Corporate Culture

• Establish written standards, policies, and procedures that are updated as needed
• The written code of ethics should be clear, comprehensive, and easily accessible to employees for review
• Create an overall culture of compliance in the company’s day-to-day operations and through executive communication and training
• Conduct ongoing risk assessments, prioritizing high-risk areas
• The tone from the top should make compliance and risk management a strategic priority, emphasizing the importance of compliance and noting that everyone in the company shares in this responsibility and should take pride in the company's successes in this area
• Enforce the standards and polices consistently through appropriate disciplinary and enforcement mechanisms
• Executive management and organizational leadership should have specific compliance responsibilities
• Tie some of employee performance measurements to the business code of ethics and compliance standards
• Acknowledge and reward those employees who hold themselves to the highest ethical standards
• All managers should have an "open door" policy for reporting issues
• Specifically protect employees who, in good faith, report questionable behavior/activities and clearly state that retaliation will not be tolerated

Compliance Department

• Regularly review and update internal compliance programs and audit procedures to ensure they meet current standards
• Track access to policies and procedures to understand which ones attract the most attention from relevant employees
• Ensure policies and procedures include prohibiting retaliation
• Utilize monitoring, testing, and audit systems to assess and assure compliance with standards and policies on a continuous basis rather than a moment in time
• Chief Compliance Officer should have a direct reporting line to the Audit Committee of the BOD
• The compliance department should have the authority and backing of the Audit Committee of the BOD
• Consider whether the Chief Compliance Officer and General Counsel should be separate roles where the former does not provide purely legal advice to avoid potential issues related to attorney-client privilege

Document Retention Policies

• Implement a comprehensive policy that is audited regularly
• Include procedures for uniform and timely destruction of documents – both electronic and paper
• Apply the policy consistently and company-wide
• Compliance with the policy should be checked regularly
• Prepare litigation hold procedures with a pre-drafted litigation hold notice, which has certain sections that will be amended, as needed, for each particular circumstance, and other sections related to general policies and procedures that remain constant and uniform across all circumstances
• Determine trigger points for "anticipation of litigation" to suspend the routine retention policy and put in place litigation hold procedures to implement upon such triggers
• Consider when "sweep and collection" is necessary — as opposed to relying on employees retaining documents pursuant to a hold memorandum 
• Identify key roles within the company that should have data retention policies applied when the employee is terminated, switching roles, or leaving on their own accord

Internal Reporting Mechanisms

• Create user-friendly and easy to understand policies and procedures to encourage employees to report internally
• Include a hotline for anonymous, confidential reports of suspected violations to a neutral party (be mindful of privacy and data protection laws in various states that may prevent recording telephone calls) and ensure your employees are aware of it and feel comfortable using it
• Response procedures should include mechanisms for logging, evaluating, investigating, signing off on reports, and, importantly, advising complainants about the disposition of complaints
• Procedures should include protocols regarding who should be notified of complaints and procedures for addressing high-priority, time-sensitive complaints
• Procedures should establish what merits further investigation and ensure that investigations are objective, properly conducted, and properly documented
• If the allegation involves a serious potential violation of laws or regulations, retain outside counsel for an independent investigation on behalf of the company
• Keep the complaining employee informed of the status of the investigation, when appropriate and while maintaining privilege
• Establish direct lines of communication between the complaining employee and Human Resources to allow whistleblowers to raise any situations in which they perceive they are being treated inappropriately/retaliated against
• Document results, even if it is determined that a complaint is unsubstantiated, to create a detailed, objective report explaining how and why the conclusion was reached
• If the internal investigation finds credible evidence of a violation, consult outside counsel to consider self-reporting

Hiring

• Conduct background checks on all potential employees to ensure that they are not a litigation risk or previous relator
• Discuss the company’s positive compliance culture during the initial interview and assess the potential employee’s attitude toward corporate compliance

Employee Education

• Ensure that employees understand and have confidence in the fairness and effectiveness of internal compliance procedures for reporting allegations of misconduct
• Regularly educate employees about when, where, how, and to whom internal reporting can take place and how reports will be handled
• Provide employees with understandable and accurate information regarding whistleblower laws
• Regularly disseminate training materials and information and require employee acknowledgement
• Ensure employees are aware of the benefits of internal reporting, as a matter of company policy and under the relevant whistleblower laws
• Ensure employees are aware that anonymity of whistleblowers will be preserved to the extent possible
• To prevent retaliation or the perception of retaliation, directors, executives, managers, Human Resources, and compliance personnel should be educated on conduct that may constitute retaliation under Dodd-Frank and SOX

Dismissal

• Prior to dismissal, ensure that the company evaluates employees honestly and comprehensively in performance reviews
• Prior to dismissal, consult Human Resources and legal staff regarding any decisions involving compensation, performance reviews, and promotions
• Consult Human Resources and legal staff during every step
• Ensure similarly-situated employees are treated in the same fashion to ensure dismissal is non-retaliatory
• Document all steps taken to address employees who are being terminated, disciplined, or demoted to ensure that the rationale is not based on retaliation
• Conduct comprehensive exit interviews
• Mirror terminated employees’ hard-drive and retain for at least 6 months, and preferably 1 year