Mr. Nelson is a Certified Learning Provider (CLP) at Appleton Greene. He has executive leadership and management experience in Operation Workflow, Financial Services, Regulatory Compliance and Consulting. His academic achievements include a Bachelor of Business Administration from the University of Miami and a Master of Business Administration from Nova Southeastern University. He is a Certified Compliance Professional, dedicated to developing and implementing operational processes and workflows, integrating automated and Artificial Intelligence technology to effectively administer and manage compliance programs. Mr. Nelson maintains active membership in professional associations such as the National Society of Compliance Professionals (NSCP) and the American Society of Administrative Professionals (ASAP).
Appleton Greene corporate training programs are all process-driven. They are used as vehicles to implement tangible business processes within clients’ organizations, together with training, support and facilitation during the use of these processes. Corporate training programs are therefore implemented over a sustainable period of time, that is to say, between 1 year (incorporating 12 monthly workshops), and 4 years (incorporating 48 monthly workshops). Your program information guide will specify how long each program takes to complete. Each monthly workshop takes 6 hours to implement and can be undertaken either on the client’s premises, an Appleton Greene serviced office, or online via the internet. This enables clients to implement each part of their business process, before moving onto the next stage of the program and enables employees to plan their study time around their current work commitments. The result is far greater program benefit, over a more sustainable period of time and a significantly improved return on investment.
Appleton Greene uses standard and bespoke corporate training programs as vessels to transfer business process improvement knowledge into the heart of our clients’ organizations. Each individual program focuses upon the implementation of a specific business process, which enables clients to easily quantify their return on investment. There are hundreds of established Appleton Greene corporate training products now available to clients within customer services, e-business, finance, globalization, human resources, information technology, legal, management, marketing and production. It does not matter whether a client’s employees are located within one office, or an unlimited number of international offices, we can still bring them together to learn and implement specific business processes collectively. Our approach to global localization enables us to provide clients with a truly international service with that all important personal touch. Appleton Greene corporate training programs can be provided virtually or locally and they are all unique in that they individually focus upon a specific business function. All (CLP) programs are implemented over a sustainable period of time, usually between 1-4 years, incorporating 12-48 monthly workshops and professional support is consistently provided during this time by qualified learning providers and where appropriate, by Accredited Consultants.
The Corporate Training Program on Compliance Administration aims to guide and advise organizations on their compliance program. It will look into the various aspects of the administrative systems, tools, set-ups, and business operations that contribute to or are related to the compliance program. The training program will guide employees in better understanding the policies and procedures in place and the actions that need to be taken to prevent violation of any regulations or laws.
The regulatory and compliance landscape is never stagnant. New regulations are passed every other year, and it is easy for organizations to falter. Businesses often get caught up in their day-to-day activities and tend to lose focus on their compliance requirements. A minor negligence in terms of compliance can cost an organization money, time, and, most importantly, its reputation. In this ever-changing environment of corporate compliance, this training program should help you operate safely, within regulations.
For an organization to succeed in compliance administration, it firstly needs to educate its employees on what compliance and compliance management mean. Employees need to understand why it is important to comply with regulations and what could be the consequences of negligence in this regard. Compliance management is all the more important in certain industries that deal with clients’/ customers’ personal, financial or other sensitive information. Industries such as Banking & Financial Services, Insurance, Business Services, etc. need to pay more attention to regulations, legal consequences, and compliance.
What is compliance management?
Compliance management refers to the process of ensuring that the organization abides by the laws, regulations, and standards set by different governing bodies. There may be different regulations that an organization or its individual departments need to adhere to. These regulations or standards can be set by government agencies, international standard-setting bodies, or industry-specific authorities, and all organizations within their jurisdiction are expected to comply.
Some of the common examples of regulatory compliance laws and acts include the Health Insurance Portability and Accountability Act (HIPAA), EU’s General Data Protection Regulation (GDPR), Federal Information Security Management Act (FISMA), Payment Card Industry Data Security Standard (PCI DSS), etc. A simple example of compliance is getting a license to do business in a particular country or following the ISO standards in the development of a product or service.
Compliance management includes documenting the policies and procedures that the organization is required to follow, performing internal/ third party audits to ensure compliance, and, lastly, compliance training to ensure that everyone in the organization is current with the regulatory landscape.
Why are compliance management and administration important?
It goes without saying that meeting legal obligations is a necessity for every organization. But apart from the legal consequences of regulatory compliance, it is important from many other perspectives as well. Compliance with regulations and standards is not only beneficial for the customers or stakeholders of an organization, but also for the organization itself. It is only when an organization and its employees understand the real purpose behind a law or a regulation that they will be able to see the hidden advantages behind them.
From the point of view of the organization, the benefits that it enjoys with efficient compliance management include:
Improved processes and better safety
Compliance with the industry’s regulations and the standards set by the government or international standard-setting bodies helps an organization improve its processes. These standards and regulations are made keeping in mind a minimum benchmark of quality that every organization should try to achieve. Compliance with these means that the company has surpassed the benchmark and met the internationally accepted standards.
It also means that the organization has a better work environment. Compliance with safety laws, diversity and inclusion rules, privacy laws, etc. ensures that the people working in the organization, as well as the people the organization deals with, are safe from threats. These may be data security threats, safety hazards, threats of discrimination, or others. Compliance makes the workplace safer for everyone, which in turn results in improved productivity.
So instead of seeing compliance as a liability, organizations should see it as an opportunity to continuously improve their standards and get more returns out of it.
Improved public relations and customer satisfaction
A company that is compliant with the industry standards and government regulations is always considered more reliable by people. When an organization is compliant or follows international standards in its products and services, it can boast about these on its website or in its other marketing materials. This can be very beneficial not only in attracting more customers to the company but also in attracting more talent, investors, and so on. Customers will tend to trust a company that is compliant because it ensures them of quality in their products and services.
Employees would be more interested in a company that is compliant because they can expect a healthy and safe work environment. Inclusion, safety, and physical and mental well-being are important to anyone looking to work in an organization. Similarly, an investor will see less risk in investing in a company that is compliant with regulations compared to one that does not pay heed to those regulations or standards. Funding agencies will usually look for evidence of a company’s compliance with regulations. It assures them of the quality standards that the company maintains, which translates to customer satisfaction.
Complying with standards or laws is a mark of sincerity and dedication to the stakeholders of the company and it can help the organization garner a lot of goodwill.
Cost and time saving
An organization that does not comply with regulations has every chance of falling prey to a security breach, an accident at the workplace, or some other kind of risk. Most of these scenarios have serious legal consequences. Employees, customers, the public, or other agencies can sue the company if its failure to comply results in damage to another party. This leads to tedious court cases that run for years and, often, millions in fines and compensation.
Proper compliance administration can save a company millions of dollars by reducing the risk of fines, penalties, strikes by workers, lawsuits, or even a shutdown of the business. It also protects the company from negative publicity which can ruin its image in the market even if there are no serious legal outcomes.
A direction to the efforts
Efficient compliance management also gives a sense of direction to the people working in the company. It ensures that everyone in the company is aware of the quality standards, workplace ethics, government regulations, etc. that the company aims to follow. This awareness, together with day-to-day practices that ensure compliance, can help create a culture of quality, safety, inclusivity, and accountability. Everyone in the organization understands their responsibilities towards the company, their coworkers, their customers, and society as a whole. This guidance is of utmost importance to make sure that the organization continues to improve and grow through transparent, ethical, and safe practices.
Better control of processes and procedures
Good compliance administration also means that the organization’s leadership and management are in control of the processes and procedures implemented. This also gives them control over the quality of end products, the productivity of employees, and their overall image. Being in compliance also assures better risk management for the leaders and managers. By controlling the way the processes run, or how the people behave on a daily basis, the organization can achieve a level of excellence over time.
When trying to increase and ensure compliance in an organization, there are several important factors that an organization has to consider. Getting everyone in an organization to comply with some prescribed regulation is not as easy as it sounds. The management of an organization may tend to think that simply making people aware of the regulations should be enough to help them comply. But you cannot expect people to change their habits immediately and compliance does require people to change.
Compliance management goes deeper than that. It requires careful planning and strategy. There can be different approaches to compliance administration in an organization, which again depends on the organizational culture to an extent. The compliance administrator or manager has to decide which is the best way to get people to willingly make behavioral changes and what will make these changes last.
Appoint a designated compliance administration team
The very first step in compliance administration is to have a dedicated team for the purpose. The team is usually led by the Chief Compliance Officer, who is assisted by Compliance Administrators at various levels. The job of the compliance administration team is to design and implement all the administrative processes adhering to the organization’s policies, to ensure compliance. The compliance administration team will also need to arrange for compliance training of employees and evaluate the application of the procedures taught within the organization.
The team should be responsible for carrying out all the correspondence and communication with the legal or regulatory department. They must keep the organization updated on recent developments or changes in regulations and standards. The team has to document any new information and report to the company’s leadership about the same.
As compliance requires continuous monitoring, the compliance administration team also has to define internal auditing processes and carry out audits regularly. The team has to design strategies to achieve all the objectives of compliance management and communicate the compliance requirements to employees and departments effectively.
Build a strategy
Once a compliance administration team is formed, the organization has to focus on building a strategy to ensure efficient compliance management. The strategy will include the plan of action that the organization will follow in administering the regulations as well as the approach that it is going to take.
For building the strategy, the compliance administration has to first identify the regulations applicable to the organization, which could be specific to the industry it functions in or to its operations. There may be other regulations that are applicable to all irrespective of their industry or operations, such as diversity and inclusion or corporate social responsibilities. After identifying the applicable regulations, the team must assess the organization’s current state and decide whether they are in a position to implement these regulations effectively. They must assess what resources may be required for successful implementation.
After this initial assessment of the whole situation is done, the organization has to build a compliance program. This program will focus on the organizational policies to be introduced. It should also define the processes in compliance with the regulations, which will depend on what products and services the company offers. The compliance program will also include training of employees to help employees understand existing and new regulations and their implementation. The program has to introduce both internal and third-party audits to monitor whether all guidelines are being followed in all areas of the business. And lastly, wherever a lapse is detected, corrective measures must be in place to improve those areas.
The organization also needs to decide on the kind of approach it wants to take in the enforcement of regulations. It can either resort to a rigid approach or a flexible approach. It primarily depends on the organizational culture and how authority flows within the organization.
• A rigid approach to compliance management
It is quite clear from the name above that the rigid approach allows almost no deviance from the set regulations. In case of violations, the organization takes very stern action. In large organizations where the compliance managers have to ensure that a large number of employees comply with the regulations, such a rigid approach often becomes necessary. They cannot afford to practice any leniency in the implementation of regulations as a minor lapse may soon cascade into uncontrollable deviance. So, organizations like these cannot manage the implementation of company policies on a circumstantial basis but have to stick to the guidelines end to end.
This type of approach may also be seen in organizations that have a rigid hierarchical structure. When the authority to make decisions lies only in the hands of the executive leaders, compliance managers are bound to follow their instructions. In such organizations, decisions cannot be changed to accommodate circumstantial issues. Even if the managers have to deviate from the guidelines to make exceptions, they have to wait for approval from the leadership, making the process long and tedious. There is no autonomy, and compliance has to be administered strictly in these organizations.
A rigid approach may also be necessary where non-compliance inevitably means crossing a legal boundary. The organization cannot afford to take regulations lightly in such cases, and compliance is a must.
• A flexible approach
A flexible approach may not be possible where there are legal implications to a regulation. But in the case of certain policies within the organization, the compliance managers may deal with the matter with a lighter hand. Under certain circumstances, relaxing a few guidelines or giving more flexible options to employees can boost their productivity and may even be necessary. As long as relaxing a particular standard does not compromise the company’s ethical or legal liabilities, a flexible approach can be used to improve workflows and performance.
