Seven Core Components of a Comprehensive Compliance Program
November 19, 2018
By Valerie Charles, Chief Strategy Officer, GAN Integrity
With the wide range of risks and business functions a compliance program must address, it can often be difficult for business executives to wrap their heads around the purpose of each component and how they contribute to the business overall. Below are the seven key areas that a compliance program should address, the objective of each and how having the right tools allows the compliance department to seamlessly function with other areas of operations, enabling businesses to leverage the many benefits of strong compliance.
Regardless of a company’s circumstance, industry, size or business objectives, the fundamental structure of a compliance program must include the basic capabilities discussed below. Without them, businesses open themselves up to a myriad of financial and reputational consequences.
1. Code of Conduct and Policy Management
The Code of Conduct, supported by strong policy management, tells employees how to behave and why. The right Code of Conduct helps employees—and third parties—understand what matters for ethical business conduct.
A policy management tool helps compliance officers manage the complex task of putting those priorities into practice on a daily basis and ensure that employees don’t misconstrue basic principles stated in the Code of Conduct. Taken together, they also help to address the most dangerous conduct risk of all: the one you haven’t anticipated.
2. Risk Assessment
Compliance programs must be able to address a wide range of risks: anti-corruption, anti-competition, data privacy, trade sanctions, money laundering, operational threats — the list is endless. As business becomes more global and more complex, so does the task of managing risk and remaining compliant.
The most rudimentary risk assessment tool is the spreadsheet. It does not work well. An effective risk assessment tool is standardized, flexible and current.
3. Remediation Management
A remediation management tool guides the compliance program manager as he or she tries to implement changes to controls, policies and procedures that are creating organizational risk. It facilitates the many required steps of remediation: controls need to be identified and tested, weak controls need corrective steps, those steps need to be assigned to a control owner, deadlines need to be set, and follow-up testing needs to be done.
4. Training Programs
Training on ethical responsibilities and compliance procedures is a crucial part of the modern corporate compliance program. Not only must a company train its own employees, but also those of third parties. Successful training matches the risk the company has to its employees and third parties, as well as the policies governing that risk and the applicable procedures those employees and third parties should follow.
Effective compliance training is risk-based: employees receive training that is relevant to them and that reflects the degree of risk they face. For example, an entry-level accounting clerk may need some training on anti-bribery controls in the company’s accounts payable system, while a new senior sales executive working in emerging markets will need much more training, perhaps in person rather than online.
5. Case Management
Because one regulation after another requires some mechanism to allow the anonymous reporting of suspicious activity, all compliance programs need that capability. A common instinct is to associate the phrase “internal reporting” with whistleblower hotlines. In practice, however, an effective compliance program needs to blend whistleblower reporting into a larger case management system.
Ideally, the mechanism to report allegations is the front end of a larger case management system, where compliance officers can track details such as case closure time, issues in question, executives against whom allegations are made and so forth.
The data should be primed for analytics, too. Studied over time, these analytics can inform future investigation protocols and sharpen decisions about training programs or personnel actions.
6. Due Diligence
Performing due diligence on business partners is fundamental to the modern compliance program. The compliance function must be able to identify the controllers and beneficial owners of third parties, whether those parties are customers, suppliers, joint venture partners, resellers or some other relationship. Then those controllers and owners must be screened against various watch lists (specially designated nationals and/or politically exposed persons). The company itself should be evaluated for past regulatory trouble, adverse media reports and so forth.
7. Gifts and Entertainment Management
An effective compliance program also needs a tool to monitor all spending activity on gifts and entertainment (G&E) and detect spending that goes outside permitted norms. A huge number of compliance risks come from improper spending on gifts and entertainment.
A G&E tool should interface with the company’s financial systems to follow transactions, data and forms. At the transaction level, the tool should be able to identify questionable payments immediately. At a program level, the tool should also provide compliance officers with a holistic view of all gifts and entertainment activity.
Positioned for Compliance
It is clear that effective compliance programs have many moving parts, leading businesses to sometimes view compliance as a tremendous and disjointed effort. By adopting the right tools, ideally a unified system or a collection that can be integrated to work together, businesses position themselves to operate and reach growth objectives in compliance without impeding the flow of business.
About the author:
Valerie serves as GAN Integrity’s Chief Strategy Officer. With diverse industry experience, Valerie helps define and drive our strategic position in the compliance community, focused on thought leadership and growth strategy. She also leads GAN’s legal function with a focus on compliance, commercial & strategic transactions, employment, litigation and regulatory issues. Valerie has served as outside counsel, conducted internal investigations, and represented clients in connection with matters involving anti-bribery restrictions worldwide. She has also served as associate general counsel and global compliance lead for an international technology company.