Providing reports about corporate compliance is one of the most important duties that a compliance officer performs. So let’s review the fundamentals of that task, and begin with a simple question: what is compliance reporting, exactly?
The simplest definition is that a compliance report documents how well a company is or isn’t complying with some regulation that applies to the business. That compliance report is usually (but not always) written by the compliance officer, and it can go to several audiences—the board, senior executives, regulators, business partners, and others.
Broadly speaking, a compliance report tries to answer three questions:
- Is the organization in compliance with the regulation?
- Does the company have a reliable process to be in compliance?
- What else could or should be done to improve compliance?
That’s the overview of compliance reporting, at least. Now let’s consider the details of how to do compliance reporting well.
Why Compliance Reporting Is Important
Compliance reporting is important for many reasons.
First, some compliance reports can be required by regulatory obligation. For example, banks must file certain reports with their industry regulators to demonstrate compliance with rules governing liquidity risk. A business working under a settlement for antitrust or FCPA infractions might need to file reports with the Justice Department about corporate compliance. An inability to generate those reports could invite serious trouble.
Second, even where a compliance report isn’t required by regulation, compliance reports can inform your regulatory reporting. For example, in the state of New York, financial firms need to certify the effectiveness of their cybersecurity programs. That certification isn’t a compliance report in the strictest sense—but just about every CISO would want an internally generated report about the firm’s compliance with cybersecurity regulations before he or she certifies anything.
To put it another way, compliance reports are important because they document the current state of your company’s compliance posture.
Spoiler alert: that posture is not perfect. Whether you are documenting compliance with anti-corruption, privacy, human trafficking, or anything else, inevitably you will find shortcomings. A compliance report identifies those shortcomings and provides a roadmap to remediation.
Third, compliance reports can often be required by customers. For example, a customer might want to understand your company’s cybersecurity or anti-corruption programs, before it agrees to do business with you. A compliance report can answer those questions. (And as the business landscape keeps marching toward a world of high regulatory and ethical expectations, those demands from customers will only get more insistent.)
Examples of Compliance Reports
Compliance reports come in all shapes and sizes, on many subjects. Some might have a designated structure, if they’re driven by specific regulatory requirements. Many, however, take whatever form and structure makes the most sense for your organization’s needs; the content of the report is what matters most.
Examples of a compliance report include:
- A review of due diligence programs or internal accounting controls for FCPA compliance
- A summary of the documentation and testing of security controls for PCI compliance
- A report on policies and procedures necessary for HIPAA or GDPR compliance
- A review of policies and internal controls for AML or Know Your Customer compliance
The Justice Department’s guidelines for effective compliance programs don’t specifically say, “Thou shalt do compliance reporting.” They do, however, talk about a company’s ability to see warning signs of compliance risk, “such as audit reports identifying relevant control failures.”
That implies an ability to study your compliance posture—which is what a compliance report allows you to do. So whatever compliance obligations your company might have, an effective compliance program should be able to generate reports on all of them.
What a Compliance Report Should Include
A compliance report should include four main components:
- A statement regarding the regulation in question.
- A discussion around the scope of the report—that is, precisely what the compliance officer reviewed, and what he or she didn’t. In many instances, affirming what was not reviewed is just as important as stating what was.
- A review of the compliance process itself. For example, if reporting about the effectiveness of third-party due diligence, describe how those procedures are supposed to work.
- A summary of the findings of your analysis. How well is the company meeting the stated compliance obligation, or not?
A compliance report can, and usually should, also include action items to improve compliance. In some instances, however, such as a regulatory report with a fixed structure, that might not be the case.
What Makes Compliance Reporting Effective
First, effective compliance reporting produces reports that are useful to the reader. Remember that many compliance reports go to senior executives or board directors. While they might understand the concepts of regulatory compliance, they won’t necessarily know all the lingo or terms of art that compliance officers might use internally.
A compliance report should anticipate that reality, and be written in such a way that its readers can put the report to good use. To that end, all compliance reports should:
- Use clear language and sentence structure
- Be concise
- Include an executive summary
- List action items or timelines for improvement
- State any necessary action from executives or the board, such as decisions that only they should make
Second, effective compliance reporting generates reports as quickly as possible. This quality matters more to the compliance officer making the reports than to the executive reading them, but it’s still important. Manual creation of compliance reports is expensive, painstaking, and more prone to error.
For example, all useful compliance reports include data. So one place for a compliance officer to start is to consider which parts of data collection and analysis can be automated and then fed into a pre-existing compliance report. (Say, a quarterly analysis of due diligence efforts.)
That also means the compliance officer should consider the design of your compliance reports, and how much of the report can be pre-formatted so data flows into the report automatically.
In the ideal world, many compliance reports can follow predesigned templates, to capture data based on predetermined metrics. Then you can present those reports quickly, clearly, and easily.
The one thing you probably shouldn’t automate: the analysis of weak spots in your compliance program, and recommendations for improvement. Some things are still better left to good old human judgment.
Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.