The details of what makes up an effective compliance program have already been discussed and dissected tirelessly in the compliance community. But once the effective compliance program has been established, what’s next?
You have probably spent a lot of time designing and establishing systems, devising the right policies, figuring out the perfect due diligence, training and whistleblowing program, selecting the right vendor and more. However, running the program is just as critical as designing it. Just as much thought and effort must be put into the monitoring and review process.
Not only does a business evolve over time, e.g. by engaging new third parties, starting operations in new markets, etc., but so do regulations and the laws that govern your industry and your business operations, thus rendering initial assessments of risks possibly obsolete. Risks constantly change and evolve as should your compliance monitoring process. All guidance released by enforcement authorities equally emphasize the above point: A stale program is a failed program, no matter how well your compliance monitoring processes were designed in the first place.
The UK Bribery Act, France’s Sapin II and the FCPA equally emphasize monitoring and review to ensure that as risks change your controls adapt accordingly. Compliance officers must adopt an evaluative approach and ensure that the objectives set out by the compliance program are achieved, and, whenever flaws or failures are detected, proactively addressed.
According to the FCPA compliance guide from 2012 “[The] DOJ and SEC evaluate whether companies regularly review and improve their compliance programs … [The] DOJ and SEC will give meaningful credit to thoughtful efforts … undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines.” The same goes for the UK Bribery Act, under which ‘adequate procedures’ can only be a defense if they were in place before a breach happens.
Likewise, amongst the guiding questions the DOJ includes in its 2017 release on how to evaluate the effectiveness of compliance programs, several address continuous evaluation and improvement. This may take several forms, including, but not limited to, internal audits, control testing of relevant controls and collection and analysis of relevant data, as well as evolving updates, which mainly concerns updating risk assessments and review of internal controls. Remediation and follow-up should guide you in improving your compliance program.
What Should a Compliance Monitoring Plan Look Like?
Here are a few practical guidelines on how to monitor compliance with policies and procedures:
- Plan: Put a plan in place and follow up on it. Set one, two or three-year goals and make sure to measure results. Whether it is to rewrite your code of conduct or provide more and better workforce training, make sure you track the progress of your initiative to figure out whether or not your compliance program is evolving and keeping up with best practices.
- Capture data: Collect as much data on your compliance activity as possible and consolidate that information in accurate and useful ways.
- Be proactive: Groom and aggregate your data. Analyse and track trends in compliance activity and report it to the right executives. One example could be tracking trends in exception request submissions: If you have a greater number of exception requests, it could attest to your success at making people understand the policy and the process, or maybe it’s a sign that do you have a bigger problem.
- Escalate: Create a clear and appropriate escalation system, so that the right managers or risk owners can quickly and adequately respond to any identified red flags or breaches.
- Remediate: When flaws and failures are identified in the system they should be addressed through the development of internal controls to match and mitigate those risks.
- Train: Train your employees. Remember, building a human firewall is one of the most effective defence against compliance breaches. When employees recognize a reportable event when they see it and know how to report it, then you have managed to install a sound corporate compliance culture. You can even measure that engagement through survey results
- Document: Getting documentation in place must not be secondary. Document all your efforts and keep auditable records that prove of all your compliance activities. A strong reporting system will always allow you to be prepared for any inquiry in case authorities come knocking at your door.
- Automate: Moving from manual to automated reporting and monitoring processes will allow the flow of data to be constant and human intervention minimal, leaving less room for human error.