The Corporate Training Program on Compliance Administration aims to guide and advise organizations on their compliance program. It will look into the various aspects of the administrative systems, tools, set-ups, and business operations that contribute to or are related to the compliance program. The training program will guide employees in better understanding the policies and procedures in place and the actions that need to be taken to prevent violation of any regulations or laws.
The regulatory and compliance landscape is never stagnant. New regulations are passed every other year and it is easy for organizations to falter. Businesses often get caught up in their day-to-day activities and tend to lose focus on their compliance requirements. A minor negligence in terms of compliance can cost an organization money, time, and, most importantly, its reputation. In this ever-changing environment of corporate compliance, this training program should help you operate safely, within regulations.
For an organization to succeed in compliance administration, it first needs to educate its employees on what compliance and compliance management mean. Employees need to understand why it is important to comply with regulations and what the consequences of negligence in this regard could be. Compliance management is all the more important in industries that deal with clients’ or customers’ personal, financial or other sensitive information. Industries such as Banking & Financial Services, Insurance, Business Services, etc. need to pay more attention to regulations, legal consequences, and compliance.
What is compliance management?
Compliance management refers to the process of ensuring that the organization abides by the laws, regulations, and standards set by different governing bodies. There may be different regulations that an organization or its individual departments need to adhere to. These regulations or standards can be set by government agencies, international standard-setting bodies, or industry-specific authorities, and all organizations within their jurisdiction are expected to comply.
Some of the common examples of regulatory compliance laws and acts include the Health Insurance Portability and Accountability Act (HIPAA), EU’s General Data Protection Regulation (GDPR), Federal Information Security Management Act (FISMA), Payment Card Industry Data Security Standard (PCI DSS), etc. A simple example of compliance is getting a license to do business in a particular country or following the ISO standards in the development of a product or service.
Compliance management includes documenting the policies and procedures that the organization is required to follow, performing internal or third-party audits to ensure compliance, and, lastly, compliance training to ensure that everyone in the organization is current with the regulatory landscape.
Why are compliance management and administration important?
It goes without saying that meeting legal obligations is a necessity for every organization. But apart from the legal consequences of regulatory compliance, it is important from many other perspectives as well. Compliance with regulations and standards is not only beneficial for the customers or stakeholders of an organization, but also for the organization itself. Only when an organization and its employees understand the real purpose behind a law or a regulation will they be able to see the hidden advantages behind it.
From the point of view of the organization, the benefits that it enjoys with efficient compliance management include:
Improved processes and better safety
Compliance with the industry’s regulations and the standards set by the government or international standard-setting bodies helps an organization improve its processes. These standards and regulations are made keeping in mind a minimum benchmark of quality that every organization should try to achieve. Compliance with these means that the company has surpassed the benchmark and met the internationally accepted standards.
It also means that the organization has a better work environment. Compliance with safety laws, diversity and inclusion rules, privacy laws, etc. ensures that the people working in the organization, as well as the people the organization deals with, are safe from threats. These may be data security threats, safety hazards, threats of discrimination, or others. Compliance makes the workplace safer for everyone, which in turn results in improved productivity.
So instead of seeing compliance as a liability, organizations should see it as an opportunity to continuously improve their standards and get more returns out of it.
Improved public relations and customer satisfaction
A company that is compliant with industry standards and government regulations is always considered more reliable by people. When an organization is compliant or follows international standards in its products and services, it can highlight this on its website or in its other marketing materials. This can be very beneficial not only in attracting more customers to the company but also in attracting more talent, investors, and so on. Customers will tend to trust a company that is compliant because it assures them of quality in its products and services.
Employees will be more interested in a company that is compliant because they can expect a healthy and safe work environment. Inclusion, safety, and physical and mental well-being are important to anyone looking to work in an organization. Similarly, an investor will see less risk in investing in a company that is compliant with regulations compared to one that does not pay heed to those regulations or standards. Funding agencies will usually look for evidence of a company’s compliance with regulations. It assures them of the quality standards that the company maintains, which translates to customer satisfaction.
Complying with standards or laws is a mark of sincerity and dedication to the stakeholders of the company and it can help the organization garner a lot of goodwill.
Cost and time saving
An organization that does not comply with regulations has every chance of falling prey to a security breach, an accident at the workplace, or some other kind of risk. Most of these scenarios have serious legal consequences. Employees, customers, the public, or other agencies can sue the company if its failure to comply results in damage to another party. This leads to tedious court cases that run for years and, often, millions in fines and compensation.
Proper compliance administration can save a company millions of dollars by reducing the risk of fines, penalties, strikes by workers, lawsuits, or even a shutdown of the business. It also protects the company from negative publicity which can ruin its image in the market even if there are no serious legal outcomes.
A direction to the efforts
Efficient compliance management also gives a sense of direction to the people working in the company. It ensures that everyone in the company is aware of the quality standards, workplace ethics, government regulations, etc. that the company aims to follow. This awareness, and the day-to-day practices that ensure compliance, can help create a culture of quality, safety, inclusivity, and accountability. Everyone in the organization understands their responsibilities towards the company, their coworkers, their customers, and society as a whole. This guidance is of utmost importance to make sure that the organization continues to improve and grow through transparent, ethical, and safe practices.
Better control of processes and procedures
Good compliance administration also means that the organization’s leadership and management are in control of the processes and procedures implemented. This also gives them control over the quality of end products, the productivity of employees, and their overall image. Being in compliance also assures better risk management for the leaders and managers. By controlling the way the processes run, or how the people behave on a daily basis, the organization can achieve a level of excellence over time.
When trying to increase and ensure compliance in an organization, there are several important factors that an organization has to consider. Getting everyone in an organization to comply with some prescribed regulation is not as easy as it sounds. The management of an organization may tend to think that simply making people aware of the regulations should be enough to help them comply. But you cannot expect people to change their habits immediately and compliance does require people to change.
Compliance management goes deeper than that. It requires careful planning and strategy. There can be different approaches to compliance administration in an organization, which again depends on the organizational culture to an extent. The compliance administrator or manager has to decide which is the best way to get people to willingly make behavioral changes and what will make these changes last.
Appoint a designated compliance administration team
The very first step in compliance administration is to have a dedicated team for the purpose. The team is usually led by the Chief Compliance Officer, who is assisted by Compliance Administrators at various levels. The job of the compliance administration team is to design and implement all the administrative processes adhering to the organization’s policies, to ensure compliance. The compliance administration team will also need to arrange for compliance training of employees and evaluate the application of the procedures taught within the organization.
The team should be responsible for carrying out all the correspondence and communication with the legal or regulatory department. They must keep the organization updated on recent developments or changes in regulations and standards. The team has to document any new information and report to the company’s leadership about the same.
As compliance requires continuous monitoring, the compliance administration team also has to define internal auditing processes and carry out audits regularly. The team has to design strategies to achieve all the objectives of compliance management and communicate the compliance requirements to employees and departments effectively.
Build a strategy
Once a compliance administration team is formed, the organization has to focus on building a strategy to ensure efficient compliance management. The strategy will include the plan of action that the organization will follow in administering the regulations as well as the approach that it is going to take.
For building the strategy, the compliance administration team has to first identify the regulations applicable to the organization, which could be specific to the industry it functions in or to its operations. There may be other regulations that apply to all organizations irrespective of their industry or operations, such as diversity and inclusion or corporate social responsibility. After identifying the applicable regulations, the team must assess the organization’s current state and decide whether it is in a position to implement these regulations effectively. They must assess what resources may be required for successful implementation.
After this initial assessment of the whole situation is done, the organization has to build a compliance program. This program will focus on the organizational policies to be introduced. It should also define the processes in compliance with the regulations, which will depend on what products and services the company offers. The compliance program will also include training of employees to help employees understand existing and new regulations and their implementation. The program has to introduce both internal and third-party audits to monitor whether all guidelines are being followed in all areas of the business. And lastly, wherever a lapse is detected, corrective measures must be in place to improve those areas.
The organization also needs to decide on the kind of approach it wants to take in the enforcement of regulations. It can either resort to a rigid approach or a flexible approach. It primarily depends on the organizational culture and how authority flows within the organization.
• A rigid approach to compliance management
It is quite clear from the name above that the rigid approach allows almost no deviance from the set regulations. In case of violations, the organization takes very stern action. In large organizations where the compliance managers have to ensure that a large number of employees comply with the regulations, such a rigid approach often becomes necessary. They cannot afford to practice any leniency in the implementation of regulations as a minor lapse may soon cascade into uncontrollable deviance. So, organizations like these cannot manage the implementation of company policies on a circumstantial basis but have to stick to the guidelines end to end.
