In order for a compliance program to be deemed effective, it needs to be structured properly. This begins with the designation of an independent compliance officer and establishment of a compliance committee. A compliance program needs support, too—from the board, management, key professionals, and staff. Adequate resources are also essential, including the program’s budget, staff, and operational expenses. Once in place, the compliance department needs to establish annual goals, report on its activities, and work to continually improve. A primary objective for the program is to establish itself as an integral part of the organization. This chapter covers the important aspects of structuring and administering an effective compliance program.
Compliance Officer
Industry standards recommend designation of a compliance officer to serve as the focal point for compliance activities. In most cases, the position should be a full-time role (depending on the size, scope, and resources of the organization), and the organization’s executives will determine the feasibility and scalability of dedicating resources. Also, assigning the compliance officer appropriate authority is critical to the success of the program. On a specific level, for example, the compliance officer must have full authority to access all documents that are relevant to compliance activities. This includes documents such as financial statements and supporting documents, contracts with suppliers and agents, and other accounting records. In the big picture, however, appropriate authority comes from the unquestionable backing by the CEO and board of directors or its equivalent—the sources of ultimate authority within an organization.
To carry out such operational responsibility, the compliance officer should be a high-level person in the organization who is provided adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority. This access is appropriate as it should have been the board that supported the launch of the compliance initiative and approved the hiring of the compliance officer. Board members may even be actively involved in the interviewing of the compliance officer candidates. They also should be involved in developing the compliance officer’s job description and should remain an important part of the compliance officer’s reporting structure.
Reporting Structure
There is concern and some risk involved in having the compliance officer report to general counsel or the chief financial officer. Such a reporting arrangement creates a real or perceived conflict of interest due to their respective roles with management. Separation of compliance from legal and finance helps ensure that all aspects of the compliance officer’s role will be independent and objective (meaning there is no real or perceived vested interest in the outcome). There are different reporting structures for the compliance officer role, and many variables must be considered to determine what works best for the individual organization. However, the dominant reporting structure across industries has the compliance officer reporting directly to the organization’s CEO and/or internal governing body (e.g., oversight committee, supervisory board, administrative body, board of directors, or audit committee) to maintain the compliance officer’s real and perceived independence.
Most agree that the compliance officer role should be independent, yet the size and setting of your organization will influence the reporting structure. It is recommended that the board or its liaison committee have, at minimum, a dotted-line or indirect reporting relationship with the compliance officer. See Table 1. Compliance Officer Reporting Structures: 2018 Survey Results, which includes the 2018 SCCE & HCCA survey results on compliance officer reporting structures from more than 260 respondents working in non-healthcare organizations that are for-profit, publicly traded; for-profit, privately held; nonprofit; and governmental.[1]
Table 1. Compliance Officer Reporting Structures: 2018 Survey Results[2]

Reporting to the Board
Organization type | Percent reporting to the board
For-Profit: Publicly Traded | 53.3%
For-Profit: Privately Held | 61.7%
Nonprofit | 53.2%
Governmental | 48.1%

Reporting to a Position within Organization
Organization type | CEO | CFO | General Counsel | Human Resources | Audit | Other
For-Profit: Publicly Traded | 28.6% | 4.8% | 52.4% | 0.0% | 0.0% | 14.3%
For-Profit: Privately Held | 47.8% | 17.4% | 17.4% | 0.0% | 4.3% | 13.0%
Nonprofit | 47.3% | 12.2% | 17.6% | 4.1% | 2.7% | 16.2%
Governmental | 53.8% | 7.7% | 0.0% | 0.0% | 7.7% | 30.8%
Duties
The compliance officer’s duties will vary depending on size and scope of the program. The focus of the position should be the implementation, administration, and daily oversight of the compliance program. Primary responsibilities should include the following:
- Designing, implementing, overseeing, and monitoring the compliance program
- Reporting on a regular basis to the organization’s governing body, CEO, and compliance committee
- Revising the compliance program periodically as appropriate
- Developing, coordinating, and participating in a multifaceted educational and training program
- Ensuring that the organization’s customers and business partners are aware of its compliance program requirements
- Serving as a source of compliance-related information for employees, management, suppliers, and the board
- Ensuring that appropriate background checks are conducted
- Assisting with internal compliance review and monitoring activities
- Ensuring management has mechanisms in place to mitigate risks
- Independently investigating matters related to compliance
- Ensuring management takes corrective action to resolve identified noncompliance issues
- Ensuring the organization has provided employees a mechanism for reporting potential issues
The compliance officer is a unique position that requires an individual who understands the nature of the business or industry; is capable of understanding and questioning practices in the organization, including financial areas; is knowledgeable of applicable legal requirements that may be imposed upon the industry for wrongdoing; has strong written and verbal communication skills; and is approachable. Whatever the tenure or educational level, the compliance officer (as focal point of the program) must be a person who is respected and trusted throughout the organization. Strong interpersonal skills, good listening abilities, and discretion are mandatory. See Appendix 1, Sample Compliance Officer Job Description.
