Compliance Administration
The Appleton Greene Corporate Training Program (CTP) for Compliance Administration is provided by Mr. Nelson Certified Learning Provider (CLP). Program Specifications: Monthly cost USD$2,500.00; Monthly Workshops 6 hours; Monthly Support 4 hours; Program Duration 12 months; Program orders subject to ongoing availability.
Personal Profile
Mr. Nelson is a Certified Learning Provider (CLP) at Appleton Greene. He has executive leadership and management experience in Operation Workflow, Financial Services, Regulatory Compliance and Consulting. His academic achievements include a Bachelor of Business Administration from the University of Miami and a Master of Business Administration from Nova Southeastern University. He is a Certified Compliance Professional, dedicated to developing and implementing operational processes and workflows, integrating automated and Artificial Intelligence technology to effectively administer and manage compliance programs. Mr. Nelson maintains active membership in professional associations such as the National Society of Compliance Professionals (NSCP) and the American Society of Administrative Professionals (ASAP).
(CLP) Programs
Appleton Greene corporate training programs are all process-driven. They are used as vehicles to implement tangible business processes within clients’ organizations, together with training, support and facilitation during the use of these processes. Corporate training programs are therefore implemented over a sustainable period of time, that is to say, between 1 year (incorporating 12 monthly workshops), and 4 years (incorporating 48 monthly workshops). Your program information guide will specify how long each program takes to complete. Each monthly workshop takes 6 hours to implement and can be undertaken either on the client’s premises, an Appleton Greene serviced office, or online via the internet. This enables clients to implement each part of their business process, before moving onto the next stage of the program and enables employees to plan their study time around their current work commitments. The result is far greater program benefit, over a more sustainable period of time and a significantly improved return on investment.
Appleton Greene uses standard and bespoke corporate training programs as vessels to transfer business process improvement knowledge into the heart of our clients’ organizations. Each individual program focuses upon the implementation of a specific business process, which enables clients to easily quantify their return on investment. There are hundreds of established Appleton Greene corporate training products now available to clients within customer services, e-business, finance, globalization, human resources, information technology, legal, management, marketing and production. It does not matter whether a client’s employees are located within one office, or an unlimited number of international offices, we can still bring them together to learn and implement specific business processes collectively. Our approach to global localization enables us to provide clients with a truly international service with that all important personal touch. Appleton Greene corporate training programs can be provided virtually or locally and they are all unique in that they individually focus upon a specific business function. All (CLP) programs are implemented over a sustainable period of time, usually between 1-4 years, incorporating 12-48 monthly workshops and professional support is consistently provided during this time by qualified learning providers and where appropriate, by Accredited Consultants.
Executive summary
Compliance Administration
The Corporate Training Program on Compliance Administration aims to guide and advise organizations on their compliance program. It will look into the various aspects of the administrative systems, tools, set-ups, and business operations that contribute to or are related to the compliance program. The training program will guide employees in better understanding the policies and procedures in place and the actions that need to be taken to prevent violation of any regulations or laws.
The regulatory and compliance landscape is never stagnant. New regulations are passed every year and it is easy for organizations to fall behind. Businesses often get caught up in their day-to-day activities and lose focus on their compliance requirements. Even minor negligence in compliance can cost an organization money, time, and, most importantly, its reputation. In this ever-changing environment of corporate compliance, this training program should help you operate safely, within regulations.
For an organization to succeed in compliance administration, it first needs to educate its employees on what compliance and compliance management mean. Employees need to understand why it is important to comply with regulations and what the consequences of negligence could be. Compliance management is all the more important in industries that handle clients' or customers' personal, financial or other sensitive information. Industries such as Banking & Financial Services, Insurance and Business Services need to pay particular attention to regulations, legal consequences, and compliance.
What is compliance management?
Compliance management refers to the process of ensuring that the organization abides by the laws, regulations, and standards set by different governing bodies. There may be different regulations that an organization or its individual departments need to adhere to. These regulations or standards can be set by government agencies, international standard-setting bodies, or industry-specific authorities, and all organizations within their jurisdiction are expected to comply.
Common examples of compliance regulations and standards include the Health Insurance Portability and Accountability Act (HIPAA), the EU's General Data Protection Regulation (GDPR), the Federal Information Security Management Act (FISMA, updated in 2014 as the Federal Information Security Modernization Act), and the Payment Card Industry Data Security Standard (PCI DSS). Note that not all of these are laws: PCI DSS, for example, is an industry standard enforced through contracts with the card brands and acquiring banks rather than by a government regulator. A simple example of compliance is obtaining a license to do business in a particular country or following ISO standards in the development of a product or service.
Compliance management includes documenting the policies and procedures that the organization is required to follow, performing internal/ third party audits to ensure compliance, and, lastly, compliance training to ensure that everyone in the organization is current with the regulatory landscape.
Why are compliance management and administration important?
It goes without saying that meeting legal obligations is a necessity for every organization. But apart from the legal consequences of regulatory compliance, it is important from many other perspectives as well. Compliance with regulations and standards is beneficial not only for the customers and stakeholders of an organization but also for the organization itself. Only when an organization and its employees understand the real purpose behind a law or regulation will they be able to see the less obvious advantages it brings.
From the point of view of the organization, the benefits that it enjoys with efficient compliance management include:
Improved processes and better safety
Compliance with the industry's regulations and the standards set by the government or international standard-setting bodies helps an organization improve its processes. These standards and regulations are written with a minimum benchmark of quality in mind that every organization should try to achieve. Compliance with them means that the company has met that benchmark and the internationally accepted standards behind it.
It also means that the organization has a better work environment. Compliance with safety laws, diversity and inclusion rules, privacy laws, etc. ensures that the people working in the organization, as well as the people the organization deals with, are safe from threats. These may be data security threats, safety hazards, threats of discrimination, or others. Compliance makes the workplace safer for everyone, which in turn results in improved productivity.
So instead of seeing compliance as a liability, organizations should see it as an opportunity to continuously improve their standards and get more returns out of it.
Improved public relations and customer satisfaction
A company that is compliant with the industry standards and government regulations is always considered more reliable by people. When an organization is compliant or follows international standards in its products and services, it can boast about these on its website or in its other marketing materials. This can be very beneficial not only in attracting more customers to the company but also in attracting more talent, investors, and so on. Customers will tend to trust a company that is compliant because it ensures them of quality in their products and services.
Employees will be more interested in a company that is compliant because they can expect a healthy and safe work environment. Inclusion, safety, and physical and mental well-being are important to anyone looking to work in an organization. Similarly, an investor will see less risk in a company that is compliant with regulations than in one that pays no heed to those regulations or standards. Funding agencies will usually look for evidence of a company's compliance with regulations. It assures them of the quality standards that the company maintains, which translates to customer satisfaction.
Complying with standards or laws is a mark of sincerity and dedication to the stakeholders of the company and it can help the organization garner a lot of goodwill.
Cost and time saving
An organization that does not comply with regulations has every chance of falling prey to a security breach or an accident at the workplace or some other kind of risk. Most of these scenarios have serious legal consequences. Employees, customers, the public, or other agencies can sue the company if it fails to comply resulting in damage to any other party. This leads to tedious court cases that run for years and often, millions in fines and compensation.
Proper compliance administration can save a company millions of dollars by reducing the risk of fines, penalties, strikes by workers, lawsuits, or even a shutdown of the business. It also protects the company from negative publicity which can ruin its image in the market even if there are no serious legal outcomes.
A direction to the efforts
Efficient compliance management also gives a sense of direction to the people working in the company. It ensures that everyone in the company is aware of the quality standards, workplace ethics, government regulations, etc. that the company aims to follow. This awareness and day-to-day practices that ensure compliance can help create a culture of quality, safety, inclusivity, and accountability. Everyone in the organization understands their responsibilities towards the company, their coworkers, their customer, and society as a whole. This guidance is of utmost importance to make sure that the organization continues to improve and grow through transparent, ethical, and safe practices.
Better control of processes and procedures
Good compliance administration also means that the organization’s leadership and management are in control of the processes and procedures implemented. This also gives them control over the quality of end products, the productivity of employees, and their overall image. Being in compliance also assures better risk management for the leaders and managers. By controlling the way the processes run, or how the people behave on a daily basis, the organization can achieve a level of excellence over time.
Compliance Essentials
When trying to increase and ensure compliance in an organization, there are several important factors that an organization has to consider. Getting everyone in an organization to comply with some prescribed regulation is not as easy as it sounds. The management of an organization may tend to think that simply making people aware of the regulations should be enough to help them comply. But you cannot expect people to change their habits immediately and compliance does require people to change.
Compliance management goes deeper than that. It requires careful planning and strategy. There can be different approaches to compliance administration in an organization, which again depends on the organizational culture to an extent. The compliance administrator or manager has to decide which is the best way to get people to willingly bring behavioral changes and what will make these changes sustain.
Appoint a designated compliance administration team
The very first step in compliance administration is to have a dedicated team for the purpose. The team is usually led by the Chief Compliance Officer who is assisted by Compliance Administrators at various levels. The job of the compliance administration team is to design and implement all the administrative processes adhering to the organization’s policies, to ensure compliance. The Compliance administration team will also need to arrange for compliance training of employees and evaluate the application of the procedures taught within the organization.
The team should be responsible for carrying out all the correspondence and communication with the legal or regulatory department. They must keep the organization updated on recent developments or changes in regulations and standards. The team has to document any new information and report to the company’s leadership about the same.
As compliance requires continuous monitoring, the compliance administration team also has to define internal auditing processes and carry out audits regularly. The team has to design strategies to achieve all the objectives of compliance management and communicate the compliance requirements to employees and departments effectively.
Build a strategy
Once a compliance administration team is formed, the organization has to focus on building a strategy to ensure efficient compliance management. The strategy will include the plan of action that the organization will follow in administering the regulations as well as the approach that it is going to take.
For building the strategy, the compliance administration has to first identify the regulations applicable to the organization, which could be specific to the industry it functions in or to its operations. There may be other regulations that are applicable to all irrespective of their industry or operations, such as diversity and inclusion or corporate social responsibilities. After identifying the applicable regulations, the team must assess the organization’s current state and decide whether they are in a position to implement these regulations effectively. They must assess what resources may be required for successful implementation.
After this initial assessment of the whole situation is done, the organization has to build a compliance program. This program will focus on the organizational policies to be introduced. It should also define the processes in compliance with the regulations, which will depend on what products and services the company offers. The compliance program will also include training of employees to help employees understand existing and new regulations and their implementation. The program has to introduce both internal and third-party audits to monitor whether all guidelines are being followed in all areas of the business. And lastly, wherever a lapse is detected, corrective measures must be in place to improve those areas.
The organization also needs to decide on the kind of approach it wants to take in the enforcement of regulations. It can either resort to a rigid approach or a flexible approach. It primarily depends on the organizational culture and how authority flows within the organization.
• A rigid approach to compliance management
It is quite clear from the name above that the rigid approach allows almost no deviance from the set regulations. In case of violations, the organization takes very stern action. In large organizations where the compliance managers have to ensure that a large number of employees comply with the regulations, such a rigid approach often becomes necessary. They cannot afford to practice any leniency in the implementation of regulations as a minor lapse may soon cascade into uncontrollable deviance. So, organizations like these cannot manage the implementation of company policies on a circumstantial basis but have to stick to the guidelines end to end.
This type of approach may also be seen in organizations that have a rigid hierarchical structure. When the authority to make decisions lies only in the hands of the executive leaders, compliance managers are bound to follow their instructions. In such organizations, decisions cannot be changed to accommodate circumstantial issues. Even if managers have to deviate from the guidelines to make exceptions, they have to wait for approval from the leadership, making the process long and tedious. There is no autonomy, and compliance has to be administered strictly in these organizations.
A rigid approach is also necessary wherever non-compliance inevitably means crossing a legal boundary. The organization cannot afford to take regulations lightly in such cases and compliance is a must.
• A flexible approach
A flexible approach may not be possible where there are legal implications to a regulation. But in the case of certain policies within the organization, the compliance managers may deal with the matter with a lighter hand. Under certain circumstances, relaxing a few guidelines or giving more flexible options to employees can boost their productivity and may even be necessary. As long as relaxing a particular standard does not compromise the company’s ethical or legal liabilities, a flexible approach can be used to improve workflows and performance.
Every organization faces such circumstances from time to time where it may not be practical or reasonable to rigidly stick to a rule. It may have to make exceptions and the flexible approach allows for it. This is a more suitable approach for smaller companies that have the liberty of making decisions on a case-to-case basis. They have fewer people to manage and anything that goes out of hand can be controlled much more easily.
However, a flexible approach may also apply to large companies under certain circumstances. Large companies may have many different internal policies to comply with, and sometimes these policies contradict one another, resulting in conflicting standards within the organization. In such cases the organization has to take a flexible approach and decide, based on its priorities, which internal policy takes precedence. This latitude applies only to the company's own policies; legal and regulatory obligations cannot be traded off against each other in this way.
There is no hard and fast rule as to which approach a company should take. The same organization may choose to take a different stance under different circumstances. For rigid compliance, the company policies must be extremely clear and leave no scope for ambiguity. Wherever there is a lack of clarity, the company has to allow more flexibility. The organization must have procedures in place to allow for such exceptions, such as getting a written permission or informing the supervisor before deviating from the standard process.
Administer compliance training
The next step after creating the compliance management strategy is to prepare the employees for compliance. An employee will only be able to follow the guidelines when he or she is aware of them. This is why a robust compliance training program is absolutely necessary for every organization.
The compliance training educates your employees about the laws, regulations, and standards that the organization needs to abide by. These are, therefore, the regulations that they need to abide by as well being a part of the organization. The training program cannot be unidimensional though. Laws and regulations keep changing. So, the organization cannot expect to manage compliance successfully by simply training their employees once. There has to be a separate training program for onboarding or new employees, introducing them to the existing rules and policies. Also, there have to be training programs planned for whenever there is any change in the regulations or whenever new procedures are introduced.
Periodic training must be made mandatory in order to achieve the successful implementation of rules and regulations. Training may be conducted live in person or through e-learning platforms, video conferencing, or other modes, to make the training programs more accessible to everyone. As the Covid-19 pandemic showed, it is all the more important for organizations to invest in remote training and development programs.
Focus on monitoring and annual reporting
Any compliance framework has to have a monitoring and reporting method in place to ensure that the efforts to ensure compliance are hitting the target. The organization should have oversight of its compliance management through constant monitoring, and the compliance team must make sure that all employees are working within the compliance framework. This continuous monitoring allows the compliance managers to detect issues and eliminate them before they can lead to serious consequences.
Effective monitoring requires established protocols and controls to detect problems and remediate them so that compliance is maintained at all times. In case of a breach of compliance, the monitoring method must be able to correctly identify how the breach occurred and where it originated. This helps the compliance managers address the right issues and prevent similar problems in the future.
Compliance managers also need to have a standard method of reporting to the senior management of the company. The report should discuss in detail how the organization is enforcing or implementing rules, regulations, laws, and standards. It should include the analyses of the methods implemented and discuss whether they have been effective.
Regular audits and reporting are an extremely essential part of compliance administration as it allows the organization to avoid non-compliance in time. Internal audits from time to time can help them address issues before external auditors can find them. This can save the organization from regulatory penalties and lawsuits.
Track and report exceptions
We have already discussed above that an organization may need to make circumstantial exceptions when it comes to compliance. But if these exceptions are undocumented or untracked, external auditors may treat them as non-compliance. This may land the organization in serious trouble.
Whenever an organization decides to make an exception to compliance with a given standard, it must immediately record it and report it to the appropriate authorities, within or outside the company. The same discipline applies to incidents that regulations require to be reported. For example, under the GDPR in the European Union, a company that has suffered a personal data breach must notify its supervisory authority (the national Data Protection Authority, DPA) within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to individuals. Timely notification and cooperation with the authority are taken into account when any fine is set, while failure to notify is itself a breach that can attract heavier penalties.
For internal policies, any exception made must be reported to the senior management along with circumstances that called for such an exception. This allows the appropriate authorities to investigate and confirm the incident in a timely manner.
Risk Assessment
Risk assessment is an important part of the compliance management framework. Conducting a compliance risk assessment is a necessary step in compliance administration. Every organization has certain areas where compliance risks are high and which may lead to potential legal, financial or reputational damage. Compliance risks are the threats to the organization’s operational performance or legal, financial, and reputational standing due to non-compliance with the law, standards, or codes of conduct.
To understand all the potential risks, an organization may need to improve its compliance risk assessment process. An organization may have experience with risk assessment in general. Every business has to carry out a risk assessment for various purposes, but not all of these risk assessments focus on legal or regulatory compliance implications. Though compliance risk assessments may follow a similar approach as enterprise risk assessment or internal audits, they are supposed to be much more focused on the legal aspects.
The compliance risk assessment framework can help compliance managers detect any inefficiencies or loopholes in the system and address them before they can create bigger problems for the organization. Compliance risks are even greater with the rapidly changing regulatory landscape today. Businesses find it challenging to keep up with the changes and the chances of non-compliance, and associated risks of penalties, increase as a result. A strong compliance risk assessment framework can prevent this from happening.
For efficient compliance risk assessment, an organization has to build a proper methodology for risk assessment. The methodology usually consists of a few basic steps which include the following:
Identifying the hazards
This is the first step, where the organization must assess its current state to identify any processes, procedures, systems, or transactions that may be non-compliant. This current state assessment also lets the compliance managers find existing materials already prepared for compliance purposes and see if they are being followed efficiently. The key people working closely with the business process need to be interviewed to understand how they are ensuring compliance.
This step allows the compliance administrators to get a clear picture of the company’s compliance landscape and identify the compliance risk points or areas that are potentially violating regulations. Evaluating all the key processes, systems, and recurring transactions in terms of regulatory compliance with the applicable laws and standards can give valuable insights.
During this initial assessment, the compliance managers will distinguish two types of risk, namely inherent risk and residual risk. Inherent risk is the risk that a process, system or transaction carries before any mitigating controls are taken into account. Understanding the inherent risks in a business allows the compliance managers to decide how to control them and build a compliance strategy well in advance.
Residual risks are those risks that still pose a threat despite applicable controls being in place. These risks could be a result of inefficiencies in the existing controls or compliance measures and will require corrective actions to improve the system.
Assessing the current controls
The next step is to assess the controls in place and detect any insufficiency in the policies, procedures, working instructions, or other applicable controls. To understand whether all controls are efficiently helping with compliance, the compliance managers must themselves be aware of all possible regulations and standards that are applicable to the business.
Taking measures to enhance compliance
The organization then needs to prioritize its compliance risks and address the compliance program gaps on the basis of the severity of risks. High-risk areas must be covered first then moving on to lower-risk areas systematically. Monitoring, feedback, and improving the risk assessment framework on a regular basis are important to ensure that it delivers results.
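The three steps above (identify the hazards, assess the current controls, then prioritise and remediate) can be carried as a simple risk register. The following is an added example written for this page, not material from the training programme; the 1-5 likelihood and impact scales, the control effectiveness values, the severity thresholds and the sample register entries are all assumptions made for illustration. It computes inherent risk, combines the controls in place to obtain residual risk, and produces a remediation list ordered by what is still exposed, flagging entries that have no control at all.

```python
"""Compliance risk register with inherent and residual risk scoring.

Added example for the risk assessment steps above; it is not material from
the training programme. The 1-5 likelihood and impact scales, the control
effectiveness values and the sample register entries are all assumptions
made for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    effectiveness: float  # assumed scale: 0.0 = no mitigation, 1.0 = fully mitigates


@dataclass
class ComplianceRisk:
    area: str
    requirement: str
    likelihood: int  # assumed scale 1 (rare) to 5 (almost certain)
    impact: int      # assumed scale 1 (negligible) to 5 (severe)
    controls: list[Control] = field(default_factory=list)

    def inherent(self) -> int:
        """Risk before any control is considered (step 1 of the methodology)."""
        return self.likelihood * self.impact

    def control_effectiveness(self) -> float:
        """Combined effect of the controls in place (step 2).

        Controls are treated as independent, so the risk that survives all
        of them is the product of what survives each one.
        """
        remaining = 1.0
        for control in self.controls:
            remaining *= 1.0 - control.effectiveness
        return 1.0 - remaining

    def residual(self) -> float:
        """Risk that remains despite the controls; this is what gets prioritised."""
        return self.inherent() * (1.0 - self.control_effectiveness())


def rating(score: float) -> str:
    """Map a score on the 1-25 grid to a severity band (assumed thresholds)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritise(register: list[ComplianceRisk]) -> list[ComplianceRisk]:
    """Order by residual risk, breaking ties on inherent risk (step 3)."""
    return sorted(register, key=lambda r: (r.residual(), r.inherent()), reverse=True)


def remediation_plan(register: list[ComplianceRisk], threshold: float = 8.0) -> list[dict]:
    """Entries whose residual risk is still at or above the threshold.

    Entries with no controls at all are flagged explicitly, because they are
    the gaps an external auditor would find first.
    """
    plan = []
    for risk in prioritise(register):
        if risk.residual() >= threshold:
            plan.append({
                "area": risk.area,
                "requirement": risk.requirement,
                "inherent": risk.inherent(),
                "residual": round(risk.residual(), 1),
                "rating": rating(risk.residual()),
                "gap": "no control in place" if not risk.controls else "control insufficient",
            })
    return plan


# Constructed sample register (not real assessment data).
SAMPLE_REGISTER = [
    ComplianceRisk("Cardholder data storage", "PCI DSS", 4, 5,
                   [Control("Tokenisation of PANs", 0.8)]),
    ComplianceRisk("Breach notification within 72 hours", "GDPR Art. 33", 3, 5, []),
    ComplianceRisk("Access to ePHI", "HIPAA Security Rule", 3, 4,
                   [Control("Audit logging", 0.5), Control("Quarterly access review", 0.3)]),
    ComplianceRisk("Vendor due diligence", "Internal third-party policy", 4, 3,
                   [Control("Annual questionnaire", 0.25)]),
]

if __name__ == "__main__":
    for item in remediation_plan(SAMPLE_REGISTER):
        print(item)
```

On the constructed register the GDPR notification entry comes out on top because nothing mitigates it, even though cardholder data storage has the highest inherent score; that is the point of separating the two figures, since an auditor will ask about the residual exposure, not the headline one.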
Testing & Certifications
Compliance with regulations and standards is only useful when the organization has valid evidence to prove it. For most international standards and industry certifications an organization cannot simply certify itself; self-certification is generally valid only for internal policies and codes of conduct. Some schemes do allow a self-assessment for lower-risk cases (PCI DSS, for example, lets smaller merchants complete a Self-Assessment Questionnaire), but even then the attestation must be backed by evidence that an assessor or acquirer can check. For everything else, testing and certification by an accredited, independent body are essential.
Compliance testing, also sometimes referred to as conformance testing, is the process of testing the controls that the organization has established to validate whether they meet the prescribed standards or not. It is one of the first tests conducted in any audit for assessing the control environment of the organization. If all controls are found to be effective and the organization's processes and procedures are found to conform with the standards, the certification body or auditor can certify the organization, or the relevant process, product or area, as compliant.
The methods and approaches to compliance testing differ between industries. If the organization is undergoing IT compliance testing, for example, the audit teams may check conformance with technical standards published by bodies such as the World Wide Web Consortium (W3C) or the Institute of Electrical and Electronics Engineers (IEEE), as well as with the regulatory frameworks that apply to the business. For a manufacturing plant in the US that must comply with the pollution control measures laid down in the Clean Air Act (CAA), the company may have to undergo emissions testing, and so on.
For different industries, there may be different standards and, thus, different certifications. Companies working in the Banking & Finance, Insurance, or Investment industries, in particular, are required to operate in a very complex regulatory landscape. The US alone has several regulations at both the federal and state levels. There are privacy and cybersecurity laws, corporate finance regulations, investment regulations, and much more.
It is, therefore, important for organizations to have their own internal testing methods in place, so that external audits cannot find any gaps in the control environment and acquiring certification becomes easier. For compliance testing internally, compliance teams can first create a checklist of all the applicable regulations and certifications that the organization is required to have. Then, a testing methodology can be developed from their understanding of compliance testing, taking into consideration what external auditors could look for. This will help them identify issues and remediate them before an external compliance testing takes place.
The testing methodology may be simple. The aim here is to test whether the deliverables of each system or process are compliant with the prescribed standards or not.
Workflow Processes
Management of workflow processes is a crucial part of compliance management as well. Workflow processes are the series of tasks that need to be carried out in sequence to execute a business process successfully. But these workflows cannot be designed any way one likes. They have to follow predefined rules and standards, which means that the workflow processes need to be compliant too. They must be designed to comply with the company's internal policies and with the applicable laws or regulations set by external agencies.
The organization has to define the compliance benchmarks based on these internal and external compliance requirements for the workflow.
Workflow management software
Until a few years ago, companies would try to achieve workflow compliance through manual effort, enforcing the regulations and laws by hand and checking that they were followed to the letter.
However, this is not only time-consuming but also leaves room for human error and weakens accountability, making the workflow process prone to violations. That is why companies today rely on workflow management software that makes compliance a lot easier. Workflow management software streamlines the business process and automates most of the work involved in workflow design. Tasks can be assigned in the software along with instructions and guidelines, so that the person responsible for carrying them out is aware of the compliance requirements and does not need to be reminded of the regulations again and again.
A good workflow management software can ensure that all necessary steps in the workflow process are followed, control processes are enforced without fail and all information is verified. The workflow manager can assign approval checkpoints so that work is approved only when it meets the compliance requirements. This also saves time on monitoring and evaluation of the work.
Workflow automation can reduce the risk of non-compliance and avoid problems when the time for compliance testing comes. For example, let us consider the accounting workflow of an organization. There are a lot of factors to be remembered in this workflow, such as what comes in and what goes out, what is recorded as a debit and what as a credit, etc. Then there are tax calculations, standard formats and much more to follow. By automating the accounting workflow through the workflow management software, the organization can ensure that all documents, calculations, etc. go to the appropriate departments at the right time. The chances of a lapse here are minimal, as everything is entered into the system beforehand and the rest is automated. With minimal human intervention, compliance becomes more likely.
Ethics Code
Every business has to develop a code of ethics, for more than one reason. Ethics broadly define the values and principles that the organization stands for, and they are supposed to guide the behavior of everyone working in the organization. As a business grows, it is not possible for the leaders to instill these ethics in each and every employee directly, and that is why a code of ethics becomes essential. The code of ethics is a documented version of the values and principles that can be shared with everyone, making them easily accessible. It should remind each stakeholder of the organization of their responsibilities toward the enterprise and society.
There are usually two kinds of ethics codes in an organization – one that is based on integrity and one based on compliance.
Integrity-based code of ethics
The integrity- or value-based code of ethics refers to the company’s core values. It outlines the standards of responsible behavior expected of everyone in the company, for the greater good of society. These value-based codes of conduct may not always carry severe consequences if violated, so they require more self-regulation and cannot be enforced by others. Every individual has to consciously control their behavior to comply with these ethics. Instead of dictating a certain kind of behavior, an integrity-based code of ethics focuses on certain actions or outcomes that the organization hopes to achieve.
Compliance-based code of ethics
A compliance-based code of ethics, on the other hand, is developed so that everyone in the organization follows the regulations and laws set down by regulatory bodies. Issues that can have serious implications such as safety, workplace harassment, cybersecurity, privacy, environmental hazards, etc. are usually controlled by binding regulations. Compliance-based codes of ethics are not just guidelines for employees to follow, they can also result in heavy penalties if violated. The penalties are also, usually, defined in the code of ethics itself.
Employees may need to undergo formal training to fully understand the laws and regulations as well as the code of conduct. As there are legal implications of non-compliance with these ethics, the organization usually suffers a loss for even a single error on the employees’ part. So individual employees can also be penalized by the organization for failure to comply with and follow guidelines, despite being constantly reminded.
In most organizations, it is the responsibility of the compliance administration team, or the compliance officer to ensure that the principles and conduct mentioned in the code of ethics are followed by all employees across all departments. They are also expected to keep track of any changes in regulations and update the code of ethics accordingly as well as communicate these changes to employees in order to encourage compliance.
The compliance-based code of ethics has very clearly defined rules and consequences. It usually does not allow for circumstantial changes or individual monitoring and applies to all, irrespective of the circumstances. There is no place for ambiguity in compliance-based conduct as ambiguity makes way for different interpretations by different people.
Training and communication
In the case of both integrity-based and compliance-based codes of ethics, it is very important for organizations to focus on training and communication. Organizations can never expect to comply with their codes of ethics if employees are not well versed in the organizational policies and procedures. Employees need to be informed of their ethical boundaries within the organization and of their responsibilities as part of the organization.
Professional Ethics
The compliance program in an organization has to go hand in hand with a professional ethics program. Professional ethics in the organization play a very important role in ensuring compliance. Professional ethics began to be seen as an integral component of compliance when more and more cases of financial scandals, scams, money laundering, etc. came to light. Major events like the tech bubble that burst in 2002, leading the stock market to crash, or the housing bubble in the US in 2008, caused governments and regulatory bodies to strengthen regulations and focus more on professional ethics, transparency, and rigorous scrutiny.
Such events have caused professional ethics and compliance to take center stage and made them a part of the strategic foundation of the organization. Good professional ethics are not just necessary for an organization now but are the key to gaining stakeholders’ trust and a reputation in the industry. A strong professional ethics and compliance program can enhance the company’s reputation, increase employee engagement and create a healthy organizational culture where ethical behavior is not exceptional but rather a norm.
Identifying the gaps
For a strong and effective business ethics program, it is important for the organization to first understand where it stands. The compliance managers need to ask several questions, such as:
What challenges in terms of business ethics does the organization face?
Which group of people, departments, locations, or business units show the highest risk of non-compliance or poor ethics?
What are the organizational values that employees need to stand by?
What other values may be necessary for the organization to be compliant?
What resources may be needed to help employees understand and comply with the necessary ethics?
Which group of people’s inputs may be important or useful in developing the company’s code of ethics?
Answering these and other similar questions can help compliance administrators create a meaningful and clear plan of action. This gives them a detailed picture of their current strengths and weaknesses. A gap analysis like this will tell them what needs to be done to promote strong professional ethics among the employees.
Establishing a strong foundation
Once an organization knows what it needs, it can start laying the foundation for strong professional ethics and thus for strong compliance. The first step in laying a strong foundation is building a robust ethics and compliance program. An ethics and compliance program has been proven to be a very powerful tool in preventing the compromise of standards and in surfacing observed misconduct. It results in increased reporting of misconduct by employees and also reduces people’s fear of pointing out wrongdoing. With a strong professional ethics program in the organization, employees do not feel pressured to compromise standards or break laws, and the program assures strict action against those who themselves deviate or pressure others to do so.
As more people value professional ethics and the organizational culture encourages it, bad conduct comes to light more easily making it easier to address the problems internally.
Building a strong foundation requires several tools. These include a written code of conduct, employee training in ethics and compliance, company resources offering advice and information about ethics and compliance, a prescribed method for reporting potential violations, and so on. Any reporting of violations should be kept confidential and anonymous to build confidence among employees. Also, it is important to have a regular evaluation of performance in terms of ethical conduct and a strong system in place to discipline and penalize those who violate.
Committing to ethics and compliance from the top down
Professional ethics and compliance are not meant for employees alone. The commitment towards professional ethics must be exhibited by the top executives of a company as well. Integrity, honesty, and transparency among the organization’s leadership are essential to influence good conduct among employees. The leaders of the company are the people who develop the organizational culture over time, and so they have the power to change the organizational culture for the better as well.
Leaders can, therefore, promote strong professional ethics through their words and actions. They need to talk more about the importance of ethics. They must communicate the issues that arise every day due to a lack of professional ethics. Leaders must themselves keep their word and uphold promises they make to employees or other stakeholders to demonstrate their integrity. Apart from this, the company’s leaders should also make an effort to recognize and acknowledge those who show highly ethical conduct and hold accountable those who violate regulations and codes of conduct.
Such a display of integrity and ethics by the leadership can play a huge role in changing the environment of the organization.
Making professional ethics central to all operations
To promote a culture of professional ethics and compliance, it is not enough to just talk about it once a month or conduct a workshop every year. Professional ethics have to be central to everything that the organization does. Ethics should be an integral part of the company’s day-to-day functioning. Starting from the company’s HR policies to the hiring processes, from performance management to reward systems, everything that the company does must be done within the value system and ethical framework that it hopes to establish.
Even in a time of crisis, leaders have to take the opportunity to teach ethics that can help find a feasible as well as an honest solution to the problem. Employees should never be encouraged to compromise on standards, take shortcuts or adopt unethical means to solve a problem. Staying firm on their ethics even during crises, helps leaders show employees that professional ethics are an important element for a successful business.
Types of Ethics
The three major approaches in normative ethics are virtue ethics, consequential ethics and deontological or duty-based ethics. Virtue ethics emphasize moral character in judging whether something is right or wrong. Consequential ethics make this judgment based on the consequences engendered. Deontological ethics suggest that an action is right or wrong depending on a specific set of rules.
The roots of virtue theory go back to the beginning of philosophy in Athens, set out in Aristotle’s ethical treatise, the Nicomachean Ethics. Ethical values can arise from a moral rule and have a corresponding vice. For example, a moral rule around ‘not lying/always speaking truthfully’ is associated with honesty and opposed to dishonesty. Moral agnosticism naturally stands in the way of fostering an ethical culture within the organization. It can lead to ‘ethical blindness’, where people (good or bad) behave unethically without being aware of it, usually from not considering the ethical dimensions of a decision they are making.
Consequential theories base the moral evaluation of actions on the outcomes they produce. Utilitarianism is a well-known consequentialist theory that assesses character traits and actions solely in terms of their overall net benefits. It is concerned with the question ‘what outcomes should I want?’ and, as one can imagine, can be problematic if used to defend actions or decisions that affect the organization’s compliance posture.
Deontology, associated with the philosopher Immanuel Kant, emphasizes the motivations, ideals and principles underlying an action or decision rather than the consequences of that action or decision. According to deontological theories, some actions are always wrong even if they lead to a desirable outcome.
Judging the morality of actions based on an ethical framework can help shape the ethical character of the entire organization.
Gifts & Entertainment
There is a very high-risk compliance area that companies often tend to neglect: gifts and entertainment compliance. Although gifts and entertainment may be an important tool for companies to foster good business relationships, there are regulations on their use as well. That is because gifts and entertainment can also lead to inappropriate influence and undue favors. Bribery in government and corporate offices, anti-kickback laws, violations of contract policies with third parties, etc. have increased the need for regulations governing gifts and entertainment in an organization.
Every organization should understand the risks involved regarding conflicts of interest, bribery, or their interactions with certain customers, etc. when creating a gifts and entertainment compliance framework. They should also be aware of the gifts and entertainment policies of their stakeholders, such as clients, suppliers, IT partners, and so on. This helps ensure that the policies of the company do not result in the violation of the other party’s compliance policies.
Building a gifts and entertainment compliance program follows a procedure similar to most other compliance programs. It starts with an assessment of the compliance risks and the applicable regulations, followed by the creation of standards and policies for the company, training and communication, monitoring, and control.
The traditional approach to gifts and entertainment
Until not so long ago, gifts and entertainment were not viewed as a matter of concern. Companies allowed the acceptance and gifting of luxury items, visits to luxurious places, or donations without the need for any documentation. At that time, regulations on gifts and entertainment were seen only as an obstruction to building relationships with partners and other businesses.
But the scenario is very different today. Organizations cannot afford to accept or give away expensive gifts or large donations without a valid reason and documentation. There are numerous lawsuits and fines associated with inappropriate gifting or acceptance of gifts, which may be considered corruption. Apart from the legal consequences of violating these regulations and the loss of reputation, employees today are themselves more aware of, and give more importance to, ethics and values. So this traditional approach to gifts and entertainment is no longer valid in today’s world of business.
Creating policies for gifts and entertainment
When creating gifts and entertainment policies for a company, there are certain key factors to keep in mind. First of all, like all other compliance requirements, the gifts and entertainment policies should also be documented and circulated throughout the organization. The documented policy should clearly explain why certain gifts or entertainment activities are not acceptable and why putting these limits on them is important.
It should also clearly mention which gifts and entertainment activities are acceptable within the company. If there are any particular business units or functions where the rules need to be stricter, that should be clearly defined in the policy. The policy should also discuss the penalties and possible action that will be taken against violators.
Training and education of employees in this regard are equally important. All employees should know the standard code of conduct regarding the acceptance of gifts and the values that the organization upholds.
Insider Trading
Insider trading has caused trouble to many big names in the Investment and Finance sector. Employees of companies in these industries have access to a lot of confidential information pertaining to the stock market and trading. Using this information for trading in the stock market for personal gains is not just unethical but also legally prohibited. This is why regulatory bodies have put down very stringent laws against insider trading.
It is very important that the compliance program in an organization is adequately designed to deliver maximum effectiveness in detecting and preventing unlawful, criminal activities by employees. The government also requires that these compliance policies be efficiently enforced, although it may not be possible to keep an eye on every activity of employees.
Creating a strong insider trading policy
The organization must have well-defined rules on personal trading for employees. The management should ensure that trading policies for employees are effectively enforced, distributed, and reviewed regularly. The documented policy on employee trading should clearly differentiate between permitted and restricted employee trading activities. It should also state who the covered persons are and what the covered securities are. If employees are required to obtain permission before entering a trade in a covered security, the procedure for approval must also be stated clearly. Employees are also required to report their holdings over a fixed period, and the policy should define the time period and frequency of reporting.
The rules of insider trading are not limited to employees alone; covered persons may include family members and others over whom the company has discretionary authority. So a full list of accounts and trading reports of such persons may also be requested by the company for verification.
A strong process of regularly reviewing employees’ compliance with trading policies and restricted investments must be in place. Organizations also have to take care of who has access to confidential information. For instance, regulatory bodies require companies to regulate and maintain detailed records regarding the sharing of material non-public information (MNPI) with employees. The management of the company must control who gets the privilege of accessing MNPI and keep valid records of it, including when the information is shared and for how long a piece of information is considered MNPI.
Efficient insider trading compliance program characteristics
A strong compliance program for insider trading should have the following characteristics:
– The commitment of top leadership
– Adequate resources, qualifications, and structure to ensure compliance
– A strong code of conduct, policies, and procedures
– Effective training of employees and communication of policies to them
– An efficient method for confidential and anonymous reporting, as well as investigation
– Internal auditing and controls testing
– Regular review and improvement of the compliance program
It may be difficult to completely prevent insider trading even with the most efficient compliance program, but having robust policies and strong ethics within the company can mitigate the risk to a great extent.
Governance and Audit
Proper governance and auditing are an integral and critical part of any compliance program. Internal audits are a necessary way of ensuring that all the controls employed to ensure compliance are working effectively. They also serve as a means of assuring stakeholders that compliance is being taken seriously.
Moreover, regulatory bodies are always increasing the requirement for mandatory disclosures regarding compliance and governance that must be submitted by companies from time to time. That makes governance and auditing all the more important to organizations that have an ongoing compliance program. But despite the pressing need for efficient governance and auditing, the challenges to these activities are not getting any smaller. The regulatory and business landscape is continuously changing. From regulations to people to technology and processes, everything changes rapidly today and adds complexity to governance methods.
From 2002 to date, that is, within merely the past 18 years or so, numerous new regulations and compliance requirements have been introduced, particularly in the Banking & Finance, Insurance, and Investment industries. From corporate governance requirements to SOX to the Regulatory Mandate for Risk Management, there have been several cultural shifts in the business environment.
This requires businesses to not only focus on governance and auditing but also ensure that their methods are sustainable in the face of an ever-changing environment.
Role of executive suite in governance
Governance and auditing comprise all the activities carried out by the compliance, risk assessment, legal, finance, HR, and IT teams within the organization. They also include any auditing done by third parties or external stakeholders. However, it is not just the compliance and auditing teams that are responsible for managing governance, risk, and compliance. The top executives and the board of directors of a company are equally responsible for governance and compliance. Governance refers to the ways and means by which an organization is controlled. Since most of the major decisions in an organization are made by, or in consultation with, the company’s leaders, their involvement in governance and risk management becomes imperative.
Internal audit functions
Internal audits can cover several key areas of governance, risk, and compliance. Risk-based internal audits are necessary for risk assessment and control assessment within the organization. Audits of operational efficiency review the policies and procedures defined by the organization to ensure compliance. They also review the operational framework and the integrity of the systems with respect to business operations and organizational needs. Operational efficiency audits need to focus on the information systems too, as communication and information sharing are crucial to effective compliance.
Apart from these, internal audits may also focus on governance processes. This includes reviewing the code of conduct, the risk management committee’s performance, and the audit committee’s effectiveness. There are other forms of internal audits too that may not be directly related to compliance programs but can have an indirect influence. These are cost efficiency audits of the business, performance efficiency audits, and audits of the business strategy and plan.
Paying attention to governance and audit can greatly improve decision-making in the organization. It also helps integrate the company and break down silos for better collaboration and better flow of information. It can make an organization much more agile and confident.
Importance of compliance auditing
Compliance auditing, both internal and external, is important to an organization for several reasons. External auditing is often necessary for confirming compliance and attaining certifications. But internal audits are also equally useful and important. Timely and regular audits can help a company determine its weaknesses in the regulatory compliance framework and processes. This gives an opportunity to fill up the gaps and improve the processes and procedures to increase compliance.
Audits can also help companies obtain guidance from expert auditors, which can help reduce compliance risks and avoid potential legal consequences and penalties due to non-compliance. We have emphasized several times that the regulatory landscape is very volatile and constantly changing. This means that compliance programs also need to keep up with changes and evolve. Regular audits enable businesses to