What is so difficult about implementing a compliance program?
As a provider of corporate compliance software, we have the opportunity to work with organizations of all sizes and see, firsthand, the uniqueness of each organization’s compliance programs. What’s interesting in many cases is that the maturity of programs comes in unexpected places. In some situations, we have seen organizations with 20,000 employees who have only one or two people dedicated to compliance, with little to no technology to help them. On the flip side, we’ve encountered organizations with 2,500 employees who have a dozen full-time compliance team members running a full stack of technology.
What this varied make-up of teams tells us that there is no one-size-fits-all compliance program. And further, there are no particular company characteristics (employee count, revenue, etc) that equate to a team or program of a certain make-up. Which begs the question:
How do you implement a compliance program?
For organizations looking to build a new compliance program, this lack of uniformity makes the process of building all the more difficult. There is no reference program to start with or set of guidelines around the number of people, technology, focus, etc.
Fortunately, there are many recommendations available from the various government entities throughout the world charged with compliance investigations and enforcement. For our purposes today, let’s take a look at the United States Department of Justice - Evaluation of Corporate Compliance Programs that was just updated in April of this year. This guidance is designed “to assist prosecutors in making informed decisions as to whether, and to what extent, the corporation’s compliance program was effective at the time of the offense.”
Of course, implementing a compliance program is more about empowering the organization to do the right thing and ultimately protect the company from risk rather than avoiding prosecution. However, this guidance contains many keep tips on structuring a program that begins with some fundamental questions:
- “Is the corporation’s compliance program well designed?“
- “Is the program being applied earnestly and in good faith?“ In other words, is the program being implemented effectively?
- “Does the corporation’s compliance program work“ in practice?
The guidance notes that the answers to these questions come from “...various topics that the Criminal Division has frequently found relevant in evaluating a corporate compliance program.” These very same topics are incredibly helpful as a blueprint for establishing a new compliance program from scratch!
So, how do you begin implementing a compliance program?
Conduct a Risk Assessment
At its core, a compliance program is all about protecting an organization from risk. In order to do that, it’s important to have a complete view of what risks the company faces. And that begins with a thorough risk assessment.
The DOJ guidance recommends that the company analyzes and addresses “...the varying risks presented by, among other factors, the location of its operations, the industry sector, the competitiveness of the market, the regulatory landscape, potential clients and business partners, transactions with foreign governments, payments to foreign officials, use of third parties, gifts, travel, and entertainment expenses, and charitable and political donations.”
There are numerous frameworks used for conducting a risk assessment including ISO 31000 and COSO. Many organizations will tailor their risk assessment process to their own particular needs. In any situation, a successful risk assessment will:
- Identify, analyze, and address all key organizational risks
- Provide the needed information to appropriately allocate resources to mitigate these risks based on their severity
- Be flexible enough to allow for iteration and regular revaluation of all risks
Establish Policies & Procedures
Policies and procedures are essential to any compliance program. They establish the overall standard operating procedure of ethical and compliant behavior within any organization. In addition, key policies should be informed by the risk assessment and be designed to help mitigate those identified risks. More importantly, however, is establishing a code of conduct that instills a true culture of compliance, with top-down support from the highest levels of the organization.
Train and Communicate with Employees
Establishing a strong code of conduct along with risk-based policies and procedures is critical, but those policies are only as good as the training and communications program that supports them. If employees are not fully trained they not only can’t be held accountable but they may also act in a way (at no fault of their own) that is opposed to the policies and procedures that have been created.
A well-rounded training and communications program should:
- Take a risk-based approach - Employees within high-risk business units should receive tailored content to their roles and management level employees must receive training that not only addresses their own conduct but also training to address issues with direct reports.
- Be tailored to the specific audience - Training should be delivered in the native language of the region and delivered in a format that makes it most digestible. An example would be to deliver mobile-friendly content to employees in remote locations who only have access to mobile devices vs local employees who can attend a live training.
- Be informed by past history and episodes of misconduct - Ensure the training includes areas that have caused issues in the past while also informing employees of what the consequences are for engaging in ethical conduct.
Reporting & Investigations
When risks are identified, policies & procedures established, and employees trained, the core components have been established for the compliance program. Unfortunately, there will be times when employees do not follow the rules. Organizations must put in place a system to ensure employees who are witness to violations can easily and anonymously report those violations. Once a report is made, there must be a systematic approach to investigating those reports and ultimately determining their veracity and potential consequences to those involved.
The most critical component of any reporting process is that employees feel that they can speak up without fear of retaliation from both the company and the individuals involved. Additionally, there should be measures in place to protect the whistleblower from other external factors.
A strong whistleblower process should include the ability to make submissions anonymously via phone and electronic means (web form, text, etc). Additionally, any report made should be responded to in an efficient manner. Additional steps must be taken to ensure investigations “are independent, objective, appropriately conducted, and properly documented.”
Third Parties
Third parties represent some of the most significant risks to organizations, especially those operating on the global stage. Nearly 90% of FCPA (Foreign Corrupt Practices Act) fines stem from third parties directly. To protect themselves, organizations must have a well defined due diligence process to vet third parties they are planning to do business with. This includes new vendors, partners, consultants, customers, and more.
Any due diligence system should:
- Take a risk-based approach - Spend more time investigating high-risk third parties while using technology and process to push lower risk third parties through the process.
- Be connected to a broader risk framework - Align your due diligence process with your organization’s broader risk framework and clearly communicate your company’s risk tolerance. Additionally, it is incredibly important to be transparent with your third parties on your risk approach
- Strike the right balance of internal resources and structure - Due diligence can be a people heavy process but it is important to leverage technology to identify and manage red flags and put red flags into context. Additionally, automation can be used to reduce the workload of compliance teams.
Ready to implement your compliance program?
Implementing a compliance program is a significant commitment. The steps above can be used to lay the groundwork for the program. But a truly successful compliance program needs a commitment from the highest levels of the organization to not only establish the program but also a desire to do the right thing as an organization. The most comprehensive compliance programs will fail if the organization is not fully committed to ethical behavior.
To learn more about implementing a compliance program, I highly suggest you read A Blueprint for an Automated Compliance Program. This eBook will provide you with a detailed guide to the building blocks of compliance including risk management, due diligence, training, policy management, reporting, and more.