Professional Standards
As the field of compliance has grown and matured as a profession, it has, like other professions, sought to identify and distinguish those who have, with experience and education, achieved the necessary skill set to be effective compliance officers.
Moreover, compliance officers are also stewards of public trust, and therefore the services provided must be of the highest standards of professionalism, integrity, and competence. The SCCE Code of Professional Ethics for Compliance and Ethics Professionals addresses three principles, which are broad standards of an inspirational nature. They include:
Principle I: Obligations to the Public—Compliance and ethics professionals (CEPs) should abide by and promote compliance with the spirit and the letter of the law governing their employing organization’s conduct and exemplify the highest ethical standards in their professional conduct in order to contribute to the public good.
Principle II: Obligations to the Employing Organization—Compliance and ethics professionals (CEPs) should serve their employing organizations with the highest sense of integrity, exercise unprejudiced and unbiased judgment on their behalf, and promote effective compliance and ethics programs.
Principle III: Obligations to the Profession—Compliance and ethics professionals (CEPs) should strive, through their actions, to uphold the integrity and dignity of the profession, to advance the effectiveness of compliance and ethics programs and to promote professionalism in compliance and ethics.[3]
These principles and the accompanying rules of conduct should be reviewed and studied—and adhered to—by all compliance officers. See Appendix 2 for the full Code of Professional Ethics for Compliance and Ethics Professionals.
Board Oversight Committee
The compliance officer may be the focal point of a compliance program, but cannot be the only point, nor does this role ensure compliance for the organization. It is important that the compliance officer have support from the governing body through engagement and involvement in a board oversight committee. This committee’s role is to understand and provide guidance on the compliance program efforts, ask appropriate questions related to management’s ability to address and mitigate compliance risks, and ensure that the compliance officer and the compliance program are adequately addressing areas of compliance risks for the organization.
Compliance Committees
Industry has demonstrated that the formation of a management compliance committee can be an effective addition to the program, although the specific composition of the committee may vary. This committee benefits from having varying perspectives from professionals working in operations, finance, audit, risk management, human resources, and legal, as well as employees and managers of key operating units. The committee assists the compliance officer in ensuring effective mechanisms are in place to mitigate risk areas—real or potential.
The compliance officer’s role on the committee can vary. In some organizations the compliance officer sits ex officio. In other organizations, the compliance officer may chair the committee. Regardless of who chairs the committee, the compliance department commonly is responsible for scheduling meetings, preparing the agenda, taking and distributing minutes, and coordinating follow-up.
