Among corporate compliance professionals, Morgan Stanley is held up again and again as the best-case scenario of worst-case scenarios. A Morgan Stanley managing director ended up in prison for committing substantial Foreign Corrupt Practices Act (FCPA) violations, but the strength of the company’s compliance program helped it avoid enforcement actions from the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC). The circumstances behind the 2012 Morgan Stanley declination were included among the real-life case studies highlighted in the FCPA guidance the DOJ and SEC published last year.

In court documents, the government outlined Morgan Stanley’s anti-corruption compliance efforts. These efforts included: strong internal policies periodically updated to reflect regulatory developments and specific risks; regular monitoring, including random and unannounced audits; frequent employee training (the employee who committed the violations had been trained on the FCPA seven times and reminded of FCPA compliance at least 35 times); and extensive due diligence and stringent controls on all business partners. Morgan Stanley discovered the violations, self-reported them to authorities and cooperated extensively in the government’s investigation.

“Show regulators you’re proactive and actively trying to do everything you can to ensure you’re compliant, and that goes a long way if they find a violation,” advises Thomas Zielinski, a partner at Morgan Lewis. As the former general counsel of Coventry Health Care Inc., Zielinski is familiar with operating in a heavily regulated space.

Rogue actors like the Morgan Stanley employee do exist, and well-meaning employees and third parties will make mistakes even in the face of the most extensive compliance training, yet most regulators will take into account sincere, ongoing and thorough compliance programs when considering enforcement actions.

The complicating factor, of course, is that there’s no one-size-fits-all approach to legal and regulatory compliance. But lawyers in the compliance arena—with U.S. Federal Sentencing Guidelines on program requirements as their roadmap and experience as their compass—have identified six fixable missteps that they see the most. Addressing these common shortcomings is a way for companies to ensure their compliance functions are poised to uncover and address looming problems.

“Crafting a compliance program is an art,” says Roy Snell, CEO of the Society of Corporate Compliance and Ethics, an association of compliance officers and other compliance professionals. “The thing that was lacking at Enron, at Tyco, atPennStatewasn’t legal acumen. What was missing was a compliance officer with authority, independence and good negotiation, collaboration and motivation skills. The best compliance programs are measured by their ability to facilitate action and change.”

Mistake: View compliance as a revenue suck.

Reality: There’s a strong business case for ethics and compliance.

These days there is increasing acceptance of the view that compliance is a revenue suck—at least among compliance professionals. In a 2013 survey of ethics and compliance leaders that regulatory compliance consultancy LRN published in June, 81 percent of respondents cited long-term value and business performance as the top benefit of an ethical corporate culture, surpassing compliance for the first time. Yet those same compliance leaders said “the lack of appreciation of culture as a business driver” was one of the top obstacles to building a strong ethical culture in their companies.

Now consider a recent survey of CFOs, a corporate population with a different viewpoint. Forty-seven percent of CFO respondents to a 2012 Ernst & Young survey said certain questionable actions (such as using cash payments, entertainment or gifts to retain business) could be justified to help the business survive in an economic downturn.

Why the disconnect? Some of it stems from the difficulty of trying to prove a negative: that compliance efforts saved companies from penalties, financial losses or reputational harm. Furthermore, measuring the corporate culture itself can be a murky exercise for managers and employees. “Many people regard corporate culture as somewhat abstract, ‘soft’ and tough to measure,” LRN reported. In the absence of hard data reflecting the impact of a strong ethical culture on their business, they tend to marginalize its importance.

There is data out there that shows a correlation. Ethisphere, for example, has tracked the performance on the S&P 500 of the companies it has deemed the “World’s Most Ethical” and found that they have consistently seen higher percent returns, even throughout the 2008 financial crash.

An ethical culture can also help companies retain employees and attract top candidates to their business. In 2004, with the Enron, WorldCom and Arthur Andersen scandals relatively close in their rearview mirrors, more than 97 percent of MBA students in leading programs in the U.S. and Europe said they would take a pay cut—on average, 14 percent—to work for an organization with a better social and ethical reputation.

