Every compliance professional wants to maintain a state of organizational compliance—that is, the whole enterprise embracing the directives of the compliance program, rather than you and your team chasing the rest of the business, trying to force compliance on other business functions after they have already done whatever they want.
The good news is that most employees and business functions want to conduct themselves in an ethical and compliant manner if the compliance team comes to them with policies, procedures, and controls that make sense for what those other functions do.
The bad news is that corporations are also in a constant state of flux: new products, new strategies, new leaders, new regulations, new economic pressures. So even if you achieve organizational compliance at one point in time, you won’t necessarily maintain that organizational compliance, since circumstances might evolve in a way that leaves the program out of alignment with business operations.
This means that if you, as a compliance officer, want to maintain organizational compliance, you need to recalibrate your program at regular intervals—assessing business risks and retooling your program to keep pace with whatever has changed. That’s how you achieve success here.
What does that mean in practice? Let’s consider eight ways to recalibrate your program to keep organizational compliance sharp.
1. Reassess Your Risks Regularly
All recalibration happens in response to something that has changed. So above all, reassess the company’s risks at regular intervals to see whether operations have changed in some way that renders current compliance program operations no longer fit for purpose.
Think expansively about how those changes might arise. For example, the pandemic forced vast numbers of employees to work remotely; that’s one set of risks. Recession has led some companies to cut or furlough staff, which can mean certain approval procedures no longer work because the approver is gone; that’s another type of risk. New executives, new strategies, new customer targets—they can all change the company’s ethics and compliance risks.
If your company has an internal audit function, perhaps use the auditor’s annual enterprise risk assessment. If not, perform your own risk assessment at least annually, or, preferably, in real time on an ongoing basis.
2. Keep Pace With Regulatory Change
The pandemic has also reminded corporations of how quickly regulations can change—although, for global organizations, it’s always been the case that national, state, local, and industry regulations can evolve at dizzying speed. An ability to monitor regulatory change, and then to flag changes relevant to your business, is critical to maintaining organizational compliance.
Once upon a time, companies managed regulatory change by consulting with law firms and reading whatever legal bulletins those firms published. In today’s highly regulated world, where regulators even from far-flung jurisdictions can cause expensive enforcement problems, that reactive, manual approach to regulatory change isn’t sufficient. Companies need an efficient way to monitor regulatory pronouncements and then perform a gap analysis against current policies, procedures, and controls.
3. Review Your Hotline Calls
An invaluable window into the state of organizational compliance is the internal hotline. Compliance officers should analyze hotline activity extensively to see what that might reveal about poor corporate culture, flawed policies, ineffective controls, emerging risks, and more.
For example, merely tracking the number of hotline calls tells you nothing other than that your phone line works. Much more productive would be to analyze the details of calls about retaliation: how many calls as a percentage of all calls; where the calls originate; what type of conduct provoked the alleged retaliation; the level of manager doing the retaliation; and so forth.
That level of analysis can help compliance officers understand the true state of corporate culture—and from there, implement new policies, discipline offenders, or take other actions as necessary to keep organizational compliance sharp.
4. Monitor Investigations
Along similar lines, compliance officers should monitor ongoing investigations to see what those issues reveal about corporate compliance. Investigations, however, can also illuminate changes that might be necessary within the compliance and legal functions themselves.
For example, if investigations of the same issue (say, harassment) are taking longer, that could mean that the investigations team needs more manpower or better case management technology. If regulators investigating the company keep faulting the company for sloppy e-discovery, that might mean the company needs to invest more in records retention. Investigations are a reflection of how well the legal and compliance teams perform their own jobs, which is a part of organizational compliance like any other.
5. Measure Employee Engagement
Organizations achieve compliance when employees engage with the compliance program, so measure employee engagement regularly and see how that engagement changes over time.
Hotline calls can be one barometer here: If the company rolls out training on a new subject, do you see a corresponding change in calls about that issue? Alternatively, you could measure queries that employees make to an online repository of policies or an interactive Code of Conduct, if your company uses either of those technologies. Completion rates for third-party due diligence, data from exit interviews—any data that can inform you about employee attitudes to corporate compliance is worth studying.
6. Test Procedures and Controls
Another way to recalibrate your organizational compliance is to test things and determine which ones don’t work. Hence we see so much focus on monitoring, testing, and remediating the performance of procedures and internal controls.
Exactly which procedures and controls to test depends on the result of risk assessments and prior audits. In principle, however, the weakest controls for the greatest risks take priority. Compliance officers can seek help on testing from internal auditors (or outside consultants), and remediation work should then be guided by compliance frameworks that can help you plan and manage each step.
7. Update Your KPIs and KRIs as Necessary
For all our talk of recalibrating your program for better organizational compliance, the implicit question is: recalibrating the program to do what? The answer: to stay within the company’s stated risk tolerances. That means the company needs key performance indicators (KPIs) and key risk indicators (KRIs) that match its most significant risks—and as risks change, your KPIs and KRIs should change along with them.
This recalibration will usually involve discussion among the chief compliance officer, business unit leaders, senior management, and (ideally) the board about what those most pressing risks are, and how much risk the organization is willing to accept in pursuit of objectives.
8. Document Your Changes
The final step to recalibrating organizational compliance is to document the changes that you make. First, that’s necessary simply so others within the company can follow whatever new policies and procedures might come along. Beyond that need for clear communication, however, the compliance team also needs to be able to show its reasoning to others: regulators, business partners, the board, and so forth.
After all, your recalibrations will come under scrutiny at some point, even if only in routine matters such as a regulator’s examination or business partners performing due diligence on your company. At worst, your company might fall under investigation, where regulators will ask why you made the changes you did. Regardless, you will need to be able to explain your program’s logic. Documentation does that.