Every organization faces such circumstances from time to time where it may not be practical or reasonable to rigidly stick to a rule. It may have to make exceptions and the flexible approach allows for it. This is a more suitable approach for smaller companies that have the liberty of making decisions on a case-to-case basis. They have fewer people to manage and anything that goes out of hand can be controlled much more easily.
However, a flexible approach may be applicable to large companies under certain circumstances. Large companies may have several different policies to comply with and often there may be contradictory policies resulting in conflicting standards within the organization. In such cases, the organization has to take a flexible approach and choose which policies to comply with and which ones to leave out based on the priorities.
There is no hard and fast rule as to which approach a company should take. The same organization may choose to take a different stance under different circumstances. For rigid compliance, the company policies must be extremely clear and leave no scope for ambiguity. Wherever there is a lack of clarity, the company has to allow more flexibility. The organization must have procedures in place to allow for such exceptions, such as getting a written permission or informing the supervisor before deviating from the standard process.
Administer compliance training
The next step after creating the compliance management strategy is to prepare the employees for compliance. An employee will only be able to follow the guidelines when he or she is aware of them. This is why a robust compliance training program is absolutely necessary for every organization.
The compliance training educates your employees about the laws, regulations, and standards that the organization needs to abide by. These are, therefore, the regulations that they need to abide by as well being a part of the organization. The training program cannot be unidimensional though. Laws and regulations keep changing. So, the organization cannot expect to manage compliance successfully by simply training their employees once. There has to be a separate training program for onboarding or new employees, introducing them to the existing rules and policies. Also, there have to be training programs planned for whenever there is any change in the regulations or whenever new procedures are introduced.
Periodic training must be made mandatory in order to achieve the successful implementation of rules and regulations. Training may be conducted live in person or through e-learning platforms, video conferencing, or other modes, to make the training programs more accessible to everyone. In situations like the current Covid-19 pandemic the world has experienced, it is all the more important for organizations to experiment more with remote training and development programs.
Focus on monitoring and annual reporting
Any compliance framework has to have a monitoring and reporting method in place to ensure that the efforts to ensure compliance are hitting the target. The organization should have oversight of its compliance management through constant monitoring, and the compliance team must make sure that all employees are working within the compliance framework. This continuous monitoring allows the compliance managers to detect issues and eliminate them before they can lead to serious consequences.
Effective monitoring requires established protocols and controls to detect problems and correct them to ensure compliance at all times. In case of a breach in compliance, the monitoring method must be able to correctly identify how the breach occurred or where it originated. This helps the compliance managers address the correct issues and prevent similar problems in the future.
Compliance managers also need to have a standard method of reporting to the senior management of the company. The report should discuss in detail how the organization is enforcing or implementing rules, regulations, laws, and standards. It should include the analyses of the methods implemented and discuss whether they have been effective.
Regular audits and reporting are an essential part of compliance administration, as they allow the organization to avoid non-compliance in time. Internal audits from time to time can help them address issues before external auditors can find them. This can save the organization from regulatory penalties and lawsuits.
Track and report exceptions
We have already discussed above that an organization may need to make circumstantial exceptions when it comes to compliance. But these exceptions, if undocumented or untracked, may cause external auditors to consider them as non-compliance. This may land the organization in serious trouble.
Whenever an organization decides to make an exception to compliance with a given standard, it must immediately record it and report the same to the higher authorities, within or outside the company. For example, under the GDPR in the European Union, if a company has undergone a data breach and reported the breach to the Data Protection Agency (DPA) within 72 hours, the fine imposed on the organization may be lowered. But failure to report can result in even heavier penalties.
For internal policies, any exception made must be reported to the senior management along with circumstances that called for such an exception. This allows the appropriate authorities to investigate and confirm the incident in a timely manner.
Risk assessment is an important part of the compliance management framework. Conducting a compliance risk assessment is a necessary step in compliance administration. Every organization has certain areas where compliance risks are high and which may lead to potential legal, financial or reputational damage. Compliance risks are the threats to the organization’s operational performance or legal, financial, and reputational standing due to non-compliance with the law, standards, or codes of conduct.
To understand all the potential risks, an organization may need to improve its compliance risk assessment process. An organization may have experience with risk assessment in general. Every business has to carry out a risk assessment for various purposes, but not all of these risk assessments focus on legal or regulatory compliance implications. Though compliance risk assessments may follow a similar approach as enterprise risk assessment or internal audits, they are supposed to be much more focused on the legal aspects.
The compliance risk assessment framework can help compliance managers detect any inefficiencies or loopholes in the system and address them before they can create bigger problems for the organization. Compliance risks are even greater with the rapidly changing regulatory landscape today. Businesses find it challenging to keep up with the changes and the chances of non-compliance, and associated risks of penalties, increase as a result. A strong compliance risk assessment framework can prevent this from happening.
For efficient compliance risk assessment, an organization has to build a proper methodology for risk assessment. The methodology usually consists of a few basic steps which include the following:
Identifying the hazards
This is the first step, where the organization must assess its current state to identify any processes, procedures, systems, or transactions that may be non-compliant. This current state assessment also lets the compliance managers find existing materials already prepared for compliance purposes and see if they are being followed efficiently. The key people working closely with the business process need to be interviewed to understand how they are ensuring compliance.
This step allows the compliance administrators to get a clear picture of the company’s compliance landscape and identify the compliance risk points or areas that are potentially violating regulations. Evaluating all the key processes, systems, and recurring transactions in terms of regulatory compliance with the applicable laws and standards can give valuable insights.
During this initial assessment, the compliance managers may come across two types of risks, namely inherent risks and residual risks. Inherent risks are simply the risks that already existed in the organization before the controls to mitigate risks were put into force. Understanding the inherent risks in a business allows the compliance managers to decide how to control them and build a compliance strategy well in advance.
Residual risks are those risks that still pose a threat despite applicable controls being in place. These risks could be a result of inefficiencies in the existing controls or compliance measures and will require corrective actions to improve the system.
Assessing the current controls
The next step is to assess the controls in place and detect any insufficiency in the policies, procedures, working instructions, or other applicable controls. To understand whether all controls are efficiently helping with compliance, the compliance managers must themselves be aware of all possible regulations and standards that are applicable to the business.
Taking measures to enhance compliance
The organization then needs to prioritize its compliance risks and address the compliance program gaps on the basis of the severity of risks. High-risk areas must be covered first, then lower-risk areas, systematically. Monitoring, feedback, and improving the risk assessment framework on a regular basis are important to ensure that it delivers results.
Testing & Certifications
Compliance with regulations and standards is only useful when the organization has valid evidence to prove it. An organization cannot self-certify its compliance with international standards or industry certifications. Self-certification may only be valid as far as internal policies and codes of conduct go. But for all other regulations and standards set by regulatory bodies, testing and certification by the appropriate authorities are essential.
Compliance testing, also sometimes referred to as conformance testing, is the process of testing the controls that the organization has established to validate whether they meet the prescribed standards or not. This is one of the very first tests conducted in any audit for assessing the control environment of the organization. If all controls are found to be effective and the organization’s processes and procedures are found to conform with the standards, the regulatory body can certify the organization or its process/ product/ area as compliant.
The methods and approaches to compliance testing may differ between industries. If the organization is undergoing IT compliance testing, for example, the audit teams would check for compliance with the standards set by regulatory bodies such as the World Wide Web Consortium or the International Institute of Electrical and Electronics Engineers. For a manufacturing plant in the US, say, that must comply with the pollution control measures laid down in the Clean Air Act (CAA), the company may have to undergo emissions testing, and so on.
For different industries, there may be different standards and, thus, different certifications. Companies working in the Banking & Finance, Insurance, or Investment industries, in particular, are required to operate in a very complex regulatory landscape. The US alone has several regulations at both the federal and state levels. There are privacy and cybersecurity laws, corporate finance regulations, investment regulations, and much more.
It is, therefore, important for organizations to have their own internal testing methods in place, so that external audits cannot find any gaps in the control environment and acquiring certification becomes easier. For compliance testing internally, compliance teams can first create a checklist of all the applicable regulations and certifications that the organization is required to have. Then, a testing methodology can be developed from their understanding of compliance testing, taking into consideration what external auditors could look for. This will help them identify issues and remediate them before an external compliance testing takes place.
The testing methodology may be simple. The aim here is to test whether the deliverables of each system or process are compliant with the prescribed standards or not.
Management of workflow processes is a crucial part of compliance management as well. The workflow processes are the series of tasks that need to be carried out sequentially to execute a business process successfully. But these workflows cannot be designed any way one likes. They have to follow some predefined rules and standards. That means the workflow processes need to be compliant too. The workflow processes must be designed to comply with the company’s internal policies and applicable laws or regulations set by external agencies.
The organization has to define the compliance benchmarks based on these internal and external compliance requirements for the workflow.
Workflow management software
Until a few years ago, companies would try to achieve workflow compliance through manual efforts, trying to enforce the regulations and laws and seeing to it that they were followed to the T.
However, this is not only time-consuming but also leaves room for human error and reduces accountability, making the workflow process prone to violations. That is why companies today rely on workflow management software that makes compliance a lot easier. Workflow management software streamlines the business process and automates most of the work involved in workflow design. Tasks can be assigned in the software along with instructions and guidelines to ensure that the person responsible for carrying them out is aware of the compliance requirements. So employees do not need to be reminded of regulations again and again.
Good workflow management software can ensure that all necessary steps in the workflow process are followed, control processes are enforced without fail, and all information is verified. The workflow manager can assign approval checkpoints so that work is approved only when it meets the compliance requirements. This also saves time on monitoring and evaluation of the work.
Workflow automation can reduce the risk of non-compliance and result in no problems when the time for compliance testing comes. For example, let us consider the accounting workflow of an organization. There are a lot of factors to be remembered in this workflow, such as what comes in and what goes out, who comes under debit and who comes under credit, etc. Then there are tax calculations, standard formats and so much more to follow. By automating the accounting workflow through the workflow management software, the organization can ensure that all documents, calculations, etc. go to the appropriate departments at the right time. The chances of a lapse here are minimal as everything is input to the system beforehand and the rest of it is automated. With minimum human interference, compliance becomes more likely.
Every business has to develop a code of ethics, for more than one reason. Ethics broadly define the values and principles that the organization stands for, and they are supposed to guide the behavior of everyone working in the organization. As a business grows, it is not possible for the leaders to instill these ethics in each and every employee directly, and that is why a code of ethics becomes essential. The code of ethics is a documented version of the values and principles that can be shared with everyone, making them easily accessible. It should remind each stakeholder of the organization of their responsibilities, towards the enterprise and towards society.
There are usually two kinds of ethics codes in an organization – one that is based on integrity and one based on compliance.
Integrity-based code of ethics
The integrity- or value-based code of ethics refers to the company’s core values. It outlines the standards of responsible behavior for everyone in the company, for the greater good of society. These value-based codes of conduct may not always have severe consequences if violated, so they require more self-regulation and cannot be enforced by others. Every individual has to consciously control their behavior to comply with these ethics. Instead of dictating a certain kind of behavior, an integrity-based code of ethics focuses on certain actions or outcomes that the organization hopes to achieve.
Compliance-based code of ethics
A compliance-based code of ethics, on the other hand, is developed so that everyone in the organization follows the regulations and laws set down by regulatory bodies. Issues that can have serious implications such as safety, workplace harassment, cybersecurity, privacy, environmental hazards, etc. are usually controlled by binding regulations. Compliance-based codes of ethics are not just guidelines for employees to follow, they can also result in heavy penalties if violated. The penalties are also, usually, defined in the code of ethics itself.
Employees may need to undergo formal training to fully understand the laws and regulations as well as the code of conduct. As there are legal implications of non-compliance with these ethics, the organization usually suffers a loss for even a single error on the employees’ part. So individual employees can also be penalized by the organization for failing to comply and follow guidelines, despite being constantly reminded.
In most organizations, it is the responsibility of the compliance administration team, or the compliance officer to ensure that the principles and conduct mentioned in the code of ethics are followed by all employees across all departments. They are also expected to keep track of any changes in regulations and update the code of ethics accordingly as well as communicate these changes to employees in order to encourage compliance.