This type of approach may also be seen in organizations that have a rigid hierarchical structure. When the authority to make decisions lies only in the hands of the executive leaders, compliance managers are bound to follow their instructions. In such organizations, decisions cannot be changed to accommodate circumstantial issues. Even if the managers have to deviate from the guidelines to make exceptions, they have to wait for approval from the leadership, making the process long and tedious. There is no autonomy, and compliance has to be administered strictly in these organizations.
A rigid approach may also be necessary where non-compliance inevitably leads to crossing a legal boundary. The organization cannot afford to take regulations lightly in such cases, and compliance is a must.
• A flexible approach
A flexible approach may not be possible where there are legal implications to a regulation. But in the case of certain policies within the organization, the compliance managers may deal with the matter with a lighter hand. Under certain circumstances, relaxing a few guidelines or giving more flexible options to employees can boost their productivity and may even be necessary. As long as relaxing a particular standard does not compromise the company’s ethical or legal liabilities, a flexible approach can be used to improve workflows and performance.
Every organization faces such circumstances from time to time where it may not be practical or reasonable to rigidly stick to a rule. It may have to make exceptions and the flexible approach allows for it. This is a more suitable approach for smaller companies that have the liberty of making decisions on a case-to-case basis. They have fewer people to manage and anything that goes out of hand can be controlled much more easily.
However, a flexible approach may also be applicable to large companies under certain circumstances. Large companies may have several different policies to comply with, and often there may be contradictory policies resulting in conflicting standards within the organization. In such cases, the organization has to take a flexible approach and choose which policies to comply with and which ones to leave out based on its priorities.
There is no hard and fast rule as to which approach a company should take. The same organization may choose to take a different stance under different circumstances. For rigid compliance, the company policies must be extremely clear and leave no scope for ambiguity. Wherever there is a lack of clarity, the company has to allow more flexibility. The organization must have procedures in place to allow for such exceptions, such as obtaining written permission or informing the supervisor before deviating from the standard process.
Administer compliance training
The next step after creating the compliance management strategy is to prepare the employees for compliance. An employee will only be able to follow the guidelines when he or she is aware of them. This is why a robust compliance training program is absolutely necessary for every organization.
Compliance training educates your employees about the laws, regulations, and standards that the organization needs to abide by. These are, therefore, the regulations that they need to abide by as well, being part of the organization. The training program cannot be one-dimensional, though. Laws and regulations keep changing, so the organization cannot expect to manage compliance successfully by simply training its employees once. There has to be a separate training program for onboarding new employees, introducing them to the existing rules and policies. There also have to be training programs planned for whenever there is a change in the regulations or whenever new procedures are introduced.
Periodic training must be made mandatory in order to achieve the successful implementation of rules and regulations. Training may be conducted live in person or through e-learning platforms, video conferencing, or other modes, to make the training programs more accessible to everyone. In situations like the Covid-19 pandemic the world has experienced, it is all the more important for organizations to experiment more with remote training and development programs.
Focus on monitoring and annual reporting
Any compliance framework has to have a monitoring and reporting method in place to ensure that the efforts to ensure compliance are hitting the target. The organization should have oversight of its compliance management through constant monitoring, and the compliance team must make sure that all employees are working within the compliance framework. This continuous monitoring allows the compliance managers to detect issues and eliminate them before they can lead to serious consequences.
Effective monitoring requires established protocols and controls to detect problems and correct them, to ensure compliance at all times. In case of a breach in compliance, the monitoring method must be able to correctly identify how the breach occurred or where it originated. This helps the compliance managers address the right issues and prevent similar problems in the future.
Compliance managers also need to have a standard method of reporting to the senior management of the company. The report should discuss in detail how the organization is enforcing or implementing rules, regulations, laws, and standards. It should include the analyses of the methods implemented and discuss whether they have been effective.
Regular audits and reporting are an essential part of compliance administration, as they allow the organization to avoid non-compliance in time. Internal audits from time to time can help it address issues before external auditors find them. This can save the organization from regulatory penalties and lawsuits.
Track and report exceptions
We have already discussed above that an organization may need to make circumstantial exceptions when it comes to compliance. But these exceptions, if undocumented or untracked, may cause external auditors to consider them as non-compliance. This may land the organization in serious trouble.
Whenever an organization decides to make an exception to compliance with a given standard, it must immediately record it and report the same to the higher authorities, within or outside the company. For example, under the GDPR in the European Union, if a company has undergone a data breach and reported the breach to the Data Protection Agency (DPA) within 72 hours, the fine imposed on the organization may be lowered. But failure to report can result in even heavier penalties.
For internal policies, any exception made must be reported to the senior management along with circumstances that called for such an exception. This allows the appropriate authorities to investigate and confirm the incident in a timely manner.
Risk assessment is an important part of the compliance management framework. Conducting a compliance risk assessment is a necessary step in compliance administration. Every organization has certain areas where compliance risks are high and which may lead to potential legal, financial or reputational damage. Compliance risks are the threats to the organization’s operational performance or legal, financial, and reputational standing due to non-compliance with the law, standards, or codes of conduct.
To understand all the potential risks, an organization may need to improve its compliance risk assessment process. An organization may have experience with risk assessment in general. Every business has to carry out a risk assessment for various purposes, but not all of these risk assessments focus on legal or regulatory compliance implications. Though compliance risk assessments may follow a similar approach as enterprise risk assessment or internal audits, they are supposed to be much more focused on the legal aspects.
The compliance risk assessment framework can help compliance managers detect any inefficiencies or loopholes in the system and address them before they can create bigger problems for the organization. Compliance risks are even greater with the rapidly changing regulatory landscape today. Businesses find it challenging to keep up with the changes and the chances of non-compliance, and associated risks of penalties, increase as a result. A strong compliance risk assessment framework can prevent this from happening.
For efficient compliance risk assessment, an organization has to build a proper methodology for risk assessment. The methodology usually consists of a few basic steps which include the following:
Identifying the hazards
This is the first step, where the organization must assess its current state to identify any processes, procedures, systems, or transactions that may be non-compliant. This current state assessment also lets the compliance managers find existing materials already prepared for compliance purposes and see if they are being followed efficiently. The key people working closely with the business process need to be interviewed to understand how they are ensuring compliance.
This step allows the compliance administrators to get a clear picture of the company’s compliance landscape and identify the compliance risk points or areas that are potentially violating regulations. Evaluating all the key processes, systems, and recurring transactions in terms of regulatory compliance with the applicable laws and standards can give valuable insights.
During this initial assessment, the compliance managers may come across two types of risks, namely inherent risks and residual risks. Inherent risks are simply the risks that already existed in the organization before the controls to mitigate risks were put into force. Understanding the inherent risks in a business allows the compliance managers to decide how to control them and build a compliance strategy well in advance.
Residual risks are those risks that still pose a threat despite applicable controls being in place. These risks could be a result of inefficiencies in the existing controls or compliance measures and will require corrective actions to improve the system.
Assessing the current controls
The next step is to assess the controls in place and detect any insufficiency in the policies, procedures, working instructions, or other applicable controls. To understand whether all controls are efficiently helping with compliance, the compliance managers must themselves be aware of all possible regulations and standards that are applicable to the business.
Taking measures to enhance compliance
The organization then needs to prioritize its compliance risks and address the compliance program gaps on the basis of the severity of the risks. High-risk areas must be covered first, moving on systematically to lower-risk areas. Monitoring, feedback, and improving the risk assessment framework on a regular basis are important to ensure that it delivers results.
Testing & Certifications
Compliance with regulations and standards is only useful when the organization has valid evidence to prove it. An organization cannot self-certify its compliance with international standards or industry certifications. Self-certification may only be valid as far as internal policies and codes of conduct go. For all other regulations and standards set by regulatory bodies, testing and certification by the appropriate authorities are essential.
Compliance testing, also sometimes referred to as conformance testing, is the process of testing the controls that the organization has established to validate whether or not they meet the prescribed standards. This is one of the very first tests conducted in any audit for assessing the control environment of the organization. If all controls are found to be effective and the organization’s processes and procedures are found to conform with the standards, the regulatory body can certify the organization or its process, product, or area as compliant.
The methods and approaches to compliance testing may differ between industries. If the organization is undergoing IT compliance testing, for example, the audit teams would check for compliance with the standards set by regulatory bodies such as the World Wide Web Consortium or the International Institute of Electrical and Electronics Engineers. For a manufacturing plant in the US, say, that must comply with the pollution control measures laid down in the Clean Air Act (CAA), the company may have to undergo emissions testing, and so on.