Management compliance committee functions, in addition to aiding and supporting the compliance officer, can include:
- Analyzing legal requirements and specific risk areas (along with counsel on the committee)
- Regularly reviewing and assessing accuracy of and adherence to policies and procedures
- Assisting with the development of standards, a code of conduct, policies, and procedures
- Monitoring internal systems related to standards, policies, and procedures
- Regularly reviewing industry guidance and new information and integrating it into the compliance program
- Participating in the risk assessment process
- Determining the appropriate strategy to promote compliance
- Developing a system to solicit, evaluate, and respond to complaints and problems
The importance and potential influence of the compliance committee cannot be overstated. Look for committed individuals who will be strong, visible, and vocal advocates for the compliance program. Furthermore, the committee should include individual representatives of each unique department in the organization so that they can communicate to the rest of the committee and the compliance officer on compliance activities and risk areas within their departments. The members also provide important communication back to their respective departments on the organization’s compliance requirements. The committee is a vital source of information both to the compliance officer and the rest of the organization. See Appendix 3, Sample Compliance Oversight Committee Confidentiality Statement.
Compliance Committee Members
The compliance committee could include the following members:
- Chair
- Compliance officer (could be the chair)
- Senior management/administrators
- Legal counsel
- Employees or managers of key operating units (high-risk areas):
  - Finance
  - Audit
  - Information technology security
  - Human resources
  - Sales
Organizations also are implementing leadership/board compliance committees that may oversee the management compliance committee. The management compliance committee reports to the leadership or board compliance committee, and they report to the full board.
Board of Directors or Governing Board Support
Compliance begins at the top tier of the organization. The FSG states, “The organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.”[4] The board sets the tone for the rest of the company and is ultimately responsible for the compliance program. Support from the top is fundamental—there can be no program at all, much less an effective one, without the vision, support, and guidance of the board. It is the board that officially recognizes the need for a compliance program and authorizes its launch and implementation, including the hiring of a compliance officer.
The first step toward implementing a compliance program is management’s communication of commitment. A resolution or memo from the board stating its unequivocal support for the program is a strong beginning. The source of such a statement may be different depending on the organization. In some organizations the statement might come from the chairman of the board, in others from the CEO. Whatever the source, board endorsement should be in a written format; must communicate unqualified support for and commitment to the compliance process and ethical business behavior; and must be communicated effectively to everyone in the organization. For an example resolution of support, see Appendix 4, Sample Board of Directors Resolution.
One option is for the chairman of the board or CEO to distribute the memo or resolution to management. Management can then distribute the document to employees so that the word spreads and the message is reinforced that all managers endorse the compliance program. This approach also makes the compliance program directly accessible to staff members, creating an opportunity to discuss the document in relatively small groups. A special department or unit meeting to discuss the program and distribute the letter can lend weight to the message, or it can be an agenda item for a regularly scheduled meeting. Whatever the venue, staff should be given ample opportunity to ask questions and offer feedback.
The board’s role does not end with voting to establish a compliance program and distributing a letter of support—nor does its responsibility. Ongoing, visible support from the board of directors is crucial. Most people care about what their boss cares about regarding the organization. When the board takes compliance seriously, that sense of importance will spread. The board may need guidance in understanding the seriousness of compliance, though. Board members may not immediately recognize that “doing the right thing” equates to a good business practice, or that compliance is a valuable, long-term investment. The board of directors, which meets infrequently and is not always aware of daily operations, can be insulated from problems. In the case of compliance, however, the board must understand the implications of not taking active measures to prevent potential wrongdoing.
Board members should be educated about the potential for liability and reminded of the In re Caremark International Derivative Litigation case, which makes the board responsible for implementation of a system to gather information on the company’s efforts to prevent and detect fraud and abuse.[5] It is in the best interest of the organization for the board to take an active, rather than a passive, role in compliance. The compliance officer should report regularly to the board. Also, the FSG is very clear regarding corporate responsibility.[6]
Support from Management
Management plays an influential role in making compliance programs work, expressing support in a myriad of ways. Attendance at educational programs is one way; training cannot be mandatory for everyone yet voluntary for managers and vice presidents. Managers must make time to demonstrate their personal commitment to compliance—this goes a long way to enhancing a systemwide commitment to compliance. After attending training sessions, managers should discuss the content with staff either at a regular department meeting or as circumstances permit one-on-one.
