for companies lacking a compliance officer to stay on the straight and narrow.

“A couple of my American clients who have no in-house counsel in Canada rely on me to provide them with the regulatory issues they need to know about,” she said. “It is very much a part of my job to make sure an in-house counsel is never embarrassed and to be totally aware of what is changing in the legal and regulatory environment. And it works well.”

In the end, participants agreed that each company requires its own unique compliance program. But they all believe there is one common thread among every successful corporate compliance program–support from the top.

“The moral compass of a company resides in the captain's cabin,” said Andrew Roman, partner at Miller Thomson in Toronto. “If you lose that moral compass, it's very easy to get lost, and it takes a lot of hard work to find your way back.”