For different industries, there may be different standards and, thus, different certifications. Companies working in the Banking & Finance, Insurance, or Investment industries, in particular, are required to operate in a very complex regulatory landscape. The US alone has several regulations at both the federal and state levels. There are privacy and cybersecurity laws, corporate finance regulations, investment regulations, and much more.
It is, therefore, important for organizations to have their own internal testing methods in place, so that external audits cannot find any gaps in the control environment and acquiring certification becomes easier. For compliance testing internally, compliance teams can first create a checklist of all the applicable regulations and certifications that the organization is required to have. Then, a testing methodology can be developed from their understanding of compliance testing, taking into consideration what external auditors could look for. This will help them identify issues and remediate them before an external compliance testing takes place.
The testing methodology may be simple. The aim here is to test whether the deliverables of each system or process are compliant with the prescribed standards or not.
Management of workflow processes is a crucial part of compliance management as well. Workflow processes are the series of tasks that need to be carried out sequentially to execute a business process successfully. But these workflows cannot be designed any way one likes. They have to follow predefined rules and standards. That means the workflow processes need to be compliant too. They must be designed to comply with the company’s internal policies and the applicable laws or regulations set by external agencies.
The organization has to define the compliance benchmarks based on these internal and external compliance requirements for the workflow.
Workflow management software
Until a few years ago, companies would try to achieve workflow compliance through manual effort, trying to enforce the regulations and laws and seeing to it that they were followed to a T.
However, this is not only time-consuming but also leaves room for human error and reduces accountability, making the workflow process prone to violations. That is why companies today rely on workflow management software that makes compliance a lot easier. Workflow management software streamlines the business process and automates most of the work involved in workflow design. Tasks can be assigned in the software along with instructions and guidelines to ensure that the person responsible for carrying them out is aware of the compliance requirements, so employees do not need to be reminded of regulations again and again.
Good workflow management software can ensure that all necessary steps in the workflow process are followed, control processes are enforced without fail, and all information is verified. The workflow manager can assign approval checkpoints so that work is approved only when it meets the compliance requirements. This also saves time on monitoring and evaluation of the work.
Workflow automation can reduce the risk of non-compliance and avoid problems when the time for compliance testing comes. For example, let us consider the accounting workflow of an organization. There are a lot of factors to be remembered in this workflow, such as what comes in and what goes out, what is recorded as a debit and what as a credit, etc. Then there are tax calculations, standard formats, and much more to follow. By automating the accounting workflow through the workflow management software, the organization can ensure that all documents, calculations, etc. go to the appropriate departments at the right time. The chances of a lapse here are minimal, as everything is input to the system beforehand and the rest is automated. With minimal human intervention, compliance becomes more likely.
Every business has to develop a code of ethics for more than one reason. Ethics broadly define the values and principles that the organization stands for, and they are supposed to guide the behavior of everyone working in the organization. As a business grows, it is not possible for the leaders to instill these ethics in each and every employee directly, and that is why a code of ethics becomes essential. The code of ethics is a documented version of the values and principles that can be shared with everyone, making them easily accessible. It should remind each stakeholder of the organization of their responsibilities towards the enterprise and society.
There are usually two kinds of ethics codes in an organization – one that is based on integrity and one based on compliance.
Integrity-based code of ethics
The integrity- or value-based code of ethics refers to the company’s core values. It outlines the standards of responsible behavior for everyone in the company, for the greater good of society. These value-based codes of conduct may not always have severe consequences if violated, so they require more self-regulation and cannot be enforced by others. Every individual has to consciously control their behavior to comply with these ethics. Instead of dictating a certain kind of behavior, an integrity-based code of ethics focuses on certain actions or outcomes that the organization hopes to achieve.
Compliance-based code of ethics
A compliance-based code of ethics, on the other hand, is developed so that everyone in the organization follows the regulations and laws set down by regulatory bodies. Issues that can have serious implications such as safety, workplace harassment, cybersecurity, privacy, environmental hazards, etc. are usually controlled by binding regulations. Compliance-based codes of ethics are not just guidelines for employees to follow, they can also result in heavy penalties if violated. The penalties are also, usually, defined in the code of ethics itself.
Employees may need to undergo formal training to fully understand the laws and regulations as well as the code of conduct. As there are legal implications of non-compliance with these ethics, the organization is usually at a loss for even a single error at the employees’ end. So individual employees can also be penalized by the organization for failure to comply with and follow guidelines, despite being constantly reminded.
In most organizations, it is the responsibility of the compliance administration team, or the compliance officer to ensure that the principles and conduct mentioned in the code of ethics are followed by all employees across all departments. They are also expected to keep track of any changes in regulations and update the code of ethics accordingly as well as communicate these changes to employees in order to encourage compliance.
The compliance-based code of ethics has very clearly defined rules and consequences. It usually does not allow for case-by-case adjustments or individual discretion, and it applies to everyone, irrespective of the circumstances. There is no place for ambiguity in compliance-based conduct, as ambiguity makes way for different interpretations by different people.
Training and communication
In the case of both integrity-based and compliance-based codes of ethics, it is very important for organizations to focus on training and communication. Organizations can never expect to comply with their codes of ethics if employees are not well versed in the organizational policies and procedures. Employees need to be told clearly where their ethical boundaries lie within the organization and what their responsibilities are as a part of it.
The compliance program in an organization has to go hand in hand with a professional ethics program. Professional ethics in the organization play a very important role in ensuring compliance. Professional ethics came to be seen as an integral component of compliance as more and more cases of financial scandals, scams, money laundering and the like came to light. Major events such as the bursting of the dot-com bubble between 2000 and 2002, which sent the stock market into a prolonged decline, and the collapse of the US housing bubble in 2007-2008, caused governments and regulatory bodies to strengthen regulations and focus more on professional ethics, transparency, and rigorous scrutiny.
Such events have caused professional ethics and compliance to take center stage and made them a part of the strategic foundation of the organization. Good professional ethics are not just necessary for an organization now but are the key to gaining stakeholders’ trust and a reputation in the industry. A strong professional ethics and compliance program can enhance the company’s reputation, increase employee engagement and create a healthy organizational culture where ethical behavior is not exceptional but rather a norm.
Identifying the gaps
For a strong and effective business ethics program, it is important for the organization to first understand where it stands. The compliance managers need to ask several questions, such as:
What challenges in terms of business ethics does the organization face?
Which group of people, departments, locations, or business units show the highest risk of non-compliance or poor ethics?
What are the organizational values that employees need to stand by?
What other values may be necessary for the organization to be compliant?
What resources may be needed to help employees understand and comply with the necessary ethics?
Which group of people’s inputs may be important or useful in developing the company’s code of ethics?
Answering these and other similar questions can help compliance administrators create a meaningful and clear plan of action. This gives them a detailed picture of their current strengths and weaknesses. A gap analysis like this will tell them what needs to be done to promote strong professional ethics among the employees.
Establishing a strong foundation
Once an organization knows what it needs, it can start laying the foundation for strong professional ethics and thus for strong compliance. The first step is building a robust ethics and compliance program. Such a program has been shown to be a very powerful tool in preventing the compromise of standards and reducing observed misconduct. It results in increased reporting of misconduct by employees and reduces people’s fear of pointing out wrongdoing. With a strong professional ethics program in place, employees are less likely to feel pressured to compromise standards or break laws, and they are assured of strict action against those who deviate themselves or pressure others to do so.
As more people value professional ethics and the organizational culture encourages it, bad conduct comes to light more easily, making it easier to address problems internally.
Building a strong foundation requires several tools. These include a written code of conduct, employee training in ethics and compliance, company resources offering advice and information about ethics and compliance, a prescribed method for reporting potential violations, and so on. Reports of violations should be kept confidential, with an anonymous channel available, to build confidence among employees. It is also important to evaluate performance regularly in terms of ethical conduct and to have a strong system in place to discipline and penalize those who violate the code.
Committing to ethics and compliance from the top down
Professional ethics and compliance are not meant for employees alone. The commitment towards professional ethics must be exhibited by the top executives of a company as well. Integrity, honesty, and transparency among the organization’s leadership are essential to influence good conduct among employees. The leaders of the company are the people who develop the organizational culture over time, and so they have the power to change the organizational culture for the better as well.
Leaders can, therefore, promote strong professional ethics through their words and actions. They need to talk more about the importance of ethics. They must communicate the issues that arise every day due to a lack of professional ethics. Leaders must themselves keep their word and uphold promises they make to employees or other stakeholders to demonstrate their integrity. Apart from this, the company’s leaders should also make an effort to recognize and acknowledge those who show highly ethical conduct and hold accountable those who violate regulations and codes of conduct.