The compliance-based code of ethics has very clearly defined rules and consequences. It usually does not allow for circumstantial exceptions or individual discretion and applies to all, irrespective of the circumstances. There is no place for ambiguity in compliance-based conduct, as ambiguity makes way for different interpretations by different people.
Training and communication
In the case of both integrity-based and compliance-based codes of ethics, it is very important for organizations to focus on training and communication. Organizations can never expect to comply with their codes of ethics if employees are not well versed in the organizational policies and procedures. Employees need to be told about their ethical boundaries within the organization and their responsibilities as a part of the organization.
The compliance program in an organization has to go hand in hand with a professional ethics program. Professional ethics in the organization play a very important role in ensuring compliance. Professional ethics began to be seen as an integral component of compliance when more and more cases of financial scandals, scams, money laundering, etc. began to come to light. Major events like the tech bubble that burst in 2002, leading the stock market to crash, or the housing bubble in the US in 2008, caused governments and regulatory bodies to strengthen regulations and focus more on professional ethics, transparency, and rigorous scrutiny.
Such events have caused professional ethics and compliance to take center stage and made them a part of the strategic foundation of the organization. Good professional ethics are not just necessary for an organization now but are the key to gaining stakeholders’ trust and a reputation in the industry. A strong professional ethics and compliance program can enhance the company’s reputation, increase employee engagement and create a healthy organizational culture where ethical behavior is not exceptional but rather a norm.
Identifying the gaps
For a strong and effective business ethics program, it is important for the organization to first understand where it stands. The compliance managers need to ask several questions, such as:
What challenges in terms of business ethics does the organization face?
Which group of people, departments, locations, or business units show the highest risk of non-compliance or poor ethics?
What are the organizational values that employees need to stand by?
What other values may be necessary for the organization to be compliant?
What resources may be needed to help employees understand and comply with the necessary ethics?
Which group of people’s inputs may be important or useful in developing the company’s code of ethics?
Answering these and other similar questions can help compliance administrators create a meaningful and clear plan of action. This gives them a detailed picture of their current strengths and weaknesses. A gap analysis like this will tell them what needs to be done to promote strong professional ethics among the employees.
Establishing a strong foundation
Once an organization knows what it needs, it can start laying the foundation for strong professional ethics and thus for strong compliance. The first step to laying a strong foundation is building a robust ethics and compliance program. An ethics and compliance program has been proven to be a very powerful tool in preventing the compromise of standards and reducing observed misconduct. It results in increased reporting of misconduct by employees and also reduces people’s fear of pointing out wrongdoing. With a strong professional ethics program in the organization, employees are less likely to feel pressured to compromise standards or break laws, and the program assures strict action against those who deviate or pressure others to do so.
As more people value professional ethics and the organizational culture encourages it, bad conduct comes to light more easily, making it easier to address the problems internally.
Building a strong foundation requires several tools. These include a written code of conduct, employee training in ethics and compliance, company resources offering advice and information about ethics and compliance, a prescribed method for reporting potential violations, and so on. Any reporting of violations should be kept confidential and anonymous to build confidence among employees. It is also important to have a regular evaluation of performance in terms of ethical conduct and a strong system in place to discipline and penalize those who violate the code.
Committing to ethics and compliance from the top down
Professional ethics and compliance are not meant for employees alone. The commitment towards professional ethics must be exhibited by the top executives of a company as well. Integrity, honesty, and transparency among the organization’s leadership are essential to influence good conduct among employees. The leaders of the company are the people who develop the organizational culture over time, and so they have the power to change the organizational culture for the better as well.
Leaders can, therefore, promote strong professional ethics through their words and actions. They need to talk more about the importance of ethics. They must communicate the issues that arise every day due to a lack of professional ethics. Leaders must themselves keep their word and uphold promises they make to employees or other stakeholders to demonstrate their integrity. Apart from this, the company’s leaders should also make an effort to recognize and acknowledge those who show highly ethical conduct and hold accountable those who violate regulations and codes of conduct.
Such a display of integrity and ethics by the leadership can play a huge role in changing the environment of the organization.
Making professional ethics central to all operations
To promote a culture of professional ethics and compliance, it is not enough to just talk about it once a month or conduct a workshop every year. Professional ethics have to be central to everything that the organization does. Ethics should be an integral part of the company’s day-to-day functioning. Starting from the company’s HR policies to the hiring processes, from performance management to reward systems, everything that the company does must be done within the value system and ethical framework that it hopes to establish.
Even in a time of crisis, leaders have to take the opportunity to teach ethics that can help find a feasible as well as an honest solution to the problem. Employees should never be encouraged to compromise on standards, take shortcuts or adopt unethical means to solve a problem. Staying firm on their ethics even during crises, helps leaders show employees that professional ethics are an important element for a successful business.
Types of Ethics
The three major approaches in normative ethics are virtue ethics, consequential ethics and deontological or duty-based ethics. Virtue ethics emphasize moral character in judging whether something is right or wrong. Consequential ethics make this judgment based on the consequences engendered. Deontological ethics suggest that an action is right or wrong depending on a specific set of rules.
The roots of virtue theory go back to the beginning of philosophy in Athens, set out in Aristotle’s ethical treatise, the Nicomachean Ethics. Ethical values can arise from a moral rule and have a corresponding vice. For example, a moral rule around ‘not lying/always speaking truthfully’ is associated with honesty and opposed to dishonesty. Moral agnosticism naturally stands in the way of fostering an ethical culture within the organization. It can lead to ‘ethical blindness’, where people (good or bad) behave unethically without being aware of it, usually from not considering the ethical dimensions of a decision they are making.
Consequentialist theories base the moral evaluation of actions on the outcomes they produce. Utilitarianism is a famous consequentialist theory that assesses character traits and actions solely in terms of overall net benefits. It is concerned with the question ‘what outcomes should I want?’ and, as you can imagine, can be problematic if used to defend actions or decisions that affect the organization’s compliance posture.
Deontology, associated with the philosopher Immanuel Kant, emphasizes the motivations, ideals and principles underlying an action or decision rather than the consequences of that action or decision. According to deontological theories, some actions are always wrong, regardless of the outcome they lead to.
Judging the morality of actions based on an ethical framework can help shape the ethical character of the entire organization.
Gifts & Entertainment
There is a very high-risk compliance area that companies often tend to neglect and that is gifts and entertainment compliance. Although gifts and entertainment may be an important tool for companies to foster good business relationships, there are regulations on their use as well. That is because gifts and entertainment can also lead to inappropriate influences and undue favors. Bribery in government and corporate offices, anti-kickback laws, violation of contract policies with third parties, etc. have increased the requirement for these regulations governing gifts and entertainment in an organization.
Every organization should understand the risks involved regarding conflicts of interest, bribery, or their interactions with certain customers, etc. when creating a gifts and entertainment compliance framework. They should also be aware of the gifts and entertainment policies of their stakeholders, such as clients, suppliers, IT partners, and so on. This helps ensure that the policies of the company do not result in the violation of the other party’s compliance policies.
Building a gifts and entertainment compliance program follows a procedure similar to most other compliance programs. It starts with an assessment of the compliance risks and the applicable regulations, followed by the creation of standards and policies for the company, training and communication, monitoring, and control.
The traditional approach to gifts and entertainment
Until not so long ago, gifts and entertainment were not viewed as a matter of concern. Companies allowed the acceptance and gifting of luxury items, visits to luxurious places, or donations without the need for any documentation. During those times, regulations on gifts and entertainment were only seen as an obstruction to building relationships with partners and other businesses.
But the scenario is very different today. Organizations cannot afford to accept or give away expensive gifts or large amounts in donations without a valid reason or documentation. There are numerous lawsuits and fines associated with inappropriate gifting or acceptance of gifts, which may be considered corruption. Apart from the legal consequences of violating these regulations and the loss of reputation, employees today are themselves more aware and attach importance to ethics and values. So this traditional approach to gifts and entertainment is no longer valid in today’s world of business.
Creating policies for gifts and entertainment
When creating gifts and entertainment policies for a company, there are certain key factors to keep in mind. First of all, like all other compliance requirements, the gifts and entertainment policies should also be documented and circulated throughout the organization. The documented policy should clearly explain why certain gifts or entertainment activities are not acceptable and why putting these limits on them is important.
It should also clearly mention which gifts and entertainment activities are acceptable within the company. If there are any particular business units or functions where the rules need to be stricter, that should be clearly defined in the policy. The policy should also discuss the penalties and possible action that will be taken against violators.
Training and education of employees in this regard is also equally important. All employees should know the standard code of conduct regarding the acceptance of gifts and the values that the organization upholds.
Insider trading has caused trouble to many big names in the Investment and Finance sector. Employees of companies in these industries have access to a lot of confidential information pertaining to the stock market and trading. Using this information for trading in the stock market for personal gains is not just unethical but also legally prohibited. This is why regulatory bodies have put down very stringent laws against insider trading.
It is very important that the compliance program in an organization is adequately designed to deliver maximum effectiveness in detecting and preventing unlawful, criminal activities by employees. The government also requires that these compliance policies be efficiently enforced, although it may not be possible to keep an eye on every activity of employees.
Creating a strong insider trading policy
The organization must have well-defined rules on personal trading by employees. Management should ensure that trading policies for employees are effectively enforced, distributed, and reviewed regularly. The documented policy on employee trading should clearly differentiate between permitted and restricted employee trading activities. It should also state who the covered persons are and what the covered securities are. If employees are required to obtain permission before entering a trade in a covered security, the procedure for approval must also be stated clearly. Employees are also required to report their holdings over a fixed period, and the policy should define the time period and frequency of reporting.
The rules of insider trading are not limited to employees alone; covered persons may include family members and others over whom the company has discretionary authority. So a full list of accounts and trading reports of such persons may also be requested by the company for verification.
A strong process of regularly reviewing employees’ compliance to trading policies and restricted investments must be in place. Organizations also have to take care of who has access to confidential information. For instance, regulatory bodies require companies to regulate and maintain detailed records regarding the sharing of material non-public information (MNPI) with employees. The management of the company must control who gets the privilege of accessing MNPI and keep valid records of it, including when the information is shared and for how long a piece of information is considered MNPI.
Efficient insider trading compliance program characteristics
A strong compliance program for insider trading should have the following characteristics:
– The commitment of top leadership
– Adequate resources, qualifications, and structure to ensure compliance
– A strong code of conduct, policies, and procedures
– Effective training of employees and communication of policies to them
– An efficient method for confidential and anonymous reporting, as well as investigation
– Internal auditing and controls testing
– Regular review and improvement of the compliance program
It may be difficult to completely prevent insider trading even with the most efficient compliance program but having robust policies and strong ethics within the company can mitigate the risk to a great extent.
Governance and Audit
Proper governance and auditing are an integral and critical part of any compliance program. Internal audits are a necessary way of ensuring that all the controls employed to ensure compliance are working effectively. They also serve as a means of assuring stakeholders that compliance is being taken seriously.
Moreover, regulatory bodies are always increasing the requirement for mandatory disclosures regarding compliance and governance that must be submitted by companies from time to time. That makes governance and auditing all the more important to organizations that have an ongoing compliance program. But despite the pressing need for efficient governance and auditing, the challenges to these activities are not getting any smaller. The regulatory and business landscape is continuously changing. From regulations to people to technology and processes, everything changes rapidly today and adds complexity to governance methods.
From 2002 to date, that is, within the past 18 years or so, numerous new regulations and compliance requirements have been introduced, particularly in the Banking & Finance, Insurance, and Investment industries. From corporate governance requirements to SOX to the Regulatory Mandate for Risk Management, there have been several cultural shifts in the business environment.
This requires businesses to not only focus on governance and auditing but also ensure that their methods are sustainable in the face of an ever-changing environment.
