Regulatory compliance: Best practices to meet the updated guidelines

March 21, 2022


In 2019 and 2020, the U.S. Department of Justice (DOJ) updated its guidance for evaluating corporate compliance programs. And in 2021, the EU Whistleblower Protection Directive became binding on companies based in or with a presence in the European Union. Recent years have seen a marked increase in regulatory requirements: the legal standards companies must meet for corporate compliance and whistleblower protection.

So, how do companies ensure that they are checking all of the boxes—and that their employees are actually inspired to maintain ethical behavior? Explore these topics below. 

The importance of regulatory compliance

Meeting regulatory requirements (and going beyond them where you can) ensures that your company has sufficient protections in the event of misconduct. Doing at least the minimum required by regulators can help you:

  • Avoid hefty fines and fees 
  • Minimize internal and external risk levels 
  • Protect your corporate reputation among employees, stakeholders, consumers, and the general public

Furthermore, fostering a culture of compliance can help minimize the likelihood of any foul play in the first place. Operating with trust, transparency, and humanity will help employees feel more comfortable speaking up and sharing their concerns with you.

Regulatory compliance in the U.S.

In recent years, regulations have begun placing more emphasis on the quality and design of a compliance program—along with the resources, support, and information provided to employees. Let’s explore these updated guidelines.

DOJ guidance for corporate compliance programs

The DOJ’s latest guidance on compliance programs came in 2020. It asks three questions of any corporate compliance program: Is it well designed? Is it applied earnestly and in good faith, with adequate resources and authority? Does it actually work in practice to prevent and detect wrongdoing? Answering these well means employees are informed of their rights and of the expectations they must adhere to, and it also gives the company a documented record to point to if misconduct is ever investigated.

Additionally, the DOJ now expects companies to present policies in a searchable, trackable format. The purpose of these requirements is twofold: searchability makes it easier for employees to review policies that are relevant to their day-to-day tasks, while the ability to track views and clicks ensures your compliance department can measure what policies employees are engaging with—and what policies are being ignored. 

Common policies that cover legal requirements include (but are not limited to): equal opportunity and non-discrimination; anti-bribery; gifts, travel, and entertainment; electronic communications and internet usage; work health and safety; and more. 

The Federal Sentencing Guidelines for Organizations (FSGO)

The FSGO, introduced in 1991 as Chapter Eight of the U.S. Sentencing Guidelines, govern how federal courts sentence organizations convicted of offenses, including offenses committed by an individual employee acting on the organization’s behalf. Their purpose is to sentence organizations consistently and to give them a strong incentive to prevent, detect, and report misconduct.

However, in line with the DOJ guidance, an organization that can demonstrate an effective compliance and ethics program earns a lower culpability score, and therefore a reduced fine. This includes ensuring the proper policies and codes of conduct are in place, providing communications and training, and regularly measuring and auditing the compliance program. In addition, proof of a whistleblower helpline that allows for anonymity and a system that prevents retaliation help round out an effective program.

The bottom line, per the FSGO: establishing the proper protocols and prioritizing your program can only help you and your employees, so it should be a no-brainer for companies to go beyond the basic requirements.

Sarbanes-Oxley (SOX)

The Sarbanes-Oxley Act (otherwise known as SOX) was passed in 2002 to govern financial recordkeeping and, as a result, reduce the chances of fraud and misconduct. 

Under SOX (Section 406), public companies must disclose whether they have adopted a code of ethics for senior financial officers (and, if not, why), make that code publicly available, and promptly disclose any changes to or waivers of it.

While the act does not specify exactly which content or form the code of conduct should take, potential relevant policies may pertain to: 

  • Protection of company assets and intellectual property 
  • Use of company computers and equipment 
  • Insider trading 
  • Conflicts of interest 
  • Gifts, travel, and entertainment 
  • Confidentiality

The requirements put in place under SOX set a powerful precedent and paved the way for future guidance. 

Regulatory compliance in the EU

Similar to the United States, the European Union (EU) has shifted its focus toward whistleblowers in recent years. In effect, new guidelines have placed more emphasis on the company’s responsibility to protect the individual and prevent wrongdoing. 

The EU Whistleblower Protection Directive

Adopted in 2019 and due for transposition into national law by 17 December 2021, the EU Whistleblower Protection Directive covers public-sector bodies and private employers with 50 or more workers headquartered or operating in any EU Member State.

The Directive requires companies to set up an internal reporting channel that allows a worker to submit a named report (whether anonymous reports must also be accepted is left to each Member State), and to report locally (at the subsidiary level) or centrally (at the parent level).

One of the main focuses of the Directive is information. The Directive requires companies to make information on whistleblowing available to a wide variety of people, including direct employees of the organization as well as contractors, subcontractors, temporary workers, and other third parties. The Directive has also broadened the scope of what types of reports are protected under the Directive, encompassing at least 12 categories from financial misconduct to public health and safety. 

GDPR and other regulations

The General Data Protection Regulation (GDPR) holds companies to stringent standards in how they handle, store, process, protect, and share data. Thus, companies must have data protection and privacy policies in place and ensure those handling data are fully aware of how to operate ethically. 

The EU also expects companies to have policies pertaining to corporate social responsibility (CSR) and to corporate law and governance.

Making compliance content most effective

While providing pages and pages of legalese policies for employees to sort through does fulfill regulatory requirements, the fact is that most people won’t absorb these kinds of hefty, traditional documents. And if employees don’t engage with your content, is your compliance program meeting the DOJ’s definition of “effective”? Ideally, your compliance content won’t go unnoticed: it will be effective, engaging, and accessible to employees. With that in mind, here are some ways to increase your program’s effectiveness.

  • Make your compliance content interactive and accessible. Turn your static paperwork into living, breathing documentation. Convercent by OneTrust’s Interactive Code of Conduct translates your code of conduct into a dynamic format, making it easier for employees to absorb and engage. Putting codes and policies in terms that employees understand can assist in making information more digestible and relevant.
  • Benchmark your compliance program. Digitizing your platform is an easy way to begin collecting data—and then benchmarking it over time. From seeing what policies employees are most engaging with to reporting trends, digging into the data will help you identify blind spots, iterate, and improve over time.
  • Update policies, procedures, and training regularly. Don’t just wait until laws and regulations change to update your compliance content and program. Your company is constantly evolving, and so should your policies. Using a dynamic policy manager like OneTrust’s enables you to test and track what is working, and easily deploy updates and introduce new policies.
  • Build a culture that empowers employees to speak up. Having a speak-up culture doesn’t necessarily mean nothing will ever go wrong. But developing a culture where employees have buy-in, are comfortable raising concerns, and feel like they are seen and heard is completely invaluable. In turn, you’ll be better informed of potential issues within the organization and can investigate before they spiral out of control. 

The bottom line is that complying with regulations already puts you a step ahead, but looking beyond the traditional approach and checking additional boxes can really take your program the extra mile. OneTrust is here to help you navigate the ever-evolving landscape with the Ethics Cloud, a comprehensive solution that empowers you to manage your entire ethics and compliance program in one place. 