Such a display of integrity and ethics by the leadership can play a huge role in changing the environment of the organization.
Making professional ethics central to all operations
To promote a culture of professional ethics and compliance, it is not enough to just talk about it once a month or conduct a workshop every year. Professional ethics have to be central to everything that the organization does. Ethics should be an integral part of the company’s day-to-day functioning. Starting from the company’s HR policies to the hiring processes, from performance management to reward systems, everything that the company does must be done within the value system and ethical framework that it hopes to establish.
Even in a time of crisis, leaders have to take the opportunity to demonstrate ethics that can help find a solution that is both feasible and honest. Employees should never be encouraged to compromise on standards, take shortcuts or adopt unethical means to solve a problem. Staying firm on their ethics even during crises helps leaders show employees that professional ethics are an important element of a successful business.
Types of Ethics
The three major approaches in normative ethics are virtue ethics, consequentialist ethics and deontological or duty-based ethics. Virtue ethics emphasizes moral character in judging whether something is right or wrong. Consequentialist ethics makes this judgment based on the consequences an action produces. Deontological ethics holds that an action is right or wrong depending on whether it conforms to a specific set of rules or duties.
The roots of virtue theory go back to the beginnings of philosophy in Athens, set out in Aristotle’s ethical treatise, the Nicomachean Ethics. A virtue can correspond to a moral rule and has an opposing vice. For example, a moral rule around ‘not lying/always speaking truthfully’ corresponds to the virtue of honesty and stands opposed to the vice of dishonesty. Moral agnosticism naturally stands in the way of fostering an ethical culture within the organization. It can lead to ‘ethical blindness’, where people (good or bad) behave unethically without being aware of it, usually because they have not considered the ethical dimensions of a decision they are making.
Consequentialist theories base the moral evaluation of actions on the outcomes they produce. Utilitarianism is the best-known consequentialist theory; it assesses character traits and actions solely in terms of their overall net benefit. It is concerned with the question ‘what outcomes should I want?’ and, as you can imagine, can be problematic if used to justify actions or decisions that weaken the organization’s compliance posture: a rule that is inconvenient in a particular case can always be argued away on the grounds that breaking it produces a better result.
Deontology, associated with the philosopher Immanuel Kant, emphasizes the motivations, ideals and principles underlying an action or decision rather than its consequences. According to deontological theories, some actions are always wrong even if they would lead to a desirable outcome, and some duties must be fulfilled even if doing so leads to an undesirable one. This is the logic that compliance-based codes of ethics follow: the rule applies irrespective of the result in a particular case.
Judging the morality of actions based on an ethical framework can help shape the ethical character of the entire organization.
Gifts & Entertainment
One very high-risk compliance area that companies often neglect is gifts and entertainment. Although gifts and entertainment may be an important tool for fostering good business relationships, their use is regulated, because they can also lead to inappropriate influence and undue favors. Anti-bribery and anti-kickback laws, rules governing dealings with public officials, and contractual policies agreed with third parties all contribute to the requirements an organization must meet when governing gifts and entertainment.
Every organization should understand the risks involved regarding conflicts of interest, bribery, or their interactions with certain customers, etc. when creating a gifts and entertainment compliance framework. They should also be aware of the gifts and entertainment policies of their stakeholders, such as clients, suppliers, IT partners, and so on. This helps ensure that the policies of the company do not result in the violation of the other party’s compliance policies.
Building a gifts and entertainment compliance program follows a procedure similar to most other compliance programs. It starts with an assessment of the compliance risks and the applicable regulations, followed by the creation of standards and policies for the company, training and communication, monitoring, and control.
The traditional approach to gifts and entertainment
Until not so long ago, gifts and entertainment were not viewed as a matter of concern. Companies allowed the acceptance and giving of luxury items, visits to luxurious places, or donations without any need for documentation. In those days, regulations on gifts and entertainment were seen only as an obstruction to building relationships with partners and other businesses.
But the scenario is very different today. Organizations cannot afford to accept or give away expensive gifts or large donations without a valid reason and documentation. There have been numerous lawsuits and fines associated with inappropriate gifting or acceptance of gifts, which may be treated as corruption. Apart from the legal consequences of violating these regulations and the loss of reputation, employees today are themselves more aware of ethics and values and give them more importance. So the traditional approach to gifts and entertainment is no longer viable in today’s world of business.
Creating policies for gifts and entertainment
When creating gifts and entertainment policies for a company, there are certain key factors to keep in mind. First of all, like all other compliance requirements, the gifts and entertainment policy should be documented and circulated throughout the organization. The documented policy should clearly explain why certain gifts or entertainment activities are not acceptable and why limiting them is important.
It should also state clearly which gifts and entertainment activities are acceptable, typically with value thresholds, approval requirements and a register in which gifts given and received are recorded. If there are particular business units or functions where the rules need to be stricter, for example teams dealing with public officials or procurement, that should be clearly defined in the policy. The policy should also set out the penalties and possible action that will be taken against violators.
Training and education of employees in this regard is also equally important. All employees should know the standard code of conduct regarding the acceptance of gifts and the values that the organization upholds.
Insider Trading
Insider trading has caused trouble for many big names in the Investment and Finance sector. Employees of companies in these industries have access to a lot of confidential information about the companies and securities they deal with. Using this information to trade in the stock market for personal gain is not just unethical but also legally prohibited. This is why regulatory bodies have put in place very stringent laws against insider trading.
It is very important that the compliance program in an organization is adequately designed to be as effective as possible in detecting and preventing unlawful, criminal activity by employees. Regulators also require that these compliance policies be effectively enforced, even though it may not be possible to keep an eye on every activity of every employee.
Creating a strong insider trading policy
The organization must have well-defined rules on personal trading for employees. Management should ensure that these trading policies are effectively enforced, distributed to all covered persons, and reviewed regularly. The documented policy on employee trading should clearly differentiate between permitted and restricted trading activities. It should also define who the covered persons are and which securities are covered. If employees are required to obtain approval (pre-clearance) before entering a trade in a covered security, the procedure for approval must also be stated clearly. Employees are also required to report their holdings periodically, and the policy should define the reporting period and frequency.
The rules on insider trading are not limited to employees alone; covered persons may include family members and others whose accounts the employee controls or benefits from. So a full list of accounts and trading reports for such persons may also be requested by the company for verification.
A strong process for regularly reviewing employees’ compliance with trading policies and restricted investments must be in place. Organizations also have to control who has access to confidential information. For instance, regulatory bodies require companies to control and keep detailed records of the sharing of material non-public information (MNPI) with employees. Management must control who is given access to MNPI and keep valid records of it, including when the information was shared and for how long a piece of information is considered MNPI.
Characteristics of an effective insider trading compliance program
A strong compliance program for insider trading should have the following characteristics:
– The commitment of top leadership
– Adequate resources, qualifications, and structure to ensure compliance
– A strong code of conduct, policies, and procedures
– Effective training of employees and communication of policies to them
– An efficient method for confidential and anonymous reporting, as well as investigation
– Internal auditing and controls testing
– Regular review and improvement of the compliance program
It may be difficult to completely prevent insider trading even with the most efficient compliance program but having robust policies and strong ethics within the company can mitigate the risk to a great extent.
Governance and Audit
Proper governance and auditing are an integral and critical part of any compliance program. Internal audits are a necessary way of ensuring that all the controls employed to ensure compliance are working effectively. They also serve as a means of assuring stakeholders that compliance is being taken seriously.
Moreover, regulatory bodies are always increasing the requirement for mandatory disclosures regarding compliance and governance that must be submitted by companies from time to time. That makes governance and auditing all the more important to organizations that have an ongoing compliance program. But despite the pressing need for efficient governance and auditing, the challenges to these activities are not getting any smaller. The regulatory and business landscape is continuously changing. From regulations to people to technology and processes, everything changes rapidly today and adds complexity to governance methods.
Since 2002, that is within the past 18 years or so at the time of writing, numerous new regulations and compliance requirements have been introduced, particularly in the Banking & Finance, Insurance, and Investment industries. From corporate governance requirements to the Sarbanes-Oxley Act (SOX) to regulatory mandates for risk management, there have been several cultural shifts in the business environment.
This requires businesses to not only focus on governance and auditing but also ensure that their methods are sustainable in the face of an ever-changing environment.