Role of executive suite in governance
Governance and auditing comprise all the activities carried out by the compliance, risk assessment, legal, finance, HR, and IT teams within the organizations. It also includes any auditing done by third parties or external stakeholders. However, it is not just the compliance and auditing teams that are responsible for managing governance, risk, and compliance. The top executives and the board of directors in a company are also equally responsible for governance and compliance. Governance refers to the ways and means by which an organization is controlled. Since most of the major decisions in an organization are made by, or in consultation with, the company’s leaders, their involvement in governance and risk management becomes imperative.
Internal audit functions
Internal audits can cover several key areas of governance, risk, and compliance. Risk-based internal audits are necessary for risk assessment and control assessment within the organization. Audits of operational efficiency review the policies and procedures defined by the organization to ensure compliance. These audits also review the operational framework and the integrity of the systems with respect to the business operations and organizational needs. Operational efficiency audits need to focus on the information systems too, as communication and information sharing are crucial to effective compliance.
Apart from these, internal audits may also focus on governance processes. This includes reviewing the code of conduct, the risk management committee’s performance, and the audit committee’s effectiveness. There are other forms of internal audits too that may not be directly related to compliance programs but can have an indirect influence. These are cost efficiency audits of the business, performance efficiency audits, and audits of the business strategy and plan.
Paying attention to governance and audit can greatly improve decision-making in the organization. It also helps integrate the company and break down silos for better collaboration and better flow of information. It can make an organization much more agile and confident.
Importance of compliance auditing
Compliance auditing, both internal and external, is important to an organization for several reasons. External auditing is often necessary for confirming compliance and attaining certifications. But internal audits are also equally useful and important. Timely and regular audits can help a company determine its weaknesses in the regulatory compliance framework and processes. This gives an opportunity to fill up the gaps and improve the processes and procedures to increase compliance.
Audits can also help companies obtain guidance from expert auditors, which can help reduce compliance risks and avoid potential legal consequences and penalties due to non-compliance. We have emphasized several times that the regulatory landscape is very volatile and constantly changing. This means that compliance programs also need to keep up with changes and evolve. Regular audits enable businesses to improve their compliance programs by keeping them current with regulatory changes and incorporating these changes in the organization.
Focusing on governance and audits allows organizations to monitor how the business leaders, shareholders, and stakeholders are behaving in terms of compliance. It helps increase accountability for the decisions and actions they take. Published audited financial statements or any such crucial information are very important in this regard.
The right approach to governance, risk, and compliance
The best way to implement governance, risk, and compliance, also referred to as GRC, is to take a holistic approach to it. GRC is not limited to a certain department or business unit. It applies to the entire organization. The three most common areas where GRC is applied in any organization are financial, IT, and legal. Financial GRC ensures that all financial processes are carried out correctly and transparently, including reviewing their adherence to any financial regulations that may apply.
The IT GRC relates to the activities of the IT department of an organization and ensures that all processes, products, vendors, etc. support the current and future business needs while being compliant with all applicable IT regulations.
Legal GRC covers all the different areas of the business through the organization’s legal department and ensures compliance with all applicable laws and mandates.
A very useful model to apply this holistic GRC approach, suggested by the Open Compliance & Ethics Group (OCEG), is the GRC Capability Model. This open-source approach combines all the different sub-disciplines of governance, risk, compliance, audit, ethics, and IT.
The Capability Model is made up of four components, namely – learn, align, perform and review.
Learn – This refers to learning about the organization’s culture, context, and key stakeholders. This helps build and inform objectives, strategies, and actions in the organization.
Align – This refers to aligning the organization’s strategies with its objectives and the actions with the strategies. It focuses on effective decision-making keeping in mind the organizational values, requirements, opportunities, and threats.
Perform – Perform refers to performing actions that promote desirable outcomes, remediating policies and procedures that are undesirable, and being quick in detecting issues.
Review – This refers to reviewing the strategies and actions in terms of their effectiveness as well as the relevance of the objectives, to help the organization improve.
This model is crucial to GRC as it presents an iterative approach to continuous improvement and can drastically improve the governance and compliance in an organization.
Personal trading by employees of an organization can often lead to a conflict of interest. Employees, particularly in companies in the Investment sector or companies offering trading advice to clients, may have access to material non-public information. Such information can give them an undue advantage in trading with their personal accounts and this is considered a misuse of the MNPI.
Many pieces of legislation, such as the Investment Advisers Act and the code of ethics rules in most countries, require organizations to have a personal trading policy. Under these acts, companies should have strong policies that make it mandatory for employees to disclose all their personal securities transactions and holdings, which must be recorded and reviewed from time to time.
According to the guidelines, the people in the organization responsible for managing the personal trading policy must define who an “access person” is. An access person could be an employee who has access to non-public information about clients’ transactions or holdings, or an employee who has access to, or themselves makes, securities recommendations to clients. Employees with such access could misuse the information and create a conflict of interest with the organization. For instance, they could time their trades so as to disadvantage the company’s clients, as they have access to crucial MNPI. Or they could place trades that put the market itself at a disadvantage. Such acts can be considered a breach of their fiduciary duty.
Access persons are not just employees who have access to such MNPI or make recommendations to clients. The term may also include people working in close association with them, such as their supervisors, or anyone else who may have access, including company partners, officers, and senior executives.
The company’s code of conduct should require access persons to disclose holdings within 10 days of entering a new trade or of taking on what may be called an “access” role. There are also certain securities that are covered by the personal trading policy of every company. An access person has to report their holdings and transactions in these securities on a quarterly basis after the initial reporting.
The compliance managers must keep adequate records of employees’ personal trading disclosures as evidence of compliance with the policies and of the company’s efforts in monitoring personal trading. Some companies allow access persons to report their holdings and transactions by simply sending a duplicate copy of their trading statements to the compliance adviser, while others require employees to have trading accounts managed only by an affiliated firm. No matter which method a company chooses to follow, careful examination and monitoring of personal trading information is a must.
Compliance, though necessary for every organization to ensure safety and integrity, may receive different responses from employees and stakeholders. Compliance is often seen as an obligation, something that an employee has to follow by any means. It can even lead to aversion among employees and what is called ‘compliance fatigue’. Organizations should, therefore, focus on changing people’s attitude towards compliance. When people stop seeing compliance as a checklist with a number of regulations to fulfill, and start seeing it as an integral part of the company’s identity, that is when the organization develops a compliance culture.
Compliance culture cannot be built overnight by an organization. It has to start at the top and gradually seep into the lower layers of the organization. It requires a change in organizational behavior. Professional ethics and social responsibility are at the core of this change.
Building compliance culture
The development of a compliance culture in an organization starts from the organization’s vision, mission, and values. The leaders of the organization must demonstrate their commitment to the vision and values of the organization. They must be able to uphold these values for everyone else to see and realize that these ethics are central to the organization’s functioning.
Before expecting others to dedicatedly follow the code of conduct of a company, the leaders must themselves live by the code. The top executives set the standards for everyone else to follow. If leaders themselves are seen compromising on ethics, standards, and regulatory compliance, be it for personal gain or for the organization’s, employees will also be influenced to do the same. But if the leaders stand firmly with ethics, reward compliant behavior, and do not show any tolerance toward non-compliance, employees will be encouraged to maintain integrity as well. This is what is commonly called “tone from the top”.
The management of the organization also plays an important role in fostering a culture of compliance. Managers are usually in close contact with employees and are responsible for implementing the processes and procedures for compliance at different levels. So, managers’ actions must exhibit exemplary ethical standards for others to follow suit.
It is also important to ensure that such ethical and compliant behavior is applied to everyday interactions and activities. Ethical behavior can only turn into culture when it is practiced daily, by everyone. Employees must be motivated to practice the organization’s ethics in every formal or informal interaction they have, every single day. In case of violations, visible actions must be taken to assure that the organization takes compliance seriously. If the company keeps making exceptions to its own rules and policies often, employees start believing that the rules are arbitrary and can be bent at will.
Fair, reasonable but consistent enforcement of the organization’s policies is a must to create a culture of compliance. Compliance programs that put in this extra effort to turn compliance into culture can help the business achieve all its regulatory goals through ethical and responsible behavior.
Compliance Administration – Part 1- Year 1
- Part 1 Month 1 Compliance Essentials
- Part 1 Month 2 Risk Assessment
- Part 1 Month 3 Testing & Certifications
- Part 1 Month 4 Workflow Processes
- Part 1 Month 5 Ethics Code
- Part 1 Month 6 Professional Ethics
- Part 1 Month 7 Types of Ethics
- Part 1 Month 8 Gifts & Entertainment
- Part 1 Month 9 Insider Trading
- Part 1 Month 10 Governance and Audit
- Part 1 Month 11 Personal Trading
- Part 1 Month 12 Compliance Culture
The following list represents the Key Program Objectives (KPO) for the Appleton Greene Compliance Administration corporate training program.
Compliance Administration – Part 1- Year 1
1. Compliance Essentials
Before an organization starts creating a compliance program, the first thing that it needs to know is the essential elements of the compliance program. The organization has to do some diligent research on the applicable laws and regulations. But simply communicating these regulations and standards to employees will not make them comply from day one. The company has to appoint a dedicated compliance administration team that will take care of all related activities. The team has to design and implement all the administrative processes to ensure compliance with organizational policies. They will also be responsible for updating the policies and monitoring compliance on a regular basis.
The organization will need a strong strategy for the implementation of the compliance program. The strategy has to define whether the organization will take a rigid or flexible approach to compliance, or switch between the two based on circumstances.
Training of employees to educate them about the laws, standards, and codes of conduct is essential. Without periodic training, employees cannot be expected to commit to compliance or understand its importance. Along with periodic training, monitoring and audits are equally important. Monitoring with established protocols and controls allows the organization to identify gaps in the compliance program and remediate them in time. Audits and reporting help prevent non-compliance and associated penalties.
It is also important to document and report any exceptions to compliance that may have been made. Untracked/ undocumented exceptions may be treated as non-compliance during external audits and may land the organization in trouble.
2. Risk Assessment
Risk assessment is a very crucial part of a compliance management framework. Compliance risk assessment refers to identifying those areas in the organization where the risk of non-compliance is high, which may lead to legal, financial, or reputational damage to the company. The risk assessment process in a company has to be efficient to be able to identify and understand all potential risks. The risk assessment process starts with identifying the high-risk areas in the business. Risks may be of two kinds – inherent and residual. Organizations usually have control measures in place to ensure compliance. Inherent risks are risks in those areas where such controls have not been used to mitigate them. So the risk assessment will tell the compliance administrators where there is a lapse in controls and help them remediate these areas.
Residual risks, on the other hand, are those risks that exist despite controls being put in place. This goes on to imply that the existing controls are either not sufficient or not effective. Based on the calculation of both inherent and residual risks, a business can judge its current controls and introduce changes wherever there is scope for improvement.
To make risk assessment more efficient, the organization must develop a well-thought-out risk assessment framework. The risk assessment should include a few key components such as the regulatory matrix, compliance risk analysis, and compliance review. The regulatory matrix should contain all the various laws, regulations, standards, and guidelines the company needs to follow along with the compliance risks and necessary controls. The compliance risk analysis and review will then help suggest corrective action where necessary.
3. Testing & Certifications
To prove its compliance with all applicable regulations and standards set by the government or other regulatory bodies, an organization has to have valid certification. Except for their internal standards and policies, all other compliance needs to be tested and certified by appropriate authorities. Compliance testing refers to the testing of the existing controls in the organization with an aim of verifying whether they help the organization meet the prescribed standards. If the controls are found to be effective, the regulatory body can certify the organization or its departments/ business units to be compliant.
Compliance testing and certification are important to a business for a number of reasons. Once an organization is certified as compliant it can boast of these certifications on its website or any other marketing material. Obtaining certification helps win customers’ trust in the company. It also helps them win over investors as companies that are certified as compliant are considered to be more reliable by funding agencies. Investors may often ask for evidence of a company’s compliance with standards too. In such cases, the certification from different regulatory bodies is invaluable.