Supervisors or managers also must lead by example; as the adage goes, their actions speak louder than words. A manager cannot encourage employees to report questionable behavior and then give special treatment to a friend. Once a potential infraction is reported, the nonretaliation policy must be rigorously observed. It is up to management to make sure employees do not hesitate to come forward out of fear of retaliation. “Tone in the middle” is also very important for an organization’s culture. While top leaders may support the compliance efforts, if middle management lacks follow-through and has no incentive to support the program, the organization’s culture will undermine efforts to achieve an effective compliance program.
Staying on top of compliance issues is a manager’s daily obligation. Managers and supervisors must closely follow news and information from their professional organizations and pass along any compliance-related issues to the compliance officer. Likewise, the compliance officer is encouraged to be proactive and occasionally ask managers and supervisors what new regulations are developing in their fields.
Support from Professionals
Central to certain fields are key professionals who hold influential positions in their organizations—and their industries. Examples of key professionals in select industries include physicians in healthcare, engineers in building, attorneys in legal, programmers in computer science, investigators in research, etc. Frequently, situations arise in which the support of one of these individuals can make all the difference in creating an authentic culture of compliance. Therefore, it is to your advantage to find a key professional champion—someone who understands and supports the mission of the compliance program and who will back you up when needed. Moreover, this professional can be a model of how employees can effectively incorporate compliance into other job functions, without distracting from the performance of their duties and consuming inordinate and unacceptable amounts of time.
This key professional can advocate for compliance in several ways, including:
-
Emphasizing operational and fiscal improvements gained through compliance
-
Providing data to support compliance activities and improvements
-
Building trust through involvement
-
Being a partner, not a dictator
-
Cultivating the early adopters and enthusiasts
-
Communicating, communicating, communicating
The sooner you achieve professional buy-in, the better. Invite key professionals to compliance implementation committee meetings and actively seek their input throughout the start-up and beyond. Many organizations have a strong professional presence on their compliance committees. If at all possible, consider having a key professional serve as chair of the compliance committee. When funding permits, send a key professional to a compliance conference to provide valuable education and increase their awareness. This can facilitate greater compliance program support. Achieving professional buy-in may be challenging, but it is a critical element of running an effective compliance program.
Support from Staff
It is not a crime to make a mistake, but it can be a crime not to do anything about the mistake once it is detected. In a compliance program, staff need to be convinced that looking for problem areas is not the sole responsibility of the compliance officer—it is everyone’s responsibility. Education is the first step to building this awareness, but the compliance officer should also look for ways to heighten awareness on a daily basis. When informing staff about a compliance program, some organizations will distribute items with a compliance slogan and the organization’s name or logo. Most employees enjoy receiving something free that they can use, and if the budget permits, these items can increase awareness and foster cooperation with the program.
Staff buy-in will directly correlate with the organization’s ability to foster an environment of trust. As emphasized earlier, ensuring that the nonretaliation policy will be followed is the best way to secure active staff participation. Rewarding and thanking those who come forward to do the right thing will provide immediate positive feedback to staff and reap long-term rewards for the compliance program overall.
Financial Support and Budget
Management, up to and including the board of directors, must be willing to make a financial commitment to compliance in order for the program to be successful. Staff, resources, auditing, education, and office space cost money, and most organizations have limited, even diminishing, resources. While commitment level is not necessarily directly correlated with resources allocated to the program (both human and financial), a reasonable budget must be developed in consultation with the compliance officer. An organization unwilling to commit the necessary resources is not demonstrating support for the compliance program and—unquestionably and unfortunately—that message will also spread through the organization.
Simply knowing what to do will not make a compliance program happen. The reality is you can’t run a compliance program without money. But how much money does the program need? The right amount will depend on the organization, its size, and scope. Remember, a compliance program must influence everyone in the organization; adequate funding will go a long way in demonstrating and eliciting commitment. This is a good place to mention again that the only thing worse than having no policies is having them and not following them. Underfunding can lead to such a situation. If the organization is investigated, a compliance program’s value in any settlement will depend largely on how regulatory agencies interpret the organization’s commitment to good corporate citizenship. A compliance program that lacks management accountability, a culture that backs the compliance program, and the budgetary support of management may be deemed as tacit approval for the inappropriate activities.
