Creating a Corporate Environmental Compliance Program

[Originally posted several weeks ago]

Inordinate attention is often given to the DOJ Criminal Division guidance, “Evaluation of Corporate Compliance Programs”, as the sole standard or benchmark for compliance programs. It provides valuable criteria, but it might be an inadequate standard to “hang your hat on” alone.

The DOJ guidelines focus on preventing “misconduct” in the context of criminal actions. They are skewed toward avoiding criminal prosecution. The more common environmental compliance risk, administrative enforcement by an agency, is not covered.

With a focus limited to criminal enforcement risks, one might conclude the goal is only to protect senior leaders from prosecution. The fiduciary duty to shareholders may warrant a broader compliance focus to include administrative enforcement risks.

The DOJ guidelines provide useful compliance criteria including the following:

- The environmental compliance program must be based upon a risk management program focusing greater attention and resources on the highest ranked risks. Is a shared Enterprise Risk Management system used to make business, operational, compliance monitoring, and audit focus decisions? Is the risk management system driven by data? Are risk assessments regularly updated? If the answer to any of these questions is “no”, the compliance program may fail to satisfy the risk management criteria.
- Company procedures should be aligned with the risk management system.
- Compliance training must be driven by the risk management system.
- An anonymous internal compliance reporting system is essential.
- The company must conduct effective compliance investigations with a process for ensuring accountability for the response to any findings or recommendations.
- The company must perform gap analysis to determine whether compliance risks are addressed in policies, procedures, controls, and training.
- Is the company’s compliance program adequately resourced and empowered?
- How often does the company measure its compliance culture?
- The company must conduct root cause analysis of non-compliance events (audits, investigations, gap analysis, etc.) with timely remedial actions.

To mitigate environmental administrative enforcement risks, we must look to EPA and state policies for calculating penalties. Factors can include:

- Seriousness of the violation(s)
- Degree of culpability and standard of care
- Efforts to minimize or mitigate the noncompliance
- History of prior violations
- The violator’s ability to pay a penalty
- Any economic benefit to the violator from the violation

Administrative penalty factors provide additional insights on creating a corporate compliance program. They demonstrate the importance of adequate management systems that establish an appropriate standard of care and ensure quick mitigation of non-compliance. It’s about risk management.

How do you measure up?