Compliance testing for certification is done by external agencies, but an organization can also conduct internal compliance testing. Having an effective internal testing process helps prevent any lapses in the compliance program so that certifying bodies do not find any gaps during compliance testing. Companies in the Banking & Finance, Insurance, and Investment industries have to be particularly vigilant and pay more attention to testing and certification, as the regulatory landscape in these industries is quite complex.
4. Workflow Processes
Compliance in workflow processes is extremely crucial to the overall compliance program of a company. Workflow refers to the series of activities that need to be undertaken in a sequence to complete a business process successfully. When workflow processes are standardized and compliant, the likelihood of the end product also being compliant increases. But in a workflow, there may be several people involved. Someone needs to assign the tasks and communicate the applicable guidelines; others need to execute the tasks while staying within the prescribed guidelines. When done manually, managing the workflow process becomes very tedious. But more importantly, the chances of errors and, thus, non-compliance also increase manifold.
It may not be possible to keep reminding employees of the standards and regulations every time throughout a process. That is where workflow automation is helping organizations to ensure compliance without fail. Workflow management software helps automate workflow processes to reduce the amount of human intervention. All the details regarding a particular task, including the regulations, standards, and guidelines applicable to it, can be input into the software. So when the task is assigned, the person responsible for executing it has access to all the relevant information and this helps them improve compliance.
Automation also allows the workflow manager to assign approval checkpoints so that the work is only approved and accepted when the set standards are met. Thus, workflow automation streamlines the workflow process, minimizes the chances of errors, reduces the time spent on monitoring and evaluation, and prevents problems arising due to non-compliance.
5. Ethics Code
To ensure compliance in an organization, a strong code of ethics is of primary importance, as it leads to better compliance. Ethics are the values and standards that an organization stands by. These ethics define how the organization functions in its day-to-day activities and dictate how its employees are required to behave. The code of ethics of an organization is the documented form of these organizational ethics. There may be two kinds of codes of ethics – integrity-based and compliance-based.
Integrity-based ethics are not necessarily enforceable. They may not have any legal implications. But they can be considered as a moral responsibility for everyone working in the organization. Integrity-based ethics define what the standard behavior or responsible behavior of every employee of the company should be, for the greater good of the society. Employees need to be morally conscious and willingly accept these policies as compliance with integrity-based ethics codes cannot be forced.
A compliance-based code of ethics can have legal implications. These are ethics based on the laws, regulations, and standards set down by the regulatory bodies. An organization needs to clearly communicate these laws/ standards through the code of ethics and ensure compliance at any cost. Non-compliance with this code of ethics can result in serious legal problems and heavy penalties for the organization. A compliance-based code of ethics usually covers areas like workplace safety, workplace harassment, cybersecurity, privacy laws, environmental laws, racial discrimination laws, and so on.
The compliance administrators are responsible for implementing these codes of ethics across the organization.
6. Professional Ethics
Professional ethics should be at the core of any compliance program in any company. Professional ethics began to be considered a necessity for compliance management after many organizations faced scams, financial scandals, money laundering, etc. as a result of employees’ misconduct. Some of the best-known examples of such unethical behavior that led to the downfall of several companies are the Tech bubble that burst in 2002 and the housing bubble scam of 2008. Such major events not only cost organizations huge amounts of money but also their hard-earned reputation. After such events, professional ethics became an integral and irreplaceable component of compliance requirements.
Strong professional ethics in an organization can win stakeholders’ trust and bring more goodwill to the organization. Professional ethics always need to start at the top. The leaders of an organization have a responsibility of demonstrating and promoting strong ethics among employees. When leaders and managers show their commitment to compliance, stand true to their words and never compromise on values, employees automatically follow their example.
To inculcate strong professional ethics in employees, the organization must have a strong ethics and compliance program. The program should focus on turning professional ethics into a part of the organizational culture. It should reward employees for good conduct and compliance, and also define the actions to be taken against anyone who violates the codes of conduct. A display of integrity at every level and in every action of the people of the company will help make ethics a norm.
7. Types of Ethics
Compliance is the act of conforming to organizational policies and procedures in light of applicable laws and regulations. It provides a framework for organizational members to make decisions and act in accordance with the law. Ethics are an integral component of compliance. Organizations don’t have a uniform view of ethics, as explained below.
Some organizations are of the opinion that ethics involve doing the right thing, and following both the spirit and letter of the law. Perhaps it is why defining ethics may be difficult for businesses as employees’ personal code of conduct will come into question. Everyone has their own ethics, but when the goal is doing the right thing, then virtues such as honesty, fairness, transparency and due diligence will matter a great deal as far as compliance goes. If organizational values promote respect, trust, integrity or other virtues, then behaving in a manner that aligns with these values is everyone’s responsibility.
A focus on moral character and code of conduct augurs well for organizational culture. If an organization has a poor ethical culture, then none of its controls, policies and procedures will matter. The opposite is also true: culture drives ethical behavior. An organization that promotes ethical behavior among employees is likely to see culture and compliance benefits. If it has a poor culture or doesn’t promote ethical behaviors, employees will not feel discouraged from acting in ways that increase the risk of compliance failures.
Some organizations believe that ethics don’t always hold them to a higher standard than the rules, and that there are times when regulations demand more than upholding moral principles. Decisions of a complex nature and an absence of vital information can make organizations struggle to act according to the standards of ethics, affecting their compliance decisions.
8. Gifts & Entertainment
Incidents of inappropriate acceptance of gifts and favors in the past have led regulatory bodies and government agencies to look into gifts and entertainment as an area of concern. Bribery of government officials, compromised contract policies with third parties in exchange for favors, anti-kickback laws, etc. have driven the need for a strong gifts and entertainment policy in every organization. Though gifts and entertainment are a way of building and maintaining business relationships, they may be misused for personal gain or for that of the organization. In either case, acceptance of undue favors can be considered unethical and even criminal in extreme cases.
Gifts and entertainment policy in a company should clearly define what kinds of gifts or entertainment activities are acceptable and what is unacceptable. Any donations or gifts presented to others, such as partners, suppliers, third parties, etc. should be reasonable and documented correctly. There may be certain business units or departments in an organization that are under stricter scrutiny by vigilance agencies. The gifts and entertainment policy should be even more stringent for those business functions, to avoid any unwanted charges of corruption against the company or its employees.
The gifts and entertainment policy of the organization should be unambiguous and efficiently executed. Training of employees may also be necessary in this regard to help them realize the importance of the rules and the consequences of breaking them. Employees today are more aware and take ethics very seriously, which should make compliance with gifts and entertainment policies much easier.
9. Insider Trading
Insider trading has been a big nuisance to many companies, particularly those in the financial advising or investment sectors. Insider trading is when an employee of a company has access to confidential and critical information on trading in the stock market and uses this information for personal trading. This is a misuse of confidential information and is considered an unfair way of trading. It can even put the company’s clients at a disadvantage. This has led regulatory bodies to put strict restrictions on employee trading, which companies are required to enforce and monitor.
Every company that holds valuable trading information must have a robust insider trading policy. The insider trading policy defines who a ‘covered person’ is under the policy and what are the ‘covered securities’ for monitoring. The covered persons can be employees of the organization or anyone close to them such as immediate family members, who could also have access to the information. Covered persons may even be business partners or other stakeholders with access.
The organization must have an efficient process of tracking and reviewing employee trading activities. The organization must keep track of who has access to the material non-public information (MNPI) that the company deals with. Employees who hold trading accounts in a covered security must disclose their holdings to the compliance administrators on a regular basis (half-yearly or quarterly). Employees who have entered a new trade must also disclose their transactions and holdings within a stipulated time. The company may also ask for the trading account reports of other covered persons for review.
10. Governance and Audit
A compliance program’s success depends to a great extent on the governance and audit carried out by the company. Governance involves all the measures that the organization takes to control and manage its activities. In compliance management, governance plays a key role in ensuring the effective implementation of rules and regulations. Audits are also equally important to compliance administration. Internal audits can help with risk assessment and control assessment that help the organization identify the gaps in the system. Audits can also review the operational efficiency of the organization as well as the information and communication systems within the company. All of these are directly or indirectly related to compliance.
Apart from internal auditing, external auditing from time to time is also essential. External audits allow the company to have an outside perspective on the compliance program. The auditors can give valuable insights as well as advice to further improve the compliance in the organization. They can educate the compliance administrators about the legal implications of various rules and regulations.
Governance of the compliance efforts of an organization is the joint responsibility of several groups within the organization. Everyone from legal to finance to HR to IT must be involved in governance, risk, and compliance (GRC) activities. Apart from these teams, the executive leaders of the company need to show their involvement in governance too. As most of the major decisions and policies are made by the top leadership of the company, they are invariably involved in the governance and risk management activities taking place.
11. Personal Trading
Personal trading by employees can often pose a great risk for an organization, particularly in the investment and finance industries. Employees’ personal trading can give rise to a conflict of interest. A company that offers trading advice to its clients, for instance, has to make sure that their advice helps the client trade successfully in the stock market. But most employees in the organization have access to the material non-public information (MNPI) the company holds and uses to advise their clients. Employees could misuse this MNPI to trade for personal gains, putting the clients at a disadvantage. This is both unethical and unlawful in many cases.
Companies, therefore, need to have very stringent policies for personal trading by employees. Employees who have access to MNPI must be kept under scrutiny. First of all, the organization needs to identify everyone who has the privilege of accessing MNPI in the company. These are the access persons. The company’s code of conduct should clearly define how an access person is allowed to trade. For instance, if an access person opens a new account and enters a trade, he or she must report the transactions and holdings within the next 10 days. For an access person already trading, the holdings and transactions must be reported every quarter.
The organization also needs to decide how these reports are to be submitted. Some organizations allow employees to submit a copy of their trading statements, while others require employees to open an account only with company-affiliated firms for easier monitoring.
12. Compliance Culture
A company’s efforts to ensure compliance can only be truly successful when it turns into a culture. As long as employees don’t understand the importance of compliance in their daily activities and only consider it as a binding obligation, compliance can never be implemented in full force. Employees need to be shown that compliance is an extension of the organizational values and an integral part of the company’s mission.
The leadership of the organization has to take the lead in this regard as well. The company has to practice what is called “tone from the top”. When the leadership shows commitment to compliance and ethics, the employees tend to be motivated to follow them as well. Compliance should not be treated as a matter of discussion in a yearly workshop or before an important audit alone. It should be practiced and encouraged every day.
Managers can also play a major role in promoting a compliance culture. As managers work in close association with the employees and oversee the implementation of rules and standards directly, they are in a much better position to influence them. Managers must demonstrate strong ethics and compliance in everything they do.
Even in times of crisis, the leadership and management should never compromise on their ethics and commitment to the code of conduct, nor encourage others to do so. As long as everyone in the organization puts in the effort to ensure compliance every day, consistently, it doesn’t take long for compliance to become a part of the company’s culture.
The first stage in any corporate training program, including this compliance administration training, is to build a robust plan. It is impossible to deliver the desired results from a training program unless there is a clear direction. The organization, as well as the training providers, must first understand the organization’s needs thoroughly. It requires diligent research, assessment, and brainstorming during the initial phase to gain meaningful insights into the organization’s current state and, thus, the gaps in its system.
In this corporate training program on Compliance Administration, we start the program planning stage with a few critical questions. There are 5 critical questions that every organization needs to answer before choosing/ designing a training program on compliance which include – who, what, when, where, and why.
Who should know about the compliance program?
When choosing or designing a training program, the first thing to know is who the training is meant for. In the case of the training program on compliance, the organization needs to deliberate on who the training program is supposed to target. For instance, compliance with safety standards in an organization primarily needs to be designed for people working in hazardous areas, such as shop floors in a factory or on a construction site. Compliance with workplace ethics, on the other hand, has to include everyone working in the organization. Compliance with cybersecurity and privacy laws may target IT departments, customer service departments, legal departments, and so on.