Role of executive suite in governance
Governance and auditing comprise all the activities carried out by the compliance, risk assessment, legal, finance, HR, and IT teams within the organizations. It also includes any auditing done by third parties or external stakeholders. However, it is not just the compliance and auditing teams that are responsible for managing governance, risk, and compliance. The top executives and the board of directors in a company are also equally responsible for governance and compliance. Governance refers to the ways and means by which an organization is controlled. Since most of the major decisions in an organization are made by, or in consultation with, the company’s leaders, their involvement in governance and risk management becomes imperative.
Internal audit functions
Internal audits can cover several key areas of governance, risk, and compliance. Risk-based internal audits are necessary for assessing risks and the controls that address them within the organization. Operational efficiency audits review the policies and procedures defined by the organization to ensure compliance. They also review the operational framework and how well the organization’s systems fit its business operations and needs. Operational efficiency audits need to cover information systems too, as communication and information sharing are crucial to effective compliance.
Apart from these, internal audits may also focus on governance processes. This includes reviewing the code of conduct, the risk management committee’s performance, and the audit committee’s effectiveness. There are other forms of internal audits too that may not be directly related to compliance programs but can have an indirect influence. These are cost efficiency audits of the business, performance efficiency audits, and audits of the business strategy and plan.
Paying attention to governance and audit can greatly improve decision-making in the organization. It also helps integrate the company and break down silos for better collaboration and better flow of information. It can make an organization much more agile and confident.
Importance of compliance auditing
Compliance auditing, both internal and external, is important to an organization for several reasons. External auditing is often necessary for confirming compliance and attaining certifications. But internal audits are also equally useful and important. Timely and regular audits can help a company determine its weaknesses in the regulatory compliance framework and processes. This gives an opportunity to fill up the gaps and improve the processes and procedures to increase compliance.
Audits also give companies access to guidance from expert auditors, which can help reduce compliance risks and avoid the potential legal consequences and penalties of non-compliance. We have emphasized several times that the regulatory landscape is volatile and constantly changing. This means that compliance programs also need to keep up with changes and evolve. Regular audits enable businesses to improve their compliance programs by keeping them current with regulatory changes and incorporating these changes into the organization.
Focusing on governance and audits allows organizations to monitor how business leaders, shareholders, and other stakeholders are behaving in terms of compliance. It increases accountability for the decisions and actions they take. Published audited financial statements and similar disclosures are very important in this regard.
The right approach to governance, risk, and compliance
The best way to implement governance, risk, and compliance, also referred to as GRC, is to take a holistic approach. GRC is not limited to a certain department or business unit; it applies to the entire organization. The three most common areas where GRC is applied are financial, IT, and legal. Financial GRC ensures that all financial processes are carried out correctly and transparently, including reviewing their adherence to any financial regulations that may apply.
The IT GRC relates to the activities of the IT department of an organization and ensures that all processes, products, vendors, etc. support the current and future business needs while being compliant with all applicable IT regulations.
Legal GRC covers all the different areas of the business through the organization’s legal department and ensures compliance with all applicable laws and mandates.
A very useful model for applying this holistic GRC approach, published by the Open Compliance & Ethics Group (OCEG), is the GRC Capability Model. This open standard integrates the different sub-disciplines of governance, risk, compliance, audit, ethics, and IT.
The Capability Model is made up of four components, namely – learn, align, perform and review.
Learn – this refers to learning about the organization’s culture, context, and key stakeholders. This helps build and inform objectives, strategies, and actions in the organization.
Align – This refers to aligning the organization’s strategies with its objectives and the actions with the strategies. It focuses on effective decision-making keeping in mind the organizational values, requirements, opportunities, and threats.
Perform – Perform refers to taking the actions that promote desirable outcomes, preventing and remediating undesirable conduct and conditions, and detecting issues quickly.
Review – This refers to reviewing the strategies and actions in terms of their effectiveness as well as the relevance of the objectives, to help the organization improve.
This model is crucial to GRC as it presents an iterative approach to continuous improvement and can drastically improve the governance and compliance in an organization.
Personal Trading
Personal trading by employees of an organization can often lead to a conflict of interest. Employees, particularly in companies in the Investment sector or companies offering trading advice to clients, may have access to material non-public information. Such information can give them an undue advantage when trading in their personal accounts, and this is considered a misuse of MNPI.
Legislation such as the US Investment Advisers Act, with its Code of Ethics rule, and similar rules in many other countries require organizations to have a personal trading policy. Under these rules, companies must have strong policies that make it mandatory for employees to disclose all their personal securities transactions and holdings, which must be recorded and reviewed from time to time.
Under these rules, the people responsible for managing the personal trading policy must define who an “access person” is. An access person could be an employee who has access to non-public information about clients’ transactions or holdings, or an employee who has access to, or themselves makes, securities recommendations to clients. Employees with such access could misuse the information in ways that conflict with their clients’ interests. For instance, they could time their trades to take advantage of pending client orders, to the clients’ disadvantage, because they hold crucial MNPI. Or they could place trades that distort the market itself. Such acts can be considered a breach of their fiduciary duty.
Access persons are not just the employees who have access to such MNPI or make recommendations to clients. They may also include people working in close association with them, such as their supervisors, or anyone else who may have access, including the company’s partners, officers, and senior executives.
The company’s code of conduct should require access persons to disclose their holdings within 10 days of taking on an “access” role (the initial holdings report). Certain securities are covered by the personal trading policy of every company, and an access person has to report their transactions and holdings in these securities on a quarterly basis after the initial report.
The compliance managers must keep adequate records of employees’ personal trading disclosures as evidence of compliance with the policies and of the company’s efforts to monitor personal trading. Some companies allow access persons to report their holdings and transactions by simply sending duplicate copies of their brokerage statements to the compliance team, while others require employees to hold their trading accounts only with an affiliated or designated broker. Whichever method a company chooses, careful examination and monitoring of personal trading information is a must.
Compliance Culture
Compliance, though necessary for every organization to ensure safety and integrity, may receive different responses from employees and stakeholders. Compliance is often seen as an obligation, something that an employee has to follow by any means. It can even lead to resentment among employees and to what is called ‘compliance fatigue’. Organizations should, therefore, focus on changing people’s attitude towards compliance. When people stop seeing compliance as a checklist of regulations to fulfill and start seeing it as an integral part of the company’s identity, that is when the organization develops a compliance culture.
Compliance culture cannot be built overnight by an organization. It has to start at the top and gradually seep into the lower layers of the organization. It requires a change in organizational behavior. Professional ethics and social responsibility are at the core of this change.
Building compliance culture
The development of a compliance culture in an organization starts from the organization’s vision, mission, and values. The leaders of the organization must demonstrate their commitment to the vision and values of the organization. They must be able to uphold these values for everyone else to see and realize that these ethics are central to the organization’s functioning.
Before expecting others to follow the company’s code of conduct faithfully, the leaders must themselves live by the code. The top executives set the standards for everyone else to follow. If leaders themselves are seen compromising on ethics, standards, and regulatory compliance, be it for personal gain or for the organization’s, employees will be influenced to do the same. But if the leaders stand firmly with ethics, reward compliant behavior, and show no tolerance toward non-compliance, employees will be encouraged to maintain integrity as well. This is what is commonly called “tone at the top”.
The management of the organization also plays an important role in fostering a culture of compliance. Managers are usually in close contact with employees and are responsible for implementing the processes and procedures for compliance at different levels. So, managers’ actions must exhibit exemplary ethical standards for others to follow suit.
It is also important to ensure that such ethical and compliant behavior is applied to everyday interactions and activities. Ethical behavior can only turn into culture when it is practiced daily, by everyone. Employees must be motivated to practice the organization’s ethics in every formal or informal interaction they have, every single day. In case of violations, visible actions must be taken to assure that the organization takes compliance seriously. If the company keeps making exceptions to its own rules and policies often, employees start believing that the rules are arbitrary and can be bent at will.
Fair, reasonable but consistent enforcement of the organization’s policies is a must to create a culture of compliance. Compliance programs that put in this extra effort to turn compliance into culture can help the business achieve all its regulatory goals through ethical and responsible behavior.
The following list represents the Key Program Objectives (KPO) for the Appleton Greene Compliance Administration corporate training program.
Compliance Administration – Part 1- Year 1
1. Compliance Essentials
Before an organization starts creating a compliance program, the first thing that it needs to know is the essential elements for the compliance program. The organization has to do some diligent research on the applicable laws and regulations. But simply communicating these regulations and standards to employees will not make them comply from day one. The company has to appoint a dedicated compliance administration team that will take care of all related activities. The team has to design and implement all the administrative processes to ensure compliance with organizational policies. They will also be responsible for updating the policies and monitoring compliance on a regular basis.