Both external and internal risks and the controls to manage those risks factor into a budget. An identified risk area may require immediate attention and hence extra expense, perhaps specialized training or a new computer software program. Bear in mind that certain internal factors can affect, directly or indirectly, the compliance budget. For instance, if your organization has a high turnover rate, the compliance budget will need to provide training for new employees as well as existing staff. A highly decentralized operation may call for either a centralized compliance process or additional monitoring to ensure procedures are consistent across operations—or at least consistently enforced. Other factors that can have an impact on the compliance budget are a poor communications infrastructure, poor data analytics, and incentives not aligned with compliance objectives.
Compliance Program Staffing
Organization size, setting, scope, resources, and culture will influence how the compliance department is staffed. In some organizations the compliance officer role may not be a full-time one, but rather a fraction of a full-time equivalent (FTE) position. In a large, multisite organization the compliance department will be much more extensive. A variety of staffing possibilities exist for a compliance department. An education coordinator can make a vital contribution to a program’s effort, as a large amount of employee compliance education needs to be conducted. Other valuable positions include someone to accumulate and analyze compliance data and an auditor who can regularly audit or monitor compliance risks and help with documentation. Administrative support is also helpful. If you are unable to add these resources to your staffing contingent, identify where in your organization you could leverage these types of resources through a shared model; this option may suffice while you are building a program’s capacity and provide rationale for ongoing compliance resources.
For larger organizations considering staffing needs, it will be important to include a compliance designate or compliance field liaison, a position that can help facilitate compliance efforts at remote locations. For organizations with offices outside the US, it is very important to have a compliance designate or field liaison in other countries, particularly considering cultural and language differences that may exist. Full-time or part-time compliance personnel need appropriate training and resources, and this can be provided in many ways on-site. Some examples include making available a reference binder, offering a phone number or email address to direct questions, and giving focused training on key areas of risk and process. Additionally, involving designates or field liaisons in process and approach development encourages ownership of their roles. Be sure to budget accordingly.
All compliance department staff should have job descriptions. If need be, the compliance officer should develop their job description. For an example, see Appendix 1, Sample Compliance Officer Job Description. Job descriptions for additional department staff should include a detailed list of duties and responsibilities and, to the extent possible, measurable expectations. For an educational coordinator, for example, you might want to require an annual educational plan that is due by a specific date. An auditor might be expected to review a certain number of risks on a monthly basis. As time passes and compliance requirements change, job descriptions may need to be modified and adapted. Regular employee input to the job description, perhaps in preparation for an annual performance review, will keep the document relevant.
Whatever the size and scope of the organization, all compliance department staff should have certain characteristics. As it is an outreach department, good people skills are vital. There will also be daily interaction with a wide variety of personality types. The ability to stay calm and focused is an asset to someone working in compliance. Compliance involves a lot of change, and people often don’t like change. On occasion, the compliance staff must be able to deal with unhappy, dissatisfied staff—especially when delivering difficult news that may mean more work. Strong communication and listening skills are critical. Discretion is also required. A good sense of humor helps, too. As you interview for compliance department roles, probe for these qualities. If you don’t find them, keep looking. Once you have hired staff, foster these qualities in them and provide feedback and guidance in performance reviews.
Most compliance officers agree that a sizeable majority of compliance activities are related to education and training. Therefore, an education coordinator must be high on the list of early hires. As noted in this book, education is the first and best line of defense in compliance. An educated employee will be less likely to engage in an act of noncompliance and, knowing the organization’s commitment to compliance, will be much more likely to come forward if there is a question or concern about potential noncompliance. Having a staff member focus on education can make for better educational programs and allow the compliance officer to coordinate the big picture of the program. An education coordinator should have a strong background in the industry and solid experience in adult learning strategies. Computer skills are needed not only for development of presentations, but also for preparing and creating handouts. Organizational skills are also important; just keeping track of attendance can be a daunting task. Here, too, strong people skills are important.
