Preparing for an IPO? Here’s four compliance must-haves to set you up for success

Congratulations! You’re pre-IPO

You’ve spent countless days, nights, and weekends at your private company gearing up for this moment.

It’s an exciting time,and the level of preparedness required is instrumental to your company’s success. After all, an IPO is just the beginning of a long road to delivering growth and shareholder value. And now, you’re responsible for ensuring compliance at your company.

So where do you start? As you work to set up the elements of an effective compliance program, prioritize these four compliance fundamentals to set yourself up for success:

1. Develop and deploy a Code of Conduct (and supporting policies)

It is imperative that employees understand how to behave and make decisions aligned with your company’s values and in compliance with all applicable laws and regulations.  The Evaluation of Corporate Compliance Programs (ECCP) underscores this, stating:

“As a threshold matter, prosecutors should examine whether the company has a code of conduct that sets forth, among other things, the company’s commitment to full compliance with relevant Federal laws that is accessible and applicable to all company employees.”

A Code of Conduct establishes the rules and behaviors expected of employees. Internally, it serves as a resource and performance benchmark. Externally, it communicates your company’s commitments to third parties, shareholders, and the broader community.

Where to start (three options):

1. Leverage existing templates. Adapt Code and policy templates from organizations with similar risk profiles to reflect your company’s tone and voice.
2. Build in-house. Develop a values-based Code and supporting policies from scratch, including guidance on ethical decision-making, links to policies, and FAQs. Draft policies in plain language rather than legalese.
3. Engage third-party experts. Collaborate with an external provider to build your Code in partnership with your internal SMEs and key stakeholders.

2. Establish an employee reporting mechanism

In addition to well-communicated standards, employees need an easy, safe, and secure way to report suspected wrongdoing.

The ECCP calls for an:

“...efficient and trusted mechanism by which employees can anonymously or confidentially report allegations of breaches…of suspected or actual misconduct.”

Where to start:

Engage a third-party reporting provider that:

• Is available 24/7/365 via multiple modalities 
• Allows anonymous reporting, if desired
• Tracks calls or web-based allegations end-to-end, including  response times and handoffs
• Provides dashboards and outputs for Compliance to actively monitor and report

3. Enable effective training

Policies and helplines only work if employees know about them and have opportunities to practice making the right decisions.

Risk-based training is essential to promote awareness of your company’s risks and support sustainable growth. Trust drives successful businesses, and training builds that trust.

The ECCP does not mandate a specific number of training hours but focuses on preventing misconduct. Think about the activities that could get your company into trouble and work backwards to ensure you’re delivering the right guidance to the right people.

Where to start:

1. Begin with foundational courses: Code of Conduct, harassment prevention, and one additional topic aligned to your top business risks (e.g., data privacy, anti-bribery and anti-corruption, information security, conflicts of interest).
2. Deliver training optimized for each learner that emphasizes learning by doing, provides real-time feedback and coaching, and ensures any identified gaps are remediated before course completion, achieving 100% proficiency.
3. Review behavioral intelligence data to identify readiness or clarity issues around certain risks. Use these insights to pinpoint potential hot spots and plan targeted reinforcement.

Once you’ve launched initial training, explore how to reduce seat time in future years while remaining aligned with DOJ guidance.

4. Create an ongoing risk assessment process and targeted disclosures

A robust compliance program mitigates risks specific to your business. To help employees do their jobs compliantly, you must first identify the risky tasks and behaviors that could lead to violations.

This is especially important pre-IPO, as employees engage with third parties including VC firms, investment bankers, and shareholders.

Where to start:

• Use the risk areas identified in your Code as a guide for .
• Research common regulatory concerns among your industry peers and competitors, considering risks by region and jurisdiction.
• Meet with HR, Audit, and Legal for a listening tour to understand their top concerns and uncover additional risks you may not have considered.
• For each risk category identified, assess likelihood and impact as high, medium, or low, and review these ratings with other stakeholders to build consensus.
• Implement conflict disclosures to establish a baseline across employees, including third-party interactions and outside business activities.

Setting the foundation for compliance excellence

Think of these four compliance fundamentals as your foundational building blocks. They will help you drive a culture of compliance and mitigate risk as you prepare for your IPO. Once this foundation is in place, you can begin building out a long-term strategy for compliance excellence.

Harper Wells is a governance, risk, and compliance leader with over 20 years of experience developing enterprise-wide ethics and compliance programs. As Chief Compliance Officer at Learning Pool, she leverages data-driven insights and innovative training strategies to foster ethical, high-performing workplace cultures.