The organization will need a strong strategy for the implementation of the compliance program. The strategy has to define whether the organization will take a rigid or flexible approach to compliance, or switch between the two based on circumstances.
Training of employees to educate them about the laws, standards, and codes of conduct is essential. Without periodic training, employees cannot be expected to commit to compliance or understand its importance. Along with periodic training, monitoring and audits are equally important. Monitoring with established protocols and controls allows the organization to identify gaps in the compliance program and remediate them in time. Audits and reporting help prevent non-compliance and associated penalties.
It is also important to document and report any exceptions to compliance that may have been made. Untracked/ undocumented exceptions may be treated as non-compliance during external audits and may land the organization in trouble.
2. Risk Assessment
Risk assessment is a crucial part of a compliance management framework. Compliance risk assessment means identifying those areas of the organization where the risk of non-compliance is high and could lead to legal, financial, or reputational damage to the company. The risk assessment process has to be thorough enough to identify and understand all potential risks, and it starts with identifying the high-risk areas of the business. Risk is usually measured in two ways – as inherent risk and as residual risk. Inherent risk is the level of risk in an area before any controls are applied to mitigate it, so the inherent risk assessment tells compliance administrators where the exposure is greatest and where controls are needed most.
Residual risk, on the other hand, is the risk that remains after the existing controls have been taken into account. A high residual risk implies that the existing controls are either insufficient or ineffective. By comparing inherent and residual risk, a business can judge how well its current controls perform and introduce changes wherever there is scope for improvement.
To make risk assessment more efficient, the organization must develop a well-thought-out risk assessment framework. The risk assessment should include a few key components such as the regulatory matrix, compliance risk analysis, and compliance review. The regulatory matrix should contain all the various laws, regulations, standards, and guidelines the company needs to follow along with the compliance risks and necessary controls. The compliance risk analysis and review will then help suggest corrective action where necessary.
3. Testing & Certifications
To prove its compliance with all applicable regulations and standards set by the government or other regulatory bodies, an organization has to have valid certification. Except for their internal standards and policies, all other compliance needs to be tested and certified by appropriate authorities. Compliance testing refers to the testing of the existing controls in the organization with an aim of verifying whether they help the organization meet the prescribed standards. If the controls are found to be effective, the regulatory body can certify the organization or its departments/ business units to be compliant.
Compliance testing and certification are important to a business for a number of reasons. Once an organization is certified as compliant it can boast of these certifications on its website or any other marketing material. Obtaining certification helps win customers’ trust in the company. It also helps them win over investors as companies that are certified as compliant are considered to be more reliable by funding agencies. Investors may often ask for evidence of a company’s compliance with standards too. In such cases, the certification from different regulatory bodies is invaluable.
Compliance testing for certification is done by external agencies, but an organization can also conduct internal compliance testing. Having an effective internal testing process helps prevent lapses in the compliance program so that certifying bodies do not find gaps during their testing. Companies in the Banking & Finance, Insurance, and Investment industries have to be particularly vigilant and pay more attention to testing and certification, as the regulatory landscape in these industries is quite complex.
4. Workflow Processes
Compliance in workflow processes is crucial to the overall compliance program of a company. A workflow is the series of activities that need to be undertaken in sequence to complete a business process successfully. When workflow processes are standardized and compliant, the likelihood of the end product also being compliant increases. But a workflow may involve several people. Someone needs to assign the tasks and communicate the applicable guidelines; others need to execute the tasks while staying within those guidelines. When done manually, managing the workflow becomes very tedious. More importantly, the chances of errors, and thus of non-compliance, increase manifold.
It may not be possible to keep reminding employees of the standards and regulations at every step of a process. That is where workflow automation helps organizations ensure compliance consistently. Workflow management software automates workflow processes to reduce the amount of human intervention. All the details regarding a particular task, including the regulations, standards, and guidelines applicable to it, can be entered into the software. So when the task is assigned, the person responsible for executing it has access to all the relevant information, which helps them stay compliant.
Automation also allows the workflow manager to assign approval checkpoints so that the work is only approved and accepted when the set standards are met. Thus, workflow automation streamlines the workflow process, minimizes the chances of errors, reduces the time spent on monitoring and evaluation, and prevents problems arising due to non-compliance.
5. Ethics Code
A strong code of ethics is of primary importance to ensuring compliance in an organization. Ethics are the values and standards that an organization stands by. They define how the organization functions in its day-to-day activities and dictate how its employees are required to behave. The code of ethics of an organization is the documented form of these organizational ethics. There may be two kinds of codes of ethics – integrity-based and compliance-based.
Integrity-based ethics are not necessarily enforceable. They may not have any legal implications. But they can be considered as a moral responsibility for everyone working in the organization. Integrity-based ethics define what the standard behavior or responsible behavior of every employee of the company should be, for the greater good of the society. Employees need to be morally conscious and willingly accept these policies as compliance with integrity-based ethics codes cannot be forced.
A compliance-based code of ethics can have legal implications. These are ethics based on the laws, regulations, and standards set down by regulatory bodies. An organization needs to clearly communicate these laws and standards through the code of ethics and ensure compliance at any cost. Non-compliance with this code of ethics can result in serious legal problems and heavy penalties for the organization. A compliance-based code of ethics usually covers areas like workplace safety, workplace harassment, cybersecurity, privacy laws, environmental laws, racial discrimination laws, and so on.
The compliance administrators are responsible for implementing these codes of ethics across the organization.
6. Professional Ethics
Professional ethics should be at the core of any compliance program in any company. Professional ethics came to be considered a necessity for compliance management after many organizations faced scams, financial scandals, money laundering, and similar problems as a result of employees’ misconduct. Some of the best-known examples of unethical behavior leading to the downfall of companies are the corporate accounting scandals that surfaced after the tech bubble burst in the early 2000s and the misconduct exposed by the 2008 housing and financial crisis. Such major events not only cost organizations huge amounts of money but also their hard-earned reputation. After such events, professional ethics became an integral and irreplaceable component of compliance requirements.
Strong professional ethics in an organization can win stakeholders’ trust and bring more goodwill to the organization. Professional ethics always need to start at the top. The leaders of an organization have a responsibility of demonstrating and promoting strong ethics among employees. When leaders and managers show their commitment to compliance, stand true to their words and never compromise on values, employees automatically follow their example.
To inculcate strong professional ethics in employees, the organization must have a strong ethics and compliance program. The program should focus on turning professional ethics into a part of the organizational culture. It should reward employees for good conduct and compliance, and also define the actions to be taken against anyone who violates the codes of conduct. A display of integrity at every level and in every action of the people of the company will help make ethics a norm.
7. Types of Ethics
Compliance is the act of conforming to organizational policies and procedures in light of applicable laws and regulations. It provides a framework for organizational members to make decisions and act in accordance with the law. Ethics are an integral component of compliance. Organizations don’t have a uniform view of ethics, as explained below.
Some organizations are of the opinion that ethics involve doing the right thing, and following both the spirit and letter of the law. Perhaps it is why defining ethics may be difficult for businesses as employees’ personal code of conduct will come into question. Everyone has their own ethics, but when the goal is doing the right thing, then virtues such as honesty, fairness, transparency and due diligence will matter a great deal as far as compliance goes. If organizational values promote respect, trust, integrity or other virtues, then behaving in a manner that aligns with these values is everyone’s responsibility.
A focus on moral character and a code of conduct augurs well for organizational culture. If an organization has a poor ethical culture, then none of its controls, policies and procedures will matter. The reverse also holds: culture drives ethical behavior. An organization that promotes ethical behavior among employees is likely to see both culture and compliance benefits. If it has a poor culture or does not promote ethical behavior, employees will not be discouraged from acting in ways that increase the risk of compliance failures.
Other organizations take the view that ethics do not always hold them to a higher standard than the rules, and that there are times when regulations demand more than simply upholding moral principles. Complex decisions and an absence of vital information can make organizations struggle to act according to ethical standards, which in turn affects their compliance decisions.
8. Gifts & Entertainment
Incidents of inappropriate acceptance of gifts and favors in the past have led regulatory bodies and government agencies to treat gifts and entertainment as an area of concern. Bribery of government officials, compromised contracting with third parties in exchange for favors, anti-kickback laws, and similar matters have driven the need for a strong gifts and entertainment policy in every organization. Though gifts and entertainment are a way of building and maintaining business relationships, they may be misused for personal gain or for that of the organization. In either case, acceptance of undue favors can be considered unethical and, in extreme cases, criminal.