Monitoring and auditing efforts help ensure that the organization remains vigilant in its compliance efforts. These activities are detective and preventive in nature. Having someone on staff to coordinate these efforts will ensure that regular review happens and that it is objective, documented, reported, and analyzed. This individual should also have specific and high-level experience in the industry, as the complexity of an organization’s compliance can only be fully understood by an individual who understands the field. The first step toward prevention is to check competency up front.
Ongoing Operations
Other operational expenses to consider include some sort of reporting method, educational materials, internet access, professional journals and newsletters, and legal counsel. Reporting mechanisms (such as hotline phone numbers and email addresses) can be handled internally or externally, and the costs of each option will need to be assessed. Having a mechanism handled externally may be more economically feasible for many organizations. When looking for outside help, secure competitive bids and be sure they are based on comparable information. It may be worthwhile to request outside proposals before making a final decision. There’s nothing to lose in finding out what an external resource can do for you.
Educational materials can be a considerable compliance expense. A video program for general sessions may be helpful. A video customized to your organization can be very expensive, but off-the-shelf videos exist that may well meet your needs. You also will need to provide for specialized training for certain professionals as well as key departments and employees. Such training is often provided through outside consultants or specialists, and hence will have budgetary implications. In-house and ongoing training may require audio-visual equipment and software to create engaging visual materials.
There will be costs for printing announcements, agendas, and handouts. Costs for printing the code of conduct and policies and procedures can be surprisingly large, and while the code of conduct doesn’t need to look like the annual report produced by a marketing company, a credible code for the organization deserves to have a professional design. Find the right look and feel for your organization—just remember to budget accordingly.
Internet access is a must. All relevant regulatory documents are available online as are innumerable other helpful compliance-related sites. Adequate computer support is critical.
Professional journals and newsletters are vital ways of keeping abreast of new developments, best practices, and industry trends. They also provide articles, suggestions, and ideas that can be circulated to appropriate managers or adapted for internal newsletters. Consider budgeting each year for electronic and printed materials to build a compliance library that will be a resource for the organization. Also, membership in professional associations, such as the Society of Corporate Compliance and Ethics (SCCE), is a good investment. Belonging to a professional association reinforces your professional standing and provides you with a growing network of invaluable resources.
Investigative costs can be unpredictable, especially when an organization is in a state of crisis or turmoil. The compliance office should at least use an annual comparison to try to estimate these costs. If the program is new, an estimate of costs could be based on what other departments spent on compliance-related investigations, especially those that have relied on outside resources, since a compliance function could have conducted the investigations internally at a comparative savings.
Finally, if your organization has in-house counsel, consult with that person to determine budgetary needs. If you currently rely on external counsel, you may want to alert the law firm of your new or expanding compliance program and solicit estimates for additional costs. Such expenses may be part of the legal budget, but it is best to be sure they are appropriately covered somewhere.
Six Tips for Saving on Future Costs of Compliance
1. Embed quality into existing processes: If processes that pose the greatest risk to the organization are revisited with an emphasis on quality, then the outcome of this exercise will be increased efficiency, increased customer satisfaction, and better, less expensive compliance.
2. Centralize common processes and controls where it makes sense: Scattered efforts could lead to redundancy, inadequate oversight, and extra expense if the same functions are being handled within many different departments, e.g., education.
3. Focus on corporate culture: This is critical to a program’s success and efficiency. Employee satisfaction and retention are good indicators of culture; employee turnover can be costly to an organization, not only in recruitment efforts, but also in training new employees.
4. Improve information system processes: It is important and cost-effective to embed compliance into technology through controls such as edit checks and reports that facilitate monitoring. Efficient technology frees up resources to be used in other areas.
5. Emphasize training: The best way to “correct” an error is to prevent its occurrence. A major reason people are noncompliant is because they did not know or understand the area of compliance involved.
