
How to develop an effective compliance plan

Author: Li Zongtai & Lin Shaoqing 2023-07-28

Developing a compliance plan is the first element of a company’s compliance efforts. When devising such plans, enterprises must take into account their nature, industry affiliation and business focus to tailor specific compliance strategies.

Many companies just initiating compliance plans may encounter challenges, risking operational inefficiencies and exposing themselves to multiple compliance risks. Therefore, in tandem with formulating a compliance plan, it is essential to establish a well-suited compliance management mechanism based on the various types of risks the enterprise faces.

There are four key areas on which enterprises can focus when developing an effective compliance plan.

1. Develop a compliance charter. Nestlé leads by example. In a case of infringement of citizens’ personal information by employees, Nestlé submitted to the court its compliance charter and corresponding articles of association, together with other compliance documents.

These eventually convinced the court that the employees’ actions were personal acts, and that Nestlé had established an effective compliance management system and fulfilled its compliance management obligations, proving the company did not bear criminal liability.

A compliance charter plays a crucial role in ensuring the effectiveness of compliance plans and should be given the same status as the articles of association. It should set out the basic philosophy, fundamental principles and operational framework of a company’s compliance and have a binding force on all departments and employees of the company, including the board of directors and executives, as well as branches and departments.

2. Establish a compliance organisation system. A compliance organisation system serves as the organisational guarantee for implementing a compliance plan and is a crucial element. Typically, a complete compliance organisation forms a top-down, vertically led system comprising four main components: a compliance management committee, chief compliance officer, compliance department and compliance officers.

To ensure smooth functioning of the compliance organisation system, the principle of independence should be followed in its construction, ensuring that no conflict of interest arises either among members of the organisation or between the organisation and the business and financial management activities of the enterprise.

During operation of the organisation, the principle of effective communication should be upheld. This involves transmitting instructions from the compliance management committee both upwards and downwards, and facilitating compliance officers in conveying their opinions to the committee.

Additionally, enterprises should allocate appropriate resources – such as qualified compliance professionals and adequate compliance funding – to the compliance department to ensure that sufficient human and material resources are invested.

3. Improve compliance policies. The compliance policy serves as the substantive law within a compliance plan. It should encompass key aspects of compliance including the compliance concept, management framework, specific compliance regulations, and operational guidelines for different departments, covering management standards and codes of conduct for every aspect of business operations, and providing precise guidance to employees engaging in compliance work.

For instance, in the area of anti-bribery compliance, companies should translate relevant provisions from national administrative regulations and criminal laws on bribery into specific policy clauses. These clauses should further refine applicable situations and provide detailed guidelines for various activities such as hospitality, travel, business promotion, partner selection, expense reimbursement, and third-party oversight.

By incorporating all relevant prohibitions from administrative and criminal laws into internal regulations, compliance policies allow employees to understand behavioural norms and boundaries without needing to consult national laws.

4. Standardise compliance implementation procedures. It is essential to design three key implementation procedures when developing a compliance plan: a compliance risk prevention system, non-compliance monitoring system, and non-compliance response system.

The compliance risk prevention system, also known as a precautionary system, aims to proactively address potential risks within the company. It comprises four components: compliance assessment, due diligence, compliance training and internal policy communication.

Compliance assessment should be conducted to investigate and evaluate the risk points and key areas of corporate compliance. Due diligence should be carried out specifically to investigate whether there are any irregularities or risks to the client.

The general non-compliance monitoring system, also known as in-process control, comprises three specific requirements: full process compliance monitoring, reporting system, and compliance auditing.

Full process compliance monitoring demands strict surveillance at every stage of operations.

An internal reporting system should be established so that employees can report any violations in real time, preventing further damage from non-compliant behaviour.

Finally, companies should implement compliance auditing systems to conduct specialised or regular audits on key personnel, leveraging auditing as a means of compliance monitoring.

The non-compliance response system is the mechanism in place to address non-compliant behaviour after it occurs. Once such behaviour is detected or discovered, companies become subject to investigations by external regulatory and law enforcement agencies.

To avoid facing more severe investigations and penalties resulting from blind or improper responses such as destruction or falsification of evidence, companies should establish an internal professional response mechanism.