Gifts and entertainment policy in a company should clearly define what kinds of gifts or entertainment activities are acceptable and what is unacceptable. Any donations or gifts presented to others, such as partners, suppliers, third parties, etc. should be reasonable and documented correctly. There may be certain business units or departments in an organization that are under stricter scrutiny by vigilance agencies. The gifts and entertainment policy should be even more stringent for those business functions, to avoid any unwanted charges of corruption against the company or its employees.
The organization’s gifts and entertainment policy should be unambiguous and consistently enforced. Training of employees may also be necessary in this regard to help them understand the importance of the rules and the consequences of breaking them. Employees today are more aware and take ethics seriously, which should make compliance with gifts and entertainment policies easier.
9. Insider Trading
Insider trading has been a serious problem for many companies, particularly those in the financial advisory or investment sectors. Insider trading is when an employee of a company has access to confidential, material information that is not yet public and uses it for personal trading in the stock market. This is a misuse of confidential information and is considered an unfair way of trading. It can also put the company’s clients at a disadvantage. This has led regulatory bodies to place strict restrictions on employee trading, which companies are required to enforce and monitor.
Every company that holds valuable trading information must have a robust insider trading policy. The insider trading policy defines who a ‘covered person’ is under the policy and what are the ‘covered securities’ for monitoring. The covered persons can be employees of the organization or anyone close to them such as immediate family members, who could also have access to the information. Covered persons may even be business partners or other stakeholders with access.
The organization must have an efficient process for tracking and reviewing employee trading activities. It must keep track of who has access to the material non-public information (MNPI) that the company deals with. Employees who hold trading accounts in a covered security must disclose their holdings to the compliance administrators on a regular basis (half-yearly or quarterly). Employees who have entered a new trade must also disclose their transactions and holdings within a stipulated time. The company may also request the trading account reports of other covered persons for review.
10. Governance and Audit
A compliance program’s success depends to a great extent on the governance and audit carried out by the company. Governance involves all the measures that the organization takes to control and manage its activities. In compliance management, governance plays a key role in ensuring the effective implementation of rules and regulations. Audits are also equally important to compliance administration. Internal audits can help with risk assessment and control assessment that help the organization identify the gaps in the system. Audits can also review the operational efficiency of the organization as well as the information and communication systems within the company. All of these are directly or indirectly related to compliance.
Apart from internal auditing, external auditing from time to time is also essential. External audits allow the company to have an outside perspective on the compliance program. The auditors can give valuable insights as well as advice to further improve the compliance in the organization. They can educate the compliance administrators about the legal implications of various rules and regulations.
Governance of the compliance efforts of an organization is the joint responsibility of several groups within the organization. Everyone from legal to finance to HR to IT must be involved in governance, risk, and compliance (GRC) activities. Apart from these teams, the executive leaders of the company need to show their involvement in governance too. As most of the major decisions and policies are made by the top leadership of the company, they are invariably involved in the governance and risk management activities taking place.
11. Personal Trading
Personal trading by employees can often pose a great risk for an organization, particularly in the investment and finance industries. Employees’ personal trading can give rise to a conflict of interest. A company that offers trading advice to its clients, for instance, has to make sure that their advice helps the client trade successfully in the stock market. But most employees in the organization have access to the material non-public information (MNPI) the company holds and uses to advise their clients. Employees could misuse this MNPI to trade for personal gains, putting the clients at a disadvantage. This is both unethical and unlawful in many cases.
Companies, therefore, need to have very stringent policies for personal trading by employees. Employees who have access to MNPI must be kept under scrutiny. First of all, the organization needs to identify everyone who has the privilege of accessing MNPI in the company. These are the access persons. The company’s code of conduct should clearly define how an access person is allowed to trade. For instance, if an access person opens a new account and enters a trade, he or she must report the transactions and holdings within the next 10 days. For an access person already trading, the holdings and transactions must be reported every quarter.
The organization also needs to decide how these reports are to be submitted. Some organizations allow employees to submit a copy of their trading statements, while others require employees to open accounts only with company-affiliated firms for easier monitoring.
12. Compliance Culture
A company’s efforts to ensure compliance can only be truly successful when it turns into a culture. As long as employees don’t understand the importance of compliance in their daily activities and only consider it as a binding obligation, compliance can never be implemented in full force. Employees need to be shown that compliance is an extension of the organizational values and an integral part of the company’s mission.
The leadership of the organization has to take the lead in this regard as well. The company has to practice what is called “tone from the top”. When the leadership shows commitment to compliance and ethics, the employees tend to be motivated to follow them as well. Compliance should not be treated as a matter of discussion in a yearly workshop or before an important audit alone. It should be practiced and encouraged every day.
Managers can also play a major role in promoting a compliance culture. As managers work in close association with the employees and oversee the implementation of rules and standards directly, they are in a much better position to influence them. Managers must demonstrate strong ethics and compliance in everything they do.
Even in times of crisis, the leadership and management should never compromise on their ethics and commitment to the code of conduct, nor encourage others to do so. As long as everyone in the organization puts in the effort to ensure compliance every day, consistently, it doesn’t take long for compliance to become a part of the company’s culture.
The first stage in any corporate training program, including this compliance administration training, is to build a robust plan. It is impossible to deliver the desired results from a training program unless there is a clear direction. The organization, as well as the training providers, must first understand the organization’s needs thoroughly. It requires diligent research, assessment, and brainstorming during the initial phase to gain meaningful insights into the organization’s current state and, thus, the gaps in its system.
In this corporate training program on Compliance Administration, we start the program planning stage with a few critical questions. There are 5 critical questions that every organization needs to answer before choosing/ designing a training program on compliance which include – who, what, when, where, and why.
Who should know about the compliance program?
When choosing or designing a training program, the first thing to know is who the training is meant for. In the case of the training program on compliance, the organization needs to deliberate on whom the program is supposed to target. For instance, training on compliance with safety standards primarily needs to be designed for people working in hazardous areas, such as shop floors in a factory or construction sites. Compliance with workplace ethics, on the other hand, has to include everyone working in the organization. Compliance with cybersecurity and privacy laws may target the IT, customer service, and legal departments, and so on.
Depending on who the training program is for, it may have to be designed differently to cater to the specific audience.
The organization also needs to decide who would deliver the training. In this case, we will be offering all the material and delivering the training as well. But for your future needs, the organization may need to design its own training program, during which this question becomes relevant. The organization may opt for available training programs on compliance online, outsource the training to a professional Training & Development firm, or conduct training in-house.
For in-house training, the personnel responsible for designing and delivering the training program have to be appointed based on their knowledge, background, and capabilities. Every organization should ideally have a Compliance Officer or Committee who would take the lead in planning the training programs.
What should compliance training include?
Every organization has different needs. So, we cannot expect to deliver the same results with a training program in every organization we work with. The corporate training program on Compliance Administration primarily focuses on the Banking & Financial Services, Insurance, Business Services, and Technology industries. So, most of the topics and modules included in this training program have been designed keeping in mind the specific needs and challenges of these industries.
For any other organization, belonging to a different sector, the compliance administration training needs would be different. The organization needs to first find out what the compliance risks of the company are, which areas require more attention in terms of compliance, what are all the applicable laws and regulations, and so on. Once this information is available at hand, the organization can then decide on the content of the training program. It will help decide what should be the key takeaways of the training. This will also enable the training providers to gather relevant information and training material so that the trainees can receive correct and adequate knowledge.
The training program should be able to tell the learners what exactly it delivers, from the very beginning, and how it applies to their roles.
When do employees need compliance training?
The next question for an organization to answer is when it wants its employees to learn about compliance and compliance risks. Should the training be a part of the employee onboarding process, delivered every time new employees join the company? Or should it be a continuous process, with training imparted periodically? The answer is simple in principle, but how it is put into practice depends on a number of factors.
The honest answer is that an organization should consider compliance training as a continuous, ongoing process. Delivering compliance training only during employee onboarding does not truly serve the purpose as rules and regulations keep changing. One-time training is not enough to keep them current with the recent developments and employees won’t usually learn about the changes themselves. As a result, the outcomes of the one-time training program get lost in the shuffle.
So, it is important to create awareness from time to time. But not all organizations have the budget or resources to conduct training every 6 months or every year. In such cases, an organization can still increase employee awareness of compliance and risks by sharing resources with them regularly and updating them on the key issues, instead of conducting full-fledged training.
If the company has the resources for it, though, compliance training can very well become a part of the company’s culture. Short-term training programs that share interesting and entertaining compliance modules, be it online or in a classroom training, can refresh employees’ perspectives on compliance management.
Where will the knowledge be applied?
