
How Can Your Organization Ensure World-Class Compliance?

VComply Editorial Team
April 3, 2023
4 minutes

Modern organizations face increasing pressure to operate safely, sustainably, and in compliance with various regulations and other requirements related to material use, supply chain, by-products, and environmental, health, and safety (EHS) practices across the globe.

To achieve these goals, it is critical to develop and maintain the internal controls that make a compliance program reliable as regulations, industry standards, and other requirements change. This article covers how organizations can build and implement world-class compliance programs.

What are the ingredients of a great ethics and compliance program?

Several factors separate good programs from great ones. The following are the key differentiators we see in the best-performing ethics and compliance programs.

Culture of integrity

One of the most important elements of a great compliance program is a culture of integrity, and that starts with the tone at the top. Culture is one of the strongest determinants of individual behavior in an organization. Organizational culture consists of the underlying values, beliefs, attitudes, and expectations shared by everyone in the company; it is the basis on which decisions are made and behaviors are formed.

A culture of integrity is generally characterized by:

  • A set of clear values that emphasize, among other things, the organization’s commitment to compliance with laws and regulations, integrity, and business ethics.
  • Operating policies and business requirements that are consistent with leadership’s messages regarding ethics and compliance.
  • Middle management that carries the banner: front-line and mid-level managers practice stringent compliance ethics and use their position to encourage ethical behavior among team members.
  • Management at every level that encourages employees and business partners to behave legally and ethically and in accordance with policies and compliance requirements.

Tone from the top

The starting point for any world-class compliance program is buy-in from the board of directors and senior management, and the responsibility they share to protect the organization’s reputation and its shareholders’ assets. The board and senior management need to do more than just talk about ethics and compliance. Reputational risk is increasing and now overlaps with strategic, operational, and financial risk.

Once a company’s reputation is compromised, the impact can be devastating, from a falling stock price to lost customers. The board and leadership team should therefore empower and train their people to mitigate risks and build organizational trust. This is a shared responsibility that everyone must carry.

Risk assessment

The compliance risk assessment identifies and evaluates risks arising from applicable regulatory requirements. Internal and external events or conditions that affect the organization’s ability to achieve its objectives must be identified, distinguishing between risks and opportunities.

These risks are analyzed considering the following:

  • Size of the risk (exposure): where does it occur, how large is it, and how often or to how many items does it apply?
  • Severity of the outcome: how would it affect safety, the environment, operations, finances, customer relationships, and regulatory compliance?
  • Likelihood of the risk: how likely is an adverse outcome, taking into account the maturity of existing controls?

Based on this assessment, management can prioritize risks, select appropriate risk responses and develop a set of actions to align with the organization’s risk tolerance/appetite.

The risk that remains after the selected improvements and internal controls are applied (the residual risk) is then compared with the level the organization is willing to accept. From there, policies and procedures can be established and implemented so that risk responses are communicated clearly enough for operational managers and individuals to execute their duties.
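The scoring, prioritization, and residual-risk comparison described above can be made concrete in a small risk register. The following Python is an added example, not VComply’s code or a scale from the article: the 1..5 scales, the rule that each level of control maturity reduces likelihood by one point, and the response rule (accept / mitigate / escalate) are assumptions chosen for illustration, and the three risks are constructed sample data.

```python
"""Compliance risk register: score, prioritise, and compare to risk appetite.

Added example; the scales, weights and response rule are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Outcome dimensions the article lists. Every risk is rated 1 (negligible)
# to 5 (severe) on each; the 1..5 scale is an assumption for this example.
DIMENSIONS = ("safety", "environmental", "operational",
              "financial", "customer", "regulatory")
SCALE = range(1, 6)


@dataclass(frozen=True)
class ComplianceRisk:
    name: str
    exposure: int              # "size": how often / how many, 1..5
    severity: Dict[str, int]   # outcome severity per dimension, 1..5
    likelihood: int            # chance of an adverse outcome before controls, 1..5
    control_maturity: int      # 0 (no control) .. 4 (optimised) for existing controls

    def __post_init__(self) -> None:
        # Reject garbage early: a register with out-of-range scores ranks nothing sensibly.
        if self.exposure not in SCALE or self.likelihood not in SCALE:
            raise ValueError(f"{self.name}: exposure and likelihood must be 1..5")
        if set(self.severity) != set(DIMENSIONS):
            raise ValueError(f"{self.name}: severity must rate every dimension")
        if any(v not in SCALE for v in self.severity.values()):
            raise ValueError(f"{self.name}: severity values must be 1..5")
        if not 0 <= self.control_maturity <= 4:
            raise ValueError(f"{self.name}: control_maturity must be 0..4")

    @property
    def worst_outcome(self) -> int:
        # One severe outcome dominates the assessment; do not average it away.
        return max(self.severity.values())

    @property
    def inherent(self) -> int:
        # Score before crediting any existing controls.
        return self.exposure * self.worst_outcome * self.likelihood

    @property
    def residual(self) -> int:
        # Assumption: each maturity level removes one point of likelihood, floor 1.
        # Even mature controls fail, so residual likelihood never reaches zero.
        effective_likelihood = max(1, self.likelihood - self.control_maturity)
        return self.exposure * self.worst_outcome * effective_likelihood


def prioritise(risks: List[ComplianceRisk], appetite: int) -> List[Tuple[str, int, str]]:
    """Rank risks by residual score (highest first) and assign a response.

    Response rule (assumption): residual within appetite -> accept;
    above appetite with a worst-case outcome of 5 -> escalate to the board;
    otherwise -> mitigate with additional controls.
    """
    ranked = sorted(risks, key=lambda r: (-r.residual, -r.inherent, r.name))
    plan = []
    for r in ranked:
        if r.residual <= appetite:
            response = "accept"
        elif r.worst_outcome == 5:
            response = "escalate"
        else:
            response = "mitigate"
        plan.append((r.name, r.residual, response))
    return plan


def sample_register() -> List[ComplianceRisk]:
    """Constructed sample data for a manufacturing site; not real findings."""
    base = {d: 1 for d in DIMENSIONS}
    return [
        ComplianceRisk("Hazardous waste manifests filed late", exposure=3,
                       severity={**base, "environmental": 4, "regulatory": 4},
                       likelihood=4, control_maturity=1),
        ComplianceRisk("Supplier conflict-minerals declarations missing", exposure=4,
                       severity={**base, "regulatory": 3, "customer": 3},
                       likelihood=3, control_maturity=3),
        ComplianceRisk("Lockout/tagout not followed on press line", exposure=2,
                       severity={**base, "safety": 5, "regulatory": 4},
                       likelihood=3, control_maturity=0),
    ]


if __name__ == "__main__":
    # Appetite of 12 is an assumed risk-tolerance threshold.
    for name, score, response in prioritise(sample_register(), appetite=12):
        print(f"{score:>3}  {response:<9} {name}")
```

Note that the supplier-declaration risk has the second-highest inherent score but drops to the bottom once its mature controls are credited, while the lockout/tagout item, with no controls at all, is escalated despite a lower inherent score. That is the point of separating inherent from residual risk: control maturity, not raw exposure, decides where effort goes next.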

Chief ethics and compliance officer

Today, the Chief Compliance Officer (CCO) operates in a dynamic legal, regulatory, social, and economic environment, often characterized by complex and sometimes conflicting rules. Implementing the compliance program is the CCO’s responsibility.

In addition, CCOs must respond to new and rapidly emerging risks. For example, law enforcement agencies now cooperate across borders to an unprecedented degree in their efforts to control bribery and corruption.

Testing and monitoring

It is important to conduct an annual risk assessment that goes beyond the focus areas of the U.S. Department of Justice (DOJ). The testing and monitoring process should include interviews with key personnel to identify risks unique to the organization, analysis of the compliance challenges of the past 12 months, and a review of internal controls and accountability.

The annual risk assessment should be revisited throughout the year so that it stays accurate as the organization changes.

The assessment can be used to identify trends, support quality reviews and other operational activities, identify where expertise is lacking and should be outsourced to third parties, evaluate vendors, and track compliance hotline calls.

Alongside this, the annual compliance plan can go beyond review and monitoring to include creating new policies and procedures and proactively addressing potential compliance issues.

The action plan for implementing a compliance program

A well-designed and well-executed compliance program is essential for improving and verifying business performance and for mitigating compliance risk. That said, the effectiveness of a compliance program ultimately depends on whether it is merely a paper program or is embedded in the organization and applied in practice every day.

To achieve a compliance program on par with world-class organizations, there are a number of best practices that organizations should adopt.

Know the requirements

Maintain an inventory of the regulatory requirements for each compliance program, as well as the binding state, local, and contractual obligations that apply to operations. It is vital that the organization stays informed of current and upcoming requirements.

Plan and develop compliance programs

Identify and assess compliance risks, then set performance improvement goals and targets based on the top priorities. Define program improvement initiatives, assign and document compliance responsibilities, develop procedures and tools, and allocate the resources needed to carry them out. Use the results of the risk assessment and internal audit to find gaps in the existing compliance controls.

In addition, understand the laws and regulations that govern IT compliance.

Here are a few of the most common ones:

  • The Sarbanes-Oxley Act (SOX): sets requirements for the financial reporting and auditing of public companies.
  • The Gramm-Leach-Bliley Act (GLBA): establishes the rules under which financial institutions may share, and must protect, consumers’ nonpublic personal information.
  • The Health Insurance Portability and Accountability Act (HIPAA): regulates the use and disclosure of protected health information (PHI).

Establish clear ownership for transparency

When everyone understands and prioritizes security and compliance, it is much easier for employees to do their jobs safely. One of the most important steps in promoting compliance organization-wide is to communicate roles and responsibilities clearly to each employee.

A few questions to ask when setting up the compliance program:

  • Who is responsible for managing and vetting compliance?
  • How often should compliance policies be reviewed and updated?
  • How are employees held accountable for compliance policies and procedures?

After establishing your organization’s policies and procedures, educate employees about the relevant laws and regulations and your organization’s policies and code of conduct.

Ensure compliance in operations

Establish routine reviews, inspections, and reporting within departments to assess adherence to each sub-process procedure. Design and implement process audits across operations and sub-processes to assess compliance with company policies and procedures. In addition, conduct the regulatory compliance audits that each program requires.

Take action on issues and problems

Collect, record, and classify nonconformities and near misses, and process them through a corrective and preventive action process driven by the most significant issues. Document every corrective and preventive action taken for each compliance program.

Automate and implement workflows with a compliance management technology like VComply

Keeping the organization’s compliance programs up to date in spreadsheets is difficult given the constantly changing regulatory landscape. VComply’s integrated compliance management software centralizes and automates compliance processes across multiple functions.

Here’s how VComply enables organizations to implement world-class compliance programs:

  • As a single source of truth, cloud-based centralized compliance management allows tracking and managing compliance obligations across GDPR, ISO 27001, and more.
  • Configurable workflows review compliance evidence and report process gaps.
  • Automated compliance management allows assigning tasks, risks, action plans, and policies to teams and individuals.
  • Visual reports allow board members to scan the organization’s compliance posture and spot discrepancies.

Organizations cannot settle for “good enough”; they need to strive for “great”, world-class compliance programs. As risks increase, your compliance program protects the organization from internal and external threats and strengthens its relationships with all stakeholders.

Explore what makes VComply a consistent G2 high performer in Compliance Management. Request your demo today and transform your approach.