Creating an effective compliance program
I have just finished a two-day hands-on Data Protection Officer (DPO) training and can clearly tell you that building a comprehensive structure for your compliance program is essential to effectively and efficiently mitigate risk. And while risks vary from one company to another based on industry, location, and partners – thereby disqualifying any one-size-fits-all compliance program – the underlying structure of a program can, to a reasonable extent, be broken down into a set of components.
Whether you are building a compliance program from scratch or looking to benchmark your current one, my views can hopefully help you optimize your compliance program.
Here are the seven main components all compliance programs should address:
1. Risk Assessment
2. Policies and Code of Conduct
3. Exception Requests for Gifts & Entertainment
4. Training
5. Due Diligence
6. Hotline & Case Management
7. Reporting & Monitoring
RISK ASSESSMENT
Performing risk assessments can prove to be a difficult art to master. Yet, risk assessments are the first and most important step in the process of building a compliance program. If your program is addressing the wrong risks, no amount of internal control will be successful in detecting or preventing offenses.
POLICIES AND CODE OF CONDUCT
As risks change, the need to create policies will always be present. It is therefore essential that compliance officers can systemize the creation and adoption of these policies, highlighting the common traits of a compliance policy that engages your employees.
EXCEPTION REQUESTS
While procedures instruct employees on how to mitigate risks, once these policies meet the real world, exception requests are likely to follow. Some of the areas where exception requests are most needed are gifts and hospitality. Ensure you have an established mechanism to allow for exception requests.
TRAINING
Without effective training, policies and procedures are reduced to nothing more than a pile of papers. Training programs have to cater to the targeted audience, and technology can help automate training programs to employee groups.
DUE DILIGENCE
Rogue third parties pose the single greatest risk to a company. It is essential for companies to mitigate this risk by conducting robust third-party due diligence that assesses each third party before and during the relationship.
CASE MANAGEMENT
Case management can bring a disciplined approach to tracking issues from the moment they arise to their conclusion. This process allows compliance officers to juggle multiple allegations, inquiries, and investigations at the same time. While a whistleblower hotline is the most common example of case management, all systems should establish an effective intake mechanism that allows employees to submit a complaint.
REPORTING AND MONITORING
A robust reporting system needs to provide the compliance officer with a complete picture of all activity. The ideal is continuous monitoring, where the flow of data is constant and human intervention is minimal. The goal is to simplify your reporting and monitoring processes and reduce the chance of manual error. Of course, automation is the answer; during the DPO training we used a very effective Data Protection Management System (DPMS), which I highly recommend that companies use.
Creating an effective compliance program elevates your team to a more strategic position, so that compliance can be viewed as a critical business partner rather than a crisis intervention team.
Feedback is most welcome – please contact me at Schumacher@eitsc.com