The compliance training program a company carries out should have real-world outcomes. It should be more than just a classroom lecture on compliance and its importance. Employees need to be clear about where they are going to apply the knowledge they gain from this corporate training program.
The compliance program, therefore, has to be designed keeping in mind the real-world applications. It has to focus on actual scenarios, enlighten the learners with examples and case studies, and answer any questions that they might have regarding the application of compliance to their area of work.
If possible, after the initial corporate training, the organization should invest in refresher courses and on-the-job compliance training that allow employees to see the impact of compliance on their day-to-day activities.
Why do employees need to learn about compliance?
Lastly, the organization needs to be clear about the purpose of the training. You need to know what you are trying to achieve with this training program and why employees should see this as more than something they just need to get through.
The organization needs to reinforce their faith in the training program and demonstrate how it is going to add value for everyone. The goals and desired outcomes of the compliance program should be clear before the organization proceeds with training.
When the organization has found the appropriate answer to these 5 critical questions, it becomes much easier to apply the knowledge from the corporate training program and design an efficient compliance program that meets all the organizational needs. This initial assessment is a very crucial part of program planning.
Identifying compliance essentials
The program planning stage needs to focus on what resources or capacities are required to build a robust compliance program. There are certain activities that the organization has to carry out to ensure compliance in every area of the business. For example, one of the most essential aspects of a strong compliance program is having a dedicated team to manage compliance and compliance risks in the organization. The organization will have to appoint a Compliance Officer or a compliance committee to oversee all the compliance-related work.
Another essential aspect of a compliance program is a compliance strategy. The organization has to devise a strategy for implementing the compliance program and ensuring its success. A strategy provides a sense of direction to the compliance committee, clearly laying out the plan of action and the expected outcomes. It defines the activities to be undertaken step by step, the frequency of these activities, the people to be involved, and more. This strategy usually has to be developed during the program development stage itself and applied during the program implementation stage.
The compliance program strategy will also define the kind of approach the organization plans to take towards compliance implementation – rigid or flexible. So, all the important factors that determine what the compliance program of the company will be like are covered in the strategy, making it much easier to execute later.
One more essential part of the compliance program is going to be the monitoring and auditing measures to keep track of the program’s effectiveness. The organization will have to conduct regular audits to assess whether the compliance program is delivering the expected results and if there is scope for improvement.
It is also equally important to have a list of the compliance requirements. Different industries and organizations have different compliance requirements. Unless the organization is sure about the compliance requirements, that is the applicable laws and standards that it has to comply with, proceeding with a plan becomes meaningless. Once the requirements are known, the organization can move ahead to risk assessment based on this knowledge.
During the program planning stage, one of the most important activities to be carried out is the risk assessment throughout the organization. This stage of the corporate training program will discuss in detail risk assessment, types of risk, managing high-risk areas, controls, and corrective actions.
Every organization is exposed to various compliance risks – both inherent and residual. Inherent risks are those risks that exist within the organization from the very beginning and there are no controls in place to mitigate these risks yet. Residual risks, on the other hand, exist although controls have been used to mitigate them. This means the controls are not as effective as initially thought.
A thorough risk assessment helps the organization find out its high-risk areas and assess whether the current controls are working as expected. In case a risk is detected, new controls can then be placed or the existing controls can be enhanced to remediate them.
Risk assessment is a very crucial and tricky part of program planning. A little negligence or callousness in risk assessment can lead an organization to make wrong decisions at some point, ending up in expensive lawsuits or loss of reputation. Assessment of compliance risks, therefore, has to be done very diligently so that no potential hazard can escape the eyes of the compliance administrators.
For efficient risk assessment, it is important to gather as much data from every business unit as possible. The compliance administrators need to work closely with employees from every department and gather their inputs on the probable compliance risks. They also need to gather information on the best practices adopted by other companies within their industry for benchmarking. This comparison will help them assess where the organization is lacking and if there is scope for improvement in any particular area. All of this data should be carefully consolidated and documented for a thorough review.
Compliance risks are not only posed due to negligence or lack of effective controls on the part of the organization. They may also be a result of the ever-changing regulatory environment. The organization has to keep track of all the regulatory changes taking place in their environment. New laws and standards are being introduced every other day. If an organization fails to monitor these developments, it may fall behind and increase its risk of non-compliance.
So, the program planning stage also needs to focus on monitoring changes and having a systematic process for this.
Understanding the regulations/ standards/ laws
One of the most important requirements of any compliance program is to have a clear, thorough understanding of the regulations and standards, as well as their impacts. It is important to understand what a particular law or regulation wants the organization to achieve. For instance, a certain regulation may aim to increase the standard of quality of the company’s services for better customer satisfaction. Another regulation may want the organization to improve its data security protocols to ensure the safety of people’s personal information. These outcomes in turn improve the reliability and reputation of the organization itself.
Understanding why each applicable law or standard is important to the company’s growth helps develop a better compliance program as well as build people’s commitment towards it. When the compliance administrators are clear about the expectations that a regulatory body has from an organization through the rules and standards it introduces, it becomes easier to deliver on those expectations.
The company can assess whether it has all the required resources to meet those expectations and comply with the regulations. If it lacks the resources to deliver the desired outcomes, the company will be aware of it and can plan on building capacities and developing a compliance program that helps them achieve the outcomes.
Budgeting and time management
The compliance program planning stage during the corporate training program will focus on two more, very important, aspects – the budget and the time allocated. Although everything in the compliance program – every compliance requirement, every compliance risk – seems to be equally important and urgent, it is not possible for a company to address them all at once. The company does not usually have enough budget, manpower, or time to devote entirely to compliance and so the compliance administrators have to be resourceful in this regard.
An annual budget for compliance-related activities, such as training, audits, certification, etc., must be set aside during the planning stage itself. This helps develop the compliance plan in accordance with the budget and makes it more effective. Similarly, company leaders, managers, and employees have several responsibilities apart from compliance management. Taking them away from their desks too often for compliance training, audits, or related activities may hurt the company’s productivity. This is why time management is equally important. Compliance administrators must determine the timeline and frequency of compliance-related activities during the planning stage to ensure that company time is used optimally. This also adds more structure to the compliance program.
The program development stage of the corporate training program is the second phase which discusses the compliance program framework. Once the organization has completed the risk assessment and control assessment, the compliance administrators have a clear idea of what the organization needs in terms of compliance management. We can now start to gradually build the policies and procedures that will be the backbone of the company’s compliance program.
The corporate training program at this point will focus on how to build a strong foundation for the organization’s compliance program. During program development, it is of foremost importance to ensure that everyone in the organization understands the need for compliance. Inputs must be taken from employees, managers and leaders at all levels to make sure that no important business area is left open to compliance risks.
Before an organization can start developing its compliance program effectively, the support and involvement of the executive leadership are essential. The corporate training program on compliance administration will discuss why leadership plays an important role in compliance program planning and development. The leadership of an organization sets the organizational culture and is responsible for all major decisions in the organization. This makes it important when it comes to setting the tone for the compliance program as well.
The leadership’s approach to professional ethics, social responsibility and compliance as a whole influences how the entire organization views these areas. Unless the leadership sees value in these things, all policies and standards would be meaningless and implementation would be all the more difficult.
The leadership has to demonstrate enough faith in the company’s value system and show their commitment to ethics, irrespective of the circumstances. When the leadership stands its ground firmly in terms of compliance and ethics, no one in the organization would risk compromising on those values. It is also important for the leadership to effectively communicate the need for compliance to employees and adopt methods for motivating them to be compliant as well. For instance, there should be a reward and recognition system that appreciates those who have shown exemplary behavior. There should also be a strict redressal system for non-compliant behavior. These systems have to be introduced by the company’s leadership and require their oversight at all times.
Written policies and procedures
After leadership buy-in, the next step in the program development stage discusses the importance of written policies. It is extremely important for an organization to document its policies, rules, standards and codes of conduct to ensure that everything is present in writing and leaves no loose ends. Written policies and procedures are easier to apply as they are shared with all stakeholders of the company. When everyone in the organization is aware of the policies, there are fewer incidents of non-compliance due to lack of knowledge.
Apart from the codes of conduct and regulations, it is also important to document the corrective action plans and the penalties for misconduct that anyone may have to face in case of non-compliance. This makes sure that employees understand the gravity of the matter and the importance of compliance to the organization. This stage of the corporate training workshop will discuss how to effectively document all the policies and procedures in an organization. The written policies should be clear, succinct and easy to understand for people at all levels.
The written policies should cover all the significant areas of concern, particularly legal, financial, social and environmental regulation