6. Monitor marketing and compensation: Review marketing materials to ensure the message is consistent with corporate philosophy, evaluate new business ventures for risk and the ability of the organization to manage the risk; and embed compensation structures with measurable compliance objectives.[7]
Compliance Department Mission and Goals
Once the members of the compliance program are in place, they must function as a team toward a common goal. Building that sense of community within the compliance department is critical before it’s possible to build organization-wide compliance camaraderie. One way to build that cohesive team is to conduct an annual retreat for compliance personnel. As always, the size and setting of the organization, as well as logistical issues, must be considered, but when possible, holding the retreat off site can be invigorating, motivating, and enormously productive. Off-site sessions are preferred mainly because they eliminate, or at least minimize, the distractions of telephone calls, meetings, and quick questions from staff. The first retreat could be dedicated to drafting a department mission statement that is consistent with the organization’s mission statement. It is important for everyone in the compliance department to understand and have consensus regarding this fit.
Sample Compliance Department Mission Statement
The Office of Compliance provides standards, education, monitoring, and investigations in an ongoing effort to assist management and the organization in identifying, prioritizing, and mitigating risk.
Goals for the upcoming year (which need not be a calendar year) and a review of progress toward current-year goals should also be a focus. Be sure to identify a realistic number of goals that are achievable and measurable. Not all goals will be measured quantitatively, but when discussing goals, explore with staff how success will be measured. Goals need not be directly tied to specific problems. The following are some sample compliance department annual goals:
- Ensure compliance in the organization’s activities.
- Develop and maintain clear lines of communication with key personnel throughout the organization.
- Provide diverse educational opportunities to meet the demands of the organization and its community.
- Create and maintain quality compliance resources that are easily accessible.
- Promote the Code of Professional Ethics for Compliance and Ethics Professionals.
- Elevate awareness and increase participation regarding compliance issues.
- Expand the collaborative relationships with key stakeholders.
- Maintain an open-door policy that fosters confidentiality and trustworthiness.
The more active a role the staff members take in developing the mission statement, especially the goals, the more they will feel ownership of the mission and goals, and the more likely they will succeed at achieving them.
No matter how the goals are determined, it is important that they be effectively and regularly communicated to the department staff. Discussing and measuring progress along the way, with updates at regular staff meetings, will contribute significantly toward progress. Assigning a department “liaison” for each goal can also contribute to ownership and stimulate progress. A department retreat will facilitate communicating goals to staff. Any goals that come to the department from executive management should be communicated and incorporated into tracking and measuring practices.
Annual Compliance Report and Evaluation
Consider creating an annual compliance report for all staff. This is a different document from the detailed annual compliance status report that the compliance department provides to the board of directors (or board of trustees) and the organization’s executive management. The all-staff annual compliance report is the program’s opportunity to communicate its mission and goals to the organization and provide benchmarking data. It is also an opportunity to talk about the organization’s compliance success stories, thereby reinforcing positive images of compliance and fostering support. Thanking compliance champions and those who came forward to identify problems provides positive reinforcement organization-wide. The all-staff annual compliance report need not be glitzy and expensive. The point is to get the word out and build support for the program. Use the data that you’ve gathered and show your enthusiasm. It can be contagious.
Once a compliance program is up and running, it needs ongoing evaluation and updating based on findings. Getting in a routine of regular review can be difficult; indeed, it can be as daunting as getting a program started. Here are some aspects to remember when evaluating the program:
1. Assess your compliance program. Meet with the compliance committee to discuss and document the program’s current position and possible next steps.
2. Take small steps. Make preliminary attempts at next steps with full knowledge that there may be some missteps along the way.
3. Review lessons learned. Gather the key takeaways and lessons for those preliminary attempts.
4. Examine what still needs to be addressed. With your compliance committee, decide how to incorporate what you’ve learned with what you still need to do.
Remember: compliance is an ongoing process.
Program Development and Maturity
Compliance programs usually start small and continue to mature over time. Avoid trying to achieve everything overnight. Building a compliance program is a process that takes thought, consideration, and time.
