Posted on: November 17, 2021
Last month my colleague, Blaine Stahl, Director Emerging Products, and I had an opportunity to speak to industry peers at the annual RMA conference. Our session focused on how organizations can leverage compliance program management to enable their teams to build a more resilient culture and how investments in integrated risk management technology are critical in fostering that effort.
Regulators increasingly expect organizations to clearly demonstrate that their compliance program works. It is no longer sufficient to have a program written on paper or stored in a spreadsheet somewhere just to check the box. Siloed and outdated compliance programs often have undiscovered gaps, and these gaps have led to many highly public scandals in recent years. An ineffective compliance program can result in costly fines, penalties, and harm to brand reputation. But worst of all, these companies have lost the trust of their customers.
Compliance programs are not meant to eliminate all risk; however, they do serve as a mechanism to help organizations and their stakeholders understand how to proactively address issues and mitigate the disruptive impact when they arise. Developing an effective program requires embedding compliance into the fabric of the organizational culture, framework, policies, and processes. Taking these essential steps to build a comprehensive program can help your organization better respond to internal and external threats.
All effective programs start with a governance model. At the conference, we discussed how the framework for effective corporate compliance programs can be applied whether you are looking to implement compliance with one regulation or an entire enterprise program. By leveraging this framework, your organization can better integrate compliance risks into your risk assessment process; have a clearer understanding of your organization’s business processes and dependencies; work cross-functionally to build a resilient culture; and enable your executives and board members to make informed strategic decisions with detailed and accurate reporting on your program.
7 crucial pillars of an effective compliance program
- Effective Governance – A successful compliance program requires internal resources and broad cross-functional support, including executive leadership. To begin defining governance, start by drafting a program charter that clearly outlines roles and responsibilities. At the enterprise level, this could result in the formation of an organizational compliance committee, but for an individual regulation, your primary governance document could be a standard operating procedure. The next step is understanding and documenting your risk and determining which compliance risks apply to your organization. Additionally, you will want to codify the frequency at which you assess risk related to your program.
- Define Policy and Procedures – Once you have identified your key risk areas and clearly determined your areas of compliance, you should then design and implement policies and procedures. Good policy is generally tightly aligned to your organization’s values, company culture, and legal obligations.
- Train and Educate – Once your policies and procedures are established, you’ll need to consider how to train the organization on the program’s deliverables and value. If you are drafting a playbook for a narrow risk area, you should identify exactly who is being trained, on what cadence, and how you will measure the effectiveness of the training. Measuring training effectiveness can be as simple as adding assessment questions to an online training module, or you can specify that an internal audit will ask a sample of trainees questions about the content at a later time.
- Open Lines of Communication – Document how members of your organization can report violations of policy or suggest feedback on a new procedure. A description of this process should include where to report concerns and details of how concerns will be investigated and, ultimately, resolved. Developing two-way communication with your employee stakeholders is critical to understanding what works within your program and which aspects need to be refined or iterated as you move forward.
- Auditing and Monitoring – Build robust functions that differentiate between auditing and monitoring. The key difference between monitoring and auditing is that monitoring is an ongoing activity that can detect issues in real-time, whereas an audit is a moment-in-time review.
- Enforcement, Incentives, and Discipline – Make compliance targets and goals part of everyone’s performance evaluation, and remove your low performers from your organization. Successful programs embed their organizational value statements, mission, and vision into their programs. In situations where you have team members working on tightly regulated processes, structure tangible compliance targets as part of their goals. For example, achieving an overall score of 95% in compliance audits would be an effective measure of employee success. Discipline should always be documented and applied fairly and consistently throughout your organization.
- Continuous Improvement – Remember, your compliance program is never complete; rather, it is an ongoing process requiring continuous iteration and innovation. Regulators emphasize that companies should treat compliance as a “living program” that is constantly evolving in response to changes in the company (acquisitions, new technology, employee survey responses, etc.). At a more granular level, when an issue is detected, use root cause analysis to determine the cause. Try not to assign blame when an issue arises; instead, uncover what led to the issue so that you are better able to correct it and apply the lessons in the future.
How to use technology to create a more valuable compliance program
Running an effective program takes time and concerted effort, but leveraging new, emerging technologies can help you build an effective program faster. Technology can help you improve efficiency with control testing; track, monitor, and resolve issues; and scan the environment for changes to regulations and standards that could impact your organization.
By using technology to form a single source of truth for all of your compliance risks, organizations can better track what they are obligated to adhere to, which controls in place are working, and how deeply their obligations and controls are embedded into their business processes. This type of enablement allows compliance managers and risk teams to better visualize where they may have weaknesses in their organization and can help to build the business case to gain additional resources to resolve them.