Depending on who the training program is for, it may have to be designed differently to cater to the specific audience.
The organization also needs to decide who would deliver the training. In this case, we will be offering all the material and delivering the training as well. But for your future needs, the organization may need to design its own training program, during which this question becomes relevant. The organization may opt for available training programs on compliance online, outsource the training to a professional Training & Development firm, or conduct training in-house.
For in-house training, the personnel responsible for designing and delivering the training program have to be appointed based on their knowledge, background, and capabilities. Every organization should ideally have a Compliance Officer or Committee who would take the lead in planning the training programs.
What should compliance training include?
Every organization has different needs. So, we cannot expect to deliver the same results with a training program in every organization we work with. The corporate training program on Compliance Administration primarily focuses on the Banking & Financial Services, Insurance, Business Services, and Technology industries. So, most of the topics and modules included in this training program have been designed keeping in mind the specific needs and challenges of these industries.
For any other organization, belonging to a different sector, the compliance administration training needs would be different. The organization needs to first find out what the compliance risks of the company are, which areas require more attention in terms of compliance, what are all the applicable laws and regulations, and so on. Once this information is available at hand, the organization can then decide on the content of the training program. It will help decide what should be the key takeaways of the training. This will also enable the training providers to gather relevant information and training material so that the trainees can receive correct and adequate knowledge.
The training program should be able to tell the learners what exactly it delivers, from the very beginning, and how it applies to their roles.
When do employees need compliance training?
The next question for an organization to answer is when do they want their employees to learn about compliance and compliance risks. Should the training be a part of the employee onboarding process, delivered every time new employees are recruited to the company? Or should it be a continuous process, with training being imparted periodically? The answer here is simple but it does depend on a lot of factors.
The honest answer is that an organization should consider compliance training as a continuous, ongoing process. Delivering compliance training only during employee onboarding does not truly serve the purpose as rules and regulations keep changing. One-time training is not enough to keep them current with the recent developments and employees won’t usually learn about the changes themselves. As a result, the outcomes of the one-time training program get lost in the shuffle.
So, it is important to create awareness from time to time. But not all organizations may have the budget or resources to conduct training every 6 months or every year. In such cases, an organization can still increase employee awareness of compliance and risks by sharing resources with them regularly and updating them on the key issues, instead of conducting full-fledged training.
If the company has the resources for it, though, compliance training can very well become a part of the company’s culture. Short-term training programs that share interesting and entertaining compliance modules, be it online or in a classroom training, can refresh employees’ perspectives on compliance management.
Where will the knowledge be applied?
The compliance training program a company carries out should have real-world outcomes. It should be more than just a classroom lecture on compliance and its importance. Employees need to be clear about where they are going to apply the knowledge they gain from this corporate training program.
The compliance program, therefore, has to be designed keeping in mind the real-world applications. It has to focus on actual scenarios, enlighten the learners with examples and case studies, and answer any questions that they might have regarding the application of compliance to their area of work.
If possible, after the initial corporate training, the organization should invest in refresher courses and on-the-job compliance training that allow employees to see the impact of compliance on their day-to-day activities.
Why do employees need to learn about compliance?
Lastly, the organization needs to be clear about the purpose of the training. You need to know what you are trying to achieve with this training program and why employees should see this as more than something they just need to get through.
The organization needs to reinforce their faith in the training program and demonstrate how it is going to add value for everyone. The goals and desired outcomes of the compliance program should be clear before the organization proceeds with training.
When the organization has found the appropriate answer to these 5 critical questions, it becomes much easier to apply the knowledge from the corporate training program and design an efficient compliance program that meets all the organizational needs. This initial assessment is a very crucial part of program planning.
Identifying compliance essentials
The program planning stage needs to focus on what resources or capacities are required to build a robust compliance program. There are certain activities that the organization has to carry out to ensure compliance in every area of the business. For example, one of the most essential aspects of a strong compliance program is having a dedicated team to manage compliance and compliance risks in the organization. The organization will have to appoint a Compliance Officer or a compliance committee to oversee all the compliance-related work.
Another essential aspect of a compliance program is a compliance strategy. The organization has to devise a strategy for the implementation of the compliance program and ensure its success. A strategy provides a sense of direction to the compliance committee, clearly laying out the plan of action and the expected outcomes. The strategy will define the activities to be undertaken step by step, the frequency of these activities, the people to be involved, and more. This strategy usually has to be developed during the program development stage itself and applied during the program implementation stage.
The compliance program strategy will also define the kind of approach the organization plans to take towards compliance implementation – rigid or flexible. So, all the important factors that determine what the compliance program of the company will be like are covered in the strategy, making it much easier to execute later.
One more essential part of the compliance program is going to be the monitoring and auditing measures to keep track of the program’s effectiveness. The organization will have to conduct regular audits to assess whether the compliance program is delivering the expected results and if there is scope for improvement.
It is also equally important to have a list of the compliance requirements. Different industries and organizations have different compliance requirements. Unless the organization is sure about the compliance requirements, that is the applicable laws and standards that it has to comply with, proceeding with a plan becomes meaningless. Once the requirements are known, the organization can move ahead to risk assessment based on this knowledge.
During the program planning stage, one of the most important activities to be carried out is the risk assessment throughout the organization. This stage of the corporate training program will discuss in detail risk assessment, types of risk, managing high-risk areas, controls, and corrective actions.
Every organization is exposed to various compliance risks – both inherent and residual. Inherent risks are those risks that exist within the organization from the very beginning and there are no controls in place to mitigate these risks yet. Residual risks, on the other hand, exist although controls have been used to mitigate them. This means the controls are not as effective as initially thought.
A thorough risk assessment helps the organization find out its high-risk areas and assess whether the current controls are working as expected. In case a risk is detected, new controls can then be placed or the existing controls can be enhanced to remediate them.
Risk assessment is a very crucial and tricky part of program planning. A little negligence or carelessness in risk assessment can lead an organization to make wrong decisions at some point, ending up in expensive lawsuits or loss of reputation. Assessment of compliance risks, therefore, has to be done very diligently so that no potential hazard can escape the eyes of the compliance administrators.
For efficient risk assessment, it is important to gather as much data from every business unit as possible. The compliance administrators need to work closely with employees from every department and gather their inputs on the probable compliance risks. They also need to gather information on the best practices adopted by other companies within their industry for benchmarking. This comparison will help them assess where the organization is lacking and if there is scope for improvement in any particular area. All of this data should be carefully consolidated and documented for a thorough review.
Compliance risks are not only posed due to negligence or lack of effective controls on the part of the organization. They may also be a result of the ever-changing regulatory environment. The organization has to keep track of all the regulatory changes taking place in their environment. New laws and standards are being introduced every other day. If an organization fails to monitor these developments, it may fall behind and increase its risk of non-compliance.
So, the program planning stage also needs to focus on monitoring changes and having a systematic process for this.
Understanding the regulations, standards and laws
One of the most important requirements of any compliance program is to have a clear, thorough understanding of the regulations and standards, as well as their impacts. It is important to understand what a particular law or regulation wants the organization to achieve. For instance, a certain regulation may aim to increase the standard of quality of the company’s services for better customer satisfaction. Another regulation may want the organization to improve its data security protocols to ensure the safety of people’s personal information. These outcomes in turn improve the reliability and reputation of the organization itself.
Understanding why each applicable law or standard is important to the company’s growth helps develop a better compliance program as well as build people’s commitment towards it. When the compliance administrators are clear about the expectations that a regulatory body has from an organization through the rules and standards it introduces, it becomes easier to deliver on those expectations.
The company can then assess whether it has the resources needed to meet those expectations and comply with the regulations. If it lacks the resources to deliver the desired outcomes, it will at least know this in advance and can plan to build capacity and develop a compliance program that helps it achieve those outcomes.
Budgeting and time management
The compliance program planning stage during the corporate training program will focus on two more, very important, aspects – the budget and the time allocated. Although everything in the compliance program – every compliance requirement, every compliance risk – seems to be equally important and urgent, it is not possible for a company to address them all at once. The company does not usually have enough budget, manpower, or time to devote entirely to compliance and so the compliance administrators have to be resourceful in this regard.
An annual budget for compliance-related activities, such as training, audits and certification, must be set aside during the planning stage itself. This allows the compliance plan to be developed within the budget and makes it more effective. Similarly, company leaders, managers and employees have many responsibilities apart from compliance management. Taking them away from their desks too often for compliance training, audits or related activities is not good for productivity. This is why time management is equally important. Compliance administrators must determine the timeline and frequency of compliance-related activities during the planning stage to ensure that company time is used well. This also adds structure to the compliance program.
The program development stage of the corporate training program is the second phase which discusses the compliance program framework. Once the organization has completed the risk assessment and control assessment, the compliance administrators have a clear idea of what the organization needs in terms of compliance management. We can now start to gradually build the policies and procedures that will be the backbone of the company’s compliance program.
The corporate training program at this point will focus on how to build a strong foundation for the organization’s compliance program. During program development, it is of foremost importance to ensure that everyone in the organization understands the need for compliance. Inputs must be taken from employees, managers and leaders at all levels to make sure that no important business area is left open to compliance risks.
Before an organization can start developing its compliance program effectively, the support and involvement of the executive leadership are essential. The corporate training program on compliance administration will discuss why leadership plays an important role in compliance program planning and development. The leadership of an organization sets the organizational culture and is responsible for all major decisions in the organization, which makes it just as important in setting the tone for the compliance program.
The leadership’s approach to professional ethics, social responsibility and compliance as a whole, influences how the entire organization views these areas as well. Unless the leadership sees value in these things, all policies and standards would be meaningless and implementation would be all the more difficult.
The leadership has to demonstrate faith in the company's value system and show its commitment to ethics, irrespective of the circumstances. When the leadership stands firm on compliance and ethics, no one in the organization will lightly compromise those values. It is also important for the leadership to communicate the need for compliance to employees and to adopt methods for motivating them to be compliant. For instance, there should be a reward and recognition system that recognizes those who have shown exemplary behavior, and a consistent disciplinary process for non-compliant behavior. These systems have to be introduced by the company's leadership and require its oversight at all times.
Written policies and procedures
After leadership buy-in, the next step in the program development stage discusses the importance of written policies. It is extremely important for an organization to document its policies, rules, standards and codes of conduct to ensure that everything is present in writing and leaves no loose ends. The written policies and procedures are easier to apply as they are shared with all stakeholders of the company. When everyone in the organization is aware of the policies, there are fewer incidences of non-compliance due to lack of knowledge.
Apart from the codes of conduct and regulations, it is also important to document the corrective action plans and the penalties for misconduct that anyone may have to face in case of non-compliance. This makes sure that employees understand the gravity of the matter and the importance of compliance to the organization. This stage of the corporate training workshop will discuss how to effectively document all the policies and procedures in an organization. The written policies should be clear, succinct and easy to understand for people at all levels.
The written policies should cover all the significant areas of concern, particularly legal, financial, social and environmental regulations that are most important to comply with. The language of the written policies should be common to all. Using legal language that is hard to understand for a layman can lead to misinterpretation of the rules or may even discourage people from reading the policies fully.
The written policies should leave no scope for ambiguity. The rules and their consequences must be clear, and any exceptions that may be allowed under particular circumstances must be spelled out as well. Covering the most likely special cases and defining what exceptions may be made ensures that even in unforeseen circumstances, everyone goes by the book. Where an exception requires the employee or the compliance administrator to obtain prior permission from a competent authority, or to report the exception within a stipulated time, that must be included in the documented policies too.
The written policies and standards should have a holistic approach by taking into account the entire environment, both internal and external, in which the organization thrives.
Another important aspect of compliance program development that will be discussed during this stage of the training is the formation of a Compliance Committee. Depending on the size of the organization and its operations, the organization may choose to either appoint a Compliance Officer or an entire team. The responsibilities of the Compliance Officer/committee will be to implement and manage the compliance program company-wide.