Structure is the critical first step. Give consideration as to what your compliance program will be called. You may have noticed that some organizations have compliance programs, others have integrity or ethics programs. They are often considered synonymous, but a subtle distinction can be made between the terms. The title “compliance program” implies a primary concern with following rules and regulations, whereas the title “integrity or ethics program” puts the emphasis on values and doing the right thing. There may be differences in approach and subtleties of content, but there are basic elements common to both compliance and integrity or ethics programs. Whatever the title of the program, these common elements should form its basis (although for convenience, the term “compliance program” is used throughout). Each organization must pick a title, or perhaps create an entirely new one, depending on its needs and culture. The title needs to accurately reflect the focus of the program, i.e., values-based (ethics or integrity), rules-based (compliance), or a hybrid approach, which might be titled the organization’s Ethics and Compliance Program.
When building a compliance program, survey departments to determine what compliance-related activities are already occurring in your organization to comply with applicable rules/regulations. In the US, these areas might include employment and labor laws, employee and environmental safety, purchasing and supply chain, research, finance, requirements for publicly traded organizations, defense, energy and utilities, banking, privacy, and contract agreements. Every industry is subject to regulations, statutes, and guidance from bodies such as the United States Sentencing Commission (USSC), Food and Drug Administration (FDA), Environmental Protection Agency (EPA), Federal Deposit Insurance Corporation (FDIC), Securities and Exchange Commission (SEC), Occupational Safety and Health Administration (OSHA), Federal Communications Commission (FCC), and Federal Trade Commission (FTC); to laws such as the Federal Information Security Management Act (FISMA); and to standards and guidance from the National Institute of Standards and Technology (NIST). Demonstrating to regulatory agencies and stakeholders that you are committed to compliant behavior, in all that you do and everywhere that you conduct business, is important for every organization. A formal compliance program provides that demonstration, and it also gives the organization the means to identify and address employees who are potential “bad actors.”
Discussing basic components of compliance programs for organizations doing business in the United States is the focus of this book. However, most principles of a sound compliance and ethics program are applicable to organizations worldwide and have been adopted into international standards.
There are many definitions of a compliance program. On a basic level, it is about education, prevention, detection, collaboration, mitigation, and enforcement. It is a system of processes, policies and procedures, and controls that are developed to ensure compliance with all applicable rules, regulations, contracts, and policies governing the actions of the organization. A compliance program is not merely a piece of paper or a binder on a shelf. It is not a quick fix to the latest hot problem. And it is not a collection of hollow words. A compliance program—an effective compliance program—must be a living, ongoing process that is woven into the fabric of the organization and that demonstrates commitment to the organization’s values and ethics as well as compliance with applicable laws and regulations. An effective program assists individuals within the organization to be aware of and understand the expectations to do the right thing.
To achieve this goal, a small organization may need to work with compliance liaisons/ambassadors to help fulfill the compliance mission. Compliance officers usually find themselves with multiple roles in the organization and the compliance committee is much smaller. Having compliance liaisons/ambassadors expands the compliance program’s reach and helps get the word out to others throughout the organization. These positions can champion the compliance message through education, identifying and escalating issues in their respective areas, and helping to explain the purpose and focus of the compliance program. It is important to ensure that the selected liaisons/ambassadors are credible, trusted, and can serve as advisers to the compliance program.
As an organization’s compliance program matures, you can begin to benchmark it, both against its own performance in prior years and against comparable programs in peer organizations. This process helps to determine if your program is effective. You will better understand the organization’s risks and the mitigation plans that need to be put in place. Data analytics are useful for this process and help drive compliance programs to the next level.
A compliance program is never finished; it should always be a work in progress. You must work to expand your program to fit the needs of your organization. Never be satisfied with the status quo. Look at the big picture. Add new areas to your program—many programs begin with a key risk, but other risk areas also need attention. As new information is released from industry and regulatory agencies, your program will need to expand to encompass these changes. The compliance officer needs to constantly be on the lookout for ways to enhance and strengthen the compliance program.