“It makes sense. People want to work for a company they feel has good values and a good reputation. They don’t want to work for an Enron,” says Eric Morehead, senior compliance counsel at advisory firm Corpedia Corp. Morehead helped develop ethics and compliance policy under the Federal Sentencing Guidelines as assistant general counsel for the U.S. Sentencing Commission. “If you want to retain top staff and not lose money to constant recruiting, a positive ethical culture is important,” he says.

Mistake: Establish a program and then let it do its job.

Reality: Compliance programs require constant monitoring.

Regular, documented auditing and monitoring of compliance programs are one of the Federal Sentencing Guidelines’ requirements for an effective compliance program. But a 2011 Association of Corporate Counsel/Corpedia benchmarking survey on compliance programs found that only 42 percent of organizations were conducting periodic assessment, reviews or benchmarks of their programs.

“Unless you make the effort to periodically audit your compliance procedures and make sure people are actually following them, you can get really tripped up,” says Greg Husisian, a partner at Foley and Lardner. “Your compliance system might look perfectly good viewed at 30,000 feet from headquarters or the general counsel’s office, but it may not be an effective program as actually carried out in the field.”

Auditing is a key component of the risk-based approach to compliance that grew out of accounting concepts, and theU.S.government has endorsed it across a wide range of laws, Husisian says. “It’s one of the foundations of 21st century compliance.”

Unlike financial auditing, however, compliance auditing is a common victim of cost cutting. It’s easy to view audits as a straight expense. In reality, the tradeoff is greater risk to the corporation. The best practice is to have an outside party conduct the audit, but Husisian says audits don’t always need to be carried out by an independent auditor: Sometimes, for example, a company can tack on a compliance-related audit to a financial audit that is already planned.

The key is to examine transactions subject to various requirements of the company compliance plan and see whether employees are following through on them. The simplest metrics may involve assessing hotline calls or administering surveys throughout the organization to see how employees view compliance.

Chip Jones, a managing shareholder at Littler Mendelson, says companies must understand that employee engagement and corporate culture are assets that require long-term management. “If employee engagement were an asset on your publicly reported balance sheet, it would most likely be one of the most important assets your organization has,” he says. “Employee engagement is an area where leading organizations are doing better than others.”

Surveys can uncover discrepancies between executives’ view of company culture and the way middle managers and employees view it. PricewaterhouseCoopers’ study found that while compliance budgets and staffing are stable or increasing, respondents frequently said they lacked sufficient resources and technology.

“If you conduct surveys by business unit or geography, you can start to identify the areas where particular leaders aren’t as effective and use that data to manage the business,” Jones says.

Mistake:  Fixate on tone from the top.

Reality: Tone at the middle matters, too.

“Tone at the top” is the familiar mantra of corporate compliance programs, and with good reason. But to ensure compliance spreads throughout the organization, tone at the middle is also key. Research from the Corporate Executive Board (CEB) found that middle managers have the most influence on “local” culture and have the power to positively influence the integrity levels of their teams. And when middle managers demonstrate their commitment to compliance, employees are more likely to speak up about perceived problems. Frontline managers, the CEB has found, receive 66 percent of employee misconduct allegations. Similarly, theEthicsResourceCentersays 60 percent of employees report first to their supervisor.

“A lot of employees are never really going to see the CEO and don’t have access to that top level of management. They’re reporting within separate units in those corporations,” says Holly Smith, a partner at Sutherland Asbill & Brennan who was an SEC lawyer for 13 years. “There has to be a strong compliance program at the departmental level, and managers have to be proactive about reaching out on a regular basis to everybody that works in the unit.”

CEB research has also found that tone at the top doesn’t always trickle down to middle managers and employees, even when there’s buy-in from the C-suite and the board.

“I’ve been working with compliance officers for about 17 years now, and a large percentage of them say their leadership is supportive of compliance and ethics,” says Snell, a former compliance officer. “I don’t think we have a problem with tone from the top as much as much as we have a problem communicating to the people in the company the fact that there is tone from the top.”

All supervisors, middle managers and upper managers need to state on a regular basis that they and their company support compliance and ethics and to market that support just like they would market their products or services to potential buyers, Snell says. This can be simple and inexpensive: a short comment at the beginning of meetings or an e-mail or a company newsletter that focuses not just on the bottom line but on compliance efforts and victories.

