So don’t die of surprise at this news, but sometimes companies don’t have a robust compliance function. Which means that when they want to build that function—either because the executive team is forward-thinking, or regulators have ordered corrective action—the business needs to create a compliance framework.
Well, what exactly do we mean by that? What things does a compliance framework provide, that lead to an effective compliance program?
A compliance framework is one of the most important tools a compliance officer can use to build a program. So let’s take the time to unpack and understand everything contained in those two words.
What Is a Compliance Framework?
Formally, a compliance framework is a structured set of guidelines to aggregate, harmonize, and integrate all the compliance requirements that apply to your organization.
In practice, a compliance framework lets you take a collection of documents—policy manuals, procedure descriptions, mission statements, regulatory mandates, control documentation—and meld those things into one cohesive whole. A compliance framework brings order to the ceaseless stream of regulatory mandates that rain down on a large organization so that when something new comes along, you have a method for integrating that new requirement into your existing approach to compliance.
Compliance frameworks are usually tailored to a specific issue. For example, you might follow one framework to guide your anti-bribery compliance, another to guide your data privacy compliance, and a third to guide anti-discrimination compliance. Your compliance program would use those frameworks to measure its progress on all three issues. (How, exactly? We’ll get to that shortly.)
Why Do Compliance Frameworks Exist?
Well, just imagine how you would develop a compliance program without frameworks.
In all likelihood, you couldn’t. You would miss too many steps, or take certain steps out of ideal order and end up repeating your work, or repeat the same step over and over and waste program resources. Some parts of the enterprise might be managing compliance risk brilliantly, while another part is managing the same risk terribly—and you, the compliance officer, might not be aware of the discrepancy. Which could lead to awkward conversations with regulators if you experience a compliance failure, and those regulators start asking about the effectiveness of your compliance program.
Put another way: compliance frameworks exist to help compliance officers build a compliance program efficiently.
Let’s remember that all large organizations already have at least some compliance activities happening around their enterprise, and many will even have quite a lot of compliance activity happening. Your job as a compliance officer is to wrestle all that activity into one disciplined program that meets all the regulatory obligations your company has. A compliance framework lets you proceed through that work in a methodical way, so you can reap the most benefit for the least expense of time, resources—and your own sanity!
Moreover, compliance frameworks provide a standard that others can use to judge your compliance program. That is, when regulators (or the board, or auditors, or business partners) ask, “How strong is your compliance program? Why did you build it the way you did?”—you can map your program and its activities to what those frameworks require. Those parties can then better understand the program improvements you’ve already made or the ones you still need to make.
How Do You Implement a Compliance Framework?
You implement a compliance framework first by finding a framework that you can use and then comparing what that framework requires against what your company already does. That analysis reveals the gaps in your compliance program, and you remediate those gaps one step at a time.
Of course, the reality of implementing a framework is more complicated than that abstract theory. So let’s consider an example from the anti-bribery world.
You would begin by researching where you could find an anti-bribery framework. For example, the U.S. Justice Department has published lengthy guidance in the form of the FCPA Resource Guide. The U.K. Serious Fraud Office (SFO) has published its own guidance about adequate procedures for the U.K. Bribery Act. ISO 37001 is a standard for anti-bribery management systems. Any number of professional services firms could also help you identify an anti-bribery framework or fashion one together from regulatory guidance.
Then comes the gap analysis: comparing what that framework requires for a compliance program, against what your compliance program already does.
Let’s say the compliance framework requires that your company has an anti-bribery policy; procedures to help employees follow that policy, and controls to assure that employees can’t easily evade those policies and procedures. How do all those things fit together? We’ll consider each one in turn.
Compliance with Company Policies
A policy is a written statement about how your company views certain risks. It can be a simple rule that states what the company’s compliance objective is. So for anti-bribery, the policy could be something like:
The company is committed to conducting its business in an ethical, honest, and transparent manner. Bribery and corruption are not consistent with our values, and present significant risks to its business. Therefore employees should never offer, give, solicit, or accept a bribe; whether cash or other inducement to or from any person or company. The company is committed to the prevention, deterrence, and detection of bribery and corruption.
Corporate policies are the backbone of a compliance program. Unto itself, however, a policy usually does little to teach employees (or agents and other third parties) how to act when faced with a particular temptation or risk. That’s where procedures come in.
What Are Compliance Procedures?
Procedures provide employees and agents with guidance about how to act under certain circumstances, to ensure that they don’t violate corporate policies.
For example, you could require employees to seek approval from the legal or finance department demonstrating a legitimate business purpose before offering to pay travel and lodging expenses for a foreign government official. You could also require prospective agents to complete a due diligence questionnaire, or have employees complete their own due diligence checklists as part of the agent pre-hire process.
A compliance framework will help you understand what procedures you should put into place. As you can imagine, the total number of procedures necessary to operate a global anti-bribery program can grow quite large—procedures to submit requests, procedures to review requests, procedures to document decisions, and so forth. A framework can identify which ones make the most sense for your organization, and clarify the work that will be necessary to put those procedures into effect.
What Are Compliance Controls?
Controls, by contrast, are specific checks or gateways intended to prevent improper transactions from happening. They’re usually administered by accounting or compliance personnel—or, even better, are automated parts of your IT systems—to help assure that policies and procedures aren’t subverted.
For example, a control could be something as simple as requiring two authorized signatures on an approval to spend money entertaining a foreign official; or as complex as disallowing any payment to an agent or reseller whose due diligence isn’t already complete. Another might be to disallow any spending requests at all from employees who haven’t completed necessary anti-bribery training or policy attestations.
All controls aim at the same goal: control and oversight of corporate transactions, so those transactions unfold according to company policy and regulatory obligations.
Tying Your Frameworks Together
As we mentioned, most large organizations will use multiple compliance frameworks at the same time, to chart their progress on multiple compliance obligations. And when you consider the myriad steps involved even within one compliance framework—the remediation work to build and maintain a robust compliance program can be overwhelming.
To that end, compliance officers must consider what technology they can use to coordinate their frameworks and remediation steps. Those tools can map regulatory requirements to specific policies, procedures, and controls; and let you see which of those items you don’t currently have. Then you can prioritize remediation work, assign tasks, monitor progress, and report your program’s compliance posture to senior executives.
That’s the rigor and structure that an effective compliance program needs. That’s what compliance frameworks provide.
Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week. from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.