The Compliance Officer or the members of the Compliance Committee must be well-versed in the applicable laws, regulations and standards across all areas of the organization. They should preferably have a background in compliance administration and legal governance. It should also be made clear at the time of appointment who the Compliance Officer or Compliance Committee reports to. The Chief Compliance Officer is usually required to report to the CEO regularly and to the Board of Directors on certain occasions; the compliance function should also have a direct line to the board (or its audit committee) so that concerns involving senior management can be raised without passing through them.
Apart from ensuring compliance within the organization, the Compliance Officer or Committee must also regularly monitor all processes, systems and business functions to identify existing risks and assess the controls in place. It is their responsibility to ensure that controls are effectively mitigating the compliance risks and, where a gap is found, to adopt corrective measures promptly.
Compliance Officers and Committees may also be involved in policy building. They are responsible for monitoring the regulatory environment of the industry, keeping track of changes and reviewing or updating company policies to ensure they stay within the regulatory framework. They are also required to review outside communications from a compliance angle, for instance by requiring standard disclaimers on emails and other outbound material. Compliance Committees may need to lead internal audit teams in reviewing the company's procedures and controls from time to time.
Compliance Officers must ensure that all policies and regulations are communicated to employees and that any updates or changes are communicated promptly. They must arrange employee training to promote knowledge sharing and improve employees' awareness of the regulatory requirements in the organization and the industry.
Compliance Officers/ Committees must work closely with the management and different business units to develop appropriate contingency plans on how the company responds in case of a compliance breach. Efficient Compliance Officers/ Committees should have enough foresight and must be able to anticipate potential problems, enabling the company to be prepared for action.
In all industries, adhering to legal and regulatory compliance is essential for safeguarding the organization as well as the employees. Therefore, it is crucial that everyone in the organization is well-trained for it. Compliance training adds a lot of value to a business. By providing proper training and regular briefings to the employees, they become more knowledgeable about the various regulations and how they affect their job roles. When employees are well-trained, it also protects the organization from several detrimental impacts. Hence, it is important to formalize a training program for new employees and create a system for providing regular updates to all existing employees.
Compliance training must not be viewed as a one-time activity; it is an ongoing process. At the same time, employees should not be bombarded with more information than they can retain. A lack of compliance knowledge ultimately affects employee behavior and can have a disastrous impact on the organization.
The primary objective of compliance training is to ensure that the organization and its employees remain on the right side of the law. Organizations evolve with time, and so does the way they conduct business. Naturally, laws and regulations evolve too, making it all the more important for organizations to keep up to date through ongoing training. Non-compliance leads to legal complications, which can harm the reputation of an organization. Companies that maintain a good reputation attract new clients while retaining existing ones, increasing their sales and profits.
Developing a compliance training program can also help an organization become more cost-efficient. Non-compliance can lead to business disruptions, legal fines, and productivity losses, which can also be prevented with effective compliance training.
Compliance training can also have a positive impact on the people working in the organization. Internal compliance policies cover several aspects such as wages, compensation, employee benefits, safety and employee protection. Being fully compliant in these areas can create a better working environment in the organization. When employees feel safe in the work environment and feel that they are adequately compensated for the work they do, their morale and productivity is boosted.
Compliance training also protects the company in the long run. Because an organization's best practices are aligned with compliance, and because compliance requirements evolve with time, ongoing training helps the organization prepare for new rules and regulations before they come into effect rather than scrambling afterwards. Following laws and regulations also creates a pleasant working environment, encouraging employees to deliver their best performance.
Effective communication is extremely important to the success of a compliance program. Getting the right message to your employees, stakeholders, and third parties helps the compliance program stick and creates a culture of ethics and compliance in your organization over time. Therefore, an effective communication plan is vital to the success of your compliance program.
Developing a compliance framework is not enough. For all compliance measures to be enforced throughout the organization, it is imperative that it is communicated properly and repeatedly throughout the organization.
Before you create a communication plan, you must first determine your goals. The communication strategy depends on the goal you want to achieve: raising awareness about a specific compliance issue requires a different approach than building a culture of compliance across the organization.
Your communication is only effective if the intended audience understands it the way it was meant to be understood. Take into account the knowledge, attitude, and behavior of your audience to ensure that you choose the right communication channels and resources.
The ethics and compliance function has evolved significantly over the past decade or so. It has become extremely important for organizations to comply with the relevant laws and regulations to ensure smooth business operations and minimize damage to their reputation or clients. The growth of mobile technologies, social media and Big Data has ushered in a new era of transparency, raising questions about the way business is conducted. The compliance function is now at center stage, with greatly expanded responsibilities. Compliance activities have become integral to the strategic core of organizations, and implementing effective compliance programs has become a priority.
Building an effective compliance program involves a lot of work. Organizations need to create dozens of policies, procedures, systems, and processes to address all the compliance requirements. This involves prevention of any fraudulent or unlawful behavior and also the detection and correction of any such activities. It is also extremely important to ensure that everyone in the organization is on the same page. Everyone needs to understand the benefits of a compliance program and the expectations that the organization has from them. Providing proper training to the staff is crucial, and so is regular monitoring of what’s working and what’s not in the program.
Here are a few essentials of implementing a successful compliance program:
Create the right tone at the top
The starting point for any compliance program is the board and senior management, and the sense of responsibility they share to protect the organization’s reputational and financial assets. The board and senior management have a pivotal role to play when it comes to implementing a compliance program.
The top leadership team needs to empower and provide proper resources to the individuals who have been entrusted with day-to-day responsibilities of mitigating risks and building organizational trust. Without a doubt, reputational risks in today’s day and age are as significant as strategic, operating, and financial risks. That’s because, once an organization’s reputation is compromised, the impact can be devastating, from a plummeting stock price to a loss of customers. To protect an organization against reputational risk you need to set the proper tone at the top that the organization values and embraces a culture of integrity.
In the context of a compliance program, the tone at the top sets an organization’s guiding values and ethical climate. When properly nurtured, it forms the foundation upon which the culture of an organization is built. Ultimately, it is what holds an organization together. The leadership at the top, including the CEO, the board of directors, and the CCO (Chief Compliance Officer) play critical roles in setting the tone at the top.
Board of directors
Setting the tone begins with the organization’s governing authority, and most often this means the board of directors. The board’s most fundamental tasks would typically include hiring the CEO, approving strategy, monitoring execution of the plan, and setting risk appetite. They also play a key role in exercising appropriate oversight regarding risk mitigations, all with the underlying goal of preserving and creating shareholder value.
The board sets the tone of the organization in the way that it executes each of these responsibilities. However, no other decision drives tone at the top more than the selection of the CEO. That process must focus on competence, character and chemistry, and emphasize choosing a prospective CEO who has the requisite skills and experience to move the organization forward. The CEO should also possess the character and moral fiber to model and contribute to the development of a values-centered enterprise and strategy, and the chemistry and communication skills necessary to rally others to deliver consistently on the organization's value proposition to all stakeholders.
The board of directors is responsible for monitoring the CEO’s performance based upon appropriate metrics for competence, character, and chemistry. In short, the board must ensure that ethical objectives are built into strategies and actions of the organization, and that they are not merely a bunch of words.
Setting the proper tone at the top is much more than a compliance system. Establishing the right tone strengthens the organization's reputation and its relationship with all stakeholders. The CEO is the face of the organization, the person to whom employees ultimately look for vision, guidance and leadership. The behavior of a CEO tells employees what truly matters, and what is rewarded and punished. Leadership derives from trust, and trust is built upon a common understanding between people. Leadership, therefore, is relational, not transactional.
The tone at the top demands that leaders, especially the CEO, figure out ways to connect with people inside and outside the organization. It is important for leaders to openly communicate their values, using different platforms and communication systems. Developing a sense of shared values, a set of beliefs against which all decisions can be measured and tested is increasingly the basis on which long-term strategies and successful implementations are built. Failure to align ethics and values to business strategies and operating plans bears potentially heavy costs.
The Chief Compliance Officer plays a critical role in setting and reinforcing the tone at the top. The person selected for this role must be beyond reproach, someone whose integrity is clear and who can earn the respect of personnel at all levels. The stature and character of the person selected as the CCO speaks a lot about the organization’s commitment to ethics and compliance.
The CCO contributes to tone at the top in both direct and indirect ways. The CCO has a built-in platform for reinforcing the organization’s values, balancing the messaging related to sales and growth. Whenever employees have ethical concerns, it is the CCO that they turn to. Therefore, the CCO plays a crucial role in creating a culture where employees do not fear to speak up, an essential element of tone at the top.
The best CCOs are forever on the lookout for opportunities for the CEO to convey important ethics and compliance messages in communications, both internal and external. The CCO also proactively assists the board in understanding and executing its role in setting the tone at the top.
Compliance risk assessment
With the passage of time, laws and regulations have become more and more complex. Stakeholder expectations of organizations have also increased tremendously, exposing organizations to a greater degree of compliance risk than ever before. Global regulatory convergence, together with businesses venturing into new or adjacent industries, has further increased the need for a broader view of compliance risk. Proper compliance risk assessment is one of the fundamental steps in implementing an effective compliance program.
Compliance risk is the threat to an organization's financial, organizational or reputational standing that results from a breach of laws, regulations, codes of conduct or organizational standards of practice. Many organizations do not perform a compliance risk assessment at all, which leaves them exposed. Such organizations need to extend their risk assessment process to incorporate compliance risks fully, so that they understand their complete risk exposure.
The way businesses operate has greatly evolved, and organizations face new ethics, compliance and reputational risks every day. For instance, the recent global pandemic forced many corporate functions to examine their budgets and resources closely. Organizations now need to do more with fewer resources while still meeting growing regulatory obligations. Ethics and compliance professionals need to keep adding value to their organizations by understanding the full range of compliance risks present across departments. Once they have identified the risks, they need to evaluate which have the highest potential for legal, operational, financial or reputational damage and allocate resources accordingly to reduce them.
Difference between compliance risk assessment and other risk assessments
Organizations conduct various assessments to identify different types of organizational risk. For example, enterprise risk assessments help organizations identify strategic, financial, operational, and compliance risks to which the organization may be exposed. More often than not, the enterprise risk assessment process is mainly focused on identifying those risks that could impact the ability of an organization to achieve its strategic objectives. Many organizations also conduct internal audit risk assessments that play a key role in the creation of the internal audit plan.
A conventional internal audit risk assessment is likely to consider operational and financial statement risks alongside compliance risks. Both kinds of assessment may surface significant compliance-related risks, but neither is designed to identify legal and regulatory compliance risks systematically. Compliance risk assessment, therefore, requires a more focused approach. It is fine to link the compliance risk assessment with the enterprise or internal audit risk processes, but compliance officers should ensure that the legal and regulatory risks are identified in their own right. Only when you are aware of all the risks to which your organization may be exposed can you implement a proper compliance program. A program that does not address all the potential compliance risks is unlikely to stick, and the time and effort spent on it go to waste.
Understanding your top compliance risks
The compliance risk assessment can help an organization identify its complete range of risk exposure. This includes the likelihood that an event causing a risk may occur, the reasons it may occur, and the severity of its impact.
An effective compliance risk assessment process also helps an organization prioritize risks, ranking them from those with the greatest potential impact (taking likelihood into account) to those with little impact. Such a process also maps each risk to a designated risk owner and allocates resources so that the owner can put mitigation measures in place.
Building a framework and methodology
The range of potential compliance risks that an organization may face is typically very complex. Hence, a robust and effective assessment process should make use of both a framework and methodology.
The framework lays out the various compliance risks that an organization may face and groups them into risk domains. The methodology defines both objective and subjective ways to evaluate those risks.