More mature companies are increasingly decentralizing the compliance function, distributing responsibilities to people lower and lower in the organization.

“Most multinational organizations today define principles and standards at the corporate level and then push them out regionally to the business, whereas five to eight years ago, compliance was centralized in most companies,” says Kenneth Kurtz, CEO of Steele Compliance and Investigation Services. “The breadth of compliance programs used to be more focused and limited, but today companies are contending with compliance actually intersecting the business.”

In the PricewaterhouseCoopers survey, 57 percent of respondents reported a hybrid operating environment that combines a centralized compliance function with compliance responsibilities in the business, and 45 percent said more than five people in their companies work in compliance outside the centralized function. Someone in finance and accounting, for instance, may vet travel and entertainment spending to ensure practices are in line with company anti-corruption policies. As such, compliance issues become more intertwined with the day-to-day operations of companies, and more employers expect that these types of employees have some understanding of compliance issues.

Such an approach also can help address bottlenecks. “One of the dangers in managing a compliance program is creating funnels—basically inefficiencies—because one or two people have too much responsibility and they’re unable to address the compliance needs of the organization,” says Greg Esslinger, senior managing director in the forensic and litigation consulting practice at FTI Consulting.

Mistake: Focus on punitive measures.

Reality: A carrot can be just as meaningful as the stick.

It is vital that companies enforce their compliance program internally, and 92 percent of Fortune 500 companies and 85 percent ofU.S.companies discipline employees who violate either organization standards or the law, according to theEthicsResourceCenter.

Companies that go beyond corrective action to actually reward employee compliance provide a friendlier incentive for employees while integrating the idea that compliance is an inalienable component of business success. LRN’s survey found that the most effective compliance programs are much more likely to “celebrate employee acts of ethical leadership,” a practice that is far less common in the least effective compliance programs.

A reward could be a bonus, recognition of compliance in performance reviews, or something as simple as offering praise in team meetings or company newsletters to employees who made the right move when faced with compliance challenges.

“Companies that actually reward employees who take compliance seriously and take the right steps stand out,” says Dan Collins, a partner at Drinker Biddle and a former assistant U.S. attorney and deputy chief of the Financial Crimes and Special Prosecution section of the U.S. Attorney’s Office. “It exemplifies from a management level a commitment to a culture of compliance, which is an important part of showing the government you have an effective compliance program.”

Mistake: Develop a one-size-fits-all compliance training plan.

Reality: Training needs to be customized.

In 2012, the Texas-based company Orthofix International paid $7.4 million in disgorgement and penalties to settle FCPA enforcement actions after a wholly owned Mexican subsidiary was found to have made improper payments to government employees. The SEC complaint against Orthofix noted that it had disseminated a code of ethics and anti-bribery training to its subsidiary, but the materials were in English while the Mexican subsidiary’s employees spoke minimal English. It may seem like an obvious training blunder, but Morehead says that a surprising number of companies only provide employees with English codes of conduct (the foundation of every compliance program).

The FCPA guidance the SEC and DOJ published in 2012 notes, “Regardless of how a company chooses to conduct its training … the information should be presented in a manner appropriate for the targeted audience,” including language considerations. The guidance also advises companies to provide different training approaches to sales personnel and accounting personnel, for example, incorporating hypotheticals and case studies tailored to the situations they’re most likely to encounter.

Customizing employee training can also involve more nuanced considerations. Multinational corporations need to consider not just language but local culture and customs surrounding learning styles.

“In Japan, you might see that individuals are not as open to Web-based training; in France, learning styles are more formal than in the U.S.,” says Nic McMahon, chief operating officer of VIA, which provides employee training solutions. In a bid for greater employee engagement, some companies have turned to gamelike approaches to training, he says—but if you’re working inChina, a crossword puzzle just isn’t going to work.

Industry culture matters too. Employees at social media and app development companies, for example, are primed to take advantage of training programs delivered on a mobile platform, one of the more cutting-edge approaches to compliance training that vendors now offer. Vendors are increasingly touting technology-based training solutions that measure individual strengths, weaknesses and learning styles to instantly customize training approaches. For companies that have the budget, they promise individually calibrated approaches to training with little effort.