Since the enactment of Law 12.846/13 – The Anti-Corruption Law early last year, a great deal has been printed and stated about the impacts of this new legal edict with respect to business activities. In tandem with this, for over a year now, the newspapers have bombarded us with headlines about corporate scandals involving Brazilian companies in the most diverse sectors.

The need for professional and updated management in accordance with the best practices in terms of governance, risk management and compliance is no novelty in the business environment. Companies and organizations are already proactive in striving for compliance with specific laws and regulations, according to their line of business. This is indeed a fact. However, we are facing a new reality that is leading companies and organizations down a path in which there is no looking back: the urgent need to know and enhance, without exception, their governance structures through internal practices of risk management, internal controls and compliance.

The fact is that the Anti-Corruption Law was silent on many points and did not clarify, for example, what should be included in the compliance programs, nor how this should be assessed to demonstrate its effectiveness. This elicited many questions among businessmen, who even went as far as to doubt that the Anti-Corruption Law was applicable in its current form.

The recent regulation of the Anti-Corruption Law through Federal Decree 8420 of 18/03/15, came to dispel those doubts.

Indeed, in its Articles 41 and 42, Decree 8420 defined what the Compliance (or Integrity) Program represents, its structure and application, as well as the parameters of evaluation by the supervisory authority, respectively.

In this sense, in a complementary manner to the aforementioned Decree stipulations, among other regulations, on 07/04/15, the Office of the Federal Controller General (CG) issued Ordinance No. 909, which deals with the assessment of the compliance programs of companies, subject to the submission of program profile and compliance reports as per the details contained in Articles 3 and 4.

It is important to note that, pursuant to Decree 8420, for a company or organization to be able to benefit from reduced fines or even its eligibility to be granted a leniency agreement it must provide information about the structure of its Compliance Program, what the parameters are and how they have been implemented as well as the importance of their implementation. They must further demonstrate the operation of the Compliance Program through historical data, statistics and specific cases, taking into consideration the premises of prevention, detection and rectification within a compliance system.

In essence, the Compliance Programs must be structured in accordance with the current activities, characteristics and risks of the company, irrespective of the size and business sector of the company or organization. We must not overlook actions geared to third parties, defined as suppliers, service providers, intermediary and associate agents according to the provision contained in Article 42, III, of Decree 8420.

Whatever the case, when we think of compliance in general we must reflect about something far broader than legal or regulatory compliance, ethical conduct guidelines or even complaint filing channels. We must also think about how to manage risks, internal controls, contingency and continuity plans, relationship with third parties, identification of losses, staff training etc., the inadequacy of processes and procedures of which might jeopardize the continuity of the company or organization.

To adapt and strengthen the functioning of the system of governance, risk management, internal controls and compliance of any organization is a professional, arduous and ongoing task.

Remember: if a thing needs to be done, it should be done well!

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.