The framework needs to be dynamic, comprehensive and customizable, enabling the organization to identify and evaluate the various categories of compliance risk to which it may be exposed. Some compliance risks are specific to an industry, for instance worker safety regulations in manufacturing or laws governing the behavior of medical sales representatives in pharmaceuticals. Others are universal and present in all industries regardless of geography, such as conflicts of interest, privacy, harassment and document retention.
An effective framework should also outline and organize the elements of an effective risk mitigation strategy. The strategy should not only define the necessary steps to be taken to mitigate the risks, but also identify the designated risk owner.
Create an organizational culture of ethics and compliance
With the proliferation of social media, even the smallest error can pose a big reputational risk. A wrong post or tweet on social media is enough to harm the reputation of even large-scale organizations. Reputational threats are present around every corner. Therefore, a strong culture of ethics and compliance is the foundation of a compliance administration program.
Culture has always been vital to how an organization operates. Why is organizational culture getting so much attention lately? One reason is that regulators have realized that organizations that do not follow a culture of integrity are likely to view their ethics and compliance programs as a set of activities that need to be ticked off the list. Worse, such organizations may view compliance and ethics as roadblocks to achieving their business objectives. If you look back at the last couple of decades, the organizations responsible for some of the most appalling acts of wrongdoing have had quite impressive, formalized ethics and compliance guidelines. The problem was that either the leadership or a group of influential insiders decided not to follow those compliance guidelines.
Culture of integrity
Culture determines, more than anything else, how employees behave. Strong cultures have two common elements:
– There is a high level of agreement about what is valued, and
– A high level of intensity with regard to those values.
The truth, however, is that not all organizational cultures encourage ethical behaviors. When it comes to implementing an effective ethics and compliance program, the starting point is to create a positive culture of integrity.
Organizations with strong positive cultures create trusting relationships with stakeholders, both internal and external. These relationships often become reciprocal, that is, stakeholders trust the organization and the brand, creating employee, customer, and supplier loyalty. A strong organizational culture helps to build positive relationships with regulators and also attracts long-term investors. Ultimately, a culture of integrity is reflected in superior, long-term performance.
Train and Communicate with Employees
It is critical for organizations to establish a strong code of conduct along with policies that address compliance-based risks. However, those policies will only be as effective as the training and communications program that supports them. If employees are not properly trained, it is hard to hold them accountable for compliance violations, and they may act against the organization's policies and procedures through no fault of their own.
A well-rounded training and communications program should:
Follow a risk-based approach
Employees working in high-risk business units should receive content tailored to their job roles. Employees at the management level must receive training that addresses not only their own conduct but also how to handle issues raised by or involving their direct reports.
Be tailored to the specific audience
Training, wherever possible, should be delivered in the local language to ensure that all employees understand the intended message, and in a format that is easy to follow. For example, an organization with employees working in remote locations should provide them with mobile-friendly content, because such employees are more likely to have access only to mobile devices, unlike office-based employees who can attend a live training session.
Learn from past episodes of misconduct
Leaders must ensure that the employee training program includes areas that have caused issues in the past. Employees must also be aware of and understand the consequences for engaging in unethical conduct.
Facing up to the challenges
More and more organizations are choosing to create additional structures around their ethics and compliance program for more successful implementation. This can include expanding the Chief Compliance Officer’s role to include specific responsibility for the ethics program or appointing a Chief Ethics Officer. Organizations are also taking steps to enhance the code of conduct and related controls and procedures, and improving accountability for ethical behavior through training and performance assessments.
These actions are a great start toward the creation of a strong culture and will benefit the broader efforts around risk management and compliance.
The key to a successful legal compliance and ethics program lies in its fundamental ability to mitigate the company's legal risks. Designing such a program can be challenging, although guidance on basic program elements and operating processes has emerged over the years.
Importance of reviewing a compliance program’s effectiveness
Beyond legal expectations, the most important reason to review a program’s effectiveness is simply that things change. You would not want your compliance program to become outdated because of regulatory or business process changes. An outdated compliance program is more susceptible to lapses or increased scrutiny. Ultimately, program effectiveness largely depends on how up-to-date a compliance program is.
Assessing program effectiveness can also identify process improvement opportunities and efficiencies, and it can highlight emerging risks or trends affecting a program. Performing a review assures that the initiatives designed to address each hallmark criterion remain current, relevant and in alignment with regulatory standards and broader business objectives.
Mitigating ethics and compliance risks can have far-reaching effects, often addressing other operational or strategic risks as well. A good example of a compliance program process that mitigates multiple types of risk is third-party due diligence. Performing third-party due diligence gives an organization proper insight into a potential partner’s operating history, business model and performance. This information can include legal or regulatory issues, financial status and management background, enabling the organization performing the diligence to make decisions related to larger operational and strategic goals such as geographic expansion, market penetration and capital investments.
Ongoing evaluation of a compliance program has multiple benefits, besides achieving strategic business objectives across the organization.
Measuring a program’s effectiveness
Most, if not all, compliance teams know they should be measuring program effectiveness, but many professionals still struggle with meaningful execution. Best practice and regulatory standards call for risk-based program reviews to specifically account for an organization’s unique risk profile. Working from a risk-based assessment framework can establish the metrics needed to identify program improvement opportunities.
Each process area of your compliance program can be rated on a scale such as the following, from weakest to strongest:
– The compliance risks identified within the organization are either not fully mitigated by controls, or there are inconsistencies in the processes that make them susceptible to breakdowns or scrutiny.
– Program processes and controls are in place to prevent or minimize risk and are consistently operating.
– The process area has achieved best practice criteria.
– The process area has matured beyond best practice criteria and may be re-engineered due to high-impact changes affecting the process.
Your organization’s risk profile should be defined within the context of your compliance program, which is best accomplished through a compliance risk assessment or as part of a larger enterprise risk assessment.
How can you judge the effectiveness of the implementation of a compliance program?
The effectiveness of a compliance program is measured by the commitment of the top leaders of the company, the board of directors, and executives to creating a culture of ethics and compliance within the organization. Regulators look at how senior leaders have encouraged or discouraged compliance through their words and actions.
Effective implementation of a compliance program requires that an organization give appropriate autonomy and resources to those responsible for overseeing the compliance program. Doing so can help these people act with the required authority and stature.
Regulators look at whether a compliance function has sufficient personnel and resources. They also evaluate if those responsible for compliance have:
– Adequate seniority within the organization.
– Sufficient resources and staff to effectively undertake the required tasks of auditing, documentation and analytics.
– Enough autonomy from management to have direct access to the board of directors or the audit committee.
In addition, an organization should have policies and controls in place that incentivize employees for compliance and take them to task for noncompliance. The organization should ensure that incentives and disciplinary actions are applied fairly and consistently across all departments.
Stages of compliance program review
Before you initiate your compliance program review, you need to create a project plan with these four stages.
1. Stakeholder identification and engagement
When identifying project stakeholders, include your reporting audience, such as the board of directors, CEO and executive team, as well as those who have a vested interest in the program review results because of their organizational role or program oversight responsibility. Involving other departments, managers and front-line workers who play an active role in protecting your company from risk on a daily basis is a good way to spread the compliance culture throughout the entire organization and ensure it aligns with overall business goals and practices.
Knowing who you need to speak with and where they are located will help determine how much time you’ll need to accomplish these milestones:
Onboard the stakeholders
Once you’ve identified who needs to be part of this process, inform them about the project and rationale for performing the program review. Developing a project onboarding presentation that explains the project’s purpose and some high-level steps will engender support and also set expectations about project deliverables or outcomes.
– Schedule interviews and arrange to collect pertinent documents from stakeholders.
– Identify and communicate a consistent way to receive and collect documents.
– Determine the final reporting audience and method.
Document collection and interviews
The most resource-intensive parts of a compliance program review are the stakeholder interviews and document collection. To manage the interviews, maintain an interview schedule and cross-check it against your stakeholder list to be sure you speak to everyone with a role in supporting, managing or influencing the program. Use questionnaires created and reviewed ahead of time to conduct interviews that focus on the individual stakeholder’s role, their particular governance responsibilities, process or document descriptions, and any changes or updates to processes or documents.
The document collection process should adhere to company security procedures with regard to the access, transmission and storage of any proprietary, confidential or sensitive information. You should follow a designated process for requesting and storing all program documentation and data.
Use a standardized policy inventory template to help identify and track organizational policies relevant to the compliance program. Assess policy effectiveness by including ratings for each document. Review and approval dates should also be tracked either on the inventory template or through a policy management process to ensure regular and consistent reviews for revisions. To help track policy documents, a sample policy inventory template is included on the next page.
By aggregating the information provided in interviews and documents, an effectiveness rating can be determined for each process or control. The rating indicates whether a process needs improvement or has reached the best practice stage. When incorporating interviews from stakeholders outside the compliance department, evaluate their feedback through the lens of their roles and responsibilities, and weight and measure it as it relates to the organization as a whole.
When evaluating each process area or program control, consider some of the following factors:
– Proper approval levels are in place, as applicable, for actions like expense report approvals, policy approvals, etc.
– Consistent (repeatable) and complete processing—e.g., documented gift and entertainment approvals if required per policy, standardized internal investigation process and protocols, etc.
– Accessible to all employees and third parties such as vendors, suppliers and agents.
– Relevant risk coverage, reflecting current regulatory and business process environments.
If a particular process or control is deficient by one measure or another, the rating should inherently begin moving towards “Needs Improvement.” Risk prioritization, impact and likelihood should also influence the effectiveness ratings.
Aggregating the ratings within each hallmark can produce an average hallmark effectiveness rating. The final aggregate rating of all hallmarks will provide your organization with the overall health of the program. It is important to note that one weak area can negatively impact and weaken the overall effectiveness of your compliance program.
Developing a final report or scorecard of the program review can be done using various approaches: custom dashboards, verbal report, executive summary, or slide presentation. At the outset of the project, you should have determined your final reporting audience. Knowing your audience should in turn drive the reporting method.
The report should include the individual hallmark rating averages, particularly if certain areas are weaker or stronger than the rest, and the overall review rating. The final assessment may give rise to action plans to address improvement opportunities, which should also be outlined in your report. The final assessment should also be used as a recurring metric or benchmark to reflect program effectiveness as improvements or process changes are made.
It is strongly recommended that the assessment results and resulting action plans for improvements be shared with your Board of Directors, given their oversight responsibilities for an organization’s ethics and compliance program.
All identified action plan owners should be notified of the results and provided an explanation of the process improvement opportunity and recommended action, along with a timeline for follow up.
In the spirit of transparency, it’s also best practice to circulate results and identified process improvements to all the people you interviewed. This reinforces the fact that their time and input were important and the assessment results are being evaluated and acted upon.
Finally, you should have a set schedule and tracking method for following through with action plans and improvement opportunities. Sharing these plans and timelines with the board will help you stay on track and keep all involved parties accountable.
How can your business evaluate your current compliance program?
The following steps can help evaluate your current compliance program:
A compliance program is incomplete without an employee training program. Hence, your organization should already have a compliance training program in place. Compliance training is an ongoing process. At the end of every training session, you should test your employees on their retained knowledge. Reiterate the important takeaways through team briefings and mailers. It is a good idea to follow up after a few months to see if the employees have actually retained the important information.
Similarly, you should assess misconduct reporting trends after completing a training session. Have employees reported more or fewer incidents after a session has ended? Such information can be invaluable for understanding the value of the program and for identifying ways to improve it.
Along with training assessments, your organization should also conduct surveys every six months or annually that capture important details about your compliance program. These surveys should ask questions about compliance, ethics and organizational policy in order to understand employee attitudes, and they can be a great way to get an honest view of your existing organizational culture.
You can also use these surveys to record employee responses regarding any compliance violations that they have observed. This information can be used to compare the results against reporting histories. If your surveys reveal that employees observe a significantly higher volume of misconduct than they are reporting, your compliance program is not working the way it should.
To evaluate the overall success of your compliance program, you should utilize sources of data outside of your compliance and ethics department. For instance, you could partner with your human resources team to ask questions about ethics and compliance during hiring procedu